[Samba] Re: NT_STATUS_ACCESS_DENIED with winbindd authentication - Probable fix

2005-04-08 Thread Sridhar Venkatakrishnan
Hi, 

I was able to stop the nasty ACCESS_DENIED errors in the winbindd logs by 
setting 

client schannel = no

in the smb.conf file. Is it possible that this is related to the Windows
2003 SP1 problem? (even though our DC is NT4 SP6)

Sridhar
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication

2005-04-05 Thread Sridhar Venkatakrishnan
I looked at the code in nsswitch/winbindd_pam.c, specifically in the
winbindd_pam_auth_crap function, and this section of code looks like it
might be where the problem lies:

snip

    do {
        ZERO_STRUCT(info3);
        ZERO_STRUCT(ret_creds);
        retry = False;

        /* Don't shut this down - it belongs to the connection cache code */
        result = cm_get_netlogon_cli(contact_domain, trust_passwd,
                                     sec_channel_type, False, &cli);

        if (!NT_STATUS_IS_OK(result)) {
            DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
                      nt_errstr(result)));
            goto done;
        }

        result = cli_netlogon_sam_network_logon(cli, mem_ctx,
                                                &ret_creds,
                                                name_user, name_domain,
                                                workstation,
                                                state->request.data.auth_crap.chal,
                                                lm_resp, nt_resp,
                                                &info3);

        attempts += 1;

        /* We have to try a second time as cm_get_netlogon_cli
           might not yet have noticed that the DC has killed
           our connection. */

        if ( cli->fd == -1 ) {
            retry = True;
            continue;
        }

        /* if we get access denied, a possible cause was that we had and open
           connection to the DC, but someone changed our machine account password
           out from underneath us using 'net rpc changetrustpw' */

        if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
            DEBUG(3, ("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. "
                      "Maybe the trust account password was changed and we didn't "
                      "know it. Killing connections to domain %s\n",
                      contact_domain->name));
            winbindd_cm_flush();
            retry = True;
            cli = NULL;
        }

    } while ( (attempts < 2) && retry );

snip

( sorry about the formatting )

The winbindd logs report that the sam_logon returned ACCESS_DENIED and that 
the connections to the domain are being killed, after which the sam_logon is 
retried. This re-try seems to succeed in most cases, but my guess is that it 
fails occasionally. 

Thanks in advance for your time and interest

Sridhar

On Apr 4, 2005 10:22 PM, Sridhar Venkatakrishnan [EMAIL PROTECTED] wrote:
> Our DC is an NT4 SP6 box. I haven't been able to reproduce this
> problem reliably, but if I keep trying to access a printer share, the
> operations time out occasionally.
>
> Thanks
> Sridhar
>
> On Apr 4, 2005 8:28 AM, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
 
> > Sridhar Venkatakrishnan wrote:
> > | Hi,
> > |
> > | We're running a print server having the following specifications:
> > |
> > | Samba 3.0.11
> > | Suse 9.1
> > | Kernel 2.6.5-7.108 kernel
> > |
> > | A few days back none of the users were able to log onto the print
> > | server. The debug 10 logs show the following lines:
> > |
> > | [2005/03/29 11:21:05, 5] auth/auth.c:check_ntlm_password(271)
> > | check_ntlm_password: winbind authentication for user [**user-name**]
> > | FAILED with error NT_STATUS_ACCESS_DENIED
> > |
> > | Does anyone have any ideas about why winbindd would throw up
> > | an ACCESS_DENIED?
> >
> > Is your DC a Windows 2003 SP1 box? Are you using
> > 'security = domain'? If so this is a known issue we are still
> > investigating.
> >
> > cheers, jerry
> > =
> > Alleviating the pain of Windows(tm) --- http://www.samba.org
> > GnuPG Key - http://www.plainjoe.org/gpg_public.asc
> > I never saved anything for the swim back. Ethan Hawk in Gattaca


Re: [Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication

2005-04-05 Thread Sridhar Venkatakrishnan
Hi, 

> Why do you think this is the source of your problem? That aspect
> of your post is unclear to me.

 What is currently happening is this:

I try to access a print share multiple times, by running
smbclient //PRINTSERVER/sharename -UDOMAIN\\username%password -c ls
repeatedly. I do this to provide a rough simulation of heavy load on the
print server.

For some of the accesses the following shows up in the winbindd logs:

[2005/04/06 09:57:41, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)
 winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust 
account password was changed and we didn't know it. Killing connections to 
domain DOMAIN

I looked at the code, and what seems to be happening is this:

winbindd tries a sam_logon and the DC returns NT_STATUS_ACCESS_DENIED ( or 
samba thinks the DC returned NT_STATUS_ACCESS_DENIED) after which winbindd 
re-tries the sam logon. In most cases the retry succeeds, however, it 
occasionally fails. When this happens, the winbindd authentication fails and 
the user gets an NT_STATUS_ACCESS_DENIED to the print share.

What has me confused is this: Why should the DC return
NT_STATUS_ACCESS_DENIED for a sam logon? The trust account password hasn't
been changed and I can't think of any other reasons.

I had a cursory look at the rpc_api_pipe_req function in
rpc_client/cli_pipe.c and figured out that the netsec (schannel) algorithm
was being used for the encoding of the challenge/response. I don't know too
much about the NTLM authentication protocol and so I'm still trying to
figure out if it's a configuration problem with our DC or something else.

(Jerry - Sorry about the duplicate mail to you)

Thanks,
Sridhar
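
The correlation described in this message, as an added example that is not part of the original post or of Samba: it parses Samba-format log records and separates smbd authentication failures that follow a winbindd connection flush from those that do not. The 5-second window, the sample log text and the user names are assumptions; the message patterns are the ones quoted in this thread.

```python
import re
from datetime import datetime, timedelta

# Samba record header, e.g. "[2005/04/06 09:57:41, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] \S+:(\w+)\(\d+\)")
FLUSH = re.compile(r"sam_logon returned ACCESS_DENIED.*Killing connections to\s+domain (\S+)")
AUTH_FAIL = re.compile(r"winbind authentication for user \[(.*?)\]\s+FAILED with error (NT_STATUS_\w+)")

def parse_records(text):
    """Return [(timestamp, level, function, message)]; wrapped message lines are joined."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append([ts, int(m.group(2)), m.group(3), ""])
        elif records and line.strip():
            records[-1][3] = (records[-1][3] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def correlate(winbindd_log, smbd_log, window_seconds=5):
    """Split smbd auth failures by whether winbindd flushed its DC connections just before."""
    flushes = []
    for ts, _, _, msg in parse_records(winbindd_log):
        m = FLUSH.search(msg)
        if m:
            flushes.append((ts, m.group(1)))
    window = timedelta(seconds=window_seconds)  # assumed window; both logs share one clock
    after_flush, unrelated = [], []
    for ts, _, _, msg in parse_records(smbd_log):
        m = AUTH_FAIL.search(msg)
        if not m:
            continue
        near = any(timedelta(0) <= ts - f_ts <= window for f_ts, _ in flushes)
        (after_flush if near else unrelated).append((ts.isoformat(), m.group(1), m.group(2)))
    return {"flushes": len(flushes), "after_flush": after_flush, "unrelated": unrelated}

# Constructed sample logs (not taken from the thread); user names are placeholders.
FLUSH_MSG = ("  winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust\n"
             "  account password was changed and we didn't know it. Killing connections to\n"
             "  domain DOMAIN\n")
WINBINDD_LOG = "".join(
    f"[2005/04/06 {t}, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)\n" + FLUSH_MSG
    for t in ("09:57:41", "09:58:10", "09:59:02"))
SMBD_LOG = (
    "[2005/04/06 09:58:11, 5] auth/auth.c:check_ntlm_password(271)\n"
    "  check_ntlm_password: winbind authentication for user [alice]\n"
    "  FAILED with error NT_STATUS_ACCESS_DENIED\n"
    "[2005/04/06 10:15:00, 5] auth/auth.c:check_ntlm_password(271)\n"
    "  check_ntlm_password: winbind authentication for user [bob]\n"
    "  FAILED with error NT_STATUS_WRONG_PASSWORD\n")

if __name__ == "__main__":
    result = correlate(WINBINDD_LOG, SMBD_LOG)
    print(f"{result['flushes']} flush/retry events seen by winbindd")
    for ts, user, status in result["after_flush"]:
        print(f"{ts} {user}: {status} right after a flush (retry also failed)")
    for ts, user, status in result["unrelated"]:
        print(f"{ts} {user}: {status} with no flush nearby")
```

Flush events with no failure in the window are the retries that succeeded; failures in the `unrelated` list point at a cause other than the netlogon connection being dropped.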


[Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication

2005-04-04 Thread Sridhar Venkatakrishnan
Hi, 

We're running a print server having the following specifications:

 Samba 3.0.11 
 Suse 9.1 
 Kernel 2.6.5-7.108 kernel

A few days back none of the users were able to log onto the print
server. The debug 10 logs show the following lines:

[2005/03/29 11:21:05, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [**user-name**]
FAILED with error NT_STATUS_ACCESS_DENIED

Does anyone have any ideas about why winbindd would throw up an ACCESS_DENIED?

Thanks
Sridhar


Re: [Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication

2005-04-04 Thread Sridhar Venkatakrishnan
Our DC is an NT4 SP6 box. I haven't been able to reproduce this
problem reliably, but if I keep trying to access a printer share, the
operations time out occasionally.

Thanks
Sridhar


On Apr 4, 2005 8:28 AM, Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
 
> Sridhar Venkatakrishnan wrote:
> | Hi,
> |
> | We're running a print server having the following specifications:
> |
> |  Samba 3.0.11
> |  Suse 9.1
> |  Kernel 2.6.5-7.108 kernel
> |
> | A few days back none of the users were able to log onto the print
> | server. The debug 10 logs show the following lines:
> |
> | [2005/03/29 11:21:05, 5] auth/auth.c:check_ntlm_password(271)
> |   check_ntlm_password: winbind authentication for user [**user-name**]
> | FAILED with error NT_STATUS_ACCESS_DENIED
> |
> | Does anyone have any ideas about why winbindd would throw up
> | an ACCESS_DENIED?
>
> Is your DC a Windows 2003 SP1 box? Are you using
> 'security = domain'? If so this is a known issue we are still
> investigating.
>
> cheers, jerry
> =
> Alleviating the pain of Windows(tm) --- http://www.samba.org
> GnuPG Key - http://www.plainjoe.org/gpg_public.asc
> I never saved anything for the swim back. Ethan Hawk in Gattaca


Re: [Samba] XP SP1 Clients wont print to Samba / Cups Server

2005-02-17 Thread Sridhar Venkatakrishnan
Hi,
Did you check the permissions of the spooling directory specified in the 
samba share? It would be the directory pointed to by the 'path' 
parameter of the printer share. You could also set the debug level of 
the smbd daemon to 10 and look at the logs. A quick grep for 
ACCESS_DENIED and WERR might throw up interesting results.

Sridhar

[EMAIL PROTECTED] wrote:
> Hi All,
>
> I have gained my basic Linux / Samba knowledge from
> using SME server (www.contribs.org)
>
> More recently I have started to use Trustix Linux to
> build servers for specific things for example as a
> print server.
>
> I installed Trustix and the most recent Cups/Samba rpm's
> from the repository (I am pretty sure they are the latest
> stable releases) but I can check version numbers if this
> helps.
>
> I am going to describe symptoms that may (hopefully) have
> been encountered by others on the list.
>
> I installed Samba and created a very basic (based on the doc
> Stand-Alone Servers) single folder share and added a printer
> using cups.
>
> I have the following scenario ;
>
> I have a 20 x XP SP1 PC's and a MSB 2K PDC
> I am trying to create a print server
> I have built it and installed Cups/Samba
> I can see the machine, printer and folder share in nethood
> I can copy files from any PC to the folder share
> I can view printer in the cups webmin
> I can control and print test pages from cups webmin
> I can run swat webmin and check my v basic config
> I can Add Printer as usual using XP drivers
> The printer shows as 'Ready' in printers & faxes
>
> As soon as (instantly) I click print I get a dialogue
> saying 'Cant print, unable to create document'
>
> At no time do I see a print job appear in the queue using
> cups webmin
>
> I have googled until I am dizzy on this. What's annoying is
> that it all looks like it's going to work apart from the very
> last thing (the most important bit) i.e. Actually doing the
> job.
>
> I admit I have limited knowledge and don't mind being told
> to RTFM (if you could include links to the relevant sections:)
>
> When I read the Samba docs on basic printing using cups I
> was really pleased (I didn't want to spend 3 months studying
> docs just to get a simple printer server working:)
>
> Any help would be really appreciated (Paypal available:)
>
> Thanks (I have a just a few hairs left!!)
>
> Graham Bentley



[Samba] lsaenumacctwithrights

2005-02-15 Thread Sridhar Venkatakrishnan
Hi,
I've installed the samba 3.0.11 release after building it from source. 
I'm trying to use rpcclient to enumerate all accounts with a specific 
right. The man page for rpcclient says the 'lsaenumacctwithrights' 
command is available but when I try to use the command rpcclient doesn't 
recognise it.

A quick grep of the source base shows that the command isn't 
implemented. However, googling for lsaenumacctwithrights throws up a 
list of changelogs which seem to indicate that the command was included 
as part of the source. Has anybody used this command before and is there 
an alternative?

Thanks in advance,
Sridhar


Re: [Samba] Re: Migrating from NT4 to Samba - correct strategy

2005-01-31 Thread Sridhar Venkatakrishnan
Hi,
Just changing the domain name might not work. From what I can tell, all 
your client machines are joined to the NT domain. These are not part of 
the samba domain and so nobody will be able to log in from them. You 
would have to create machine accounts for all the client machines, 
remove them from the domain and then rejoin them to the domain.

Or you could use pwdump2.exe to get the machine trust account passwords
for the NT domain. The output of this command could be dumped directly
into the smbpasswd file (but I don't know if that still holds) and you
should have all the machine accounts. However, there is one issue you'll
have to look out for: NT machines automatically change their machine
trust passwords every week and so this swap can't be done over a long
period or the passwords would have changed.

Hope this helps
Sridhar

Josir Gomes wrote:
> Thanks for replying.
>
> There's just 20 clients on each domain and they have the same name and
> password on both domains. I could simply change the domain name on each
> station but all users will lose their local profiles.
>
> So I imagine that it is more productive to simply change the domain
> name and turn off the old NT server. Is there any pitfall that I can
> encounter?
>
> Simply changing the domain name in the smb.conf is enough? It's easy
> as that?
>
> Thanks in advance,
> Josir Gomes
>
> > > Josir Gomes wrote:
> > > Hi folks,
> > > I have 2 domains: LX01 (WinNT) and LX04 (Samba) and I want consolidate
> > > them into one domain LX01.
> > >
> > > All the stations are looking for LX01.
> > > All users are equal on both servers.
> > > Can I just turn the WinNT off and rename the Samba server to LX01?
> > > Is there any problem?
> >
> > you forgot to mention how many clients on each domain, sometime when
> > clients is less than 50, starting new domain from scratch is the
> > 'correct' way.




Re: [Samba] Multiple winbindd processes

2005-01-18 Thread Sridhar Venkatakrishnan
Hi,
I finally made the patch and uploaded it. You can access it at the 
following URL: 
http://www.sridharv.net/samba/patch-multwinbinddpr-vs-3.0.11pre1.diff
The patch is against the samba 3.0.11pre1 release. It should work 
against 3.0.9 and 3.0.10 as well but I haven't tried it.

cd-ing into the source directory and using patch -p1 should do the trick.
Please read the REAME.winbind-patch file in the nsswitch directory 
before you start using this patch.

If you find any bugs or you think of any improvements then please let me 
know :)

Thanks
Sridhar

[EMAIL PROTECTED] wrote:
> On Tuesday 11 January 2005 06:16, [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I had posted in the technical list about this sometime back. However, I
> > don't think anything was available at that time, so I went ahead and wrote
> > a small patch that allows multiple winbindd process to run at the same
> > time :) . What it does is to create a separate pipe for each winbindd
> > process. However, this would need a patch for the nss library as well and
> > I've only worked out a patch for the linux nss library. I'd also added a
> > couple of extra parameters to the smb.conf file that allowed for
> > specification of a list of domains that could be veto-ed or allowed. I
> > could send you the patch if you're interested.
>
> I'm really interested. Thank you :-)



Re: [Samba] Multiple winbindd processes

2005-01-18 Thread Sridhar Venkatakrishnan
I forgot to add the Makefile.in changes to the patch. I've uploaded the 
fixed version at the same URL.

Thanks
Sridhar

Sridhar Venkatakrishnan wrote:
> Hi,
> I finally made the patch and uploaded it. You can access it at the
> following URL:
> http://www.sridharv.net/samba/patch-multwinbinddpr-vs-3.0.11pre1.diff
> The patch is against the samba 3.0.11pre1 release. It should work
> against 3.0.9 and 3.0.10 as well but I haven't tried it.
>
> cd-ing into the source directory and using patch -p1 should do the trick.
> Please read the REAME.winbind-patch file in the nsswitch directory
> before you start using this patch.
>
> If you find any bugs or you think of any improvements then please let
> me know :)
>
> Thanks
> Sridhar
>
> [EMAIL PROTECTED] wrote:
> > On Tuesday 11 January 2005 06:16, [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > > I had posted in the technical list about this sometime back. However, I
> > > don't think anything was available at that time, so I went ahead and wrote
> > > a small patch that allows multiple winbindd process to run at the same
> > > time :) . What it does is to create a separate pipe for each winbindd
> > > process. However, this would need a patch for the nss library as well and
> > > I've only worked out a patch for the linux nss library. I'd also added a
> > > couple of extra parameters to the smb.conf file that allowed for
> > > specification of a list of domains that could be veto-ed or allowed. I
> > > could send you the patch if you're interested.
> >
> > I'm really interested. Thank you :-)




Re: [Samba] Multiple winbindd processes

2005-01-10 Thread Sridhar . Venkatakrishnan
Hi, 

I had posted in the technical list about this sometime back. However, I 
don't think anything was available at that time, so I went ahead and wrote 
a small patch that allows multiple winbindd process to run at the same 
time :) . What it does is to create a separate pipe for each winbindd 
process. However, this would need a patch for the nss library as well and 
I've only worked out a patch for the linux nss library. I'd also added a 
couple of extra parameters to the smb.conf file that allowed for 
specification of a list of domains that could be veto-ed or allowed. I 
could send you the patch if you're interested. 

Sridhar





Vladimir Levijev [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/01/2005 11:10 PM

 
To: samba@lists.samba.org
cc: 
Subject:[Samba] Multiple winbindd processes



Hi,

My problem is that I'd like to have one GNU/Linux box with Samba installed
serve multiple domains.

I have 2 Domains separated from each other. Connected Samba box to both
domains and joined them successfully. Running 2 smbd and 2 nmbd processes
bound to the appropriate network interface, with different settings serving
appropriate domains.

Samba server is visible in both networks but here is the problem. I can start
2 winbindd processes for each domain controller, but only one is actually
working. So only users from that one are able to authenticate. Using 'lsof'
showed that both winbindd processes are connected to the pipe, but only the
last one started is actually listening to requests?

The question is, what do I need to do to make 2 winbindd processes work
simultaneously? Is there a solution available, or I will need to write a
patch for winbind?

TIA,

-- 
[EMAIL PROTECTED]