I'm trying to get Samba set up to use ADS authentication against a
Windows 2003 Server running in native mode.  I have successfully joined
the domain, and

        kinit [EMAIL PROTECTED]

works successfully.  I can also use smbclient to connect to shares on
the local machine, so Samba is basically working.  However, when I try
to connect from a Windows machine I get


        [C:\]net use \\unx02\pub
        The password or user name is invalid for \\unx02\pub.
        Enter the user name for 'unx02': user
        Enter the password for unx02:
        System error 1326 has occurred.

        Logon failure: unknown user name or bad password.

On Unix I get:

        [2005/03/23 17:17:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
          Failed to verify incoming ticket!
        [2005/03/23 17:17:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
          Username MYDOMAIN.DOM\user is invalid on this system

in 92.168.1.105.log, and 

        [2005/03/23 17:17:48, 0] nmbd/nmbd_responserecordsdb.c:find_response_record(220)
          find_response_record: response packet id 34265 received with no matching record.
        [2005/03/23 17:17:48, 0] nmbd/nmbd_responserecordsdb.c:find_response_record(220)
          find_response_record: response packet id 34266 received with no matching record.

in nmbd.log.

I tried leaving & rejoining the AD domain but that didn't help - in fact
it may have made it worse as prior to that I didn't get the "Failed to
verify incoming ticket!" message, just "Username MYDOMAIN.DOM\user is
invalid on this system".  

If I specify a different username - foo - which doesn't exist in the AD
domain I get 

        [2005/03/23 17:48:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
          Failed to verify incoming ticket!
        [2005/03/23 17:48:21, 0] auth/auth_domain.c:domain_client_validate(199)
          domain_client_validate: unable to validate password for user foo in domain MYDOM
          to Domain controller \\W2K3DC. Error was NT_STATUS_NO_SUCH_USER.

in xpclient.log so it is talking to the AD to some extent. 

Interestingly and curiously, when I specify an invalid name the record
gets logged in the log file based on the machine name, but when I
specify a valid name it gets logged in the log file for the IP address.
Why?

My smb.conf file is:

        [global]
            workgroup = MYDOM
            server string = unx02
            printcap name = /etc/printcap
            load printers = yes
            cups options = raw
            log file = /var/log/samba/%m.log
            max log size = 50
            socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
            dns proxy = no
            idmap uid = 20000000-33554431
            idmap gid = 20000000-33554431
            template shell = /bin/false
            password server = w2k3dc.mydomain.dom
            realm = MYDOMAIN.DOM
            security = ADS
            winbind use default domain = no
        [homes]
            comment = Home Directories
            browseable = no
            writeable = yes
        [printers]
            comment = All Printers
            path = /var/spool/samba
            browseable = no
            printable = yes
        [pub]
            path = /var/SAMBA/public
            public = yes
            only guest = yes
            writable = yes
            printable = no
            browseable = yes

And my krb5.conf file is

        [logging]
         default = FILE:/var/log/krb5libs.log
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmind.log

        [libdefaults]
         default_realm = MYDOMAIN.DOM
         dns_lookup_realm = false
         dns_lookup_kdc = false

        [realms]
         MYDOMAIN.DOM = {
          kdc = w2k3dc.mydomain.dom
          admin_server = w2k3dc.mydomain.dom
          default_domain = mydomain.dom
         }

        [domain_realm]
         .mydomain.dom = MYDOMAIN.DOM
         mydomain.dom = MYDOMAIN.DOM

        [kdc]
         profile = /var/kerberos/krb5kdc/kdc.conf

        [appdefaults]
         pam = {
           debug = false
           ticket_lifetime = 36000
           renew_lifetime = 36000
           forwardable = true
           krb4_convert = false
         }

I'm using Samba Version 3.0.10-1.4E on Centos-4, connecting to a Windows
2003 Server AD domain with all the current hotfixes & patches installed,
and I'm testing the connection from an XP Pro machine with SP2 and
subsequent patches.

Any help or pointers would really be appreciated.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
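The smbd log excerpts quoted in the post use Samba 3.0's two-line format: a header `[date time, level] file:function(line)` followed by one or more indented message lines. When troubleshooting (or alerting on) ADS logons it helps to parse that format and bucket the three distinct failure messages the post shows, because they point at different things: "Failed to verify incoming ticket!" means smbd could not validate the Kerberos ticket the client presented, "Username ... is invalid on this system" means the principal could not be mapped to a local Unix account, and `NT_STATUS_NO_SUCH_USER` is the domain controller rejecting an unknown account. The following parser and summariser is an added example written for this page, not code from the original post or from the Samba project; the sample log text is constructed to mirror the lines quoted above, and the category names are this example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Samba 3.0.10 smbd log lines quoted in the post.
SAMPLE_LOG = """\
[2005/03/23 17:17:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/03/23 17:17:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username MYDOMAIN.DOM\\user is invalid on this system
[2005/03/23 17:48:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/03/23 17:48:21, 0] auth/auth_domain.c:domain_client_validate(199)
  domain_client_validate: unable to validate password for user foo in domain MYDOM
  to Domain controller \\\\W2K3DC. Error was NT_STATUS_NO_SUCH_USER.
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level] source/file.c:function(lineno)"
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+?):(\w+)\((\d+)\)$"
)

# Category names are this example's own, not Samba terminology.
CATEGORIES = (
    ("Failed to verify incoming ticket", "KRB_TICKET_VERIFY_FAILED"),
    ("is invalid on this system", "USER_NOT_MAPPED"),
    ("NT_STATUS_NO_SUCH_USER", "DC_REJECTED_USER"),
)


def parse_samba_log(text):
    """Split Samba 3.0-style log text into entries.

    Each entry is a dict with time, level, file, func, line and the message
    (indented continuation lines joined with single spaces).
    """
    entries = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if current is not None:
                entries.append(current)
            time, level, src, func, lineno = m.groups()
            current = {"time": time, "level": int(level), "file": src,
                       "func": func, "line": int(lineno), "message": []}
        elif current is not None and raw.startswith("  "):
            # Continuation lines belong to the most recent header.
            current["message"].append(raw.strip())
        # Anything else (blank lines, stray text) is ignored.
    if current is not None:
        entries.append(current)
    for e in entries:
        e["message"] = " ".join(e["message"])
    return entries


def classify(entry):
    """Map an entry's message to one of the categories above, or None."""
    for needle, category in CATEGORIES:
        if needle in entry["message"]:
            return category
    return None


def summarize(text):
    """Count the authentication failure categories seen in the log text."""
    counts = Counter()
    for entry in parse_samba_log(text):
        category = classify(entry)
        if category is not None:
            counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for entry in parse_samba_log(SAMPLE_LOG):
        print(entry["time"], entry["func"], classify(entry), "-", entry["message"])
    print(summarize(SAMPLE_LOG))
```

Run against the post's own log directories, the script can be pointed at every `%m.log` file at once; note that with `log file = /var/log/samba/%m.log`, `%m` is the client's NetBIOS name, which Samba only learns from a NetBIOS session request on port 139, so sessions that arrive on port 445 are logged under the client's IP address instead. A steady stream of `KRB_TICKET_VERIFY_FAILED` entries from one server is usually a server-side configuration problem (keytab, service principal or clock skew) rather than bad user credentials, while `DC_REJECTED_USER` entries across many usernames are worth correlating with the domain controller's own security log.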