Problem with Joining Samba3 to Samba4 AD Domain

varouj · 01-07-2013, 06:41 PM

Hello everyone
Once Again I am having a problem with Samba3 in Samba4 Domain.
I recently installed two Samba4 Active Directory Domain Controllers on CentOS 6.3 which are working perfectly, and I had joined a Samba3 Server to this domain and everything went well. I could authenticate users on samba3 server and could see all the groups in the domain, but I was having permissions problem accessing the share that I have created on the Samba3 server. I could see the Share but could not access it and with the help of "Ser Olmy" from this forum, (See here) I discovered that disabling the "selinux" would solve the issue. Everything was working well before the New Year. Today when I tried to access the share I got the Same problem, so I thought I might restart the server and after restart I had the following error messages in /var/log/messages.

Jan 7 15:42:58 samba3 winbindd[2346]: [2013/01/07 15:42:58.674815, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
Jan 7 15:42:58 samba3 winbindd[2346]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials

I noticed that I could no longer see the users or groups when I ran wbinf -u and wbinfo -g.

Here are the step I took to try and resolve the problem but without success:

1- Removed the samba3 machine from Samba4 AD
2- Stopped smb and winbind
3- deleted all tdb files from /var/lib/samba
4- started the smb and winbind services
5 - ran:
root@Samba3 ~]# kinit administrator
Password for administrator@DOMAIN.COMPANY.COM:
Warning: Your password will expire in 17 days on Fri Jan 25 15:00:57 2013
[root@Samba3 ~]#

6- Next I arn:
[root@Samba3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.COMPANY.COM

Valid starting Expires Service principal
01/07/13 16:17:58 01/08/13 02:17:58 krbtgt/DOMAIN>COMPANY.COM@DOMAIN.COMPANY.COM
renew until 01/08/13 16:17:28

7- The I tried the following commands in turn

[root@Samba3 ~]# net ads join -U administrator
Enter administrator's password:
[2013/01/07 16:21:03.456721, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

[root@Samba3 ~]# net ads testjoin
[2013/01/07 16:25:09.437670, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
[2013/01/07 16:25:09.665259, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

[root@Samba3 ~]# net rpc join -U administrator
Enter administrator's password:
Joined domain DOMAIN.

[root@Samba3 ~]# net rpc testjoin
Join to 'DOMAIN' is OK

[root@GLEN-Samba1 ~]# net ads info -U Administrator
Enter Administrator's password:
LDAP server: 192.168.1.101
LDAP server name: samba-ad.domain.company.com
Realm: DOMAIN.COMPANY.COM
Bind Path: dc=DOMAIN,dc=COMPANY,dc=COM
LDAP port: 389
Server time: Mon, 07 Jan 2013 16:27:56 PST
KDC server: 10.100.1.101
Server time offset: 26

[root@Samba3 ~]# net rpc info -U Administrator
Enter Administrator's password:
Domain Name: DOMAIN
Domain SID: S-1-5-21-2572227374-1339717712-1008418335
Sequence number: 1
Num users: 17
Num domain groups: 12
Num local groups: 26

[root@Samba3 ~]# wbinfo -a vavanessians%somepassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root@Samba3 ~]# wbinfo -K 'vavanessians%somepassword'
plaintext kerberos password authentication for [vavanessians%somepassword] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

but when I run "wbinfo -u" or "wbinfo -g" I get nothing

My configuration files are:

[root@Samba3 ~]# cat /etc/krb5.conf
[libdefaults]
ticket_lifetime = 24h
default_realm = DOMAIN.COMPANY.COM
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
[realms]
DOMAIN.COMPANY.COM = {
kdc = 192.168.1.101
default_domain = DOMAIN.COMPANY.COM
}
[domain_realm]
.domain.company.com = DOMAIN.COMPANY.COM
domain.company.com = DOMAIN.COMPANY.COM
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logog

[root@Samba3 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.128 samba3.domain.company.com samba3
192.168.1.101 samba-ad.domain.company.com samba-ad

[root@Samba3 ~]# cat /etc/samba/smb.conf
[global]
netbios name = Samba3
workgroup = DOMAIN
realm = DOMAIN.COMPANY.COM
preferred master = no
server string = Samba File Server
security = ads
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +

idmap uid = 600-20000
idmap gid = 600-20000
os level = 20

password server = *
dns proxy = no
template shell = /bin/bash
template homedir = /home/%U

[Data]
comment = The Old Novel O-Drive
path = /data
browseable = yes
read only = noSer Olmy
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "DOMAIN+Dmain Admins"
admin users = "DOMAIN+Domain Admins"

/etc/nsswitch.conf
passwd: compat winbind
shadow: compathttp://www.linuxquestions.org/questions/linux-enterprise-47/permission-problem-on-a-samba3-share-in-a-samba4-domain-4175443161/
group: compat winbind

[root@Samba3 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient [default=bad success=ok user_unkown=ignore] pam_krb5.so
account sufficient [default = bad success=ok user_unknown=ignore] pam_winbind.so cached_login use_first_pass
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session required pam_winbind.so use_first_pass

Thank you in advance for any help you can provide.