After upgrading from samba 3.4.8 to 3.5.5, on Debian squeeze, active directory authentication stopped working against Windows 2008 Standard server SP1. I was still able to view user accounts using 'wbinfo -u' and 'net ads user' but authentication would fail. After downgrading again to "3.4.8~dfsg-2_amd64" (debian build) authentication once again worked. Joining the affected environment to the windows domain using 'net ads join' and 'net ads keytab create' continued to work across all versions despite authentication failing. I have included my smb.conf, nsswitch.conf and krb5.conf files below.

smb.conf:
----------------------------------------------------------------------------
[global]
# Debugging domain auth issues:
debug level = 10
workgroup = DOMAIN
security = ads
kerberos method = system keytab
winbind use default domain = true
realm = DOMAIN.NET
disable netbios = yes
name resolve order = host lmhosts
hosts allow = 127.0.0.1 192.168.1.0/24
hosts deny = 0.0.0.0/0
password server = 192.168.1.2, 192.168.1.3, *
idmap config DOMAIN:default = yes
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 10000-20000
idmap backend = ad
winbind offline logon = yes
winbind nested groups = yes
winbind separator = +
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = rfc2307
template homedir = /home/%U
template shell = /bin/bash
client ntlmv2 auth = yes
encrypt passwords = true
local master = no
domain master = no
preferred master = no
dns proxy = no
server string = Samba Server Version %v
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
# Fix character set issues:
# http://www.unixresources.net/linux/lf/59/archive/00/00/13/18/131896.html
dos charset = 850
unix charset = UTF-8

nsswitch.conf:
----------------------------------------------------------------------------
passwd: files winbind
group: files winbind
shadow: files winbind

krb5.conf:
----------------------------------------------------------------------------
[libdefaults]
default_realm = DOMAIN.NET
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
FRONTINTERNAL.NET = {
    kdc = DC02.DOMAIN.NET:88
    kdc = DC03.DOMAIN.NET:88
    default_domain = domain.net
    admin_server = DC02.DOMAIN.NET:749
}

[domain_realm]
.domain.net = DOMAIN.NET
domain.net = DOMAIN.NET

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    krb4_convert = false
}
Hi, could you please attach a level 10 log of all winbindd for a failed authentication attempt (wbinfo -a), i.e. all files /var/log/samba/log.w*? Thanks - Michael
Created attachment 6044: A tar file of /var/log/samba after attempting wbinfo -a as user simonalman. In the log files, DOMAIN is FRONTINTERNAL and the user is simonalman. I've tarred up all the files in /var/log/samba after attempting a wbinfo -a. Let me know if you need anything further. Kind Regards, Simon
The manual system keytab config does not look right. Recent Samba versions work well; please file a new bug if you see bugs with up-to-date Samba versions.