Hello,
I'm trying to connect my Debian 4 samba box to my Windows 2003 Server Active Directory.
I successfully joined the domain with net ads join. Wireshark captures a lot of packets going over the wire, and I get the message "joined the domain successfully". In my AD, under 'computers', the samba box appeared. So that all works.
Asking a kerberos ticket for a user with kinit is also successful. So kerberos is working fine.
wbinfo -u gives me all the users I have in my AD, and wbinfo -g does the same with all the groups. wbinfo -t is also working fine.
But when I try wbinfo -a rutger%rutger, I get
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user rutger%rutger with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user rutger with challenge/response
Same result with wbinfo -K. It says the user does not exist, but it is there
when I do a wbinfo -u.
Same output with ntlm_auth and with --diagnostics:
ntlm_auth --request-nt-key --domain=PROJECT --username=rutger
password:
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
project:/etc# ntlm_auth --request-nt-key --domain=PROJECT --username=rutger --diagnostics
password:
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test LM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test LM and NTLM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLM in LM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLM in both failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLMv2 failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLMv2 and LMv2 failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test LMv2 failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLMv2 and LMv2, LMv2 broken failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLM and LM, LM broken failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test Plaintext failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test Plaintext LM broken failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test Plaintext NT only failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test Plaintext LM only failed!
The wbinfo -a and ntlm_auth runs result in NO data sent over the wire. Is wbinfo not correctly using Kerberos? Why are no packets sent over the wire when I do wbinfo -a? The IP of the AD is in /etc/hosts.
Thanks a lot for your help, I'm really desperate!
Rutger
Here are the smb.conf and krb5.conf files:
--smb.conf--
project:/etc# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = PROJECT
realm = PROJECT.LOCAL
server string = %h server
security = ADS
obey pam restrictions = Yes
password server = project-ad.project.local
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
invalid users = root
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
--krb5.conf--
[logging]
default = FILE:/war/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = PROJECT.LOCAL
# dns_lookup realm = false
# dns_lookup_kdc = false
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
PROJECT.LOCAL = {
kdc = PROJECT-AD.PROJECT.LOCAL
}
[domain_realm]
.project.local = PROJECT.LOCAL
project.local = PROJECT.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[login]
krb4_convert = true
krb4_get_tickets = false
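A small triage helper for the ntlm_auth --diagnostics output quoted above, written here as an added example (it is not part of the thread or of Samba): it parses the "<message> (0x<code>)" status lines and "Test ... failed!" lines into (test, NT_STATUS codes) pairs and groups the failures by status, so a run where every test fails with the same code, as in the post, is visible at a glance. The sample text is a constructed excerpt that follows the line shapes in the post; the NT_STATUS code table covers only the codes named in this thread.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the ntlm_auth --diagnostics output
# quoted above (three of the tests; the status code is the post's).
SAMPLE_DIAGNOSTICS = """\
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test LM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLMv2 failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test Plaintext LM broken failed!
"""

# "<message> (0x<8 hex digits>)" as printed by ntlm_auth; wbinfo's
# "error code was NT_STATUS_... (0x...)" line has the same tail.
STATUS_RE = re.compile(r"^(?P<msg>.+?) \((?P<code>0x[0-9a-fA-F]{8})\)$")
TEST_RE = re.compile(r"^Test (?P<name>.+?) failed!$")

# NT_STATUS names for the codes that appear in this thread.
NT_STATUS_NAMES = {
    0xC0000064: "NT_STATUS_NO_SUCH_USER",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
}


def parse_diagnostics(text):
    """Return [(test_name, [status codes])] for every failed test.
    Status lines precede the "Test ... failed!" line they belong to; the
    "broken" variants run two checks and so print two status lines."""
    results, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := STATUS_RE.match(line):
            pending.append(int(m.group("code"), 16))
        elif m := TEST_RE.match(line):
            results.append((m.group("name"), pending))
            pending = []
    return results


def failures_by_status(results):
    """Group failed test names by NT_STATUS name (raw hex if unknown)."""
    grouped = defaultdict(list)
    for name, codes in results:
        for code in sorted(set(codes)):
            grouped[NT_STATUS_NAMES.get(code, f"0x{code:08x}")].append(name)
    return dict(grouped)
```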
Similar problem here, running Ubuntu Workstation 7.10 (so, also Debian). But it looks like I'm failing a step beyond you.

Works:
kinit
wbinfo -u
wbinfo -g
wbinfo -t

Fails - but note last line is a different result:
wbinfo -a whit%<pass>
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user whit%<pass> with plaintext password
challenge/response password authentication succeeded

However, despite the "succeeded" message there, from another box I see:
# smbclient //no3/ftp -Uwhit%<pass>
Domain=[ABC] OS=[Unix] Server=[Samba 3.0.26a]
tree connect failed: NT_STATUS_ACCESS_DENIED

And from samba:
[2008/02/16 15:05:30, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [whit] -> [whit] -> [whit] succeeded
[2008/02/16 15:05:30, 0] auth/auth_util.c:create_builtin_administrators(792)
create_builtin_administrators: Failed to create Administrators
[2008/02/16 15:05:30, 2] auth/auth_util.c:create_local_nt_token(914)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2008/02/16 15:05:30, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2008/02/16 15:05:30, 2] auth/auth_util.c:create_local_nt_token(941)
create_local_nt_token: Failed to create BUILTIN\Users group!
[2008/02/16 15:05:30, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.250)
[2008/02/16 15:05:30, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.250)
[2008/02/16 15:05:30, 2] smbd/service.c:make_connection_snum(616)
user 'whit' (from session setup) not permitted to access this share (FTP)

Despite that in smb.conf there is:
[global]
winbind separator = \
...
[FTP]
valid users = ABC\whit
...

In looking around for docs, nothing is complete, nothing is well cross-referenced with the rest, but this seems among the best: http://wiki.samba.org/index.php/Samba_&_Active_Directory

I've found some old posts to this list about the BUILTIN stuff I ran into above, but just the problem reports, no description of the solution - or even if the errors there have anything to do with the subsequent failure to recognize that, yes samba, user 'whit' has explicit permission in smb.conf. It also fails with "winbind use default domain", which reportedly should mean no need to specify as "ABC\whit" but just "whit" should do.

I've tried both krb5 and heimdal, with identical results.

Curiously I was able to get it working just if my nsswitch.conf listed _only_ winbind for passwd: and group: entries - although of course without "compat" or "files" on that line local system users time out and the system becomes unusable after a short. The remote login then went fine though, using AD. WTF?

Whit

On Sat, Feb 16, 2008 at 05:00:07PM +0100, Rutger Beyen wrote:
>
> I'm trying to connect my Debian 4 samba box to my Windows 2003Server Active
> Directory.
> I successfully joined the domain, with net ads join. Wireshark captures a
> lot of packets going over the wire, and I get the message "joined the domain
> successfully". In my AD, under 'computers', the samba box appeared. So that
> all works.
> Asking a kerberos ticket for a user with kinit is also successful. So
> kerberos is working fine.
>
> Wbinfo -u gives me all the users I have in my AD, and wbinfo -g does the
> same with all the groups. wbinfo -t also working fine.
> But when I try wbinfo -a rutger%rutger, I get
>
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user rutger%rutger with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user rutger with challenge/response
>
> Same result with wbinfo -K. It says the user does not exist, but it is there
> when I do a wbinfo -u.