samba - Apr 2015 - winbind authentication for user FAILED with error NT_STATUS_WRONG_PASSWORD

Hello,

I'm trying to authenticate to a Samba file server version 3.6.6 which is 
joined to a samba AD version 4.1.17.  The problem is that I can't seem 
to login using smbclient -L //172.16.0.229/itdev -U shemgp tothe file 
server and the server displays the error:

winbind authentication for user [shemgp] FAILED with error 
NT_STATUS_WRONG_PASSWORD

even if I use the correct password.  The client says:
session setup failed: NT_STATUS_LOGON_FAILURE

Here's my smb.conf on the file server:

[global]
         workgroup = AIIAS
         realm = AIIAS.EDU
         netbios name = INTRANET
         server string = Intranet Gateway Server
         security = ADS
         pam password change = Yes
         passwd program = /usr/bin/passwd %u
         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
         map untrusted to domain = Yes
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 1000
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         dns proxy = No
         wins server = 172.16.0.245
         usershare allow guests = Yes
         panic action = /usr/share/samba/panic-action %d
         template homedir = /home/users/%U
         winbind cache time = 100
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind offline logon = Yes
         idmap config AIIAS:schema_mode = rfc2307
         idmap config AIIAS:range = 30000-999999
         idmap config AIIAS:default = yes
         idmap config AIIAS:backend = rid
         idmap config * : range = 1000000-1999999
         idmap config * : backend = tdb
         invalid users = root
[itdev]
         comment = IT Development Docs
         path = /space/shares/itdev
         valid users = itdirector, glenson, shemgp
         force group = f_itdev
         read only = No
         create mask = 0770
         directory mask = 0770

Is there any thing wrong with my setup?

Thanks for your help.

All the best,

Shem Pasamba

On 06/04/15 03:05, Shem Pasamba wrote:
> Hello,
>
> I'm trying to authenticate to a Samba file server version 3.6.6 which 
> is joined to a samba AD version 4.1.17.  The problem is that I can't 
> seem to login using smbclient -L //172.16.0.229/itdev -U shemgp tothe 
> file server and the server displays the error:
>
> winbind authentication for user [shemgp] FAILED with error 
> NT_STATUS_WRONG_PASSWORD
>
> even if I use the correct password.  The client says:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> Here's my smb.conf on the file server:
>
> [global]
>         workgroup = AIIAS
>         realm = AIIAS.EDU
>         netbios name = INTRANET
>         server string = Intranet Gateway Server
>         security = ADS
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
> *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
>         map untrusted to domain = Yes
>         syslog = 0
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         dns proxy = No
>         wins server = 172.16.0.245
>         usershare allow guests = Yes
>         panic action = /usr/share/samba/panic-action %d
>         template homedir = /home/users/%U
>         winbind cache time = 100
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>         winbind offline logon = Yes
>         idmap config AIIAS:schema_mode = rfc2307
>         idmap config AIIAS:range = 30000-999999
>         idmap config AIIAS:default = yes
>         idmap config AIIAS:backend = rid
>         idmap config * : range = 1000000-1999999
>         idmap config * : backend = tdb
>         invalid users = root
> [itdev]
>         comment = IT Development Docs
>         path = /space/shares/itdev
>         valid users = itdirector, glenson, shemgp
>         force group = f_itdev
>         read only = No
>         create mask = 0770
>         directory mask = 0770
>
> Is there any thing wrong with my setup?
>
> Thanks for your help.
>
> All the best,
>
> Shem Pasamba
OK, try changing the global part of your smb.conf to this:

[global]
         workgroup = AIIAS
         realm = AIIAS.EDU
         netbios name = INTRANET
         server string = Intranet Gateway Server
         security = ADS
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 1000
         dns proxy = No
         wins server = 172.16.0.245
         usershare allow guests = Yes
         panic action = /usr/share/samba/panic-action %d
         template homedir = /home/users/%U
         template shell = /bin/bash
         winbind cache time = 100
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind refresh tickets = Yes
         winbind offline logon = Yes
         idmap config AIIAS:range = 30000-999999
         idmap config AIIAS:backend = rid
         idmap config * : range = 1000000-1999999
         idmap config * : backend = tdb
         invalid users = root

The users ID is calculated using this formula:

ID = RID - BASE_RID + LOW_RANGE_ID

The BASE_RID is 0 unless set in smb.conf, so this becomes:

ID = RID - 0 + 30000

Which means (unless you have changed samba4) that your first AD user 
should be 31000

So, after making the suggested changes, what does 'getent passwd shemgp'
?

Rowland