Old 01-07-2013, 06:41 PM   #1
Problem with Joining Samba3 to Samba4 AD Domain

Hello everyone
Once again I am having a problem with Samba3 in a Samba4 domain.
I recently installed two Samba4 Active Directory Domain Controllers on CentOS 6.3, which are working perfectly, and I had joined a Samba3 server to this domain and everything went well. I could authenticate users on the Samba3 server and could see all the groups in the domain, but I was having a permissions problem accessing the share that I had created on the Samba3 server. I could see the share but could not access it, and with the help of "Ser Olmy" from this forum (see here) I discovered that disabling "selinux" would solve the issue. Everything was working well before the New Year. Today when I tried to access the share I got the same problem, so I thought I would restart the server, and after the restart I had the following error messages in /var/log/messages:

Jan 7 15:42:58 samba3 winbindd[2346]: [2013/01/07 15:42:58.674815, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
Jan 7 15:42:58 samba3 winbindd[2346]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials

I noticed that I could no longer see the users or groups when I ran wbinfo -u and wbinfo -g.

Here are the steps I took to try and resolve the problem, but without success:

1- Removed the samba3 machine from Samba4 AD
2- Stopped smb and winbind
3- deleted all tdb files from /var/lib/samba
4- started the smb and winbind services
5 - ran:
[root@Samba3 ~]# kinit administrator
Password for administrator@DOMAIN.COMPANY.COM:
Warning: Your password will expire in 17 days on Fri Jan 25 15:00:57 2013
[root@Samba3 ~]#

6- Next I ran:
[root@Samba3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.COMPANY.COM

Valid starting Expires Service principal
01/07/13 16:17:58 01/08/13 02:17:58 krbtgt/DOMAIN.COMPANY.COM@DOMAIN.COMPANY.COM
renew until 01/08/13 16:17:28

7- Then I tried the following commands in turn:

[root@Samba3 ~]# net ads join -U administrator
Enter administrator's password:
[2013/01/07 16:21:03.456721, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

[root@Samba3 ~]# net ads testjoin
[2013/01/07 16:25:09.437670, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
[2013/01/07 16:25:09.665259, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

[root@Samba3 ~]# net rpc join -U administrator
Enter administrator's password:
Joined domain DOMAIN.

[root@Samba3 ~]# net rpc testjoin
Join to 'DOMAIN' is OK

[root@GLEN-Samba1 ~]# net ads info -U Administrator
Enter Administrator's password:
LDAP server:
LDAP server name:
Bind Path: dc=DOMAIN,dc=COMPANY,dc=COM
LDAP port: 389
Server time: Mon, 07 Jan 2013 16:27:56 PST
KDC server:
Server time offset: 26

[root@Samba3 ~]# net rpc info -U Administrator
Enter Administrator's password:
Domain Name: DOMAIN
Domain SID: S-1-5-21-2572227374-1339717712-1008418335
Sequence number: 1
Num users: 17
Num domain groups: 12
Num local groups: 26

[root@Samba3 ~]# wbinfo -a vavanessians%somepassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root@Samba3 ~]# wbinfo -K 'vavanessians%somepassword'
plaintext kerberos password authentication for [vavanessians%somepassword] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

but when I run "wbinfo -u" or "wbinfo -g" I get nothing

My configuration files are:

[root@Samba3 ~]# cat /etc/krb5.conf
ticket_lifetime = 24h
default_realm = DOMAIN.COMPANY.COM
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
kdc =
default_domain = DOMAIN.COMPANY.COM
profile = /etc/krb5kdc/kdc.conf
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logog

[root@Samba3 ~]# cat /etc/hosts
localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 samba3 samba-ad

[root@Samba3 ~]# cat /etc/samba/smb.conf
netbios name = Samba3
workgroup = DOMAIN
preferred master = no
server string = Samba File Server
security = ads
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +

idmap uid = 600-20000
idmap gid = 600-20000
os level = 20

password server = *
dns proxy = no
template shell = /bin/bash
template homedir = /home/%U

comment = The Old Novel O-Drive
path = /data
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "DOMAIN+Dmain Admins"
admin users = "DOMAIN+Domain Admins"

passwd: compat winbind
shadow: compat
group: compat winbind

[root@Samba3 ~]# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient
auth sufficient nullok try_first_pass
auth sufficient use_first_pass
auth sufficient cached_login use_first_pass
auth requisite uid >= 500 quiet
auth required

account required
account sufficient
account sufficient uid < 500 quiet
account sufficient [default=bad success=ok user_unkown=ignore]
account sufficient [default = bad success=ok user_unknown=ignore] cached_login use_first_pass
account required

password requisite try_first_pass retry=3 type=
password sufficient sha512 shadow nullok try_first_pass use_authtok
password sufficient use_authtok
password sufficient cached_login use_authtok
password required

session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional
session required use_first_pass

Thank you in advance for any help you can provide.
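The post shows two things worth checking mechanically when a "kinit succeeded but ads_sasl_spnego_krb5_bind failed" message appears: whether the SASL/Kerberos bind failures are really what winbind is logging (the two-line Samba debug format, optionally wrapped in a syslog prefix in /var/log/messages), and whether the clock skew reported by "net ads info" is within the default Kerberos tolerance. The following triage script is an added example and not part of the original post or of Samba; the log lines and the "net ads info" output embedded in it are constructed from the shapes shown above (the second log event, the IP addresses and the DC host name are placeholders), and the 300-second limit is the MIT Kerberos default for clockskew.

```python
import re
from datetime import datetime

# Optional syslog prefix rsyslog adds when a Samba daemon logs to
# /var/log/messages, e.g. "Jan  7 15:42:58 samba3 winbindd[2346]: ".
SYSLOG_PREFIX_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ [\w.-]+\[\d+\]: "
)

# Samba 3 debug header: "[YYYY/MM/DD HH:MM:SS.ffffff, level] file:line(function)".
# The message text follows on the next line(s).
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\] "
    r"(?P<file>[^:\s]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

# Signature of the failure in the post: the KDC issued a TGT (kinit succeeded)
# but the DC's LDAP service rejected the resulting Kerberos bind.
BIND_FAILURE_RE = re.compile(r"kinit succeeded but \w+ failed: Invalid credentials")

MAX_CLOCK_SKEW_SECONDS = 300  # MIT Kerberos default 'clockskew'

# Constructed sample input (first event copied from the post's log shape,
# second event is a placeholder to show non-matching entries are kept).
MESSAGES = """\
Jan  7 15:42:58 samba3 winbindd[2346]: [2013/01/07 15:42:58.674815, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
Jan  7 15:42:58 samba3 winbindd[2346]:   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Jan  7 15:43:10 samba3 winbindd[2346]: [2013/01/07 15:43:10.001000, 3] winbindd/winbindd.c:10(noop)
Jan  7 15:43:10 samba3 winbindd[2346]:   placeholder informational event
"""

# Constructed "net ads info" output; addresses are documentation-range placeholders.
ADS_INFO = """\
LDAP server: 192.0.2.10
LDAP server name: dc1.domain.company.com
Bind Path: dc=DOMAIN,dc=COMPANY,dc=COM
LDAP port: 389
Server time: Mon, 07 Jan 2013 16:27:56 PST
KDC server: 192.0.2.10
Server time offset: 26
"""


def parse_samba_debug(text):
    """Group Samba debug header lines with their message lines into event dicts."""
    events = []
    current = None
    for raw in text.splitlines():
        line = SYSLOG_PREFIX_RE.sub("", raw.strip()).strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {
                "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
                "level": int(m.group("level")),
                "file": m.group("file"),
                "line": int(m.group("line")),
                "func": m.group("func"),
                "message": "",
                "bind_failure": False,
            }
            events.append(current)
        elif current is not None:
            # Continuation line: append to the message of the current event.
            current["message"] = (current["message"] + " " + line).strip()
            current["bind_failure"] = bool(BIND_FAILURE_RE.search(current["message"]))
    return events


def parse_time_offset(ads_info_text):
    """Return the 'Server time offset' in seconds from 'net ads info' output, or None."""
    m = re.search(r"^Server time offset:\s*(-?\d+)\s*$", ads_info_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def triage(messages_text, ads_info_text):
    """Summarise bind failures and clock skew so the two causes can be told apart."""
    events = parse_samba_debug(messages_text)
    failures = [e for e in events if e["bind_failure"]]
    offset = parse_time_offset(ads_info_text)
    return {
        "events": len(events),
        "bind_failures": len(failures),
        "failing_functions": sorted({e["func"] for e in failures}),
        "clock_skew": offset,
        "skew_ok": offset is not None and abs(offset) <= MAX_CLOCK_SKEW_SECONDS,
    }


if __name__ == "__main__":
    result = triage(MESSAGES, ADS_INFO)
    print(result)
    if result["bind_failures"] and result["skew_ok"]:
        print("TGT issued and clock skew within limit: look at the machine "
              "account / keytab and the DC's service principal, not the password.")
```

Run it against the real /var/log/messages and the output of "net ads info" on the member server; a non-zero bind_failures count together with skew_ok being True rules clock skew out and points at the machine account or service-ticket side of the join, while skew_ok being False says to fix NTP first.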