Roland Carlsson
2005-Nov-22  10:42 UTC
[Samba] spnego_gen_negTokenTarg failed: No credentials cache found
Hello everybody!
I keep on trying to make my Samba installation work.  I have tried a 
couple of threads before but I have not been able to pinpoint the problem.
So, yesterday I made a second-to-last attempt to solve the problem before 
my boss forces me to install Windows 2003 since it works out of the box.
The scenario is that I'm trying to use Samba (Suse 10) as a fileserver 
that authenticates against an Active Directory Server 2003 SP1 (all 
patches).
I can bind my server to the domain.
I can run wbinfo -g, -t, -u -p without error and get users from AD
I can run getent groups passwd and get the users and groups from AD
Here are the results from trying to connect to a share with smbclient 
from localhost:
AQMLIN03:/ # smbclient //aqmlin03/gemensam -U roca1
Password:
Domain=[ALFA-MOVING] OS=[Unix] Server=[Samba 3.0.20b-3.1-SUSE]
tree connect failed: NT_STATUS_ACCESS_DENIED
AQMLIN03: # smbclient -k //aqmlin03/gemensam
ads_krb5_mk_req: krb5_get_credentials failed for cifs/aqmlin03.alfa-moving@ALFA-MOVING.SE (Ticket expired)
spnego_gen_negTokenTarg failed: Ticket expired
session setup failed: SUCCESS - 0
(From localhost I can't use roca1 as user so this was run as root.)
Here are the same smbclient attempts from an OSX client:
PROSIT:~ roca1$ smbclient  //aqmlin03/gemensam -U roca1
Password:
Domain=[ALFA-MOVING] OS=[Unix] Server=[Samba 3.0.20b-3.1-SUSE]
tree connect failed: NT_STATUS_ACCESS_DENIED
PROSIT:~ roca1$ smbclient -k //aqmlin03/gemensam
spnego_gen_negTokenTarg failed: No credentials cache found
session setup failed: NT_STATUS_OK
When using smbclient -k I get the following in log.smbd:
[2005/11/22 11:06:51, 2] smbd/server.c:exit_server(612)
  Closing connections
Using smbclient -U I get the following in log.smbd:
[2005/11/22 11:08:10, 0] auth/auth_util.c:make_server_info_info3(1173)
  make_server_info_info3: pdb_init_sam failed!
[2005/11/22 11:08:10, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [roca1] -> [roca1] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/11/22 11:08:10, 2] smbd/service.c:make_connection_snum(311)
  guest user (from session setup) not permitted to access this share (gemensam)
[2005/11/22 11:08:10, 2] smbd/server.c:exit_server(612)
Running testparm gives this (and the shares that I cut out):
AQMLIN03:/var/log/samba # testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[printers]"
Processing section "[gemensam]"
Processing section "[j?nk?ping]"
Processing section "[g?teborg]"
Processing section "[malm?]"
Processing section "[oslo]"
Processing section "[stockholm]"
Processing section "[home]"
Processing section "[milldoc]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
        workgroup = ALFA-MOVING
        realm = ALFA-MOVING.SE
        security = ADS
        map to guest = Bad User
        log level = 5
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ldap suffix = dc=ALFA-MOVING,dc=SE
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        include = /etc/samba/dhcp.conf
The contents of /etc/krb5.conf
[libdefaults]
        default_realm = ALFA-MOVING.SE
[realms]
ALFA-MOVING.SE = {
        kdc = 192.168.10.10
        kpasswd_server = 192.168.10.10
}
[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
        ticket_lifetime = 7d
        renew_lifetime = 7d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
}
The contents of /etc/nsswitch.conf
passwd: compat winbind
group:  compat winbind
hosts:  files dns wins
networks:       files dns
services:       files
protocols:      files :
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files
bootparams:     files
automount:      files nis
aliases:        files
Thank you very much in advance
Roland Carlsson
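Added example, not part of the original post and not Samba code: a small triage script over the log.smbd excerpt above. It flags the sequence in which an account lookup fails with NT_STATUS_NO_SUCH_USER, "map to guest = Bad User" turns the session into a guest login, and the share then refuses the guest. The function names, the same-timestamp correlation and the embedded sample (constructed from the lines in the post) are assumptions of this example.

```python
import re

# Constructed sample: the log.smbd lines from the post, mail wrapping included.
SAMPLE_LOG = """\
[2005/11/22 11:08:10, 0] auth/auth_util.c:make_server_info_info3(1173)
  make_server_info_info3: pdb_init_sam failed!
[2005/11/22 11:08:10, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [roca1] -> [roca1]
FAILED with error NT_STATUS_NO_SUCH_USER
[2005/11/22 11:08:10, 2] smbd/service.c:make_connection_snum(311)
  guest user (from session setup) not permitted to access this share
(gemensam)
[2005/11/22 11:08:10, 2] smbd/server.c:exit_server(612)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+(\d+)\] (\S+):(\w+)\((\d+)\)$")
AUTH_FAIL = re.compile(r"Authentication for user \[(.+?)\] -> \[(.+?)\] FAILED with error (\w+)")
GUEST_DENIED = re.compile(r"guest user .* not permitted to access this share \((.+?)\)")

def parse_records(text):
    """Attach message lines (and mail-wrapped fragments) to the preceding header line."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": m.group(4), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] += " " + line.strip()
    return records

def triage(text, map_to_guest="Bad User"):
    """Report auth failures and, when guest mapping applies, the guest denial that follows."""
    findings, unknown = [], {}
    for rec in parse_records(text):
        msg = " ".join(rec["msg"].split())  # collapse runs of whitespace
        if (m := AUTH_FAIL.search(msg)):
            _user, mapped, status = m.groups()
            findings.append(("auth_failed", mapped, status))
            # Bad User: an unknown account becomes a guest session instead of a hard failure
            if status == "NT_STATUS_NO_SUCH_USER" and map_to_guest.lower() == "bad user":
                unknown[rec["time"]] = mapped
        elif (m := GUEST_DENIED.search(msg)) and rec["time"] in unknown:
            findings.append(("guest_fallback_denied", unknown[rec["time"]], m.group(1)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The second finding shows why the client only sees "tree connect failed: NT_STATUS_ACCESS_DENIED": the session setup succeeded as guest, so the NT_STATUS_NO_SUCH_USER failure is visible only in the server log.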
Henrik Zagerholm
2005-Nov-23  08:05 UTC
[Samba] spnego_gen_negTokenTarg failed: No credentials cache found
Hi Roland!
I wonder if you could just try disabling "Digitally Sign Communications" in the Domain Security Policy. Both client and server. Maybe this is something completely different but it puzzles me that you cannot connect through Mac OS.
Regards,
Henrik