samba - Nov 2005 - AD4Unix & Samba-3.0.20b+winbind

Scenario:  Samba-3.0.20b domain member server on SuSE 9.3 (w/ all 
available patches applied) providing kerberos authentication through a 
Windows 2000 domain with AD4Unix services installed.

Problem(s):
1. Can only view users from one OU in Active Directory (default is: 
CN=Users, problem container is: OU=authenticated)
2. According to log.winbind and log.smbd authentication fails with 
error:   check_ntlm_password:  Authentication for user [testj] -> 
[testj] FAILED with error NT_STATUS_WRONG_PASSWORD.  Is this error due 
to falling back to NTLM authentication vs. Kerberos TGT systems?

Troubleshooting performed:
1. Used 'net ads leave' to remove from domain, updated Samba+Winbind 
from 3.0.13 to 3.0.20b
2. Manually removed machine trust account from active directory
3. Manually removed cache files for Samba prior to upgrade
4. Attempted using 3.0.21rc1 release with same results
5. Created a Win 2K test domain w/o AD4Unix and Samba-3.0.13 ADS member 
server which would authenticate via Kerberos without problems.
6. Upgraded Samba to 3.0.20b and still worked fine on test domain w/o 
AD4Unix setup
7. Am in the process of upgrading Win2K domain server (in test env.) to 
provide AD4Unix services to see if it breaks.

Any help, insight into this is definately appreciated

Here is the pertinent configuration files:

[smb.conf]
[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        server string = new-odin.domain.com
        security = ADS
        update encrypted = Yes
        encrypt passwords = yes
        password server = *
        preferred master = No
        domain master = No
        idmap uid = 500-500000
        idmap gid = 500-500000
        winbind trusted domains only = yes
        winbind separator = /
        winbind cache time = 5
        winbind use default domain = Yes
        winbind nested groups = Yes
        log level = 2
        interfaces = eth*
        bind interfaces only = yes
        socket options = IPTOS_LOWDELAY TCP_NODELAY

[images]
        comment = ODIN
        user = %S
        path = /odin/images
        inherit acls = Yes
        browseable = yes
        writeable = yes
        read only = no
        public = yes


[home]
        comment = User Home Directories
        user = %S
        path = /odin/home/%S
        inherit acls = Yes
        writeable = yes
        read only = no
        public = no
        browseable = yes

[krb5.conf]
[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300

[realms]
UTAH.EDU = {
kdc = 192.168.0.10
default_domain = domain.com
admin_server = 192.168.0.10
}


[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}

[nsswitch.conf]
passwd: files winbind
shadow: files winbind
group:  files winbind

hosts:  files dns winbind
networks:       files dns

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files

-- 
Jason Gerfen

"Oh I have seen alot of what
 the world can do, and its
 breaking my heart in two..."
 ~ Wild World, Cat Stevens

Ok in my test environment I just got done updating the schema on the 
Win2K domain to include the AD4Unix package and I am still able to 
authentication and view all users from any container including the 
CN=Users (default) and a new OU=authenticated.  Can someone please help 
me out on this?  The only major difference between the test domain and 
the live domain is the number of users at this point and the container 
setup in AD.

Jason Gerfen wrote:
> Scenario:  Samba-3.0.20b domain member server on SuSE 9.3 (w/ all 
> available patches applied) providing kerberos authentication through a 
> Windows 2000 domain with AD4Unix services installed.
>
> Problem(s):
> 1. Can only view users from one OU in Active Directory (default is: 
> CN=Users, problem container is: OU=authenticated)
> 2. According to log.winbind and log.smbd authentication fails with 
> error:   check_ntlm_password:  Authentication for user [testj] -> 
> [testj] FAILED with error NT_STATUS_WRONG_PASSWORD.  Is this error due 
> to falling back to NTLM authentication vs. Kerberos TGT systems?
>
> Troubleshooting performed:
> 1. Used 'net ads leave' to remove from domain, updated
Samba+Winbind
> from 3.0.13 to 3.0.20b
> 2. Manually removed machine trust account from active directory
> 3. Manually removed cache files for Samba prior to upgrade
> 4. Attempted using 3.0.21rc1 release with same results
> 5. Created a Win 2K test domain w/o AD4Unix and Samba-3.0.13 ADS 
> member server which would authenticate via Kerberos without problems.
> 6. Upgraded Samba to 3.0.20b and still worked fine on test domain w/o 
> AD4Unix setup
> 7. Am in the process of upgrading Win2K domain server (in test env.) 
> to provide AD4Unix services to see if it breaks.
>
> Any help, insight into this is definately appreciated
>
> Here is the pertinent configuration files:
>
> [smb.conf]
> [global]
>        workgroup = DOMAIN
>        realm = DOMAIN.COM
>        server string = new-odin.domain.com
>        security = ADS
>        update encrypted = Yes
>        encrypt passwords = yes
>        password server = *
>        preferred master = No
>        domain master = No
>        idmap uid = 500-500000
>        idmap gid = 500-500000
>        winbind trusted domains only = yes
>        winbind separator = /
>        winbind cache time = 5
>        winbind use default domain = Yes
>        winbind nested groups = Yes
>        log level = 2
>        interfaces = eth*
>        bind interfaces only = yes
>        socket options = IPTOS_LOWDELAY TCP_NODELAY
>
> [images]
>        comment = ODIN
>        user = %S
>        path = /odin/images
>        inherit acls = Yes
>        browseable = yes
>        writeable = yes
>        read only = no
>        public = yes
>
>
> [home]
>        comment = User Home Directories
>        user = %S
>        path = /odin/home/%S
>        inherit acls = Yes
>        writeable = yes
>        read only = no
>        public = no
>        browseable = yes
>
> [krb5.conf]
> [libdefaults]
> default_realm = DOMAIN.COM
> clockskew = 300
>
> [realms]
> UTAH.EDU = {
> kdc = 192.168.0.10
> default_domain = domain.com
> admin_server = 192.168.0.10
> }
>
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> [domain_realm]
> .domain.com = DOMAIN.COM
> domain.com = DOMAIN.COM
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> }
>
> [nsswitch.conf]
> passwd: files winbind
> shadow: files winbind
> group:  files winbind
>
> hosts:  files dns winbind
> networks:       files dns
>
> services:       files
> protocols:      files
> rpc:    files
> ethers: files
> netmasks:       files
> netgroup:       files
> publickey:      files
>
> bootparams:     files
> automount:      files nis
> aliases:        files
>

-- 
Jason Gerfen

"Oh I have seen alot of what
 the world can do, and its
 breaking my heart in two..."
 ~ Wild World, Cat Stevens