Samba + LDAP + winbindd + Kerberos with Active Directory errors
My problem consists of Samba + winbindd + LDAP + Kerberos not
authenticating with Active Directory. For example, if I do 'smbclient -L
localhost -U username%password' (Active Directory account) I get
NT_STATUS_LOGON_FAILURE. I've debugged for quite some time trying to
pinpoint some sort of configuration that needs to be changed or added.
In my experience I think the problem resolves at LDAP, but I cannot find
anything. I can do Kerberos successfully (kinit), wbinfo
successfully (wbinfo -u), join the domain successfully (net ads join), and an
ldapsearch successfully (ldapsearch -h host.domain.com). The
smb.conf and krb5.conf configs were pulled from other older but stable Linux
servers and were modified for each server.
I see a lot of folks posting similar problems relating to OpenLDAP but
cannot seem to relate exactly what I'm experiencing. I'm stumped.
The thing that is really throwing me is that I seem to be able, in some
odd way, to authenticate to my Active Directory accounts using the
smbclient command; I just can't do it unless an account with the same
name exists on my BSD box.
I ran the following test:
1) created a user named smbuser with the password "password"
2) placed the user in the mitsadmin group to give access to the share
3) tried an smbclient -L localhost -Usmbuser; the error returned was:
#####################################
session setup failed: NT_STATUS_LOGON_FAILURE
#####################################
4) I then created an account smbuser with the password "diffpass"
5) tried an smbclient -L localhost -Usmbuser again, this time with the AD
password "password", and got:
#####################################
Domain=[TECH] OS=[Unix] Server=[Samba 3.0.11]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (FreeBSD Samba Server)
ADMIN$ IPC IPC Service (FreeBSD Samba Server)
Domain=[TECH] OS=[Unix] Server=[Samba 3.0.11]
Server Comment
--------- -------
CDSRV4 FreeBSD Samba Server
ADC3
Workgroup Master
--------- -------
TECH ADC3
#####################################
6) tried an smbclient -L localhost -Usmbuser again, this time with the Unix
password "diffpass", and got:
session setup failed: NT_STATUS_LOGON_FAILURE
It seems there may be some intermediate step before the AD lookup that
may be holding up authentication.
The error message in my log file is as follows:
#####################################
[2005/03/21 14:53:37, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user [TECH]\[smbuser]@[CDSRV4] with the new password interface
[2005/03/21 14:53:37, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [TECH]\[smbuser]@[CDSRV4]
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/03/21 14:53:37, 3] smbd/uid.c:push_conn_ctx(365)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/03/21 14:53:37, 3] auth/auth_util.c:make_server_info_info3(1156)
User smbuser does not exist, trying to add it
[2005/03/21 14:53:37, 0] auth/auth_util.c:make_server_info_info3(1163)
make_server_info_info3: pdb_init_sam failed!
[2005/03/21 14:53:37, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [smbuser] -> [smbuser] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/03/21 14:53:37, 3] smbd/process.c:timeout_processing(1334)
timeout_processing: End of file from client (client has disconnected).
[2005/03/21 14:53:37, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/03/21 14:53:37, 2] smbd/server.c:exit_server(609)
Closing connections
[2005/03/21 14:53:37, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2005/03/21 14:53:37, 3] smbd/server.c:exit_server(652)
Server exit (normal exit)
#####################################
Versions of packages installed:
samba-3.0.11.tar.gz
openldap-2.2.24.tgz
freebsd-5.3-RELEASE-i386
heimdal-0.6.1 (Kerberos)
* compiled Samba with ldap, winbindd, krb5
Configuration Files:
smb.conf
#####################################
[global]
workgroup = TECH
netbios name = SERVER3
realm = host.domain.com
security = ads
encrypt passwords = yes
password server = server.host.domain.com
wins server = server.host.domain.com
name resolve order = lmhosts host wins bcast
log file = /var/log/samba/%m.log
server string = FreeBSD Samba Server
log level = 10
allow trusted domains = No
winbind use default domain = yes
winbind trusted domains only = No
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/sh
template homedir = /home/%D/%U
idmap uid = 10000-50000
idmap gid = 10000-20000
#============================ Share Definitions ==============================
#Used for reimaging labs
[IMAGES]
comment = Ghost Images
path = /data/pub/images
browseable = no
read only = no
write list = @mitsadmin
read list = @techs, ghost
#####################################
krb5.conf
#####################################
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = HOST.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
HOST.DOMAIN.COM = {
kdc = server.host.domain.com:88
admin_server = server.host.domain.com:749
default_domain = host.domain.com
}
[domain_realm]
.host.domain.com = HOST.DOMAIN.COM
host.domain.com = HOST.DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
#####################################
nsswitch.conf
#####################################
passwd: files winbind
group: files winbind
hosts: files dns
#####################################
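Working from the smbd log excerpt in the post, here is an added example (my own code, not from the post or from Samba) that classifies at which stage of check_ntlm_password an NTLM logon stopped. It assumes the message shapes quoted above and the mail-style line wrapping; the stage labels are my own.

```python
import re

# Message shapes from the Samba 3.0 level-3 smbd log quoted in the post.
RE_CHECK = re.compile(r"Checking password for unmapped user \[([^\]]*)\]\\\[([^\]]*)\]")
RE_MISSING = re.compile(r"User (\S+) does not exist, trying to add it")
RE_RESULT = re.compile(r"Authentication for user \[[^\]]*\] -> \[([^\]]*)\]\s+(FAILED|succeeded)"
                       r"(?:\s+with error (NT_STATUS_\w+))?")

def diagnose(log_text):
    """Report at which stage of check_ntlm_password an NTLM logon attempt stopped."""
    # Mail clients wrap long records; joining on whitespace lets the patterns span the wrap.
    text = " ".join(l.strip() for l in log_text.splitlines() if l.strip())
    r = {"domain": None, "user": None, "local_missing": False, "pdb_init_sam_failed": False,
         "result": None, "status": None, "stage": "incomplete"}
    if m := RE_CHECK.search(text):
        r["domain"], r["user"] = m.group(1), m.group(2)
    # "does not exist": the name came back from the DC but nsswitch/winbind could not resolve it
    r["local_missing"] = RE_MISSING.search(text) is not None
    # pdb_init_sam failed: the on-the-fly attempt to give that name a Unix identity also failed
    r["pdb_init_sam_failed"] = "pdb_init_sam failed" in text
    if m := RE_RESULT.search(text):
        r["result"], r["status"] = m.group(2), m.group(3)
    if r["result"] == "succeeded":
        r["stage"] = "ok"
    elif r["status"] == "NT_STATUS_NO_SUCH_USER" and r["local_missing"]:
        # make_server_info_info3 is reached only after the DC has returned an info3, i.e. the
        # password was accepted; what failed is the mapping to a Unix uid, not the credential.
        r["stage"] = "local identity mapping (check getent passwd / winbind idmap)"
    elif r["result"] == "FAILED":
        r["stage"] = "credential check (%s)" % r["status"]
    return r

# Constructed sample: the relevant records from the post's log, wrapped as the mail shows them.
SAMPLE_LOG = """
[2005/03/21 14:53:37, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[TECH]\\[smbuser]@[C
DSRV4] with the new password interface
[2005/03/21 14:53:37, 3] auth/auth_util.c:make_server_info_info3(1156)
User smbuser does not exist, trying to add it
[2005/03/21 14:53:37, 0] auth/auth_util.c:make_server_info_info3(1163)
make_server_info_info3: pdb_init_sam failed!
[2005/03/21 14:53:37, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [smbuser] -> [smbuser]
FAILED
with error NT_STATUS_NO_SUCH_USER
"""
```

Running diagnose(SAMPLE_LOG) on the post's log points at the identity-mapping stage rather than the password check, which matches the observation that the same AD password works once a Unix account of that name exists.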