Hello,

I've spent the last couple of days following the HOW-TOs on how to
make a Linux server running Samba part of a Windows 2003 Active
Directory, and a lot of supplemental research from these groups and
elsewhere, but now I'm totally stuck and I can't seem to find the
answer anywhere.

Basically, most of the configuration seems to be working:

- The Linux box is showing up in "Active Directory Users and
Computers".

- "getent group" and "getent passwd" also show the Active Directory
groups and users.

- "kinit" appears to run OK, it asks for the password of the specified
user and then finishes with no further messages or errors displayed.

- "klist" shows the following:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: @OFFICE.GROOVYTRAIN.COM

Valid starting     Expires            Service principal
02/22/05 20:21:42  02/23/05 06:21:27  kbtgt/OFFICE.GROOVYTRAIN.COM@OFFICE.GROOVYTRAIN.COM

- "net ads join" runs successfully:

[2005/02/23 11:43:54, 0] libads/ldap.c:ads_add_machine_acct(1405)
ads_add_machine_acct: Host account for eastlondon already exists - modifying old account
Using short domain name -- OFFICE
Joined 'EASTLONDON' to realm 'OFFICE.GROOVYTRAIN.COM'

- "wbinfo -g" returns the list of Active Directory groups.

- "wbinfo -u" returns the list of Active Directory users.

- I can use "smbclient -k" to connect to shares on the Windows
machines without requiring a username and password.

However, I can't access the Samba shares from the Windows machines
(both Windows 2000 and Windows 2003).

Using "c:\>net use W: \\eastlondon\www" produces the following output:

The password or user name is invalid for \\eastlondon\www.

Enter the user name for 'eastlondon': jamesg@office.groovytrain.com
Enter the password for eastlondon:
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

And creates the following entries in "log.smbd":

[2005/02/23 11:50:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username OFFICE+ is invalid on this system

And in "log.winbindd":

[2005/02/23 12:00:32, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user '' does not exist

Using "c:\>net use W: \\\www" produces the
following output:

Enter the user name for '': jamesg
Enter the password for :
System error 1311 has occurred.

There are currently no logon servers available to service the logon
request.

It creates nothing in "log.smbd", but creates the following entries in
"log.winbindd":

[2005/02/23 12:12:00, 0] libsmb/smb_signing.c:signing_good(240)
signing_good: BAD SIG: seq 1
[2005/02/23 12:12:00, 0] libsmb/clientgen.c:cli_receive_smb(121)
SMB Signature verification failed on incoming packet!

The following error is generated in the System Log on the Active
Directory controller:

While processing a TGS request for the target server
host/eastlondon.groovytrain.com, the account
EASTLONDON$@OFFICE.GROOVYTRAIN.COM did not have a suitable key for
generating a Kerberos ticket (the missing key has an ID of 8). The
requested etypes were 16. The accounts available etypes were 3 1.

I'm using Samba 3.0.11 and MIT Kerberos 1.2.7 on Redhat 9.

My krb5.conf is as follows:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = OFFICE.GROOVYTRAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5

[realms]
OFFICE.GROOVYTRAIN.COM = {
kdc = circle.office.groovytrain.com
admin_server = circle.office.groovytrain.com
default_domain = office.groovytrain.com
}

[domain_realm]
.office.groovytrain.com = OFFICE.GROOVYTRAIN.COM
office.groovytrain.com = OFFICE.GROOVYTRAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

My smb.conf is as follows:

[global]
workgroup = OFFICE
netbios name = EASTLONDON
realm = OFFICE.GROOVYTRAIN.COM
security = ADS
password server = circle

winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000

client use spnego = yes

[www]
path = /usr/local/www
comment = Web content
valid users = "OFFICE\Domain Users"

If anyone can shed any light on what might be the problem, I'd be most
grateful. If you'd require any further information about my setup,
please let me know.

Many thanks,

James
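An added diagnostic, not part of James's post and not Samba or MIT Kerberos code: it decodes the numeric etype IDs in the domain controller event quoted above (the IANA Kerberos encryption type numbers from RFC 3961/3962/4757), reports whether the client's requested etypes overlap the machine account's available ones, and checks whether the default_tgs_enctypes in the quoted krb5.conf is something the account actually has a key for. The event text and the krb5.conf excerpt are constructed samples copied from the post; the function names are the example's own.

```python
import re

# IANA-assigned Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Constructed sample: the domain controller System Log event quoted in the post.
SAMPLE_EVENT = (
    "While processing a TGS request for the target server "
    "host/eastlondon.groovytrain.com, the account "
    "EASTLONDON$@OFFICE.GROOVYTRAIN.COM did not have a suitable key for "
    "generating a Kerberos ticket (the missing key has an ID of 8). The "
    "requested etypes were 16. The accounts available etypes were 3 1."
)

# Constructed sample: the relevant lines of the krb5.conf quoted in the post.
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = OFFICE.GROOVYTRAIN.COM
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
"""


def etype_name(n):
    """Map a numeric etype to its name; unknown numbers are reported, not hidden."""
    return ETYPE_NAMES.get(n, "unknown(%d)" % n)


def parse_etype_event(text):
    """Return (requested, available) etype number lists from a 'no suitable key' event."""
    req = re.search(r"requested etypes were ([\d ]+?)\.", text)
    avail = re.search(r"available etypes were ([\d ]+?)\.", text)
    if not req or not avail:
        raise ValueError("not a 'did not have a suitable key' event")
    return ([int(x) for x in req.group(1).split()],
            [int(x) for x in avail.group(1).split()])


def diagnose(event_text):
    """Decode both etype lists and flag whether the client and account share none."""
    requested, available = parse_etype_event(event_text)
    common = [e for e in requested if e in available]
    return {
        "requested": [etype_name(e) for e in requested],
        "available": [etype_name(e) for e in available],
        "overlap": [etype_name(e) for e in common],
        "mismatch": not common,
    }


def krb5_tgs_enctypes(conf_text):
    """Pull default_tgs_enctypes out of a krb5.conf [libdefaults] block, lower-cased."""
    m = re.search(r"^\s*default_tgs_enctypes\s*=\s*(.+)$", conf_text, re.MULTILINE)
    if not m:
        return []
    return m.group(1).lower().split()


def linux_config_consistent(conf_text, event_text):
    """True when every etype the Linux side asks for is one the account has a key for."""
    _, available = parse_etype_event(event_text)
    available_names = {etype_name(e) for e in available}
    configured = krb5_tgs_enctypes(conf_text)
    return bool(configured) and all(n in available_names for n in configured)


if __name__ == "__main__":
    result = diagnose(SAMPLE_EVENT)
    print("client requested :", ", ".join(result["requested"]))
    print("account holds    :", ", ".join(result["available"]))
    print("common etypes    :", ", ".join(result["overlap"]) or "none")
    print("krb5.conf consistent with account keys:",
          linux_config_consistent(SAMPLE_KRB5_CONF, SAMPLE_EVENT))
```

Run against the quoted event, the script reports that the Windows client asked for etype 16 (des3-cbc-sha1) while the EASTLONDON$ account only holds des-cbc-md5 and des-cbc-crc keys, so the KDC has no common etype to issue a service ticket with; the quoted krb5.conf, by contrast, is consistent with the account's keys, which is why the Linux-side kinit and smbclient -k succeed while the Windows-side net use fails. The same decoding applies to later versions of this event, where the numbers in play are typically 17/18 (AES) against 23 (rc4-hmac).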