[Samba] Re: Trouble authenticating to Samba shares with Win 2k3 ADS

[Andreas Ladanyi]

Hay Andrew,

i read you use "idmap backend = ad".
Did you install the AD schemata addon for POSIX data. For example MS SFU 
or AD4UNIX ?

in our environment we installed MS SFU 3.5. This is a part of the 2003 
R2 server Installation, but you have set a tick in "windows 
compenent7software setup" to install it.

Bye, Andy


I may have a deficiency in understanding the procedure for ADS
authentication with samba, but most of the server setup works so far.  I
have bound a Red Hat Enterprise 5 server to our windows domain, it shows
up in DNS and ADS, I can ping it, but I can't get samba shares to be
accessible to users, or even get the smbclient to return shares
properly.

 

wbinfo -g returns the domain groups properly

wbinfo -u return the domain users properly

 

[EMAIL PROTECTED] samba]# wbinfo -a 'DNAME\uname'%secret 

plaintext password authentication succeeded

challenge/response password authentication succeeded

 

[EMAIL PROTECTED] samba]# wbinfo -K 'DNAME\uname'%secret 

plaintext kerberos password authentication for [DNAME\uname%secret]
succeeded (requesting cctype: FILE)

credentials were put in: FILE:/tmp/krb5cc_0

 

[EMAIL PROTECTED] samba]# wbinfo -t

checking the trust secret via RPC calls succeeded

 

So that all works fine.  smbclient chokes though:

 

[EMAIL PROTECTED] samba]# smbclient -L solar -U 'DNAME\uname'

Password:

session setup failed: NT_STATUS_LOGON_FAILURE

 

[EMAIL PROTECTED] samba]# smbclient -L solar -U uname

Password:

session setup failed: NT_STATUS_LOGON_FAILURE

 

or if I even use a samba user that I have setup with smbpasswd

 

[EMAIL PROTECTED] samba]# smbclient -L solar -U sambaname

Password:

session setup failed: NT_STATUS_LOGON_FAILURE

 

The only log file in /var/log/samba that shows any changes is log.nmbd

 

[2008/07/23 08:18:47, 0] nmbd/nmbd_namequery.c:query_name_response(109)

  query_name_response: Multiple (2) responses received for a query on
subnet 192.168.77.244 for name DNAME<1d>.

  This response was from IP 192.168.77.216, reporting an IP address of
192.168.77.216.

 

Here is my smb.conf

 

# Samba config file created using SWAT

# from 127.0.0.1 (127.0.0.1)

# Date: 2008/07/17 09:25:15

 

[global]

   workgroup = DNAME

   realm = DNAME.LOCAL

   netbios aliases = solar.dname.local, solar.dname.com

   server string = Samba %v %h

   interfaces = 192.168.77.244

   security = ADS

#  security = user

   auth methods = winbind

   use kerberos keytab = Yes

   encrypt passwords = yes

   winbind enum users = Yes

   winbind enum groups = Yes

   preferred master = No

   local master = No

   domain master = No

   ldap ssl = no

   idmap domains = DNAME

   idmap uid = 10000-20000

   idmap gid = 10000-20000

 

[T_drive]

   writeable = yes

   valid users = sambaname,'DNAME\uname'

   public = yes

   path = /data/T_drive

 

Here is krb5.conf

 

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

 

[libdefaults]

default_realm = DNAME.LOCAL

 

[realms]

DNAME.LOCAL = {

   default_domain =

   kdc = nvautil01.DNAME.local:

   admin_server = nvadom01:

}

 

[domain_realm]

dname.local = DNAME.LOCAL

 

pam.d directory samba file

 

[EMAIL PROTECTED] samba]# more /etc/pam.d/samba

#%PAM-1.0

auth    sufficient      pam_krb5afs.so

account sufficient      pam_krb5afs.so

auth    sufficient      pam_winbind.so

account sufficient      pam_winbind.so

session sufficient      pam_krb5afs.so

password       sufficient  pam_krb5afs.so

auth     required       pam_unix.so

account  required       pam_unix.so

session sufficient      pam_winbind.so

password       sufficient  pam_winbind.so


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba