-   Linux - Enterprise (
-   -   Problem with Joining Samba3 to Samba4 AD Domain (

varouj 01-07-2013 07:41 PM

Problem with Joining Samba3 to Samba4 AD Domain
Hello everyone
Once Again I am having a problem with Samba3 in Samba4 Domain.
I recently installed two Samba4 Active Directory Domain Controllers on CentOS 6.3 which are working perfectly, and I had joined a Samba3 Server to this domain and everything went well. I could authenticate users on samba3 server and could see all the groups in the domain, but I was having permissions problem accessing the share that I have created on the Samba3 server. I could see the Share but could not access it and with the help of "Ser Olmy" from this forum, (See here) I discovered that disabling the "selinux" would solve the issue. Everything was working well before the New Year. Today when I tried to access the share I got the Same problem, so I thought I might restart the server and after restart I had the following error messages in /var/log/messages.

Jan 7 15:42:58 samba3 winbindd[2346]: [2013/01/07 15:42:58.674815, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
Jan 7 15:42:58 samba3 winbindd[2346]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials

I noticed that I could no longer see the users or groups when I ran wbinf -u and wbinfo -g.

Here are the step I took to try and resolve the problem but without success:

1- Removed the samba3 machine from Samba4 AD
2- Stopped smb and winbind
3- deleted all tdb files from /var/lib/samba
4- started the smb and winbind services
5 - ran:
root@Samba3 ~]# kinit administrator
Password for administrator@DOMAIN.COMPANY.COM:
Warning: Your password will expire in 17 days on Fri Jan 25 15:00:57 2013
[root@Samba3 ~]#

6- Next I arn:
[root@Samba3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.COMPANY.COM

Valid starting Expires Service principal
01/07/13 16:17:58 01/08/13 02:17:58 krbtgt/DOMAIN>COMPANY.COM@DOMAIN.COMPANY.COM
renew until 01/08/13 16:17:28

7- The I tried the following commands in turn

[root@Samba3 ~]# net ads join -U administrator
Enter administrator's password:
[2013/01/07 16:21:03.456721, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

[root@Samba3 ~]# net ads testjoin
[2013/01/07 16:25:09.437670, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
[2013/01/07 16:25:09.665259, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

[root@Samba3 ~]# net rpc join -U administrator
Enter administrator's password:
Joined domain DOMAIN.

[root@Samba3 ~]# net rpc testjoin
Join to 'DOMAIN' is OK

[root@GLEN-Samba1 ~]# net ads info -U Administrator
Enter Administrator's password:
LDAP server:
LDAP server name:
Bind Path: dc=DOMAIN,dc=COMPANY,dc=COM
LDAP port: 389
Server time: Mon, 07 Jan 2013 16:27:56 PST
KDC server:
Server time offset: 26

[root@Samba3 ~]# net rpc info -U Administrator
Enter Administrator's password:
Domain Name: DOMAIN
Domain SID: S-1-5-21-2572227374-1339717712-1008418335
Sequence number: 1
Num users: 17
Num domain groups: 12
Num local groups: 26

[root@Samba3 ~]# wbinfo -a vavanessians%somepassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root@Samba3 ~]# wbinfo -K 'vavanessians%somepassword'
plaintext kerberos password authentication for [vavanessians%somepassword] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

but when I run "wbinfo -u" or "wbinfo -g" I get nothing

My configuration files are:

[root@Samba3 ~]# cat /etc/krb5.conf
ticket_lifetime = 24h
default_realm = DOMAIN.COMPANY.COM
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
kdc =
default_domain = DOMAIN.COMPANY.COM
profile = /etc/krb5kdc/kdc.conf
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logog

[root@Samba3 ~]# cat /etc/hosts localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 samba3 samba-ad

[root@Samba3 ~]# cat /etc/samba/smb.conf
netbios name = Samba3
workgroup = DOMAIN
preferred master = no
server string = Samba File Server
security = ads
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +

idmap uid = 600-20000
idmap gid = 600-20000
os level = 20

password server = *
dns proxy = no
template shell = /bin/bash
template homedir = /home/%U

comment = The Old Novel O-Drive
path = /data
browseable = yes
read only = noSer Olmy
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "DOMAIN+Dmain Admins"
admin users = "DOMAIN+Domain Admins"

passwd: compat winbind
shadow: compat
group: compat winbind

[root@Samba3 ~]# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient
auth sufficient nullok try_first_pass
auth sufficient use_first_pass
auth sufficient cached_login use_first_pass
auth requisite uid >= 500 quiet
auth required

account required
account sufficient
account sufficient uid < 500 quiet
account sufficient [default=bad success=ok user_unkown=ignore]
account sufficient [default = bad success=ok user_unknown=ignore] cached_login use_first_pass
account required

password requisite try_first_pass retry=3 type=
password sufficient sha512 shadow nullok try_first_pass use_authtok
password sufficient use_authtok
password sufficient cached_login use_authtok
password required

session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional
session required use_first_pass

Thank you in advance for any help you can provide.

All times are GMT -5. The time now is 09:22 PM.