[Samba] Finally winbind on RH9 working, but why ?

Mon, 04 Aug 2003 07:41:15 -0700 

Hi,

maybe (probably ??) it's me, but it took me more than a week to
get winbindd working on Redhat 9. It works now after changing a 
parameter in smb.conf, but I have NO idea why. Maybe some of you
already had the same problem. If so, PLEASE clearify ! Thanks...
PS as you will see later, getent group also does not work. This is
an independent problem I think... can it have something to do with
spaces in group names ??? 


Here are the config files of the two machines. Both are linux boxes, so
no win machine is involved.


server (PDC):
-------------

Redhat 9 
samba 2.2.8a compiled with 
--with-winbind --with-winbind-auth-challenge

hw : lx50


[EMAIL PROTECTED] source]# more /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=server.one.sunedu


[EMAIL PROTECTED] source]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
172.17.11.5             client.one.sunedu CLIENT client
172.17.11.4             server.one.sunedu SERVER server

(I still have a problem with the name service, that's why)


[EMAIL PROTECTED] lib]# more smb.conf
[global]
   workgroup = MYGROUP
   netbios name = SERVER
   add user script = /usr/sbin/useradd -d /dev/null -s /bin/false -g
machines -M %u
   server string = Samba Server
   printcap name = /etc/printcap
   load printers = yes
   log file = /var/log/samba/log.%m
   max log size = 50
   security = user
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd
  unix password sync = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = yes
   os level = 33
   domain master = yes 
   preferred master = yes
   domain logons = yes
   logon path = \\%L\Profiles\%U
   wins support = yes
   dns proxy = no 
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
 [netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   writable = no
   share modes = no
[Profiles]
    path = /home/profiles
    browseable = no
    guest ok = yes
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

client (domain member) :

Redhat 9 
samba 2.2.8a compiled with 
--with-winbind --with-winbind-auth-challenge


[EMAIL PROTECTED] root]# more /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=client.one.sunedu


[EMAIL PROTECTED] root]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
172.17.11.5             client.one.sunedu client CLIENT
172.17.11.4             server.one.sunedu SERVER server


[EMAIL PROTECTED] lib]# more smb.conf
[global]
server string = SambaBSD-2.2.8 
netbios name = CLIENT
workgroup = MYGROUP
security = domain 
password server = *
encrypt passwords = yes 
wins server = 172.17.11.4
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind separator = .
winbind use default domain = yes
winbind cache time = 0
password level = 8
username level = 8
[tmp]
path = /tmp
browseable = yes
writable = yes
public = no
create mode = 0664
directory mode = 0775


as you can see pretty normal settings. The reason I recompiled samba
is that apparently Redhat forgot to compile with
--with-winbind-auth-challenge which I think is necessary for windbind to
work (correct me ?)


The parameter that made it all work is :

winbind cache time = 0

if I reset this to the default on the client, which is 15, I get the
following results :



[EMAIL PROTECTED] root]# getent passwd
root:x:0:0:root:/root:/bin/bash
... 
client$:x:502:501::/dev/null:/bin/false
root:x:10000:10000:root:/home/MYGROUP/root:/bin/false
jo:x:10001:10000::/home/MYGROUP/jo:/bin/false


[EMAIL PROTECTED] root]# getent group

DOES NOT SHOW THE "win" GROUPS... ANY IDEA WHY? Where are
the groups stored on the samba pdc????


[EMAIL PROTECTED] root]# wbinfo -u
root
jo
[EMAIL PROTECTED] root]# wbinfo -g
Domain Admins
Domain Users
[EMAIL PROTECTED] root]# 
[EMAIL PROTECTED] root]# wbinfo -t
Secret is good
[EMAIL PROTECTED] root]# 
[EMAIL PROTECTED] root]# wbinfo -a jo%welcome
plaintext password authentication succeeded
challenge/response password authentication succeeded 
//thanks to recompiling !!!!!!!!!!

[EMAIL PROTECTED] root]# 

So everything seems ok, but if I try to connect to a local share on the
client in the hope that winbind will provide the user accout jo, it fails 
like this :

[EMAIL PROTECTED] root]# smbclient //CLIENT/tmp -U jo%welcome
added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
tree connect failed: NT_STATUS_UNSUCCESSFUL <-----------------------
[EMAIL PROTECTED] root]# smbclient //CLIENT/tmp -U jo%welcome
added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
tree connect failed: NT_STATUS_WRONG_PASSWORD <--------------------
[EMAIL PROTECTED] root]#

The weird thing is the different error message the second time, which is
reset to the first one after - you guessed it - 15 seconds... that's how
I figured out it maybe had something to do with teh cache time (ok I was
just lucky to try it).

As soon as I change it back to winbind cache time = 0 is works fine :

[EMAIL PROTECTED] root]# smbclient //CLIENT/tmp -U jo%welcome
added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
smb: \> ls
  .                                   D        0  Mon Aug  4 04:02:07 2003
  ..                                  D        0  Fri Aug  1 13:35:41 2003
  jd_sockV4                           A        0  Fri Aug  1 13:36:20 2003
  orbit-root                          D        0  Fri Aug  1 16:07:15 2003
  .font-unix                         DH        0  Fri Aug  1 13:36:21 2003
  .fam_socket                        AH        0  Fri Aug  1 13:44:14 2003
  .gdm_socket                         H        0  Fri Aug  1 13:36:22 2003
  .iroha_unix                        DH        0  Fri Aug  1 13:36:16 2003
  .X11-unix                          DH        0  Fri Aug  1 13:36:22 2003
  .X0-lock                           HR       11  Fri Aug  1 13:36:22 2003
  .ICE-unix                          DH        0  Fri Aug  1 13:44:14 2003
  ssh-XX9OiucF                        D        0  Fri Aug  1 13:44:13 2003
  .winbindd                          DH        0  Mon Aug  4 13:10:59 2003
  test                                D        0  Fri Aug  1 06:01:54 2003
  test2                               D        0  Fri Aug  1 06:07:06 2003
  yahoo                               D        0  Fri Aug  1 16:10:13 2003
  joke                                D        0  Fri Aug  1 16:18:18 2003

                62228 blocks of size 8192. 32583 blocks available
smb: \> 


Is this a feature or a bug ??? The man page of winbindd does not make it
anyclearer for me....hope this can help anybody.


Thanks for any replies.
Jo
Sun Microsystems

NEOlabs - http://www.neolabs.be - mailto:[EMAIL PROTECTED]
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Reply via email to