# Samba, Kerberos Authentication Problem against Active Directory



## suggestme (Oct 31, 2011)

Hi, 

I am configuring FreeRadius server on FreeBSD to perform authentication against Active Directory using Kerberos & Samba. I installed Samba, Kerberos server packages and did configuration changes on smb.conf file and /etc/krb5.conf file accordingly. From root I tried the command:

`# net ads join -U [b]username[/b] -S [b]nt-server-hostname.company.com[/b]`

It gives me the output as: (which I think might be OK)


```
Enter [B]username's[/B] password:
Using short domain name -- "   "
Joined '    ' to realm '      '
DNS update failed!
```
If I just try another command, it gives error:

`# net join -U [b]Administrator[/b]`

It gives the output as :


```
Failed to join domain: failed to find DC for domain '     '
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain '    '
Unable to find a suitable server for domain '    '
```

I get authentication error when I try the following command as:

`# wbinfo -a [b]user[/b]%[b]password[/b]`


```
plaintext password authentication failed
Could not authenticate user [B]username[/B]%[B]password[/B] with plaintext password
could not obtain winbind interface details!
could not obtain winbind separator!
challenge/response password authentication failed
Could not authenticate user [B]username[/B] with challenge/response
```

Can anyone please tell me what might be the problem?

Thanks


----------



## AndyUKG (Nov 2, 2011)

Did you setup the smb.conf with things like server name, PDC, domain name, security type as required? What documentation are you following for Samba?


----------



## suggestme (Nov 2, 2011)

AndyUKG,

Yes I changed some configurations in smb.conf. I am following "deployingradius.com" steps for it. Some of the configurations I changed on smb.conf are as shown on *BOLD LETTER*:


```
workgroup = [B]MYDOMAIN[/B]

security = [B]ads[/B]

password server = [B]nt-server-hostname.company.com[/B]

realm = [B]REALM.COMPAMY.COM[/B]

[B]winbind separator = +[/B]
```
I also changed some configurations on /etc/krb5.conf, changes I have made is shown in *BOLD LETTER*:


```
[libdefaults]
        default_realm = [B]REALM.COMPANY.COM[/B]	
        clockskew = 300
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	

[realms]


	[B]REALM.COMPANY.COM[/B] = {
		kdc = [B]nt-server-hostname.company.com[/B]	
}
	OTHER.REALM = {
		v4_instance_convert = {
			kerberos = kerberos
			computer = computer.some.other.domain
		}
	}
[domain_realm]
	[B].my.domain [/B]= [B]REALM.COMPANY.COM[/B]
```
While executing [cmd=]# wbinfo -a user%password [/cmd]command it was giving winbind interface and separator error so, I just added 
	
	



```
winbind separator = +
```
 It eliminated that error, but still can't authenticate the user. Other errors are occuring as I mentioned in previous post.


Thanks,


----------



## Sylhouette (Nov 2, 2011)

I once pointed out to someone how I join to a Windows AD server.

You can find it here
http://forums.freebsd.org/showthread.php?t=20007

regards,
Johan Hendriks


----------



## suggestme (Nov 2, 2011)

Sylhouette / Johan,

Thank you so much for the thread suggestion. I followed up all the configuration details mentioned under the thread provided But still I am having following issues.

I can join the domain by using the command:

[cmd=]# net ads join -U username -S nt-server-hostname.company.com[/cmd]

but can't join it by just using the command 

[cmd=]# net join -U Administrator[/cmd]

My server is already showing up under the list of users under Domain users list. But if I try to see users or groups respectively using:

[cmd=]# wbinfo -u[/cmd]
[cmd=]# wbinfo -g[/cmd]

It doesn't show any users or groups. Also no error shows, just seems like no effect.

Also like before, while using the command:

[cmd=]# wbinfo -a user%password[/cmd]

It is not working and giving the same error as I mentioned in previous post.

Thanks


----------



## Sylhouette (Nov 2, 2011)

> [cmd=]net join -U Administrator[/cmd]



It should read.

[cmd=]net ads join -Uadministrator[/cmd]

Do you have your /etc/resolv.conf entries pointed at your windows AD server?

Regards
Johan Hendriks


----------



## suggestme (Nov 2, 2011)

Sylhouette,



```
# net ads join -U Administrator

Failed to join domain: failed to find DC for domain '   '
```

It also doesn't work. It gives the error. It's so strange that the following command allows to join the domain but I can't see the user and group using *wbinfo -u* and *wbinfo -g* commands. 

[cmd=]# net ads join -U username -S nt-server-hostname.company.com[/cmd]


----------



## Sylhouette (Nov 2, 2011)

It looks like it can not find the domain. Can you show your /etc/nsswitch, /etc/krb5.conf, /etc/hosts and /etc/resolv.conf file?

regards 
Johan


----------



## suggestme (Nov 2, 2011)

Sylhouette,

Sorry, I forgot to mention the answer of:

Do you have your /etc/resolv.conf entries pointed at your windows AD server.

I can see two entries in this file:


```
domain  '     '           -----> It shows the domain name
nameserver      '     '   -----> It shows correct IP address of server
```

Thanks,


----------



## Sylhouette (Nov 2, 2011)

Ok I did reread your question.



> ```
> workgroup = MYDOMAIN
> security = ads
> password server = nt-server-hostname.company.com
> ...



Your workgroup must be the same name as your domain. So if your windows server is nt-server-hostname.company.com your workgroup name must be company. Your realm reads REALM.COMPANY.COM, this must read 
	
	



```
realm = COMPANY.COM
```

The same thing goes for your /etc/krb5.conf file.

One more thing did you install the kerberos port, if so, do you need to edit /usr/local/etc/krb5.conf instead of /etc/krb5.conf. As I never install the kerberos port, I can not tell you if that is the case.

Also the krb5.conf file has a lot of things I do not know (I am not an expert). Try to use a config as minimal as needed, and later add things you need if you miss them.

In your case it would probably look like this.

```
[libdefaults]
        default_realm = COMPANY.COM
        clockskew = 600

[realms]
        COMPANY.COM = {
                kdc = tcp/nt-server-hostname.company.com
}

[domain_realms]
        .company.com = COMPANY.COM
```

Also your host must be in the same domain. so your /etc/hosts file must read something like this, where 192.168.1.1 is the ipaddress of your FreeBSD server.


```
192.168.1.1          bsd-server-hostname.company.com bsd-server-hostname
192.168.1.1          bsd-server-hostname.company.com
```

and in your /etc/rc.conf file your hosname must be set accordingly

```
hostname="bsd-server-hostname.company.com"
```

Your /etc/resolv.conf file must contain the following

```
domain company.com
nameserver 192.168.1.10
```

where 192.168.1.10 is the ip address off your AD server.

regards
Johan


----------



## DutchDaemon (Nov 3, 2011)

Guys, format your posts correctly. This includes file names, path names, commands, etc. It really adds to the readability of your posts (and better use of my time). Thanks.


----------



## Sylhouette (Nov 3, 2011)

I will try to use the tags more.

It is not my intention to waste your time.
BTW for what it is worth, i think you do a really excellent job here on the forums.

Ik zeg vooral zo doorgaan. 

And i will watch my post format.

regards
Johan


----------



## suggestme (Nov 3, 2011)

DutchDaemon,

I will try my best to format my posts correctly. I am new forum member so, trying to get used to with it. Sorry for any inconvenience caused by this.


Sylhouette,

I checked all the configurations and did all the modifications but I am still getting the same issue. Yes I installed Kerberos port. So, at first I was also confused with krb5.conf  location. There was no krb5.conf file in /etc/krb5.conflocation before. It was in /usr/ports/net/samba35/work/samba-3.5.6/source4/setup/krb5.conf location from which I copied the file to /etc location. So there are krb5.conf files in two locations with the same configuration. I copied these because I read in so many sites the location of krb5.conf in /etc/krb5.conf . I am also new to FreeBSD and these samba, kerberos installation. So, I don't know this might be the issue.

Can anyone please suggest me anything in this matter. This time I am already suffering from this problem for so many days.

Thanks


----------



## Sylhouette (Nov 3, 2011)

Could you just copy and paste your config files.

that would be /etc/krb5.conf /etc/nsswitch /etc/hosts /usr/local/etc/smb.conf /etc/resolv.conf /etc/rc.conf

The name of the domain controller and its ipaddress.

Maybe i do not answer today anymore because i am on the road.!

regards
Johan


----------



## suggestme (Nov 3, 2011)

Hello,

Finally I am able to authenticate user against Active Directory using Samba & Kerberos. I just rechecked and modified the configurations; Most importantly, synchronized the time with my Domain server time using NTP /etc/ntp.conf, and restarted the Samba & Kerberos Server. Now user authentication for Plaintext password and Challenge/response is successful. 

Thank you so much AndyUKG & Sylhouette for all your feedbacks.
Also Thank you so much DutchDaemon for giving your valuable time for moderating this forum. This forum is really very helpful.


----------



## Sylhouette (Nov 4, 2011)

Nice to hear.
The funny thing is that i had the same issue once, and it was also the time.
But i got messages in my logs, something about time scew to great i believe.

regards
Johan


----------



## Avery Freeman (Sep 21, 2017)

Sorry to revive old thread, but I am setting up FreeBSD 11.1-CURRENT as an AD member, and I just want to say that this helped me.  The issues are still relevant in late 2017.

I did not find many threads that helped with my issues related specifically to FreeBSD, and this thread is old, so I thought mentioning that the info still works might help someone else with the same issues if they run across it like I did in my search.

I synchronized the member's datetime using the DC as the NTP in /etc/ntp.conf and restarted ntpd, and then I could join without error.

I also created /etc/nsswitch and /etc/krb5.conf as described in a thread Sylhouette replied to here: https://forums.freebsd.org/threads/20007/ 

I'm not sure this was necessary, I would recommend other people just try synchronizing NTP with the DC first.

Thanks!


----------



## SirDice (Sep 22, 2017)

Avery Freeman said:


> FreeBSD 11.1-CURRENT


That version does not exist.


----------

