Lee Allen
2013-May-24 21:12 UTC
[Samba] Unable to get Samba-3.6.12 to authenticate using ADS
I have a Samba-4 system running as an Active Directory server. It's
working great: computers are joined to it, users are logged in, etc. Good
job Samba developers, and thank you!
But of course I am not satisfied. Now I want to configure another server
(well, a VM) as a file server using Samba-3.6.12. I want it to refer to
the Samba4 server for all user authentication. My understanding of the
documentation is that I set "server = ads" and join the samba3 system to my
domain. I do not need to create any users/accounts on the Samba3
(fileserver) system.
Am I right so far?
But, it's not working -- it is not authenticating requests using the AD
server. There are error messages coming out of Samba that I don't
understand (no surprise there).
I have read the relevant documentation, including the Domain Membership
section, and I have followed the instructions here:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
Here are the details.
AD is Samba-4 running on samba-ad.allenlan.net (192.168.0.13).
Fileserver is Samba-3.6.12 on smb-test-zone.allenlan.net (192.168.0.17).
A Win7 PC named t110-win7-base.allenlan.net (192.168.0.93) is joined to the
domain, user "allenlan\lallen" is logged in to it, and I attempt to map a
share on the Samba-3.6.12 system using:
# net use L: \\192.168.0.17\Lee
this prompts for username (it should not), I enter "allenlan\lallen" (or
"allenlan.net\lallen"), it prompts for password, and I enter that. The
authentication fails - the log file is below.
# cat /opt/local/etc/samba/smb.conf
[global]
workgroup = ALLENLAN
server string = Samba %v (%h)
realm = allenlan.net
security = ads
password server = 192.168.0.13
load printers = no
guest account = guest
(omitting the shares)
# kinit administrator at ALLENLAN.NET
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator at ALLENLAN.NET
Issued Expires Principal
May 24 19:44:08 2013 May 25 05:44:08 2013 krbtgt/ALLENLAN.NET at ALLENLAN.NET
# net ads join -U Administrator%password
# net ads testjoin
Join is OK
# net ads info
LDAP server: 192.168.0.13
LDAP server name: samba-ad.allenlan.net
Realm: ALLENLAN.NET
Bind Path: dc=ALLENLAN,dc=NET
LDAP port: 389
Server time: Fri, 24 May 2013 19:44:36 UTC
KDC server: 192.168.0.13
Server time offset: 0
# /opt/local/sbin/smbd -i -d3 -s /opt/local/etc/samba/smb.conf
Maximum core file size limits now -3(soft) -3(hard)
smbd version 3.6.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
uid=0 gid=0 euid=0 egid=0
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/opt/local/etc/samba/smb.conf"
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/opt/local/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[Lee]"
adding IPC service
added interface net0 ip=192.168.0.17 bcast=192.168.0.255
netmask=255.255.255.0
loaded services
Initialise the svcctl registry keys if needed.
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Initialise the eventlog registry keys if needed.
Closed policy
get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
Successfully contacted LDAP server 192.168.0.13
get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
Successfully contacted LDAP server 192.168.0.13
Connected to LDAP server samba-ad.allenlan.net
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178 at please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration Sat, 25 May 2013 05:46:13 UTC
reloading printcap cache
No Printers found!!!
reload status: error
waiting for connections
Allowed connection from 192.168.0.93 (192.168.0.93)
init_oplocks: initializing messages.
Transaction 0 of length 159 (0 toread)
switch message SMBnegprot (pid 85924) conn 0x0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
Requested protocol [SMB 2.002]
Requested protocol [SMB 2.???]
using SPNEGO
Selected protocol NT LM 0.12
Transaction 1 of length 1622 (0 toread)
switch message SMBsesssetupX (pid 85924) conn 0x0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
reply_spnego_negotiate: Got secblob of size 1476
libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error
Decrypt integrity check failed
libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error
Decrypt integrity check failed
Found account name from PAC: lallen []
Kerberos ticket principal name is [lallen at ALLENLAN.NET]
Username ALLENLAN\lallen is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
Transaction 2 of length 1508 (0 toread)
switch message SMBsesssetupX (pid 85924) conn 0x0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
reply_spnego_negotiate: Got secblob of size 1362
libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error
Decrypt integrity check failed
libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error
Decrypt integrity check failed
Found account name from PAC: lallen []
Kerberos ticket principal name is [lallen at ALLENLAN.NET]
Username ALLENLAN\lallen is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
receive_smb_raw_talloc failed for client 192.168.0.93 read error NT_STATUS_CONNECTION_RESET.
Server exit (failed to receive smb request)
This has had me stumped for several days. Thank you for any & all help.
Lee Allen
Rowland Penny
2013-May-25 08:24 UTC
[Samba] Unable to get Samba-3.6.12 to authenticate using ADS
Hi, you probably haven't set up NSS etc. so that your fileserver knows about
your AD users. Have a read here:
https://wiki.samba.org/index.php/Samba_%26_Active_Directory

Then once you have understood what needs to be done, go here:
http://linuxcostablanca.blogspot.co.uk/2013/04/sssd-in-samba-40.html

The above is about using sssd instead of winbind; sssd is a lot easier to
use than winbind.

There is also a page (on the sssd website) about using sssd against Windows
2008 server (AD):
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

Rowland

On 24 May 2013 22:12, Lee Allen <lee at leecallen.com> wrote:
> [Lee's original message, quoted in full above, is not repeated here.]
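The smbd -d3 log above carries the diagnosis in two adjacent lines: "Found account name from PAC: lallen" shows the Kerberos ticket was decrypted and verified, and "Username ALLENLAN\lallen is invalid on this system" shows the failure is the later step of mapping that domain user to a local account, which is exactly the NSS/winbind (or sssd) gap Rowland points at. The script below is an added example, not code from the thread or from Samba: it groups an smbd debug log by SMB transaction and classifies each session setup so this "authenticated but unmapped" case is told apart from a genuine ticket-decrypt failure (that second category is my assumption, not something the log above exhibits). The sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample: the negprot and first session-setup transactions from the smbd -d3 log above, trimmed.
SAMPLE_LOG = """\
Transaction 0 of length 159 (0 toread)
switch message SMBnegprot (pid 85924) conn 0x0
Transaction 1 of length 1622 (0 toread)
switch message SMBsesssetupX (pid 85924) conn 0x0
libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error
libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error
Found account name from PAC: lallen []
Username ALLENLAN\\lallen is invalid on this system
NT_STATUS_LOGON_FAILURE
"""
PAC_RE = re.compile(r"Found account name from PAC: (\S+)")
INVALID_RE = re.compile(r"Username (\S+) is invalid on this system")
ENCTYPE_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt")

def split_transactions(log):
    """Group lines per 'Transaction N' header so each SMB request is triaged alone."""
    groups, current = [], []
    for line in log.splitlines():
        if line.startswith("Transaction ") and current:
            groups.append(current)
            current = []
        current.append(line)
    if current:
        groups.append(current)
    return groups

def triage(lines):
    """Did the ticket verify, and did the domain user then resolve locally?"""
    text = "\n".join(lines)
    pac, invalid = PAC_RE.search(text), INVALID_RE.search(text)
    failed = [int(e) for e in ENCTYPE_RE.findall(text)]
    result = {"failed_enctypes": failed}
    if pac and invalid:
        # PAC extracted means a keytab key did decrypt the ticket, so Kerberos is
        # fine; the DOMAIN\user -> uid lookup failed: NSS/winbind (or sssd) missing.
        result.update(verdict="identity_mapping", pac_account=pac.group(1),
                      user=invalid.group(1))
    elif failed and not pac:
        # Assumed non-page case: nothing decrypted the ticket (keytab/join or clock).
        result.update(verdict="ticket_decrypt")
    else:
        result.update(verdict="no_kerberos_auth")  # e.g. the negprot exchange
    return result

def triage_log(log):
    return [triage(t) for t in split_transactions(log)]
```

The per-enctype "failed to decrypt" lines for types 18 and 17 are recorded but not treated as the fault, since the PAC line proves a later key in the keytab succeeded.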