Hi,

I am trying to set up Samba version 3.2.3 on a Redhat (RHEL5) server to use Active Directory for authentication. I followed the instructions from the article at the following website:
http://technet.microsoft.com/en-au/magazine/dd228986.aspx

I set up Winbind + Samba + Kerberos and it seems to work fine. I can see the users in Active Directory through winbind as well as authenticate users using NTLM authentication.

The problem is that I am unable to access the Samba share from Windows clients as an AD user. Analyzing the network traffic on the SMBD port gives:
---
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error:STATUS_LOGON_FAILURE
---

I can however access the Samba share as a local user in the Samba server via smbpasswd:
---
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\192.168.97.5\global
166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
---

Winbind gives the following error; I am not sure if this is significant, for I can access the AD via "wbinfo":
[2008/11/26 15:22:58, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm

Please see attached for configuration detail + detailed error log. Googling helped me to get so far, but not completely resolve this issue.

Please advise.

Thanks in Advance,
-Kums

-------------- next part --------------

i) Software Version

samba-client-3.2.3
samba-common-3.2.3
samba-3.2.3
samba-doc-3.2.3
samba-winbind-32bit-3.2.3
samba-swat-3.2.3
samba-debuginfo-3.2.3
krb5-workstation-1.5-17
krb5-libs-1.5-17
krb5-devel-1.5-17
krb5-auth-dialog-0.7-1
pam_krb5-2.2.11-1
krb5-devel-1.5-17
krb5-libs-1.5-17
pam_krb5-2.2.11-1

ii) Configure Kerberos

cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTDOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TESTDOMAIN.LOCAL = {
  kdc = 172.16.4.10
  default_domain = TESTDOMAIN.LOCAL
 }

[domain_realm]
 .testdomain = TESTDOMAIN.LOCAL
 testdomain = TESTDOMAIN.LOCAL
 .localdomain = TESTDOMAIN.LOCAL
 localdomain = TESTDOMAIN.LOCAL
 sol.datadirectnet.com = TESTDOMAIN.LOCAL
 testdomain.local = TESTDOMAIN.LOCAL
 .testdomain.local = TESTDOMAIN.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

iii) Authenticate a user against AD via Kerberos

kinit Administrator@TESTDOMAIN.LOCAL
Password for Administrator@TESTDOMAIN.LOCAL:

iv) List Kerberos Tickets

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TESTDOMAIN.LOCAL

Valid starting     Expires            Service principal
11/26/08 14:54:36  11/27/08 00:54:39  krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
        renew until 11/27/08 14:54:36

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

v) Configure WinBind + PAM

/etc/nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind

cat /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_mkhomedir.so skel=/etc/skel umask=0644
session required pam_unix.so

vi) Winbind started and can see users in AD

/etc/init.d/winbind status
winbindd (pid 14574 14562 14561 14459 14458) is running...

wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -u list
D1950-01+kums
D1950-01+tristan
TESTDOMAIN+administrator
TESTDOMAIN+guest
TESTDOMAIN+krbtgt
TESTDOMAIN+testuser

wbinfo -g
TESTDOMAIN+domain computers
TESTDOMAIN+domain controllers
TESTDOMAIN+schema admins
TESTDOMAIN+enterprise admins
TESTDOMAIN+cert publishers
TESTDOMAIN+domain admins
TESTDOMAIN+domain users

wbinfo -a TESTDOMAIN+testuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

vii) Modify /etc/pam.d/samba

/etc/pam.d/samba

auth required pam_stack.so service=system-auth
auth required pam_env.so
auth sufficient pam_krb5 use_first_pass
auth include /lib/security/pam_winbind.so
auth required pam_deny.so
session required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
account include /lib/security/pam_winbind.so
password required pam_stack.so service=system-auth

viii) Configure smb.conf

[global]
 workgroup = TESTDOMAIN
 realm = TESTDOMAIN.LOCAL
 security = ADS
 password server = 172.16.4.10
 client NTLMv2 auth = Yes
 log file = /var/log/samba/log.%m
 max log size = 50
 smb ports = 445
 use mmap = No
 dns proxy = No
 socket address = 192.168.97.5
 idmap backend = ad
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 template shell = /bin/bash
 winbind separator = +
 winbind enum users = Yes
 winbind enum groups = Yes
 nfs4:acedup = merge
 nfs4:chown = yes
 nfs4:mode = special
 force unknown acl user = Yes

[global-share]
 path = /mnt/global
 read only = No
 inherit permissions = Yes
 inherit acls = Yes

ix) Samba running

/etc/init.d/smb status
smbd (pid 32010 32006) is running...
nmbd (pid 31998) is running...

lsof -i TCP:445
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
winbindd 31799 root 17u IPv4 8034872 TCP D1950-01.sol.datadirectnet.com:57534->172.16.4.10:microsoft-ds (ESTABLISHED)
winbindd 31800 root 17u IPv4 8034855 TCP D1950-01.sol.datadirectnet.com:57532->172.16.4.10:microsoft-ds (ESTABLISHED)
smbd 32006 root 19u IPv4 8035491 TCP node1:microsoft-ds (LISTEN)

x) Join to AD is successful

net ads testjoin
Join is OK

xi) Authentication of AD user seems to work fine

ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=testuser
password:
NT_STATUS_OK: Success (0x0)

xii) /etc/init.d/iptables status

Firewall is stopped.

xiii) Analyze Network Traffic on SMBD port

Login as TESTDOMAIN\testuser (in Windows System)

10.844796 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
10.844932 192.168.97.2 -> 192.168.97.5 SMB Trans2 Request, GET_DFS_REFERRAL, File: \192.168.97.5\global-share
10.844993 192.168.97.5 -> 192.168.97.2 SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NOT_FOUND
10.849712 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
10.849800 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
11.033663 192.168.97.2 -> 192.168.97.5 TCP capmux > microsoft-ds [ACK] Seq=1616 Ack=1172 Win=15213 Len=0
20.944057 192.168.97.2 -> 192.168.97.5 SMB Logoff AndX Request
20.944152 192.168.97.5 -> 192.168.97.2 SMB Logoff AndX Response
20.944231 192.168.97.2 -> 192.168.97.5 SMB Tree Disconnect Request
20.944360 192.168.97.5 -> 192.168.97.2 SMB Tree Disconnect Response

Login as D1950-01\kums (in Windows System)

163.625577 192.168.97.2 -> 192.168.97.5 TCP 4746 > microsoft-ds [ACK] Seq=1024 Ack=855 Win=15530 Len=0
166.059399 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
166.059551 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\192.168.97.5\global-share
166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response

xiv) Winbind Error

[2008/11/26 15:22:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dc$@TESTDOMAIN (Cannot find KDC for requested realm)
[2008/11/26 15:22:58, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
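
The winbind log above names the realm TESTDOMAIN, while the posted krb5.conf defines a KDC only for TESTDOMAIN.LOCAL and sets dns_lookup_kdc = false. The following added example (not part of the original post) checks for that kind of mismatch: it pulls the realm out of each "Cannot find KDC" log line and reports the ones krb5.conf gives no way to locate. The helper names `parse_krb5` and `unresolved_realms` are hypothetical, and the sample inputs are constructed from the excerpts in the message.

```python
import re

# Constructed sample: relevant parts of the krb5.conf and winbind log quoted above.
KRB5_CONF = """\
[libdefaults]
 default_realm = TESTDOMAIN.LOCAL
 dns_lookup_kdc = false
[realms]
 TESTDOMAIN.LOCAL = {
  kdc = 172.16.4.10
  default_domain = TESTDOMAIN.LOCAL
 }
"""
LOG = """\
[2008/11/26 15:22:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dc$@TESTDOMAIN (Cannot find KDC for requested realm)
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) parsed from krb5.conf text."""
    section, realm, libdefaults, realms = None, None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value.startswith("{"):
                realm = key
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def unresolved_realms(conf_text, log_text):
    """Realms named in 'Cannot find KDC' log lines that krb5.conf cannot locate."""
    libdefaults, realms = parse_krb5(conf_text)
    # Assumption: only an explicit true/yes counts as DNS SRV lookup enabled.
    dns_ok = libdefaults.get("dns_lookup_kdc", "false").lower() in ("true", "yes", "on", "1")
    failed = re.findall(r"failed for \S+@(\S+) \(Cannot find KDC", log_text)
    # Realm names are case-sensitive, so TESTDOMAIN and TESTDOMAIN.LOCAL differ.
    return sorted({r for r in failed if not dns_ok and not realms.get(r)})

if __name__ == "__main__":
    print(unresolved_realms(KRB5_CONF, LOG))
```
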
saddam abu ghaida
2008-Nov-29 02:23 UTC
[Samba] SMBD not authenticating against Active Directory
could you add the following and send the generated log files

os level = 3 passdb:5 auth:10 winbind:5

* spnego has something to do with this failure

regards,
saddam abu ghaida

On Thu, Nov 27, 2008 at 2:01 AM, Kums <kumaran.rajaram@gmail.com> wrote:
> Hi,
>
> I am trying to setup Samba version 3.2.3 on Redhat (RHEL5) server to use
> Active Directory for authentication. I followed the instructions from
> article in following website:
> http://technet.microsoft.com/en-au/magazine/dd228986.aspx
>
> Setup Winbind + Samba + Kerberos and it seems to work fine. I can see the
> users in Active Directory through winbind as well as authenticate users
> using NTLM authentication.
>
> Problem is that I am unable to access Samba share from Windows clients as AD
> user. Analyzing the network traffic on SMBD port gives:
> ---
> 10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\testuser
> 10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error:STATUS_LOGON_FAILURE
> --
>
> I can however access the Samba share as local user in the Samba server via
> smbpasswd:
> ---
> 166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\kums
> 166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
> 166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\192.168.97.5\global
> 166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
> ---
>
> Winbind gives following error, not sure if this is significant for I can
> access the AD via "wbinfo"
> [2008/11/26 15:22:58, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
>
> Please see attached for configuration detail + detailed error log. Googling
> helped me to get so far, but not completely resolve this issue.
>
> Please advise.
>
> Thanks in Advance,
> -Kums
Hi Saddam,

Please find the Samba log file attached with the below log level settings.

Sorry for the delay in response.

Regards,
-Kums

On Fri, Nov 28, 2008 at 7:22 PM, saddam abu ghaida <saddam.abughaida@gmail.com> wrote:
> could you add the following and send the generated log files
>
> os level = 3 passdb:5 auth:10 winbind:5
>
> * spnego has something to do with this failure
>
> regards,
> saddam abu ghaida
saddam abu ghaida
2008-Dec-01 07:46 UTC
[Samba] SMBD not authenticating against Active Directory
hello,

add the following to samba

socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap config TESTDOMAIN: default = yes
idmap config TESTDOMAIN: backend = rid
idmap config TESTDOMAIN: range = 10777216-57554431
idmap alloc TESTDOMAIN: range = 10777216-57554431
winbind nested groups = yes
winbind use default domain = no
prefered master = no

and remove the following

idmap backend = ad
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

if you are still facing the same problem please send the new log once again

regards,
Saddam Abu Ghaida

On Sun, Nov 30, 2008 at 6:13 AM, Kums <kumaran.rajaram@gmail.com> wrote:
> Hi Saddam,
>
> Please find the Samba log file attached with the below log level settings.
>
> Sorry for the delay in response.
>
> Regards,
> -Kums