Hi
I have a s3 fileserver joined to a s4 DC
Here is smb.conf on the fileserver:
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config HH3:backend = ad
idmap config HH3:range = 20000-40000000
idmap config HH3:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = Yes
[users]
path = /home/users
read only = No
getent passwd works fine and shows AD users. But cifs mount fails:
sudo mount -t cifs //oliva/users --verbose /mnt -osec=krb5
mount.cifs kernel mount options: ip=127.0.0.1,unc=\\oliva\users,sec=krb5,user=root,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
the log gives:
May 26 12:35:05 oliva cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=oliva;ip4=127.0.0.1;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6f3
May 26 12:35:05 oliva cifs.upcall: ver=2
May 26 12:35:05 oliva cifs.upcall: host=oliva
May 26 12:35:05 oliva cifs.upcall: ip=127.0.0.1
May 26 12:35:05 oliva cifs.upcall: sec=1
May 26 12:35:05 oliva cifs.upcall: uid=0
May 26 12:35:05 oliva cifs.upcall: creduid=0
May 26 12:35:05 oliva cifs.upcall: user=root
May 26 12:35:05 oliva cifs.upcall: pid=1779
May 26 12:35:05 oliva cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
May 26 12:35:05 oliva cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is valid ccache
May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: getting service ticket for oliva
May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: obtained service ticket
May 26 12:35:05 oliva kernel: [ 612.342045] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
May 26 12:35:05 oliva kernel: [ 612.342109] CIFS VFS: Send error in SessSetup = -13
May 26 12:35:05 oliva kernel: [ 612.343323] CIFS VFS: cifs_mount failed w/return code = -13
smbd fails with this:
Maximum core file size limits now 16777216(soft) -1(hard)
smbd version 3.6.9 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
uid=0 gid=0 euid=0 egid=0
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[users]"
adding IPC service
added interface eth0 ip=fe80::a00:27ff:fe7c:2d50%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.1.110 bcast=192.168.1.255 netmask=255.255.255.0
loaded services
Initialise the svcctl registry keys if needed.
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Initialise the eventlog registry keys if needed.
Closed policy
get_dc_list: preferred server list: "hh16.hh3.site, *"
Successfully contacted LDAP server 192.168.1.16
get_dc_list: preferred server list: "hh16.hh3.site, *"
get_dc_list: preferred server list: "hh16.hh3.site, *"
Successfully contacted LDAP server 192.168.1.16
Connected to LDAP server hh16.hh3.site
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration dom, 26 may 2013 22:46:04 CEST
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
reloading printcap cache
reload status: ok
waiting for connections
Unable to connect to CUPS server localhost:631 - Transport endpoint is not connected
failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Could not find child 1808 -- ignoring
Allowed connection from 127.0.0.1 (127.0.0.1)
init_oplocks: initializing messages.
Linux kernel oplocks enabled
Transaction 0 of length 82 (0 toread)
switch message SMBnegprot (pid 1807) conn 0x0
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
Requested protocol [POSIX 2]
using SPNEGO
Selected protocol NT LM 0.12
Transaction 1 of length 1450 (0 toread)
switch message SMBsesssetupX (pid 1807) conn 0x0
wct=12 flg2=0xd801
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[Linux version 3.8.0-22-generic] NativeLanMan=[CIFS VFS Client for Linux] PrimaryDomain=[]
reply_spnego_negotiate: Got secblob of size 1227
libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab succeeded for principal host/oliva.hh3.site@HH3.SITE
Found account name from PAC: Administrator []
Kerberos ticket principal name is [Administrator@HH3.SITE]
Username HH3\Administrator is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
Server exit (failed to receive smb request)
Anyone please? In particular, why NTLM authentication? Why is "Username HH3\Administrator invalid on this system"? I've tried without "winbind use default domain =" but nada.
Cheers,
Steve
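As an added illustration (not part of Steve's post or of Samba itself), the following script walks the smbd session-setup lines quoted above and separates the two things that can go wrong with a krb5 mount: the keytab check of the client's ticket, and the later step where smbd has to resolve the PAC account to a local passwd entry. The sample log is constructed from the post (mail wrapping undone, "@" restored); the follow-up commands it suggests are the standard Samba/MIT tools and are assumed to be installed on the member server.

```python
import re

# Constructed sample: the smbd session-setup lines from the post, with the
# mail client's line wrapping undone and the archive's " at " restored to "@".
SMBD_LOG = """\
Doing spnego session setup
reply_spnego_negotiate: Got secblob of size 1227
libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab succeeded for principal host/oliva.hh3.site@HH3.SITE
Found account name from PAC: Administrator []
Kerberos ticket principal name is [Administrator@HH3.SITE]
Username HH3\\Administrator is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

def diagnose_sesssetup(log_text):
    """Report how far a Kerberos SMB session setup got in an smbd log.
    stage: no_kerberos | ticket_rejected (keytab verification failed) |
    mapping_failed (ticket verified, but the PAC account could not be
    resolved to a local passwd entry via NSS/winbind) | accepted."""
    d = {"stage": "no_kerberos", "service_principal": None, "realm": None,
         "pac_account": None, "invalid_user": None, "nt_status": None}
    for line in log_text.splitlines():
        m = re.search(r"succeeded for principal (\S+?)@(\S+)", line)
        if m and "krb5_rd_req" in line:          # ticket decrypted with our keytab
            d["service_principal"], d["realm"] = m.group(1), m.group(2)
            d["stage"] = "accepted"
        elif "krb5_rd_req" in line and "failed" in line:
            d["stage"] = "ticket_rejected"
        m = re.search(r"Found account name from PAC: (\S+)", line)
        if m:
            d["pac_account"] = m.group(1)
        m = re.search(r"Username (\S+) is invalid on this system", line)
        if m:                                     # Kerberos was fine; identity mapping was not
            d["invalid_user"] = m.group(1)
            if d["stage"] == "accepted":
                d["stage"] = "mapping_failed"
        m = re.search(r"(NT_STATUS_\w+)", line)
        if m:
            d["nt_status"] = m.group(1)
    return d

def next_checks(d):
    """Admin-side follow-ups implied by the stage (commands assumed available)."""
    if d["stage"] == "ticket_rejected":
        return ["klist -k", "net ads testjoin", "net ads keytab list"]
    if d["stage"] == "mapping_failed":
        u = d["invalid_user"]
        return [f"getent passwd '{u}'", f"wbinfo -i '{u}'", f"wbinfo -n '{u}'",
                "confirm the account carries uidNumber/gidNumber (idmap backend ad, rfc2307)"]
    return []
```

For the log in the post the stage comes out as mapping_failed, which is why the NT_STATUS_LOGON_FAILURE here is a winbind/NSS lookup problem rather than a Kerberos one.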