Leon Stringer
2008-Jun-17 11:24 UTC
[Samba] Accessing member server prompts for credentials
Hi,

I'm trying to join a server as an AD member but it isn't working.

I do:

    kinit ADMINISTRATOR@DOMAIN1.CO.UK

which prompts for the password and displays nothing else. Then I do:

    net ads join -U Administrator%XXXXX

which returns:

    Using short domain name -- DOMAIN1
    Joined 'SERVER1' to realm 'DOMAIN1.CO.UK'

So all looks OK, but when I try to browse the shares on \\server1 from another domain member I'm prompted for a username and password. Any valid domain credentials are rejected.

The log file for the IP address for the computer I'm trying to connect from says:

    [2008/06/17 11:54:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

log.smbd says:

    [2008/06/17 11:55:47, 0] auth/auth_util.c:create_builtin_administrators(792)
      create_builtin_administrators: Failed to create Administrators
    [2008/06/17 11:55:47, 0] auth/auth_util.c:create_builtin_users(758)
      create_builtin_users: Failed to create Users

smb.conf says:

    [global]
    workgroup = DOMAIN1
    realm = DOMAIN1.CO.UK
    security = ADS

Samba 3.0.30 on Fedora 8.

Can anyone tell me where I'm going wrong?

Thanks in advance,
Leon...

-----------------------------------------
Email sent from www.virginmedia.com/email
Virus-checked using McAfee(R) Software and scanned for spam
Leon Stringer
2008-Jun-18 13:02 UTC
[Samba] Accessing member server prompts for credentials
I'm still struggling with this if anyone can help.

I'm back tracking through the HOWTO and realised that I hadn't created a machine trust account.

So I've done:

    # groupadd machines
    # /usr/sbin/useradd -g machines -d /var/lib/nobody -c "Test Server" -s /bin/false server1
    # passwd -l server1
    Locking password for user server1.
    # smbpasswd -a -m server1
    Failed to modify password entry for user server1$

Please can anyone tell me why this last step fails?
Leon Stringer
2008-Jun-18 13:24 UTC
[Samba] Accessing member server prompts for credentials
> From: "mallapadi niranjan" <niranjan.ashok@gmail.com>
> Date: 2008/06/18 Wed PM 01:08:13 GMT
> To: samba@lists.samba.org
> Subject: Re: [Samba] Accessing member server prompts for credentials
>
> When accessing the share, and when prompted for authentication, if you
> give "Domain\username" and then user's password, does it work?

Thanks for your reply. If I type the domain credentials when prompted it does not work either.
Leon Stringer
2008-Jun-18 15:51 UTC
[Samba] Accessing member server prompts for credentials
> From: devel@thom.fr.eu.org
> Date: 2008/06/18 Wed PM 03:32:53 GMT
> To: "Leon Stringer" <leon.stringer@ntlworld.com>
> CC: samba@lists.samba.org
> Subject: Re: [Samba] Accessing member server prompts for credentials
>
> Do you have the "unix password sync" set to yes in smb.conf?
> If yes, maybe you're in trouble with the password chat. I had the problem
> on my debian systems where using the default "passwd chat" value did not
> work because it expects *changed* and my system returned updated.

Thanks for your reply. I have unix password sync = no.
Leon Stringer
2008-Jun-18 16:22 UTC
[Samba] Accessing member server prompts for credentials
> From: Toby Bluhm <tkb@midwestinstruments.com>
> Date: 2008/06/18 Wed PM 03:35:58 GMT
> To: samba@lists.samba.org
> Subject: Re: [Samba] Accessing member server prompts for credentials
>
> Leon Stringer wrote:
> > I'm still struggling with this if anyone can help.
> >
> > I'm back tracking through the HOWTO and realised that I hadn't created
> > a machine trust account.
> >
> > # smbpasswd -a -m server1
> > Failed to modify password entry for user server1$
> >
> > Please can anyone tell me why this last step fails?
>
> Those commands are for working with an NT4 domain. They're of no use if
> you're trying to join samba to an AD domain.

Thanks, that makes sense although it isn't very clear in the HOWTO.

So I'm back to square 1: I can't access shares on the server. If I try to connect remotely I'm prompted for credentials. If I try a domain user account it's rejected, same for a local UNIX user account on the Samba box.
Leon Stringer
2008-Jun-19 10:07 UTC
[Samba] Accessing member server prompts for credentials
> From: Toby Bluhm <tkb@midwestinstruments.com>
> Date: 2008/06/18 Wed PM 03:35:58 GMT
> To: samba@lists.samba.org
> Subject: Re: [Samba] Accessing member server prompts for credentials
>
> Leon Stringer wrote:
> > I'm still struggling with this if anyone can help.
> >
> >> I'm trying to join a server as an AD member but it isn't working.
> >>
> >> I do:
> >>
> >> kinit ADMINISTRATOR@DOMAIN1.CO.UK
> >>
> >> which prompts for the password and displays nothing else. Then I do:
> >>
> >> net ads join -U Administrator%XXXXX
> >>
> >> which returns:
> >>
> >> Using short domain name -- DOMAIN1
> >> Joined 'SERVER1' to realm 'DOMAIN1.CO.UK'
> >>
> >> So all looks OK, but when I try to browse the shares on \\server1
> >> from another domain member I'm prompted for a username and password. Any valid domain credentials are rejected.
>
> Actually, it all looks good so far, but you need a little more setup so
> samba can authenticate accounts against AD.
>
> Do you have winbindd running?
> What does 'wbinfo -t' tell you?
> Do you have the winbind sections in smb.conf configured correctly?
> Can you get a list of AD accounts with 'wbinfo -u'?
> Did you configure nsswitch.conf correctly?
> If 'id "DOMAIN\user"' returns useful info about the user, your machine
> is authenticating with AD correctly.
> Also, ntpd needs to sync the time very closely with the domain. 'date ;
> net time -w DOMAIN' should show times that are within seconds of each other.
>
> Go back to the Samba HOWTO and review Ch. 24 and 29. Any text in the
> HOWTO that mentions NT4 or PDC or BDC configuration is not for your
> situation.
>
> Did you see my comments about winbind at the bottom of that message?

Toby: thanks for prompting me, I had missed those comments. I've configured nsswitch.conf hopefully correctly.

And when I do wbinfo -t I get:

    the trust secret via RPC calls succeeded

but only for the first five minutes after starting winbindd. After five minutes I get:

    checking the trust secret via RPC calls failed
    error code was (0x0)
    Could not check secret

wbinfo -u does not work at any point.

log.winbindd-idmap says:

    [2008/06/19 10:46:56, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
      async_request_timeout_handler: child pid 21612 is not responding. Closing connection to it.
    [2008/06/19 10:46:56, 1] nsswitch/winbindd_util.c:trustdom_recv(229)
      Could not receive trustdoms

Any more advice gratefully received.
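
An added example, not part of any poster's message: an offline lint for the smb.conf and nsswitch.conf items in the checklist quoted above. The function names, the constructed sample files and the `idmap uid` / `idmap gid` check (a Samba 3.0-era winbind setup requirement) are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: offline lint of the two files the
# checklist points at. Paths are arguments, so run it on copies if preferred.

# Print a [global] parameter's value. Samba parameter names are
# case-insensitive and ignore embedded whitespace.
global_param() {  # $1 = smb.conf path, $2 = parameter name
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = norm($0); next }
        sec == "[global]" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (norm(key) == norm(want)) found = val
        }
        END { print found }' "$1"
}

# Print one line per problem; no output means nothing was flagged.
check_member_config() {  # $1 = smb.conf, $2 = nsswitch.conf
    sec=$(global_param "$1" security | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || echo "security is not ads"
    [ -n "$(global_param "$1" realm)" ] || echo "realm not set"
    # Assumption: Samba 3.0-era winbind needs ID ranges to map AD accounts.
    for p in "idmap uid" "idmap gid"; do
        [ -n "$(global_param "$1" "$p")" ] || echo "$p not set"
    done
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:(.*[[:space:]])?winbind([[:space:]]|\$)" "$2" \
            || echo "nsswitch $db lacks winbind"
    done
    return 0
}

# Constructed sample: the [global] section quoted in the first message and
# a stock nsswitch.conf fragment (constructed, not from the thread).
demo() {
    d=$(mktemp -d)
    printf '[global]\nworkgroup = DOMAIN1\nrealm = DOMAIN1.CO.UK\nsecurity = ADS\n' > "$d/smb.conf"
    printf 'passwd: files\ngroup: files\n' > "$d/nsswitch.conf"
    check_member_config "$d/smb.conf" "$d/nsswitch.conf"
    rm -rf "$d"
}
demo
```

On the constructed sample it flags the missing ID ranges and the missing winbind entries for passwd and group; a configuration that sets all of them produces no output.
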
Leon Stringer
2008-Jun-19 15:55 UTC
[Samba] Accessing member server prompts for credentials
> From: Toby Bluhm <tkb@midwestinstruments.com>
> Date: 2008/06/19 Thu PM 01:35:32 GMT
> To: samba@lists.samba.org
> Subject: Re: [Samba] Accessing member server prompts for credentials
>
> Leon Stringer wrote:
>
> > And when I do wbinfo -t I get:
> >
> > the trust secret via RPC calls succeeded
> >
> > but only for the first five minutes after starting winbindd. After
> > five minutes I get:
> >
> > checking the trust secret via RPC calls failed
> > error code was (0x0)
> > Could not check secret
>
> My experience was that winbind worked or it didn't. Never got the half
> working results you have.
>
> Here is the smb.conf I used. It was probably samba version ~ 3.0.10. I
> do remember that once I set 'ldap ssl = no' and 'allow trusted domains =
> no' it all started working for me. Also, when I was changing settings
> around, the tdb files would keep old info and mess things up for me.
> Since it was not in production yet, what I did was:
>
> stop samba
> rm /var/cache/samba/*.tdb
> rm /etc/samba/secrets.tdb
> Rejoin the domain
> start samba

Thanks again for your help with this. I've tried to match your settings and rejoin the domain but I'm no further forward. I guess this is something that just isn't going to happen...
Leon Stringer
2008-Jun-20 08:28 UTC
[Samba] Accessing member server prompts for credentials
> From: Jeremy Allison <jra@samba.org>
> Date: 2008/06/19 Thu PM 04:58:55 GMT
> To: Leon Stringer <leon.stringer@ntlworld.com>
> CC: samba@lists.samba.org
> Subject: Re: [Samba] Accessing member server prompts for credentials
>
> On Thu, Jun 19, 2008 at 10:08:34AM +0000, Leon Stringer wrote:
> >
> > Toby: thanks for prompting me, I had missed those comments. I've configured nsswitch.conf hopefully correctly.
> >
> > And when I do wbinfo -t I get:
> >
> > the trust secret via RPC calls succeeded
> >
> > but only for the first five minutes after starting winbindd. After
> > five minutes I get:
> >
> > checking the trust secret via RPC calls failed
> > error code was (0x0)
> > Could not check secret
> >
> > wbinfo -u does not work at any point.
> >
> > log.winbindd-idmap says:
> >
> > [2008/06/19 10:46:56, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(182)
> > async_request_timeout_handler: child pid 21612 is not responding. Closing connection to it.
> > [2008/06/19 10:46:56, 1] nsswitch/winbindd_util.c:trustdom_recv(229)
> > Could not receive trustdoms
> >
> > Any more advice gratefully received.
>
> What Samba version is this please? Looks like a bug I've fixed
> recently.

3.0.30 (Fedora 8 package).