01-19-2011, 06:45 AM   #1
Felipe

Samba Share: Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!


Hello:

I've a CentOS 5.5 joined to Active Directory.

I can authenticate using user/pass from AD (putty, ssh).

But I'm unable to access samba shares on CentOS from WinXP and Linux (it works fine from Windows7).

It has been working up to now, but I don't know what I've done to stop it working.

Trying to reinitialize Samba, I've deleted /var/cache/samba/* and /etc/samba/secrets.tdb, and left and joined the computer to the domain, but the problem is the same.

I've another computer with exactly the same release and the same packages and it works fine.

I can create tickets, but if I try to access a Samba share from a Linux machine, I receive an error:

user>smbclient -k -L testul0001.test.net
cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE

And the error log is:
smbd/sesssetup.c:reply_spnego_kerberos(316)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!


A strange thing is that I can access it by IP (\\xxx.xxx.xx.x) and by logical name from WinXP, but Linux clients still cannot access it. I have not registered the reverse DNS for the FQDN nor for the logical name.

Any suggestion?

Thanks


==============================================================
Configuration
Domain: net
Realm: TEST.NET
User: usertom
Server: testul0001.test.net
Client: testul0001.test.net (connect to the same computer)
Domain controller: testgc01.test.net
Server release: CentOS release 5.5 (Final)



==============================================================
Packages installed
samba-common-3.0.33-3.28.el5
samba-client-3.0.33-3.28.el5
samba-3.0.33-3.28.el5
krb5-workstation-1.6.1-36.el5_4.1
krb5-libs-1.6.1-36.el5_4.1
krb5-auth-dialog-0.7-1
pam_krb5-2.2.14-15



==============================================================
1- File configuration



==============================================================
/etc/hosts
--------------------------------------------------------------
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.137.224 testul0001.test.net testul0001
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6



==============================================================
/etc/nsswitch.conf
--------------------------------------------------------------
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files winbind
shadow: files winbind
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus




==============================================================
/etc/samba/smb.conf
--------------------------------------------------------------
[global]
workgroup = TEST
realm = TEST.NET
server string = entdes1
security = ADS
passdb backend = tdbsam
username map = /etc/samba/smbusers
use kerberos keytab = Yes
idmap domains = TEST
idmap config TEST:backend = rid
idmap config TEST:range = 10000-100000
template shell = /bin/bash
winbind use default domain = Yes
winbind offline logon = Yes
# winbind refresh tickets = Yes
allow trusted domains = no
read only = No
create mask = 0770
directory mask = 0770
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes

map acl inherit = Yes
cups options = raw

[homes]
comment = Usuario
browseable = No

[datos]
comment = Aplicaciones
path = /datos
volume = datos

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[datos2]
comment = Desarrollo Aplicaciones
path = /datos
volume = datos
public = true
writable = true



==============================================================
/etc/krb5.conf
--------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TEST.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]

TESTGE.DOMG = {
kdc = testgegc01.testge.domg
admin_server = testgegc01.testge.domg
default_domain = testge.domg
}

TEST.NET = {
kdc = testgc01.test.net
kdc = testgc0102.test.net
admin_server = testgc01.test.net
admin_server = testgc0102.test.net
default_domain = test.net
}

[domain_realm]

testge.domg = testge.domg
.testge.domg = testge.domg
test.net = TEST.NET
.test.net = TEST.NET

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}



==============================================================
/etc/pam.d/system-auth
--------------------------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
# Restrict access to the users of the group "Usu. de TESTUL0001"
#auth sufficient pam_winbind.so cached_login use_first_pass krb5_auth krb5_ccache_type=FILE require_membership_of=S-1-5-21-2013365486-1763137450-1452329845-72411
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so



==============================================================
2- Current ticket
klist

klist: You have no tickets cached
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: usertom@TEST.NET

Valid starting Expires Service principal
01/19/11 13:38:59 01/19/11 23:39:01 krbtgt/TEST.NET@TEST.NET
renew until 01/20/11 13:38:59
01/19/11 13:39:24 01/19/11 23:39:01 cifs/testul0001.test.net@TEST.NET
renew until 01/20/11 13:38:59


Kerberos 4 ticket cache: /tmp/tkt0



==============================================================
3- Content of krb5.keytab
sudo klist -k

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/testul0001.test.net@TEST.NET
4 host/testul0001.test.net@TEST.NET
4 host/testul0001.test.net@TEST.NET
4 host/testul0001@TEST.NET
4 host/testul0001@TEST.NET
4 host/testul0001@TEST.NET
4 TESTUL0001$@TEST.NET
4 TESTUL0001$@TEST.NET
4 TESTUL0001$@TEST.NET



==============================================================
smbclient -k -L testul0001.test.net

cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE

Last edited by Felipe; 01-19-2011 at 07:13 AM.
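
Added example, not part of the original post: a small check that compares the service principal in the posted ticket cache against the principals in the posted keytab listing. The function names are assumptions made for this example, and the keytab sample collapses the repeated entries from the listing; the result only shows which keytab entries share the ticket's host name, not why the server rejected the ticket.

```python
import re

# Sample input taken from the klist and `klist -k` listings in the post above
# (repeated keytab entries collapsed to one line each).
CCACHE = """\
Default principal: usertom@TEST.NET

Valid starting Expires Service principal
01/19/11 13:38:59 01/19/11 23:39:01 krbtgt/TEST.NET@TEST.NET
renew until 01/20/11 13:38:59
01/19/11 13:39:24 01/19/11 23:39:01 cifs/testul0001.test.net@TEST.NET
renew until 01/20/11 13:38:59
"""

KEYTAB = """\
KVNO Principal
---- ------
4 host/testul0001.test.net@TEST.NET
4 host/testul0001@TEST.NET
4 TESTUL0001$@TEST.NET
"""

TICKET = re.compile(r"^\d\d/\d\d/\d\d \S+ \d\d/\d\d/\d\d \S+ (\S+@\S+)$")
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)$")

def service_tickets(klist_text):
    """Service principals in the cache, skipping the TGT itself."""
    found = [m.group(1) for m in map(TICKET.match, klist_text.splitlines()) if m]
    return [p for p in found if not p.startswith("krbtgt/")]

def keytab_entries(klist_k_text):
    """Map principal -> set of key version numbers from `klist -k` output."""
    entries = {}
    for m in filter(None, map(ENTRY.match, klist_k_text.splitlines())):
        entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def compare(klist_text, klist_k_text):
    """For each service ticket, report exact and same-host keytab matches."""
    keytab = keytab_entries(klist_k_text)
    report = {}
    for princ in service_tickets(klist_text):
        host_realm = princ.partition("/")[2].lower()
        same_host = sorted(p for p in keytab
                           if "/" in p and p.partition("/")[2].lower() == host_realm)
        report[princ] = {"exact": princ in keytab, "same_host": same_host}
    return report

if __name__ == "__main__":
    for princ, result in compare(CCACHE, KEYTAB).items():
        print(princ, result)
```
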

01-20-2011, 08:51 AM   #2
plckiran

Hey,

You have to use "//" in Linux; the regular "\\" of Windows does not work. Also remember to give the share name along with the user name.