Re: [Samba] Problem with AD users and groups (SOLVED)

2013-06-08 Thread Marcelo Ruriani

To list (and everyone who helped me)

I tracked down the problem to the init.d script (the one you 
download from Samba). Something is just not quite configured right. Once 
I moved that out of my /etc/init.d directory and restarted manually, as 
they say: "It's all good!" I will have to take a look at that script 
later. For now. . .


Thank you to everyone, Samba 4 is a great program!!

Marcelo
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Marc Muehlfeld

Hello Marcelo,

On 07.06.2013 03:30, Marcelo Ruriani wrote:

> Thank you for the reply. To answer your questions. I am using the
> internal DNS. The DNS testing reveals that host -t SRV _ldap (and so on)
> plus host -t SRV _kerberos (and so on) return with a "not found" error.
> The A record test works fine.


Can you run

# samba_dnsupdate --verbose|grep "Failed nsupdate"

Entries that aren't found can't be updated by that command, but it lets you 
know which are missing, like the SRV for _ldap._tcp.samdom.example.com:


# samba_dnsupdate --verbose|grep "Failed nsupdate"
Failed nsupdate: SRV _ldap._tcp.samdom.example.com 
dc1.samdom.example.com 389 : [Errno 2] No such file or directory



Then add the missing entries manually again:

# samba-tool dns add localhost samdom.example.com 
_ldap._tcp.samdom.example.com SRV "dc1.samdom.example.com 389 0 100"


Here's my test environment zone. There you can see the values for the 
SRV records you have to re-add. http://cpaste.org/1914/


! Create a backup of your samba directory before you do that !


After you have added the records, they should be resolvable again, of 
course.


Regards,
Marc
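The procedure in Marc's reply (read the "Failed nsupdate" lines, then re-add each record with samba-tool) as an added example in Python, not code from the thread or from the Samba project. It parses the failure lines in the form quoted above and emits the matching `samba-tool dns add` command; the SRV priority/weight (0 100), the DNS server name and the zone are assumptions taken from the reply, and the sample output is constructed (only its first line is the one quoted). One caveat worth reading off the sample line before re-adding anything by hand: in samba_dnsupdate of that era the " : [Errno 2] No such file or directory" suffix comes from the exception path around launching nsupdate, so ENOENT on every line means the nsupdate binary itself was not found (install the bind utilities), not that the records are unrecoverable.

```python
"""Turn samba_dnsupdate failures into samba-tool commands.

Added example, not code from the thread or from the Samba project. Parses
the "Failed nsupdate:" lines that `samba_dnsupdate --verbose` prints and
builds the matching `samba-tool dns add` command. SRV priority/weight, the
DNS server name and the zone are assumptions taken from the reply above;
SAMPLE_OUTPUT is constructed (only its first line is the one quoted).
"""
import shlex

# Field layout after "<TYPE> <name>" as samba_dnsupdate prints it (assumed
# from the SRV sample line; A/AAAA/CNAME/NS carry one address or target).
FIELD_COUNT = {"SRV": 2, "A": 1, "AAAA": 1, "CNAME": 1, "NS": 1}
SRV_PRIORITY, SRV_WEIGHT = "0", "100"   # values used in the reply (assumed)

SAMPLE_OUTPUT = """\
Failed nsupdate: SRV _ldap._tcp.samdom.example.com dc1.samdom.example.com 389 : [Errno 2] No such file or directory
Failed nsupdate: SRV _kerberos._udp.samdom.example.com dc1.samdom.example.com 88 : [Errno 2] No such file or directory
Failed nsupdate: A dc1.samdom.example.com 192.0.2.10 : [Errno 2] No such file or directory
Failed nsupdate: 1
"""
# The last line is the constructed form without a record (non-zero nsupdate
# exit status); it carries nothing to re-add and is skipped.


def parse_failed_updates(verbose_output):
    """[(rtype, name, fields, error)] for each 'Failed nsupdate:' record line."""
    found = []
    for raw in verbose_output.splitlines():
        line = raw.strip()
        if not line.startswith("Failed nsupdate:"):
            continue
        # "<record> : <error>": split on the last " : " so colons inside an
        # IPv6 address or the error text do not confuse the record part.
        record, sep, error = line[len("Failed nsupdate:"):].rpartition(" : ")
        if not sep:
            record, error = error, ""
        parts = record.split()
        if len(parts) < 2:           # no record on the line: nothing to re-add
            continue
        found.append((parts[0], parts[1], parts[2:], error.strip()))
    return found


def samba_tool_command(rtype, name, fields, zone, server="localhost"):
    """argv for `samba-tool dns add`, or None for a record type not handled."""
    needed = FIELD_COUNT.get(rtype)
    if needed is None or len(fields) < needed:
        return None
    if rtype == "SRV":   # samba-tool wants "target port priority weight"
        data = "%s %s %s %s" % (fields[0], fields[1], SRV_PRIORITY, SRV_WEIGHT)
    else:
        data = fields[0]
    return ["samba-tool", "dns", "add", server, zone, name, rtype, data]


def commands_for(verbose_output, zone, server="localhost"):
    """Shell-quoted command lines, one per failed record inside `zone`."""
    cmds = []
    for rtype, name, fields, _error in parse_failed_updates(verbose_output):
        argv = samba_tool_command(rtype, name, fields, zone, server)
        if argv is not None and name.endswith("." + zone):
            cmds.append(shlex.join(argv))
    return cmds


def nsupdate_unusable(verbose_output):
    """True when every failure carries ENOENT: samba_dnsupdate could not run
    the nsupdate binary at all, so install it instead of re-adding records."""
    errors = [err for _t, _n, _f, err in parse_failed_updates(verbose_output)]
    return bool(errors) and all("[Errno 2]" in err for err in errors)


if __name__ == "__main__":
    if nsupdate_unusable(SAMPLE_OUTPUT):
        print("# nsupdate could not be executed; check that it is installed")
    for cmd in commands_for(SAMPLE_OUTPUT, "samdom.example.com"):
        print(cmd)
```

Pipe real `samba_dnsupdate --verbose` output into `commands_for()` and review the printed commands before running them, after taking the backup Marc asks for.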


Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Marc Muehlfeld

Hello Marcelo,

On 07.06.2013 16:51, Ricky Nance wrote:

> by the way, why isn't samba listening on port 88 in
> your last mail?


* Can you check if something else is listening on the kerberos port 88:

# netstat -taunp | grep ":88"



* Please also show us the [global] part of your smb.conf. Especially the 
"server services =" line. Maybe "kdc" is disabled.




* Does the log say anything, why kdc doesn't listen on :88?



> My questions are if the worst were if I had to re-provision, would
> the re-provision be enough? OR Would I have to do the entire
> compile, make, install procedure? Thanks.

How big is your installation? If it's not very small or a test 
environment, I think I would continue searching for the problem instead 
of setting everything up again.




As it sounds like your Samba AD was working before, did anything change 
on your DC since the last restart of Samba? Maybe required packages have 
been removed, a newly compiled Samba version was installed, etc.



Regards,
Marc



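Two of the checks Marc lists (who owns port 88, and whether "server services" still contains kdc) run over saved command output, as an added example in Python; this is not code from the thread or from Samba. parse_listeners() reads `netstat -taunp` output and server_services() reads the [global] section of smb.conf, including the "+"/"-" prefix form that smb.conf(5) documents for adding to or removing from the default list. NETSTAT_SAMPLE and SMB_CONF_SAMPLE are constructed inputs, not output from the poster's DC, and DEFAULT_SERVICES is the assumed AD DC default list for a recent 4.x release; check smb.conf(5) for the version you run.

```python
"""Check who owns a port and whether smb.conf still runs the KDC.

Added example (not code from the thread or from Samba). NETSTAT_SAMPLE and
SMB_CONF_SAMPLE are constructed inputs; DEFAULT_SERVICES is the assumed
AD DC default 'server services' list for a recent Samba 4.x release.
"""

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2231/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2231/samba
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      1019/krb5kdc
tcp6       0      0 :::445                  :::*                    LISTEN      2240/smbd
udp        0      0 0.0.0.0:88              0.0.0.0:*                           1019/krb5kdc
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2231/samba
"""


def parse_listeners(netstat_output):
    """{(proto, port): [(local_addr, pid, program), ...]} for bound sockets.

    TCP rows count only in LISTEN state; UDP rows carry no state column.
    IPv6 rows ('tcp6', ':::445') are folded into 'tcp'/'udp'. Without root
    the owner column is '-', so pid and program come back empty/'-'.
    """
    listeners = {}
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith(("tcp", "udp")):
            continue
        proto = cols[0].rstrip("6")
        addr, _, port = cols[3].rpartition(":")
        if proto == "tcp":
            if len(cols) < 7 or cols[5] != "LISTEN":
                continue
            owner = cols[6]
        else:
            owner = cols[5]
        pid, _, program = owner.partition("/")
        listeners.setdefault((proto, int(port)), []).append((addr, pid, program))
    return listeners


def foreign_listener(netstat_output, port, expected="samba"):
    """True if any socket on `port` belongs to something other than `expected`
    (unknown owners count as foreign), the condition the reply asks about."""
    return any(program != expected
               for (_proto, p), rows in parse_listeners(netstat_output).items()
               if p == port for _addr, _pid, program in rows)


DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc", "drepl",
                    "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]


def server_services(smb_conf, defaults=DEFAULT_SERVICES):
    """Effective 'server services' list from [global].

    A plain list replaces the default; a line made only of '+name'/'-name'
    tokens edits the default instead (e.g. '-dns'). Comments start with
    '#' or ';'; key names are case-insensitive.
    """
    services, section = list(defaults), None
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "global" or not sep or key.strip().lower() != "server services":
            continue
        tokens = value.replace(",", " ").split()
        if tokens and all(t[0] in "+-" for t in tokens):
            for t in tokens:
                if t[0] == "+" and t[1:] not in services:
                    services.append(t[1:])
                elif t[0] == "-":
                    services = [s for s in services if s != t[1:]]
        else:
            services = tokens
    return services


def kdc_enabled(smb_conf):
    return "kdc" in server_services(smb_conf)


SMB_CONF_SAMPLE = """\
[global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
        server role = active directory domain controller
        server services = -kdc   # constructed: the built-in KDC switched off
"""
```

With the sample input, `foreign_listener(NETSTAT_SAMPLE, 88)` is true because a stand-alone krb5kdc holds the port, and `kdc_enabled(SMB_CONF_SAMPLE)` is false; either condition explains a DC that answers LDAP but not Kerberos.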


Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Ricky Nance
Re-provisioning will wipe out your entire samba DB, so I would try to avoid
that if at all possible, figure out if something else is listening on port
88, stop it, and restart samba (it's the kerberos stuff).  The smbclient
command isn't all that helpful (sometimes it is, sometimes not), so you may
try it with a higher debug level (-d10) but don't paste that here as it
will get quite lengthy, use a pastebin and give us the link if you don't
mind (if you think it's more helpful that is).

Good luck,
Ricky


On Fri, Jun 7, 2013 at 12:56 PM, Marcelo Ruriani <
systemad...@helpinghandsofgreenup.org> wrote:

>  On 6/7/13 10:51 AM, Ricky Nance wrote:
>
> I'd double check on the samba server itself if you can connect to it
> using smbclient... `smbclient //localhost/sysvol -Uadministrator`  if
> that fails try `smbclient //localhost/sysvol -d5 -Uadministrator` and paste
> the output in your reply. If it succeeds then you can pretty much bet on a
> connectivity issue... by the way, why isn't samba listening on port 88 in
> your last mail? It might be worth it to try a `killall samba && sleep 5 &&
> samba -i -M single -d3` and look for any error messages ... anyway those
> are just a couple of my suggestions.
>
>  Ricky
>
>
> On Thu, Jun 6, 2013 at 8:30 PM, Marcelo Ruriani <
> systemad...@helpinghandsofgreenup.org> wrote:
>
>> On 6/6/13 5:15 PM, Marc Muehlfeld wrote:
>>
>>> Hello Marcelo,
>>>
>>> On 06.06.2013 22:47, Marcelo Ruriani wrote:
>>>
>>>> It seems I locked myself out. I have tried these steps: turn off the
>>>> firewall, ntacl sysvol reset, and dis-join from domain.
>>>> The ntacl sysvol reset returns errors (which I'll post if necessary) the
>>>> dis-join worked fine but I cannot re-join to the domain because it
>>>> doesn't detect our domain and throws up an error "domain could not be
>>>> contacted" and "DNS name doesn't exist".
>>>
>>> * IP connection between the hosts is fine? (ping each other)
>>>
>>> * Do you use the internal DNS or Bind DLZ?
>>>
>>> * Is Samba/Bind listening on port 53? Use 'netstat -taunp', to make
>>> sure that nothing else is listening on this port and preventing the correct
>>> DNS from starting up.
>>>
>>> * Can you check:
>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS
>>>
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>  Dear List & Mark,
>>
>> Thank you for the reply. To answer your questions. I am using the
>> internal DNS. The DNS testing reveals that host -t SRV _ldap (and so on)
>> plus host -t SRV _kerberos (and so on) return with a "not found" error. The
>> A record test works fine.
>>
>> Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135 (and
>> UDP 53)
>> smbd is listening on TCP port 139, 445
>>
>> The clients ping the server (ip and domain name) fine and the server
>> pings the clients fine.
>>
>> My followup question will appear after this reply.
>>
>> Marcelo
>>
>
>  To list, Mark, Ricky,
>
> I must admit I am unsure why it isn't listening on port 88! I will do
> that "kill all samba" thing later and reply if that does the trick. On the
> tests you asked me to do, this is my output of terminal: (I apologize for
> formatting)
>
> root@ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -U%administrator
> Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f11e9]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> root@ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -d5 -U%administrator
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = AD.HHG.COM
> doing parameter realm = HHG.COM
> doing parameter netbios name = AD
> doing parameter server role = active directory domain controller
> doing parameter dns forwarder = 192.168.1.1
> pm_process() returned Yes
> added interface eth0 ip=fe80::222:19ff:fe95:7f31%eth0 bcast=fe80:::::%eth0 netmask=:::::
> added interface eth0 ip=192.168.1.10 bcast=192.168.1.255 netmask=255.255.255.0
> Netbios name list:-
> my_netbios_name

Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Marcelo Ruriani

On 6/7/13 10:51 AM, Ricky Nance wrote:
> I'd double check on the samba server itself if you can connect to it
> using smbclient... `smbclient //localhost/sysvol -Uadministrator`
> if that fails try `smbclient //localhost/sysvol -d5 -Uadministrator`
> and paste the output in your reply. If it succeeds then you can pretty
> much bet on a connectivity issue... by the way, why isn't samba
> listening on port 88 in your last mail? It might be worth it to try a
> `killall samba && sleep 5 && samba -i -M single -d3` and look for any
> error messages ... anyway those are just a couple of my suggestions.
>
>
> Ricky
>
>
> On Thu, Jun 6, 2013 at 8:30 PM, Marcelo Ruriani wrote:
>
>> On 6/6/13 5:15 PM, Marc Muehlfeld wrote:
>>
>>> Hello Marcelo,
>>>
>>> On 06.06.2013 22:47, Marcelo Ruriani wrote:
>>>
>>>> It seems I locked myself out. I have tried these steps:
>>>> turn off the
>>>> firewall, ntacl sysvol reset, and dis-join from domain.
>>>> The ntacl sysvol reset returns errors (which I'll post if
>>>> necessary) the
>>>> dis-join worked fine but I cannot re-join to the domain
>>>> because it
>>>> doesn't detect our domain and throws up an error "domain
>>>> could not be
>>>> contacted" and "DNS name doesn't exist".
>>>
>>> * IP connection between the hosts is fine? (ping each other)
>>>
>>> * Do you use the internal DNS or Bind DLZ?
>>>
>>> * Is Samba/Bind listening on port 53? Use 'netstat -taunp', to
>>> make sure that nothing else is listening on this port and
>>> preventing the correct DNS from starting up.
>>>
>>> * Can you check:
>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS
>>>
>>>
>>>
>>> Regards,
>>> Marc
>>
>> Dear List & Mark,
>>
>> Thank you for the reply. To answer your questions. I am using
>> the internal DNS. The DNS testing reveals that host -t SRV _ldap
>> (and so on) plus host -t SRV _kerberos (and so on) return with a
>> "not found" error. The A record test works fine.
>>
>> Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135
>> (and UDP 53)
>> smbd is listening on TCP port 139, 445
>>
>> The clients ping the server (ip and domain name) fine and the
>> server pings the clients fine.
>>
>> My followup question will appear after this reply.
>>
>> Marcelo
>>



To list, Mark, Ricky,

I must admit I am unsure why it isn't listening on port 88! I will 
do that "kill all samba" thing later and reply if that does the trick. 
On the tests you asked me to do, this is my output of terminal: (I 
apologize for formatting)


root@ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -U%administrator
Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f11e9]
tree connect failed: NT_STATUS_ACCESS_DENIED

root@ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -d5 -U%administrator
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = AD.HHG.COM
doing parameter realm = HHG.COM
doing parameter netbios name = AD
doing parameter server role = active directory domain controller
doing parameter dns forwarder = 192.168.1.1
pm_process() returned Yes
added interface eth0 ip=fe80::222:19ff:fe95:7f31%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.1.10 bcast=192.168.1.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="AD"
Client started (version 4.1.0pre1-GIT-94f11e9).
Opening cache file at /usr/local/samba/var/lock/gencache.tdb
Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
sitename_fetch: No stored sitename for HHG.COM
name localhost#20 found.
Connecting to ::1 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 173200
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f
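The smbclient run in the message above does not test what Ricky asked for, and an added example in Python (not code from the thread or from Samba) makes the difference mechanical. smbclient reads -U as USER[%PASSWORD], so "-U%administrator" is an empty username, i.e. an anonymous session, with the literal password "administrator"; that differs from "-Uadministrator", and it also leaves a password in shell history and the process list. credential_from_args() classifies the -U form, parse_smbclient_output() pulls the banner and the NT_STATUS code out of the output, and interpret_test() says whether the result is conclusive. SAMPLE_ARGV and SAMPLE_OUTPUT re-type the command and its two result lines from the message as a constructed sample; that sysvol denies an anonymous tree connect is an assumption consistent with that output, not something the thread states.

```python
"""Work out what credentials an smbclient test really used.

Added example, not code from the thread or from Samba. SAMPLE_ARGV and
SAMPLE_OUTPUT are constructed from the message above; the reading that
sysvol denies anonymous tree connects is an assumption.
"""
import re
import shlex

BANNER_RE = re.compile(r"(Domain|OS|Server)=\[([^\]]*)\]")
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")


def credential_from_args(argv):
    """(user, password, mode) for an smbclient argv.

    mode: 'anonymous' (empty user part), 'prompt' (no '%', smbclient asks),
    'cmdline-password' ('%' present) or 'default' (no -U at all).
    Accepts -Uname, -U name, --user=name and --user name.
    """
    spec, it = None, iter(argv)
    for arg in it:
        if arg in ("-U", "--user"):
            spec = next(it, "")
        elif arg.startswith("-U"):
            spec = arg[2:]
        elif arg.startswith("--user="):
            spec = arg[len("--user="):]
    if spec is None:
        return (None, None, "default")
    user, sep, password = spec.partition("%")
    if not user:
        mode = "anonymous"
    elif sep:
        mode = "cmdline-password"
    else:
        mode = "prompt"
    return (user, password if sep else None, mode)


def parse_smbclient_output(text):
    """Banner fields and the last NT_STATUS code smbclient printed."""
    result = {"domain": None, "os": None, "server": None, "status": None}
    for line in text.splitlines():
        for key, value in BANNER_RE.findall(line):
            result[key.lower()] = value
        m = STATUS_RE.search(line)
        if m:
            result["status"] = m.group(1)
    return result


def interpret_test(argv, output):
    """Say whether the smbclient run answers the question it was meant to."""
    user, _password, mode = credential_from_args(argv)
    r = parse_smbclient_output(output)
    who = user or "anonymous"
    if r["status"] == "NT_STATUS_ACCESS_DENIED" and mode == "anonymous":
        return ("inconclusive: the session was anonymous and sysvol denied it, "
                "which says nothing about a named user; retry with -U<user>")
    if r["status"] is None and r["server"]:
        return "ok: connected to %s as %s" % (r["server"], who)
    return "failed: %s as %s" % (r["status"], who)


SAMPLE_ARGV = shlex.split(
    "/usr/local/samba/bin/smbclient //localhost/sysvol -U%administrator")
SAMPLE_OUTPUT = """\
Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f11e9]
tree connect failed: NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    print(credential_from_args(SAMPLE_ARGV))
    print(interpret_test(SAMPLE_ARGV, SAMPLE_OUTPUT))
```

The banner line shows the session itself was set up (the server answered with its domain and version); only the tree connect was refused, which is what an anonymous user should expect from sysvol.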

Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Ricky Nance
I'd double check on the samba server itself if you can connect to it using
smbclient... `smbclient //localhost/sysvol -Uadministrator`  if that
fails try `smbclient //localhost/sysvol -d5 -Uadministrator` and paste the
output in your reply. If it succeeds then you can pretty much bet on a
connectivity issue... by the way, why isn't samba listening on port 88 in
your last mail? It might be worth it to try a `killall samba && sleep 5 &&
samba -i -M single -d3` and look for any error messages ... anyway those
are just a couple of my suggestions.

Ricky


On Thu, Jun 6, 2013 at 8:30 PM, Marcelo Ruriani <
systemad...@helpinghandsofgreenup.org> wrote:

> On 6/6/13 5:15 PM, Marc Muehlfeld wrote:
>
>> Hello Marcelo,
>>
>> On 06.06.2013 22:47, Marcelo Ruriani wrote:
>>
>>> It seems I locked myself out. I have tried these steps: turn off the
>>> firewall, ntacl sysvol reset, and dis-join from domain.
>>> The ntacl sysvol reset returns errors (which I'll post if necessary) the
>>> dis-join worked fine but I cannot re-join to the domain because it
>>> doesn't detect our domain and throws up an error "domain could not be
>>> contacted" and "DNS name doesn't exist".
>>>
>>
>> * IP connection between the hosts is fine? (ping each other)
>>
>> * Do you use the internal DNS or Bind DLZ?
>>
>> * Is Samba/Bind listening on port 53? Use 'netstat -taunp', to make sure
>> that nothing else is listening on this port and preventing the correct DNS
>> from starting up.
>>
>> * Can you check: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS
>>
>>
>>
>> Regards,
>> Marc
>>
> Dear List & Mark,
>
> Thank you for the reply. To answer your questions. I am using the
> internal DNS. The DNS testing reveals that host -t SRV _ldap (and so on)
> plus host -t SRV _kerberos (and so on) return with a "not found" error. The
> A record test works fine.
>
> Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135 (and
> UDP 53)
> smbd is listening on TCP port 139, 445
>
> The clients ping the server (ip and domain name) fine and the server pings
> the clients fine.
>
> My followup question will appear after this reply.
>
> Marcelo
>


Re: [Samba] Problem with AD users and groups

2013-06-06 Thread Marcelo Ruriani

On 6/6/13 5:15 PM, Marc Muehlfeld wrote:

> Hello Marcelo,
>
> On 06.06.2013 22:47, Marcelo Ruriani wrote:
>
>> It seems I locked myself out. I have tried these steps: turn off the
>> firewall, ntacl sysvol reset, and dis-join from domain.
>> The ntacl sysvol reset returns errors (which I'll post if necessary) the
>> dis-join worked fine but I cannot re-join to the domain because it
>> doesn't detect our domain and throws up an error "domain could not be
>> contacted" and "DNS name doesn't exist".
>
>
> * IP connection between the hosts is fine? (ping each other)
>
> * Do you use the internal DNS or Bind DLZ?
>
> * Is Samba/Bind listening on port 53? Use 'netstat -taunp', to make 
> sure that nothing else is listening on this port and preventing the 
> correct DNS from starting up.
>
>
> * Can you check: 
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS
>
>
>
>
> Regards,
> Marc

Dear List & Mark,

Thank you for the reply. To answer your questions. I am using the 
internal DNS. The DNS testing reveals that host -t SRV _ldap (and so on) 
plus host -t SRV _kerberos (and so on) return with a "not found" error. 
The A record test works fine.


Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135 (and 
UDP 53)

smbd is listening on TCP port 139, 445

The clients ping the server (ip and domain name) fine and the server 
pings the clients fine.


My followup question will appear after this reply.

Marcelo


Re: [Samba] Problem with AD users and groups

2013-06-06 Thread Marc Muehlfeld

Hello Marcelo,

On 06.06.2013 22:47, Marcelo Ruriani wrote:

It seems I locked myself out. I have tried these steps: turn off the
firewall, ntacl sysvol reset, and dis-join from domain.
The ntacl sysvol reset returns errors (which I'll post if necessary) the
dis-join worked fine but I cannot re-join to the domain because it
doesn't detect our domain and throws up an error "domain could not be
contacted" and "DNS name doesn't exist".


* IP connection between the hosts is fine? (ping each other)

* Do you use the internal DNS or Bind DLZ?

* Is Samba/Bind listening on port 53? Use 'netstat -taunp', to make 
sure that nothing else is listening on this port and preventing the 
correct DNS from starting up.


* Can you check: 
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS




Regards,
Marc


[Samba] Problem with AD users and groups

2013-06-06 Thread Marcelo Ruriani

To all,
I have run into a problem. I am running Samba 4.1.0 pre1-git-94f11e9 and 
I shut down our server to do regular maintenance. Unknown to me at the 
time, a machine was connected. I know, ugh!! Anyway, when I rebooted and 
tried to use the AD users and groups tool, I get an error stating that 
"naming convention cannot be located because the system detected a 
possible attempt to compromise security".


It seems I locked myself out. I have tried these steps: turn off the 
firewall, ntacl sysvol reset, and dis-join from domain.
The ntacl sysvol reset returns errors (which I'll post if necessary) the 
dis-join worked fine but I cannot re-join to the domain because it 
doesn't detect our domain and throws up an error "domain could not be 
contacted" and "DNS name doesn't exist".


I will say before this event everything worked very well. Any 
suggestions? I will supply more info if requested. I have a followup 
question after I see the replies.


Marcelo
System Administrator
Helping Hands of Greenup


[Samba] Problem with AD

2007-06-26 Thread Stephan Ellis

Hi All,

 New to the list here.  I am trying to connect my samba box to a Windows
Server 2003 box (yuck).  My users want to be able to access shares on the
samba box with the same credentials they used to log in to the windows
domain.  Am I correct in thinking this is possible?  As far as I can tell
from numerous tutorials and docs, I am.  Anyway, I downloaded MIT's
kerberos5 1.6.1, did configure (with no extra options), make && make
install, everything worked just fine.

Here is my krb5.conf
---SNIP---
[logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

[libdefaults]
   default_realm = EAGLE-SYSTEMS.LOCAL

[realms]
   EAGLE-SYSTEMS.LOCAL = {
   kdc = esass001.eagle-systems.local
   }

[domain_realms]
   .kerberos.server = EAGLE-SYSTEMS.LOCAL
--SNIP-



I ran kinit and it seems to have worked!  Awesome, here is what klist says
--SNIP---
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
06/26/07 09:39:03  06/26/07 19:39:07  krbtgt/EAGLE-
[EMAIL PROTECTED]
   renew until 06/27/07 09:39:03


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
---SNIP-

Next, I compiled samba 3.0.25a on Slackware Linux 11.  Here are the options I
used with configure:

./configure --with-ads --with-krb5=/usr/local --with-winbind --with-libmsrpc
--with-acl-support --with-ldap

It configures, compiles and installs without errors.

Here is my smb.conf
--SNIP--
[global]
workgroup = EAGLE-SYSTEMS
realm = EAGLE-SYSTEMS.LOCAL
preferred master = no
server string = Eagle FTP Server
security = ADS
password server = 192.168.0.20
encrypt passwords = yes
log level = 3
client use spnego = Yes
netbios name = FTP
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
printcap name = cups
printing = cups
idmap uid = 1-2
idmap gid = 1-2

[safety]
path = /home/safety
comment = Safety Officer
valid users = sellis
read only = No
browseable = No
-SNIP--

Notice that for the safety share, I have a valid user called sellis, which
is a user in the Active Directory.

I ran testparm and it said everything was ok. I fired up smbd and nmbd and
they run fine. Next I ran:


# ./net ads join -U esasadmin
esasadmin's password:
Using short domain name -- EAGLE-SYSTEMS
Joined 'FTP' to realm 'EAGLE-SYSTEMS.LOCAL'

And it seems to have worked.  I look under 'Computers' in active directory
and sure enough, FTP shows up in the list.

Next I edited /etc/nsswitch.conf and changed the passwd and group lines to
look like this:
passwd: compat winbind
group:  compat winbind

Now I fired up winbindd and it looked good.  However, whenever I run wbinfo
-u, I see no list of users (it says: Error looking up domain users).  I
check to make sure winbindd is still running, but it isn't.
I looked at the logs for winbindd (specifically log.wb-EAGLE-SYSTEMS) and
it shows this:
-SNIP-
[2007/06/26 14:50:50, 3]
nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains(121)
 [  898]: list trusted domains
[2007/06/26 14:50:50, 0] lib/fault.c:fault_report(41)
 ===
[2007/06/26 14:50:50, 0] lib/fault.c:fault_report(42)
 INTERNAL ERROR: Signal 11 in pid 899 (3.0.25a)
 Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/06/26 14:50:50, 0] lib/fault.c:fault_report(44)

 From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/06/26 14:50:50, 0] lib/fault.c:fault_report(45)
 ===
[2007/06/26 14:50:50, 0] lib/util.c:smb_panic(1632)
 PANIC (pid 899): internal error
[2007/06/26 14:50:50, 0] lib/util.c:log_stack_trace(1736)
 BACKTRACE: 24 stack frames:
  #0 ./winbindd(log_stack_trace+0x26) [0x800bec88]
  #1 ./winbindd(smb_panic+0x76) [0x800beb18]
  #2 ./winbindd [0x800ac248]
  #3 ./winbindd [0x800ac256]
  #4 [0xe420]
  #5 ./winbindd(cm_connect_sam+0x79) [0x8005b915]
  #6 ./winbindd [0x8005ebbb]
  #7 ./winbindd [0x8005f6f2]
  #8 ./winbindd [0x8004970f]
  #9 ./winbindd [0x80049bb9]
  #10 ./winbindd [0x8004ccb2]
  #11 ./winbindd(winbindd_dual_list_trusted_domains+0x9d) [0x80056b5c]
  #12 ./winbindd [0x80063f40]
  #13 ./winbindd [0x800656f5]
  #14 ./winbindd [0x80063bba]
  #15 ./winbindd(async_request+0x154) [0x800637cc]
  #16 ./winbindd(init_child_connection+0x219) [0x80047221]
  #17 ./winbindd(async_domain_request+0xed) [0x80063ced]
  #18 ./winbindd [0x80046c76]
  #19 ./winbindd(rescan_trusted_domains+0x45) [0x80046ffb]
  #20 ./winbindd [0x8003f95d]
  #21 ./winbindd(main+0x652) [0x800404b3]
  #22 /lib/tls/libc.so.6(__libc_start_main+0xd4) [0xb7c60e14]
  #23 ./winbindd [0x8003e661]
[2007/06/26 14:50:50, 0] lib/fault.c:dump_core(181)
 dumping core in /usr/local/samba/var/cores/winbindd
--SNIP--


The interesting thing is that wbi
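Before chasing the winbindd crash, the krb5.conf in the post above is worth a mechanical check, and this added example in Python (not code from the post, MIT Kerberos or Samba) does that. It parses the krb5.conf layout shown (INI-style sections, `key = value`, `{ }` realm blocks) and reports what the MIT library would silently never consult or fail to find: a section name krb5.conf(5) does not define (the post has [domain_realms]; the documented name is [domain_realm], so that mapping is never read), a default_realm with no [realms] entry, a realm with no kdc, and a domain_realm mapping to an unconfigured realm. SAMPLE_KRB5_CONF is a constructed copy of the posted file with the [logging] block dropped.

```python
"""Sanity-check a krb5.conf before chasing winbindd.

Added example, not code from the post, MIT Kerberos or Samba.
SAMPLE_KRB5_CONF is a constructed copy of the posted file (minus
[logging]); KNOWN_SECTIONS lists the section names from krb5.conf(5).
"""
import difflib

KNOWN_SECTIONS = sorted({"libdefaults", "realms", "domain_realm", "logging",
                         "appdefaults", "capaths", "kdcdefaults", "dbmodules",
                         "plugins", "login"})


def parse_krb5_conf(text):
    """{section: {key: value | {subkey: value}}}; one level of '{ }' nesting."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            block = None
        elif section is None:
            continue                      # text before the first section header
        elif line == "}":
            block = None
        elif line.endswith("{"):          # "REALM = {" opens a sub-block
            key = line[:-1].split("=", 1)[0].strip()
            block = conf[section].setdefault(key, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (block if block is not None else conf[section])[key] = value
    return conf


def check_krb5_conf(text):
    """List of findings; an empty list means nothing obviously wrong."""
    conf = parse_krb5_conf(text)
    findings = []
    for name in conf:
        if name not in KNOWN_SECTIONS:
            guess = difflib.get_close_matches(name, KNOWN_SECTIONS, n=1)
            hint = " (did you mean [%s]?)" % guess[0] if guess else ""
            findings.append("[%s] is not a krb5.conf section and is never read%s"
                            % (name, hint))
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        findings.append("[libdefaults] has no default_realm")
    elif default not in realms:
        findings.append("default_realm %s has no [realms] entry" % default)
    for realm, body in realms.items():
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append("[realms] %s names no kdc; KDC lookup depends on DNS SRV records"
                            % realm)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append("[domain_realm] %s maps to unconfigured realm %s"
                            % (domain, realm))
    return findings


SAMPLE_KRB5_CONF = """\
[libdefaults]
   default_realm = EAGLE-SYSTEMS.LOCAL

[realms]
   EAGLE-SYSTEMS.LOCAL = {
   kdc = esass001.eagle-systems.local
   }

[domain_realms]
   .kerberos.server = EAGLE-SYSTEMS.LOCAL
"""

if __name__ == "__main__":
    for finding in check_krb5_conf(SAMPLE_KRB5_CONF) or ["no findings"]:
        print(finding)
```

kinit succeeding, as it did in the post, only exercises [libdefaults] and [realms]; a misnamed [domain_realm] section shows up later, when a host-to-realm mapping is needed for a service principal.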

[Samba] Problem with AD/Samba and too many AD groups

2005-08-11 Thread dwhitlow1
I have a Redhat Enterprise Linux (v3.0) box running Samba 3.0.9-1.3E.3. 
This box only has two Samba shares created on it, each of them with a 
single "valid user" entry. The relevant smb.conf information is 
included below.

The problem is that when user1 tries to connect to \\server\user1 and 
authenticate via AD, the connection fails with a "unknown username or 
bad password" error on their Windows box. On the Samba server, the 
error in the logs relates to NT_STATUS_WRONG_PASSWORD. Here's the catch 
though. When I remove that account from a couple of AD groups, the 
connection succeeds. It appears there is some limit on the number of 
groups that user1 can be a member of. wbinfo -G DOMAIN\\USER1 returns 
~423 AD groups. When I get that number down under ~400, the connection 
works fine. As an aside, user2 belongs to ~180 groups and has no 
problems connecting.

Is there some limit within Samba that can be increased to allow for a 
user to be a member of >400 AD groups? I don't want to remove the user 
from the groups they are a member of if at all possible. Some are dist 
lists, others needed for security and so on.

NGROUPS_MAX is set to 32, but we are obviously way past that limit for 
both accounts, so I don't know if that setting comes into play or not.

Any help on this would be greatly appreciated. Thanks in advance,

Don


# Global parameters
[global]
workgroup = QG
realm = QG.COM
security = ADS
log file = /var/log/samba/%m.log
dns proxy = no
ldap ssl = no
idmap uid = 1-10
idmap gid = 1-10
winbind cache time = 60
winbind enum users = no
winbind enum groups = no
log level = 3

[user1]
path = /user1
valid users = DOMAIN\USER1
read only = No
create mask = 0700
directory mask = 0700
browseable = No

[user2]
path = /user2
valid users = DOMAIN\USER2
read only = No
create mask = 0700
directory mask = 0700
browseable = No


-- Log file output

[2005/08/11 09:27:14, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [domain]
[EMAIL PROTECTED] with the new password interface
[2005/08/11 09:27:14, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2005/08/11 09:27:14, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/08/11 09:27:14, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/08/11 09:27:14, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/08/11 09:27:14, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/08/11 09:27:14, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [user1] -> [user1] 
FAILED
with error NT_STATUS_WRONG_PASSWORD
[2005/08/11 09:27:17, 3] smbd/process.c:process_smb(1091)
  Transaction 5 of length 16626

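The log excerpt in the post shows why a detection rule cannot take NT_STATUS_WRONG_PASSWORD at face value: here it was produced by a group-count problem, not by a bad credential. This added example in Python (not code from the post or from Samba) parses Samba's log layout as shown above, a header line "[YYYY/MM/DD HH:MM:SS, level] file:function(line)" followed by indented message lines, joins the message lines (the post's FAILED line is wrapped across two), extracts check_ntlm_password outcomes per user, and flags users with repeated failures inside a sliding window so that a single account failing steadily (a configuration problem like this one) can be told apart from a burst against many accounts. SAMPLE_LOG is a constructed sample in that format, not the poster's file; the success-line form is assumed from Samba 3 level-3 logging.

```python
"""Pull authentication outcomes out of a Samba 3 log.

Added example, not from the post or from Samba. SAMPLE_LOG is a constructed
sample in the header-plus-indented-message layout the post shows; the
"succeeded" message form is an assumption about Samba 3 level-3 logging.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)")
FAILED_RE = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] "
                       r"FAILED with error (NT_STATUS_\w+)")
OK_RE = re.compile(r"authentication for user \[([^\]]*)\] -> \[([^\]]*)\]"
                   r"(?: -> \[[^\]]*\])? succeeded", re.IGNORECASE)

SAMPLE_LOG = """\
[2005/08/11 09:27:14, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [QG]\\[user1]@[WS01] with the new password interface
[2005/08/11 09:27:14, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED
 with error NT_STATUS_WRONG_PASSWORD
[2005/08/11 09:27:40, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/08/11 09:28:05, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/08/11 09:30:00, 3] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [user2] -> [user2] -> [user2] succeeded
[2005/08/11 11:00:00, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [user2] -> [user2] FAILED with error NT_STATUS_NO_SUCH_USER
"""


def parse_entries(text):
    """[(timestamp, level, location, message)] with wrapped message lines joined."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if current is not None:
                entries.append((current[0], current[1], current[2], " ".join(current[3])))
            current = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                       int(m.group(2)), m.group(3), [])
        elif current is not None and raw.strip():
            current[3].append(raw.strip())
    if current is not None:
        entries.append((current[0], current[1], current[2], " ".join(current[3])))
    return entries


def auth_events(text):
    """[(timestamp, user, outcome)]; outcome is 'ok' or the NT_STATUS code."""
    events = []
    for ts, _level, _location, message in parse_entries(text):
        m = FAILED_RE.search(message)
        if m:
            events.append((ts, m.group(1), m.group(3)))
            continue
        m = OK_RE.search(message)
        if m:
            events.append((ts, m.group(1), "ok"))
    return events


def repeated_failures(text, threshold=3, window=timedelta(minutes=5)):
    """{user: max failures seen inside one `window`} for users at/over `threshold`.

    Sliding window over each user's sorted failure timestamps.
    """
    per_user = defaultdict(list)
    for ts, user, outcome in auth_events(text):
        if outcome != "ok":
            per_user[user].append(ts)
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for ts, user, outcome in auth_events(SAMPLE_LOG):
        print(ts, user, outcome)
    print(repeated_failures(SAMPLE_LOG))
```

In the sample, user1 fails three times in under a minute and is flagged, while user2's single NO_SUCH_USER is not; whether a flagged account is an attack or a case like the post's is then a question for the directory (group count, token size), not for the log alone.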