Samba/ADS working but connect with host instead of username?

Zteev

Programmer
Jul 28, 2003
17
US
Hi,

I have successfully compiled Samba with ADS support on AIX and joined the box to the AD domain.

The problem is when I try to map a network drive from a Win2000 workstation (I do not enter credentials since I'm logged into the domain), the smbd log tells me this:

[2005/01/19 13:07:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username NA+WKCH0DHF$ is invalid on this system

(WKCH0DHF is my workstation name)

It then asks for valid credentials, and if I put my domain\user / password credentials, it works perfectly.

Why does it send the machine name to smbd???

Thanks in advance,

Best regards,
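An added example (not part of the original post or of Samba): a small Python triage script for the smbd log message quoted above. It splits the rejected name on the winbind separator and flags workstation accounts by their trailing `$`; the function names, the `+` separator default and the two extra sample records are assumptions made for the illustration.

```python
import re

# Header line of an smbd log record, as quoted in the post above.
HEADER = re.compile(r"^\[(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+(?P<source>\S+)")
# Message line logged when the mapped name has no account on the Samba host.
INVALID = re.compile(r"^\s*Username (?P<name>\S+) is invalid on this system")

# First record is the one from the post; the other two are constructed samples.
SAMPLE_LOG = """\
[2005/01/19 13:07:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username NA+WKCH0DHF$ is invalid on this system
[2005/01/19 13:07:55, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username NA+exampleuser is invalid on this system
[2005/01/19 13:08:02, 2] smbd/example.c:constructed_record(1)
  unrelated constructed message
"""


def parse_invalid_users(log_text, separator="+"):
    """Return one dict per 'Username ... is invalid' record in log_text.

    separator is the 'winbind separator' in effect; '+' is assumed because
    that is what the names in this thread's output use.
    """
    records, header = [], None
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if head:
            header = head.groupdict()  # message lines follow until next header
            continue
        hit = INVALID.match(line)
        if hit and header:
            domain, sep, account = hit.group("name").rpartition(separator)
            records.append({
                "time": header["time"],
                "source": header["source"],
                "domain": domain if sep else None,
                "account": account,
                # AD computer accounts carry a trailing '$' in their name.
                "machine_account": account.endswith("$"),
            })
    return records


def split_by_kind(records):
    """Separate workstation (machine) principals from user principals."""
    machines = sorted({r["account"] for r in records if r["machine_account"]})
    users = sorted({r["account"] for r in records if not r["machine_account"]})
    return machines, users
```

Running `split_by_kind(parse_invalid_users(open(path).read()))` over a real log shows at a glance whether the rejected names are workstation accounts, user accounts, or both.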

 
I'm not 100% sure but I think the first thing it does is connect with the machine name to the IPC$ share on the Samba box and this is failing. What version of Kerberos are you running?

When you run wbinfo -u do you see the machine entries as well as the users?

--ned
 
My Kerberos version is Kerberos 5 release 1.3.6.

wbinfo -u returns :
Error looking up domain users.

... What's wrong? Is that related to Kerberos only?

 
Did you run the wbinfo --set-auth-user ?

Did you join the domain like this:

net ads join -U Administrator@ALL-CAPITOLS-DOMAIN-THAT-IS-REALLY-YOUR-KERBEROS-REALM.TLD

And you saw a message something like this:

Joined 'STYX' to realm 'NSI-MAIN.NORTHERN-STEEL.COM'

The realm part is important. Otherwise you are joining like it's NT4. Also, is smbd running before you start winbind?

You've made sure that nscd is not running?

--ned




 
</usr/local/samba/bin># wbinfo --set-auth-user=myuser%mypassword
could not obtain winbind separator!
could not obtain winbind domain name!

No nscd is running. And smbd is started before winbindd is started.

There is obviously something wrong in my smb.conf about winbind... ?
 
I fixed something in my smb.conf, it looks better now:

</usr/local/samba/bin># wbinfo --set-auth-user=myuser%mypass
</usr/local/samba/bin># wbinfo -u
^C</usr/local/samba/bin># wbinfo --get-auth-user
DOMAIN+myuser%mypass
</usr/local/samba/bin># wbinfo -u
Error looking up domain users

I still get that error... Any ideas?

Thanks,
 
You're using security = ADS?

Do you see a ticket when you run klist?

Try this command as well:

kinit Administrator@ALL-CAPS-DOMAIN-NAME.TLD

It should ask you for admin's password. If successful, you should see a ticket with the klist command.

--ned

 
</># klist Administrator@MY.DOMAIN.COM
klist: No credentials cache found (ticket cache FILE:Administrator@MY.DOMAIN.COM)

Yes, I am using security = ADS

Thanks again,
 
</># klist Administrator@NA.SMURFIT.COM
klist: No credentials cache found (ticket cache FILE:Administrator@NA.SMURFIT.COM)

Yes, I am using security = ADS

Thanks again in advance,

Regards,
 
Are you sure that winbind is started? This seems to be the message that I get when I run wbinfo when winbind is not started. Also, you can leave the winbind separator out of smb.conf, it will use the default (/) one instead.

Oddly enough, I am dealing with a similar issue, but it can enumerate the domain accounts and has worked flawlessly until a Samba upgrade yesterday.
 