RE: [Samba] Unable to join Samba
On 5/15/08 Augustin wrote: When I execute net ads join -U Administrator I get the following error /libexec/ld-elf.so.1: /usr/lib/libkrb5.so.8: Undefined symbol init_error_table It sounds like you're missing some libraries. Did you compile krb5 yourself or is it an rpm? If you compiled it yourself, you'll need to modify the configure or makefile scripts to point to the correct libraries. Also make sure you have the necessary devel libraries before you compile. As another check, run ldd on winbind and make sure you have all the library files listed. Matt -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Samba 3.0.28 failing to authenticate on Win2003 ServerActive Directory
http://www.howtoforge.com/samba-domaincontroller-swat-fedora8-p3 I believe these directions are for setting up Samba as an NT4 style PDC. From your description it sounds like you want the samba server to be a domain member server in a Win2003 AD and use winbind to authenticate users. If that's the case and you followed the directions on that website, then your samba config is definitely not going to work for you. I suggest reading chapters 3 and 6 here if you haven't already: http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ Here's some good troubleshooting tips: http://us3.samba.org/samba/docs/using_samba/ch12.html#samba2-CHP-12-SECT -2.5.3 Matt -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Langdon Stevenson Sent: Sunday, May 11, 2008 11:36 PM To: samba@lists.samba.org Subject: [Samba] Samba 3.0.28 failing to authenticate on Win2003 ServerActive Directory I have set up a Fedora 8 server running Samba 3.0.28a-0.fc8 (the Fedora yum package version). I have successfully joined the server to the AD realm of a Win2003 server on the office network. Configuration was done following this guide: http://www.howtoforge.com/samba-domaincontroller-swat-fedora8-p3 However Authentication against the AD server does not work. When I test winbind with: # wbinfo -u I get: Error looking up domain users I have also found the following output in /var/log/messages/ It is generated each time Samba is started (note: date and time have been removed for clarity) srv winbindd[6850]: [2008/05/06 11:18:14, 0] param/loadparm.c:service_ok(3031) srv winbindd[6850]: WARNING: No path in service public - making it unavailable! srv winbindd[6851]: [2008/05/06 11:18:14, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache() srv winbindd[6851]: initialize_winbindd_cache: clearing cache and re-creating with version number 1 srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(41) srv winbindd[6853]: === srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(42) srv winbindd[6853]: INTERNAL ERROR: Signal 11 in pid 6853 (3.0.28a-0.fc8) srv winbindd[6853]: Please read the Trouble-Shooting section of the Samba3-HOWTO srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(44) srv winbindd[6853]: srv winbindd[6853]: From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(45) srv winbindd[6853]: === srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/util.c:smb_panic(1655) srv winbindd[6853]: PANIC (pid 6853): internal error srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/util.c:log_stack_trace(1759) srv winbindd[6853]: BACKTRACE: 19 stack frames: srv winbindd[6853]:#0 winbindd(log_stack_trace+0x2d) [0xb7d5de9d] srv winbindd[6853]:#1 winbindd(smb_panic+0x5d) [0xb7d5dfcd] srv winbindd[6853]:#2 winbindd [0xb7d48a4a] srv winbindd[6853]:#3 [0x12d420] srv winbindd[6853]:#4 winbindd(pwd_get_cleartext+0x18) [0xb7d9b638] srv winbindd[6853]:#5 winbindd(cm_connect_sam+0x156) [0xb7ce89f6] srv winbindd[6853]:#6 winbindd [0xb7cea8f9] srv winbindd[6853]:#7 winbindd [0xb7ced6e7] srv winbindd[6853]:#8 winbindd [0xb7cd2649] srv winbindd[6853]:#9 winbindd [0xb7cd2d29] srv winbindd[6853]:#10 winbindd [0xb7cd31a8] srv winbindd[6853]:#11 winbindd(winbindd_dual_list_trusted_domains+0x78) [0xb7ce3008] srv winbindd[6853]:#12 winbindd [0xb7cf3622] srv winbindd[6853]:#13 winbindd(init_child_connection+0x19a) [0xb7ccfdaa] srv winbindd[6853]:#14 winbindd(async_domain_request+0xb6) [0xb7cf4f86] srv winbindd[6853]:#15 winbindd(rescan_trusted_domains+0x110) [0xb7cd03f0] srv winbindd[6853]:#16 winbindd(main+0x75d) [0xb7cc5e0d] srv winbindd[6853]:#17 /lib/libc.so.6(__libc_start_main+0xe0) [0x2e3390] srv winbindd[6853]:#18 winbindd [0xb7cc42a1] srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:dump_core(181) srv winbindd[6853]: dumping core in /var/log/samba/cores/winbindd srv winbindd[6853]: The Samba config file /etc/samba/smb.conf [global] log file = /var/log/samba/log.%m workgroup = SLA realm = SLA.COM.AU preferred master = no server string = Merit1 security = ADS encrypt passwords = yes log level = 3 max log size = 50 printcap name = cups printing = cups winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 600-2 idmap gid = 600-2 template shell = /bin/bash template homedir = /home/domain/%D/%U [homes] comment = Home Direcotries valid users = %S read only = No browseable = No [netlogon] comment = Network Logon Service path =
[Samba] winbind, mod_auth_pam, and plaintext passwords
We have a working samba file server using winbind to authenticate with a Win2003 server in native mode. [2008/05/10 18:22:54, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(1651) set_dc_type_and_flags: domain STARTREK is in native mode. [2008/05/10 18:22:54, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(1654) set_dc_type_and_flags: domain STARTREK is running active directory. I now want to allow the apache web server (running on the same machine as samba) to utilize winbind to authenticate users with domain credentials. I have installed and configured apache with mod_auth_pam. When I access a protected website I get a login box but it doesn't allow me to login with my domain user/pass. The apache log gives the following error: [Sat May 10 22:47:20 2008] [error] [client 192.168.1.48] PAM: user 'matt.humrick' - not authenticated: User not known to the underlying authentication module This along with an strace of apache shows that winbind is being used via mod_auth_pam for authentication with no obvious errors. Tcpdump also shows packets being exchanged between winbind and the AD Windows server. The following error appears in the winbind log: [2008/05/10 22:39:09, 6] nsswitch/winbindd.c:new_connection(628) accepted socket 19 [2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn INTERFACE_VERSION [2008/05/10 22:39:09, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491) [31171]: request interface version [2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn WINBINDD_PRIV_PIPE_DIR [2008/05/10 22:39:09, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524) [31171]: request location of privileged pipe [2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn PAM_AUTH [2008/05/10 22:39:09, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751) [31171]: pam auth matt.humrick [2008/05/10 22:39:09, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(764) Plain text authentication for matt.humrick returned NT_STATUS_NO_SUCH_USER (PAM: 10) I get a similar plaintext authentication error with wbinfo -a: wbinfo -a matt.humrick%x plaintext password authentication failed error code was NT_STATUS_ACCESS_DENIED (0xc022) error messsage was: Access denied Could not authenticate user matt.humrick%x with plaintext password challenge/response password authentication succeeded So, challenge/response authentication succeeded but plaintext authentication fails. This appears to be a configuration issue to me. Obviously apache gives a plaintext user/pass to winbind vs. the challenge/response method used by an WinXP client (which is working fine). What do I need to do to allow apache to authenticate with winbind? I've read through the smb.conf man page and looked at several settings relating to plaintext passwords. However, I'm a bit confused as to when these settings should be used and whether they will break the existing functionality between the WinXP clients, winbind, and Win2003 AD server. Thanks, Matt -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] samba shares and active directory
I've had this happen occasionally. Give these smb.conf settings a try: netbios name = xxx password server = xxx client signing = yes server signing = yes use spnego = yes client use spnego = no Whenever I encountered this problem adjusting the signing/spnego options fixed it. Matt -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ekul taylor Sent: Friday, May 09, 2008 3:49 PM To: samba@lists.samba.org Subject: [Samba] samba shares and active directory I'm hoping someone can point me in the right direction. I know I'm very close but I'm missing one little piece. I have added a samba machine to my domain using net ads and winbind and it's working lovely. I can log into the linux server with my active directory credentials but I am unable to access shares on the samba server from windows using active directory credentials. When I try to connect to the samba server from windows I can see the share listed but choosing it gives me a password box even though I am logged into windows as a user who is a member of the squid group smb.conf: [global] workgroup = GLCC realm = GLCC.ON.CA preferred master = no server string = Linux Test Machine security = ADS encrypt passwords = yes log level = 3 log file = /var/log/samba/%m max log size = 50 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 1-2 idmap gid = 1-2 template shell = /bin/bash [squidlog] comment = squid logs path = /var/log/squid valid users = @GLCC+squid read only = No browsable = yes wbinfo -u wbinfo -g shows the domain user and group information and getent group shows the squid group with my user as a member any help would be greatly appreciated Luke Taylor -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] winbindd hangs up while retreiving usernames.
This sounds similar to a problem I was having. Have a look at the following thread to see if it fixes your problem: http://lists.samba.org/archive/samba/2008-April/140109.html Matt -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] select() timeout on winbindd_privileged pipe
On 4/24/08 Jerry wrote:
You are tracing the client. But the log only shows the
parent winbindd process. I would check the child
processes because I'll bet you have more traffic that
will illuminate what is going on in those logs.
Thanks for the tip. I took your advice and ran 'strace -ff' on winbind
and found the problem. It was trying to use mDNS to locate the kdc.
However, our domain is unicast and uses the .local extension. I added
the line 'mdns off' to the /etc/host.conf file (apparently it defaults
to on) and it eliminated the 30 second timeout pause :)
Here's the line in the strace output that tipped me off:
17:24:34 sendto(20,
\241q\1\0\0\1\0\0\0\0\0\0\20_kerberos-master\4_u..., 54, 0,
{sa_family=AF_INET, sin_port=htons(5353),
sin_addr=inet_addr(224.0.0.251)}, 28) = 54
17:24:34 poll([{fd=20, events=POLLIN}], 1, 5000) = 0
This poll() call is what was actually timing out. The timeout was 5s and
it did this multiple times. Now that mDNS is turned off it makes this
request directly to the kdc rather than trying to search for it.
WoooHooo!
Thanks,
Matt
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] select() timeout on winbindd_privileged pipe
I have an issue where winbind will occasionally pause for 30 seconds.
# strace -T -t ls -l /share
16:52:20 read(4, /var/lib/samba/winbindd_privileg..., 35) = 35
0.09
16:52:20 lstat(/var/lib/samba/winbindd_privileged,
{st_mode=S_IFDIR|0750, st_size=72, ...}) = 0 0.11
16:52:20 lstat(/var/lib/samba/winbindd_privileged/pipe,
{st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 0.11
16:52:20 socket(PF_FILE, SOCK_STREAM, 0) = 5 0.11
16:52:20 fcntl(5, F_GETFL) = 0x2 (flags O_RDWR) 0.06
16:52:20 fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 0.07
16:52:20 fcntl(5, F_GETFD) = 0 0.06
16:52:20 fcntl(5, F_SETFD, FD_CLOEXEC) = 0 0.06
16:52:20 connect(5, {sa_family=AF_FILE,
path=/var/lib/samba/winbindd_privileged/pipe}, 110) = 0 0.18
16:52:20 close(4) = 0 0.11
16:52:20 select(6, [5], NULL, NULL, {0, 0}) = 0 (Timeout) 0.07
16:52:20 write(5,
(\10\0\0\4\0\0\0d\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 2088) =
2088 0.11
16:52:20 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.997279
16:52:25 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999895
16:52:30 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999885
16:52:35 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.14
16:52:40 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999891
16:52:45 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.16
16:52:50 select(6, [5], NULL, NULL, {5, 0}) = 1 (in [5], left {4,
968000}) 0.033682
16:52:50 read(5, \354\f\0\0\2\0\0\0STARTREK-phx_api_release..., 3240)
= 3240 0.14
Notice the chain of select() calls between 16:52:20 and 16:52:50 that
all timeout after 5 seconds for a total of 30 seconds!
The winbind log has the following error when this occurs:
[2008/04/18 16:52:20, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
found)
[2008/04/18 16:52:50, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610)
ads_krb5_mk_req: Advancing clock by 13 seconds to cope with clock skew
[2008/04/18 16:52:50, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
expiration Fri, 18 Apr 2008 17:13:03 MST
The ads_krb5_mk_req function has a while loop that loops 3 times 'while
(!creds_ready (i maxtries))' (i=0, maxtries=3). This corresponds
with 3 requests to the kdc for info during the period of the pause:
16:52:20.839894 IP 192.168.1.210.32891 192.168.1.207.88: v5
16:52:20.840419 IP 192.168.1.207.88 192.168.1.210.32891:
16:52:30.837599 IP 192.168.1.210.32891 192.168.1.207.88: v5
16:52:30.838482 IP 192.168.1.207.88 192.168.1.210.32891: v5
16:52:40.837652 IP 192.168.1.210.32891 192.168.1.207.88:
16:52:40.838606 IP 192.168.1.207.88 192.168.1.210.32891:
I don't understand why the select call appears to continue to block even
though the Samba machine (192.168.1.210) gets a response from the
Windows server (maybe I'm just interpreting the data wrong??).
I used 'net ads -U username keytab create to generate my keytab file (it
looks good as far as I can tell). 'net cache list' also reveals several
entries. Klist also shows a default principal entry. I'm not sure why it
can't find a credentials cache.
I've upgraded my krb5 from 1.4.3 to 1.6.2 without effect. Here's version
info:
Samba 3.0.28 (3.0.25a and 3.0.25c also had this problem)
Linux 2.6.16 (x64)
At this point I have no idea how to fix this problem. I've read more
samba how-to's than I thought possible and checked the relevant config
files. Everything is working ok except for this pause. I've upgraded the
relevant software but the problem persists.
Matt
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Annoying Winbind Pause While Looking Up Permissions
Our linux SLES10 fileserver is running Samba (3.0.28) and is a domain
member in a Win2003 AD. Everything has been working fine for several
months with the exception of an annoying pause that occurs while
browsing shares. The pause will last 30 seconds and occurs roughly once
every 5-10 minutes. The pause is universal, meaning, that all Windows
clients trying to browse or access files will see this pause, as well
as, any Linux processes (like doing 'ls -l'). Basically, any command
that requires winbind to determine access privileges pauses. This only
occurs for objects that have AD users or groups.
Here's the system info:
Samba 3.0.28 (3.0.25a and 3.0.25c also had this problem)
Krb5 1.4.3
Linux 2.6.16 (x64)
All of the usual tests work:
wbinfo -t
wbinfo -u
wbinfo -g
net ads join
kinit
etc...
I finally had time to investigate this further. All I did was 'ls -l
/share' where /share contained files with domain permissions. The
command paused for 30 seconds before finally listing the files
correctly. All Windows clients experience this same pause at the same
time also. Here's the data I collected:
# tcpdump -n -r tcpdump
reading from file tcpdump, link-type EN10MB (Ethernet)
16:52:20.838780 IP 192.168.1.210.44072 192.168.1.207.389: P
117:143(26) ack 214 win 1460 nop,nop,timestamp 1551335289 70870460
16:52:20.838951 IP 192.168.1.207.389 192.168.1.210.44072: P
214:333(119) ack 143 win 65393 nop,nop,timestamp 70870460 1551335289
16:52:20.839894 IP 192.168.1.210.32891 192.168.1.207.88: v5
16:52:20.840419 IP 192.168.1.207.88 192.168.1.210.32891:
16:52:20.873183 IP 192.168.1.210.58864 192.168.1.207.445: . ack 1771
win 2800 nop,nop,timestamp 1551335298 70870460
16:52:20.877180 IP 192.168.1.210.44072 192.168.1.207.389: . ack 333
win 1460 nop,nop,timestamp 1551335299 70870460
16:52:30.837599 IP 192.168.1.210.32891 192.168.1.207.88: v5
16:52:30.838482 IP 192.168.1.207.88 192.168.1.210.32891: v5
16:52:40.837652 IP 192.168.1.210.32891 192.168.1.207.88:
16:52:40.838606 IP 192.168.1.207.88 192.168.1.210.32891:
16:52:50.837439 IP 192.168.1.210.44072 192.168.1.207.389: P
143:1410(1267) ack 333 win 1460 nop,nop,timestamp 1551342789 70870460
16:52:50.838112 IP 192.168.1.207.389 192.168.1.210.44072: P
333:383(50) ack 1410 win 64126 nop,nop,timestamp 70870761 1551342789
192.168.1.210 is the Linux server running Samba and 192.168.1.207 is the
Windows domain controller. You'll notice that everything is humming
along smoothly through time 16:52:20. Between 16:52:20 and 16:52:50 is
the 30 second delay. My understanding is that port 88 is related to
Kerberos. Running tcpdump while executing the same command again yields
instant results with identical network traffic minus the port 88
requests.
# strace -T -t ls -l /share
16:52:20 read(4, /var/lib/samba/winbindd_privileg..., 35) = 35
0.09
16:52:20 lstat(/var/lib/samba/winbindd_privileged,
{st_mode=S_IFDIR|0750, st_size=72, ...}) = 0 0.11
16:52:20 lstat(/var/lib/samba/winbindd_privileged/pipe,
{st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 0.11
16:52:20 socket(PF_FILE, SOCK_STREAM, 0) = 5 0.11
16:52:20 fcntl(5, F_GETFL) = 0x2 (flags O_RDWR) 0.06
16:52:20 fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 0.07
16:52:20 fcntl(5, F_GETFD) = 0 0.06
16:52:20 fcntl(5, F_SETFD, FD_CLOEXEC) = 0 0.06
16:52:20 connect(5, {sa_family=AF_FILE,
path=/var/lib/samba/winbindd_privileged/pipe}, 110) = 0 0.18
16:52:20 close(4) = 0 0.11
16:52:20 select(6, [5], NULL, NULL, {0, 0}) = 0 (Timeout) 0.07
16:52:20 write(5,
(\10\0\0\4\0\0\0d\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 2088) =
2088 0.11
16:52:20 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.997279
16:52:25 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999895
16:52:30 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999885
16:52:35 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.14
16:52:40 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999891
16:52:45 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.16
16:52:50 select(6, [5], NULL, NULL, {5, 0}) = 1 (in [5], left {4,
968000}) 0.033682
16:52:50 read(5, \354\f\0\0\2\0\0\0STARTREK-phx_api_release..., 3240)
= 3240 0.14
Notice the chain of select() calls between 16:52:20 and 16:52:50 that
all timeout after 5 seconds for a total of 30 seconds!
Finally, here's the relevant section of the winbind log:
[2008/04/18 16:52:20, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2008/04/18 16:52:20, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 192.168.1.207:389 192.0.2.224:389
[2008/04/18 16:52:20, 5] libads/ldap.c:ads_try_connect(180)
ads_try_connect: sending CLDAP request to 192.168.1.207 (realm:
STARTREK.LOCAL)
[2008/04/18 16:52:20, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 192.168.1.207
[2008/04/18 16:52:20, 4] libads/ldap.c:ads_current_time(2414)
time offset is 23 seconds
[2008/04/18
