[TriLUG] Samba and Active Directory

Matt Nash mattnash at intrex.net
Fri Sep 1 11:04:49 EDT 2006


In my smb.conf I have 2 lines that you don't:
client use spnego = yes
client ntlmv2 auth = yes

I used this page to configure winbind and krb5:
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

I know you don't have Ubuntu, but the instructions are general enough 
that they should work.

Brian Blater (BBList) wrote:
> I have set up an OpenSUSE 10.1 box running samba that I would like our
> windows users to attach to various shares. These users have no account
> on the SUSE box, just an AD account and I don't want them to actually
> login to the box. I would like to have samba use the AD credentials of
> the logged in windows user and authenticate them to access the shares.
>
> I have followed several how-tos and several things I've found with
> Google, but it just isn't working. The user is still asked for username
> and password.
>
> Here is what I have so far:
>
> I've installed Samba, winbind and KRB5. I've added the server to AD and
> it shows in the AD computer container.
>
> I configured /etc/krb5.conf as follows:
> [libdefaults]
>         default_realm = TTA.RIDETTA.ORG
>
> [realms]
>         TTA.RIDETTA.ORG = {
>                 kdc = tta-tw-w02.tta.ridetta.org
>                 kdc = tta-6p-w01.tta.ridetta.org
>                 kdc = tta-bus-w02.tta.ridetta.org
>                 admin_server = tta-tw-w02.tta.ridetta.org
>         }
>
> [logging]
>     kdc = FILE:/var/log/krb5/krb5kdc.log
>     admin_server = FILE:/var/log/krb5/kadmind.log
>     default = SYSLOG:NOTICE:DAEMON
>
> I can then authenticate a user against AD:
> susetest:~ # kinit ituser
> Password for ituser@TTA.RIDETTA.ORG:
> susetest:~ # 
>
> I have modified /etc/samba/smb.conf as follows:
>  [global]
>         unix charset = LOCALE
>         workgroup = TTA
>         realm = TTA.RIDETTA.ORG
>         security = ADS
>         username map = /etc/samba/smbusers
>         log level = 1
>         syslog = 0
>         log file = /var/log/samba/%m
>         max log size = 50
>         printing = cups
>         printcap name = cups
>         ldap ssl = no
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         template shell = /bin/bash
>         winbind separator = +
>         domain logons = No
>         domain master = No
>         password server = tta-tw-w02.tta.ridetta.org
>         auth methods = winbind
> ...
> [testing]
>         comment =
>         ;;inherit acls = Yes
>         path = /home/testing/
>         writeable = yes
>         force create = 0775
>         create mask = 0775
>         directory mask = 0775
>         browseable = yes
>         guest ok = no
>         printable = no
>         read only = No
>         valid users = @"TTA+sambausers"
>
> Winbind is started and running and I can run the following:
> susetest:~ # wbinfo -u | grep ituser
> TTA+ituser
> susetest:~ #
> susetest:~ # wbinfo -g | grep sambausers
> TTA+sambausers
> susetest:~ #
>
> I've modified /etc/pam.d/samba as follows:
> susetest:~ # more /etc/pam.d/samba
> #%PAM-1.0
> auth     include        /lib/security/pam_winbind.so
> account  include        /lib/security/pam_winbind.so
>
> and I've modified /etc/nsswitch.conf as follows:
> susetest:~ # more /etc/nsswitch.conf
> ...
> passwd: files winbind
> shadow: files
> group:  files winbind
> ...
>
> I am then able to list the accounts and groups as follows:
> susetest:~ # getent passwd | grep ituser
> TTA+ituser:*:10100:10000:IT User:/home/TTA/ituser:/bin/bash
> susetest:~ #
> susetest:~ # getent group | grep sambausers
> TTA+sambausers:x:10026:TTA+ituser
> susetest:~ #
>
> Now for a test using the samba server as a linux client this is what I
> get:
> susetest:~ # kinit ituser
> Password for ituser@TTA.RIDETTA.ORG:
> susetest:~ # smbclient //susetest/testing -k -d 3 -l
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface ip=10.5.2.7 bcast=10.5.255.255 nmask=255.255.0.0
> Client started (version 3.0.22-13.18-SUSE-CODE10).
> Connecting to 127.0.0.2 at port 445
> Doing spnego session setup (blob length=121)
> got OID=1 2 840 113554 1 2 2
> got OID=1 2 840 48018 1 2 2
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=cifs/susetest.tta.ridetta.org@TTA.RIDETTA.ORG
> Doing kerberos session setup
> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0]
> expiration Fri, 01 Sep 2006 19:27:17 EDT
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
> susetest:~ #
>
> If the user logs into a windows workstation and tries to connect to
> the share it just prompts for a username and password and even then
> won't grant access.
>
> I've googled the "session setup failed: NT_STATUS_LOGON_FAILURE" error
> and the only thing I get is it is an incorrect username or password.
>
> I've checked the various log files in /var/log/samba and this what I
> see there:
> [2006/09/01 04:32:07, 1] libsmb/clikrb5.c:ads_krb5_mk_req(488)
>   ads_krb5_mk_req: krb5_get_credentials failed for
> tta-bus-w02$@TTA.RIDETTA.ORG (Requested effective lifetime is
> negative or too short)
> [2006/09/01 09:05:30, 0]
> nsswitch/winbindd_dual.c:child_read_request(49)
>   Got invalid request length: 0
> [2006/09/01 09:28:47, 0] auth/auth_util.c:make_server_info_info3(1297)
>   make_server_info_info3: pdb_init_sam failed!
> [2006/09/01 09:19:14, 0] smbd/server.c:main(805)
>   smbd version 3.0.22-13.18-SUSE-CODE10 started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2006
> [2006/09/01 09:19:14, 0] param/loadparm.c:map_parameter(2691)
>   Unknown parameter encountered: "force create"
> [2006/09/01 09:19:14, 0] param/loadparm.c:lp_do_parameter(3436)
>   Ignoring unknown parameter "force create"
> [2006/09/01 09:22:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(303)
>   Username TTA+TTA160C$ is invalid on this system
> [2006/09/01 09:22:19, 0] lib/util_sock.c:write_data(557)
>   write_data: write failure in writing to client 10.5.2.4. Error
> Connection reset by peer
> [2006/09/01 09:22:19, 0] lib/util_sock.c:send_smb(765)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
> [2006/09/01 09:22:29, 0] lib/util_sock.c:write_data(557)
>   write_data: write failure in writing to client 0.0.0.0. Error
> Connection reset by peer
> [2006/09/01 09:22:29, 0] lib/util_sock.c:send_smb(765)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
>
> So, there it is. I am totally at a loss as to what the problem is. Can
> anybody see anything wrong here and point me in the right direction?
> Sorry this is so long, I just wanted to make sure I had all the
> information here for troubleshooting.
>
> Thank you for any help you can give me.
>
> Brian
>   
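Added example, written for this page and not taken from Matt's or Brian's messages: a POSIX shell checker for the parts of the setup in the thread that can be verified without a domain controller. It reads krb5.conf and smb.conf the way smbd does (case-insensitive section and key names, ';' and '#' comments), confirms that realm, default_realm, security and workgroup agree, flags the misspelt "force create" that smbd logged as an unknown parameter (the real option is "force create mode"), flags the missing "client ntlmv2 auth = yes" that Matt's smb.conf has and Brian's lacks (Samba 3.0 defaults it to no, so smbclient and winbind fall back to LM/NTLMv1 whenever Kerberos is not used), and catches the "include /lib/security/pam_winbind.so" lines, which PAM does not accept as written ("include" names another pam.d file; a module line needs a control word such as "required"). The sample files are constructed from the fragments quoted above; the file names, the 1000 lower bound for idmap ranges and the directory layout are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: offline consistency checks for the files
# Brian posted (krb5.conf, smb.conf, /etc/pam.d/samba). No domain is needed;
# write_samples() creates constructed copies of his fragments so the script
# runs as it stands. File names and the idmap lower bound are assumptions.
set -u

# ini_get FILE SECTION KEY: value of KEY inside [SECTION] (first hit). Sections
# and keys compare case-insensitively, as smbd does; ';' and '#' start comments.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/\[|\]/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s)
                        insect = (tolower(s) == tolower(sect)); next }
        insect && /=/ { k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
                        if (tolower(k) == tolower(key)) {
                            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                            print v; exit } }' "$1"
}

# check_config KRB5CONF SMBCONF PAMFILE: print one FAIL line per problem and
# return the number of problems (0 means the three files agree).
check_config() {
    krb5=$1 smb=$2 pam=$3 n=0
    fail()  { echo "FAIL: $*"; n=$((n + 1)); }
    upper() { echo "$1" | tr 'a-z' 'A-Z'; }
    realm=$(ini_get "$smb" global realm)
    defrealm=$(ini_get "$krb5" libdefaults default_realm)
    wg=$(ini_get "$smb" global workgroup)
    sec=$(ini_get "$smb" global security | tr 'A-Z' 'a-z')

    [ "$sec" = "ads" ] || fail "security = '$sec'; Kerberos session setup needs security = ADS"
    [ -n "$realm" ] && [ "$realm" = "$(upper "$realm")" ] \
        || fail "realm '$realm' must be set and upper-case (it is the Kerberos realm)"
    [ "$(upper "$realm")" = "$(upper "$defrealm")" ] \
        || fail "smb.conf realm '$realm' differs from krb5.conf default_realm '$defrealm'"
    [ -n "$wg" ] && [ "$wg" != "$realm" ] \
        || fail "workgroup must be the short NetBIOS domain name, not the realm"
    awk -v r="$realm" 'tolower($1) == tolower(r) && $2 == "=" && $3 == "{" { f = 1 }
                       END { exit !f }' "$krb5" \
        || fail "krb5.conf has no [realms] block for '$realm'"
    [ -n "$(ini_get "$krb5" realms kdc)" ] || fail "krb5.conf [realms] names no kdc"
    # smbd logs "Unknown parameter encountered" for misspelt options and ignores
    # them; the option Brian's share wants is 'force create mode'.
    grep -Eiq '^[[:space:]]*force create[[:space:]]*=' "$smb" \
        && fail "'force create' is not a Samba parameter (use 'force create mode')"
    # Samba 3.0 defaults this to no, so smbclient and winbind send LM/NTLMv1
    # responses whenever Kerberos is not used. Matt's smb.conf sets it.
    [ "$(ini_get "$smb" global 'client ntlmv2 auth' | tr 'A-Z' 'a-z')" = yes ] \
        || fail "client ntlmv2 auth is not 'yes'; LM/NTLMv1 fallback stays enabled"
    # idmap ranges: LOW-HIGH, LOW < HIGH, and above local accounts (1000 assumed).
    for key in 'idmap uid' 'idmap gid'; do
        r=$(ini_get "$smb" global "$key"); lo=${r%-*}; hi=${r#*-}
        case $r in
            *-*) [ "$lo" -lt "$hi" ] && [ "$lo" -ge 1000 ] || fail "$key = '$r' is not a sane range" ;;
            *)   fail "$key is missing" ;;
        esac
    done
    # PAM 'include' names another pam.d file, never a module; a module line needs
    # a control word such as 'required'.
    awk '$1 ~ /^(auth|account|session|password)$/ && $2 == "include" && $3 ~ /\.so$/ { bad = 1 }
         END { exit bad + 0 }' "$pam" \
        || fail "pam.d: 'include' given a module path; use 'required pam_winbind.so'"
    return $n
}

# write_samples DIR: constructed copies of the posted fragments plus a corrected
# smb.conf/pam pair, so the checker can be exercised without a DC.
write_samples() {
    d=$1
    printf '[libdefaults]\n\tdefault_realm = TTA.RIDETTA.ORG\n[realms]\n' > "$d/krb5.conf"
    printf '\tTTA.RIDETTA.ORG = {\n\t\tkdc = tta-tw-w02.tta.ridetta.org\n\t}\n' >> "$d/krb5.conf"
    cat > "$d/smb.conf.posted" <<'EOF'
[global]
        workgroup = TTA
        realm = TTA.RIDETTA.ORG
        security = ADS
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
[testing]
        path = /home/testing/
        force create = 0775
EOF
    printf '#%%PAM-1.0\nauth     include        /lib/security/pam_winbind.so\n' > "$d/pam.posted"
    printf 'account  include        /lib/security/pam_winbind.so\n' >> "$d/pam.posted"
    # corrected: Matt's two lines under [global], the real parameter name, PAM controls
    { printf '[global]\n\tclient use spnego = yes\n\tclient ntlmv2 auth = yes\n'
      sed -e '/^\[global\]/d' -e 's/force create =/force create mode =/' "$d/smb.conf.posted"
    } > "$d/smb.conf.fixed"
    printf '#%%PAM-1.0\nauth     required  pam_winbind.so\naccount  required  pam_winbind.so\n' > "$d/pam.fixed"
}

# Stand-alone run: the posted files, then the corrected ones.
demo() {
    d=$(mktemp -d) && write_samples "$d"
    echo "== as posted";  check_config "$d/krb5.conf" "$d/smb.conf.posted" "$d/pam.posted"; echo "problems: $?"
    echo "== corrected";  check_config "$d/krb5.conf" "$d/smb.conf.fixed"  "$d/pam.fixed";  echo "problems: $?"
    rm -rf "$d"
}
demo
```

Run against Brian's fragments the checker reports three findings (the misspelt parameter, the missing "client ntlmv2 auth", the PAM control word); against the corrected pair it reports none. The checks that need the domain are not scripted here because they cannot be exercised offline: "net ads testjoin" and "wbinfo -t" confirm the machine account and trust secret, "kinit" followed by "klist" confirms the user can get a TGT, and the clock should be compared with the DC ("net time -S <dc>"), because the "Requested effective lifetime is negative or too short" line in the log is MIT krb5's KDC_ERR_NEVER_VALID, which most often comes from clock skew between the Samba host and the KDC.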
