On Sat, 2003-02-01 at 11:57, Rick Segeberg wrote:
> Andrew,
>
> Thanks for your response. This reply is actually not a request for
> additional help. After much searching through the lists and Google
> along with a lot of experimentation, I think I've got it (mostly) figured
> out. This post is just an effort to help others who might be struggling
> with the same issues as I was. I'm sure it's far from perfect and if
> anyone has suggestions on improving something, I'd like to hear them.
>
> Server Information:
> Redhat 8.0 w/ kernel 2.4.28-18.8.0
> Samba 3.0 alpha 21
>
> Just to be sure, I've started at the beginning and double checked
> everything to make sure it matches the documentation I have. Also, I
> apologize for the wordiness, but hopefully this will help someone else.
> Here's what I've done so far:
>
> I successfully joined the domain (actually this shows me re-joining):
>
> # /usr/local/samba/bin/net ads join
> [2003/01/30 15:30:04, 0] libads/ldap.c:ads_join_realm(1325)
>   Host account for lintest already exists - deleting old account
> Joined 'LINTEST' to realm 'MYDOMAIN.ORG'
>
> Then to make sure I could actually authenticate up to the w2k ads
> server:
>
> # ../bin/smbclient //postoffice/c\$ -k
> added interface ip=10.1.46.5 bcast=10.1.47.255 nmask=255.255.240.0
> Doing spnego session setup (blob length=113)
> Doing kerberos session setup
> OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
> smb: \>
>
> At the prompt, I was able to traverse all directories, etc.
>
> In following the winbind documentation, I tried joining the domain again
> after configuring my smb.conf file (figuring this wouldn't work since
> it's quite a bit different than the 1st join command):
>
> # bin/net rpc join -s PDC -U john.doe

I've just committed clarifications to the documentation, as this only
applies to NT4 domains. The new documentation refers to 'net join', which
detects which based on your 'security=' setting.

> Figuring I've already joined the domain, I proceeded in following the
> documentation. I started up winbindd (which shows as running after
> issuing "ps ax"), then tried:
>
> [root@lintest samba]# bin/wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
>
> Logs show:
>
> [2003/01/31 08:34:05, 1] rpc_client/cli_netlogon.c:cli_nt_setup_creds(300)
>   cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [2003/01/31 08:34:05, 0] nsswitch/winbindd_cm.c:cm_get_netlogon_cli(936)
>   error connecting to domain password server: NT_STATUS_ACCESS_DENIED
>
> Windows event viewer shows this:
>
> The session setup from the computer LINTEST failed to authenticate. The
> name of the account referenced in the security database is LINTEST$.
> The following error occurred:
> Access is denied.
>
> I finally found a fix for this. My nsswitch.conf file had the shadow
> line incorrect. It was:

That was not the fix for that issue. The only thing that can cause that
error is an incorrect join.

> ==============================
> ## nsswitch.conf
> ## created by Rick
>
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> ==============================
>
> It is now:
> ==============================
> ## nsswitch.conf
> ## created by Rick
>
> passwd: files winbind
> shadow: files
> group: files winbind
> ==============================
>
> Amazing how such a small oversight can affect things.

That's because it was something else.

> Now this works:
>
> [root@lintest samba]# bin/wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> Since this fix, my log now shows:
>
> [2003/01/31 09:23:52, 1] nsswitch/winbindd_util.c:add_trusted_domain(140)
>   Added domain MYDMN
> [2003/01/31 09:24:02, 1] nsswitch/winbindd_util.c:init_domain_list(220)
>   Retrying startup domain sid fetch for MYDMN
>
> As you can see, this continues about every 10 seconds.
>
> I changed my smb.conf file back (I had been experimenting with the
> difference in the security = domain vs. = ADS and password = * vs. =
> <server name>). I am now able to connect to the samba server from the
> domain logged in w2k workstation (without asking for a password).
> Yahoo!!!
>
> BUT - then it occurred to me that the user I'm using is in the
> /etc/passwd file (but not in the smbpasswd file). I commented this user
> out (using #). After this, the user could not connect to the samba
> server. In the documentation, it appears that I need to use "getent
> passwd" and "getent group" to pull down the user list and groups from
> the server. This doesn't seem to work. Here's what I get:
>
> #getent passwd
>
> This seemed to only list the current contents of my /etc/passwd file.
> It's my understanding that it should list this and then follow it with
> the domain users with their new uids, gids, home directories and default
> shells. All I got was the /etc/passwd file.
>
> Log shows:
> [2003/01/31 11:22:35, 0] nsswitch/winbindd.c:process_loop(620)
>   process_loop: Invalid request size from pid 10640: 1304 bytes sent, should be 1564
> [2003/01/31 11:22:35, 0] nsswitch/winbindd.c:process_loop(620)
>   process_loop: Invalid request size from pid 10640: 1304 bytes sent, should be 1564
>
> As I would expect, "getent group" works the same.
>
> I found a posting from 2002-05-06 with a similar error in which you
> thought the winbindd libraries did not match. I'm using the version
> that came with the alpha21 package (I thought).
> Then I found a posting that showed the libnss_winbind.so libraries are
> not created by make (although it didn't say how to do that). Found a
> posting via Google
> (http://samba.cadcamlab.org/lists/samba-technical/Apr2002/00059.html)
> which also indicated that the libnsswitch_winbind.so library is not
> created by make. Followed his instructions "make
> nsswitch/libnss_winbind.so" from the source directory, then copied it to
> /lib and another problem resolved. No more "Invalid request size...."
> errors.

I'll see about adding some more paranoia/admin sanity checks.

> #getent passwd (now works)
> #getent group (now works)
>
> Now my workstation will successfully login to samba server without
> asking for a password and without a user/passwd in /etc/passwd or
> smbpasswd. However, no other machine can seem to log in (even when
> using the same account). No errors or logs on the samba box or the dc.
> This seemed odd, so I relogged into my w2k workstation, and now it will
> not log in either. Interesting.
>
> Then I noticed this in the logs:
>
> [2003/01/31 13:10:12, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(127)
>   user 'IP-RSEGEBE50172$' does not exist
>
> However, I have found that this does not seem to matter. What mattered
> were the directory permissions (right now I only have [homes] shared
> out). By using getent group, I was able to find the group number of a
> group that my user belonged to. All I have to do is chown and chmod the
> directory to which I want that share available to and it works.
>
> Here's an example:
>
> In my ADS, I have a group called IT. Using "getent group|grep IT" I find
> my group number is 12345. I create a directory on my samba box called
> "it_dudes", then issue the following commands as root:
>
> #chown 12345 it_dudes
> #chmod 770 it_dudes
>
> If you do an ls -l, you'll see a pretty cool listing, like this:
>
> drwxrwx---    2 root     DOMAIN+IT     4096 Dec 16 10:39 it_dudes
>
> Now everyone in the "it_dudes" group has full permission to whatever is
> there.
>
> Of course, the above directory has to be shared out appropriately in
> smb.conf. My configs (below) only show basic configurations, but you
> really should add to it such entries as the umask, default permissions
> (of the share that is), etc.
>
> Notes:
> 1) My Windows 2000 ADS domain name is MYDOMAIN.ORG, however my NT domain
> name is MYDMN. Anything that shows ADS listings (such as getent group)
> always shows the NT domain name.
> 2) I did all of my work via telnet windows (actually ssh). It was
> helpful to have one of the windows open with "tail -f log.winbindd
> |more" running as I could see cause and effect related problems and
> successes. Also, my ssh session has a nice big buffer so I can scroll
> back and see things I might have missed.
> 3) Somewhere in all of this, I added root to the smbpasswd file. I know
> it helped, but now I don't remember what it was.
> 4) There is a smb startup/stop/restart script at the end of this also.
> Very helpful with all the restarts I had to do when making changes.
> 5) If I think of or discover anything else, I will post it.

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
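As an added example (not code from this thread, from Rick's post or from the Samba project), the recipe above for locating a domain group's GID with getent and then making a share directory group-owned, plus the nsswitch.conf check, written as POSIX shell functions. It assumes winbind lists groups as DOMAIN+GROUP the way the post shows; the getent output and nsswitch.conf contents embedded below are constructed samples (the GID 12345 is reused from the post), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: winbind group lookup, nsswitch.conf
# sanity check, and a group-owned share directory with least privilege.

# Constructed sample of "getent group" output as winbind presents it
# (NT domain name, "+" separator). 12345 is the GID from the post.
SAMPLE_GETENT_GROUP='root:x:0:
users:x:100:
DOMAIN+Domain Users:x:10000:
DOMAIN+IT:x:12345:john.doe,jane.roe'

# Constructed nsswitch.conf matching the corrected version in the post.
SAMPLE_NSSWITCH='## nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind'

# gid_for_group NAME [GETENT_OUTPUT]
# Prints the numeric GID whose first field is exactly NAME. Reads the live
# "getent group" output when no second argument is given. Exit 1 if absent.
# An exact match avoids the "grep IT" pitfall of also matching other groups.
gid_for_group() {
    name=$1
    if [ $# -ge 2 ]; then data=$2; else data=$(getent group); fi
    printf '%s\n' "$data" |
        awk -F: -v n="$name" '$1 == n { print $3; found = 1; exit }
                              END { exit !found }'
}

# nsswitch_winbind_ok [FILE_CONTENT]
# Verifies that passwd and group consult winbind and that shadow is left to
# files, as in the post's corrected nsswitch.conf. Prints ok/bad and returns
# 0 only when the layout matches.
nsswitch_winbind_ok() {
    conf=${1:-$(cat /etc/nsswitch.conf)}
    ok=0
    for db in passwd group; do
        if ! printf '%s\n' "$conf" |
             grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|\$)"; then
            ok=1
        fi
    done
    if printf '%s\n' "$conf" | grep -Eq '^shadow:.*winbind'; then
        ok=1
    fi
    if [ "$ok" -eq 0 ]; then echo ok; else echo bad; fi
    return "$ok"
}

# make_group_dir DIR GID
# Creates DIR owned by root and group GID with mode 2770: group members get
# full access, everyone else none. The setgid bit (my addition over the
# post's 770) makes files created inside inherit the group. Requires root.
make_group_dir() {
    dir=$1
    gid=$2
    mkdir -p "$dir" && chown "0:$gid" "$dir" && chmod 2770 "$dir"
}

# Stand-alone demonstration on the constructed data (no root needed).
gid=$(gid_for_group DOMAIN+IT "$SAMPLE_GETENT_GROUP") &&
    echo "DOMAIN+IT -> gid $gid"
nsswitch_winbind_ok "$SAMPLE_NSSWITCH"
# On a joined host: make_group_dir /srv/it_dudes "$(gid_for_group DOMAIN+IT)"
```

Note that a bare number after chown sets the owning user, not the group; the group goes after the colon (chown 0:12345), which is what produces the root/DOMAIN+IT listing the post shows.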
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba