Matt Anderson wrote:
Dear Help,

We are in the process of setting up a new domain using Active Directory on
Windows Server 2003R2.  One of our goals was to use Active Directory for
authentication on our AIX box (running version 6.1).  I was able to successfully
set up Kerberos, and the LDAP client to connect to our AD server so that you can
now log in to the AIX box with users found in Active Directory.  However, no
matter what I try, I am unable to get Samba (also running on the same AIX box)
to authenticate against the same AD server.  Oh, and I'm running Samba 3.0.28
(from the AIX binaries available on the Samba website).

When I try and connect from a test machine (running Windows XP SP2) I get the
following in the logs (machine: Novel-Idea, username: test01, domain: TEST):
  check_ntlm_password:  Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface
[2008/08/08 09:55:29, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2008/08/08 09:55:29, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/08/08 09:55:29, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/08/08 09:55:29, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/08/08 09:55:29, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/08 09:55:29, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [test01] -> [test01] FAILED with
error NT_STATUS_NO_SUCH_USER
[2008/08/08 09:55:29, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

However, I can get successful results using wbinfo:
From wbinfo -u:
administrator
guest
support_388945a0
krbtgt
test02
host_aixplay1
test01
testcopy

From wbinfo -g:
BUILTIN+administrators
BUILTIN+users
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
testgrp1
testgrp2
testgrp3
staff

From wbinfo -a test01%password:
plaintext password authentication succeeded
challenge/response password authentication succeeded

From wbinfo -K test01%password
plaintext kerberos password authentication for [test01%password] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

Have you tried to look at the user account information using ldapsearch? Just to ensure the POSIX account data is present in AD.

If you are attempting to authenticate as a domain user try the username as DOMAIN\Username.


So, it makes me think that I'm missing something obvious in my smb.conf, but
after searching around, I haven't found much.

Any help would be greatly appreciated.  See my configs below:

SMB.CONF
# Global parameters
[global]
        workgroup = TEST
        realm = TEST.LOCAL
        security = ADS
        encrypt passwords = yes
        password server = IP.OF.AD.SERVER
        log level = 3
        log file = /opt/pware/samba/3.0.28/var/log.%m
        max log size = 50
#       idmap backend = ad
#       idmap uid = 100000-40000000
#       idmap gid = 100000-40000000

        idmap domains = TEST
        idmap config TEST:backend = ad
        idmap config TEST:default = yes
        idmap config TEST:schema_mode = rfc2307
        idmap config DOMAIN:range = 100000-40000000

#       auth methods = winbind
#       use kerberos keytab = yes
#       ldap ssl = no

        winbind separator = +
        winbind use default domain = Yes
        winbind nested groups = Yes
        winbind enum users = yes
        winbind enum groups = yes
#       winbind nss info = rfc2307

[anyone]
        path = /home/anyone
        guest ok = yes
        browseable = yes

[testing]
        path = /home/testing
        guest ok = no
        valid users = test01
        admin users = test01
        write list = test01

KRB5.CONF
[libdefaults]
        default_realm = TEST.LOCAL
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
        TEST.LOCAL = {
                kdc = adtest.test.local:88
                admin_server = adtest.test.local:749
                default_domain = test.local
        }

[domain_realm]
        .test.local = TEST.LOCAL
        adtest.test.local = TEST.LOCAL

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log

--
Jason Gerfen
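The reply above suggests two checks: confirm with ldapsearch that the POSIX account data is present in AD, and look again at the smb.conf. The script below is an added example, not something posted in this thread; it re-parses the [global] idmap settings quoted in the original message and flags any domain listed in `idmap domains` whose `idmap config <DOMAIN>:...` block is incomplete, and it scans a constructed ldapsearch (LDIF) result for the RFC2307 attributes that `schema_mode = rfc2307` depends on. The LDIF entries and the attribute values in them are constructed for illustration; the smb.conf excerpt is copied from the post.

```python
"""Added example (not from the thread): check the two things the reply points at.

1. Every domain named in `idmap domains` must have a complete
   `idmap config <DOMAIN>:backend` / `:range` pair; a block written under a
   different domain name is flagged as unreferenced.
2. The AD user entry returned by ldapsearch must carry uidNumber/gidNumber,
   which `idmap config ...:schema_mode = rfc2307` reads to map the user.
"""

import re

# [global] idmap settings as posted in the original message (abbreviated).
SMB_CONF = """
[global]
        workgroup = TEST
        realm = TEST.LOCAL
        security = ADS
        idmap domains = TEST
        idmap config TEST:backend = ad
        idmap config TEST:default = yes
        idmap config TEST:schema_mode = rfc2307
        idmap config DOMAIN:range = 100000-40000000
"""

# Constructed ldapsearch output: a user with no POSIX attributes populated.
LDIF_MISSING = """
dn: CN=test01,CN=Users,DC=test,DC=local
objectClass: user
sAMAccountName: test01
userPrincipalName: test01@test.local
"""

# Constructed ldapsearch output: the same user with RFC2307 attributes set.
LDIF_OK = LDIF_MISSING + (
    "uidNumber: 100001\n"
    "gidNumber: 100513\n"
    "unixHomeDirectory: /home/test01\n"
    "loginShell: /bin/ksh\n"
)


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, inner whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][" ".join(key.lower().split())] = value
    return sections


def check_idmap_config(text):
    """List problems with the per-domain idmap blocks in [global]."""
    glob = parse_smb_conf(text).get("global", {})
    declared = {d.upper() for d in glob.get("idmap domains", "").replace(",", " ").split()}
    per_domain = {}
    for key, value in glob.items():
        m = re.match(r"idmap config (\S+):(\S+)$", key)
        if m:
            per_domain.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    problems = []
    for dom in declared:
        opts = per_domain.get(dom, {})
        for needed in ("backend", "range"):
            if needed not in opts:
                problems.append(f"{dom}: missing idmap config {dom}:{needed}")
    for dom in per_domain:
        if dom not in declared:
            problems.append(f"{dom}: has idmap config but is not in 'idmap domains'")
    return sorted(problems)


def check_posix_attrs(ldif, required=("uidNumber", "gidNumber")):
    """Return the required RFC2307 attributes that are absent from an LDIF entry."""
    present = {line.split(":", 1)[0].strip().lower()
               for line in ldif.splitlines() if ":" in line}
    return [attr for attr in required if attr.lower() not in present]


if __name__ == "__main__":
    for problem in check_idmap_config(SMB_CONF):
        print("smb.conf:", problem)
    for name, ldif in (("missing", LDIF_MISSING), ("ok", LDIF_OK)):
        print(f"ldif[{name}] lacks:", check_posix_attrs(ldif) or "nothing")
```

Run against the posted configuration, the checker reports that TEST has no `idmap config TEST:range` and that the `DOMAIN:range` line refers to a domain not listed in `idmap domains`; against the constructed LDIF it reports whether uidNumber and gidNumber are present. To use it on a live directory, replace the constructed LDIF with the output of an ldapsearch for the user's entry.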