thr3ads.net - samba - [Samba] cant authenticate Samba -> AD trying to map to shares on samba server [Dec 2006]

If this information is useful, please help other people find it:
Share via:

PAGE Kelley (RF4) BHR Hospital

2006-Dec-27 14:45 UTC

[Samba] cant authenticate Samba -> AD trying to map to shares on samba server

I have read through previous posts but still cant connect to samba shares - any
help much appreciated.

Running Samba   3.0.10-1 on fedora Core 2.  Dont know anything about AD as
it's looked after by the big boys and they wont share their secrets with the
linux team.  I do know the server I need to authenticate with is acting as some
sort of time server so I assume that is not an issue.

wbinfo -u - produces users list
wbinfo -g - produces user groups
wbinfo -t -  checking the trust secret via RPC calls failed
	error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
	Could not check secret

SMB.conf 

workgroup = hospitals
   realm = XHOSPITALS.A.B
hosts allow = 10.
security = ADS
password server = 10.x.y.z
encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd
wins server = 10.x.y.z
netbios name = oncology
smb ports = 139

krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = XHOSPITALS.A.B
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 XHOSPITALS.A.B = {
  kdc = astolat.xhospitals.a.b:88
  admin_server = astolat.xhospitals.a.b:749
  default_domain = xhospitals.a.b
 }

[domain_realm]
.kerberos.server = XHOSPITALS.A.B
.xhospitals.a.b = XHOSPITALS.A.B

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 604800
   forwardable = true
   krb4_convert = false


winbindd error log

[2006/12/27 13:54:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(745)
  got principal=astolat$@XHOSPITALS.A.B
[2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
  Got challenge flags:
[2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x62890215
[2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
  NTLMSSP: Set final flags:
[2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
[2006/12/27 13:54:19, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
[2006/12/27 13:54:19, 3] libsmb/cliconnect.c:cli_session_setup(868)
  SPNEGO login failed: Logon failure
[2006/12/27 13:54:19, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2006/12/27 13:54:19, 3] nsswitch/winbindd_cm.c:cm_open_connection(366)
  schannel refused - continuing without schannel (NT_STATUS_ACCESS_DENIED)
[2006/12/27 13:54:19, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2006/12/27 13:54:19, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68)
  could not open handle to NETLOGON pipe
[2006/12/27 13:54:19, 2]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
  Checking the trust account password returned NT_STATUS_ACCESS_DENIED

Anyone had a similiar problem?  How did you sort it?  Any tips gretly
appreciated.

Thanks.

Kelley

Dale Schroeder

2006-Dec-27 19:12 UTC

head link

[Samba] cant authenticate Samba -> AD trying to map to shares on samba server

I recommend 
http://www.enterprisenetworkingplanet.com/netos/article.php/3487081 and 
http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1 
as excellent references for ADS setup.
One thing that I do notice is, if  "realm = XHOSPITALS.A.B",  then 
"workgroup = XHOSPITALS" is the proper syntax.

Good luck,
Dale

PAGE Kelley (RF4) BHR Hospital wrote:> I have read through previous posts but still cant connect to samba shares -
any help much appreciated.
>
> Running Samba   3.0.10-1 on fedora Core 2.  Dont know anything about AD as
it's looked after by the big boys and they wont share their secrets with the
linux team.  I do know the server I need to authenticate with is acting as some
sort of time server so I assume that is not an issue.
>
> wbinfo -u - produces users list
> wbinfo -g - produces user groups
> wbinfo -t -  checking the trust secret via RPC calls failed
> 	error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> 	Could not check secret
>
> SMB.conf 
>
> workgroup = hospitals
>    realm = XHOSPITALS.A.B
> hosts allow = 10.
> security = ADS
> password server = 10.x.y.z
> encrypt passwords = yes
>   smb passwd file = /etc/samba/smbpasswd
> wins server = 10.x.y.z
> netbios name = oncology
> smb ports = 139
>
> krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = XHOSPITALS.A.B
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  XHOSPITALS.A.B = {
>   kdc = astolat.xhospitals.a.b:88
>   admin_server = astolat.xhospitals.a.b:749
>   default_domain = xhospitals.a.b
>  }
>
> [domain_realm]
> .kerberos.server = XHOSPITALS.A.B
> .xhospitals.a.b = XHOSPITALS.A.B
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 604800
>    forwardable = true
>    krb4_convert = false
>
>
> winbindd error log
>
> [2006/12/27 13:54:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(745)
>   got principal=astolat$@XHOSPITALS.A.B
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
>   Got challenge flags:
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x62890215
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
>   NTLMSSP: Set final flags:
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60080215
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60080215
> [2006/12/27 13:54:19, 3] libsmb/cliconnect.c:cli_session_setup(868)
>   SPNEGO login failed: Logon failure
> [2006/12/27 13:54:19, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
>   cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [2006/12/27 13:54:19, 3] nsswitch/winbindd_cm.c:cm_open_connection(366)
>   schannel refused - continuing without schannel (NT_STATUS_ACCESS_DENIED)
> [2006/12/27 13:54:19, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
>   cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [2006/12/27 13:54:19, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68)
>   could not open handle to NETLOGON pipe
> [2006/12/27 13:54:19, 2]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
>   Checking the trust account password returned NT_STATUS_ACCESS_DENIED
>
> Anyone had a similiar problem?  How did you sort it?  Any tips gretly
appreciated.
>
> Thanks.
>
> Kelley
>
>

Possibly Parallel Threads

Search for more possibly parallel threads

samba - Dec 2006 - cant authenticate Samba -> AD trying to map to shares on samba server

[Samba] cant authenticate Samba -> AD trying to map to shares on samba server

[Samba] cant authenticate Samba -> AD trying to map to shares on samba server

Possibly Parallel Threads