Dear Help,

We are in the process of setting up a new domain using Active Directory on Windows Server 2003R2. One of our goals was to use Active Directory for authentication on our AIX box (running version 6.1). I was able to successfully set up Kerberos, and the LDAP client to connect to our AD server so that you can now log in to the AIX box with users found in Active Directory. However, no matter what I try, I am unable to get Samba (also running on the same AIX box) to authenticate against the same AD server. Oh, and I'm running Samba 3.0.28 (from the AIX binaries available on the Samba website).

When I try and connect from a test machine (running Windows XP SP2) I get the following in the logs (machine: Novel-Idea, username: test01, domain: TEST):

check_ntlm_password: Checking password for unmapped user [TEST]\[test01]@[NOVEL-IDEA] with the new password interface
[2008/08/08 09:55:29, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password: mapped user is: [TEST]\[test01]@[NOVEL-IDEA]
[2008/08/08 09:55:29, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/08/08 09:55:29, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/08/08 09:55:29, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/08/08 09:55:29, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/08 09:55:29, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [test01] -> [test01] FAILED with error NT_STATUS_NO_SUCH_USER
[2008/08/08 09:55:29, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

However, I can get successful results using wbinfo:

From wbinfo -u:
administrator
guest
support_388945a0
krbtgt
test02
host_aixplay1
test01
testcopy

From wbinfo -g:
BUILTIN+administrators
BUILTIN+users
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
testgrp1
testgrp2
testgrp3
staff

From wbinfo -a test01%password:
plaintext password authentication succeeded
challenge/response password authentication succeeded

From wbinfo -K test01%password:
plaintext kerberos password authentication for [test01%password] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

So, it makes me think that I'm missing something obvious in my smb.conf, but after searching around, I haven't found much.

Any help would be greatly appreciated. See my configs below:

SMB.CONF
# Global parameters
[global]
workgroup = TEST
realm = TEST.LOCAL
security = ADS
encrypt passwords = yes
password server = IP.OF.AD.SERVER
log level = 3
log file = /opt/pware/samba/3.0.28/var/log.%m
max log size = 50
# idmap backend = ad
# idmap uid = 100000-40000000
# idmap gid = 100000-40000000

idmap domains = TEST
idmap config TEST:backend = ad
idmap config TEST:default = yes
idmap config TEST:schema_mode = rfc2307
idmap config DOMAIN:range = 100000-40000000

# auth methods = winbind
# use kerberos keytab = yes
# ldap ssl = no

winbind separator = +
winbind use default domain = Yes
winbind nested groups = Yes
winbind enum users = yes
winbind enum groups = yes
# winbind nss info = rfc2307

[anyone]
path = /home/anyone
guest ok = yes
browseable = yes

[testing]
path = /home/testing
guest ok = no
valid users = test01
admin users = test01
write list = test01

KRB5.CONF
[libdefaults]
default_realm = TEST.LOCAL
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
TEST.LOCAL = {
kdc = adtest.test.local:88
admin_server = adtest.test.local:749
default_domain = test.local
}

[domain_realm]
.test.local = TEST.LOCAL
adtest.test.local = TEST.LOCAL

[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
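A small config lint, added here as an example and not part of the thread, that parses the [global] section of an smb.conf like the one posted above (a constructed subset is embedded inline) and flags idmap config keys whose domain label is not a configured domain, such as the `idmap config DOMAIN:range` line sitting beside the `idmap config TEST:*` keys, plus any listed domain that names a backend but no range. The thread does not establish that either point explains the NT_STATUS_NO_SUCH_USER result; the lint only makes the inconsistency visible, and its rules are this example's own, not Samba's.

```python
import re

# Constructed subset of the [global] section posted above; the share sections are omitted.
SMB_CONF = """\
[global]
workgroup = TEST
realm = TEST.LOCAL
security = ADS
idmap domains = TEST
idmap config TEST:backend = ad
idmap config TEST:default = yes
idmap config TEST:schema_mode = rfc2307
idmap config DOMAIN:range = 100000-40000000
winbind use default domain = Yes
# winbind nss info = rfc2307
"""


def parse_global(text):
    """Return the [global] parameters as {lowercased key: value}; comments are skipped."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def lint_idmap(params):
    """Hypothetical lint: flag idmap config keys whose domain label is neither the
    workgroup nor in 'idmap domains', and configured domains with a backend but no range."""
    findings = []
    workgroup = params.get("workgroup", "").upper()
    domains = {d.upper() for d in params.get("idmap domains", "").replace(",", " ").split()}
    if workgroup:
        domains.add(workgroup)
    seen = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):(\S+)", key)
        if not m:
            continue
        dom, opt = m.group(1).upper(), m.group(2)
        seen.setdefault(dom, {})[opt] = value
        if dom not in domains:
            findings.append(f"idmap config {dom}:{opt} names a domain that is neither the workgroup nor in 'idmap domains'")
    for dom in sorted(domains):
        opts = seen.get(dom, {})
        if "backend" in opts and "range" not in opts:
            findings.append(f"idmap domain {dom}: backend '{opts['backend']}' configured but no range")
    return findings
```

Running `lint_idmap(parse_global(SMB_CONF))` on the posted keys reports the DOMAIN:range label and the missing TEST range; renaming that one key to `idmap config TEST:range` clears both findings.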
Matt Anderson wrote:
> Dear Help,
>
> We are in the process of setting up a new domain using Active Directory on
> Windows Server 2003R2. One of our goals was to use Active Directory for
> authentication on our AIX box (running version 6.1). I was able to successfully
> set up Kerberos, and the LDAP client to connect to our AD server so that you can
> now log in to the AIX box with users found in Active Directory. However, no
> matter what I try, I am unable to get Samba (also running on the same AIX box)
> to authenticate against the same AD server. Oh, and I'm running Samba 3.0.28
> (from the AIX binaries available on the Samba website).
>
> When I try and connect from a test machine (running Windows XP SP2) I get the
> following in the logs (machine: Novel-Idea, username: test01, domain: TEST):
> check_ntlm_password: Checking password for unmapped user
> [TEST]\[test01]@[NOVEL-IDEA] with the new password interface
> [2008/08/08 09:55:29, 3] auth/auth.c:check_ntlm_password(224)
>   check_ntlm_password: mapped user is: [TEST]\[test01]@[NOVEL-IDEA]
> [2008/08/08 09:55:29, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2008/08/08 09:55:29, 3] smbd/uid.c:push_conn_ctx(358)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2008/08/08 09:55:29, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2008/08/08 09:55:29, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/08/08 09:55:29, 2] auth/auth.c:check_ntlm_password(319)
>   check_ntlm_password: Authentication for user [test01] -> [test01] FAILED with
> error NT_STATUS_NO_SUCH_USER
> [2008/08/08 09:55:29, 3] smbd/error.c:error_packet_set(106)
>   error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
>
> However, I can get successful results using wbinfo:
> From wbinfo -u:
> administrator
> guest
> support_388945a0
> krbtgt
> test02
> host_aixplay1
> test01
> testcopy
>
> From wbinfo -g:
> BUILTIN+administrators
> BUILTIN+users
> domain computers
> domain controllers
> schema admins
> enterprise admins
> domain admins
> domain users
> domain guests
> group policy creator owners
> dnsupdateproxy
> testgrp1
> testgrp2
> testgrp3
> staff
>
> From wbinfo -a test01%password:
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> From wbinfo -K test01%password
> plaintext kerberos password authentication for [test01%password] succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0

Have you tried to look at the user account information using ldapsearch? Just to ensure the POSIX account data is present in AD. If you are attempting to authenticate as a domain user try the username as DOMAIN\Username.

>
> So, it makes me think that I'm missing something obvious in my smb.conf, but
> after searching around, I haven't found much.
>
> Any help would be greatly appreciated. See my configs below:
>
> SMB.CONF
> # Global parameters
> [global]
> workgroup = TEST
> realm = TEST.LOCAL
> security = ADS
> encrypt passwords = yes
> password server = IP.OF.AD.SERVER
> log level = 3
> log file = /opt/pware/samba/3.0.28/var/log.%m
> max log size = 50
> # idmap backend = ad
> # idmap uid = 100000-40000000
> # idmap gid = 100000-40000000
>
> idmap domains = TEST
> idmap config TEST:backend = ad
> idmap config TEST:default = yes
> idmap config TEST:schema_mode = rfc2307
> idmap config DOMAIN:range = 100000-40000000
>
> # auth methods = winbind
> # use kerberos keytab = yes
> # ldap ssl = no
>
> winbind separator = +
> winbind use default domain = Yes
> winbind nested groups = Yes
> winbind enum users = yes
> winbind enum groups = yes
> # winbind nss info = rfc2307
>
> [anyone]
> path = /home/anyone
> guest ok = yes
> browseable = yes
>
> [testing]
> path = /home/testing
> guest ok = no
> valid users = test01
> admin users = test01
> write list = test01
>
> KRB5.CONF
> [libdefaults]
> default_realm = TEST.LOCAL
> default_keytab_name = FILE:/etc/krb5/krb5.keytab
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>
> [realms]
> TEST.LOCAL = {
> kdc = adtest.test.local:88
> admin_server = adtest.test.local:749
> default_domain = test.local
> }
>
> [domain_realm]
> .test.local = TEST.LOCAL
> adtest.test.local = TEST.LOCAL
>
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> default = FILE:/var/krb5/log/krb5lib.log
>

--
Jason Gerfen