Hi,

just like:

http://lists.samba.org/archive/samba/2004-May/085521.html

http://lists.samba.org/archive/samba/2004-May/085808.html

huh?

Another *just* came in also:

http://lists.samba.org/archive/samba/2004-May/085881.html

Well, this one has many persons puzzled. The best place so far is:

http://www.linuxquestions.org/questions/showthread.php?s=&threadid=161506

I guess that the Samba community (which of course we are part of) still does not have the solution for this problem, since it has not been answered/addressed by anybody in great length/detail. The HOWTO addresses it in: http://se.samba.org/samba/docs/man/howto/domain-member.html#ads-member but really that is no HOWTO, as long as it does not show you HOW-TO.

I also guess that some people that have followed this thread for a while are starting to get bugged by me :)

Sorry I can't help you, I have not figured it out either.

YS
Anders Berg

At 18:18 13.05.2004 -0400, William R. Lorenz wrote:
Samba Team,

I've been trying to get my Samba server to authenticate users against a
Windows 2000 Active Directory domain controller, and it just doesn't work.
I've encountered a TREMENDOUS amount of postings from people who have run
into the same issue, and there's never any responses with a resolution.
I must have viewed more than 500 postings over the course of the day.

I have a seemingly valid Samba configuration file.  All of the `wbinfo
-u`, `wbinfo -g`, `getent passwd`, and `getent group` commands work just
fine.  However, `wbinfo -t` and `wbinfo -a` don't work, and I can't
authenticate users against the domain controller.  As an example:

  [EMAIL PROTECTED] samba]# net ads join -U Administrator
  Administrator's password:
  [2004/05/13 17:49:30, 0] libads/ldap.c:ads_add_machine_acct(1006)
    Host account for nasone already exists - modifying old account
  Using short domain name -- ECHUDSON
  Joined 'NASONE' to realm 'HUDSON-OFFICE.ECEDIINC.COM'
  [EMAIL PROTECTED] samba]# net rpc join -U Administrator
  Password:
  Joined domain ECHUDSON.
  [EMAIL PROTECTED] samba]# wbinfo -t
  checking the trust secret via RPC calls failed
  error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
  Could not check secret
  [EMAIL PROTECTED] samba]#

After trying to do the `wbinfo -t`, I see the following in 'winbindd.log':

  [2004/05/13 17:49:41, 2]
    libsmb/cliconnect.c:cli_session_setup_kerberos(535)
    Doing kerberos session setup
  [2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
    rpc_auth_pipe: wrong schannel auth len 24
  [2004/05/13 17:49:41, 0]
    rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
    cli_nt_setup_creds: request challenge failed
  [2004/05/13 17:49:41, 2]
    nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
    Checking the trust account password returned NT_STATUS_UNSUCCESSFUL

I am using Samba 3.0.4, as distributed in Fedora Core 1 RPM format on the
main Samba website @ http://www.samba.org/.  Here's the details:

  [EMAIL PROTECTED] samba]# rpm -qa | grep ^samba
  samba-common-3.0.4-2
  samba-client-3.0.4-2
  samba-3.0.4-2
  [EMAIL PROTECTED] samba]# rpm -qa | grep ^krb5
  krb5-libs-1.3.1-6
  krb5-workstation-1.3.1-6
  [EMAIL PROTECTED] samba]#

The output of `wbinfo -a` produces the following:

  [EMAIL PROTECTED] samba]# wbinfo -a Administrator
  plaintext password authentication failed
  error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
  error messsage was: No such user
  Could not authenticate user Administrator with plaintext password
  challenge/response password authentication failed
  error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
  error messsage was: No logon servers
  Could not authenticate user Administrator with challenge/response
  [EMAIL PROTECTED] samba]#

And this results in the following in 'winbindd.log':

  [2004/05/13 17:53:04, 2]
  libsmb/cliconnect.c:cli_session_setup_kerberos(535)
    Doing kerberos session setup
  [2004/05/13 17:53:04, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
    rpc_auth_pipe: wrong schannel auth len 24
  [2004/05/13 17:53:04, 0]
    rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
    cli_nt_setup_creds: request challenge failed
  [2004/05/13 17:53:04, 2]
    nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(612)
    NTLM CRAP authentication for user [ECHUDSON]\[Administrator] returned
    NT_STATUS_NO_LOGON_SERVERS (PAM: 4)

NTLM CRAP authentication is right -- this just doesn't want to work! ;)

Here's the contents of my '/etc/samba/smb.conf' configuration file:

  [EMAIL PROTECTED] samba]# grep -v ^\; /etc/samba/smb.conf
  [global]
    workgroup = ECHUDSON
    realm = HUDSON-OFFICE.LOCAL
    server string = NASONE
    hosts allow = 10.0.0.0/24
    load printers = no

    security = ads
    auth methods = winbind
    password server = ARIEL
    name resolve order = bcast wins host
    wins server = 10.0.0.150 10.0.0.151

    log level = 2
    log file = /var/log/samba/samba-global.log
    log file = /var/log/samba/%m.log
    max log size = 0

    winbind separator = +
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 15
    template shell = /sbin/nologin
    template homedir = /dev/null/%D/%U

    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    interfaces = 10.0.0.180/24 10.0.1.180/24

    os level = 33
    local master = no
    domain master = no
    preferred master = no
    domain logons = no

    wins support = no
    dns proxy = no

  [volume01]
    comment = volume01
    path = /mnt/volumes/lv01
    public = no
    writable = no
    printable = no
    valid users = @"ECHUDSON+Domain Admins"
    write list = @"ECHUDSON+Domain Admins"
    create mask = 0664
    directory mask = 0775
    nt acl support = yes
  [EMAIL PROTECTED] samba]#

Here's one example of other people having the same issue (I searched
long and hard for any resolutions many of these had found, to no avail!):

http://lists.samba.org/archive/samba-technical/2003-July/030983.html

I'd grab others, but I've already closed lots of browser windows. ;)

Here's some additional Kerberos information that is probably pertinent:

  [EMAIL PROTECTED] root]# kinit [EMAIL PROTECTED]
  Password for [EMAIL PROTECTED]:
  [EMAIL PROTECTED] root]# klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: [EMAIL PROTECTED]

  Valid starting     Expires            Service principal
  05/13/04 18:13:23  05/14/04 04:14:36
  krbtgt/[EMAIL PROTECTED]
          renew until 05/14/04 18:13:23
  05/13/04 18:15:33  05/14/04 04:14:36  [EMAIL PROTECTED]
          renew until 05/14/04 18:13:23

  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached
  [EMAIL PROTECTED] root]#

And finally, let's get in a good test of Kerberos with the -k flag:

  [EMAIL PROTECTED] root]# smbclient -U Administrator -k //10.0.0.150/GENSRVNT
  OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
  smb: \> ls
    .                                   D    0  Thu Apr  1 15:37:04 2004
    ..                                  D    0  Thu Apr  1 15:37:04 2004
    [ADDITIONAL DIRECTORY LISTING TRIMMED]
  smb: \> quit
  [EMAIL PROTECTED] root]#

Does anyone have any ideas?!?!

--          _
__ __ ___ _| | William R. Lorenz <[EMAIL PROTECTED]>
\ V  V / '_| | http://www.clevelandlug.net/ ; "Every revolution was
 \./\./|_| |_| first a thought in one man's mind." - Ralph Waldo Emerson

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
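Added example (not part of the original messages and not Samba tooling): a Python script that rebuilds the mail-wrapped `winbindd.log` entries quoted above and lists, in log order, the level-0 errors and any NT_STATUS codes. The function names `parse_entries` and `failures` are hypothetical.

```python
import re

# Sample input: the second winbindd.log excerpt quoted in the message above,
# with the mail client's wrapping of some header lines kept as posted.
SAMPLE = """\
[2004/05/13 17:53:04, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/05/13 17:53:04, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
  rpc_auth_pipe: wrong schannel auth len 24
[2004/05/13 17:53:04, 0]
  rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
  cli_nt_setup_creds: request challenge failed
[2004/05/13 17:53:04, 2]
  nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(612)
  NTLM CRAP authentication for user [ECHUDSON]\\[Administrator] returned
  NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)$")
STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")

def parse_entries(text):
    """Rebuild log entries even when the source location wrapped to its own line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:  # "[timestamp, level]" starts a new entry
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": None, "msg": []})
            line = m.group(3)  # location may follow on the same line
        if not line or not entries:
            continue
        loc = LOCATION.match(line)
        if loc and entries[-1]["func"] is None and not entries[-1]["msg"]:
            entries[-1]["func"] = loc.group(2)
        else:
            entries[-1]["msg"].append(line)  # wrapped message text
    for e in entries:
        e["msg"] = " ".join(e["msg"])
    return entries

def failures(entries):
    """Level-0 entries plus any entry carrying an NT_STATUS code, in log order."""
    return [(e["func"], e["msg"], STATUS.findall(e["msg"]))
            for e in entries if e["level"] == 0 or STATUS.search(e["msg"])]
```

Running `failures(parse_entries(SAMPLE))` shows the schannel length error and the failed challenge request preceding the `NT_STATUS_NO_LOGON_SERVERS` result.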



