From: Rob Moser on 30 Jun 2010 18:30

Hello folks.

Brand new 3.5.4 install of samba, on a brand new redhat 5.5 install, trying to connect to a windows domain and allow AD users access. I used a series of how-tos to set things up, and modified the smb.conf and krb5.conf files from an existing (working, 3.2.8) system. I apparently join the domain ok, and I can authenticate an AD user using wbinfo, but when I try to use the same user with smbclient I get an NT_STATUS_NO_SUCH_USER response.

I thought perhaps that smbclient was somehow not associating the username with the correct domain, but explicitly stating the domain didn't help. Googling about on the problem found me (among a lot of dross) someone with similar symptoms who claimed to fix his problem by adding "client NTLMv2 auth = Yes" to his smb.conf, so I tried that, but got no joy there either.

Much diagnostic text follows; apologies for the bulk, but figured it's better to put too much in than leave too much out. Any suggestions would be most appreciated; thanks.

- rob.

[root@dev-acadprtsrv3 log]# kinit -V rmoser
Password for rmoser@STUDENTS.FROOT.NAU.EDU:
Authenticated to Kerberos v5

[root@dev-acadprtsrv3 log]# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rmoser@STUDENTS.FROOT.NAU.EDU

Valid starting     Expires            Service principal
06/30/10 14:19:56  07/01/10 00:20:00  krbtgt/STUDENTS.FROOT.NAU.EDU@STUDENTS.FROOT.NAU.EDU
        renew until 07/01/10 14:19:56

[root@dev-acadprtsrv3 log]# net ads testjoin -U rmoser
Join is OK

[root@dev-acadprtsrv3 log]# wbinfo -t
checking the trust secret for domain NAU-STUDENTS via RPC calls succeeded

[root@dev-acadprtsrv3 log]# wbinfo -a NAU-STUDENTS\\rmoser
Enter NAU-STUDENTS\rmoser's password:
plaintext password authentication succeeded
Enter NAU-STUDENTS\rmoser's password:
challenge/response password authentication succeeded

[root@dev-acadprtsrv3 log]# smbclient -d3 -U NAU-STUDENTS\\rmoser -L dev-acadprtsrv3.ucc.nau.edu
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=fe80::9015:73ff:fe64:54cf%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=134.114.138.189 bcast=134.114.138.255 netmask=255.255.255.0
Client started (version 3.5.4).
Enter NAU-STUDENTS\rmoser's password:
resolve_lmhosts: Attempting lmhosts lookup for name dev-acadprtsrv3.ucc.nau.edu<0x20>
resolve_wins: Attempting wins lookup for name dev-acadprtsrv3.ucc.nau.edu<0x20>
resolve_wins: using WINS server 134.114.138.35 and tag '*'
Got a positive name query response from 134.114.138.35 ( 134.114.138.189 )
Connecting to 134.114.138.189 at port 445
Doing spnego session setup (blob length=131)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=cifs/dev-acadprtsrv3.ucc.nau.edu@STUDENTS.FROOT.NAU.EDU
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

[root@dev-acadprtsrv3 log]# tail /var/log/samba/log.smbd
[2010/06/30 14:12:22.530813, 2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [rmoser] -> [rmoser] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/06/30 14:22:52.071828, 0] lib/util_sock.c:1505(matchname)
  matchname: host name/address mismatch: ::ffff:134.114.138.189 != dev-acadprtsrv3.ucc.nau.edu
[2010/06/30 14:22:52.072189, 0] lib/util_sock.c:1626(get_peer_name)
  Matchname failed on dev-acadprtsrv3.ucc.nau.edu ::ffff:134.114.138.189
[2010/06/30 14:22:52.072281, 2] lib/access.c:406(check_access)
  Allowed connection from UNKNOWN (::ffff:134.114.138.189)
[2010/06/30 14:22:52.113502, 2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [rmoser] -> [rmoser] FAILED with error NT_STATUS_NO_SUCH_USER

[root@dev-acadprtsrv3 log]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Processing section "[tmp]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = NAU-STUDENTS
        realm = STUDENTS.FROOT.NAU.EDU
        netbios aliases = dev-acadprtsrv3.ucc.nau.edu
        server string = Samba Server
        security = ADS
        client NTLMv2 auth = Yes
        log level = 2
        max log size = 500000
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192 SO_KEEPALIVE
        printcap name = cups
        wins server = 134.114.138.35
        idmap alloc backend = tdb
        idmap uid = 10000 - 4000000
        idmap gid = 10000 - 4000000
        winbind use default domain = Yes
        idmap alloc config:range = 10000 - 4000000
        idmap config FROOT:range = 3000001 - 4000000
        idmap config FROOT:backend = tdb
        idmap config FROOT:default = no
        idmap config NAU:range = 2000001 - 3000000
        idmap config NAU:backend = tdb
        idmap config NAU:default = no
        idmap config NAU-STUDENTS:range = 10000 - 2000000
        idmap config NAU-STUDENTS:backend = tdb
        idmap config NAU-STUDENTS:default = yes
        hosts allow = 127., 134.114., 10.5.

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        default devmode = No
        browseable = No

[print$]
        path = /var/lib/samba/drivers
        write list = "@NAU-STUDENTS\Domain Admins", "@domain admins"
        force user = root
        force group = "domain admins"
        force create mode = 0664
        force directory mode = 0774
        browseable = No

[tmp]
        path = /tmp

[root@dev-acadprtsrv3 log]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STUDENTS.FROOT.NAU.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 STUDENTS.FROOT.NAU.EDU = {
  kdc = students.froot.nau.edu
 }
 NAU.FROOT.NAU.EDU = {
  kdc = nau.froot.nau.edu
 }
 FROOT.NAU.EDU = {
  kdc = froot.nau.edu
 }

[domain_realm]
 .students.froot.nau.edu = STUDENTS.FROOT.NAU.EDU

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }