RE: [Samba] Unable to join Samba
On 5/15/08 Augustin wrote:
> When I execute net ads join -U Administrator I get the following error
> /libexec/ld-elf.so.1: /usr/lib/libkrb5.so.8: Undefined symbol init_error_table

It sounds like you're missing some libraries. Did you compile krb5 yourself or is it an rpm? If you compiled it yourself, you'll need to modify the configure or makefile scripts to point to the correct libraries. Also make sure you have the necessary devel libraries before you compile. As another check, run ldd on winbind and make sure you have all the library files listed.

Matt

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Samba 3.0.28 failing to authenticate on Win2003 ServerActive Directory
http://www.howtoforge.com/samba-domaincontroller-swat-fedora8-p3

I believe these directions are for setting up Samba as an NT4 style PDC. From your description it sounds like you want the samba server to be a domain member server in a Win2003 AD and use winbind to authenticate users. If that's the case and you followed the directions on that website, then your samba config is definitely not going to work for you.

I suggest reading chapters 3 and 6 here if you haven't already:
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Here are some good troubleshooting tips:
http://us3.samba.org/samba/docs/using_samba/ch12.html#samba2-CHP-12-SECT-2.5.3

Matt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Langdon Stevenson
Sent: Sunday, May 11, 2008 11:36 PM
To: samba@lists.samba.org
Subject: [Samba] Samba 3.0.28 failing to authenticate on Win2003 ServerActive Directory

I have set up a Fedora 8 server running Samba 3.0.28a-0.fc8 (the Fedora yum package version). I have successfully joined the server to the AD realm of a Win2003 server on the office network. Configuration was done following this guide:
http://www.howtoforge.com/samba-domaincontroller-swat-fedora8-p3

However, authentication against the AD server does not work. When I test winbind with:

# wbinfo -u

I get:

Error looking up domain users

I have also found the following output in /var/log/messages/. It is generated each time Samba is started (note: date and time have been removed for clarity)

srv winbindd[6850]: [2008/05/06 11:18:14, 0] param/loadparm.c:service_ok(3031)
srv winbindd[6850]: WARNING: No path in service public - making it unavailable!
srv winbindd[6851]: [2008/05/06 11:18:14, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache()
srv winbindd[6851]: initialize_winbindd_cache: clearing cache and re-creating with version number 1
srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(41)
srv winbindd[6853]: ===
srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(42)
srv winbindd[6853]: INTERNAL ERROR: Signal 11 in pid 6853 (3.0.28a-0.fc8)
srv winbindd[6853]: Please read the Trouble-Shooting section of the Samba3-HOWTO
srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(44)
srv winbindd[6853]:
srv winbindd[6853]: From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(45)
srv winbindd[6853]: ===
srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/util.c:smb_panic(1655)
srv winbindd[6853]: PANIC (pid 6853): internal error
srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/util.c:log_stack_trace(1759)
srv winbindd[6853]: BACKTRACE: 19 stack frames:
srv winbindd[6853]:#0 winbindd(log_stack_trace+0x2d) [0xb7d5de9d]
srv winbindd[6853]:#1 winbindd(smb_panic+0x5d) [0xb7d5dfcd]
srv winbindd[6853]:#2 winbindd [0xb7d48a4a]
srv winbindd[6853]:#3 [0x12d420]
srv winbindd[6853]:#4 winbindd(pwd_get_cleartext+0x18) [0xb7d9b638]
srv winbindd[6853]:#5 winbindd(cm_connect_sam+0x156) [0xb7ce89f6]
srv winbindd[6853]:#6 winbindd [0xb7cea8f9]
srv winbindd[6853]:#7 winbindd [0xb7ced6e7]
srv winbindd[6853]:#8 winbindd [0xb7cd2649]
srv winbindd[6853]:#9 winbindd [0xb7cd2d29]
srv winbindd[6853]:#10 winbindd [0xb7cd31a8]
srv winbindd[6853]:#11 winbindd(winbindd_dual_list_trusted_domains+0x78) [0xb7ce3008]
srv winbindd[6853]:#12 winbindd [0xb7cf3622]
srv winbindd[6853]:#13 winbindd(init_child_connection+0x19a) [0xb7ccfdaa]
srv winbindd[6853]:#14 winbindd(async_domain_request+0xb6) [0xb7cf4f86]
srv winbindd[6853]:#15 winbindd(rescan_trusted_domains+0x110) [0xb7cd03f0]
srv winbindd[6853]:#16 winbindd(main+0x75d) [0xb7cc5e0d]
srv winbindd[6853]:#17 /lib/libc.so.6(__libc_start_main+0xe0) [0x2e3390]
srv winbindd[6853]:#18 winbindd [0xb7cc42a1]
srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:dump_core(181)
srv winbindd[6853]: dumping core in /var/log/samba/cores/winbindd
srv winbindd[6853]:

The Samba config file /etc/samba/smb.conf

[global]
log file = /var/log/samba/log.%m
workgroup = SLA
realm = SLA.COM.AU
preferred master = no
server string = Merit1
security = ADS
encrypt passwords = yes
log level = 3
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-2
idmap gid = 600-2
template shell = /bin/bash
template homedir = /home/domain/%D/%U

[homes]
comment = Home Direcotries
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path =

[Samba] winbind, mod_auth_pam, and plaintext passwords
We have a working samba file server using winbind to authenticate with a Win2003 server in native mode.

[2008/05/10 18:22:54, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(1651)
  set_dc_type_and_flags: domain STARTREK is in native mode.
[2008/05/10 18:22:54, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(1654)
  set_dc_type_and_flags: domain STARTREK is running active directory.

I now want to allow the apache web server (running on the same machine as samba) to utilize winbind to authenticate users with domain credentials. I have installed and configured apache with mod_auth_pam. When I access a protected website I get a login box but it doesn't allow me to login with my domain user/pass. The apache log gives the following error:

[Sat May 10 22:47:20 2008] [error] [client 192.168.1.48] PAM: user 'matt.humrick' - not authenticated: User not known to the underlying authentication module

This along with an strace of apache shows that winbind is being used via mod_auth_pam for authentication with no obvious errors. Tcpdump also shows packets being exchanged between winbind and the AD Windows server.

The following error appears in the winbind log:

[2008/05/10 22:39:09, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 19
[2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn INTERFACE_VERSION
[2008/05/10 22:39:09, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [31171]: request interface version
[2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2008/05/10 22:39:09, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [31171]: request location of privileged pipe
[2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn PAM_AUTH
[2008/05/10 22:39:09, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
  [31171]: pam auth matt.humrick
[2008/05/10 22:39:09, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(764)
  Plain text authentication for matt.humrick returned NT_STATUS_NO_SUCH_USER (PAM: 10)

I get a similar plaintext authentication error with wbinfo -a:

wbinfo -a matt.humrick%x
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: Access denied
Could not authenticate user matt.humrick%x with plaintext password
challenge/response password authentication succeeded

So, challenge/response authentication succeeded but plaintext authentication fails. This appears to be a configuration issue to me. Obviously apache gives a plaintext user/pass to winbind vs. the challenge/response method used by a WinXP client (which is working fine).

What do I need to do to allow apache to authenticate with winbind? I've read through the smb.conf man page and looked at several settings relating to plaintext passwords. However, I'm a bit confused as to when these settings should be used and whether they will break the existing functionality between the WinXP clients, winbind, and Win2003 AD server.

Thanks,
Matt

RE: [Samba] samba shares and active directory
I've had this happen occasionally. Give these smb.conf settings a try:

netbios name = xxx
password server = xxx
client signing = yes
server signing = yes
use spnego = yes
client use spnego = no

Whenever I encountered this problem adjusting the signing/spnego options fixed it.

Matt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ekul taylor
Sent: Friday, May 09, 2008 3:49 PM
To: samba@lists.samba.org
Subject: [Samba] samba shares and active directory

I'm hoping someone can point me in the right direction. I know I'm very close but I'm missing one little piece. I have added a samba machine to my domain using net ads and winbind and it's working lovely. I can log into the linux server with my active directory credentials but I am unable to access shares on the samba server from windows using active directory credentials. When I try to connect to the samba server from windows I can see the share listed but choosing it gives me a password box even though I am logged into windows as a user who is a member of the squid group.

smb.conf:

[global]
workgroup = GLCC
realm = GLCC.ON.CA
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash

[squidlog]
comment = squid logs
path = /var/log/squid
valid users = @GLCC+squid
read only = No
browsable = yes

wbinfo -u
wbinfo -g
shows the domain user and group information and getent group shows the squid group with my user as a member

any help would be greatly appreciated

Luke Taylor

RE: [Samba] winbindd hangs up while retreiving usernames.
This sounds similar to a problem I was having. Have a look at the following thread to see if it fixes your problem:
http://lists.samba.org/archive/samba/2008-April/140109.html

Matt

RE: [Samba] select() timeout on winbindd_privileged pipe
On 4/24/08 Jerry wrote:
> You are tracing the client. But the log only shows the parent winbindd process. I would check the child processes because I'll bet you have more traffic that will illuminate what is going on in those logs.

Thanks for the tip. I took your advice and ran 'strace -ff' on winbind and found the problem. It was trying to use mDNS to locate the kdc. However, our domain is unicast and uses the .local extension. I added the line 'mdns off' to the /etc/host.conf file (apparently it defaults to on) and it eliminated the 30 second timeout pause :)

Here's the line in the strace output that tipped me off:

17:24:34 sendto(20, \241q\1\0\0\1\0\0\0\0\0\0\20_kerberos-master\4_u..., 54, 0, {sa_family=AF_INET, sin_port=htons(5353), sin_addr=inet_addr(224.0.0.251)}, 28) = 54
17:24:34 poll([{fd=20, events=POLLIN}], 1, 5000) = 0

This poll() call is what was actually timing out. The timeout was 5s and it did this multiple times. Now that mDNS is turned off it makes this request directly to the kdc rather than trying to search for it. WoooHooo!

Thanks,
Matt

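[Added example, not part of the original post or of Samba.] The diagnosis in the message above can be automated: attribute every poll() that timed out to the destination of the last sendto() on the same file descriptor, so a stall caused by multicast DNS (224.0.0.251, port 5353) stands out. The sample trace is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in `strace -t` format, modelled on the two lines quoted in
# the message above; the extra lines, fds and payload bytes are illustrative.
SAMPLE = r'''
17:24:34 sendto(20, "\241q\1\0\0\1\0\0\0\0\0\0\20_kerberos-master\4_u"..., 54, 0, {sa_family=AF_INET, sin_port=htons(5353), sin_addr=inet_addr("224.0.0.251")}, 28) = 54
17:24:34 poll([{fd=20, events=POLLIN}], 1, 5000) = 0
17:24:39 sendto(20, "\241q\1\0\0\1\0\0\0\0\0\0\20_kerberos-master\4_u"..., 54, 0, {sa_family=AF_INET, sin_port=htons(5353), sin_addr=inet_addr("224.0.0.251")}, 28) = 54
17:24:39 poll([{fd=20, events=POLLIN}], 1, 5000) = 0
17:24:44 sendto(21, "\302\7\1\0\0\1"..., 40, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.207")}, 16) = 40
17:24:44 poll([{fd=21, events=POLLIN}], 1, 5000) = 1 ([{fd=21, revents=POLLIN}])
'''.strip().splitlines()

MDNS = ("224.0.0.251", 5353)  # IPv4 multicast DNS group and port

# Quotes around the address are optional so that traces pasted through a mail
# archive (which strips them, as on this page) still parse.
SENDTO = re.compile(
    r'sendto\((\d+), .*sin_port=htons\((\d+)\), sin_addr=inet_addr\("?([\d.]+)"?\)')
POLL = re.compile(
    r'poll\(\[\{fd=(\d+), events=POLLIN\}\], \d+, (\d+)\)\s+=\s+(\d+)')


def wasted_time_by_destination(lines):
    """Map (ip, port) -> milliseconds spent in poll() calls that timed out."""
    last_dest = {}  # fd -> (ip, port) of the most recent sendto on that fd
    wasted = {}
    for line in lines:
        m = SENDTO.search(line)
        if m:
            last_dest[int(m.group(1))] = (m.group(3), int(m.group(2)))
            continue
        m = POLL.search(line)
        if m and int(m.group(3)) == 0:  # return value 0 means the poll timed out
            dest = last_dest.get(int(m.group(1)))
            if dest:
                wasted[dest] = wasted.get(dest, 0) + int(m.group(2))
    return wasted


def mdns_stall_ms(lines):
    """Total time lost waiting for answers to multicast DNS queries."""
    return wasted_time_by_destination(lines).get(MDNS, 0)


if __name__ == "__main__":
    for (ip, port), ms in wasted_time_by_destination(SAMPLE).items():
        tag = "  <-- multicast DNS" if (ip, port) == MDNS else ""
        print(f"{ip}:{port} {ms / 1000:.0f}s in timed-out poll(){tag}")
```

Feed it the combined output of 'strace -ff -t -p <winbindd pid>'; a non-zero result for 224.0.0.251:5353 on a unicast .local domain matches the symptom described in the message.
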
[Samba] select() timeout on winbindd_privileged pipe
I have an issue where winbind will occasionally pause for 30 seconds.

# strace -T -t ls -l /share
16:52:20 read(4, /var/lib/samba/winbindd_privileg..., 35) = 35 0.09
16:52:20 lstat(/var/lib/samba/winbindd_privileged, {st_mode=S_IFDIR|0750, st_size=72, ...}) = 0 0.11
16:52:20 lstat(/var/lib/samba/winbindd_privileged/pipe, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 0.11
16:52:20 socket(PF_FILE, SOCK_STREAM, 0) = 5 0.11
16:52:20 fcntl(5, F_GETFL) = 0x2 (flags O_RDWR) 0.06
16:52:20 fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 0.07
16:52:20 fcntl(5, F_GETFD) = 0 0.06
16:52:20 fcntl(5, F_SETFD, FD_CLOEXEC) = 0 0.06
16:52:20 connect(5, {sa_family=AF_FILE, path=/var/lib/samba/winbindd_privileged/pipe}, 110) = 0 0.18
16:52:20 close(4) = 0 0.11
16:52:20 select(6, [5], NULL, NULL, {0, 0}) = 0 (Timeout) 0.07
16:52:20 write(5, (\10\0\0\4\0\0\0d\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 2088) = 2088 0.11
16:52:20 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.997279
16:52:25 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999895
16:52:30 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999885
16:52:35 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.14
16:52:40 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999891
16:52:45 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.16
16:52:50 select(6, [5], NULL, NULL, {5, 0}) = 1 (in [5], left {4, 968000}) 0.033682
16:52:50 read(5, \354\f\0\0\2\0\0\0STARTREK-phx_api_release..., 3240) = 3240 0.14

Notice the chain of select() calls between 16:52:20 and 16:52:50 that all time out after 5 seconds for a total of 30 seconds!

The winbind log has the following error when this occurs:

[2008/04/18 16:52:20, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2008/04/18 16:52:50, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610)
  ads_krb5_mk_req: Advancing clock by 13 seconds to cope with clock skew
[2008/04/18 16:52:50, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 18 Apr 2008 17:13:03 MST

The ads_krb5_mk_req function has a while loop that loops 3 times 'while (!creds_ready (i maxtries))' (i=0, maxtries=3). This corresponds with 3 requests to the kdc for info during the period of the pause:

16:52:20.839894 IP 192.168.1.210.32891 192.168.1.207.88: v5
16:52:20.840419 IP 192.168.1.207.88 192.168.1.210.32891:
16:52:30.837599 IP 192.168.1.210.32891 192.168.1.207.88: v5
16:52:30.838482 IP 192.168.1.207.88 192.168.1.210.32891: v5
16:52:40.837652 IP 192.168.1.210.32891 192.168.1.207.88:
16:52:40.838606 IP 192.168.1.207.88 192.168.1.210.32891:

I don't understand why the select call appears to continue to block even though the Samba machine (192.168.1.210) gets a response from the Windows server (maybe I'm just interpreting the data wrong??).

I used 'net ads -U username keytab create' to generate my keytab file (it looks good as far as I can tell). 'net cache list' also reveals several entries. Klist also shows a default principal entry. I'm not sure why it can't find a credentials cache. I've upgraded my krb5 from 1.4.3 to 1.6.2 without effect.

Here's version info:
Samba 3.0.28 (3.0.25a and 3.0.25c also had this problem)
Linux 2.6.16 (x64)

At this point I have no idea how to fix this problem. I've read more samba how-to's than I thought possible and checked the relevant config files. Everything is working ok except for this pause. I've upgraded the relevant software but the problem persists.

Matt

[Samba] Annoying Winbind Pause While Looking Up Permissions
Our linux SLES10 fileserver is running Samba (3.0.28) and is a domain member in a Win2003 AD. Everything has been working fine for several months with the exception of an annoying pause that occurs while browsing shares. The pause will last 30 seconds and occurs roughly once every 5-10 minutes. The pause is universal, meaning that all Windows clients trying to browse or access files will see this pause, as well as any Linux processes (like doing 'ls -l'). Basically, any command that requires winbind to determine access privileges pauses. This only occurs for objects that have AD users or groups.

Here's the system info:
Samba 3.0.28 (3.0.25a and 3.0.25c also had this problem)
Krb5 1.4.3
Linux 2.6.16 (x64)

All of the usual tests work:
wbinfo -t
wbinfo -u
wbinfo -g
net ads join
kinit
etc...

I finally had time to investigate this further. All I did was 'ls -l /share' where /share contained files with domain permissions. The command paused for 30 seconds before finally listing the files correctly. All Windows clients experience this same pause at the same time also. Here's the data I collected:

# tcpdump -n -r tcpdump
reading from file tcpdump, link-type EN10MB (Ethernet)
16:52:20.838780 IP 192.168.1.210.44072 192.168.1.207.389: P 117:143(26) ack 214 win 1460 nop,nop,timestamp 1551335289 70870460
16:52:20.838951 IP 192.168.1.207.389 192.168.1.210.44072: P 214:333(119) ack 143 win 65393 nop,nop,timestamp 70870460 1551335289
16:52:20.839894 IP 192.168.1.210.32891 192.168.1.207.88: v5
16:52:20.840419 IP 192.168.1.207.88 192.168.1.210.32891:
16:52:20.873183 IP 192.168.1.210.58864 192.168.1.207.445: . ack 1771 win 2800 nop,nop,timestamp 1551335298 70870460
16:52:20.877180 IP 192.168.1.210.44072 192.168.1.207.389: . ack 333 win 1460 nop,nop,timestamp 1551335299 70870460
16:52:30.837599 IP 192.168.1.210.32891 192.168.1.207.88: v5
16:52:30.838482 IP 192.168.1.207.88 192.168.1.210.32891: v5
16:52:40.837652 IP 192.168.1.210.32891 192.168.1.207.88:
16:52:40.838606 IP 192.168.1.207.88 192.168.1.210.32891:
16:52:50.837439 IP 192.168.1.210.44072 192.168.1.207.389: P 143:1410(1267) ack 333 win 1460 nop,nop,timestamp 1551342789 70870460
16:52:50.838112 IP 192.168.1.207.389 192.168.1.210.44072: P 333:383(50) ack 1410 win 64126 nop,nop,timestamp 70870761 1551342789

192.168.1.210 is the Linux server running Samba and 192.168.1.207 is the Windows domain controller. You'll notice that everything is humming along smoothly through time 16:52:20. Between 16:52:20 and 16:52:50 is the 30 second delay. My understanding is that port 88 is related to Kerberos. Running tcpdump while executing the same command again yields instant results with identical network traffic minus the port 88 requests.

# strace -T -t ls -l /share
16:52:20 read(4, /var/lib/samba/winbindd_privileg..., 35) = 35 0.09
16:52:20 lstat(/var/lib/samba/winbindd_privileged, {st_mode=S_IFDIR|0750, st_size=72, ...}) = 0 0.11
16:52:20 lstat(/var/lib/samba/winbindd_privileged/pipe, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 0.11
16:52:20 socket(PF_FILE, SOCK_STREAM, 0) = 5 0.11
16:52:20 fcntl(5, F_GETFL) = 0x2 (flags O_RDWR) 0.06
16:52:20 fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 0.07
16:52:20 fcntl(5, F_GETFD) = 0 0.06
16:52:20 fcntl(5, F_SETFD, FD_CLOEXEC) = 0 0.06
16:52:20 connect(5, {sa_family=AF_FILE, path=/var/lib/samba/winbindd_privileged/pipe}, 110) = 0 0.18
16:52:20 close(4) = 0 0.11
16:52:20 select(6, [5], NULL, NULL, {0, 0}) = 0 (Timeout) 0.07
16:52:20 write(5, (\10\0\0\4\0\0\0d\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 2088) = 2088 0.11
16:52:20 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.997279
16:52:25 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999895
16:52:30 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999885
16:52:35 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.14
16:52:40 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999891
16:52:45 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.16
16:52:50 select(6, [5], NULL, NULL, {5, 0}) = 1 (in [5], left {4, 968000}) 0.033682
16:52:50 read(5, \354\f\0\0\2\0\0\0STARTREK-phx_api_release..., 3240) = 3240 0.14

Notice the chain of select() calls between 16:52:20 and 16:52:50 that all time out after 5 seconds for a total of 30 seconds!

Finally, here's the relevant section of the winbind log:

[2008/04/18 16:52:20, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2008/04/18 16:52:20, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 192.168.1.207:389 192.0.2.224:389
[2008/04/18 16:52:20, 5] libads/ldap.c:ads_try_connect(180)
  ads_try_connect: sending CLDAP request to 192.168.1.207 (realm: STARTREK.LOCAL)
[2008/04/18 16:52:20, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 192.168.1.207
[2008/04/18 16:52:20, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 23 seconds
[2008/04/18