  1. #1
    Just Joined!
    Join Date
    Feb 2005
    Posts
    1

    samba ldap winbindd kerberos with active directory errors


    My problem consists of Samba + Winbindd + Ldap + Kerberos not
    authenticating with Active Directory. For example, if I do 'smbclient -L
    localhost -U username%password(active directory account)' I get
    NT_STATUS_LOGIN_FAILURE. I've debugged for quite some time trying to
    pinpoint some sort of configuration that needs to be changed or added.
    In my experience I think the problem resolves at ldap, but I cannot find
    anything. I can do a kerberos successfully (kinit), wbinfo
    successfully (wbinfo -u), join the domain successfully (net ads join), a
    ldapsearch successfully (ldapsearch -h host.domain.com). The
    smb.conf, krb5.conf configs were pulled from other older but stable Linux
    servers and were modified for each server.

    I see a lot of folks posting similar problems relating to OpenLDAP but
    cannot seem to relate exactly what I'm experiencing. I'm stumped.

    The thing that is really throwing me is that I seem to be able in some
    odd way to authenticate to my active directory accounts using the
    smbclient command, I just can't do it unless an account with the same
    name exists on my BSD box.

    I ran the following test:
    1) created a user named smbuser with the password "password"
    2) placed the user in the mitsadmin group to give access to the share
    3) tried an smbclient -L localhost -Usmbuser, the error returned was:

    #####################################
    session setup failed: NT_STATUS_LOGON_FAILURE
    #####################################

    4) I then created an account smbuser with the password "diffpass"
    5) tried an smbclient -L localhost -Usmbuser again, this time with the AD
    passwd "password" and got:

    #####################################
    Domain=[TECH] OS=[Unix] Server=[Samba 3.0.11]

    Sharename Type Comment
    --------- ---- -------
    IPC$ IPC IPC Service (FreeBSD Samba Server)
    ADMIN$ IPC IPC Service (FreeBSD Samba Server)
    Domain=[TECH] OS=[Unix] Server=[Samba 3.0.11]

    Server Comment
    --------- -------
    CDSRV4 FreeBSD Samba Server
    ADC3

    Workgroup Master
    --------- -------
    TECH ADC3
    #####################################

    6) tried an smbclient -L localhost -Usmbuser again, this time with the unix
    passwd "diffpass" and got:

    session setup failed: NT_STATUS_LOGON_FAILURE

    It seems there may be some intermediate step before the AD lookup that
    may be holding up authentication.

    The error message in my log file is as follows

    #####################################
    [2005/03/21 14:53:37, 3] auth/auth.c:check_ntlm_password(219)
    check_ntlm_password: Checking password for unmapped user [TECH]\[smbuser]@[CDSRV4] with the new password interface
    [2005/03/21 14:53:37, 3] auth/auth.c:check_ntlm_password(222)
    check_ntlm_password: mapped user is: [TECH]\[smbuser]@[CDSRV4]
    [2005/03/21 14:53:37, 3] smbd/sec_ctx.c:push_sec_ctx(256)
    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2005/03/21 14:53:37, 3] smbd/uid.c:push_conn_ctx(365)
    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2005/03/21 14:53:37, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2005/03/21 14:53:37, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2005/03/21 14:53:37, 3] auth/auth_util.c:make_server_info_info3(1156)
    User smbuser does not exist, trying to add it
    [2005/03/21 14:53:37, 0] auth/auth_util.c:make_server_info_info3(1163)
    make_server_info_info3: pdb_init_sam failed!
    [2005/03/21 14:53:37, 2] auth/auth.c:check_ntlm_password(312)
    check_ntlm_password: Authentication for user [smbuser] -> [smbuser] FAILED with error NT_STATUS_NO_SUCH_USER
    [2005/03/21 14:53:37, 3] smbd/process.c:timeout_processing(1334)
    timeout_processing: End of file from client (client has disconnected).
    [2005/03/21 14:53:37, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2005/03/21 14:53:37, 2] smbd/server.c:exit_server(609)
    Closing connections
    [2005/03/21 14:53:37, 3] smbd/connection.c:yield_connection(69)
    Yielding connection to
    [2005/03/21 14:53:37, 3] smbd/server.c:exit_server(652)
    Server exit (normal exit)
    #####################################

    Versions of packages installed:
    samba-3.0.11.tar.gz
    openldap-2.2.24.tgz
    freebsd-5.3-RELEASE-i386
    heimdal-0.6.1(kerberos)
    *compiled samba with ldap,winbindd,krb5


    Configuration Files:

    smb.conf
    #####################################
    [global]
    workgroup = TECH
    netbios name = SERVER3
    realm = host.domain.com
    security = ads
    encrypt passwords = yes
    password server = server.host.domain.com
    wins server = server.host.domain.com
    name resolve order = lmhosts host wins bcast
    log file = /var/log/samba/%m.log
    server string = FreeBSD Samba Server
    log level = 10
    allow trusted domains = No
    winbind use default domain = yes
    winbind trusted domains only = No
    winbind cache time = 10
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/sh
    template homedir = /home/%D/%U
    idmap uid = 10000-50000
    idmap gid = 10000-20000

    #============================ Share Definitions ==============================

    #Used for reimaging labs
    [IMAGES]
    comment = Ghost Images
    path = /data/pub/images
    browseable = no
    read only = no
    write list = @mitsadmin
    read list = @techs, ghost
    #####################################


    krb5.conf
    #####################################
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = HOST.DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    HOST.DOMAIN.COM = {
    kdc = server.host.domain.com:88
    admin_server = server.host.domain.com:749
    default_domain = host.domain.com
    }

    [domain_realm]
    .host.domain.com = HOST.DOMAIN.COM
    host.domain.com = HOST.DOMAIN.COM

    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }
    #####################################

    nsswitch.conf
    #####################################
    passwd: files winbind
    group: files winbind
    hosts: files dns
    #####################################
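
The log excerpt in the first post can be triaged mechanically. As an added example (not part of the original thread), this Python sketch groups Samba log records and separates failures that follow a `make_server_info_info3` "does not exist" line from plain credential failures. The stage labels, the `otheruser` record and the reading that the "does not exist" line marks a Unix account mapping failure are assumptions, based on the poster's test with a same-named local account.

```python
import re

# Samba 3 log record header: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\]\s+\S+:(\w+)\(\d+\)$")
FAILED = re.compile(r"user \[[^\]]*\] -> \[([^\]]*)\]\s+FAILED\s+with error (NT_STATUS_\w+)")
NO_UNIX = re.compile(r"User (\S+) does not exist, trying to add it")

# Constructed sample: the first three records follow the post's excerpt,
# the last record (otheruser) is invented for contrast.
SAMPLE = """\
[2005/03/21 14:53:37, 3] auth/auth_util.c:make_server_info_info3(1156)
  User smbuser does not exist, trying to add it
[2005/03/21 14:53:37, 0] auth/auth_util.c:make_server_info_info3(1163)
  make_server_info_info3: pdb_init_sam failed!
[2005/03/21 14:53:37, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [smbuser] -> [smbuser]
  FAILED
  with error NT_STATUS_NO_SUCH_USER
[2005/03/21 14:55:02, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [otheruser] -> [otheruser] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

def parse_records(text):
    """Group each header line with the (possibly wrapped) message after it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": m.group(3), "msg": ""})
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def classify_failures(records):
    """Return (user, status, stage) for each failed check_ntlm_password."""
    unmapped, results = set(), []
    for rec in records:
        m = NO_UNIX.search(rec["msg"])
        if rec["func"] == "make_server_info_info3" and m:
            unmapped.add(m.group(1))  # no Unix account resolved for this name
        m = FAILED.search(rec["msg"])
        if rec["func"] == "check_ntlm_password" and m:
            user, status = m.groups()
            stage = "unix-account-mapping" if user in unmapped else "credential-check"
            results.append((user, status, stage))
            unmapped.discard(user)
    return results
```

A `unix-account-mapping` result points the investigation at name resolution on the Samba host (the `passwd:` line in nsswitch.conf and the idmap ranges) rather than at the password or the Kerberos setup.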

  2. #2
    rvalba
    Just Joined!
    Join Date
    Mar 2007
    Posts
    1

    same problem with me

    Hi,

    My problem is exactly like yours, and I've been working on this for weeks now. I'm just new with Linux and new with this company. Any solution for this problem? Thank you very much.

    Reymark
