# SAMBA + AD problems with authentication

## njcwotx

I have had a Samba + AD setup working for at least a year now. We have had few problems with it. However, I now have a huge problem on a production share that I need to resolve quickly.

First, I have 2 Samba boxes; both run Gentoo.

Box 1 is my Gentoo workstation/test box; it is updated regularly and is working fine except for this Samba problem (version 3.0.14a-r2).

Box 2 is a production server that contains CAD drawings for a number of engineers in a Windows 2000 Active Directory environment. It has not been updated since it was installed on Gentoo a year ago, and it worked fine until yesterday (version 3.0.4-r1).

Box 1 stopped authenticating Windows users accessing the shares several months ago after an emerge world. Box 2 did not have this problem since it was not updated. My Samba computers at home also stopped authenticating Windows users. In short, a user already authenticated to Windows AD would simply connect via a UNC to \\server\share without being challenged by a user/pass box. Now a user/pass box pops up and the user/pass combo will not work; it just keeps popping back up.

Now for some reason Box 2 has started doing this and I have not updated it at all.

Here is my Samba config from Box 1 for starters.

```
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
security = ADS
netbios name = SERVER
map to guest = Bad User
obey pam restrictions = No
username map = /etc/samba/smbusers
ldap ssl = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
server string = Samba Server %v
encrypt passwords = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[public]
comment = Public Files
force user = samba
force group = DOMAIN+"domain admins"
browseable = Yes
guest ok = Yes
public = Yes
read only = No
create mode = 0766
valid users = DOMAIN+user, DOMAIN+"Domain Admins"
inherit permissions = Yes
inherit acls = Yes
path = /samba/public
```

EDIT: Adding /var/log/samba/log.smbd; it has some interesting errors.

```
[2005/10/11 11:26:41, 0] smbd/server.c:main(798)
  smbd version 3.0.14a started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2005/10/11 11:26:41, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2005/10/11 11:26:41, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2005/10/11 11:26:45, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/SERVER@DOMAIN.COM failed: Client not found in Kerberos database
[2005/10/11 11:26:45, 0] printing/nt_printing.c:nt_printing_init(386)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2005/10/11 11:29:31, 0] smbd/server.c:main(798)
  smbd version 3.0.14a started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2005/10/11 11:29:31, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2005/10/11 11:29:31, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2005/10/11 11:29:31, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/SERVER@DOMAIN.COM failed: Client not found in Kerberos database
[2005/10/11 11:29:31, 0] printing/nt_printing.c:nt_printing_init(386)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2005/10/11 11:29:55, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/10/11 11:29:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/10/11 11:29:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
```

----------
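Editor's note, not part of any post in this thread: the two messages that matter in the log above are `Client not found in Kerberos database` (smbd cannot kinit as its own host principal, so the KDC no longer knows this machine account) and `Failed to verify incoming ticket!` (a client presents a ticket encrypted to a key this server no longer holds). The following added triage script, written for this page and not taken from the posts or from the Samba project, parses Samba 3.x log entries (header line plus indented message lines, wrapped lines rejoined), maps the messages posted in this thread to a cause, and flags when the pattern points at the machine account rather than at user passwords. The cause labels and suggested actions are this example's own; the sample log lines are copied from the logs posted here.

```python
"""Triage Samba 3.x smbd/winbindd logs for the AD/Kerberos failures seen in this thread.

Added example, not code from the original posts or from the Samba project.
The signature table maps message texts from the posted logs to a probable
cause; labels and suggested actions are this example's own, not Samba docs.
"""
import re
from datetime import datetime

# Samba 3.x entry header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
# followed by one or more indented message lines.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<where>\S+\(\d+\))\s*$"
)

# (regex, cause label, suggested action). First match wins, so order matters.
SIGNATURES = [
    (r"Client not found in Kerberos database", "no_host_principal",
     "KDC has no account for this host principal: machine account gone or renamed; rejoin the domain"),
    (r"Failed to verify incoming ticket", "ticket_verify_failed",
     "service ticket cannot be decrypted: machine password/keytab out of sync with AD, or clock skew"),
    (r"Username \S+\$ is invalid on this system", "machine_account_unmapped",
     "a client machine account (trailing $) is not resolvable through winbind/NSS; check winbindd and idmap"),
    (r"No credentials cache found", "no_ccache",
     "winbindd had no Kerberos ccache; normal once at startup, a problem if it repeats"),
    (r"does not exist", "lookup_failed",
     "winbindd could not resolve a user or group; object moved/deleted in AD or winbind cache stale"),
    (r"could not lookup sid", "sid_lookup_failed",
     "a SID did not resolve; idmap or trust lookup problem"),
]
SIGNATURES = [(re.compile(p), c, a) for p, c, a in SIGNATURES]


def parse_samba_log(text):
    """Return (datetime, level, where, message) tuples; wrapped message lines are rejoined."""
    events, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current:
                events.append(tuple(current))
            current = [datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                       int(m["level"]), m["where"], ""]
        elif current is not None and raw.strip():
            current[3] = (current[3] + " " + raw.strip()).strip()
    if current:
        events.append(tuple(current))
    return events


def classify(message):
    for pattern, cause, action in SIGNATURES:
        if pattern.search(message):
            return cause, action
    return None, None


def triage(text):
    """Aggregate recognised failures: count, first/last time, action, one sample line."""
    report = {}
    for ts, _level, _where, msg in parse_samba_log(text):
        cause, action = classify(msg)
        if cause is None:
            continue
        e = report.setdefault(cause, {"count": 0, "first": ts, "last": ts,
                                      "action": action, "example": msg})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
    return report


def domain_membership_broken(report):
    """True when smbd cannot prove its own identity to the KDC or decrypt tickets
    issued for it; in that state the user/pass prompt is a symptom, not the cause."""
    return bool({"no_host_principal", "ticket_verify_failed"} & set(report))


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = """\
[2005/10/11 11:26:45, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/SERVER@DOMAIN.COM failed: Client not found in Kerberos database
[2005/10/11 11:29:55, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/10/11 11:29:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/10/11 19:33:03, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No credentials cache found)
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:57:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username DOMAIN+user$ is invalid on this system
[2005/10/11 19:57:24, 1] smbd/service.c:make_connection_snum(619)
  10.10.10.67 (10.10.10.67) connect to service originals initially as user
 engr (uid=11337, gid=11337) (pid 6029)
"""

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for cause, e in sorted(rep.items(), key=lambda kv: kv[1]["first"]):
        print(f"{e['count']:3d}x {cause:26s} {e['first']:%H:%M:%S}-{e['last']:%H:%M:%S}  {e['action']}")
    print("domain membership broken:", domain_membership_broken(rep))
```

Run it against `/var/log/samba/log.smbd` and `log.winbindd` concatenated; when `domain_membership_broken` is true, the fix is on the server side (machine account and join), and resetting user passwords will not help.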

## slam_head

The location of the tdb files has changed, so in your upgrade you probably lost your domain membership. Just rejoin your computer to the domain.

----------

## njcwotx

Still no luck.

I have tried several times to rejoin the domain, including deleting the entry and rejoining some time later. This problem occurs on an un-updated box still running the same as it has all year. I am beginning to wonder if the latest security roll-up is getting in the way. This seems to be a Kerberos issue, though I can get a new ticket with kinit. klist shows it to be good.

Here is what the log.winbindd shows when I reboot. The issue is in the last line. (This is the updated Box 1 server.)

```
[2005/10/11 19:03:25, 1] nsswitch/winbindd.c:main(864)
  winbindd version 3.0.14a started.
  Copyright The Samba Team 2000-2004
[2005/10/11 19:03:30, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/SERVER@DOMAIN.COM failed: Client not found in Kerberos database
[2005/10/11 19:03:30, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Client not found in Kerberos database
```

wbinfo -u will not read the domain.

Box 2 has the same problem; however, when I use wbinfo -u I still see a list of DOMAIN users, and klist and kinit all seem to work fine. Something is up with the Kerberos authentication.

Here are the errors in log.smbd (from Box 2, the older Samba that has not been updated and died yesterday).

```
[2005/10/11 19:57:21, 0] smbd/server.c:main(757)
  smbd version 3.0.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2005/10/11 19:57:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username DOMAIN+user$ is invalid on this system
[2005/10/11 19:57:24, 1] smbd/service.c:make_connection_snum(619)
  10.10.10.67 (10.10.10.67) connect to service originals initially as user engr (uid=11337, gid=11337) (pid 6029)
[2005/10/11 19:57:25, 1] smbd/service.c:make_connection_snum(619)
  10.10.10.32 (10.10.10.32) connect to service originals initially as user engr (uid=11337, gid=11337) (pid 6030)
[2005/10/11 19:57:25, 1] smbd/service.c:make_connection_snum(619)
  10.10.10.32 (10.10.10.32) connect to service sandbox initially as user engr (uid=11337, gid=11337) (pid 6031)
[2005/10/11 19:57:27, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username DOMAIN+user$ is invalid on this system
[2005/10/11 19:57:27, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username DOMAIN+user$ is invalid on this system
[2005/10/11 19:57:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username DOMAIN+user$ is invalid on this system
[2005/10/11 19:57:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username DOMAIN+user$ is invalid on this system
[2005/10/11 19:57:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username DOMAIN+user$ is invalid on this system
[2005/10/11 19:57:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username DOMAIN+user$ is invalid on this system
[2005/10/11 19:57:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username DOMAIN+user$ is invalid on this system
[2005/10/11 19:57:34, 1] smbd/service.c:close_cnum(801)
  10.10.10.67 (10.10.10.67) closed connection to service originals
[2005/10/11 19:57:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2005/10/11 19:57:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2005/10/11 19:58:32, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2005/10/11 19:58:32, 1] smbd/service.c:make_connection_snum(619)
  10.10.10.67 (10.10.10.67) connect to service solidworks initially as user engr (uid=11337, gid=11337) (pid 6029)
[2005/10/11 19:58:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2005/10/11 19:58:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2005/10/11 20:00:32, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2005/10/11 20:00:32, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
```

This is log.winbindd (on Box 2):

```
[2005/10/11 19:32:59, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.4 started.
  Copyright The Samba Team 2000-2004
[2005/10/11 19:32:59, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain DOMAIN DOMAIN.COM S-0-0
[2005/10/11 19:33:03, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No credentials cache found)
[2005/10/11 19:33:05, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain DOMAIN2  S-1-5-21-96029189-1361121977-763373030
[2005/10/11 19:33:05, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN  S-1-5-32
[2005/10/11 19:33:05, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain SERVER  S-1-5-21-4191538162-1669343715-178638133
[2005/10/11 19:33:49, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'nchoate' does not exist
[2005/10/11 19:33:49, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'nchoate' does not exist
[2005/10/11 19:33:49, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'NCHOATE' does not exist
[2005/10/11 19:33:51, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:33:51, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'user$' does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'user$' does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:33:52, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:34:11, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'user$' does not exist
[2005/10/11 19:34:11, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'user$' does not exist
[2005/10/11 19:34:12, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'apache' does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group drafting in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group engineer in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group applications in domain DOMAIN does not exist
[2005/10/11 19:34:18, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain DOMAIN does not exist
[2005/10/11 19:34:34, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2005/10/11 19:34:34, 1] nsswitch/winbindd_group.c:winbindd_getgrgid(381)
  could not lookup sid
[2005/10/11 19:34:56, 1] nsswitch/winbindd_group.c:winbindd_getgrgid(381)
  could not lookup sid
```

Something to keep in mind here. I have several Samba installs. ALL OF THEM NOW FAIL. The first ones to die a couple of months ago were the ones I updated. Now the ones that were never updated have disconnected as well. I have tried many, many things: rejoining the domain, playing with smb.conf configs, and many more. I have a suspicion that some Windows updates are changing something in Windows AD, and I may now have to change my Linux stuff to reflect this. The box that died yesterday was not updated, but there were some rollup patches that have been auto-updating on our DCs for a while now.

I'm grabbing at straws, but I need to get this going. My boss is an anti-Linux proponent, and said he is going to make me go back to winblows if I can't make this work! I went to Samba because I have these huge engineering files that need speed above simplicity. We went to Samba in the past to get this speed and I want to keep it.

----------

## slam_head

I'm not sure when 'kerberos' was added as a USE flag to samba. Try this:

```
smbd -b|grep KRB
```

This should return several lines, but if you get back nothing, Samba was built without Kerberos support, which can be fixed by adding 'kerberos' to your USE line in /etc/make.conf and emerging samba again. You can also run

```
emerge -pv samba
```

That will show what flags would be used in a new build.

----------

## Alvedon

I'm a total noob, but check that your time really is synced with your domain controllers.

//Daniel

----------
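Editor's note, not part of any post: the two replies above name the two pre-flight checks worth scripting on an ADS member, the build check (`smbd -b | grep KRB`) and the clock check against the DC. The added example below is written for this page, not taken from the posts or the Samba project. It parses the `Defines:` section of `smbd -b` output, reports which defines an ADS member needs but the build lacks, and applies the Kerberos skew limit. Assumptions, labelled in the code: the define names in `REQUIRED_DEFINES` are the ones a Kerberos-enabled `smbd -b` lists (verify against your own output), a 300 s skew limit is the usual KDC default, and the `net time -S <dc>` output format parsed in `live_check` is assumed, so check it before relying on that function.

```python
"""Pre-flight checks for a Samba 3.x ADS member: Kerberos build support and clock skew.

Added example, not from the original posts or the Samba project.
Assumptions: REQUIRED_DEFINES are the names `smbd -b` prints in its "Defines:"
section on a Kerberos-enabled build (verify locally); MAX_SKEW is the common
5-minute KDC default; the `net time` output format in live_check is assumed.
"""
import subprocess
import time

REQUIRED_DEFINES = ("HAVE_KRB5", "HAVE_LDAP", "WITH_ADS", "WITH_WINBIND")  # assumed names
MAX_SKEW = 300  # seconds; assumed KDC default


def parse_build_options(text):
    """Collect define names from `smbd -b` output (one HAVE_/WITH_ token per line)."""
    return {line.strip().split()[0]
            for line in text.splitlines()
            if line.strip().startswith(("HAVE_", "WITH_"))}


def missing_ads_support(build_output):
    """Defines an ADS member needs that this build lacks; an empty list means OK."""
    have = parse_build_options(build_output)
    return [d for d in REQUIRED_DEFINES if d not in have]


def krb_defines(build_output):
    """Equivalent of `smbd -b | grep KRB`: every define mentioning Kerberos."""
    return sorted(d for d in parse_build_options(build_output) if "KRB" in d)


def clock_skew_ok(local_epoch, dc_epoch, max_skew=MAX_SKEW):
    """True if |local - dc| is within what the KDC will accept for a ticket."""
    return abs(local_epoch - dc_epoch) <= max_skew


def live_check(dc):
    """Run the checks against a real host (not exercised offline).
    `net time -S <dc>` prints the DC clock; the "%a %b %d %H:%M:%S %Y" format is assumed."""
    build = subprocess.run(["smbd", "-b"], capture_output=True, text=True).stdout
    dc_time = subprocess.run(["net", "time", "-S", dc],
                             capture_output=True, text=True).stdout.strip()
    dc_epoch = time.mktime(time.strptime(dc_time, "%a %b %d %H:%M:%S %Y"))
    return missing_ads_support(build), clock_skew_ok(time.time(), dc_epoch)


# Constructed samples shaped like the "Defines:" section of `smbd -b`.
BUILD_WITH_KRB = """\
Defines:
   _SAMBA_BUILD_
   HAVE_KRB5
   HAVE_KRB5_H
   HAVE_LDAP
   WITH_ADS
   WITH_WINBIND
"""
BUILD_WITHOUT_KRB = """\
Defines:
   _SAMBA_BUILD_
   HAVE_LDAP
   WITH_WINBIND
"""

if __name__ == "__main__":
    for name, sample in (("with krb", BUILD_WITH_KRB), ("without krb", BUILD_WITHOUT_KRB)):
        print(name, "KRB defines:", krb_defines(sample), "missing:", missing_ads_support(sample))
    print("skew 299s ok:", clock_skew_ok(1000, 1299), " skew 301s ok:", clock_skew_ok(1000, 1301))
```

A build missing `HAVE_KRB5` or `WITH_ADS` will never get past `security = ADS`, and a clock outside the skew window produces exactly the kind of ticket verification failures seen in the logs above, so both checks belong before any rejoin attempt.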

## njcwotx

I had already checked the time sync issues.

I resolved the wbinfo issue on Box 1. Now I'm down to the permissions again. LDAP (a.k.a. AD) still does not seem to resolve other hosts and users, although when I run wbinfo -u or getent passwd or such, it shows the entire list of users, groups and hosts on the domain.

I am not sure when this occurred, but some other person in another city had moved several ou= containers into my city's container due to a recent move. They did this without bothering to let me know, and I have a suspicion this is what broke the Linux OpenLDAP/Kerberos/Samba stuff. Unfortunately, it makes it look like Linux's fault to my boss.

At this point all boxes have the same basic issue. I'm getting things that say either a workstation or a user group cannot be found in the database, though I know they are, because I can actually map domain users and groups to file permissions in Linux. For example, I can type something like "chown DOMAIN+user folder" and have the permission map to the domain user and show up in Linux. I can kinit and talk to the database, get tickets and such. I can access the \\server level in 'My Computer' but not '\\server\share' without it popping up a user login box. I can, however, give 'guest ok = yes' to a share and my users can get to files without any security associated with it.

BTW, I have tried many different things, broken and re-broken options and rejoined the domain so many times that I have seen a number of different issues. However, what is listed above is the main issue. All the wbinfo stuff and some others were side effects of previous attempts to fix it.

----------

## njcwotx

OK! I got Box 1 working. I had to add the @ in front of my @DOMAIN+group entries, kill the computer account in AD and start over from scratch, and play with some smb.conf configs, but I still have to figure out the other Box 2 issue that is not working. Nothing had changed over the weekend here...

Now if only I can figure out this one on Box 2, I will be back in business.

```
[2005/10/13 00:11:53, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username DOMAIN+WORKSTATION$ is invalid on this system
```

Update:

Trying to apply permissions directly to shares on Box 2 is failing. Commands like 'chgrp DOMAIN+group folder' are failing on Box 2, unlike Box 1, where they did work. This is something I can work on tomorrow... it's late...

Now, after a couple of days, I believe the root of all this was somebody moving a number of objects around in W2k AD containers, killing my LDAP stuff on my Samba servers. Had I figured out right away to delete and re-add the accounts, this may have gone more smoothly. Now I think I'm cleaning up all the other stuff I tried in order to fix it.

----------

