Bug 7706 - Active Directory authentication fails on 3.5.5
Summary: Active Directory authentication fails on 3.5.5
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.5.5
Hardware: x64 Linux
: P3 major
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Depends on:
Reported: 2010-09-30 09:43 UTC by Simon Alman
Modified: 2018-03-22 00:38 UTC (History)
1 user (show)

See Also:

A tar file of /var/log/samba after attempting wbinfo -a as user simonalman (460.00 KB, application/x-tar)
2010-11-02 04:17 UTC, Simon Alman
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Alman 2010-09-30 09:43:53 UTC
After upgrading from samba 3.4.8 to 3.5.5, on Debian squeeze, active directory authentication stopped working against Windows 2008 Standard server SP1. 

I was still able to view user accounts using 'wbinfo -u' and 'net ads user' but authentication would fail. After downgrading again to "3.4.8~dfsg-2_amd64" (debian build) authentication once again worked.

Joining the affected environment to the windows domain using 'net ads join' and 'net ads keytab create' continued to work across all versions despite authentication failing

I have included my smb.conf and krb5.conf and nsswitch.conf files below


# Debuging domain auth issues:
debug level = 10

workgroup = DOMAIN
security = ads
kerberos method = system keytab
winbind use default domain = true
realm = DOMAIN.NET

disable netbios = yes
name resolve order = host lmhosts
hosts allow =
hosts deny =

password server =,, *

idmap config DOMAIN:default = yes
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 10000-20000

idmap backend = ad
winbind offline logon = yes
winbind nested groups = yes
winbind separator = +
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = rfc2307

template homedir = /home/%U
template shell = /bin/bash
client ntlmv2 auth = yes
encrypt passwords = true

local master = no
domain master = no
preferred master = no
dns proxy = no

server string = Samba Server Version %v


# Fix character set issues:
# http://www.unixresources.net/linux/lf/59/archive/00/00/13/18/131896.html
dos charset = 850
unix charset = UTF-8 

passwd:     files winbind
group:      files winbind
shadow:     files winbind 

        default_realm = DOMAIN.NET
        default_keytab_name = FILE:/etc/krb5.keytab
        dns_lookup_realm = true
        dns_lookup_kdc = true
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

                kdc = DC02.DOMAIN.NET:88
                kdc = DC03.DOMAIN.NET:88
                default_domain = domain.net
                admin_server = DC02.DOMAIN.NET:749

        .domain.net = DOMAIN.NET
        domain.net = DOMAIN.NET
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        krb4_convert = false
Comment 1 Michael Adam 2010-11-01 19:15:31 UTC

could you please attach a level 10 log of all winbindd for a failed authentication attempt (wbinfo -a), (i.e all files /var/log/samba/log.w*)

Thanks - Michael
Comment 2 Simon Alman 2010-11-02 04:17:26 UTC
Created attachment 6044 [details]
A tar file of /var/log/samba after attempting wbinfo -a as user simonalman

DOMAIN is FRONTINTERNAL and user simonalman in the log files. I've tarred up all the files in /var/log/samba after attempting a wbinfo -a. Let me know if you need anything further.

Kind Regards

Comment 3 Björn Jacke 2018-03-22 00:38:35 UTC
the manual system keytab config looks not well. Recent Samba versions work well, please file a new bug if you see bugs with up to date samba versions.