Chris Bolton wrote:
> Hi all,
>
> I've set up a CentOS machine with samba version 3.0.28-1.el5_2.1 to join a
> Windows 2003 ADS. Everything seemed to go fine while joining the domain:
>
> [root@mailserver ~]# net ads join -U administrator
> administrator's password:
> Using short domain name -- MYDOMAIN
> Joined 'MAILSERVER' to realm 'MYDOMAIN.LOCAL'
>
> The trouble I'm having is authorizing users.
>
> When connecting to the CentOS machine from a Windows XP machine it pops up
> a username and password dialog. Entering in my details just pops it up
> again as it would if I'd entered them incorrectly. Nothing is recorded in
> the logs on the CentOS machine (either in /var/log/messages or
> /var/log/samba/smbd.log) and I am unable to proceed.
>
> If I try a username in the dialog box that does not exist on the domain I
> get an error in /var/log/messages:
>
> Aug 28 12:58:06 mailserver smbd[23786]: [2008/08/28 12:58:06, 0]
> auth/auth_domain.c:domain_client_validate(260)
> Aug 28 12:58:06 mailserver smbd[23786]: domain_client_validate: unable to
> validate password for user dave in domain MYDOMAIN to Domain controller
> MANS01.MYDOMAIN.LOCAL. Error was NT_STATUS_NO_SUCH_USER.
Have you tried looking at the samba guides?
NT_STATUS_NO_SUCH_USER means just that, Samba cannot find the username
in Active Directory.
Some tools to help you are 'getent passwd | grep <username>' and
'wbinfo -i <username>'.
You can also turn up the logging with the 'log level' directive in the
smb.conf.
>
>
> I'm guessing it's a problem with the way the CentOS machine is passing on the
> logon details but without an error message I'm a bit stuck. Any help would
> be grateful.
>
> Cheers.
>
> Config files below:
>
> /etc/krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MYDOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> MYDOMAIN.LOCAL = {
> kdc = mans01
> admin_server = mans01
> default_domain = mydomain.local
> }
>
> [domain_realm]
> .mydomain.local = MYDOMAIN.LOCAL
> mydomain.local = MYDOMAIN.LOCAL
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> /etc/samba/smb.conf
>
> [global]
>
> workgroup = MYDOMAIN
> netbios name = mailserver
> server string = Samba Server 3.0
> security = ads
> realm = MYDOMAIN.LOCAL
> password server = mans01
> encrypt passwords = yes
> printcap name = /etc/printcap
> load printers = yes
> printing = cups
> log file = /var/log/samba/%m.log
> max log size = 0
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = no
> domain master = no
> preferred master = no
> dns proxy = no
>
> #============================ Share Definitions =============================
>
> [public]
> comment = Share
> path = /home/public
> public = yes
> writable = yes
> printable = no
--
Jas
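
Once 'log level' is raised, the smbd entries in /var/log/messages multiply, so it helps to pull the failed validations out by user and status code. The script below is an added example, not part of the original thread: it parses the two-line smbd format quoted above (unwrapped, one syslog entry per line) and pairs each debug header with its message. The second failure in the sample, for user "alice", is constructed for illustration.

```python
import re
from collections import Counter

SYSLOG = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) smbd\[(\d+)\]: (.*)$")
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\] (\S+):(\w+)\((\d+)\)$")
FAILURE = re.compile(
    r"unable to validate password for user (\S+) in domain (\S+) "
    r"to Domain controller (\S+)\. Error was (NT_STATUS_\w+)"
)

# Constructed sample: first entry is the one quoted in the thread, second is invented.
SAMPLE = """\
Aug 28 12:58:06 mailserver smbd[23786]: [2008/08/28 12:58:06, 0] auth/auth_domain.c:domain_client_validate(260)
Aug 28 12:58:06 mailserver smbd[23786]: domain_client_validate: unable to validate password for user dave in domain MYDOMAIN to Domain controller MANS01.MYDOMAIN.LOCAL. Error was NT_STATUS_NO_SUCH_USER.
Aug 28 12:59:41 mailserver smbd[23790]: [2008/08/28 12:59:41, 0] auth/auth_domain.c:domain_client_validate(260)
Aug 28 12:59:41 mailserver smbd[23790]: domain_client_validate: unable to validate password for user alice in domain MYDOMAIN to Domain controller MANS01.MYDOMAIN.LOCAL. Error was NT_STATUS_WRONG_PASSWORD.
"""

def parse_failures(text):
    """Pair each smbd debug header with the message that follows it (same PID)."""
    pending = {}  # pid -> header fields still waiting for their message line
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # not an smbd syslog entry
        _, host, pid, body = m.groups()
        h = HEADER.match(body)
        if h:
            pending[pid] = {"time": h.group(1), "level": int(h.group(2)),
                            "source": f"{h.group(3)}:{h.group(5)}"}
            continue
        f = FAILURE.search(body)
        if f:
            event = pending.pop(pid, {})  # header may be missing if logs were cut
            event.update(host=host, user=f.group(1), domain=f.group(2),
                         dc=f.group(3), status=f.group(4))
            events.append(event)
    return events

def count_by_status(events):
    """Tally failures per NT_STATUS code to see which kind dominates."""
    return Counter(e["status"] for e in events)

if __name__ == "__main__":
    for e in parse_failures(SAMPLE):
        print(e.get("time"), e["user"], e["dc"], e["status"])
    print(count_by_status(parse_failures(SAMPLE)))
```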