Geoff Winkless
2011-Feb-18 17:13 UTC
[Samba] samba ADS-based authentication fails with NT_STATUS_NO_SUCH_USER but wbinfo works
Once again, I forgot to change the "To:" line so apologies to Andrew, who will have this twice....

Hi Andrew, thanks for the response.

(I've modified the subject line because I just realised I mis-remembered the error message when I typed the subject line before...)

I was running 3.0.33 on both boxes with identical conf files; it wasn't working then, so I updated to 3.5 in case it improved matters (it didn't). I can't get onto the first box right now cos I don't have admin rights on it and the owner's not here, but I'll try to get the output from testparm on Monday.

krb5.conf file looks like this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LAN.XXXX.CO.UK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 LAN.XXXX.CO.UK = {
  kdc = 192.168.3.1
  admin_server = 192.168.3.1
  default_domain = LAN.XXXX.CO.UK
 }

[domain_realm]
 .lan.xxxx.co.uk = LAN.XXXX.CO.UK
 lan.xxxx.co.uk = LAN.XXXX.CO.UK

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Thanks again

Geoff

On 18 February 2011 16:32, Andrew Masterson <Andrew.Masterson at nuvistaenergy.com> wrote:
> First thing I would do is a testparm -v on both the old and new boxes, and do a diff -a on those files to see what has changed.
>
> Samba changes default options between versions so what may have worked on an older version is not guaranteed to work on the new ones.
>
> Also, what does your krb5.conf file look like?
>
> -=Andrew
Andrew Masterson
2011-Feb-18 17:28 UTC
[Samba] samba ADS-based authentication fails with NT_STATUS_NO_SUCH_USER but wbinfo works
> On 18 February 2011 16:32, Andrew Masterson
> <Andrew.Masterson at nuvistaenergy.com> wrote:
> > First thing I would do is a testparm -v on both the old and new boxes, and do a diff -a on those files to see what has changed.
> >
> > Samba changes default options between versions so what may have worked on an older version is not guaranteed to work on the new ones.
> >
> > Also, what does your krb5.conf file look like?
> >
> > -=Andrew

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Geoff Winkless
> Sent: Friday, February 18, 2011 10:14 AM
> To: samba
> Subject: Re: [Samba] samba ADS-based authentication fails with NT_STATUS_NO_SUCH_USER but wbinfo works
>
> Once again, I forgot to change the "To:" line so apologies to Andrew,
> who will have this twice....
>
> Hi Andrew, thanks for the response.
>
> (I've modified the subject line because I just realised I
> mis-remembered the error message when I typed the subject line
> before...)
>
> I was running 3.0.33 on both boxes with identical conf files; it
> wasn't working then, so I updated to 3.5 in case it improved matters
> (it didn't). I can't get onto the first box right now cos I don't have
> admin rights on it and the owner's not here, but I'll try to get the
> output from testparm on Monday.
>
> krb5.conf file looks like this:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = LAN.XXXX.CO.UK
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  LAN.XXXX.CO.UK = {
>   kdc = 192.168.3.1
>   admin_server = 192.168.3.1
>   default_domain = LAN.XXXX.CO.UK
>  }
>
> [domain_realm]
>  .lan.xxxx.co.uk = LAN.XXXX.CO.UK
>  lan.xxxx.co.uk = LAN.XXXX.CO.UK
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
> Thanks again
>
> Geoff
>

Your krb5.conf file looks pretty much the same, except I had to modify mine to get it to work with 2008 DCs, I specify the ports in the realms section, and have no kdc profile. Did you copy that kdc.conf file over as well (if it is needed at all?)

default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

-=Andrew
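
The comparison suggested in this thread (testparm -v on both boxes, then a diff), as an added example that is not part of the original messages: a parameter-level diff that ignores ordering and name case, so a parameter that exists on only one side stands out. The two dumps are constructed samples, and the names parse_dump and diff_dumps are hypothetical.

```python
# Added example: parameter-level diff of two `testparm -v` dumps.
# OLD_DUMP / NEW_DUMP are constructed samples with illustrative values,
# not output from the servers discussed in the thread.
OLD_DUMP = """\
[global]
    realm = LAN.XXXX.CO.UK
    security = ADS
    use kerberos keytab = No
    winbind use default domain = Yes
"""
NEW_DUMP = """\
[global]
    realm = LAN.XXXX.CO.UK
    security = ADS
    kerberos method = secrets only
    winbind use default domain = No
"""


def parse_dump(text):
    """Map (section, parameter) -> value. Names are normalised the way
    smb.conf treats them: case-insensitive, runs of whitespace collapsed."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            # Only the first '=' separates name from value.
            name, value = line.split("=", 1)
            params[(section, " ".join(name.lower().split()))] = value.strip()
    return params


def diff_dumps(old_text, new_text):
    """Return sorted (section, parameter, old, new) rows for every
    difference; None marks a parameter present on only one side."""
    old, new = parse_dump(old_text), parse_dump(new_text)
    return [(s, p, old.get((s, p)), new.get((s, p)))
            for s, p in sorted(set(old) | set(new))
            if old.get((s, p)) != new.get((s, p))]


if __name__ == "__main__":
    for section, name, before, after in diff_dumps(OLD_DUMP, NEW_DUMP):
        print(f"[{section}] {name}: {before!r} -> {after!r}")
```

To use it on real systems, save the output of `testparm -s -v` from each box to a file and pass the two file contents to diff_dumps.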