Geoff Rowland
2014-Apr-25 15:27 UTC
[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade
To be safe, I performed a clean installation of Ubuntu 14.04 to make sure the upgrade process wasn't breaking things. I am able to join a domain, however it will always tell me invalid password when trying to log in with a domain account. I guess that the major change was going from Samba3 to Samba4 with these versions. I don't see anything crazy in the samba logs. Am I missing something? Here are the steps I followed:

    apt-get install krb5-config krb5-user winbind samba smbclient libnss-winbind libpam-winbind

config files:

smb.conf (had a more complex one but using this simple one for testing):

    [global]

    workgroup = MYDOMAIN
    security = ADS
    realm = MYDOMAIN.COM
    netbios name = trusty

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 500-40000

    winbind nss info = rfc2307
    [test]
    path = /srv/samba/test
    read only = no

krb5.conf:

    [libdefaults]
    default_realm = MYDOMAIN.COM
    ticket_lifetime = 24000
    allow_weak_crypto = yes
    [realms]
    MYDOMAIN.COM = {
    kdc = my.domain.com
    admin_server = my.domain.com
    default_domain = MYDOMAIN.COM
    }

    [domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
    [login]
    krb4_convert = true
    krb4_get_tickets = false

/etc/nsswitch.conf

    passwd: compat winbind
    group: compat winbind
    shadow: compat

    hosts: files mdns4_minimal [NOTFOUND=return] dns wins
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    netgroup: nis

net ads join -U username

successfully joins the domain
kinit account at MYDOMAIN.COM
klist confirms ticket created
su domainuser = "user not in passwd"
log out and try to log in with domain user = "invalid password"
log in with local account type
wbinfo -u shows domain users
wbinfo -g shows domain groups

not sure what else to try?
these exact steps work in Ubuntu 12.04
steve
2014-Apr-25 15:41 UTC
[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade
On Fri, 2014-04-25 at 11:27 -0400, Geoff Rowland wrote:
>
> not sure what else to try?

Look at the log at the time of the login. Unless 14.04 has changed radically, I'd:

    tail -f /var/log/syslog

Anything?
HTH
Steve
Rowland Penny
2014-Apr-25 16:11 UTC
[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade
On 25/04/14 16:27, Geoff Rowland wrote:
> To be safe, I performed a clean installation of Ubuntu 14.04 to make
> sure the upgrade process wasn't breaking things. I am able to join a
> domain, however it will always tell me invalid password when trying to
> log in with a domain account. I guess that the major change was going
> from Samba3 to Samba4 with these versions. I don't see anything crazy
> in the samba logs. Am I missing something? here are the steps I
> followed:
>
> apt-get install krb5-config krb5-user winbind samba smbclient
> libnss-winbind libpam-winbind
>
> config files:
>
> smb.conf (had a more complex one but using this simple one for testing):
>
> [global]
>
> workgroup = MYDOMAIN
> security = ADS
> realm = MYDOMAIN.COM
> netbios name = trusty
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 500-40000
>
> winbind nss info = rfc2307
> [test]
> path = /srv/samba/test
> read only = no
>
> krb5.conf:
>
> [libdefaults]
> default_realm = MYDOMAIN.COM
> ticket_lifetime = 24000
> allow_weak_crypto = yes
> [realms]
> MYDOMAIN.COM = {
> kdc = my.domain.com
> admin_server = my.domain.com
> default_domain = MYDOMAIN.COM
> }
>
> [domain_realm]
> .mydomain.com = MYDOMAIN.COM
> mydomain.com = MYDOMAIN.COM
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> /etc/nsswitch.conf
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns wins
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> net ads join -U username
>
> successfully joins the domain
> kinit account at MYDOMAIN.COM
> klist confirms ticket created
> su domainuser = "user not in passwd"
> log out and try to log in with domain user = "invalid password"
> log in with local account type
> wbinfo -u shows domain users
> wbinfo -g shows domain groups
>
> not sure what else to try?
> these exact steps work in Ubuntu 12.04
>

Hi, does 'getent passwd' show your domain users ?

Rowland
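
Added example, not part of any message in this thread: a shell check for the symptom pattern reported above, where wbinfo -u lists domain users but su reports "user not in passwd". It compares saved wbinfo -u output with saved getent passwd output and confirms that nsswitch.conf lists winbind; the file names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File inputs keep it runnable offline;
# on a live host: wbinfo -u > wb.txt ; getent passwd > nss.txt

# Succeed if database $2 (passwd, group, ...) in nsswitch.conf $1 lists winbind.
nsswitch_has_winbind() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# Print users from `wbinfo -u` output ($1) that have no entry in
# `getent passwd` output ($2). Names are compared case-insensitively,
# both with and without the DOMAIN\ prefix.
nss_missing_users() {
    awk -F: '
        FILENAME == ARGV[1] { seen[tolower($1)] = 1; next }  # getent passwd
        {
            full = tolower($0); short = full
            sub(/^.*\\/, "", short)                          # strip DOMAIN\
            if (!(full in seen) && !(short in seen)) print $0
        }' "$2" "$1"
}

# Constructed sample data: alice and bob resolve through NSS, carol does not.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'MYDOMAIN\alice' 'MYDOMAIN\bob' 'MYDOMAIN\carol' > "$d/wb.txt"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'MYDOMAIN\alice:*:1001:513::/home/MYDOMAIN/alice:/bin/bash' \
        'bob:*:1002:513::/home/bob:/bin/bash' > "$d/nss.txt"
    printf '%s\n' 'passwd: compat winbind' 'group: compat winbind' \
        'shadow: compat' > "$d/nsswitch.conf"
    nsswitch_has_winbind "$d/nsswitch.conf" passwd && echo "passwd: winbind listed"
    nss_missing_users "$d/wb.txt" "$d/nss.txt"
    rm -rf "$d"
}

demo
```

Any name it prints is known to winbind but invisible to NSS, which is the layer su and PAM logins depend on.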