LinuxQuestions.org
Old 01-14-2008, 06:33 PM   #1
a1danel
LQ Newbie
 
Registered: Apr 2007
Location: California
Distribution: Debian/Redhat/Fedora
Posts: 18

Rep: Reputation: 0
failed session setup with NT_STATUS_LOGON_FAILURE


Trying to connect a CentOS 4.6 server to a Windows 2000 Active Directory domain.

I am able to do:

kinit username@DOMAIN.LOCAL

with success. But when I do:

net ads join -U username@DOMAIN.LOCAL

I get failed session setup with NT_STATUS_LOGON_FAILURE
Cannot connect to server using kerberos.
Failed to join domain: Logon failure.

===SMB.CONF=========================================================

[global]

# Setup Authentication #

workgroup = DOMAIN
realm = DOMAIN.LOCAL
netbios name = linux-test
server string = linux-test
security = ADS
encrypt passwords = Yes
preferred master = No
template shell = /bin/bash
template homedir = /DOMAIN/users/%U
enhanced browsing = no
wins support = no
wins server = 192.168.0.1
winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
client schannel = no
client use spnego = no
server signing = no
password server = server1.domain.local

# Setup Log Files #

log file = /var/log/samba/samba.log
log level = 4

# INSTALL SENDFILE for Faster download #
# of Large files #

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

use sendfile = yes
kernel oplocks = no
oplocks = no
fake oplocks = yes

# SHARES #

===END SMB.CONF=================================================

===KRB5.CONF====================================================

#
# Replace /etc/krb5.conf with this file.
#

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DOMAIN.LOCAL = {
kdc = server1.domain.local
default_domain = domain.local
kdc = server1.domain.local
}

[domain_realm]
domain.local = DOMAIN.LOCAL
.domain.local = DOMAIN.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


===END KRB5.CONF=====================================================

===Software versions=================================================
[root@linux-test samba]# rpm -qa samba*
samba-common-3.0.25b-1.el4_6.4
samba-3.0.25b-1.el4_6.4
samba-client-3.0.25b-1.el4_6.4

[root@linux-test samba]# rpm -qa krb5*
krb5-libs-1.3.4-54
krb5-workstation-1.3.4-54
krb5-devel-1.3.4-54

[root@linux-test samba]# /etc/init.d/smb status
smbd (pid 5005 4974) is running...
nmbd (pid 4978) is running...

[root@linux-test samba]# service winbind status
winbindd is stopped

[root@linux-test samba]# echo $HOSTNAME
linux-test.domain.local




===END Software Versions==============================================

===SOME OUTPUT==========================================================

[root@linux-test samba]# net ads join -S 192.168.0.1 -Uusername
username's password:
Failed to join domain: Logon failure
[root@linux-test samba]#

==END OUTPUT===========================================================


Any suggestions? I am running out of ideas.

Last edited by a1danel; 01-14-2008 at 06:36 PM.
 
Old 01-16-2008, 02:54 AM   #2
crazyivan
Member
 
Registered: Mar 2007
Distribution: Debian, Ubuntu server
Posts: 40

Rep: Reputation: 15
- Have you tried authenticating using kinit?

- Try to raise the log level and post /var/log/samba/log.winbindd

- You might want to define which GID and UID need to be mapped.

Here is my samba [global]:

[global]
workgroup = PARK
realm = PARK.DOMAIN
server string = %h server
wins support = No
security = ADS
allow trusted domains = No
obey pam restrictions = Yes
password server = ice.park.DOMAIN
passdb backend = tdbsam
log level = 10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
template shell = /bin/bash
winbind separator = +
winbind cache time = 15
idmap uid = 1000-50000000
idmap gid = 1000-50000000
idmap backend = rid:PARK=1000-50000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
invalid users = root
include = /etc/samba/dhcp.conf

(I'm still stuck with getting the correct PAM stack, but that is a different problem ;-)
 
Old 01-24-2008, 01:50 PM   #3
a1danel
LQ Newbie
 
Registered: Apr 2007
Location: California
Distribution: Debian/Redhat/Fedora
Posts: 18

Original Poster
Rep: Reputation: 0
Yes, kinit works fine. Just can't seem to join the domain.
 
Old 01-25-2008, 04:43 AM   #4
crazyivan
Member
 
Registered: Mar 2007
Distribution: Debian, Ubuntu server
Posts: 40

Rep: Reputation: 15
Try changing the administrator password on the MS server.
 
Old 07-16-2008, 04:21 PM   #5
a1danel
LQ Newbie
 
Registered: Apr 2007
Location: California
Distribution: Debian/Redhat/Fedora
Posts: 18

Original Poster
Rep: Reputation: 0
The password seems to be taking, because if I type the wrong password I get:

failed: Preauthentication failed
Failed to join domain: Logon failure
 
Old 03-21-2012, 11:53 AM   #6
chitambira
Member
 
Registered: Oct 2008
Location: Fife
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 50
Has anybody figured out this issue?
 
Old 03-22-2012, 03:10 AM   #7
crazyivan
Member
 
Registered: Mar 2007
Distribution: Debian, Ubuntu server
Posts: 40

Rep: Reputation: 15
You might want to post a few configuration files. I'm not sure you want to assume that a problem from a few years back is identical to yours.
 
Old 03-23-2012, 07:55 AM   #8
chitambira
Member
 
Registered: Oct 2008
Location: Fife
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 50
Ok, my setup is as follows:
- Win2008R2 AD with "Identity Management for Unix"/"Services for NIS" component
- CentOS 4.8 x86_64
- Kerberos configured (pam_krb5, krb5.conf etc.)
- LDAP configured (ldap.conf configured with AD bind credentials)
- nsswitch.conf using "files ldap" for passwd, shadow and groups
- minimal smb.conf configured with workgroup, security (ads), realm, use kerberos, and password server(s)
- All working fine for auth
  - can run getent passwd successfully
  - AD users can login successfully
  - can run "id username" successfully
  - can run kinit successfully
- Note that I am not using samba (no smbd running)
- Note that I am not using winbind (no winbindd running)
- And I don't intend to use these.

PROBLEM
I wanted to join this CentOS machine to AD.
I just want the machine to appear in AD, and of course there are security benefits of doing this (2 way auth).
- So I ran "net ads join -U ADuser%password"

and it's returning "Failed to join domain: Logon failure".
Its -d10 is returning:
Quote:
...
[2012/03/23 11:22:18, 3] libsmb/cliconnect.c:cli_session_setup(1008)
SPNEGO login failed: Logon failure
[2012/03/23 11:22:18, 1] libsmb/cliconnect.c:cli_full_connection(1653)
failed session setup with NT_STATUS_LOGON_FAILURE
[2012/03/23 11:22:18, 1] utils/net.c:connect_to_ipc_krb5(297)
Cannot connect to server using kerberos. Error was NT_STATUS_LOGON_FAILURE
[2012/03/23 11:22:18, 1] utils/net_ads.c:net_ads_join(1548)
call of net_join_domain failed: Logon failure
[2012/03/23 11:22:18, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/lib/samba/en_GB.UTF-8.msg: No such file or directory
Failed to join domain: Logon failure
[2012/03/23 11:22:18, 2] utils/net.c:main(1075)
return code = -1

klist returns this:
Quote:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADuser@DOMAIN.COM

Valid starting Expires Service principal
03/22/12 22:01:37 03/23/12 08:01:42 krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 03/23/12 22:01:37

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Does anybody know what could be wonky, or whether it's possible?

PS: There are very serious reasons why I can't and should not upgrade my CentOS.

[root@centos4 ~]# rpm -qa |grep krb
krb5-devel-1.3.4-60.el4_7.2
pam_krb5-2.1.17-6.el4
krb5-auth-dialog-0.2-1
krb5-workstation-1.3.4-60.el4_7.2
krb5-libs-1.3.4-60.el4_7.2

[root@centos4 ~]# rpm -qa |grep ldap
openldap-2.2.13-12.el4
python-ldap-2.0.1-2
nss_ldap-253-5.el4_7.1
openldap-clients-2.2.13-12.el4

[root@centos4 ~]# rpm -qa |grep samba
samba-client-3.0.28-0.el4.9
samba-common-3.0.28-0.el4.9
samba-3.0.28-0.el4.9

Last edited by chitambira; 03-23-2012 at 08:03 AM.
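
Added example, not part of any poster's message: a small Python parser for the Samba 3.0 debug-log format quoted in post #8, which reduces a `-d10` trace to the ordered low-level failure records and the NT_STATUS codes they name. The sample text is the excerpt from that post; the function names are this example's own.

```python
import re

# Record header as it appears in the post's "net ads join -d10" output:
#   [2012/03/23 11:22:18, 3] libsmb/cliconnect.c:cli_session_setup(1008)
HEADER = re.compile(r"^\[[\d/]+ [\d:]+,\s*(?P<level>\d+)\]\s+[^:\s]+:(?P<func>\w+)\(\d+\)$")
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")

# Excerpt copied from post #8 (not new data).
SAMPLE = """\
[2012/03/23 11:22:18, 3] libsmb/cliconnect.c:cli_session_setup(1008)
SPNEGO login failed: Logon failure
[2012/03/23 11:22:18, 1] libsmb/cliconnect.c:cli_full_connection(1653)
failed session setup with NT_STATUS_LOGON_FAILURE
[2012/03/23 11:22:18, 1] utils/net.c:connect_to_ipc_krb5(297)
Cannot connect to server using kerberos. Error was NT_STATUS_LOGON_FAILURE
[2012/03/23 11:22:18, 1] utils/net_ads.c:net_ads_join(1548)
call of net_join_domain failed: Logon failure
[2012/03/23 11:22:18, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/lib/samba/en_GB.UTF-8.msg: No such file or directory
Failed to join domain: Logon failure
[2012/03/23 11:22:18, 2] utils/net.c:main(1075)
return code = -1
"""

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({"level": int(m["level"]), "func": m["func"], "msg": ""})
        elif line and records:
            # Un-headed lines (including the tool's own stdout) join the open record.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def failure_chain(records, max_level=3):
    """Ordered (level, function, message) for records at or below max_level."""
    return [(r["level"], r["func"], r["msg"]) for r in records if r["level"] <= max_level]

def nt_status_codes(records):
    """Distinct NT_STATUS_* codes named anywhere in the trace, sorted."""
    return sorted({c for r in records for c in NT_STATUS.findall(r["msg"])})

if __name__ == "__main__":
    print(failure_chain(parse_records(SAMPLE)), nt_status_codes(parse_records(SAMPLE)))
```

With the default `max_level=3` the first entry returned is the `cli_session_setup` record, the earliest point in this trace where the session setup is reported as failing; the level-10 locale message is filtered out.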
 
  


All times are GMT -5.
