failed session setup with NT_STATUS_LOGON_FAILURE
Trying to connect a CentOS 4.6 server to a Windows 2000 Active Directory domain.
I am able to do: kinit username@DOMAIN.LOCAL with success. But when I do: net ads join -U username@DOMAIN.LOCAL I get:

failed session setup with NT_STATUS_LOGON_FAILURE
Cannot connect to server using kerberos.
Failed to join domain: Logon failure.

===SMB.CONF=========================================================
[global]
# Setup Authentication #
workgroup = DOMAIN
realm = DOMAIN.LOCAL
netbios name = linux-test
server string = linux-test
security = ADS
encrypt passwords = Yes
preferred master = No
template shell = /bin/bash
template homedir = /DOMAIN/users/%U
enhanced browsing = no
wins support = no
wins server = 192.168.0.1
winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
client schannel = no
client use spnego = no
server signing = no
password server = server1.domain.local
# Setup Log Files #
log file = /var/log/samba/samba.log
log level = 4
# INSTALL SENDFILE for Faster download #
# of Large files #
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
use sendfile = yes
kernel oplocks = no
oplocks = no
fake oplocks = yes
# SHARES #
===END SMB.CONF=================================================

===KRB5.CONF====================================================
#
# Replace /etc/krb5.conf with this file.
#
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.LOCAL = {
kdc = server1.domain.local
default_domain = domain.local
kdc = server1.domain.local
}
[domain_realm]
domain.local = DOMAIN.LOCAL
.domain.local = DOMAIN.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
===END KRB5.CONF=====================================================

===Software versions=================================================
[root@linux-test samba]# rpm -qa samba*
samba-common-3.0.25b-1.el4_6.4
samba-3.0.25b-1.el4_6.4
samba-client-3.0.25b-1.el4_6.4
[root@linux-test samba]# rpm -qa krb5*
krb5-libs-1.3.4-54
krb5-workstation-1.3.4-54
krb5-devel-1.3.4-54
[root@linux-test samba]# /etc/init.d/smb status
smbd (pid 5005 4974) is running...
nmbd (pid 4978) is running...
[root@linux-test samba]# service winbind status
winbindd is stopped
[root@linux-test samba]# echo $HOSTNAME
linux-test.domain.local
===END Software Versions==============================================

===SOME OUTPUT==========================================================
[root@linux-test samba]# net ads join -S 192.168.0.1 -Uusername
username's password:
Failed to join domain: Logon failure
[root@linux-test samba]#
==END OUTPUT===========================================================

Any suggestions? I am running out of ideas.
- Have you tried authenticating using kinit?
- Try to raise the log level and post /var/log/samba/log.winbind
- You might want to define which GID and UID need to be mapped.

Here is my samba [global]:

[global]
workgroup = PARK
realm = PARK.DOMAIN
server string = %h server
wins support = No
security = ADS
allow trusted domains = No
obey pam restrictions = Yes
password server = ice.park.DOMAIN
passdb backend = tdbsam
log level = 10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
template shell = /bin/bash
winbind separator = +
winbind cache time = 15
idmap uid = 1000-50000000
idmap gid = 1000-50000000
idmap backend = rid:PARK=1000-50000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
invalid users = root
include = /etc/samba/dhcp.conf

(I'm still stuck with getting the correct PAM stack, but that is a different problem ;-)
Yes, kinit works fine. Just can't seem to join the domain.
Try changing the administrator password on the MS server.
The password seems to be accepted, because if I type the wrong password I get:

failed: Preauthentication failed
Failed to join domain: Logon failure
Anybody who figured out this issue?
You might want to post a few configuration files. I'm not sure you want to assume that a problem from a few years back is identical to yours.
Ok, my setup is as follows:

- Win2008R2 AD with "Identity Management for Unix"/"Services for NIS" component
- CentOS 4.8 x86_64
- Kerberos configured (pam_krb5, krb5.conf etc.)
- LDAP configured (ldap.conf configured with AD bind credentials)
- nsswitch.conf using "files ldap" for passwd, shadow and groups
- minimal smb.conf configured with workgroup, security (ads), realm, use kerberos, and password server(s)
- All working fine for auth:
  - can run getent passwd successfully
  - AD users can login successfully
  - can run "id username" successfully
  - can run kinit successfully
- Note that I am not using samba (no smbd running)
- Note that I am not using winbind (no winbindd running)
- And I don't intend to use these.

PROBLEM

I wanted to join this CentOS machine to AD. I just want the machine to appear in AD, and of course there are security benefits of doing this (2-way auth). So I ran "net ads join -U ADuser%password" and it's returning "Failed to join domain: Logon failure". Its -d10 is returning:
Quote:
PS: There are very serious reasons why I can't and should not upgrade my CentOS.

[root@centos4 ~]# rpm -qa |grep krb
krb5-devel-1.3.4-60.el4_7.2
pam_krb5-2.1.17-6.el4
krb5-auth-dialog-0.2-1
krb5-workstation-1.3.4-60.el4_7.2
krb5-libs-1.3.4-60.el4_7.2
[root@centos4 ~]# rpm -qa |grep ldap
openldap-2.2.13-12.el4
python-ldap-2.0.1-2
nss_ldap-253-5.el4_7.1
openldap-clients-2.2.13-12.el4
[root@centos4 ~]# rpm -qa |grep samba
samba-client-3.0.28-0.el4.9
samba-common-3.0.28-0.el4.9
samba-3.0.28-0.el4.9