I'm trying to configure a Fedora 7 machine to authenticate access to
shares via AD. This works fine on other RHEL machines, but the same
configuration on Fedora maddeningly does not.
I've tried oodles of different configurations, and am currently using
something based on:
http://wiki.samba.org/index.php/Samba_&_Active_Directory
Here is my krb5.conf file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ESRI.COM
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
ESRI.COM = {
kdc = dc1.esri.com:88
admin_server = dc1.esri.com:749
default_domain = esri.com
kdc = dc1.esri.com
}
[domain_realm]
.esri.com = ESRI.COM
esri.com = ESRI.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
I am able to kinit just fine and to net ads join. wbinfo -a and more
work just fine. I can use smbclient to view shares on other members
of the domain with and without -k perfectly. winbind appears to be
running without issue.
# net ads testjoin
Join is OK
Now, my smb.conf:
[global]
workgroup = AVWORLD
realm = ESRI.COM
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 500
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
;winbind separator = +
idmap uid = 10000-9999999999
idmap gid = 10000-9999999999
;template primary group = "Domain Users"
template shell = /bin/bash
; Some things that may or may not be useful.
;passdb backend = tdbsam
;idmap backend = ad
;winbind nss info = rfc2307
[public]
comment = gumnut public read-only share
path = /home/public
public = yes
However, when trying to access this machine (GUMNUT) from a Windows
client or using smbclient from the local machine, I get a failure --
smbclient says NT_STATUS_LOGON_FAILURE and the corresponding Samba
logfile says:
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_alloc(131)
Finding user AVWORLD\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(75)
Trying _Get_Pwnam(), username as lowercase is avworld\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(83)
Trying _Get_Pwnam(), username as given is AVWORLD\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(93)
Trying _Get_Pwnam(), username as uppercase is AVWORLD\RAY5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(102)
Checking combinations of 0 uppercase letters in avworld\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)
Get_Pwnam_internals didn't find user [AVWORLD\ray5147]!
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_alloc(131)
Finding user ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(75)
Trying _Get_Pwnam(), username as lowercase is ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(93)
Trying _Get_Pwnam(), username as uppercase is RAY5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(102)
Checking combinations of 0 uppercase letters in ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)
Get_Pwnam_internals didn't find user [ray5147]!
[2007/09/06 23:19:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username AVWORLD\ray5147 is invalid on this system
[2007/09/06 23:19:54, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
Given the command:
smbclient -L GUMNUT -U ray5147 -W AVWORLD
At this point I am stumped. I believe we are running Windows 2003 AD
servers and it's just not clear to me why the above is failing.
Where can I look to begin troubleshooting this?
Thanks!
Ray
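The log above shows smbd's Get_Pwnam() failing to resolve both AVWORLD\ray5147 and ray5147. That lookup goes through the system NSS layer (getent / getpwnam), not through winbindd directly, which is why wbinfo can succeed while smbd still rejects the session. A common cause of exactly this pattern is /etc/nsswitch.conf not listing winbind for the passwd and group databases. The following check is an added example, not part of Ray's post or of Samba; it parses nsswitch.conf text for the passwd and group databases, and the two sample configurations inside it are constructed for illustration (whether this is the cause on the machine in question is an assumption to verify with getent passwd ray5147).

```shell
#!/bin/sh
# Added diagnostic (not from the original post or from Samba):
# report whether nsswitch.conf lists "winbind" for passwd and group,
# which smbd's Get_Pwnam() lookup depends on.

# nss_has_winbind DB: read nsswitch.conf text on stdin, return 0 if the
# database DB (e.g. passwd) lists winbind as one of its sources.
nss_has_winbind() {
    db="$1"
    awk -v db="$db" '
        {
            line = $0
            sub(/#.*/, "", line)                   # drop comments
            n = split(line, f, /[: \t]+/)          # "passwd: files winbind"
            if (f[1] == db)
                for (i = 2; i <= n; i++)
                    if (f[i] == "winbind") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# nss_winbind_ok TEXT: return 0 only if both passwd and group list winbind,
# printing the first database that does not.
nss_winbind_ok() {
    for db in passwd group; do
        if ! printf '%s\n' "$1" | nss_has_winbind "$db"; then
            echo "missing: $db does not list winbind in nsswitch.conf"
            return 1
        fi
    done
    echo "ok: passwd and group both list winbind"
    return 0
}

# Constructed samples: the first reproduces a setup where wbinfo works but
# smbd cannot resolve DOMAIN\user; the second is the corrected form.
SAMPLE_BROKEN='passwd:     files
shadow:     files
group:      files'

SAMPLE_FIXED='passwd:     files winbind
shadow:     files
group:      files winbind'

# Check the constructed samples, then the live file if it is readable.
nss_winbind_ok "$SAMPLE_BROKEN" || true
nss_winbind_ok "$SAMPLE_FIXED"
if [ -r /etc/nsswitch.conf ]; then
    nss_winbind_ok "$(cat /etc/nsswitch.conf)" || true
fi
```

If the live file already lists winbind on both lines, the next thing to confirm is that getent passwd ray5147 (and getent passwd 'AVWORLD\ray5147') actually returns an entry on GUMNUT; if it does not, the problem sits between libnss_winbind and winbindd rather than in smb.conf.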