yan at seiner.com
2014-Feb-06 21:43 UTC
[Samba] AD integration - Administrator can log in but no one else can
I have an Ubuntu 12.04 LTS server that I am trying to get integrated into the company AD.

The global AD administrator with the username Administrator can log in and access the shares on the samba box.

No other user, even users with Administrator privileges, can.

  check_ntlm_password: authentication for user [Administrator] -> [Administrator] -> [WIKI\Administrator] succeeded

  check_ntlm_password: Authentication for user [yans] -> [yans] FAILED with error NT_STATUS_NO_SUCH_USER

The yans user (me) can log into any computer except the samba box. Even if I granted Admin privileges I am still refused.

Eventually I need to integrate this into our existing network but for now I need to get user logins working.

The users do not have unix accounts on the samba box. They do not need any accounts unless required to by samba.

I can't figure out what I am doing wrong. I have tried many things; here's my current smb.conf:

[global]
    workgroup = hpm
    server string = %h server (Samba/Ubuntu)
    log level = 2
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ads
    realm = hpm.net

    idmap backend = lwopen
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes

    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    usershare allow guests = yes

[mediawiki]
    comment = Manuals Wiki Folders
    read only = yes
    path = /srv/mediawiki
    read list = @wikiread
    guest ok = no
[manuals]
    comment = Manuals for download
    path = /srv/mediawiki/downloads
    browsable = yes
    writeable = yes
    read list = @wikiread
    write list = @wikiwrite
    create mask = 0775
    guest ok = no
[covers]
    comment = cover images for manuals
    path = /srv/mediawiki/local/covers
    browsable = yes
    writeable = yes
    read list = @wikiread
    write list = @wikiwrite
    guest ok = no
    create mask = 0775

/etc/nsswitch.conf:

passwd:         compat lsass winbind
group:          compat lsass winbind
shadow:         compat

hosts:          files dns winbind wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
yan at seiner.com
2014-Feb-06 21:57 UTC
[Samba] AD integration - Administrator can log in but no one else can
> I have an Ubuntu 12.04 LTS server that I am trying to get integrated into
> the company AD.
>
> The global AD administrator with the username Administrator can log in and
> access the shares on the samba box.
>
> No other user, even users with Administrator privileges, can.
>
>   check_ntlm_password: authentication for user [Administrator] ->
> [Administrator] -> [WIKI\Administrator] succeeded
>
>   check_ntlm_password: Authentication for user [yans] -> [yans] FAILED
> with error NT_STATUS_NO_SUCH_USER

Here's what's puzzling - wbinfo returns my userid so I know it's valid. Why am I getting NO_SUCH_USER?

wbinfo -u
...
HPM\yans
L.P.H. van Belle
2014-Feb-07 09:36 UTC
[Samba] AD integration - Administrator can log in but no one else can
Hai,

In your global smb.conf, set realm in CAPS.

I see your workgroup = HPM
but Administrator auths with: WIKI\Administrator
and your users with: wbinfo -u ... HPM\yans

So this isn't right, I'm thinking. Is your server name WIKI?

Regards,

Louis

>-----Original message-----
>From: yan at seiner.com [mailto:samba-bounces at lists.samba.org]
>On behalf of yan at seiner.com
>Sent: Thursday 6 February 2014 22:43
>To: samba at lists.samba.org
>Subject: [Samba] AD integration - Administrator can log in
>but no one else can
>
>I have an Ubuntu 12.04 LTS server that I am trying to get
>integrated into
>the company AD.
>
>The global AD administrator with the username Administrator
>can log in and
>access the shares on the samba box.
>
>No other user, even users with Administrator privileges, can.
>
>  check_ntlm_password: authentication for user [Administrator] ->
>[Administrator] -> [WIKI\Administrator] succeeded
>
>  check_ntlm_password: Authentication for user [yans] -> [yans] FAILED
>with error NT_STATUS_NO_SUCH_USER
>
>The yans user (me) can log into any computer except the samba
>box. Even
>if I granted Admin privileges I am still refused.
>
>Eventually I need to integrate this into our existing network
>but for now
>I need to get user logins working.
>
>The users do not have unix accounts on the samba box. They do not need
>any accounts unless required to by samba.
>
>I can't figure out what I am doing wrong.
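The cross-check made by hand in the reply above (configured realm and workgroup against the domain names that appear in the check_ntlm_password log lines and in the wbinfo output), as an added example that is not part of the original thread. The sample input is constructed from the values the posters quoted; the function names are hypothetical.

```python
import re

# Constructed sample input: values copied from the messages in this thread.
SMB_CONF = "[global]\n workgroup = hpm\n security = ads\n realm = hpm.net\n[manuals]\n path = /srv/mediawiki/downloads\n"
LOG = r"""
check_ntlm_password:  authentication for user [Administrator] -> [Administrator] -> [WIKI\Administrator] succeeded
check_ntlm_password:  Authentication for user [yans] -> [yans] FAILED with error NT_STATUS_NO_SUCH_USER
"""
WBINFO_U = r"HPM\yans"  # output of `wbinfo -u`, as posted

# Success lines carry the DOMAIN\user the login was mapped to; failures carry an NT status.
OK_RE = re.compile(r"authentication for user \[[^\]]*\] -> \[[^\]]*\] -> \[([^\\\]]+)\\([^\]]+)\] succeeded", re.I)
FAIL_RE = re.compile(r"authentication for user \[([^\]]*)\] -> \[[^\]]*\] FAILED with error (\S+)", re.I)

def global_params(conf_text):
    """Return the [global] section of an smb.conf as a dict (keys lower-cased)."""
    params, section = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def check(conf_text, log_text, wbinfo_users):
    """List the mismatches the reply points at; reports only, changes nothing."""
    p = global_params(conf_text)
    findings = []
    realm = p.get("realm", "")
    if realm != realm.upper():
        findings.append(f"realm '{realm}' is not upper case")
    workgroup = p.get("workgroup", "").upper()
    for domain, user in OK_RE.findall(log_text):
        if domain.upper() != workgroup:
            findings.append(f"{user} authenticated as {domain}\\{user}, not in workgroup {workgroup}")
    winbind = {u.split("\\", 1)[1].lower(): u for u in wbinfo_users.split() if "\\" in u}
    for user, status in FAIL_RE.findall(log_text):
        seen = winbind.get(user.lower())
        note = f" although winbind lists {seen}" if seen else ""
        findings.append(f"{user} failed with {status}{note}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SMB_CONF, LOG, WBINFO_U)))
```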