My problem consists of Samba + Winbindd + LDAP + Kerberos not authenticating with Active Directory. For example, if I do 'smbclient -L localhost -U username%password(active directory account)' I get NT_STATUS_LOGIN_FAILURE. I've debugged for quite some time trying to pinpoint some sort of configuration that needs to be changed or added. In my experience I think the problem resolves at LDAP, but I cannot find anything. I can do a Kerberos successfully (kinit), wbinfo successfully (wbinfo -u), join the domain successfully (net ads join), and an ldapsearch successfully (ldapsearch -h host.domain.com). The smb.conf and krb5.conf configs were pulled from other older but stable Linux servers and were modified for each server. I see a lot of folks posting similar problems relating to OpenLDAP but cannot seem to relate exactly what I'm experiencing. I'm stumped.

The thing that is really throwing me is that I seem to be able in some odd way to authenticate to my Active Directory accounts using the smbclient command; I just can't do it unless an account with the same name exists on my BSD box.

I ran the following test:

1) created a user named smbuser with the password "password"
2) placed the user in the mitsadmin group to give access to the share
3) tried an smbclient -L localhost -Usmbuser, the error returned was:

#####################################
session setup failed: NT_STATUS_LOGON_FAILURE
#####################################

4) I then created an account smbuser with the password "diffpass"
5) tried an smbclient -L localhost -Usmbuser again, this time with the AD passwd "password", and got:

#####################################
Domain=[TECH] OS=[Unix] Server=[Samba 3.0.11]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (FreeBSD Samba Server)
        ADMIN$          IPC       IPC Service (FreeBSD Samba Server)
Domain=[TECH] OS=[Unix] Server=[Samba 3.0.11]

        Server               Comment
        ---------            -------
        CDSRV4               FreeBSD Samba Server
        ADC3

        Workgroup            Master
        ---------            -------
        TECH                 ADC3
#####################################

6) tried an smbclient -L localhost -Usmbuser again, this time with the unix passwd "diffpass", and got:

session setup failed: NT_STATUS_LOGON_FAILURE

It seems there may be some intermediate step before the AD lookup that may be holding up authentication.

The error message in my log file is as follows:

#####################################
[2005/03/21 14:53:37, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [TECH]\[smbuser]@[CDSRV4] with the new password interface
[2005/03/21 14:53:37, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [TECH]\[smbuser]@[CDSRV4]
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/03/21 14:53:37, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/03/21 14:53:37, 3] auth/auth_util.c:make_server_info_info3(1156)
  User smbuser does not exist, trying to add it
[2005/03/21 14:53:37, 0] auth/auth_util.c:make_server_info_info3(1163)
  make_server_info_info3: pdb_init_sam failed!
[2005/03/21 14:53:37, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [smbuser] -> [smbuser] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/03/21 14:53:37, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/03/21 14:53:37, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/03/21 14:53:37, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2005/03/21 14:53:37, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)
#####################################

Versions of packages installed:

samba-3.0.11.tar.gz
openldap-2.2.24.tgz
freebsd-5.3-RELEASE-i386
heimdal-0.6.1(kerberos)

*also compiled samba with ldap,winbindd,krb5

Configuration Files:

smb.conf
#####################################
[global]
   workgroup = TECH
   netbios name = SERVER3
   realm = host.domain.com
   security = ads
   encrypt passwords = yes
   password server = server.host.domain.com
   wins server = server.host.domain.com
   name resolve order = lmhosts host wins bcast
   log file = /var/log/samba/%m.log
   server string = FreeBSD Samba Server
   log level = 10
   allow trusted domains = No
   winbind use default domain = yes
   winbind trusted domains only = No
   winbind cache time = 10
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/sh
   template homedir = /home/%D/%U
   idmap uid = 10000-50000
   idmap gid = 10000-20000

#============================ Share Definitions =============================
#Used for reimaging labs
[IMAGES]
   comment = Ghost Images
   path = /data/pub/images
   browseable = no
   read only = no
   write list = @mitsadmin
   read list = @techs, ghost
#####################################

krb5.conf
#####################################
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = HOST.DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 HOST.DOMAIN.COM = {
  kdc = server.host.domain.com:88
  admin_server = server.host.domain.com:749
  default_domain = host.domain.com
 }

[domain_realm]
 .host.domain.com = HOST.DOMAIN.COM
 host.domain.com = HOST.DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
#####################################

nsswitch.conf
#####################################
passwd: files winbind
group: files winbind
hosts: files dns
#####################################
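
Added example, not part of the original post: a small Python parser for the smbd log format quoted above, which pairs each "FAILED with error" entry with the auth/ messages logged since the user was mapped, so the reason for a logon failure is reported next to its status code. The log lines are copied from the post; the function and variable names are this example's own.

```python
import re

# Log lines copied from the post above; each entry is a header line plus an indented message.
SAMPLE_LOG = r"""[2005/03/21 14:53:37, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [TECH]\[smbuser]@[CDSRV4]
[2005/03/21 14:53:37, 3] auth/auth_util.c:make_server_info_info3(1156)
  User smbuser does not exist, trying to add it
[2005/03/21 14:53:37, 0] auth/auth_util.c:make_server_info_info3(1163)
  make_server_info_info3: pdb_init_sam failed!
[2005/03/21 14:53:37, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [smbuser] -> [smbuser] FAILED with error NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[([^,\]]+),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)\s*$")
MAPPED = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]")
FAILED = re.compile(r"user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")

def parse_entries(text):
    """Yield one dict per log entry, joining message lines under their header."""
    entry = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if entry:
                yield entry
            ts, level, src, func, _ = m.groups()
            entry = {"ts": ts, "level": int(level), "src": src, "func": func, "msg": ""}
        elif entry and raw.strip():
            entry["msg"] = (entry["msg"] + " " + raw.strip()).strip()
    if entry:
        yield entry

def auth_failures(text):
    """Pair each failed logon with the auth/ messages logged since the user was mapped."""
    failures, context, domain = [], [], None
    for e in parse_entries(text):
        mapped, failed = MAPPED.search(e["msg"]), FAILED.search(e["msg"])
        if mapped:                       # start of a new authentication attempt
            domain, context = mapped.group(1), []
        elif failed:
            failures.append({"domain": domain, "user": failed.group(1),
                             "status": failed.group(3), "context": context})
            context = []
        elif e["src"].startswith("auth/"):
            context.append((e["level"], e["func"], e["msg"]))
    return failures

if __name__ == "__main__":
    print(auth_failures(SAMPLE_LOG))
```
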