From: Rob Moser on
Hello folks.

Brand new 3.5.4 install of samba, on a brand new redhat 5.5 install,
trying to connect to a windows domain and allow AD users access. I used
a series of how-tos to set things up, and modified the smb.conf and
krb5.conf files from an existing (working, 3.2.8) system. I apparently
join the domain ok, and I can authenticate an AD user using wbinfo, but
when I try to use the same user with smbclient I get a
NT_STATUS_NO_SUCH_USER response. I thought perhaps that smbclient was
somehow not associating the username with the correct domain, but
explicitly stating the domain didn't help. Googling about on the
problem found me (among a lot of dross) someone with similar symptoms
who claimed to fix his problem by adding "client NTLMv2 auth = Yes" to
his smb.conf, so I tried that, but got no joy there either. Much
diagnostic text follows; apologies for the bulk, but figured its better
to put too much in than leave too much out.

Any suggestions would be most appreciated; thanks.

- rob.

[root(a)dev-acadprtsrv3 log]# kinit -V rmoser
Password for rmoser(a)STUDENTS.FROOT.NAU.EDU:
Authenticated to Kerberos v5

[root(a)dev-acadprtsrv3 log]# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rmoser(a)STUDENTS.FROOT.NAU.EDU
Valid starting Expires Service principal
06/30/10 14:19:56 07/01/10 00:20:00
krbtgt/STUDENTS.FROOT.NAU.EDU(a)STUDENTS.FROOT.NAU.EDU
renew until 07/01/10 14:19:56

[root(a)dev-acadprtsrv3 log]# net ads testjoin -U rmoser
Join is OK

[root(a)dev-acadprtsrv3 log]# wbinfo -t
checking the trust secret for domain NAU-STUDENTS via RPC calls succeeded

[root(a)dev-acadprtsrv3 log]# wbinfo -a NAU-STUDENTS\\rmoser
Enter NAU-STUDENTS\rmoser's password:
plaintext password authentication succeeded
Enter NAU-STUDENTS\rmoser's password:
challenge/response password authentication succeeded

[root(a)dev-acadprtsrv3 log]# smbclient -d3 -U NAU-STUDENTS\\rmoser -L
dev-acadprtsrv3.ucc.nau.edu
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=fe80::9015:73ff:fe64:54cf%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=134.114.138.189 bcast=134.114.138.255
netmask=255.255.255.0
Client started (version 3.5.4).
Enter NAU-STUDENTS\rmoser's password:
resolve_lmhosts: Attempting lmhosts lookup for name
dev-acadprtsrv3.ucc.nau.edu<0x20>
resolve_wins: Attempting wins lookup for name
dev-acadprtsrv3.ucc.nau.edu<0x20>
resolve_wins: using WINS server 134.114.138.35 and tag '*'
Got a positive name query response from 134.114.138.35 ( 134.114.138.189 )
Connecting to 134.114.138.189 at port 445
Doing spnego session setup (blob length=131)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=cifs/dev-acadprtsrv3.ucc.nau.edu(a)STUDENTS.FROOT.NAU.EDU
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

[root(a)dev-acadprtsrv3 log]# tail /var/log/samba/log.smbd
[2010/06/30 14:12:22.530813, 2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [rmoser] -> [rmoser]
FAILED with error NT_STATUS_NO_SUCH_USER
[2010/06/30 14:22:52.071828, 0] lib/util_sock.c:1505(matchname)
matchname: host name/address mismatch: ::ffff:134.114.138.189 !=
dev-acadprtsrv3.ucc.nau.edu
[2010/06/30 14:22:52.072189, 0] lib/util_sock.c:1626(get_peer_name)
Matchname failed on dev-acadprtsrv3.ucc.nau.edu ::ffff:134.114.138.189
[2010/06/30 14:22:52.072281, 2] lib/access.c:406(check_access)
Allowed connection from UNKNOWN (::ffff:134.114.138.189)
[2010/06/30 14:22:52.113502, 2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [rmoser] -> [rmoser]
FAILED with error NT_STATUS_NO_SUCH_USER

[root(a)dev-acadprtsrv3 log]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Processing section "[tmp]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = NAU-STUDENTS
realm = STUDENTS.FROOT.NAU.EDU
netbios aliases = dev-acadprtsrv3.ucc.nau.edu
server string = Samba Server
security = ADS
client NTLMv2 auth = Yes
log level = 2
max log size = 500000
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
SO_RCVBUF=8192 SO_KEEPALIVE
printcap name = cups
wins server = 134.114.138.35
idmap alloc backend = tdb
idmap uid = 10000 - 4000000
idmap gid = 10000 - 4000000
winbind use default domain = Yes
idmap alloc config:range = 10000 - 4000000
idmap config FROOT:range = 3000001 - 4000000
idmap config FROOT:backend = tdb
idmap config FROOT:default = no
idmap config NAU:range = 2000001 - 3000000
idmap config NAU:backend = tdb
idmap config NAU:default = no
idmap config NAU-STUDENTS:range = 10000 - 2000000
idmap config NAU-STUDENTS:backend = tdb
idmap config NAU-STUDENTS:default = yes
hosts allow = 127., 134.114., 10.5.

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
default devmode = No
browseable = No

[print$]
path = /var/lib/samba/drivers
write list = "@NAU-STUDENTS\Domain Admins", "@domain admins"
force user = root
force group = "domain admins"
force create mode = 0664
force directory mode = 0774
browseable = No

[tmp]
path = /tmp

[root(a)dev-acadprtsrv3 log]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = STUDENTS.FROOT.NAU.EDU
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
STUDENTS.FROOT.NAU.EDU = {
kdc = students.froot.nau.edu
}
NAU.FROOT.NAU.EDU = {
kdc = nau.froot.nau.edu
}
FROOT.NAU.EDU = {
kdc = froot.nau.edu
}

[domain_realm]
.students.froot.nau.edu = STUDENTS.FROOT.NAU.EDU

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba