I'm trying to configure a Fedora 7 machine to authenticate access to shares via AD. This works fine on other RHEL machines, but the same configuration on Fedora maddeningly does not.
I've tried oodles of different configurations, and am currently using something based on:

http://wiki.samba.org/index.php/Samba_&_Active_Directory

Here is my krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ESRI.COM
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 ESRI.COM = {
  kdc = dc1.esri.com:88
  admin_server = dc1.esri.com:749
  default_domain = esri.com
  kdc = dc1.esri.com
 }

[domain_realm]
 .esri.com = ESRI.COM
 esri.com = ESRI.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

I am able to kinit just fine and to net ads join. wbinfo -a and more works just fine. I can use smbclient to view shares on other members of the domain with and without -k perfectly. winbind appears to be running without issue.

# net ads testjoin
Join is OK

Now, my smb.conf:

[global]
 workgroup = AVWORLD
 realm = ESRI.COM
 preferred master = no
 server string = Linux Test Machine
 security = ADS
 encrypt passwords = yes
 log level = 3
 log file = /var/log/samba/%m
 max log size = 500
 printcap name = cups
 printing = cups
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind nested groups = Yes
 ;winbind separator = +
 idmap uid = 10000-9999999999
 idmap gid = 10000-9999999999
 ;template primary group = "Domain Users"
 template shell = /bin/bash
 ; Some things that may or may not be useful.
 ;passdb backend = tdbsam
 ;idmap backend = ad
 ;winbind nss info = rfc2307

[public]
 comment = gumnut public read-only share
 path = /home/public
 public = yes

However, when trying to access this machine (GUMNUT) from a Windows client or using smbclient from the local machine, I get a failure -- smbclient says NT_STATUS_LOGON_FAILURE and the corresponding Samba logfile says:

[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user AVWORLD\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is avworld\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(83)
  Trying _Get_Pwnam(), username as given is AVWORLD\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(93)
  Trying _Get_Pwnam(), username as uppercase is AVWORLD\RAY5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(102)
  Checking combinations of 0 uppercase letters in avworld\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [AVWORLD\ray5147]!
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(93)
  Trying _Get_Pwnam(), username as uppercase is RAY5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(102)
  Checking combinations of 0 uppercase letters in ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [ray5147]!
[2007/09/06 23:19:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username AVWORLD\ray5147 is invalid on this system
[2007/09/06 23:19:54, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Given the command:

smbclient -L GUMNUT -U ray5147 -W AVWORLD

At this point I am stumped.
I believe we are running Windows 2003 AD servers and it's just not clear to me why the above is failing. Where can I look to begin troubleshooting this?

Thanks!
Ray
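The log excerpt in the post ends with smbd failing to find the name through Get_Pwnam, which is a getpwnam() lookup answered by the system's NSS configuration. The script below is an added triage example, not part of the original post and not Samba code: it reads an smbd log and an nsswitch.conf and reports whether winbind is listed as a passwd and group source. The function names and the sample input are constructed, and a missing winbind entry is only one possible cause, assumed here for illustration.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of Samba.

# Names smbd could not resolve through Get_Pwnam (a getpwnam()/NSS lookup).
unresolved_names() {
    sed -n "s/.*Get_Pwnam_internals didn't find user \[\(.*\)]!.*/\1/p" "$1" |
        LC_ALL=C sort -u
}

# True if the Kerberos session setup logged the name as invalid on this system.
kerberos_name_rejected() {
    grep -q 'reply_spnego_kerberos' "$1" &&
        grep -q 'Username .* is invalid on this system' "$1"
}

# Sources listed for one database (passwd, group) in an nsswitch.conf file.
nss_sources() {
    awk -v db="$2" '{ sub(/#.*/, "") }
        $1 == (db ":") { $1 = ""; print }' "$1"
}

# True if winbind is one of the sources for database $2 in file $1.
nss_has_winbind() {
    nss_sources "$1" "$2" | tr -s ' \t' '\n' | grep -qx 'winbind'
}

# diagnose LOG NSSWITCH: print a one-word verdict.
diagnose() {
    if ! kerberos_name_rejected "$1"; then
        echo "no-mapping-failure"
    elif nss_has_winbind "$2" passwd && nss_has_winbind "$2" group; then
        echo "winbind-listed-check-winbindd"
    else
        echo "winbind-missing-from-nss"
    fi
}

# Constructed sample: log lines in the post's format, nsswitch.conf without winbind.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)' \
        "  Get_Pwnam_internals didn't find user [ray5147]!" \
        '[2007/09/06 23:19:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)' \
        '  Username AVWORLD\ray5147 is invalid on this system' > "$d/log"
    printf 'passwd: files\ngroup: files\n' > "$d/nss"
    diagnose "$d/log" "$d/nss"
    rm -rf "$d"
}

# With two arguments, check real files; with none, run the constructed sample.
if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; else demo; fi
```

On a live host, `getent passwd` with the same user name exercises the lookup that Get_Pwnam performs.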
