Hello,

I'm trying to connect my Debian 4 samba box to my Windows 2003 Server Active
Directory.
I successfully joined the domain with net ads join. Wireshark captures a
lot of packets going over the wire, and I get the message "joined the domain
successfully". In my AD, under 'computers', the samba box appeared. So that
all works.
Asking for a Kerberos ticket for a user with kinit is also successful. So
Kerberos is working fine.

wbinfo -u gives me all the users I have in my AD, and wbinfo -g does the
same with all the groups. wbinfo -t is also working fine.
But when I try wbinfo -a rutger%rutger, I get

plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user rutger%rutger with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user rutger with challenge/response

Same result with wbinfo -K. It says the user does not exist, but it is there
when I do a wbinfo -u.

Same output with ntlm_auth and with --diagnostics:

ntlm_auth --request-nt-key --domain=PROJECT --username=rutger
password:
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)


project:/etc# ntlm_auth --request-nt-key --domain=PROJECT --username=rutger --diagnostics
password:
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test LM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test LM and NTLM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLM in LM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLM in both failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLMv2 failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLMv2 and LMv2 failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test LMv2 failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLMv2 and LMv2, LMv2 broken failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test NTLM and LM, LM broken failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test Plaintext failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test Plaintext LM broken failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test Plaintext NT only failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1]
utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
Test Plaintext LM only failed!


The wbinfo -a and ntlm_auth result in NO data sent over the wire. Is wbinfo
not correctly using Kerberos? Why are no packages sent over the wire when I
do wbinfo -a? The IP of the AD is in /etc/hosts.


Thanks a lot for your help, I'm really desperate!
Rutger


Here are the smb.conf and krb5.conf files:

--smb.conf--
project:/etc# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = PROJECT
realm = PROJECT.LOCAL
server string = %h server
security = ADS
obey pam restrictions = Yes
password server = project-ad.project.local
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
invalid users = root

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers



--krb5.conf--

[logging]
default = FILE:/war/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = PROJECT.LOCAL
# dns_lookup realm = false
# dns_lookup_kdc = false

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]

PROJECT.LOCAL = {
kdc = PROJECT-AD.PROJECT.LOCAL
}

[domain_realm]
.project.local = PROJECT.LOCAL
project.local = PROJECT.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[login]
krb4_convert = true
krb4_get_tickets = false

