[Samba] ADS Trouble authorizing users
Hi all,
I've set up a CentOS machine with samba version 3.0.28-1.el5_2.1 to join a Windows 2003 ADS. Everything seemed to go fine while joining the domain:

    [root@mailserver ~]# net ads join -U administrator
    administrator's password:
    Using short domain name -- MYDOMAIN
    Joined 'MAILSERVER' to realm 'MYDOMAIN.LOCAL'

The trouble I'm having is authorizing users.

When connecting to the CentOS machine from a Windows XP machine it pops up a username and password dialog. Entering my details just pops it up again, as it would if I'd entered them incorrectly. Nothing is recorded in the logs on the CentOS machine (either in /var/log/messages or /var/log/samba/smbd.log) and I am unable to proceed.

If I try a username in the dialog box that does not exist on the domain I get an error in /var/log/messages:

    Aug 28 12:58:06 mailserver smbd[23786]: [2008/08/28 12:58:06, 0] auth/auth_domain.c:domain_client_validate(260)
    Aug 28 12:58:06 mailserver smbd[23786]: domain_client_validate: unable to validate password for user dave in domain MYDOMAIN to Domain controller MANS01.MYDOMAIN.LOCAL. Error was NT_STATUS_NO_SUCH_USER.

I'm guessing it's a problem with the way the CentOS machine is passing on the logon details, but without an error message I'm a bit stuck. Any help would be gratefully received.

Cheers.

Config files below:

/etc/krb5.conf

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = MYDOMAIN.LOCAL
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     MYDOMAIN.LOCAL = {
      kdc = mans01
      admin_server = mans01
      default_domain = mydomain.local
     }

    [domain_realm]
     .mydomain.local = MYDOMAIN.LOCAL
     mydomain.local = MYDOMAIN.LOCAL

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

/etc/samba/smb.conf

    [global]

       workgroup = MYDOMAIN
       netbios name = mailserver
       server string = Samba Server 3.0
       security = ads
       realm = MYDOMAIN.LOCAL
       password server = mans01
       encrypt passwords = yes
       printcap name = /etc/printcap
       load printers = yes
       printing = cups
       log file = /var/log/samba/%m.log
       max log size = 0
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       local master = no
       domain master = no
       preferred master = no
       dns proxy = no

    #============================ Share Definitions ==============================

    [public]
       comment = Share
       path = /home/public
       public = yes
       writable = yes
       printable = no
Chris Bolton wrote:
> Hi all,
>
> I've set up a CentOS machine with samba version 3.0.28-1.el5_2.1 to join a
> Windows 2003 ADS. Everything seemed to go fine while joining the domain:
>
> [root@mailserver ~]# net ads join -U administrator
> administrator's password:
> Using short domain name -- MYDOMAIN
> Joined 'MAILSERVER' to realm 'MYDOMAIN.LOCAL'
>
> The trouble I'm having is authorizing users.
>
> When connecting to the CentOS machine from a Windows XP machine it pops up
> a username and password dialog. Entering my details just pops it up
> again, as it would if I'd entered them incorrectly. Nothing is recorded in
> the logs on the CentOS machine (either in /var/log/messages or
> /var/log/samba/smbd.log) and I am unable to proceed.
>
> If I try a username in the dialog box that does not exist on the domain I
> get an error in /var/log/messages:
>
> Aug 28 12:58:06 mailserver smbd[23786]: [2008/08/28 12:58:06, 0]
> auth/auth_domain.c:domain_client_validate(260)
> Aug 28 12:58:06 mailserver smbd[23786]: domain_client_validate: unable to
> validate password for user dave in domain MYDOMAIN to Domain controller
> MANS01.MYDOMAIN.LOCAL. Error was NT_STATUS_NO_SUCH_USER.

Have you tried looking at the Samba guides?

NT_STATUS_NO_SUCH_USER means just that: Samba cannot find the username in Active Directory.

Some tools to help you are 'getent passwd | grep <username>' and 'wbinfo -i <username>'.

You can also turn up the logging with the 'log level' directive in the smb.conf.

> I'm guessing it's a problem with the way the CentOS machine is passing on the
> logon details, but without an error message I'm a bit stuck. Any help would
> be gratefully received.
>
> Cheers.
>
> Config files below:
>
> /etc/krb5.conf
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = MYDOMAIN.LOCAL
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  MYDOMAIN.LOCAL = {
>   kdc = mans01
>   admin_server = mans01
>   default_domain = mydomain.local
>  }
>
> [domain_realm]
>  .mydomain.local = MYDOMAIN.LOCAL
>  mydomain.local = MYDOMAIN.LOCAL
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
> /etc/samba/smb.conf
>
> [global]
>
>    workgroup = MYDOMAIN
>    netbios name = mailserver
>    server string = Samba Server 3.0
>    security = ads
>    realm = MYDOMAIN.LOCAL
>    password server = mans01
>    encrypt passwords = yes
>    printcap name = /etc/printcap
>    load printers = yes
>    printing = cups
>    log file = /var/log/samba/%m.log
>    max log size = 0
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    local master = no
>    domain master = no
>    preferred master = no
>    dns proxy = no
>
> #============================ Share Definitions
> ==============================
>
> [public]
>    comment = Share
>    path = /home/public
>    public = yes
>    writable = yes
>    printable = no

--
Jas
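Added example (not part of the original thread and not Samba's own code): a Python parser for the syslog-wrapped smbd entries quoted above, pairing each header line with its message per smbd PID and tallying failed validations by user and NT_STATUS code. The function names are hypothetical, and every sample line after the first two is constructed.

```python
import re
from collections import Counter

# Lines 1-2 are the entry quoted in the thread; lines 3-6 are constructed
# samples in the same format, with two smbd PIDs interleaved.
SAMPLE_LOG = """\
Aug 28 12:58:06 mailserver smbd[23786]: [2008/08/28 12:58:06, 0] auth/auth_domain.c:domain_client_validate(260)
Aug 28 12:58:06 mailserver smbd[23786]: domain_client_validate: unable to validate password for user dave in domain MYDOMAIN to Domain controller MANS01.MYDOMAIN.LOCAL. Error was NT_STATUS_NO_SUCH_USER.
Aug 28 12:59:10 mailserver smbd[23790]: [2008/08/28 12:59:10, 0] auth/auth_domain.c:domain_client_validate(260)
Aug 28 12:59:11 mailserver smbd[23791]: [2008/08/28 12:59:11, 0] auth/auth_domain.c:domain_client_validate(260)
Aug 28 12:59:11 mailserver smbd[23791]: domain_client_validate: unable to validate password for user alice in domain MYDOMAIN to Domain controller MANS01.MYDOMAIN.LOCAL. Error was NT_STATUS_WRONG_PASSWORD.
Aug 28 12:59:11 mailserver smbd[23790]: domain_client_validate: unable to validate password for user dave in domain MYDOMAIN to Domain controller MANS01.MYDOMAIN.LOCAL. Error was NT_STATUS_NO_SUCH_USER.
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ smbd\[(?P<pid>\d+)\]: (?P<body>.*)$")
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")
FAIL = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain (?P<domain>\S+)"
    r" to Domain controller (?P<dc>\S+)\. Error was (?P<status>NT_STATUS_\w+)")

def parse_failures(text):
    """Return one dict per failed domain validation found in the log text."""
    pending = {}  # pid -> header fields, so interleaved smbd processes pair up
    events = []
    for raw in text.splitlines():
        m = SYSLOG.match(raw)
        if not m:
            continue  # not an smbd syslog line
        pid, body = m["pid"], m["body"].strip()
        h = HEADER.match(body)
        if h:
            pending[pid] = h.groupdict()
            continue
        f = FAIL.search(body)
        if f:
            hdr = pending.pop(pid, {})  # header may be missing (rotated log)
            events.append({**f.groupdict(), "pid": pid,
                           "ts": hdr.get("ts"), "src": hdr.get("src")})
    return events

def summarize(events):
    """Count failures per (user, NT_STATUS) pair."""
    return Counter((e["user"], e["status"]) for e in events)

if __name__ == "__main__":
    for (user, status), n in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{user:10} {status:28} {n}")
```

A user that only ever produces NT_STATUS_NO_SUCH_USER points at account lookup rather than a bad password, which is the distinction the reply draws.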