Hi John,

The same smb and winbind configuration (same SUSE box) works well with other Windows AD servers.
"#wbinfo -u" and "#wbinfo -g" return the users and groups respectively.

Thanks for your great help!!!

What is the difference between "#net rpc" and "#net ads"? If you have time, give some explanation.

Regards,
Vivek

On Mon, Nov 15, 2010 at 6:56 PM, Vivekanandan Nataraj <viveknata...@gmail.com> wrote:

> Hi John,
>
> Thanks for your reply.
>
> # net ads testjoin
> [2010/11/15 06:40:27, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> [2010/11/15 06:40:29, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> Join to domain is not valid: Invalid credentials
>
> but,
>
> # net rpc testjoin
> Join to 'SQUID' is OK
>
> # net ads info -U Administrator
> Enter Administrator's password:
> LDAP server: 172.16.1.33
> LDAP server name: EIS.squid.biz
> Realm: SQUID.BIZ
> Bind Path: dc=SQUID,dc=BIZ
> LDAP port: 389
> Server time: Mon, 15 Nov 2010 06:45:33 IST
> KDC server: 172.16.1.33
> Server time offset: 43
>
> # net rpc info -U Administrator
> Enter Administrator's password:
> Domain Name: SQUID
> Domain SID: S-1-5-21-419217316-27721265-2755569738
> Sequence number: 548
> Num users: 29
> Num domain groups: 10
> Num local groups: 39
>
> # wbinfo -a 'vivek%vivek'
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> # wbinfo -K 'vivek%vivek'
> plaintext kerberos password authentication for [vivek%vivek] failed (requesting cctype: FILE)
> Could not authenticate user [vivek%vivek] with Kerberos (ccache: FILE)
>
> # kinit vivek
> Password for vi...@squid.biz:
> #
>
> Does anything need to be modified on the Windows side? As a next step I will remove
> the system from the domain and try everything...
>
> Thanks in advance.
>
> Regards,
> Vivek
>
> On Mon, Nov 15, 2010 at 8:25 AM, John Stile <j...@stilen.com> wrote:
>
>> "Invalid credentials" points to a problem, though I'm guessing, with
>> the domain membership.
>>
>> I'm really not sure what it means.
>>
>> Does 'ads testjoin' show anything?
>>
>> Would it be too much trouble to remove the system from the domain and
>> add it back, assuming that was the problem?
>>
>> 1. remove the machine from the domain (on the AD server),
>> 2. stop smbd, nmbd, and winbindd.
>> 3. find and remove "*.tdb" files.
>> 4. Check 'date' vs. 'net date'
>> 5. net ads join -U 'SQUID.BIZ+username'%'passwd'
>> 6. check 'net ads testjoin'
>> 7. check 'net ads info'
>> 8. start daemon: 'winbindd -d 3 -i'
>> 9. wbinfo -a 'SQUID.BIZ+username'%'password'
>> 10. wbinfo -K 'SQUID.BIZ+username'%'password'
>> 11. kinit username
>>
>> On Mon, 2010-11-15 at 00:32 +0530, Vivekanandan Nataraj wrote:
>> > Hi John,
>> >
>> > Thanks for your reply.
>> >
>> > This is the result:
>> >
>> > #wbinfo -u
>> >
>> > Connected to LDAP server EIS.squid.biz
>> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> > ads_sasl_spnego_bind: got server principal name = e...@squid.biz
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:22:14 IST
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:22:26 IST
>> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> > ads_connect for domain SQUID failed: Invalid credentials
>> > final write to client failed: Broken pipe
>> >
>> > #wbinfo -g
>> >
>> > Connected to LDAP server EIS.squid.biz
>> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> > ads_sasl_spnego_bind: got server principal name = e...@squid.biz
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:27:10 IST
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:27:12 IST
>> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> > ads_connect for domain SQUID failed: Invalid credentials
>> > final write to client failed: Broken pipe
>> >
>> > Any problem with the krb configuration?
>> >
>> > Regards,
>> > Vivek
>> >
>> > On Sun, Nov 14, 2010 at 11:59 PM, John Stile <j...@stilen.com> wrote:
>> >         You could try to run winbindd manually (winbindd -d 3 -i), and from
>> >         another console run 'wbinfo -u', and see if any errors present
>> >         themselves in the console where you ran winbindd. First make sure no other
>> >         winbind daemon is running, by testing, as root, with:
>> >         lsof -i tcp -nP | grep winbind
>> >
>> >         On Sun, 2010-11-14 at 23:41 +0530, Vivekanandan Nataraj wrote:
>> >         > Hi John,
>> >         >
>> >         > Thanks for your reply.
>> >         >
>> >         > I have modified the nsswitch.conf file and smb.conf as per your
>> >         > suggestions.
>> >         >
>> >         > Still wbinfo does not list the users... I have rebooted the server
>> >         > after modification.
>> >         >
>> >         > I also ran #rm -rf /var/lib/samba/*, restarted the services and joined the
>> >         > domain again, but no luck.
>> >         >
>> >         > nsswitch.conf
>> >         > [
>> >         > shadow: files
>> >         > passwd: compat winbind
>> >         > group:  compat winbind
>> >         >
>> >         > hosts:  files dns wins
>> >         > networks:       files dns
>> >         >
>> >         > services:       files
>> >         > protocols:      files
>> >         > rpc:    files
>> >         > ethers: files
>> >         > netmasks:       files
>> >         > netgroup:       files nis
>> >         > publickey:      files
>> >         >
>> >         > bootparams:     files
>> >         > automount:      files nis
>> >         > aliases:        files
>> >         > ]
>> >         >
>> >         > samba
>> >         > [
>> >         > workgroup = SQUID
>> >         > realm = SQUID.BIZ
>> >         > security = ADS
>> >         > password server = EIS.SQUID.BIZ
>> >         > printcap name = cups
>> >         > idmap uid = 1000-20000000
>> >         > idmap gid = 1000-20000000
>> >         > winbind separator = +
>> >         > winbind enum users = Yes
>> >         > winbind enum groups = Yes
>> >         > winbind use default domain = Yes
>> >         > winbind nss info = rfc2307
>> >         > cups options = raw
>> >         > ]
>> >         >
>> >         > Anything I missed?
>> >         >
>> >         > Thanks in advance.
>> >         >
>> >         > Regards,
>> >         > Vivek
>> >         >
>> >         > On Sun, Nov 14, 2010 at 10:33 PM, John Stile <j...@stilen.com> wrote:
>> >         >         Does /etc/nsswitch.conf hold winbind?
>> >         >         Something like this:
>> >         >         passwd: compat winbind
>> >         >         group:  compat winbind
>> >         >
>> >         >         Also,
>> >         >         your config doesn't show:
>> >         >         winbind separator = +
>> >         >
>> >         >         your config doesn't have a fully qualified "password server"
>> >         >         hostname.
>> >         >
>> >         >         On Sun, 2010-11-14 at 11:09 +0530, Vivekanandan Nataraj wrote:
>> >         >         > Hi Guys,
>> >         >         >
>> >         >         > I have configured SAMBA with Windows 2003 AD. But "#wbinfo -u" and
>> >         >         > "#wbinfo -g" do not list the users.
>> >         >         >
>> >         >         > 1. Domain joined successfully.
>> >         >         >
>> >         >         > # net rpc testjoin -U Administrator
>> >         >         > Join to 'DOMAIN' is OK
>> >         >         >
>> >         >         > 2. wbinfo -a works (user authentication)
>> >         >         >
>> >         >         > # wbinfo -a 'DOMAIN\user'
>> >         >         > Enter DOMAIN\user's password:
>> >         >         > plaintext password authentication succeeded
>> >         >         > Enter DOMAIN\user's password:
>> >         >         > challenge/response password authentication succeeded
>> >         >         >
>> >         >         > 3. wbinfo -u and wbinfo -g list nothing
>> >         >         >
>> >         >         > # wbinfo -u
>> >         >         > # wbinfo -g
>> >         >         >
>> >         >         > # wbinfo -r 'DOMAIN\user'
>> >         >         > Could not get groups for user DOMAIN\user
>> >         >         >
>> >         >         > SAMBA config:
>> >         >         >
>> >         >         > [global]
>> >         >         >         workgroup = DOMAIN
>> >         >         >         realm = DOMAIN.BIZ
>> >         >         >         security = ADS
>> >         >         >         password server = EIS
>> >         >         >         printcap name = cups
>> >         >         >         idmap uid = 1000-20000000
>> >         >         >         idmap gid = 1000-20000000
>> >         >         >         winbind enum users = Yes
>> >         >         >         winbind enum groups = Yes
>> >         >         >         winbind use default domain = Yes
>> >         >         >         winbind nss info = rfc2307
>> >         >         >         cups options = raw
>> >         >         >
>> >         >         > Versions:
>> >         >         >
>> >         >         > # smbd -V
>> >         >         > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
>> >         >         >
>> >         >         > # winbindd -V
>> >         >         > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
>> >         >         >
>> >         >         > Share your ideas...
>> >         >         >
>> >         >         > Regards,
>> >         >         > Vivek
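
The configuration points raised in the thread (winbind in nsswitch.conf, a `winbind separator` line, a fully qualified `password server`, and the clock check against the domain controller) can be tested mechanically. The script below is an added example, not part of the thread or of Samba; its sample files are constructed from the configs and `net ads info` output quoted above, and it assumes "Server time offset" is in seconds and that the Kerberos skew limit is the usual 300-second default.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Sample files are constructed from the
# configs and command output quoted in the messages above.

# Print the value of a "key = value" parameter from an smb.conf file.
smb_param() {  # usage: smb_param FILE "parameter name"
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == tolower(key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# Succeed if "password server" contains a dot (FQDN or IP, not a bare name).
password_server_is_fqdn() {  # usage: password_server_is_fqdn FILE
    case "$(smb_param "$1" "password server")" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeed if the given nsswitch database (passwd, group) lists winbind.
nss_has_winbind() {  # usage: nss_has_winbind FILE DATABASE
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }
    ' "$1"
}

# Succeed if "Server time offset" from `net ads info` is within MAX seconds
# (assumption: the value is in seconds; 300 is the usual Kerberos default).
offset_within_skew() {  # usage: offset_within_skew FILE [MAX]
    off=$(awk -F': *' '/^Server time offset/ { print $2; exit }' "$1")
    [ -n "$off" ] && [ "${off#-}" -le "${2:-300}" ]
}

demo=$(mktemp -d)
printf '[global]\n  realm = DOMAIN.BIZ\n  password server = EIS\n' > "$demo/smb.first"
printf '[global]\n  realm = SQUID.BIZ\n  password server = EIS.SQUID.BIZ\n  winbind separator = +\n' > "$demo/smb.second"
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: files\n' > "$demo/nsswitch"
printf 'Realm: SQUID.BIZ\nServer time offset: 43\n' > "$demo/adsinfo"

for f in "$demo/smb.first" "$demo/smb.second"; do
    if password_server_is_fqdn "$f"; then fq=yes; else fq=no; fi
    echo "${f##*/}: separator='$(smb_param "$f" "winbind separator")' fqdn=$fq"
done
for db in passwd group shadow; do
    if nss_has_winbind "$demo/nsswitch" "$db"; then echo "$db: winbind"; else echo "$db: no winbind"; fi
done
if offset_within_skew "$demo/adsinfo"; then echo "clock offset ok"; else echo "clock offset too large"; fi
```

On a live host, point the functions at `/etc/samba/smb.conf`, `/etc/nsswitch.conf` and a saved copy of the `net ads info` output instead of the constructed files.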