I see a lot of folks posting similar problems relating to OpenLDAP, but none seem to relate exactly to what I'm experiencing. I'm stumped.
The thing that is really throwing me is that I seem to be able, in some odd way, to authenticate to my Active Directory accounts using the smbclient command; I just can't do it unless an account with the same name exists on my BSD box.
I ran the following test:

1) created a user named smbuser with the password "password"
2) placed the user in the mitsadmin group to give access to the share
3) tried an smbclient -L localhost -Usmbuser; the error returned was:
#####################################
session setup failed: NT_STATUS_LOGON_FAILURE
#####################################
4) I then created an account smbuser with the password "diffpass"
5) tried an smbclient -L localhost -Usmbuser again, this time with the AD password "password", and got:
#####################################
Domain=[TECH] OS=[Unix] Server=[Samba 3.0.11]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (FreeBSD Samba Server)
        ADMIN$          IPC       IPC Service (FreeBSD Samba Server)
Domain=[TECH] OS=[Unix] Server=[Samba 3.0.11]

        Server               Comment
        ---------            -------
        CDSRV4               FreeBSD Samba Server
        ADC3

        Workgroup            Master
        ---------            -------
        TECH                 ADC3
#####################################
6) tried an smbclient -L localhost -Usmbuser again, this time with the Unix password "diffpass", and got:
session setup failed: NT_STATUS_LOGON_FAILURE
It seems there may be some intermediate step before the AD lookup that may be holding up authentication.
The error message in my log file is as follows:
#####################################
[2005/03/21 14:53:37, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED]DSRV4] with the new password interface
[2005/03/21 14:53:37, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/03/21 14:53:37, 3] smbd/uid.c:push_conn_ctx(365)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/03/21 14:53:37, 3] auth/auth_util.c:make_server_info_info3(1156)
User smbuser does not exist, trying to add it
[2005/03/21 14:53:37, 0] auth/auth_util.c:make_server_info_info3(1163)
make_server_info_info3: pdb_init_sam failed!
[2005/03/21 14:53:37, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [smbuser] -> [smbuser] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/03/21 14:53:37, 3] smbd/process.c:timeout_processing(1334)
timeout_processing: End of file from client (client has disconnected).
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/03/21 14:53:37, 2] smbd/server.c:exit_server(609)
Closing connections
[2005/03/21 14:53:37, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2005/03/21 14:53:37, 3] smbd/server.c:exit_server(652)
Server exit (normal exit)
#####################################
Versions of packages installed:
  samba-3.0.11.tar.gz
  openldap-2.2.24.tgz
  freebsd-5.3-RELEASE-i386
  heimdal-0.6.1 (kerberos)
  * also compiled samba with ldap, winbindd, krb5
Configuration Files:
smb.conf
#####################################
[global]
    workgroup = TECH
    netbios name = SERVER3
    realm = host.domain.com
    security = ads
    encrypt passwords = yes
    password server = server.host.domain.com
    wins server = server.host.domain.com
    name resolve order = lmhosts host wins bcast
    log file = /var/log/samba/%m.log
    server string = FreeBSD Samba Server
    log level = 10
    allow trusted domains = No
    winbind use default domain = yes
    winbind trusted domains only = No
    winbind cache time = 10
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/sh
    template homedir = /home/%D/%U
    idmap uid = 10000-50000
    idmap gid = 10000-20000

#============================ Share Definitions ==============================
# Used for reimaging labs
[IMAGES]
    comment = Ghost Images
    path = /data/pub/images
    browseable = no
    read only = no
    write list = @mitsadmin
    read list = @techs, ghost
#####################################
krb5.conf
#####################################
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = HOST.DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    HOST.DOMAIN.COM = {
        kdc = server.host.domain.com:88
        admin_server = server.host.domain.com:749
        default_domain = host.domain.com
    }

[domain_realm]
    .host.domain.com = HOST.DOMAIN.COM
    host.domain.com = HOST.DOMAIN.COM

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
#####################################

nsswitch.conf
#####################################
passwd: files winbind
group: files winbind
hosts: files dns
#####################################
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
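Editor's note on reading the two errors in the post above: the client sees NT_STATUS_LOGON_FAILURE in both failing runs, while the server log records NT_STATUS_NO_SUCH_USER. That is expected behaviour, not a contradiction: smbd squashes NO_SUCH_USER (and WRONG_PASSWORD) to LOGON_FAILURE before replying, so that a remote client cannot enumerate which usernames exist. The server log is therefore the only place where "password rejected" and "password accepted, but no Unix account to map the user to" can be told apart. The following script is an added example by the editor, not code from the poster or from the Samba project. It parses smbd level-3 log records of the format shown above and classifies each logged authentication failure, flagging the case where a "User X does not exist, trying to add it" record precedes a NO_SUCH_USER result. The sample log is constructed for the example: its second event mirrors the post's excerpt and its first event is an invented wrong-password failure for contrast. The diagnosis wording and the `getent passwd` hint are the editor's own.

```python
"""Triage smbd authentication failures from a Samba 3 log excerpt.

Added example (editor's code, not from the original post or from Samba).
Assumes the header/message layout shown in the post's log excerpt.
"""
import re
from dataclasses import dataclass

# smbd header line: [YYYY/MM/DD HH:MM:SS, level] file.c:function(line)
HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$")
FAILED_RE = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)"
)
LOOKUP_RE = re.compile(r"User (\S+) does not exist, trying to add it")

# Constructed sample: event 1 is an invented wrong-password failure; event 2
# reproduces the record sequence from the post's excerpt.
SAMPLE_LOG = """\
[2005/03/21 14:50:01, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [smbuser] -> [smbuser] FAILED
with error NT_STATUS_WRONG_PASSWORD
[2005/03/21 14:53:37, 3] auth/auth_util.c:make_server_info_info3(1156)
User smbuser does not exist, trying to add it
[2005/03/21 14:53:37, 0] auth/auth_util.c:make_server_info_info3(1163)
make_server_info_info3: pdb_init_sam failed!
[2005/03/21 14:53:37, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [smbuser] -> [smbuser] FAILED
with error NT_STATUS_NO_SUCH_USER
"""


@dataclass
class AuthFailure:
    timestamp: str
    user: str
    mapped_user: str
    status: str
    unix_lookup_failed: bool
    diagnosis: str


def parse_records(text):
    """Group log lines into (timestamp, level, location, message) records.

    smbd writes a header line followed by one or more message lines; long
    messages (e.g. '... FAILED' / 'with error NT_STATUS_...') wrap, so message
    lines are joined until the next header appears.
    """
    records, header, msg = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            if header:
                records.append((*header, " ".join(msg)))
            header, msg = m.groups(), []
        elif header and line.strip():
            msg.append(line.strip())
    if header:
        records.append((*header, " ".join(msg)))
    return records


def diagnose(status, unix_lookup_failed, mapped_user):
    """Editor's classification of a logged failure (hint text is an assumption)."""
    if status == "NT_STATUS_NO_SUCH_USER" and unix_lookup_failed:
        return (
            "domain controller accepted the credentials; smbd could not map "
            f"'{mapped_user}' to a Unix account. Check 'getent passwd {mapped_user}' "
            "(winbindd running, nsswitch.conf) or configure 'add user script'"
        )
    if status in ("NT_STATUS_WRONG_PASSWORD", "NT_STATUS_LOGON_FAILURE"):
        return "password check failed at the authentication backend"
    return f"unclassified failure: {status}"


def triage(text):
    """Return one AuthFailure per logged FAILED record, in log order."""
    failures = []
    lookup_failed = set()  # users whose Unix lookup failed since their last result
    for ts, _level, _where, msg in parse_records(text):
        m = LOOKUP_RE.search(msg)
        if m:
            lookup_failed.add(m.group(1))
            continue
        m = FAILED_RE.search(msg)
        if not m:
            continue
        user, mapped, status = m.groups()
        nss_failed = mapped in lookup_failed
        lookup_failed.discard(mapped)
        failures.append(
            AuthFailure(ts, user, mapped, status, nss_failed, diagnose(status, nss_failed, mapped))
        )
    return failures


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user}: {f.status} -> {f.diagnosis}")
```

Run it as-is to triage the constructed sample, or feed it a real `/var/log/samba/<client>.log` written at `log level = 3` or higher; at the default log level smbd does not emit the `check_ntlm_password` or `make_server_info_info3` records the classifier depends on.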
