-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/19/2011 10:16 AM, Bruno Martins wrote:
> Hello everyone.
>
> I am running Samba on a Debian system, and I'm currently getting the
> following error on the logs:
>
> [2011/09/19 15:06:36.708281, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
> Username GALILEU-F\bmartins is invalid on this system
>
> Being GALILEU-F my Windows domain and bmartins my username.
>
> However, both 'wbinfo -g' and 'wbinfo -u' are working fine.
> Also, 'kinit (...)' works.
>
> My smb.conf:
> [global]
> workgroup = GALILEU-F
> realm = GALILEU-F.GALILEU.PT
> server string = Samba Server
> security = ADS
> auth methods = winbind
> password server = 192.168.0.2
> username map = /etc/samba/smbusers
> client NTLMv2 auth = Yes
> log file = /var/log/samba/log.%m
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> printcap name = cups
> dns proxy = No
> wins server = 192.168.0.2
> idmap uid = 200000-300000
> idmap gid = 200000-300000
> winbind use default domain = Yes
> winbind trusted domains only = Yes
> cups options = raw
>
> My krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = GALILEU-F.GALILEU.PT
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> GALILEU-F.GALILEU.PT = {
> kdc = jupiter.galileu-f.galileu.pt
> admin_server = jupiter.galileu-f.galileu.pt
> default_domain = galileu-f.galileu.pt
> }
>
> [domain_realm]
> .jupiter.galileu-f.galileu.pt = GALILEU-F.GALILEU.PT
> .galileu-f.galileu.pt = GALILEU-F.GALILEU.PT
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> And... /etc/nsswitch.conf:
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> Can someone please give me a light on this?
>
> Best regards,
>
> Bruno Martins
Bruno,
You are using the option "winbind use default domain = Yes", so AD users
should be able to access with just their username and there should be no
need to pre-pend the domain and backslash.
Robert
- --
________
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk53XnMACgkQup357T5MfTZcugCgvNMoqvTIPIlHdkov7i/ThBvK
x94AniXBk960e1L4ompA1nW+Wm+qZvAI
=yDia
-----END PGP SIGNATURE-----
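
Robert's point checked against the posted configuration, as an added example that is not part of the original thread: the script reads `winbind use default domain` from smb.conf, derives the name forms to look up for the account in the log line, and confirms that `passwd` in nsswitch.conf consults winbind. The helper names are hypothetical, the inputs are trimmed copies of the files quoted above, and the `\` fallback is Samba's default `winbind separator`.

```python
import re
import shlex

# Constructed inputs: trimmed copies of the smb.conf and nsswitch.conf in the post.
SMB_CONF = """\
[global]
workgroup = GALILEU-F
security = ADS
winbind use default domain = Yes
winbind trusted domains only = Yes
"""
NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n"

def parse_global(text):
    """Return the [global] parameters; Samba ignores case and spaces in names."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def is_true(value):
    return value.strip().lower() in ("yes", "true", "on", "1")

def nss_names(params, logged_name):
    """Name forms to look up: the bare name first when the default domain applies."""
    sep = params.get("winbindseparator", "\\")
    domain, _, user = logged_name.rpartition(sep)
    in_default = bool(domain) and domain.upper() == params.get("workgroup", "").upper()
    if in_default and is_true(params.get("winbindusedefaultdomain", "no")):
        return [user, logged_name]
    return [logged_name]

def nss_uses_winbind(nsswitch, database="passwd"):
    for line in nsswitch.splitlines():
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return "winbind" in sources.split()
    return False

def lookup_commands(params, logged_name):
    """Shell-quoted getent commands to run on the Samba host."""
    return ["getent passwd " + shlex.quote(n) for n in nss_names(params, logged_name)]

if __name__ == "__main__":
    print("passwd via winbind:", nss_uses_winbind(NSSWITCH))
    print("\n".join(lookup_commands(parse_global(SMB_CONF), "GALILEU-F\\bmartins")))
```

Comparing which of the printed `getent passwd` lookups returns an entry on the Samba host shows under which name form the system knows the account.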