Bug 1775 - authentication problems with W2000 sp3 Active directory, krb5 and Redhat 9
authentication problems with W2000 sp3 Active directory, krb5 and Redhat 9
Status: RESOLVED DUPLICATE of bug 1717
Product: Samba 3.0
Classification: Unclassified
Component: winbind
All Linux
: P3 critical
: none
Assigned To: Gerald (Jerry) Carter
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2004-09-15 15:37 UTC by step
Modified: 2004-10-28 07:03 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description step 2004-09-15 15:37:05 UTC

This problem was also here on 3.0.6.I tried to update without success

I started two weeks ago mounting a 3.0.6 samba box on a updated Redhat 9
distribution. All In the compile ( under 3.06 ) works fine. 

I used the 
      --with smbmount
flags to compile.

I follow the official guide for this purpose. The net ads join -U is ok. The net
ads testjoin is OK.
All the kerberos authentication is working ( i can login with AD authentications
on my linux box through winbind. wbginfo -u and wbginfo -g return the good
things. Same for getent. Same for kinit.

My AD are  W2000 servers SP3 machines
The client is an w2000 PRo SP4 machine

Using an IP address I can access the share with no futher login. But When I try
using the server's name, It pops me the authentication request with an
authentication error message. No way to pass !!! I tested all the syntaxes I
thought about.

I search in the log and I get 2 errors :

In log.winbind : a krb5_cc_get_principals ( no cache found ) error once while
In log.smbd : a spnego authentication failure each time i want to connect
(written 3 times each time).

I continued to search and I found that there is no principal listed while doing
a "ktutil l".  and while doing a net ads to list the trusted domains, I get a
BUILTIN and <SRV-NAME> answer but nothing about the domain.

I tried to make by hand the krb5.keytab to authenticate my machine but, even
while using the new "use keytab" option in smb.conf winbind always "clean" the
principals list. For that, I followed the microsoft howto about kerberos V5.

I think that, for some reason, the net ads join do not get or can not use all
the stuff from the AD ( such as machine authentication). I also read that using
IP to access the share, you do not use the kerberos authentication but NTML (
such as a NT server member).

I'm a little lost. Please help. 
The server is at my job. I can test everything you wanted me to do. I have the
logs at work . I will post everything tomorrow.
I wanted to demonstrate the utility of samba for file sharing but for the moment
, I hide myself. :-)
Comment 1 step 2004-09-16 02:29:29 UTC
more Info : The numeric way only works if I disable spnego using smb options.

The warning while launching winbindd : 

[2004/09/16 07:13:23, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7 started.
  Copyright The Samba Team 2000-2004
[2004/09/16 07:13:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)

The errors During authentication :

[2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/16 07:17:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

My smb.conf parameters

# Samba config file created using SWAT
# from (
# Date: 2004/08/27 14:23:03

# Global parameters
        name resolve order = host wins bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#Active Directory Stuff
        realm = CG71.LOCAL
        security = ADS
#krb5 Stuff
        password server = *
        encrypt passwords = yes
#unix password sync = yes
        passwd program = /usr/bin/passwd %u
        #pam password change = yes
        #obey pam restrictions = yes
        #use kerberos keytab = yes
# Server Role Stuff
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        preserve case = no
        short preserve case = no
        default case = lower
        case sensitive = no
        allow trusted domains = yes
# permissions handling
        inherit permissions = yes
        inherit acls = yes
        nt acl support = yes
        ea support = yes
        map acl inherit = yes
        store dos attributes = yes
# wins Stuff
        netbios name = SRV-EDEN01
        workgroup = CG71
        wins server = <IP WINS>
# winbind Stuff
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        template homedir = /home/win2k/%D/%U
        template shell = /bin/bash
# others
        unix charset = ISO8859-15

        comment = partage principal
        path = /mnt/Mes_Fichiers/partage
        vfs objects = audit recycle
        recycle:maxsize = 10000000
        recycle:keeptree = yes
        read only = no
        guest ok = no

My krb5.conf file :

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = CG71.LOCAL
 default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
 default_keytab_name = FILE:/etc/krb5.keytab

        CG71.LOCAL = {
                kdc = <name-of-AD-server>:88
                admin_server = <name-of-AD-server>:749
                default_domain = CG71.LOCAL

        .cg71.local = CG71.LOCAL
        cg71.local = CG71.LOCAL



        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false

my pam samba file
auth required /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so nullok shadow
account required /lib/security/pam_winbind.so
account required /lib/security/pam_pwdb.so
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

my pam system-auth

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so
auth        sufficient    /lib/security/$ISA/pam_krb5.so likeauth nillok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

my pam authconfig

#auth       sufficient  /lib/security/$ISA/pam_rootok.so
#auth       required    /lib/security/$ISA/pam_stack.so service=system-auth
#account    required    /lib/security/$ISA/pam_permit.so
#session    required    /lib/security/$ISA/pam_permit.so
auth    required        /lib/security/pam_securetty.so
auth    required        /lib/security/pam_nologin.so
auth    sufficient      /lib/security/pam_winbind.so
auth    required        /lib/security/pam_pwdb.so use_first_pass shadow nullok
account required        /lib/security/pam_winbind.so

my resolv.conf

search cg71.local
domain cg71.local
nameserver <IP of nameserver 1>
nameserver <IP of nameserver 2>

Comment 2 step 2004-09-16 03:55:58 UTC
This Config works without pb using a win NT client with spnego..
So it's a problem of W2000 clients with samba.
Probably not through samba and AD...
Comment 3 step 2004-10-10 08:57:47 UTC

*** This bug has been marked as a duplicate of 1717 ***