LinuxQuestions.org
Old 01-07-2013, 06:41 PM   #1
varouj
LQ Newbie
 
Registered: Oct 2012
Posts: 8

Problem with Joining Samba3 to Samba4 AD Domain


Hello everyone,
Once again I am having a problem with Samba3 in a Samba4 domain.
I recently installed two Samba4 Active Directory Domain Controllers on CentOS 6.3, which are working perfectly, and I had joined a Samba3 server to this domain and everything went well. I could authenticate users on the Samba3 server and could see all the groups in the domain, but I was having a permissions problem accessing the share that I had created on the Samba3 server. I could see the share but could not access it, and with the help of "Ser Olmy" from this forum (see here), I discovered that disabling "selinux" would solve the issue. Everything was working well before the New Year. Today when I tried to access the share I got the same problem, so I thought I might restart the server, and after the restart I had the following error messages in /var/log/messages.

Jan 7 15:42:58 samba3 winbindd[2346]: [2013/01/07 15:42:58.674815, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
Jan 7 15:42:58 samba3 winbindd[2346]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials

I noticed that I could no longer see the users or groups when I ran wbinfo -u and wbinfo -g.


Here are the steps I took to try to resolve the problem, but without success:

1- Removed the samba3 machine from Samba4 AD
2- Stopped smb and winbind
3- deleted all tdb files from /var/lib/samba
4- started the smb and winbind services
5- Ran:
[root@Samba3 ~]# kinit administrator
Password for administrator@DOMAIN.COMPANY.COM:
Warning: Your password will expire in 17 days on Fri Jan 25 15:00:57 2013
[root@Samba3 ~]#

6- Next I ran:
[root@Samba3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.COMPANY.COM

Valid starting Expires Service principal
01/07/13 16:17:58 01/08/13 02:17:58 krbtgt/DOMAIN>COMPANY.COM@DOMAIN.COMPANY.COM
renew until 01/08/13 16:17:28

7- Then I tried the following commands in turn:

[root@Samba3 ~]# net ads join -U administrator
Enter administrator's password:
[2013/01/07 16:21:03.456721, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

[root@Samba3 ~]# net ads testjoin
[2013/01/07 16:25:09.437670, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
[2013/01/07 16:25:09.665259, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials


[root@Samba3 ~]# net rpc join -U administrator
Enter administrator's password:
Joined domain DOMAIN.

[root@Samba3 ~]# net rpc testjoin
Join to 'DOMAIN' is OK

[root@GLEN-Samba1 ~]# net ads info -U Administrator
Enter Administrator's password:
LDAP server: 192.168.1.101
LDAP server name: samba-ad.domain.company.com
Realm: DOMAIN.COMPANY.COM
Bind Path: dc=DOMAIN,dc=COMPANY,dc=COM
LDAP port: 389
Server time: Mon, 07 Jan 2013 16:27:56 PST
KDC server: 10.100.1.101
Server time offset: 26

[root@Samba3 ~]# net rpc info -U Administrator
Enter Administrator's password:
Domain Name: DOMAIN
Domain SID: S-1-5-21-2572227374-1339717712-1008418335
Sequence number: 1
Num users: 17
Num domain groups: 12
Num local groups: 26

[root@Samba3 ~]# wbinfo -a vavanessians%somepassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root@Samba3 ~]# wbinfo -K 'vavanessians%somepassword'
plaintext kerberos password authentication for [vavanessians%somepassword] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0


But when I run "wbinfo -u" or "wbinfo -g" I get nothing.

My configuration files are:


[root@Samba3 ~]# cat /etc/krb5.conf
[libdefaults]
ticket_lifetime = 24h
default_realm = DOMAIN.COMPANY.COM
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
[realms]
DOMAIN.COMPANY.COM = {
kdc = 192.168.1.101
default_domain = DOMAIN.COMPANY.COM
}
[domain_realm]
.domain.company.com = DOMAIN.COMPANY.COM
domain.company.com = DOMAIN.COMPANY.COM
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logog

[root@Samba3 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.128 samba3.domain.company.com samba3
192.168.1.101 samba-ad.domain.company.com samba-ad





[root@Samba3 ~]# cat /etc/samba/smb.conf
[global]
netbios name = Samba3
workgroup = DOMAIN
realm = DOMAIN.COMPANY.COM
preferred master = no
server string = Samba File Server
security = ads
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +

idmap uid = 600-20000
idmap gid = 600-20000
os level = 20

password server = *
dns proxy = no
template shell = /bin/bash
template homedir = /home/%U



[Data]
comment = The Old Novel O-Drive
path = /data
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "DOMAIN+Dmain Admins"
admin users = "DOMAIN+Domain Admins"





/etc/nsswitch.conf
passwd: compat winbind
shadow: compat
group: compat winbind


[root@Samba3 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient [default=bad success=ok user_unkown=ignore] pam_krb5.so
account sufficient [default = bad success=ok user_unknown=ignore] pam_winbind.so cached_login use_first_pass
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session required pam_winbind.so use_first_pass


Thank you in advance for any help you can provide.
 
  

