Hello,

I'm trying to connect my Debian 4 samba box to my Windows 2003 Server Active Directory. I successfully joined the domain, with net ads join. Wireshark captures a lot of packets going over the wire, and I get the message "joined the domain successfully". In my AD, under 'computers', the samba box appeared. So that all works.

Asking a kerberos ticket for a user with kinit is also successful. So kerberos is working fine.

Wbinfo -u gives me all the users I have in my AD, and wbinfo -g does the same with all the groups. wbinfo -t also working fine.

But when I try wbinfo -a rutger%rutger, I get

    plaintext password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user rutger%rutger with plaintext password
    challenge/response password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user rutger with challenge/response

Same result with wbinfo -K. It says the user does not exist, but it is there when I do a wbinfo -u.

Same output with ntlm_auth and with --diagnostics:

    ntlm_auth --request-nt-key --domain=PROJECT --username=rutger
    password:
    NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

    project:/etc# ntlm_auth --request-nt-key --domain=PROJECT --username=rutger --diagnostics
    password:
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test LM failed!
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test LM and NTLM failed!
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test NTLM failed!
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test NTLM in LM failed!
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test NTLM in both failed!
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test NTLMv2 failed!
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test NTLMv2 and LMv2 failed!
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test LMv2 failed!
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test NTLMv2 and LMv2, LMv2 broken failed!
    No such user (0xc0000064)
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test NTLM and LM, LM broken failed!
    No such user (0xc0000064)
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test Plaintext failed!
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test Plaintext LM broken failed!
    No such user (0xc0000064)
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test Plaintext NT only failed!
    No such user (0xc0000064)
    [2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
      Test Plaintext LM only failed!

The wbinfo -a and ntlm_auth result in NO data sent over the wire.

Is wbinfo not correctly using Kerberos? Why are no packages sent over the wire when I do wbinfo -a?

The IP of the AD is in /etc/hosts.

Thanks a lot for your help, I'm really desperate!

Rutger

Here are the smb.conf and krb5.conf files:

--smb.conf--

    project:/etc# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[homes]"
    Processing section "[printers]"
    Processing section "[print$]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
            workgroup = PROJECT
            realm = PROJECT.LOCAL
            server string = %h server
            security = ADS
            obey pam restrictions = Yes
            password server = project-ad.project.local
            passdb backend = tdbsam
            passwd program = /usr/bin/passwd %u
            passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
            syslog = 0
            log file = /var/log/samba/log.%m
            max log size = 1000
            dns proxy = No
            panic action = /usr/share/samba/panic-action %d
            idmap uid = 10000-20000
            idmap gid = 10000-20000
            template shell = /bin/bash
            invalid users = root

    [homes]
            comment = Home Directories
            valid users = %S
            read only = No
            create mask = 0700
            directory mask = 0700
            browseable = No

    [printers]
            comment = All Printers
            path = /var/spool/samba
            create mask = 0700
            printable = Yes
            browseable = No

    [print$]
            comment = Printer Drivers
            path = /var/lib/samba/printers

--krb5.conf--

    [logging]
            default = FILE:/war/log/krb5libs.log
            kdc = FILE:/var/log/krb5kdc.log
            admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
            default_realm = PROJECT.LOCAL
    # dns_lookup realm = false
    # dns_lookup_kdc = false

    # The following krb5.conf variables are only for MIT Kerberos.
            krb4_config = /etc/krb.conf
            krb4_realms = /etc/krb.realms
            kdc_timesync = 1
            ccache_type = 4
            forwardable = true
            proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented. In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    # default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    # default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    # permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

    # The following libdefaults parameters are only for Heimdal Kerberos.
            v4_instance_resolve = false
            v4_name_convert = {
                    host = {
                            rcmd = host
                            ftp = ftp
                    }
                    plain = {
                            something = something-else
                    }
            }
            fcc-mit-ticketflags = true

    [realms]
            PROJECT.LOCAL = {
                    kdc = PROJECT-AD.PROJECT.LOCAL
            }

    [domain_realm]
            .project.local = PROJECT.LOCAL
            project.local = PROJECT.LOCAL

    [kdc]
            profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
            pam = {
                    debug = false
                    ticket_lifetime = 36000
                    renew_lifetime = 36000
                    forwardable = true
                    krb4_convert = false
            }

    [login]
            krb4_convert = true
            krb4_get_tickets = false
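
An added example, not part of the original post and not Samba code: a small parser for ntlm_auth --diagnostics output in the layout quoted above, which groups the failed tests by the NTSTATUS code they reported so it is easy to see whether every protocol variant fails with the same status. It assumes, as in the quoted output, that the status lines for a test are printed before that test's debug header; the function names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# NTSTATUS values commonly seen on failed logons (standard Windows codes).
NTSTATUS = {
    0xC0000064: "NT_STATUS_NO_SUCH_USER",
    0xC000006A: "NT_STATUS_WRONG_PASSWORD",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
}

STATUS_RE = re.compile(r"\(0x([0-9a-fA-F]{8})\)\s*$")   # "... (0xc0000064)"
TEST_RE = re.compile(r"^\s*Test (.+) failed!\s*$")      # "  Test LM failed!"

def parse_diagnostics(text):
    """Return [(test_name, [status_codes])]. Each 'Test X failed!' line is
    paired with the status lines seen since the previous test (assumed order)."""
    results, pending = [], []
    for line in text.splitlines():
        m = TEST_RE.match(line)
        if m:
            results.append((m.group(1), pending))
            pending = []
            continue
        m = STATUS_RE.search(line)
        if m:
            pending.append(int(m.group(1), 16))
    return results

def summarize(results):
    """Map each status name to the list of tests that reported it."""
    by_status = defaultdict(list)
    for name, codes in results:
        for code in sorted(set(codes)):
            by_status[code].append(name)
    return {NTSTATUS.get(c, hex(c)): names for c, names in by_status.items()}

# Constructed sample in the same layout as the output quoted in the post.
SAMPLE = """\
password:
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test LM failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test NTLM and LM, LM broken failed!
"""

if __name__ == "__main__":
    for status, tests in summarize(parse_diagnostics(SAMPLE)).items():
        print(f"{status}: {len(tests)} test(s): {', '.join(tests)}")
```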