The Samba-Bugzilla – Bug 396
Winbind can't authenticate to Windows 2003 domain controller
Last modified: 2005-11-14 09:26:18 UTC
I'm running into a NT_STATUS_NO_LOGON_SERVERS while trying to authenticate
using winbind. I've tried this using four machines, all of which worked under
wbinfo -u returns with a valid user list, the net ads testjoin works correctly.
wbinfo -t fails as well as a manual attempt to authenticate using wbinfo -a.
I've already sent my smb.conf and log.winbindd to Jeremy. This is pretty much a
showstopper for our implementation.
Another useful bit of info...it DOES in fact attempt a connection to the
correct domain controller...tons of smb signing errors in the winbind log.
What version of Kerberos are you using? You need one
that supports a working RC4-HMAC implementation like
MIT kerb5 1.3. I've tested locally with MIT
Kerb5 1.3.1 and everything works correctly.
Created attachment 162
Winbind log (Level 9), Wbinfo -t
Tried it with MIT Kerberos 1.3.1, still no success.... Wbinfo -u still works
however the wbinfo -t command still fails as well as authentication when trying
to connect to a share.....
I've flushed my logs and created a clean winbindd log for the wbinfo -t command.
Hopefully this helps...
Thank you very much for your attention to this!
The log file shows signing errors. I'm pretty sure that
this is going to turn out to be a local configuration issue.
Are you sure that the resulting smbd is linked with the
correct version of the MIT libs?
I'm inclined to agree. I re-compiled the 3.0.0 version and am able to
authenticate using winbind and the wbinfo -a command. Wbinfo -t works as well.
However, now when a user tries to connect to the share I have set up, winbind
still fails out with the NT_STATUS_NO_LOGON_SERVERS. Any ideas? Because I'm
using RedHat 9, I can't out and out replace my kerberos with 1.3, rather I've
compiled and installed it into /usr, and kept the Red Hat one in place.
As always, thanks for your assistance.
OK, I've gotten past the NO_LOGON_SERVERS issue...but the only way I can get
this beast to work (authenticating inbound users using ADS) is to maintain user
accounts on the host....it does check their password against the AD, but if
there isn't already a matching username on the Linux machine, it comes back and
challenges over and over. This was not the behaviour in alpha23, which was the
last working version I've used.
After doing tons of comparison between my working install and the 3.0.0
version, I discovered that I was missing the libnss_winbind.so.2 and
I'm not sure why they're not compiling on my system, but I was able to take
them from the RPM and set up the links myself. It is now behaving as I expect
please close this one out!
I realize that I may have already taken up too much of your time, and I really
appreciate it! Thanks for your help on this issue!
w00t! configuration issues. Closing this one out. Thanks
for letting me know.