Solved

Samba cannot authenticate against 2003 ADS. pdb_init_sam failed!

Posted on 2005-04-07
Last Modified: 2008-01-09
I'm trying to get Samba to connect to a 2003 Server ADS.  I have successfully joined the computer to the domain by doing a "net ads join" and can see users with "wbinfo -u".  I can authenticate correctly using kinit.

However, whenever I try to connect from a XP client I get

         System error 1326 has occurred.
         Logon failure: unknown user name or bad password.

on the client and

         [2005/04/07 13:52:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)  
           Username DDS\aclient$ is invalid on this system
        [2005/04/07 13:52:08, 0] auth/auth_util.c:make_server_info_info3(1134)
          make_server_info_info3: pdb_init_sam failed!

in the server log, where  "aclient" is the client machine name.

Any ideas?

I'm using 2003 Server with SP2 & all hotfixes & the standard build of Samba & winbind from Centos-4 (AKA RHEL 4).
Question by:DrBeaker

15 Comments
LVL 2

Author Comment

by:DrBeaker
ID: 13726355
My smb.conf:


[global]
        workgroup = DDS
        server string = ddsunx02
        printcap name = /etc/printcap
        load printers = yes
        cups options = raw
#       log file = /var/log/samba/%m.log
        log file = /var/log/samba/my.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = no
        idmap uid = 20000000-33554431
        idmap gid = 20000000-33554431
        template shell = /bin/false
        password server = office1.ourdomain.dom
        realm = OURDOMAIN.DOM
        security = ADS
        encrypt passwords = yes
        winbind use default domain = no
        client use spnego = yes
[homes]
        comment = Home Directories
        browseable = no
        writeable = yes
#[printers]
#       comment = All Printers
#       path = /var/spool/samba
#       browseable = no
#       printable = yes
[pub]
        path = /var/SAMBA/public
        public = yes
        only guest = yes
        writable = yes
        printable = no
        browseable = yes
LVL 2

Author Comment

by:DrBeaker
ID: 13726362
my krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OURDOMAIN.DOM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 OURDOMAIN.DOM = {
  kdc = office1.ourdomain.dom
  admin_server = office1.ourdomain.dom
  default_domain = ourdomain.dom
 }

[domain_realm]
 .ourdomain.dom = OURDOMAIN.DOM
 ourdomain.dom = OURDOMAIN.DOM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

LVL 2

Author Comment

by:DrBeaker
ID: 13726389
I just noticed that when I do a "service winbind start" I get
[2005/04/07 14:03:16, 0] sam/idmap_tdb.c:db_idmap_init(506)
  idmap_init: Unable to open idmap database
[2005/04/07 14:03:16, 0] sam/idmap.c:idmap_init(113)
  idmap_init: could not initialise tdb cache backend!
[2005/04/07 14:03:16, 1] nsswitch/winbindd.c:main(897)
  Could not init idmap -- netlogon proxy only
[2005/04/07 14:03:16, 0] nsswitch/winbindd_cache.c:wcache_flush_cache(64)
  Failed to open winbindd_cache.tdb!

in the samba log. This might give someone a clue?
LVL 38

Expert Comment

by:wesly_chen
ID: 13730050
> Logon failure: unknown user name or bad password.
1. Check /etc/nsswitch.conf for "winbind"
----------
passwd:      files winbind
shadow:      files winbind
group:       files winbind
hosts:       files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:      files
netmasks:    files
networks:    files
protocols:   files winbind
rpc:         files
services:    files winbind
netgroup:    files winbind
publickey:   nisplus
automount:   files
aliases:     files nisplus
-------------

2. Use "<domain>\user" as login name, not just "user".

3. Make sure the directory is created:
/home/<domain>/<user>

Wesly
LVL 38

Expert Comment

by:wesly_chen
ID: 13730058
LVL 2

Author Comment

by:DrBeaker
ID: 13736190
Thanks Wes, but that didn't help.  I read through the reference you gave & checked everything but still no joy.

I'm sure the " idmap_init: Unable to open idmap database " etc on starting winbind must be significant.
LVL 38

Expert Comment

by:wesly_chen
ID: 13746160
What's your version of SAMBA?

Expert Comment

by:rmszaphod
ID: 13794900
Samba Version / OS would be helpful.  This definitely looks like a PAM/Winbind problem.  Here's what I did for FreeBSD 5.3/Samba 3.0.9+

/etc/pam.d/login (italics are changes):

cd /etc/pam.d
cp login old.login
ee or vi login:

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_self.so             no_warn
auth            include         system
auth            sufficient      /usr/local/lib/pam_winbind.so
# account
account         requisite       pam_securetty.so
account         include         system
account         sufficient      /usr/local/lib/pam_winbind.so

# session
session         include         system

Configure nsswitch.conf

ee or vi /etc/nsswitch.conf

passwd: files winbind
shadow: files winbind
group:  files winbind
hosts:  dns winbind ldap files nis
automount:      files winbind ldap nisplus
aliases:        files winbind ldap nisplus

The whole article is viewable at http://www.fsklaw.com/fbsdconfig.html

Expert Comment

by:rmszaphod
ID: 13794932
Oh yeah.  I haven't updated this yet.  Dunno if Linux is doing something like this, but you can also use a file called pam.conf in /etc.  For samba-ldap I have done this.  Use as an example of configuring PAM, not as the exact config:

login   auth sufficient /usr/local/lib/pam_ldap.so

telnet auth sufficient /usr/local/lib/pam_ldap.so
telnet  auth required   /usr/lib/security/pam_unix.so.1 try_first_pass

sshd    auth sufficient /usr/local/lib/pam_ldap.so try_first_pass

ftp     auth sufficient /usr/local/lib/pam_ldap.so

rlogin  auth sufficient /usr/local/lib/pam_ldap.so
rlogin  auth required   /usr/lib/security/pam_unix.so.1 try_first_pass

dtlogin auth sufficient /usr/local/lib/pam_ldap.so
dtlogin auth required   /usr/lib/security/pam_unix.so.1 try_first_pass

rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1

other   auth sufficient /usr/local/lib/pam_ldap.so try_first_pass

# Account management
login   account required  /usr/local/lib/pam_ldap.so
login   account sufficient /usr/lib/security/pam_unix.so.1

dtlogin account required  /usr/local/lib/pam_ldap.so
dtlogin account required /usr/lib/security/pam_unix.so.1
other   account required  /usr/local/lib/pam_ldap.so
other   account sufficient /usr/lib/security/pam_unix.so.1

# Session management, not implemented by pam_ldap
other   session required /usr/lib/security/pam_unix.so.1

#
# Password management
#
#other  password required /usr/lib/security/pam_unix.so.1
#other   password required /usr/lib/security/pam_ldap.so
other   password required /usr/local/lib/pam_ldap.so
LVL 2

Author Comment

by:DrBeaker
ID: 13955820
Back from vacation - I'll try this & advise
LVL 2

Author Comment

by:DrBeaker
ID: 13960770
smbd --version reports
Version 3.0.10-1.4E
LVL 2

Author Comment

by:DrBeaker
ID: 14086437
I eventually tracked the problem.  There is an issue with the "targeted" policy not allowing winbind to create its working files etc, so it fails.  Turning off SELinux solved the problem.  Less drastic solutions include:

1) turning it off just for winbind
2) setting it to permissive mode
3) correcting the profile.

Having done 1) I'm now looking at doing 3) (and trying to find if anyone's done it already).    
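An added diagnostic script, not part of the thread, that checks the two causes raised above: wesly_chen's point that "winbind" must be listed in nsswitch.conf, and DrBeaker's finding that the SELinux targeted policy denies winbindd the tdb files it needs at startup. It runs on constructed sample input; the `winbind_disable_trans` boolean name is an assumption for CentOS-4 / RHEL 4 and should be confirmed with `getsebool -a` before use.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): separates the two causes discussed
# above, "winbind" missing from nsswitch.conf and SELinux's targeted policy
# denying winbindd its tdb working files. The boolean name is an assumption
# for CentOS-4 / RHEL 4; confirm it with "getsebool -a | grep winbind".

# Print the nsswitch databases that do not list the winbind source.
nss_missing_winbind() {
    for db in passwd shadow group; do
        grep -E "^[[:space:]]*$db:" "$1" | grep -qw winbind || printf '%s ' "$db"
    done
}

# Count AVC denials for one daemon in a syslog- or auditd-style log. RHEL 4
# syslog lines carry exe=/usr/sbin/winbindd, newer auditd lines comm="winbindd".
avc_denials_for() {
    grep -Ec "avc: +denied.*(comm=\"$1\"|exe=[^[:space:]]*/$1( |$))" "$2" || true
}

# Constructed sample input so the script runs offline.
SAMPLE_NSS=$(mktemp); SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_NSS" "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_NSS" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files
EOF
cat >"$SAMPLE_LOG" <<'EOF'
Apr  7 14:03:16 ddsunx02 kernel: audit(1112879000.123:0): avc:  denied  { write } for  pid=2311 exe=/usr/sbin/winbindd name=samba dev=hda2 ino=65537 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
Apr  7 14:03:16 ddsunx02 kernel: audit(1112879000.124:0): avc:  denied  { create } for  pid=2311 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:var_lib_t tclass=file
Apr  7 14:03:20 ddsunx02 kernel: audit(1112879004.001:0): avc:  denied  { read } for  pid=2400 exe=/usr/sbin/httpd name=index.html scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
EOF

# Summarise, then name the least drastic fix that applies.
diagnose() {
    missing=$(nss_missing_winbind "$1")
    if [ -n "$missing" ]; then
        echo "nsswitch.conf lacks winbind for: $missing"
    fi
    denials=$(avc_denials_for winbindd "$2")
    if [ "$denials" -gt 0 ]; then
        echo "$denials SELinux denials for winbindd: idmap/cache tdb files cannot be created"
        echo "  current mode: $(getenforce 2>/dev/null || echo unknown)"
        echo "  exempt only winbind (assumed RHEL 4 boolean): setsebool -P winbind_disable_trans 1"
        echo "  or make the whole policy permissive:          setenforce 0"
    fi
}
diagnose "$SAMPLE_NSS" "$SAMPLE_LOG"
```

On a real host, point `avc_denials_for` at /var/log/messages (RHEL 4 syslog) or /var/log/audit/audit.log (auditd) instead of the sample file.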
LVL 38

Expert Comment

by:wesly_chen
ID: 14087801
Did you need SELinux, which is still buggy and troublesome?
Why not just leave it off?
LVL 2

Author Comment

by:DrBeaker
ID: 14091664
Aside from this issue, it's given me no problems & seems worthwhile.
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 16359974
PAQed with points refunded (250)

DarthMod
Community Support Moderator