Authentication problem between Samba and AD - SMB


Thread: Authentication problem between Samba and AD

  1. Authentication problem between Samba and AD

    Hi, everyone,

    I'm trying to use Active Directory for Samba authentication, and it was
    working fine until I moved my servers into a test environment. Now,
    whenever I try to authenticate a user, I get the following error
    messages on the Samba side with a level 4 debug:

    $ smbclient -d 4 -U tomm -L soltest1
    (Loads of output excised)
    SPNEGO login failed: Access denied
    session setup failed: NT_STATUS_ACCESS_DENIED

    On the DC, everything looks fine except for one message in the Security
    log:

    Event ID 675
    User: NT AUTHORITY/SYSTEM
    Description:
    Pre-authentication failed:
    User Name: soltest1$ (soltest1 is the unqualified name of the Samba
    server)
    User ID: DOMAIN\soltest1$
    Service Name: krbtgt/DOMAIN
    Pre-Authentication Type: 0x0
    Failure Code: 0x19
    Client Address: 192.168.226.130

    In short, it *looks* like the Samba server is failing
    pre-authentication. I have tried deleting the machine account from the
    domain and adding it back in, but that doesn't fix the problem. I
    *can* add the computer to the domain, and "wbinfo" and "getent" work
    fine, so the Samba server is obviously seeing the domain; it's just
    Kerberos that is having a problem.

    Here's the setup:
    Windows 2000 Advanced Server running AD in Mixed Mode (the project is
    to test migration from Mixed to Native Mode with Samba compatibility)
    Samba 3.0.23b running on Solaris 9 x86

    Relevant snippets from smb.conf:
    security = ADS
    encrypt passwords = Yes
    realm = DOMAIN
    password server = adserver
    wins server = 192.168.226.128 (the IP of the DC)
    ldap ssl = no
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes

    From krb5.conf:

    [libdefaults]
    default_realm = DOMAIN
    [realms]
    DOMAIN = {
    kdc = adserver.domain.com
    admin_server = adserver.domain.com
    }
    [domain_realm]
    .domain = DOMAIN
    domain = DOMAIN

    Thanks in advance!

    Tom


  2. Re: Authentication problem between Samba and AD

    I am not expecting you will get a lot of Samba support in the Microsoft
    AD group. You probably want to hunt down the Samba specific groups. I am
    not saying this to be mean but because Samba questions usually go
    unanswered here.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm




  3. Re: Authentication problem between Samba and AD


    Joe Richards [MVP] wrote:
    > I am not expecting you will get a lot of Samba support in the Microsoft
    > AD group. You probably want to hunt down the Samba specific groups. I am
    > not saying this to be mean but because Samba questions usually go
    > unanswered here.
    >
    > joe


    Thanks, Joe. I'm trying to hit this one from both directions. I
    figured if I was wrong about the cause, perhaps someone could point me
    in the right direction.


  4. Re: Authentication problem between Samba and AD

    Just to confuse the matter a little more, it may not be the
    pre-authentication failure that's causing the login failure after all.
    To wit, the next message in the Security log is a logon success for the
    soltest1$ account, and the failure message indicates (per the MS
    support site) that additional pre-authentication will be done. OTOH, I
    still have no idea what's causing the problem, so I'm not ruling this
    out entirely.
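As an added example (not code from the thread), a small Python triage helper for the Event ID 675 entry quoted above: it parses the description fields and maps the Kerberos Failure Code to its RFC 4120 error name, so a 0x19 (KDC_ERR_PREAUTH_REQUIRED, the KDC asking the client to retry with pre-authentication data) is not mistaken for a real failure such as 0x18. The sample events are constructed from the one in the thread, and the function names are this example's own.

```python
# Triage Windows 2000 Security log "Pre-authentication failed" (Event ID 675)
# entries by Kerberos failure code. Sample events are constructed from the
# one quoted in the thread; the helper names are this example's own.
import re

# Failure Code values are Kerberos KDC error codes (RFC 4120, section 7.5.9).
# The flag says whether the code is a genuine authentication failure.
FAILURE_CODES = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", True),  # no such account
    0x12: ("KDC_ERR_CLIENT_REVOKED", True),       # account disabled, locked or expired
    0x17: ("KDC_ERR_KEY_EXPIRED", True),          # password expired
    0x18: ("KDC_ERR_PREAUTH_FAILED", True),       # wrong password or stale machine key
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", False),    # benign: KDC asks client to retry with pre-auth
    0x25: ("KRB_AP_ERR_SKEW", True),              # clock skew beyond KDC tolerance
}

FIELD_RE = re.compile(r"^\s*([A-Za-z -]+):\s*(.+?)\s*$")


def parse_event_675(text):
    """Split one Event 675 description into its 'Field: value' pairs."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def triage(text):
    """Classify an Event 675: returns (error name, real_failure, summary)."""
    f = parse_event_675(text)
    code = int(f.get("Failure Code", "0x0"), 16)
    name, real = FAILURE_CODES.get(code, ("UNKNOWN_0x%X" % code, True))
    who = "%s from %s" % (f.get("User Name", "?"), f.get("Client Address", "?"))
    if real:
        return name, True, "FAILURE %s for %s: investigate" % (name, who)
    return name, False, "INFO %s for %s: client will retry with pre-auth data" % (name, who)


# Constructed sample: the event from the thread, plus a contrasting bad-key event.
BENIGN_EVENT = """Event ID 675
User: NT AUTHORITY/SYSTEM
Description:
Pre-authentication failed:
User Name: soltest1$
User ID: DOMAIN\\soltest1$
Service Name: krbtgt/DOMAIN
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.168.226.130
"""
BAD_KEY_EVENT = BENIGN_EVENT.replace("Failure Code: 0x19", "Failure Code: 0x18")

if __name__ == "__main__":
    for ev in (BENIGN_EVENT, BAD_KEY_EVENT):
        print(triage(ev)[2])
```

Run over a Security log export, only the entries whose verdict is FAILURE need a closer look; a 0x19 immediately followed by a logon success for the same account is the normal pre-authentication handshake.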


  5. Re: Authentication problem between Samba and AD

    You certainly told me. However will I live with myself.

    Quite helpful.


    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm


    Huge wrote:
    >
    > Top posted, unhelpful, incorrect, broken sig separator and excessively
    > long sig. Yep, this was posted from a Microsoft 'froup all right.
    >
    >
    >


  6. Re: Authentication problem between Samba and AD

    Hello Tom,

    Try to disable the SMB Signing feature on the Windows 2003 Server side.
    In SAMBA 3.0.2x the SMB Signing is implemented.

    You can find more information about SMB Signing here:

    http://support.microsoft.com/?kbid=887429

    --
    Best regards
    Frank Röder
    MVP Windows Server System - Directory Services
    "Ex oriente lux"

  7. Re: Authentication problem between Samba and AD


    Frank Röder [MVP] wrote:
    > Hello Tom,
    >
    > try to disable the SMB Signing feature on the Windows 2003 Server side.
    > In SAMBA 3.0.2x the SMB Signing is implemented.
    >
    > You find more information about SMB Signing here:
    >
    > http://support.microsoft.com/?kbid=887429


    Just wanted to close the loop and indicate that this solution did not
    fix my problem, which I'm still working on. It appears that the
    problem is actually related to a need to seize certain roles following
    the migration to the test environment. Specifically, I'm getting these
    lovely errors from dcdiag /v:

    Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
    A KDC could not be located - All the KDCs are down.

    No KDC = no authentication would be my guess, so I'll fire up ntdsutil
    and have one of the domain controllers seize the GC role. Hopefully
    that will fix my problem once and for all.


  8. Re: Authentication problem between Samba and AD

    Error 1355 is Domain not Found.

    I would recommend getting a network trace. This could be anything from
    an incorrect domain being specified to DNS issues to DCs not responding.



  9. Re: Authentication problem between Samba and AD


    Joe Richards [MVP] wrote:
    > Error 1355 is Domain not Found.
    >
    > I would recommend getting a network trace. This could be anything from
    > an incorrect domain being specified to DNS issues to DCs not responding.


    In the end, I wound up restoring both DCs to the VM environment and
    essentially recreating a single site from our domain. Once I did that,
    I had to sort out some disk space issues, requiring me to move the
    SYSVOL staging path to a different drive and reset the staging volume
    size, and then I had to mark the SYSVOL information authoritative on
    one of the DCs and wait for that to sync to both DCs. Finally, having
    completed that operation, my domain came back online.

    For anyone else trying this sort of thing, I recommend restoring a
    minimum of two domain controllers. I also recommend this support
    article:

    http://support.microsoft.com/kb/819268/en-us

    Step 3 was the one that wound up working. Finally, I recommend
    patience and watching what the server is actually doing; seeing the
    (virtual) disks thrash let me know that the FRS was actually doing
    something besides generating useless Event Log messages.

    Also, I have to thank the contributors to this thread for trying to
    help and for giving me my own mini-flamewar to celebrate my return to
    Usenet after being absent for several years.


  10. Re: Authentication problem between Samba and AD

    Oh so your DCs never published sysvol and started responding as DCs...
    That would do it.


