Andrew Masterson
2008-Jul-23 16:32 UTC
[Samba] Trouble authenticating to Samba shares with Win 2k3 ADS
I may have a deficiency in understanding the procedure for ADS
authentication with samba, but most of the server setup works so far. I
have bound a Red Hat Enterprise 5 server to our windows domain, it shows
up in DNS and ADS, I can ping it, but I can't get samba shares to be
accessible to users, or even get the smbclient to return shares
properly.
wbinfo -g returns the domain groups properly
wbinfo -u returns the domain users properly
[root@solar samba]# wbinfo -a 'DNAME\uname'%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@solar samba]# wbinfo -K 'DNAME\uname'%secret
plaintext kerberos password authentication for [DNAME\uname%secret]
succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
[root@solar samba]# wbinfo -t
checking the trust secret via RPC calls succeeded
So that all works fine. smbclient chokes though:
[root@solar samba]# smbclient -L solar -U 'DNAME\uname'
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@solar samba]# smbclient -L solar -U uname
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
or if I even use a samba user that I have setup with smbpasswd
[root@solar samba]# smbclient -L solar -U sambaname
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
The only log file in /var/log/samba that shows any changes is log.nmbd
[2008/07/23 08:18:47, 0] nmbd/nmbd_namequery.c:query_name_response(109)
query_name_response: Multiple (2) responses received for a query on
subnet 192.168.77.244 for name DNAME<1d>.
This response was from IP 192.168.77.216, reporting an IP address of
192.168.77.216.
Here is my smb.conf
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2008/07/17 09:25:15
[global]
workgroup = DNAME
realm = DNAME.LOCAL
netbios aliases = solar.dname.local, solar.dname.com
server string = Samba %v %h
interfaces = 192.168.77.244
security = ADS
# security = user
auth methods = winbind
use kerberos keytab = Yes
encrypt passwords = yes
winbind enum users = Yes
winbind enum groups = Yes
preferred master = No
local master = No
domain master = No
ldap ssl = no
idmap domains = DNAME
idmap uid = 10000-20000
idmap gid = 10000-20000
[T_drive]
writeable = yes
valid users = sambaname,'DNAME\uname'
public = yes
path = /data/T_drive
Here is krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DNAME.LOCAL
[realms]
DNAME.LOCAL = {
default_domain
kdc = nvautil01.DNAME.local:
admin_server = nvadom01:
}
[domain_realm]
dname.local = DNAME.LOCAL
pam.d directory samba file
[root@solar samba]# more /etc/pam.d/samba
#%PAM-1.0
auth sufficient pam_krb5afs.so
account sufficient pam_krb5afs.so
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
session sufficient pam_krb5afs.so
password sufficient pam_krb5afs.so
auth required pam_unix.so
account required pam_unix.so
session sufficient pam_winbind.so
password sufficient pam_winbind.so
Jason Gerfen
2008-Jul-23 16:53 UTC
[Samba] Trouble authenticating to Samba shares with Win 2k3 ADS
Try using the following in your smb.conf:

client signing = yes
client schannel = no
client use spnego = yes
client lanman auth = no
client NTLMv2 auth = yes
client plaintext auth = no
idmap domains = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:default = yes
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1000 - 300000000

And for troubleshooting try taking a look at the /var/log/samba/log.idmap* logs for UID/GID to SID mapping. Or you can use:

%> wbinfo -i <USER>
%> wbinfo -n <USER>
%> wbinfo -s <USER>

Hope that helps some.

Andrew Masterson wrote:
> [...]

--
Jas
Andreas Ladanyi
2008-Jul-23 18:48 UTC
[Samba] Re: Trouble authenticating to Samba shares with Win 2k3 ADS
Hey Andrew,

I read you use "idmap backend = ad". Did you install the AD schema add-on for POSIX data, for example MS SFU or AD4UNIX? In our environment we installed MS SFU 3.5. This is a part of the 2003 R2 server installation, but you have to set a tick in "Windows Components / Software Setup" to install it.

Bye,
Andy

> [...]
Volker Lendecke
2008-Jul-23 21:36 UTC
[Samba] Trouble authenticating to Samba shares with Win 2k3 ADS
On Wed, Jul 23, 2008 at 08:36:13AM -0600, Andrew Masterson wrote:
> I may have a deficiency in understanding the procedure for ADS
> authentication with samba, but most of the server setup works so far. I
> have bound a Red Hat Enterprise 5 server to our windows domain, it shows
> up in DNS and ADS, I can ping it, but I can't get samba shares to be
> accessible to users, or even get the smbclient to return shares
> properly.

You did not list your nsswitch.conf. Did you put winbind in there (and killed nscd?)?

Volker
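Volker's question points at the usual cause of this exact symptom: wbinfo talks to winbindd directly, so its checks pass, while smbd resolves the authenticated domain user through the C library's NSS layer, which only reaches winbind if /etc/nsswitch.conf lists it on the passwd and group lines (and nscd is not serving stale negative answers in front of it). The script below is an added example written for this page, not code from the thread or from the Samba project; it checks a nsswitch.conf for those entries. The two sample configs are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the thread): verify that nsswitch.conf hands
# passwd/group lookups to winbind. With security = ADS, smbd authenticates the
# user against the DC and then calls getpwnam() to map the domain account to a
# Unix uid/gid; if NSS never consults winbind, that lookup fails and the
# session setup is refused even though wbinfo -a / -K succeed.

# nsswitch_has_winbind FILE DB: succeed if the DB line in FILE lists winbind.
# Comments are stripped first so "passwd: files # winbind" does not count,
# and "winbind" must be a whole token so "winbindd" or "xwinbind" do not.
nsswitch_has_winbind() {
    sed 's/#.*//' "$1" |
        grep -Eq "^[[:space:]]*$2:(.*[[:space:]])?winbind([[:space:]]|$)"
}

# check_winbind_nss FILE: report both databases; exit 0 only if both pass.
check_winbind_nss() {
    rc=0
    for db in passwd group; do
        if nsswitch_has_winbind "$1" "$db"; then
            echo "$db: winbind present"
        else
            echo "$db: winbind missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not taken from the thread) so the check runs
# offline; on a real host point the functions at /etc/nsswitch.conf.
good_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
EOF

bad_conf=$(mktemp)
cat > "$bad_conf" <<'EOF'
# constructed sample: winbind commented out on passwd, absent on group
passwd:     files   # winbind
shadow:     files
group:      files
hosts:      files dns
EOF

echo "== sample with winbind =="
check_winbind_nss "$good_conf"
echo "== sample without winbind =="
check_winbind_nss "$bad_conf" ||
    echo "-> add winbind to the passwd and group lines, then restart winbindd"

# On the live host, also confirm the resolver actually returns the domain
# account with a uid inside the idmap range, and that no nscd cache sits in
# front of winbind (commands shown only, they need a joined host):
#   getent passwd 'DNAME\uname'
#   pgrep -x nscd && service nscd stop
rm -f "$good_conf" "$bad_conf"
```

Run it as-is to see both outcomes, or source it and call `check_winbind_nss /etc/nsswitch.conf` on the Samba host; a non-zero exit means smbd cannot turn the authenticated SID into a Unix identity no matter what the smb.conf idmap settings say.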