[Samba] Winbind and home directories....

2009-10-05 Thread Gary Greene
Is there a way to set a different home directory specifically for a given
user with winbind, other than to change the template home directory? This is
with samba 3.2.7 on OpenSuSE 11.1 as joined to an AD running Windows 2003.
Thanks.

-- 
Gary L. Greene, Jr.
==
Developer and Project Lead for the AltimatOS open source project
Volunteer Developer for the KDE open source project
See http://www.altimatos.com/ and http://www.kde.org/ for more information
==

Please avoid sending me Word or PowerPoint attachments.



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-10-01 Thread Jonathan Petersson
So I've looked further at this and noticed that Samba seems to create
its own krb5 config file in
/var/lib/samba/smb_krb5/krb5.conf.PRESIDIO

It seems that if I add custom information to this file it gets
overwritten upon restart of Samba.

The contents of this file are:
[libdefaults]
default_realm = GARNSER.SE
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

[realms]
GARNSER.SE = {
kdc = 172.16.1.2
}

I'm guessing winbind tries to bind with PRESIDIO given the name of the file.

Anyone else seen this before?

/Jonathan

On Mon, Sep 28, 2009 at 4:14 AM, Andrew Masterson
 wrote:
>> [r...@presidio3 ~]# net ads join -U Administrator
>> Enter Administrator's password:
>> [2009/09/23 23:58:48,  0] libads/kerberos.c:ads_kinit_password(362)
>>   kerberos_kinit_password administra...@garnser.se failed: Cannot find
>> KDC for requested realm
>> Failed to join domain: failed to connect to AD: Cannot find KDC for
>> requested realm
>>
>> Any idea why this is?
>
> Do you have
> DOMAIN.NAME = {
> kdc = pdc.domain.name:88
> ...
> }
> In your krb5.conf?  Is your firewall allowing traffic to/from on port 88? Or 
> do you have
> dns_lookup_kdc = no
> in your krb5.conf file? (the default is supposed to be "yes")
> And can you ping the kdc from your box?  Is DNS resolving properly?
> -=Andrew


Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-28 Thread Andrew Masterson
> [r...@presidio3 ~]# net ads join -U Administrator
> Enter Administrator's password:
> [2009/09/23 23:58:48,  0] libads/kerberos.c:ads_kinit_password(362)
>   kerberos_kinit_password administra...@garnser.se failed: Cannot find
> KDC for requested realm
> Failed to join domain: failed to connect to AD: Cannot find KDC for
> requested realm
>
> Any idea why this is?

Do you have 
DOMAIN.NAME = {
kdc = pdc.domain.name:88
...
}
In your krb5.conf?  Is your firewall allowing traffic to/from on port 88? Or do 
you have 
dns_lookup_kdc = no
in your krb5.conf file? (the default is supposed to be "yes")
And can you ping the kdc from your box?  Is DNS resolving properly?
-=Andrew

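Added example, not from the thread and not Samba's own code: an offline checker for the questions Andrew raises above, written to run against the kind of file Jonathan quoted, namely the krb5.conf that Samba 3.2 writes under /var/lib/samba/smb_krb5/ and regenerates on restart. It parses the krb5.conf format, reports whether a kdc is hard-coded for the realm, whether dns_lookup_kdc is switched off (the MIT default is on) and which _kerberos SRV names would be queried otherwise, and flags the enctypes in the generated file: single DES is disabled by default on Windows 7 / Server 2008 R2 and later, and RC4 is legacy, so a KDC that offers only AES will not match any of them. The two embedded configs are constructed samples, one modelled on the quoted generated file and one that reproduces the "Cannot find KDC" condition; pass the realm exactly as it appears in the failing principal in the log, since the generated file is named after the workgroup while its default_realm is the Kerberos realm.

```python
"""Offline check of a krb5.conf for the "Cannot find KDC for requested realm"
failure. Added example for this thread; not Samba code."""
import re

# Constructed sample modelled on the Samba-generated file quoted in the thread.
SAMPLE_GENERATED = """\
[libdefaults]
default_realm = GARNSER.SE
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

[realms]
GARNSER.SE = {
kdc = 172.16.1.2
}
"""

# Constructed sample that reproduces the failure: DNS lookup switched off and
# no [realms] entry for the realm the client asks about.
SAMPLE_BROKEN = """\
[libdefaults]
default_realm = GARNSER.SE
dns_lookup_kdc = no

[realms]
OTHER.EXAMPLE = {
kdc = kdc.other.example:88
}
"""

DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
RC4_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                "rc4-hmac-exp", "arcfour-hmac-exp", "arcfour-hmac-md5-exp"}
SECTION_RE = re.compile(r"\[(\w+)\]")
GROUP_RE = re.compile(r"([^=\s]+)\s*=\s*\{")
RELATION_RE = re.compile(r"([^=\s]+)\s*=\s*(.*)")


def parse_krb5_conf(text):
    """{section: {tag: [values]}}; a '{ }' group such as 'GARNSER.SE = { ... }'
    becomes a nested dict, and repeated tags (several 'kdc =') accumulate."""
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            section, group = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"relation outside any section: {line!r}")
        if line == "}":
            group = None
            continue
        m = GROUP_RE.fullmatch(line)
        if m:
            group = section.setdefault(m.group(1), {})
            continue
        m = RELATION_RE.fullmatch(line)
        if not m:
            raise ValueError(f"cannot parse: {line!r}")
        target = group if group is not None else section
        target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def kdc_discovery(conf, realm):
    """How the krb5 library would find a KDC for `realm`. MIT defaults
    dns_lookup_kdc to true, so the error needs both 'no hard-coded kdc' and
    'DNS lookup off (or SRV records absent / port 88 blocked)'."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    dns_lookup = flag.lower() in ("true", "yes", "1", "on")
    return {
        "realm": realm,
        "kdcs": kdcs,
        "dns_lookup_kdc": dns_lookup,
        # SRV names queried when nothing is hard-coded (UDP first, then TCP).
        "srv_records": [f"_kerberos._{p}.{realm.lower()}" for p in ("udp", "tcp")],
        "locatable": bool(kdcs) or dns_lookup,
    }


def enctype_findings(conf):
    """Per enctype list: DES types (weak; off by default on Windows 7 /
    Server 2008 R2 and later), RC4 types (legacy), and whether AES is offered."""
    findings = {}
    for tag, values in conf.get("libdefaults", {}).items():
        if not tag.endswith("enctypes"):
            continue
        etypes = [e.lower() for v in values for e in v.split()]
        findings[tag] = {
            "des": [e for e in etypes if e in DES_ENCTYPES],
            "rc4": [e for e in etypes if e in RC4_ENCTYPES],
            "aes": any(e.startswith("aes") for e in etypes),
        }
    return findings


def check_realm(text, realm):
    """Summary for one krb5.conf body and the realm named in the log line."""
    conf = parse_krb5_conf(text)
    return {"kdc": kdc_discovery(conf, realm), "enctypes": enctype_findings(conf)}
```

check_realm(SAMPLE_BROKEN, "GARNSER.SE") reports no kdc and dns_lookup_kdc off, which is the configuration Andrew's questions are probing for; check_realm(SAMPLE_GENERATED, "GARNSER.SE") finds the hard-coded 172.16.1.2 but no AES enctype at all, which is worth knowing before the DCs are hardened to refuse DES and RC4.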

Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-24 Thread Adam Nielsen
> [r...@presidio3 ~]# net ads join -U Administrator
> Enter Administrator's password:
> [2009/09/23 23:58:48,  0] libads/kerberos.c:ads_kinit_password(362)
>   kerberos_kinit_password administra...@garnser.se failed: Cannot find
> KDC for requested realm
> Failed to join domain: failed to connect to AD: Cannot find KDC for
> requested realm
> 
> Any idea why this is?

Well I've never seen that before, but according to the list archives:

"This is a krb5 lib thing.  Either hardcode the KDCs in /etc/krb5.conf
or enable DNS SRV lookups in the krb5 libs."

Since I don't have /etc/krb5.conf it would seem that my Kerberos libs
are compiled with DNS SRV lookups enabled.  It looks like using kinit
first is a way around it, but I'd then be worried that further
authentication issues may arise if Samba doesn't know where the KDC is.

Cheers,
Adam.


Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-24 Thread Jonathan Petersson
So I reverted back to an old snapshot and gave this a quick test.
Without any kerberos configuration I get the following error-message
when I try to join the domain:

[r...@presidio3 ~]# net ads join -U Administrator
Enter Administrator's password:
[2009/09/23 23:58:48,  0] libads/kerberos.c:ads_kinit_password(362)
  kerberos_kinit_password administra...@garnser.se failed: Cannot find
KDC for requested realm
Failed to join domain: failed to connect to AD: Cannot find KDC for
requested realm

Any idea why this is?

Thanks

/Jonathan

On Wed, Sep 23, 2009 at 11:53 PM, Jonathan Petersson
 wrote:
> Going to try this a bit more tomorrow with a fresh install, please see
> inline responses.
>
> I'm thinking that I may have some Kerberos stuff hanging around; I
> noticed that there's a smb_krb5 directory with KDC data in
> /var/lib/samba.
>
> On Wed, Sep 23, 2009 at 11:37 PM, Adam Nielsen  wrote:
>>> Thanks for the input Adam,
>>>
>>> In my case I've full control of the AD domain and just run net ads
>>> join which is successful, shows up in AD.
>>>
>>> Here's my current config, can you see anything in it that I should
>>> consider adding or removing?
>>>
>>> [global]
>>>    workgroup = PRESIDIO
>>>    password server = pdc.garnser.se
>>>    realm = garnser.se
>>
>> I would remove the password server, and (not being that familiar with
>> the set up side of AD) shouldn't the workgroup be GARNSER?  Or the realm
>> be presidio.garnser.se?  Mind you if you can join the domain it would
>> seem these values are correct.
>
> I named my workgroup differently from the domain/realm, I can
> successfully join the domain.
>
>>
>> Just to confirm these values are correct, on a Windows PC, go Control
>> Panel, System, Computer Name (where you can rename the PC) and on that
>> page it should list the domain - is that garnser.se?  That domain should
>> be what is put in the realm.
>
> The domain is equal to the realm.
>
>>
>> Likewise when you log in to a Windows PC, you can choose the domain you
>> want to log in to from a drop-down list.  Is that PRESIDIO?  The value
>> there should be the same as what you put in workgroup.
>
> This is the same.
>
>>
>>>    template shell = /bin/bash
>>
>> This will allow your AD users to SSH into your machine (just checking!)
>
> Yes that's intentional.
>
>>
>>>    netbios name = presidio3
>>
>> Is presidio3.garnser.se the full DNS name of your machine?  Not sure if
>> it makes a difference but it can't hurt to make the NetBIOS and DNS
>> names match.
>
> It's identical.
>
>>
>>>    use kerberos keytab = yes
>>>    client use spnego = yes
>>
>> I don't have either of these two options set.
>>
>>>    auth methods = winbind
>>
>> I don't have "auth methods" set, and the manpage recommends against
>> setting it.
>>
>> Otherwise it looks fine.  After updating these options you could try
>> erasing all Samba's .tdb files to make it forget it belongs to a domain,
>> then add it again fresh.  I would be very surprised if that didn't work.
>
> Thanks again!
>
> /Jonathan
>


Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-23 Thread Jonathan Petersson
Going to try this a bit more tomorrow with a fresh install, please see
inline responses.

I'm thinking that I may have some Kerberos stuff hanging around; I
noticed that there's a smb_krb5 directory with KDC data in
/var/lib/samba.

On Wed, Sep 23, 2009 at 11:37 PM, Adam Nielsen  wrote:
>> Thanks for the input Adam,
>>
>> In my case I've full control of the AD domain and just run net ads
>> join which is successful, shows up in AD.
>>
>> Here's my current config, can you see anything in it that I should
>> consider adding or removing?
>>
>> [global]
>>    workgroup = PRESIDIO
>>    password server = pdc.garnser.se
>>    realm = garnser.se
>
> I would remove the password server, and (not being that familiar with
> the set up side of AD) shouldn't the workgroup be GARNSER?  Or the realm
> be presidio.garnser.se?  Mind you if you can join the domain it would
> seem these values are correct.

I named my workgroup differently from the domain/realm, I can
successfully join the domain.

>
> Just to confirm these values are correct, on a Windows PC, go Control
> Panel, System, Computer Name (where you can rename the PC) and on that
> page it should list the domain - is that garnser.se?  That domain should
> be what is put in the realm.

The domain is equal to the realm.

>
> Likewise when you log in to a Windows PC, you can choose the domain you
> want to log in to from a drop-down list.  Is that PRESIDIO?  The value
> there should be the same as what you put in workgroup.

This is the same.

>
>>    template shell = /bin/bash
>
> This will allow your AD users to SSH into your machine (just checking!)

Yes that's intentional.

>
>>    netbios name = presidio3
>
> Is presidio3.garnser.se the full DNS name of your machine?  Not sure if
> it makes a difference but it can't hurt to make the NetBIOS and DNS
> names match.

It's identical.

>
>>    use kerberos keytab = yes
>>    client use spnego = yes
>
> I don't have either of these two options set.
>
>>    auth methods = winbind
>
> I don't have "auth methods" set, and the manpage recommends against
> setting it.
>
> Otherwise it looks fine.  After updating these options you could try
> erasing all Samba's .tdb files to make it forget it belongs to a domain,
> then add it again fresh.  I would be very surprised if that didn't work.

Thanks again!

/Jonathan


Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-23 Thread Adam Nielsen
> Thanks for the input Adam,
> 
> In my case I've full control of the AD domain and just run net ads
> join which is successful, shows up in AD.
> 
> Here's my current config, can you see anything in it that I should
> consider adding or removing?
> 
> [global]
>workgroup = PRESIDIO
>password server = pdc.garnser.se
>realm = garnser.se

I would remove the password server, and (not being that familiar with
the set up side of AD) shouldn't the workgroup be GARNSER?  Or the realm
be presidio.garnser.se?  Mind you if you can join the domain it would
seem these values are correct.

Just to confirm these values are correct, on a Windows PC, go Control
Panel, System, Computer Name (where you can rename the PC) and on that
page it should list the domain - is that garnser.se?  That domain should
be what is put in the realm.

Likewise when you log in to a Windows PC, you can choose the domain you
want to log in to from a drop-down list.  Is that PRESIDIO?  The value
there should be the same as what you put in workgroup.

>template shell = /bin/bash

This will allow your AD users to SSH into your machine (just checking!)

>netbios name = presidio3

Is presidio3.garnser.se the full DNS name of your machine?  Not sure if
it makes a difference but it can't hurt to make the NetBIOS and DNS
names match.

>use kerberos keytab = yes
>client use spnego = yes

I don't have either of these two options set.

>auth methods = winbind

I don't have "auth methods" set, and the manpage recommends against
setting it.

Otherwise it looks fine.  After updating these options you could try
erasing all Samba's .tdb files to make it forget it belongs to a domain,
then add it again fresh.  I would be very surprised if that didn't work.

Cheers,
Adam.


Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-23 Thread Jonathan Petersson
Thanks for the input Adam,

In my case I've full control of the AD domain and just run net ads
join which is successful, shows up in AD.

Here's my current config, can you see anything in it that I should
consider adding or removing?

[global]
   workgroup = PRESIDIO
   password server = pdc.garnser.se
   realm = garnser.se
   security = ads
   winbind use default domain = yes
   winbind trusted domains only = yes
   winbind offline logon = false
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind separator = +
   idmap uid = 8000-33554431
   idmap gid = 8000-33554431
   template shell = /bin/bash
   server string = Samba Server Version %v
   netbios name = presidio3
   log file = /var/log/samba/log.%m
   max log size = 1000
   passdb backend = tdbsam
   use kerberos keytab = yes
   encrypt passwords = yes
   preferred master = no
   idmap backend = ad
   client use spnego = yes  
   load printers = yes
   cups options = raw
   auth methods = winbind

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
read only = no

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

Thanks again

/Jonathan

On Wed, Sep 23, 2009 at 10:41 PM, Adam Nielsen  wrote:
>> The Kerberos stuff is for the PAM auth, although I thought this was
>> necessary for the Samba stuff too.
>
> Winbind is also an alternative for this, by making all the AD users
> visible as if they were accounts on the local machine.  Having winbind
> working is also crucial to being able to grant AD groups access to
> certain areas of your filesystem.
>
>> Also, as far as the workgroup-name goes it's true it's the shorter
>> name but in my case the short name is PRESIDIO.
>>
>> Could you send me a copy of your config? I'm obviously a bit off
>> hacking kerberos.
>
> Here's the relevant bit from a server I put into production last night.
>  The machine name is sambaserver.mydomain.com:
>
> workgroup = MYDOMAIN
> netbios name = sambaserver
> security = ads
> realm = MYDOMAIN.COM
>
> Once that's done I precreated the account in AD (otherwise the machine
> account will be created somewhere I haven't been delegated access to)
> then I ran "net ads join -U " where  is an account
> with access to join the machine to the domain (which you choose when
> adding the account to the domain - don't prefix it with MYDOMAIN\\ or
> @MYDOMAIN.COM) and then it may come up with some errors, but running
> "net ads testjoin" will hopefully return "OK".
>
> All the other options in my Samba config are related to shares, winbind,
> etc. but nothing to do with the domain.
>
> Cheers,
> Adam.
>


Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-23 Thread Adam Nielsen
> The Kerberos stuff is for the PAM auth, although I thought this was
> necessary for the Samba stuff too.

Winbind is also an alternative for this, by making all the AD users
visible as if they were accounts on the local machine.  Having winbind
working is also crucial to being able to grant AD groups access to
certain areas of your filesystem.

> Also, as far as the workgroup-name goes it's true it's the shorter
> name but in my case the short name is PRESIDIO.
> 
> Could you send me a copy of your config? I'm obviously a bit off
> hacking kerberos.

Here's the relevant bit from a server I put into production last night.
 The machine name is sambaserver.mydomain.com:

workgroup = MYDOMAIN
netbios name = sambaserver
security = ads
realm = MYDOMAIN.COM

Once that's done I precreated the account in AD (otherwise the machine
account will be created somewhere I haven't been delegated access to)
then I ran "net ads join -U " where  is an account
with access to join the machine to the domain (which you choose when
adding the account to the domain - don't prefix it with MYDOMAIN\\ or
@MYDOMAIN.COM) and then it may come up with some errors, but running
"net ads testjoin" will hopefully return "OK".

All the other options in my Samba config are related to shares, winbind,
etc. but nothing to do with the domain.

Cheers,
Adam.


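Added example, not from the thread and not Samba's code: a static check of an smb.conf [global] section that encodes the points Adam makes in this exchange and in his review of Jonathan's full config (security = ads; workgroup as the short NetBIOS domain name; realm as the DNS domain; netbios name matching the host name; password server and auth methods left unset on a domain member). The two embedded configs are constructed samples modelled on Jonathan's and Adam's posts, and the host names passed in are assumptions. Whether the workgroup really is the domain's NetBIOS name cannot be decided offline, which is exactly what Adam suggests verifying on a Windows PC; the check only rejects values that cannot be a NetBIOS name at all.

```python
"""Static checks of an smb.conf [global] section for an AD member server.
Added example for this thread; not Samba code and not a participant's."""
import re

# Constructed sample modelled on the config Jonathan posted.
SAMPLE_MEMBER = """\
[global]
   workgroup = PRESIDIO
   password server = pdc.garnser.se
   realm = garnser.se
   security = ads
   winbind use default domain = yes
   template shell = /bin/bash
   netbios name = presidio3
   use kerberos keytab = yes
   encrypt passwords = yes
   client use spnego = yes
   auth methods = winbind
"""

# Constructed sample modelled on the minimal working config Adam posted.
SAMPLE_MINIMAL = """\
[global]
workgroup = MYDOMAIN
netbios name = sambaserver
security = ads
realm = MYDOMAIN.COM
"""


def parse_smb_conf(text):
    """{section: {parameter: value}}; parameter names lower-cased with inner
    whitespace collapsed, as Samba treats them. '#' and ';' lines are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = conf.setdefault(m.group(1).strip().lower(), {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line: {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        section[" ".join(key.lower().split())] = value
    return conf


def check_ad_member(text, host_fqdn):
    """List of (level, code, message) findings. `host_fqdn` is the machine's
    DNS name, compared against netbios name and realm."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    def val(key):
        return g.get(key, "").strip()

    def add(level, code, msg):
        findings.append((level, code, msg))

    if val("security").lower() != "ads":
        add("error", "security-not-ads", "an AD member needs security = ads")
    realm, workgroup = val("realm"), val("workgroup")
    if not realm:
        add("error", "realm-missing", "realm must be the AD DNS domain (Kerberos realm)")
    elif realm != realm.upper():
        add("info", "realm-not-uppercase", "Kerberos realm names are conventionally upper case")
    if not workgroup:
        add("error", "workgroup-missing", "workgroup must be the short (NetBIOS) domain name")
    elif "." in workgroup or len(workgroup) > 15:
        add("error", "workgroup-not-netbios", "NetBIOS domain names have no dots and at most 15 characters")
    short_host = host_fqdn.split(".", 1)[0]
    if (val("netbios name") or short_host).lower() != short_host.lower():
        add("warn", "netbios-name-mismatch", "netbios name differs from the host name; SPNs registered at join will not match the host's DNS name")
    if realm and not host_fqdn.lower().endswith("." + realm.lower()):
        add("info", "host-outside-realm-domain", "host DNS name is not under the realm's DNS domain; a [domain_realm] mapping may be needed")
    if val("password server"):
        add("warn", "password-server-pinned", "with security = ads Samba discovers DCs itself; pinning one host removes failover")
    if val("auth methods"):
        add("warn", "auth-methods-set", "the smb.conf manpage recommends leaving auth methods unset")
    if val("encrypt passwords").lower() in ("no", "false", "0"):
        add("error", "encrypt-passwords-off", "plaintext SMB passwords do not work against AD")
    return findings


def codes(findings):
    """Just the finding codes, for quick comparison."""
    return {code for _, code, _ in findings}
```

Run check_ad_member(SAMPLE_MEMBER, "presidio3.garnser.se") and the two warnings are the two lines Adam asked to remove; Adam's four-line config passes clean for "sambaserver.mydomain.com". The check is deliberately read-only: it never touches the .tdb files, so the "forget the domain and join again" step Adam mentions stays a separate, deliberate action.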

Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-23 Thread Jonathan Petersson
The Kerberos stuff is for the PAM auth, although I thought this was
necessary for the Samba stuff too.

Also, as far as the workgroup-name goes it's true it's the shorter
name but in my case the short name is PRESIDIO.

Could you send me a copy of your config? I'm obviously a bit off
hacking kerberos.

Thanks

/Jonathan

On Wed, Sep 23, 2009 at 8:16 PM, Adam Nielsen  wrote:
>> This specific instance is intended to host shares for which users
>> authenticate with their AD credentials, the normal authentication for
>> the system works fine and so does joining the domain. As mentioned
>> earlier initializing kinit and wbinfo returns the expected results and
>> the server shows up as a member in AD.
>
> I'm a bit confused about what you had to do with kinit, keytabs and
> Kerberos, because we've never touched anything to do with Kerberos and
> people can log on to our domain and browse the shares on our Samba
> servers with the AD username passed through (i.e. no separate log on to
> Samba.)  It sounds like this is what you're trying to achieve.
>
> We just joined each Samba machine to the domain ("net ads join") and it
> worked straight away.
>
> The first time I did this a few years ago I messed around with the
> Kerberos stuff before realising that apparently it's not necessary...
>
> Cheers,
> Adam.
>


Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-23 Thread Adam Nielsen
> This specific instance is intended to host shares for which users
> authenticate with their AD credentials, the normal authentication for
> the system works fine and so does joining the domain. As mentioned
> earlier initializing kinit and wbinfo returns the expected results and
> the server shows up as a member in AD.

I'm a bit confused about what you had to do with kinit, keytabs and
Kerberos, because we've never touched anything to do with Kerberos and
people can log on to our domain and browse the shares on our Samba
servers with the AD username passed through (i.e. no separate log on to
Samba.)  It sounds like this is what you're trying to achieve.

We just joined each Samba machine to the domain ("net ads join") and it
worked straight away.

The first time I did this a few years ago I messed around with the
Kerberos stuff before realising that apparently it's not necessary...

Cheers,
Adam.



Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-23 Thread Jonathan Petersson
This specific instance is intended to host shares for which users
authenticate with their AD credentials, the normal authentication for
the system works fine and so does joining the domain. As mentioned
earlier initializing kinit and wbinfo returns the expected results and
the server shows up as a member in AD.

I'll try to replace the workgroup with the realm-data.

Thanks

/Jonathan

On Wed, Sep 23, 2009 at 7:02 PM, Adam Nielsen  wrote:
>> As it seems the server tries to authenticate as pdc$ rather than
>> presidio3$ which is the hostname of the server and the name it's
>> registered as. What could the cause of this be?
>>
>> smb.conf:
>>    workgroup = PRESIDIO
>>    password server = pdc.domain.com
>>    realm = DOMAIN.COM
>>    security = ads
>>       netbios name = presidio3
>
> I think the workgroup is meant to be the short version of the domain, so
> if your realm is DOMAIN.COM your workgroup should be DOMAIN.
>
> Are you trying to join Samba to the domain?  If so, you shouldn't need
> to specify a password server, that's only used to check passwords when
> Samba isn't part of the domain (IIRC.)  If you intend to add Samba as a
> normal PC inside the domain then password authentication will work
> (perhaps courtesy of winbind) without specifying a password server.
>
> Cheers,
> Adam.
>


Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-23 Thread Adam Nielsen
> As it seems the server tries to authenticate as pdc$ rather than
> presidio3$ which is the hostname of the server and the name it's
> registered as. What could the cause of this be?
> 
> smb.conf:
>workgroup = PRESIDIO
>password server = pdc.domain.com
>realm = DOMAIN.COM
>security = ads
>   netbios name = presidio3

I think the workgroup is meant to be the short version of the domain, so
if your realm is DOMAIN.COM your workgroup should be DOMAIN.

Are you trying to join Samba to the domain?  If so, you shouldn't need
to specify a password server, that's only used to check passwords when
Samba isn't part of the domain (IIRC.)  If you intend to add Samba as a
normal PC inside the domain then password authentication will work
(perhaps courtesy of winbind) without specifying a password server.

Cheers,
Adam.



Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-23 Thread Jonathan Petersson
Also, looking further at this, shouldn't winbind use the realm rather
than the workgroup for this?

Thanks

/Jonathan

On Wed, Sep 23, 2009 at 11:04 AM, Jonathan Petersson
 wrote:
> Hi all,
>
> I've been working on getting Samba to authenticate via ADS for the
> past few weeks with some lack of success. I had somewhat of a
> breakthrough the other day realizing that the problem was related to
> the kerberos authentication between Samba and the Win 2008 R2 AD
> server. Trying to fix this I generated a keytab with ktpass which I
> uploaded to the server.
>
> I've been successful in joining the server to the domain; wbinfo and
> kinit respond as one wants them to, but upon samba and winbind
> starting I'm seeing the following in the logs, which I'm guessing is
> the cause of my being unable to authenticate any users:
>
> log.wb-PRESIDIO
>  ads_krb5_mk_req: krb5_get_credentials failed for p...@presidio
> (Cannot find KDC for requested realm)
> [2009/09/23 10:54:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> find KDC for requested realm
> [2009/09/23 10:54:31,  0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(494)
>  cli_pipe_verify_schannel: auth_len 56.
>
> log.winbindd
> [2009/09/23 10:54:30,  0]
> winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
>  initialize_winbindd_cache: clearing cache and re-creating with
> version number 1
> [2009/09/23 10:54:31,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>  ads_krb5_mk_req: krb5_get_credentials failed for p...@presidio
> (Cannot find KDC for requested realm)
> [2009/09/23 10:54:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> find KDC for requested realm
> [2009/09/23 10:54:31,  1] winbindd/winbindd_util.c:trustdom_recv(303)
>  Could not receive trustdoms
>
> As it seems the server tries to authenticate as pdc$ rather than
> presidio3$ which is the hostname of the server and the name it's
> registered as. What could the cause of this be?
>
> smb.conf:
>   workgroup = PRESIDIO
>   password server = pdc.domain.com
>   realm = DOMAIN.COM
>   security = ads
>   idmap uid = 8000-33554431
>   idmap gid = 8000-33554431
>   winbind separator = +
>   template shell = /bin/bash
>   winbind use default domain = yes
>   winbind offline logon = false
> ...
>        server string = presidio3
>
>        netbios name = presidio3
>
> Please advise.
>
> Thanks
>
> /Jonathan
>


[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-23 Thread Jonathan Petersson
Hi all,

I've been working on getting Samba to authenticate via ADS for the
past few weeks with some lack of success. I had somewhat of a
breakthrough the other day realizing that the problem was related to
the kerberos authentication between Samba and the Win 2008 R2 AD
server. Trying to fix this I generated a keytab with ktpass which I
uploaded to the server.

I've been successful in joining the server to the domain; wbinfo and
kinit respond as one wants them to, but upon samba and winbind
starting I'm seeing the following in the logs, which I'm guessing is
the cause of my being unable to authenticate any users:

log.wb-PRESIDIO
  ads_krb5_mk_req: krb5_get_credentials failed for p...@presidio
(Cannot find KDC for requested realm)
[2009/09/23 10:54:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
find KDC for requested realm
[2009/09/23 10:54:31,  0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(494)
  cli_pipe_verify_schannel: auth_len 56.

log.winbindd
[2009/09/23 10:54:30,  0]
winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
  initialize_winbindd_cache: clearing cache and re-creating with
version number 1
[2009/09/23 10:54:31,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
  ads_krb5_mk_req: krb5_get_credentials failed for p...@presidio
(Cannot find KDC for requested realm)
[2009/09/23 10:54:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
find KDC for requested realm
[2009/09/23 10:54:31,  1] winbindd/winbindd_util.c:trustdom_recv(303)
  Could not receive trustdoms

As it seems the server tries to authenticate as pdc$ rather than
presidio3$ which is the hostname of the server and the name it's
registered as. What could the cause of this be?

smb.conf:
   workgroup = PRESIDIO
   password server = pdc.domain.com
   realm = DOMAIN.COM
   security = ads
   idmap uid = 8000-33554431
   idmap gid = 8000-33554431
   winbind separator = +
   template shell = /bin/bash
   winbind use default domain = yes
   winbind offline logon = false
...
server string = presidio3

netbios name = presidio3

Please advise.

Thanks

/Jonathan


Re: [Samba] winbind idmap question

2009-09-17 Thread James Zuelow
 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Christian
> Sent: Thursday, 17 September, 2009 10:01
> To: samba
> Subject: [Samba] winbind idmap question
> 
> Hi,
> 
> how do I tell winbind to use "UserId" from AD, and not do its own
> mapping of IDs?
> AD is win2003 R2 Std with sfu.
> 
> What I did/tried:
> current (this did not work):
> 
> #  winbind separator = \
> winbind use default domain = Yes
> winbind nested groups = Yes
> #  winbind cache time = 600
> template shell = /bin/bash
> #  template homedir = /home/%D/%U
> template homedir = /home/%U
> idmap uid = 1-2
> idmap gid = 1-2
> winbind enum groups = Yes
> winbind enum users = Yes
> security = domain
> #  security = ads
> # Where do we get our user information from?
> password server = srv-001.domain.local
> 
> tried (did not work either, and is very slow finding users):
>winbind use default domain = Yes
>winbind nested groups = Yes
>winbind nss info = rfc2307
> 
>idmap domains = DOMAIN
> 
>idmap config DOMAIN:backend = ad
>idmap config DOMAIN:default = Yes
>idmap config DOMAIN:range = 1 - 1
>idmap config DOMAIN:schema_mode = rfc2307
> security = domain
> #  security = ads
> # Where do we get our user information from?
> password server = srv-001.domain.local
> 
> samba version is 3.2.7
> 
> Thanks for your ideas
> Kind Regards
> Chris

From Samba version 3.2.5 (Debian Lenny) and 3.3.6 (Lenny backports). This
config works for me in both versions, so I'm confident it will work in 3.2.7:

idmap domains = YOUR_DOMAIN
idmap config YOUR_DOMAIN:backend = rid
idmap config YOUR_DOMAIN:base_rid = 0
idmap config YOUR_DOMAIN:range = 1 - 4

We have a Server 2003 native forest/domain not 2003 R2, and we do not have sfu 
deployed.  So the environment is a little different.



James Zuelow          CBJ MIS          (907) 586-0236
Network Specialist    Registered Linux User No. 186591

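Added example, not from the thread and not Samba's code: the arithmetic behind James's idmap_rid config, so you can predict the uid a given SID gets on the member server and check that the ranges of two domains cannot collide. The mapping follows the rule documented for idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID; a RID that lands outside the range gets no Unix ID at all, which shows up as a user or group winbind simply cannot resolve. Unlike the idmap_ad/rfc2307 setup Christian tried, idmap_rid never reads uidNumber from AD, so it cannot reuse the "UserId" stored there; what it gives you instead is a deterministic mapping that is identical on every member server without a shared idmap store. The range numbers in the thread did not survive the archive, so the embedded config uses constructed values (10000-40000 and 40001-70000), a second hypothetical domain, and made-up domain SIDs.

```python
"""Predict the Unix IDs Samba's idmap_rid backend hands out and check that
several domains' ranges do not collide. Added example for this thread; not
Samba code. Rule from idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID."""
import re

# Constructed sample in the style of James's config, with concrete numbers in
# place of the ones lost in the archive, plus a second domain for the overlap
# check. Not a config from the thread.
SAMPLE_SMB_CONF = """\
[global]
   idmap domains = YOUR_DOMAIN TRUSTED
   idmap config YOUR_DOMAIN:backend = rid
   idmap config YOUR_DOMAIN:base_rid = 0
   idmap config YOUR_DOMAIN:range = 10000 - 40000
   idmap config TRUSTED:backend = rid
   idmap config TRUSTED:base_rid = 0
   idmap config TRUSTED:range = 40001 - 70000
"""

# Hypothetical domain SIDs for the two configured domains (assumed values).
DOMAIN_SIDS = {
    "YOUR_DOMAIN": "S-1-5-21-1111111111-2222222222-3333333333",
    "TRUSTED": "S-1-5-21-4444444444-5555555555-6666666666",
}

IDMAP_RE = re.compile(r"idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+)", re.IGNORECASE)
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_idmap_config(text):
    """Collect 'idmap config DOMAIN:option = value' lines into
    {DOMAIN: {option: value}}; DOMAIN is upper-cased as Samba does."""
    cfg = {}
    for raw in text.splitlines():
        m = IDMAP_RE.fullmatch(raw.strip())
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
    return cfg


def id_range(cfg, domain):
    """(low, high, base_rid) for a domain configured with backend = rid."""
    dom = cfg[domain.upper()]
    if dom.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain}: backend is {dom.get('backend')!r}, not rid")
    low, high = (int(x) for x in dom["range"].replace(" ", "").split("-"))
    if low > high:
        raise ValueError(f"{domain}: range {low}-{high} is inverted")
    return low, high, int(dom.get("base_rid", "0"))


def rid_to_id(cfg, domain, rid):
    """Unix ID for `rid` in `domain`, or None when it falls outside the range
    (winbind then has no uid/gid for that SID)."""
    low, high, base_rid = id_range(cfg, domain)
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def id_to_rid(cfg, domain, unix_id):
    """Inverse mapping, used when a uid on disk is resolved back to a SID."""
    low, high, base_rid = id_range(cfg, domain)
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid


def sid_to_id(cfg, domain_sids, sid):
    """Map a full SID to (domain, unix_id) via the known domain SIDs; None for
    unknown domains, non-domain SIDs, or RIDs outside the range."""
    m = SID_RE.match(sid)
    if not m:
        return None
    for domain, domain_sid in domain_sids.items():
        if m.group(1) == domain_sid and domain.upper() in cfg:
            unix_id = rid_to_id(cfg, domain, int(m.group(2)))
            return None if unix_id is None else (domain, unix_id)
    return None


def overlapping_ranges(cfg):
    """Pairs of domains whose ID ranges intersect. An overlap means two
    different SIDs share one uid, so file ownership bleeds across domains."""
    spans = sorted((id_range(cfg, d)[:2], d) for d in cfg)
    return [(a, b) for ((_, hi_a), a), ((lo_b, _), b) in zip(spans, spans[1:]) if lo_b <= hi_a]
```

With these constructed ranges, RID 1105 in YOUR_DOMAIN becomes uid 11105 and the same RID in TRUSTED becomes 41106; widen TRUSTED's range to start at 30000 and overlapping_ranges() reports the collision before it reaches a file system.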

[Samba] winbind idmap question

2009-09-17 Thread Christian
Hi,

how do I tell winbind to use "UserId" from AD, and not do its own
mapping of IDs?
AD is win2003 R2 Std with sfu.

What I did/tried:
current (this did not work):

#  winbind separator = \
winbind use default domain = Yes
winbind nested groups = Yes
#  winbind cache time = 600
template shell = /bin/bash
#  template homedir = /home/%D/%U
template homedir = /home/%U
idmap uid = 1-2
idmap gid = 1-2
winbind enum groups = Yes
winbind enum users = Yes
security = domain
#  security = ads
# Where do we get our user information from?
password server = srv-001.domain.local

tried (did not work either, and is very slow finding users):
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind nss info = rfc2307

   idmap domains = DOMAIN

   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:default = Yes
   idmap config DOMAIN:range = 1 - 1
   idmap config DOMAIN:schema_mode = rfc2307
security = domain
#  security = ads
# Where do we get our user information from?
password server = srv-001.domain.local

samba version is 3.2.7

Thanks for your ideas
Kind Regards
Chris


[Samba] winbind enum groups/users = no

2009-08-26 Thread Andrew Masterson
After a bunch of reading, the most information I can find on turning
these off is that they will speed up certain tasks, and this warning:

"Warning: Turning off group enumeration may cause some programs to
behave oddly."

Does anyone have any more information on what programs may "behave
oddly"?  Is this a server side odd-behaviour, client-side or both?

(Using ls on some small directories seems to take a while presumably
because it is busy getting the updated user/group information from the
PDC, so I was wondering about turning these parameters off.)


[Samba] Winbind problem with GID range and idmap_rid

2009-08-24 Thread Arendt, Volker
Hello all,

We get a weird error on our 3.4.0 samba server. The log.winbind-idmap shows the 
following entries:

[2009/08/24 16:35:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2009/08/24 16:35:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2009/08/24 16:35:53,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2009/08/24 16:35:53,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2009/08/24 16:35:53,  1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
  Fatal Error: GID range full!! (max: 49)

What can be the cause for this kind of error? Is our idmap_rid not configured 
correctly?  

Please have a look

Volker
smb.conf
---
[global]

# 
# setting base configuration parameters
#
# 
workgroup = FB6
netbios name = FRIGG
server string = AFS
security = ADS
realm = FB6.UNI-WUPPERTAL.DE
auth methods = winbind
# password server = AD logon server
password server = 132.195.120.9 132.195.120.12
wins server = 132.195.120.12
client use spnego = yes
client signing = yes
# added because of ticket #5344
#client lanman auth = no
#client ntlmv2 auth = yes
encrypt passwords = yes
host msdfs = no
#domain logons = yes

# for Samba 3.3.0
# so that no encrypted connection to the domain controller
# is established
ldap ssl = no
obey pam restrictions = no

# -
# printer settings
# ??? better disable these settings ???
# -
# printcap name = cups
# disable spoolss = Yes
# show add printer wizard = No
# -
# ID mapping parameters
# mapping windows users to unix users
# this is performed on the basis of sid on windows and
# unix with uid for users and gid for groups
# the backend parameter rid allows to get the same mapping
# from sid to uid because it is determined algorithmically
# that way we get the same mapping even if we use samba on
# several disparate systems
# CHANGE NOTIFICATION: with v3.3.0 there are changes
# to idmap; idmap domains is no longer supported
# -
#idmap domains = FB6
#idmap backend = rid
idmap backend = tdb
idmap config FB6:backend   = rid
#idmap config FB6:base_rid  = 0
idmap config FB6:range = 1 - 49
idmap uid = 1-49
idmap gid = 1-49

winbind separator =+
winbind use default domain = Yes
winbind enum users = no
winbind enum groups = no
winbind cache time = 60
winbind gid = 1-49
winbind uid = 1-49

#template homedir = /gpfs/fbb/user/%U
#template shell = /opt/pware/bin/bash
#use sendfile = Yes
#printing = cups
#ldap suffix = "dc=FB6, dc=UNI-WUPPERTAL, dc=DE"

#---
# Logging options
#
#---
#
# higher log levels have a negative impact on performance
log level = 3
log file = /opt/pware/var/log/fbb.frigg.log.%m
max log size = 50
debug timestamp = yes
#utmp = yes

#---
# ACL Support
#
#---
map acl inherit = yes
nt acl support = yes
inherit acls = yes
inherit permissions = yes
inherit owner = yes
admin users = @"FB6+domain admins"

#---
# Performance options
#
#---
socket options = TCP_NODELAY IPTOS_LOWDELAY

# comment: VA, 01.05.2008
# deactivated, as it seems that this was our performance killer
# the original values were 8192 each; i have adapted both
# parameter values for AIX configuration
# SO_RCVBUF=16384 SO_SNDBUF=16384


#---
# Include Configuration Files
#
#---
include = /opt/pware/lib/fbb-user.conf
include = /opt/pware/lib/fbb-ls.conf
include = /opt/pware/lib/fbb-apps.conf
include = /opt/pware/lib/fbb-projekte.conf
include = /opt/pware/lib/fbb-profiles.conf
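The smb.conf comments above describe why the rid backend is attractive: the SID to ID mapping is computed, not allocated, so every server that shares the range produces the same Unix IDs. The following is an added example (not Samba code and not from this thread) that implements that rule, ID = low_id + RID - base_rid, for one domain, and shows the edge case a fixed range brings with it: a RID that does not fit between low_id and high_id gets no mapping at all, which is the situation to size the range for before rolling it out. The domain SID and the range values are constructed.

```python
"""SID -> Unix ID mapping the way an algorithmic (idmap_rid-style) backend does it.

Added example, not code from Samba or from this thread. The rule it
implements is the documented one for idmap_rid: ID = low_id + RID - base_rid,
valid only while low_id <= ID <= high_id. Domain SID and ranges below are
constructed values.
"""
import re

# S-1-<authority>-<subauth>[-<subauth>...]; the last component is the RID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Return (domain_sid, rid) for a textual SID; ValueError on malformed input."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % (sid,))
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


class RidMapper:
    """Deterministic RID-based mapping for one domain."""

    def __init__(self, domain_sid, low_id, high_id, base_rid=0):
        if low_id > high_id:
            raise ValueError("range low must not exceed high")
        self.domain_sid = domain_sid
        self.low_id = low_id
        self.high_id = high_id
        self.base_rid = base_rid

    def sid_to_id(self, sid):
        """Unix ID for a SID of this domain, or None if foreign or out of range."""
        domain, rid = parse_sid(sid)
        if domain != self.domain_sid:
            return None  # belongs to another domain (or is a well-known SID)
        unix_id = self.low_id + rid - self.base_rid
        if not self.low_id <= unix_id <= self.high_id:
            return None  # RID does not fit: no mapping, the range is exhausted
        return unix_id

    def id_to_sid(self, unix_id):
        """Inverse mapping; None if the ID lies outside this domain's range."""
        if not self.low_id <= unix_id <= self.high_id:
            return None
        return "%s-%d" % (self.domain_sid, unix_id - self.low_id + self.base_rid)


def audit_sids(mapper, sids):
    """Return the SIDs the mapper cannot place, to size the range before deploying."""
    return [s for s in sids if mapper.sid_to_id(s) is None]


if __name__ == "__main__":
    # Constructed domain and range; "S-1-5-21-1-2-3" stands in for a real domain SID.
    mapper = RidMapper("S-1-5-21-1-2-3", low_id=10000, high_id=49999)
    for sid in ("S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-50000", "S-1-5-32-544"):
        print(sid, "->", mapper.sid_to_id(sid))
```

Running `audit_sids` over the RIDs of the accounts and groups you expect to serve (exported from the domain beforehand) tells you whether the chosen range is wide enough; a well-known SID such as BUILTIN\Administrators is deliberately left unmapped by the domain mapper, since it is not this domain's SID.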


[Samba] winbind error..or else

2009-08-21 Thread Gabriel Petrescu
HI,

After a quite long period where samba was working well, suddenly, with
an apparently good reason, it stopped working. This means the users are
not able to connect to the server, to samba shares.

This is something I could find in the logs.

I googled it for something like:

[2009/08/21 13:59:16, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.mydomain pipe \NETLOGON fnum
0x400dreturned critical error. Error was Write error: Connection reset
by peer
[2009/08/21 14:04:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x400d
to machine DC01.mydomain.  Error was Write error: Success

but without success

do you have any idea how to do it..?

Thanks:)

Gabi

[2009/08/21 09:32:19, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/08/21 09:32:19, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/08/21 09:32:19, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/08/21 09:32:19, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/08/21 09:32:19, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
  ads_sasl_spnego_bind: got server principal name = dc...@mydomain
[2009/08/21 09:32:19, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/08/21 09:32:19, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
expiration Fri, 21 Aug 2009 19:31:28 CEST
[2009/08/21 13:59:15, 1] libads/cldap.c:recv_cldap_netlogon(247)
  Failed to parse cldap reply
[2009/08/21 13:59:16, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Connection reset by peer
[2009/08/21 13:59:16, 0] libsmb/clientgen.c:write_socket(158)
  write_socket: Error writing 222 bytes to socket 16: ERRNO =
Connection reset by peer
[2009/08/21 13:59:16, 0] libsmb/clientgen.c:cli_send_smb(188)
  Error writing 222 bytes to client. -1 (Connection reset by peer)
[2009/08/21 13:59:16, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.mydomain pipe \NETLOGON fnum
0x400dreturned critical error. Error was Write error: Connection reset
by peer
[2009/08/21 14:04:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x400d
to machine DC01.mydomain.  Error was Write error: Success
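The log excerpt in this post mixes level-3 SPNEGO/Kerberos chatter with the two level-0 entries that actually matter (the NETLOGON pipe write failing with "Connection reset by peer"). As an added example, not from the thread and not Samba's own tooling, here is a small parser for Samba's log entry format that re-joins wrapped message lines and pulls out the low-level entries mentioning a reset connection to the DC; the sample lines are constructed after the ones posted above, with the host name kept as in the post.

```python
"""Parse Samba (smbd/winbindd) log entries and flag DC connection resets.

Added example, not part of this thread or of Samba. The entry format is
'[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)' followed by one or
more message lines; SAMPLE_LOG below is constructed after the posted lines.
"""
import re
from collections import Counter

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[\w/.]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# Constructed sample, modelled on the post; the long message is wrapped
# across three lines, as mail clients tend to do with log excerpts.
SAMPLE_LOG = r"""[2009/08/21 09:32:19, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
  ads_sasl_spnego_bind: got server principal name = dc01$@MYDOMAIN
[2009/08/21 13:59:15, 1] libads/cldap.c:recv_cldap_netlogon(247)
  Failed to parse cldap reply
[2009/08/21 13:59:16, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Connection reset by peer
[2009/08/21 13:59:16, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.mydomain pipe \NETLOGON fnum
0x400d returned critical error. Error was Write error: Connection reset
by peer
"""


def parse_samba_log(text):
    """Return a list of dicts (ts, level, file, func, line, msg), one per entry."""
    records = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {
                "ts": m.group("ts"),
                "level": int(m.group("level")),
                "file": m.group("file"),
                "func": m.group("func"),
                "line": int(m.group("line")),
                "msg_parts": [],
            }
            records.append(current)
        elif current is not None and raw.strip():
            # Continuation of the current entry's message (indented or wrapped).
            current["msg_parts"].append(raw.strip())
    for rec in records:
        rec["msg"] = " ".join(rec.pop("msg_parts"))
    return records


def find_dc_connection_errors(records, max_level=1, needle="Connection reset by peer"):
    """Low-level entries whose message reports the DC dropping the connection."""
    return [r for r in records if r["level"] <= max_level and needle in r["msg"]]


def level_histogram(records):
    """How many entries per debug level; useful to see whether level 0/1 is drowning."""
    return Counter(r["level"] for r in records)


if __name__ == "__main__":
    recs = parse_samba_log(SAMPLE_LOG)
    print("entries per level:", dict(level_histogram(recs)))
    for r in find_dc_connection_errors(recs):
        print("%s level %d %s:%s -> %s" % (r["ts"], r["level"], r["file"], r["func"], r["msg"]))
```

Feeding `parse_samba_log` a real `log.winbindd` and looking at `find_dc_connection_errors` first narrows the question to "why does DC01 reset the NETLOGON pipe" (network path, DC load, firewall state timeouts) before any time is spent on the level-3 credential-cache lines, which are routine.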


Re: [Samba] Winbind authentication issue on 3.2.13/14 and 3.4.0 (was: Crazied NTLM_AUTH on samba 3.4.0)

2009-08-19 Thread Alex Crow
This is now on Bugzilla, bug 6646.
-- 
This message is intended only for the addressee and may contain 
confidential information.  Unless you are that person, you may not 
disclose its contents or use it in any way and are requested to delete 
the message along with any attachments and notify us immediately. 

"Transact" is operated by Integrated Financial Arrangements plc 
Domain House, 5-7 Singer Street, London  EC2A 4BQ 
Tel: (020) 7608 4900 Fax: (020) 7608 1200
(Registered office: as above; Registered in England and Wales under
number: 3727592) 
Authorised and regulated by the Financial Services Authority (entered on
the FSA Register; number: 190856)




[Samba] Winbind authentication issue on 3.2.13/14 and 3.4.0 (was: Crazied NTLM_AUTH on samba 3.4.0)

2009-08-19 Thread Alex Crow
On Tue, 2009-08-18 at 14:44 +0100, Alex Crow wrote:
> > . For example: 1 time
> > return 0xc0c3 ( NT_STATUS_INVALID_NETWORK_RESPONSE) or 0x1c010002 (???)
> > and much others. I realized one thing: when the response is "Broken Pipe"
> > the ntlm responds "OK" on first after try and back to the errors after this
> > warning...
> > 
> 
> I am seeing similar problems with 3.2.13 on my Squid server.
> 
> If it happens again I will try to get a log.
> 
> Alex Crow

I have upgraded to 3.2.14 and the problem persists.

I am in a Samba Domain (pdc and bdc also running 3.2.14) and I have a
bidirectional trust set up to a remote Samba 3.2.14 domain.

A winbindd log at debug level 10 is available here:

http://www.nanogherkin.com/winbindd_autherrorlog.bz2

There were two instances of the issue, one shortly before 08:30 and the
other shortly before 09:24.

wbinfo authentication will also fail:

wbinfo -a ajc%
plaintext password authentication failed
Could not authenticate user ajc with plaintext password
challenge/response password authentication failed
error code was NT code 0x1c010002 (0x1c010002)
error messsage was: NT code 0x1c010002
Could not authenticate user ajc with challenge/response


I can also tell you that it can be immediately (if temporarily) restored
to operation by running "wbinfo -t". I am trying to keep my users happy
by running this every few seconds but obviously this isn't ideal!

smb.conf on the Squid server follows:

[global]
workgroup = IFA_NET
security = DOMAIN
netbios name = WEBPROXY
interfaces = eth2, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldaps://bdc.ifa.net
username map = /etc/samba/smbusers
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 1048576
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = no
#printcap name = CUPS
show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=ifa,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=ifa,dc=net
ldap ssl = no
ldap timeout = 20
#idmap backend = ldap:ldap://192.168.20.137
idmap uid = 1-2
idmap gid = 1-2
#winbind nested groups = yes
winbind trusted domains only = no
winbind use default domain = yes
#winbind enum users = yes
#winbind enum groups = yes
allow trusted domains = yes
#winbind separator = +
map acl inherit = Yes
ea support = Yes
#printing = cups
#printer admin = root
wins server = 192.168.20.137
nt acl support = yes





[Samba] Winbind core dump issue

2009-08-12 Thread Paul Digby
Greetings

We've moved from using NIS/SFU to using Samba/Winbind connecting to our
Windows 2003 AD domain with an Openldap idmap backend on our Redhat 4/5
servers. We managed to get this mostly working in that users can
authenticate using their domain accounts (thank you Samba team!!!). We do
however keep getting the same error in the log.winbindd-idmap log:

winbindd: ../../../libraries/libldap/getentry.c:48: ldap_next_entry:
Assertion `entry != ((void *)0)' failed.
[2009/08/11 12:00:12,  0] lib/fault.c:fault_report(40)
  ===
[2009/08/11 12:00:12,  0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 6 in pid 25614 (3.2.13)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2009/08/11 12:00:12,  0] lib/fault.c:fault_report(43)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2009/08/11 12:00:12,  0] lib/fault.c:fault_report(44)
  ===
[2009/08/11 12:00:12,  0] lib/util.c:smb_panic(1670)
  PANIC (pid 25614): internal error
[2009/08/11 12:00:12,  0] lib/util.c:log_stack_trace(1774)
  BACKTRACE: 28 stack frames:
   #0 winbindd(log_stack_trace+0x2d) [0x891b0c]
   #1 winbindd(smb_panic+0x8e) [0x89195e]
   #2 winbindd [0x87b660]
   #3 winbindd [0x87b671]
   #4 /lib/tls/libc.so.6 [0x377918]
   #5 /lib/tls/libc.so.6(abort+0xe9) [0x379289]
   #6 /lib/tls/libc.so.6(__assert_fail+0x101) [0x370da1]
   #7 /usr/lib/libldap-2.2.so.7(ldap_next_entry+0x6b) [0x227c3b]
   #8 /usr/lib/samba/idmap/ldap.so [0x2a36e3]
   #9 winbindd [0xb2cec0]
   #10 winbindd(idmap_unixids_to_sids+0x41a) [0xb2dbd3]
   #11 winbindd(idmap_uid_to_sid+0xb9) [0xb30059]
   #12 winbindd(winbindd_dual_uid2sid+0xb0) [0x8031c6]
   #13 winbindd [0x7f842f]
   #14 winbindd [0x7faacf]
   #15 winbindd [0x7f7ff7]
   #16 winbindd(async_request+0x20f) [0x7f79c1]
   #17 winbindd(do_async+0x13c) [0x7fad81]
   #18 winbindd(winbindd_uid2sid_async+0x77) [0x80310c]
   #19 winbindd(winbindd_getpwuid+0xb1) [0x7c9a91]
   #20 winbindd [0x7c60d9]
   #21 winbindd [0x7c6c89]
   #22 winbindd [0x7c6ad4]
   #23 winbindd [0x7c6407]
   #24 winbindd [0x7c7383]
   #25 winbindd(main+0xc7e) [0x7c82e2]
   #26 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x364df3]
   #27 winbindd [0x7c56b1]
[2009/08/11 12:00:12,  0] lib/fault.c:dump_core(201)
  dumping core in /var/log/samba/cores/winbindd

Winbind seems to continue running but users get ID errors like 'cannot find
name for user ID #' and the machine is basically unusable for a minute or so
before it goes away. With the error referring to ldap, I'm not sure if this
is a problem with our ldap database or if it's a problem with winbind.
Initially we just used the latest versions of samba (Version
3.0.9-1.3E.13.2) from the RedHat repos but we found we were having problems
with trusted domains that we didn't have access to nor wanted to
authenticate with. We tried the 'allow trusted domains = no' and 'winbind:
ignore domains = trustdom1 trustdom2' options in smb.conf but I think these
options were not supported in this version. We then installed the 3.2.12
rpms from ftp.sernet.de which fixed that issue and got us to this stage.

Here is some information about our setup:

smbd & winbindd: Version 3.2.13

smb.conf:
[global]
workgroup = domain
realm = krb realm
server string = %h Samba Server Version %v
security = ADS
password server = server1 server2
local master = no
domain master = no
winbind cache time = 7200
max log size = 50
ldap admin dn = cn=manager,dc=example,dc=test,dc=com
ldap idmap suffix = ou=idmap
ldap suffix = dc=example,dc=test,dc=com
idmap backend = ldap:ldap://10.0.1.16
idmap uid = 500-1
idmap gid = 100-1000
template homedir = /home/domain/%U
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = no
#winbind nested groups = yes
winbind: ignore domains = trustdom1 trustdom2
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
cups options = raw

nsswitch.conf:
passwd: files winbind
shadow: files
group:  files winbind

/etc/pam.d/system-auth:
auth   sufficient   pam_env.so
auth   sufficient   pam_unix.so
auth   sufficient   pam_winbind.so try_first_pass

accountsufficient   pam_unix.so
accountsufficient   pam_winbind.so

sessionsufficient   pam_unix.so
sessionsufficient   pam_winbind.so

password   sufficient   pam_unix.so
password   sufficient   pam_winbind.so try_first_pass

I really have no idea where to even start with this error so would really
appreciate any help you can give.

regards

Paul


Re: [Samba] winbind and getent

2009-07-31 Thread Gabriel Petrescu
My status is:

it's working:

smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.

> Time must be (I think) within 15 min between kdc and client
> net ads info  # Show AD info including time
> date  # Check time on local host
>
> Test if the client has been joined to the domain.
> net ads testjoin  # Shows join is ok

> If you run the following command without specifying a valid domain
> '--user=', or the password is incorrect, you will see this:  "...Client
> not found in Kerberos database"
> net  ads search '(objectCategory=group)'
>
> If you try to run the following command with a valid user, you will see
> a huge dump.
> net --user=myuser ads search '(objectCategory=group)'


it's not working:

getent group

getent password

or to authenticate a group..


another thing:

we have:

samba, winbind, kerberos, time

then, to be able to let an AD group have read/write access to a
folder, do we need acl or something else?


my main issues are:

how to check that kerberos works fine? all the info over the internet
shows the same..

I installed X on centos to manage samba in a visual manner.. if I want
to create a share and specify which users / groups can access that
share I can not see the users / groups..

so, there is something fishy

testparm from samba is ok

Any help / idea will be appreciated:)

Gabi



On Thu, Jul 30, 2009 at 6:05 PM, John Stile wrote:
> I wonder if that means that you didn't join the domain, or you aren't
> joining with a domain admin account, or you aren't performing operations
> using the credentials of a domain user.
>
> Check you have the libs.
> smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.
>
> Does /etc/krb5.conf look correct for your domain?
>
> Check you have the libs.
> smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.
>
> Time must be (I think) within 15 min between kdc and client
> net ads info          # Show AD info including time
> date                  # Check time on local host
>
> Test if the client has been joined to the domain.
> net ads testjoin      # Shows join is ok
>
> If you run the following command without specifying a valid domain
> '--user=', or the password is incorrect, you will see this:  "...Client
> not found in Kerberos database"
> net  ads search '(objectCategory=group)'
>
> If you try to run the following command with a valid user, you will see
> a huge dump.
> net --user=myuser ads search '(objectCategory=group)'
>
> On Thu, 2009-07-30 at 09:26 -0500, Hoover, Tony wrote:
>> Have you configured your /etc/krb5.conf file?
>>


Re: [Samba] winbind and getent

2009-07-30 Thread John Stile
I wonder if that means that you didn't join the domain, or you aren't
joining with a domain admin account, or you aren't performing operations
using the credentials of a domain user.

Check you have the libs.
smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.

Does /etc/krb5.conf look correct for your domain?

Check you have the libs.
smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.

Time must be (I think) within 15 min between kdc and client
net ads info  # Show AD info including time
date  # Check time on local host

Test if the client has been joined to the domain.
net ads testjoin  # Shows join is ok

If you run the following command without specifying a valid domain
'--user=', or the password is incorrect, you will see this:  "...Client
not found in Kerberos database"
net  ads search '(objectCategory=group)'

If you try to run the following command with a valid user, you will see
a huge dump.
net --user=myuser ads search '(objectCategory=group)'

On Thu, 2009-07-30 at 09:26 -0500, Hoover, Tony wrote:
> Have you configured your /etc/krb5.conf file?
> 
>  
> 
> 
> 
> 
> Tony Hoover, Network Administrator
> KSU - Salina, College of Technology and Aviation
> (785) 826-2660
> 
> "Don't Blend in..."
> 
>  
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Gabriel Petrescu
> Sent: Thursday, July 30, 2009 8:39 AM
> To: John Stile
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] winbind and getent
> 
> hi:)
> 
> in my case it's working:
> 
> > wbinfo Shows winbind is doing lookups from ADS
> >  wbinfo -u
> >  wbinfo -g
> >  wbinfo -a mydomain+myuser%mypassword
> 
> and i get an error here:
> 
>  kinit tests
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
> 
> 
> any advice here?
> 
> gabi
> 
> On Wed, Jul 29, 2009 at 6:58 PM, John Stile wrote:
> > On Wed, 2009-07-29 at 22:33 +1000, tsg-samba wrote:
> >> Hi Volker,
> >>
> >> Yes  in smb.conf i have:
> >> winbind enum users = Yes
> >> winbind enum groups = Yes
> >
> > getent Shows nsswitch is correct, to resolve ADS users and groups.
> >  getent passwd
> >  getent group
> >
> > wbinfo Shows winbind is doing lookups from ADS
> >  wbinfo -u
> >  wbinfo -g
> >  wbinfo -a mydomain+myuser%mypassword
> >
> > kinit tests if kerberos can authenticate
> >  kinit myuser
> >
> > If 'wbinfo -g' shows   MYDOMAIN+Domain Users,
> > maybe your share should have a line like:
> >  valid users = @"MYDOMAIN+Domain Users"
> >
> >
> >



Re: [Samba] winbind and getent

2009-07-30 Thread Gabriel Petrescu
yes, and it looks like:

[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
default_realm = MYDOMAIN.LOCAL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
MYDOMAIN.LOCAL = {
kdc = server.mydomain.local
admin_server = server.mydomain.local
default_domain = MYDOMAIN.LOCAL
}

[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL




On Thu, Jul 30, 2009 at 5:26 PM, Hoover, Tony wrote:
> Have you configured your /etc/krb5.conf file?
>
>
>
>
>
> 
> Tony Hoover, Network Administrator
> KSU - Salina, College of Technology and Aviation
> (785) 826-2660
>
> "Don't Blend in..."
> 
>
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Gabriel Petrescu
> Sent: Thursday, July 30, 2009 8:39 AM
> To: John Stile
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] winbind and getent
>
> hi:)
>
> in my case it's working:
>
>> wbinfo Shows winbind is doing lookups from ADS
>>  wbinfo -u
>>  wbinfo -g
>>  wbinfo -a mydomain+myuser%mypassword
>
> and i get an error here:
>
>  kinit tests
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
>
> any advice here?
>
> gabi
>
> On Wed, Jul 29, 2009 at 6:58 PM, John Stile wrote:
>> On Wed, 2009-07-29 at 22:33 +1000, tsg-samba wrote:
>>> Hi Volker,
>>>
>>> Yes  in smb.conf i have:
>>>         winbind enum users = Yes
>>>         winbind enum groups = Yes
>>
>> getent Shows nsswitch is correct, to resolve ADS users and groups.
>>  getent passwd
>>  getent group
>>
>> wbinfo Shows winbind is doing lookups from ADS
>>  wbinfo -u
>>  wbinfo -g
>>  wbinfo -a mydomain+myuser%mypassword
>>
>> kinit tests if kerberos can authenticate
>>  kinit myuser
>>
>> If 'wbinfo -g' shows   MYDOMAIN+Domain Users,
>> maybe your share should have a line like:
>>  valid users = @"MYDOMAIN+Domain Users"
>>
>>
>
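Since the thread keeps coming back to "is /etc/krb5.conf right for your domain", here is an added example (not from the thread, not MIT Kerberos or Samba code) of a small krb5.conf parser with the consistency checks worth running before blaming winbind: the default_realm must have a [realms] block, that block needs a kdc line unless you rely on DNS SRV lookups, realm names are upper-case, and every [domain_realm] entry must point at a defined realm. A realm the library cannot locate a KDC for is what produces errors like the "Cannot find KDC for requested realm" seen elsewhere in these threads. Both sample files below are constructed; the good one mirrors the layout of the file posted above.

```python
"""Parse krb5.conf and check realm/KDC consistency.

Added example, not code from this thread, MIT Kerberos or Samba. Handles
the INI-like layout with '{ ... }' sub-blocks used by [realms]; repeated
keys (several kdc lines) are collected into a list. Both configs below
are constructed samples.
"""

GOOD_CONF = """\
[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
default_realm = MYDOMAIN.LOCAL
kdc_timesync = 1
forwardable = true

[realms]
MYDOMAIN.LOCAL = {
kdc = server.mydomain.local
admin_server = server.mydomain.local
default_domain = MYDOMAIN.LOCAL
}

[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
"""

# Constructed broken file: default_realm has no [realms] block, the one realm
# that is defined has no kdc and is lower-case, and [domain_realm] points at
# the undefined realm.
BAD_CONF = """\
[libdefaults]
default_realm = EXAMPLE.LOCAL

[realms]
other.local = {
admin_server = server.other.local
}

[domain_realm]
.example.local = EXAMPLE.LOCAL
"""


def parse_krb5_conf(text):
    """Return {section: {key: value | [values] | {sub-block}}}; ValueError on bad nesting."""
    conf = {}
    stack = []  # innermost dict last; stack[0] is the current section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("directive outside any section: %r" % (line,))
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError("expected 'key = value': %r" % (line,))
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
            continue
        existing = stack[-1].get(key)
        if existing is None:
            stack[-1][key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            stack[-1][key] = [existing, value]
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return conf


def check_krb5_conf(conf):
    """Return a list of human-readable findings; an empty list means the file is consistent."""
    findings = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        findings.append("default_realm %s has no [realms] entry" % default_realm)
    for name, body in realms.items():
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append("realm %s defines no kdc (DNS SRV lookup is the only fallback)" % name)
        if name != name.upper():
            findings.append("realm %s is not upper-case" % name)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append("domain_realm maps %s to undefined realm %s" % (domain, realm))
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, "->", check_krb5_conf(parse_krb5_conf(text)) or "ok")
```

The checks are deliberately structural: they tell you the file is self-consistent, not that the KDC is reachable or that the clock is in sync, which `net ads info` and `kinit` cover in the steps John listed.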


Re: [Samba] winbind and getent

2009-07-30 Thread Hoover, Tony
Have you configured your /etc/krb5.conf file?

 




Tony Hoover, Network Administrator
KSU - Salina, College of Technology and Aviation
(785) 826-2660

"Don't Blend in..."

 
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Gabriel Petrescu
Sent: Thursday, July 30, 2009 8:39 AM
To: John Stile
Cc: samba@lists.samba.org
Subject: Re: [Samba] winbind and getent

hi:)

in my case it's working:

> wbinfo Shows winbind is doing lookups from ADS
>  wbinfo -u
>  wbinfo -g
>  wbinfo -a mydomain+myuser%mypassword

and i get an error here:

 kinit tests
kinit(v5): Client not found in Kerberos database while getting initial
credentials


any advice here?

gabi

On Wed, Jul 29, 2009 at 6:58 PM, John Stile wrote:
> On Wed, 2009-07-29 at 22:33 +1000, tsg-samba wrote:
>> Hi Volker,
>>
>> Yes  in smb.conf i have:
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>
> getent Shows nsswitch is correct, to resolve ADS users and groups.
>  getent passwd
>  getent group
>
> wbinfo Shows winbind is doing lookups from ADS
>  wbinfo -u
>  wbinfo -g
>  wbinfo -a mydomain+myuser%mypassword
>
> kinit tests if kerberos can authenticate
>  kinit myuser
>
> If 'wbinfo -g' shows   MYDOMAIN+Domain Users,
> maybe your share should have a line like:
>  valid users = @"MYDOMAIN+Domain Users"
>
>
>


Re: [Samba] winbind and getent

2009-07-30 Thread Gabriel Petrescu
hi:)

in my case it's working:

> wbinfo Shows winbind is doing lookups from ADS
>  wbinfo -u
>  wbinfo -g
>  wbinfo -a mydomain+myuser%mypassword

and i get an error here:

 kinit tests
kinit(v5): Client not found in Kerberos database while getting initial
credentials


any advice here?

gabi

On Wed, Jul 29, 2009 at 6:58 PM, John Stile wrote:
> On Wed, 2009-07-29 at 22:33 +1000, tsg-samba wrote:
>> Hi Volker,
>>
>> Yes  in smb.conf i have:
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>
> getent Shows nsswitch is correct, to resolve ADS users and groups.
>  getent passwd
>  getent group
>
> wbinfo Shows winbind is doing lookups from ADS
>  wbinfo -u
>  wbinfo -g
>  wbinfo -a mydomain+myuser%mypassword
>
> kinit tests if kerberos can authenticate
>  kinit myuser
>
> If 'wbinfo -g' shows   MYDOMAIN+Domain Users,
> maybe your share should have a line like:
>  valid users = @"MYDOMAIN+Domain Users"
>
>
>


Re: [Samba] Winbind issue connecting to trusted domain controllers

2009-07-30 Thread jrmailgate-samba

>> So, is there a way I can specify that winbind only uses the CSS domain and 
>> does not try and connect to the other trusted domains?
>
> allow trusted domains = no
 
Thanks for the suggestion, but this didn't make a difference.

However, I've managed to find the answer / workaround:

The following needs to be set in smb.conf:

winbind:ignore domains = MAT LPS LAB MMSC GRP IMCR UPGRADE CENTRAL MISE 
4THFLOOR AD  CSSDEV NAS

In case it's not obvious, the list is the names of all the trusted domains I 
want Winbind to ignore. I did see a patch that performs the inverse of this (so 
you specify the domains you *want* to search) but as this is not part of the 
mainline code I decided to avoid it as I don't want to be maintaining different 
versions.

Thanks

Julian



  


Re: [Samba] winbind + rpc windows

2009-07-29 Thread Herbert G. Fischer

It's stock Ubuntu 9.04 package.

samba 3.3.2-1u

On 29/July/2009, at 15:31, Jeremy Allison wrote:

> On Wed, Jul 29, 2009 at 03:24:24PM -0300, Herbert G. Fischer wrote:
> > I've raised the log level and found that the dump occurs only when I try to
> > use pam authentication. Using wbinfo (-t/-u/-g) works.
> >
> > [2009/07/29 15:04:57,  3] winbindd/winbindd_pam.c:winbindd_pam_auth(827)
> >   [ 3010]: pam auth root
> > *** glibc detected *** /usr/sbin/winbindd: double free or corruption (!prev): 0x7f10f6f61960 ***
> > === Backtrace: =
> > /lib/libc.so.6[0x7f10f2c88cb8]
> > /lib/libc.so.6(cfree+0x76)[0x7f10f2c8b276]
> > /usr/lib/libtalloc.so.1[0x7f10f3192888]
> > /usr/lib/libtalloc.so.1(talloc_free+0xd8)[0x7f10f3194b38]
> > /usr/sbin/winbindd[0x7f10f4ffdc57]
> > /usr/sbin/winbindd[0x7f10f4ffe443]
> > /usr/sbin/winbindd(main+0xd6a)[0x7f10f4fff299]
> > /lib/libc.so.6(__libc_start_main+0xe6)[0x7f10f2c2f5a6]
> > /usr/sbin/winbindd[0x7f10f4ffd249]
>
> What version of Samba are you using ? This may be
> something that is already fixed in a later version
> (hopefully :-).
>
> Jeremy.


Herbert G. Fischer
Locaweb
Voted the best data center in Brazil by INFO Exame 2008.
Main line: + 55 11 3544-0444 ext. 568




Re: [Samba] winbind + rpc windows

2009-07-29 Thread Jeremy Allison
On Wed, Jul 29, 2009 at 03:24:24PM -0300, Herbert G. Fischer wrote:
> I've raised the log level and found that the dump occurs only when I try to 
> use pam authentication. Using wbinfo (-t/-u/-g) works.
>
> [2009/07/29 15:04:57,  3] winbindd/winbindd_pam.c:winbindd_pam_auth(827)
>   [ 3010]: pam auth root
> *** glibc detected *** /usr/sbin/winbindd: double free or corruption (! 
> prev): 0x7f10f6f61960 ***
> === Backtrace: =
> /lib/libc.so.6[0x7f10f2c88cb8]
> /lib/libc.so.6(cfree+0x76)[0x7f10f2c8b276]
> /usr/lib/libtalloc.so.1[0x7f10f3192888]
> /usr/lib/libtalloc.so.1(talloc_free+0xd8)[0x7f10f3194b38]
> /usr/sbin/winbindd[0x7f10f4ffdc57]
> /usr/sbin/winbindd[0x7f10f4ffe443]
> /usr/sbin/winbindd(main+0xd6a)[0x7f10f4fff299]
> /lib/libc.so.6(__libc_start_main+0xe6)[0x7f10f2c2f5a6]
> /usr/sbin/winbindd[0x7f10f4ffd249]

What version of Samba are you using ? This may be
something that is already fixed in a later version
(hopefully :-).

Jeremy.


Re: [Samba] winbind + rpc windows

2009-07-29 Thread Herbert G. Fischer
I've raised the log level and found that the dump occurs only when I try
to use pam authentication. Using wbinfo (-t/-u/-g) works.


[2009/07/29 15:04:57,  3] winbindd/winbindd_pam.c:winbindd_pam_auth(827)
  [ 3010]: pam auth root
*** glibc detected *** /usr/sbin/winbindd: double free or corruption (! 
prev): 0x7f10f6f61960 ***

=== Backtrace: =
/lib/libc.so.6[0x7f10f2c88cb8]
/lib/libc.so.6(cfree+0x76)[0x7f10f2c8b276]
/usr/lib/libtalloc.so.1[0x7f10f3192888]
/usr/lib/libtalloc.so.1(talloc_free+0xd8)[0x7f10f3194b38]
/usr/sbin/winbindd[0x7f10f4ffdc57]
/usr/sbin/winbindd[0x7f10f4ffe443]
/usr/sbin/winbindd(main+0xd6a)[0x7f10f4fff299]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f10f2c2f5a6]
/usr/sbin/winbindd[0x7f10f4ffd249]

On 29/julho/2009, at 14:23, Herbert G. Fischer wrote:


Hi,

I've managed to configure winbind to use RPC instead of AD to
authenticate users. I was able to do a few auths, and then out of nowhere
winbind started to crash with the following error message:


Any hint on what may be the error?

I've already deleted all tdb files and restarted the services, and
the server, and that didn't solve it.



[2009/07/29 14:19:01,  0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
*** glibc detected *** /usr/sbin/winbindd: double free or corruption (!prev): 0x7fdcfcd71cb0 ***

=== Backtrace: =
/lib/libc.so.6[0x7fdcfa0a3cb8]
/lib/libc.so.6(cfree+0x76)[0x7fdcfa0a6276]
/usr/lib/libtalloc.so.1[0x7fdcfa5ad888]
/usr/lib/libtalloc.so.1(talloc_free+0xd8)[0x7fdcfa5afb38]
/usr/sbin/winbindd[0x7fdcfc418cd7]
/usr/sbin/winbindd[0x7fdcfc419443]
/usr/sbin/winbindd(main+0xd6a)[0x7fdcfc41a299]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fdcfa04a5a6]
/usr/sbin/winbindd[0x7fdcfc418249]
=== Memory map: 

[Samba] winbind + rpc windows

2009-07-29 Thread Herbert G. Fischer

Hi,

I've managed to configure winbind to use RPC instead of AD to
authenticate users. I was able to do a few auths, and then out of nowhere
winbind started to crash with the following error message:


Any hint on what may be the error?

I've already deleted all tdb files and restarted the services, and the
server, and that didn't solve it.



[2009/07/29 14:19:01,  0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
*** glibc detected *** /usr/sbin/winbindd: double free or corruption (!prev): 0x7fdcfcd71cb0 ***

=== Backtrace: =
/lib/libc.so.6[0x7fdcfa0a3cb8]
/lib/libc.so.6(cfree+0x76)[0x7fdcfa0a6276]
/usr/lib/libtalloc.so.1[0x7fdcfa5ad888]
/usr/lib/libtalloc.so.1(talloc_free+0xd8)[0x7fdcfa5afb38]
/usr/sbin/winbindd[0x7fdcfc418cd7]
/usr/sbin/winbindd[0x7fdcfc419443]
/usr/sbin/winbindd(main+0xd6a)[0x7fdcfc41a299]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fdcfa04a5a6]
/usr/sbin/winbindd[0x7fdcfc418249]
=== Memory map: 

Re: [Samba] winbind and getent

2009-07-29 Thread John Stile
On Wed, 2009-07-29 at 22:33 +1000, tsg-samba wrote:
> Hi Volker,
> 
> Yes, in smb.conf I have:
> winbind enum users = Yes
> winbind enum groups = Yes

getent shows nsswitch is correct, to resolve ADS users and groups:
  getent passwd
  getent group

wbinfo shows winbind is doing lookups from ADS:
  wbinfo -u
  wbinfo -g
  wbinfo -a mydomain+myuser%mypassword

kinit tests if Kerberos can authenticate:
  kinit myuser

If 'wbinfo -g' shows MYDOMAIN+Domain Users,
maybe your share should have a line like:
  valid users = @"MYDOMAIN+Domain Users"


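
The two settings this thread keeps coming back to, winbind in nsswitch.conf and 'winbind enum users' / 'winbind enum groups' in smb.conf, can be checked mechanically. The following Python is an added example, not Samba's own code; the sample nsswitch.conf and smb.conf contents are constructed, each with one of the required settings missing.

```python
"""Check the two things this thread turns on for getent to list AD accounts:
winbind in nsswitch.conf (passwd and group) and 'winbind enum users' /
'winbind enum groups' in smb.conf.

Added example, not Samba's own code.  Both sample files below are
constructed, each with one of the required settings missing.
"""

SAMPLE_NSSWITCH = """\
passwd: files winbind
shadow: files winbind
group:  files
"""

SAMPLE_SMBCONF = """\
[global]
   workgroup = MYDOMAIN
   security = ads
   winbind enum users = Yes
   winbind separator = +
[homes]
   valid users = %S
"""


def parse_nsswitch(text):
    """Map each nsswitch database (passwd, group, ...) to its source list."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)
            sources[db.strip()] = rest.split()
    return sources


def parse_smbconf_global(text):
    """Return [global] parameters; keys lower-cased, inner whitespace squeezed."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_enum_setup(nsswitch_text, smbconf_text):
    """Return findings that explain why getent would omit domain entries
    even though wbinfo -u / -g work (an empty list means both are set)."""
    findings = []
    nss = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' does not list winbind")
    glob = parse_smbconf_global(smbconf_text)
    for key in ("winbind enum users", "winbind enum groups"):
        # Default is no: single-name lookups still work, enumeration does not.
        if not is_true(glob.get(key, "no")):
            findings.append(f"smb.conf: '{key}' is not enabled")
    return findings


if __name__ == "__main__":
    for finding in check_enum_setup(SAMPLE_NSSWITCH, SAMPLE_SMBCONF) or ["ok"]:
        print(finding)
```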


Re: [Samba] winbind and getent

2009-07-29 Thread tsg-samba
Hi Volker,

Yes, in smb.conf I have:
winbind enum users = Yes
winbind enum groups = Yes


Re: [Samba] winbind and getent

2009-07-29 Thread Volker Lendecke
On Wed, Jul 29, 2009 at 10:22:28PM +1000, tsg wrote:
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> Could you explain the difference between wbinfo & getent?

You did see the "winbind enum users" and "winbind enum
groups" parameters in smb.conf?

Volker



Re: [Samba] winbind and getent

2009-07-29 Thread Gabriel Petrescu
Based on all the info I found, books and how-tos:

If you have a Samba server that is a member of the domain you don't need ldap / openldap.

You need samba, samba-common, winbind.

Add the Samba server to the domain and authenticate users / groups from the domain.

I wanted one Samba share to be accessible to only one AD group.

I could have access for users, in their homes, but not for groups.

Do I need ldap / openldap? Why?

Gabi

On Wed, Jul 29, 2009 at 2:08 PM, Quinn Fissler wrote:
> The different behaviours are caused by the fact that the two methods
> do different things...
>
> They use different libraries and configuration files.
>
> I'm not near a linux box with SaMBa today so I can't show you examples.
>
> You should tell us more about what you're running...
>
> In any case, the first thing to check is /etc/nsswitch.conf
>
> Then look at how you configured AD integration - was it with OpenLDAP?
>
> Check your ldap.conf - you might find more than one...
> /etc/ldap.conf?
> /etc/openldap/ldap.conf?
>
> Which binding credentials do you use?
>
> How about the TLS options?
>
> What about if you query the ldap server with ldapsearch?
>
> A quick web search yields some articles which might help you check
> your approach:
>
> http://www.networkcomputing.com/showArticle.jhtml?articleID=55301455
> http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx
> http://www.linux.com/archive/articles/40983
>


Re: [Samba] winbind and getent

2009-07-29 Thread tsg
Hi Quinn,

I was following the doco at
http://wiki.samba.org/index.php/Samba_&_Active_Directory

There is no mention there of ldap/tls etc.

There doesn't seem to be a complete tutorial on setting up samba & AD on the
web. Plenty of doco on it, but all different, and implemented in a
different way.

I'm running CentOS5, samba 3.0.33. Win 2003 R2.

nsswitch.conf :
passwd: files winbind
shadow: files winbind
group: files winbind
Could you explain the difference between wbinfo & getent?

Thanks.


Re: [Samba] winbind and getent

2009-07-29 Thread Quinn Fissler
The different behaviours are caused by the fact that the two methods
do different things...

They use different libraries and configuration files.

I'm not near a linux box with SaMBa today so I can't show you examples.

You should tell us more about what you're running...

In any case, the first thing to check is /etc/nsswitch.conf

Then look at how you configured AD integration - was it with OpenLDAP?

Check your ldap.conf - you might find more than one...
/etc/ldap.conf?
/etc/openldap/ldap.conf?

Which binding credentials do you use?

How about the TLS options?

What about if you query the ldap server with ldapsearch?

A quick web search yields some articles which might help you check
your approach:

http://www.networkcomputing.com/showArticle.jhtml?articleID=55301455
http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx
http://www.linux.com/archive/articles/40983


Re: [Samba] winbind and getent

2009-07-29 Thread Gabriel Petrescu
I had the same problem with samba 3.0.28a on Ubuntu and nobody could
answer me what's wrong...

So.. if you find a solution, please let me know.

I have no resolution..

Gabi

On Wed, Jul 29, 2009 at 1:33 PM, tsg wrote:
> Hi,
>
> I have a samba share on centos5 that uses AD authentication.  I can do
> wbinfo -u and it returns the AD users.. but getent only returns the local
> centos users.
>
> Any pointers on where I have gone wrong?
>
> I am trying to chown to an AD user/group, but it is not working..  is the
> format chown domain\user:domain\group path/to/file ?
>
> Thanks..
>


[Samba] winbind and getent

2009-07-29 Thread tsg
Hi,

I have a samba share on centos5 that uses AD authentication.  I can do
wbinfo -u and it returns the AD users.. but getent only returns the local
centos users.

Any pointers on where I have gone wrong?

I am trying to chown to an AD user/group, but it is not working..  is the
format chown domain\user:domain\group path/to/file ?

Thanks..


Re: [Samba] Winbind issue connecting to trusted domain controllers

2009-07-28 Thread Linux Addict
> So, is there a way I can specify that winbind only uses the CSS domain and
> does not try and connect to the other trusted domains?

allow trusted domains = no

>
>
> I'm running CentOS 5.3 with Samba 3.0.33-3.7.el5 with the following
> smb.conf:
>
> [global]
>workgroup = CSS
>realm = CSS.AD.EXAMPLE.COM
>server string = Samba Server Version %v
>security = ADS
>passdb backend = tdbsam
>preferred master = No
>winbind use default domain = Yes
>
> Any help much appreciated!!!
>
> Thanks
>
> Julian
>


Re: [Samba] Winbind issue connecting to trusted domain controllers

2009-07-28 Thread jrmailgate-samba
Hi

I'm following up my original message with more information, but unfortunately 
no real progress. 

I've updated to Samba 3.4.0 and winbindd -V now reports: Version 
3.4.0-SerNet-RedHat

I've also tried setting "password server = 10.1.10.120" which is the IP address 
of one of my local domain controllers. However, following the logs, I'm still 
watching Winbind cycle through the list of all trusted domains and the domain 
controllers within those domains (as detailed below), even when my Samba server 
is unable to connect to those servers.

I can't believe we are the only organisation to want to use Samba in a site 
with links to other, trusted domains, but my Google skills are failing me. Is 
this a configuration problem with the Samba server, or a configuration problem 
with Active Directory itself?

I'm now stuck and don't know how to progress this, so would really appreciate 
some input from the gurus on this list.

Many thanks in anticipation.

Julian





From: "jrmailgate-sa...@yahoo.co.uk" 
To: samba@lists.samba.org
Sent: Thursday, 23 July, 2009 13:12:37
Subject: [Samba] Winbind issue connecting to trusted domain controllers

Hi.

The quick question: Is there a way of forcing a Samba server that is an Active 
Directory member server to limit lookups to its local domain only and not all 
trusted domains?

The question in more detail:

I have a Samba server that is joined to my local AD domain 
("css.ad.example.com"). There are other domains under ad.example.com such as 
lps.ad.example.com and mat.ad.example.com within the same forest, and 
additional trusts setup to external domains. The problem I have is that 
authentication works "some" of the time and then fails for seemingly random 
amounts of time before working again. I've managed to reproduce this behaviour 
through running wbinfo numerous times in succession and monitoring the output.

Running wbinfo -t returns the following:
checking the trust secret via RPC calls succeeded

However, running wbinfo -u returns:
Error looking up domain users

Having done some debugging with the Samba debug level set to 10, and performing 
packet captures with tcpdump/wireshark, I believe the following is happening:

Winbind is obtaining a list of trusted domains and is adding them to a list 
using add_trusted_domain.

[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain CSS CSS.AD.EXAMPLE.COM S-1-5-21-2722945677-2571981173-1559263515
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain CENTRAL central.ad.example.com S-1-5-21-1546731521-1604605983-311576647
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain GRP grp.ad.example.com S-1-5-21-4165802252-723863699-2563104143
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain MMSC mmsc-example.com S-1-5-21-3925889671-1378681824-3250279791
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain LPS lps.ad.example.com S-1-5-21-3593956825-942678665-1239839976
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain MAT mat.ad.example.com S-1-5-21-227787951-1760200910-3128242332

The last added entry "MAT mat.ad.example.com" is then set as the domain(?):

[2009/07/23 12:09:41, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MAT

Winbind then attempts to get a list of all the domain controllers:

[2009/07/23 12:09:41, 3] libsmb/namequery.c:get_dc_list(1495)
  get_dc_list: preferred server list: ", *"

Winbind attempts to locate the LDAP server in the MAT domain, but fails:

[2009/07/23 12:10:01, 3] libads/dns.c:dns_send_req(303)
  ads_dns_lookup_srv: Failed to resolve _ldap._tcp.dc._msdcs.mat.ad.example.com (Connection timed out)
[2009/07/23 12:10:01, 3] libads/dns.c:ads_dns_lookup_srv(363)
  ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
[2009/07/23 12:10:01, 4] libsmb/namequery.c:get_dc_list(1522)
  get_dc_list: no servers found

Having failed to obtain the LDAP address by DNS, Winbind then tries to resolve 
the address using lmhosts and WINS. Both fail because although the trusts are 
in place, the Samba server does not have network access to the MAT domain. 
After Winbind exhausts the various options of resolving the MAT domain, it then 
attempts the same with the LPS domain. LPS was the entry added immediately 
before MAT, so it appears to be traversing the list of trusted domains:

[2009/07/23 12:10:24, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=LPS
[2009/07/23 12:10:24, 3] libsmb/namequery.c:get_dc_list(1495)
  get_dc_list: preferred server list: ", *"
[2009/07/23 12:10:24, 4] libsmb/

[Samba] Winbind issue connecting to trusted domain controllers

2009-07-23 Thread jrmailgate-sa...@yahoo.co.uk
Hi.

The quick question: Is there a way of forcing a Samba server that is an Active 
Directory member server to limit lookups to its local domain only and not all 
trusted domains?

The question in more detail:

I have a Samba server that is joined to my local AD domain 
("css.ad.example.com"). There are other domains under ad.example.com such as 
lps.ad.example.com and mat.ad.example.com within the same forest, and 
additional trusts setup to external domains. The problem I have is that 
authentication works "some" of the time and then fails for seemingly random 
amounts of time before working again. I've managed to reproduce this behaviour 
through running wbinfo numerous times in succession and monitoring the output.

Running wbinfo -t returns the following:
checking the trust secret via RPC calls succeeded

However, running wbinfo -u returns:
Error looking up domain users

Having done some debugging with the Samba debug level set to 10, and performing 
packet captures with tcpdump/wireshark, I believe the following is happening:

Winbind is obtaining a list of trusted domains and is adding them to a list 
using add_trusted_domain.

[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain CSS CSS.AD.EXAMPLE.COM S-1-5-21-2722945677-2571981173-1559263515
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain CENTRAL central.ad.example.com S-1-5-21-1546731521-1604605983-311576647
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain GRP grp.ad.example.com S-1-5-21-4165802252-723863699-2563104143
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain MMSC mmsc-example.com S-1-5-21-3925889671-1378681824-3250279791
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain LPS lps.ad.example.com S-1-5-21-3593956825-942678665-1239839976
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain MAT mat.ad.example.com S-1-5-21-227787951-1760200910-3128242332

The last added entry "MAT mat.ad.example.com" is then set as the domain(?):

[2009/07/23 12:09:41, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MAT

Winbind then attempts to get a list of all the domain controllers:

[2009/07/23 12:09:41, 3] libsmb/namequery.c:get_dc_list(1495)
  get_dc_list: preferred server list: ", *"

Winbind attempts to locate the LDAP server in the MAT domain, but fails:

[2009/07/23 12:10:01, 3] libads/dns.c:dns_send_req(303)
  ads_dns_lookup_srv: Failed to resolve _ldap._tcp.dc._msdcs.mat.ad.example.com (Connection timed out)
[2009/07/23 12:10:01, 3] libads/dns.c:ads_dns_lookup_srv(363)
  ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
[2009/07/23 12:10:01, 4] libsmb/namequery.c:get_dc_list(1522)
  get_dc_list: no servers found

Having failed to obtain the LDAP address by DNS, Winbind then tries to resolve 
the address using lmhosts and WINS. Both fail because although the trusts are 
in place, the Samba server does not have network access to the MAT domain. 
After Winbind exhausts the various options of resolving the MAT domain, it then 
attempts the same with the LPS domain. LPS was the entry added immediately 
before MAT, so it appears to be traversing the list of trusted domains:

[2009/07/23 12:10:24, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=LPS
[2009/07/23 12:10:24, 3] libsmb/namequery.c:get_dc_list(1495)
  get_dc_list: preferred server list: ", *"
[2009/07/23 12:10:24, 4] libsmb/namequery.c:get_dc_list(1605)
  get_dc_list: returning 21 ip addresses in an ordered list
[2009/07/23 12:10:24, 4] libsmb/namequery.c:get_dc_list(1606)
  get_dc_list: 10.236.113.22:389 10.236.62.21:389 10.236.30.22:389 
10.236.100.22:389 10.236.94.21:389 10.236.92.21:389 10.236.114.22:389 
10.91.160.41:389 10.236.113.21:389 10.236.114.21:389 10.91.160.40:389  
10.236.94.22:389 10.236.92.22:389 10.236.112.22:389 10.236.112.21:389 
10.154.110.21:389 10.154.110.22:389 10.91.157.132:389 10.236.62.22:389 
10.236.30.21:389 10.236.100.21:389

In Wireshark, I can see this request being made by the NetrGetAnyDCName call 
and the response from a local domain controller, but the contents of the packet 
are encrypted. This time the IP addresses for the domain controllers on the LPS 
domain are returned (so presumably the local domain controller Winbind is 
querying at this point knows about the LPS domain controllers). 

Winbind then attempts to connect to the first IP address in the list 
(10.236.113.22):

[2009/07/23 12:10:31, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 10.236.113.22 failed.

This fails so it tries the second in the list and so on. None of these 
addresses will work as the Samba server is unable to connect to these externa

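The log excerpts in this thread can be summarised mechanically, which makes it easy to see which trusted domains a member server spends its time failing to reach before a setting such as 'allow trusted domains = no' (suggested in the reply above) is considered. The following Python is an added example, not Samba code; the sample log is a constructed, shortened version of the lines quoted in this thread, and the joined domain (CSS) is passed in as a parameter.

```python
"""Summarise which trusted domains winbindd tried to reach in a debug log.

Added example for the thread above, not Samba code.  Parses the winbindd
log format seen in the excerpts: a header "[YYYY/MM/DD HH:MM:SS, level]
file:function(line)" followed by an indented message that may wrap.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)\s*$")
ADDED_RE = re.compile(r"Added domain (\S+) (\S+) (S-1-5-21-[\d-]+)")
DCNAME_RE = re.compile(r"ads_dc_name: domain=(\S+)")
# (failure kind, pattern); group 1, when present, carries the detail
FAIL_PATTERNS = (
    ("srv_lookup", re.compile(r"Failed to resolve (\S+)")),
    ("no_dc", re.compile(r"get_dc_list: no servers found")),
    ("cldap", re.compile(r"ads_try_connect: CLDAP request (\S+) failed")),
)

# Constructed sample, shortened from the log lines quoted in the thread.
SAMPLE_LOG = """\
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain CSS CSS.AD.EXAMPLE.COM
S-1-5-21-2722945677-2571981173-1559263515
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain LPS lps.ad.example.com
S-1-5-21-3593956825-942678665-1239839976
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain MAT mat.ad.example.com
S-1-5-21-227787951-1760200910-3128242332
[2009/07/23 12:09:41, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MAT
[2009/07/23 12:10:01, 3] libads/dns.c:dns_send_req(303)
  ads_dns_lookup_srv: Failed to resolve
_ldap._tcp.dc._msdcs.mat.ad.example.com (Connection timed out)
[2009/07/23 12:10:01, 4] libsmb/namequery.c:get_dc_list(1522)
  get_dc_list: no servers found
[2009/07/23 12:10:24, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=LPS
[2009/07/23 12:10:31, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 10.236.113.22 failed.
"""

def parse_entries(text):
    """Return (timestamp, level, source, message) tuples; wrapped
    continuation lines are folded back into the message."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if cur:
                entries.append(tuple(cur))
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            cur = [ts, int(m.group(2)), m.group(3), ""]
        elif cur and line.strip():
            cur[3] = (cur[3] + " " + line.strip()).strip()
    if cur:
        entries.append(tuple(cur))
    return entries

def summarise(text, own_domain):
    """Group failures by the domain winbindd was working on (each
    ads_dc_name line starts a new attempt) and time each attempt."""
    entries = parse_entries(text)
    trusted, attempts = {}, []
    for ts, _level, _src, msg in entries:
        m = ADDED_RE.search(msg)
        if m:
            trusted[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = DCNAME_RE.search(msg)
        if m:
            if attempts:  # close the previous attempt
                attempts[-1]["seconds"] = (ts - attempts[-1]["start"]).total_seconds()
            attempts.append({"domain": m.group(1), "start": ts,
                             "failures": [], "seconds": None})
            continue
        for kind, pat in FAIL_PATTERNS:
            m = pat.search(msg)
            if m and attempts:
                attempts[-1]["failures"].append((kind, m.group(1) if m.groups() else ""))
                break
    if attempts:  # the last attempt runs until the final log line
        attempts[-1]["seconds"] = (entries[-1][0] - attempts[-1]["start"]).total_seconds()
    # Trusted domains other than our own that produced failures: candidates
    # for 'allow trusted domains = no' if nobody from them needs access.
    unreachable = [a["domain"] for a in attempts
                   if a["domain"] != own_domain and a["failures"]]
    return {"trusted": trusted, "attempts": attempts, "unreachable": unreachable}

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, own_domain="CSS")
    for a in report["attempts"]:
        print(f"{a['domain']}: {a['seconds']:.0f}s, failures={a['failures']}")
    print("unreachable trusted domains:", report["unreachable"])
```

On the sample, MAT accounts for 43 seconds of DNS timeouts before winbind moves on to LPS, which matches the gap between the two ads_dc_name lines in the thread.
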
[Samba] Winbind keeps failing after a week

2009-07-20 Thread Kevin Blackwell
Hello,

Currently I'm running FC11 with samba 3.0.STABLE15.

I'm using samba with squid to log NTLM authentication.

Well, just about every week, my /var/log/samba/log.wb-$DOMAIN file
starts to get full with these lines.

[2009/07/09 07:11:24,  0]
rpc_client/cli_netlogon.c:rpccli_netlogon_set_trust_password(597)
  rpccli_netr_ServerPasswordSet2 failed: NT_STATUS_WRONG_PASSWORD

If I issue a

net ads join -U Administrator%password,

everything returns to normal. What I can't figure out is why the
authentication keeps falling over on a weekly basis.

Anyone have any ideas?

Kevin


[Samba] Winbind, nscd, solaris 10, nscd.conf, group, passwd

2009-07-14 Thread Pierre B.
Hello,

We're using Samba 3.0.28 on big Sun hardware with Solaris 10, and a connection
to a 3-DC Windows domain with winbind.

I've found some entries saying that for using samba with winbind the nscd must be
turned off. But in detail I found descriptions that winbind caches only passwd and
group entries, which are configured in nsswitch.conf.

In fact the Solaris 10 nscd is finely configurable via
/etc/nscd.conf, including turning off caching for some of the services,
e.g. passwd and group.

Is there another hint why nscd must still be turned off?

Or will samba work with passwd and groups turned off in nscd.conf, as when we switch
off the whole nscd?

We know by tests that we have many other service requests which are cached in
nscd, too (e.g. nameservice).

This is a basic question. If anyone needs an example configuration I can check that.

Regards...
Pierre B.



[Samba] Winbind Password Problem

2009-07-08 Thread Linux Addict
Hello there, I am having a weird issue. The problem is, when a wrong password
is entered when I log in or use sudo as an AD user, the system uses the same wrong
password the next three times and exits, and does not prompt for a password
again.

This is not the case when winbind is not used. I suspect this is something
to do with PAM for winbind. Please could someone look at my PAM config and let me
know if there is anything wrong. Any hint is appreciated.


auth     required      pam_env.so
auth     sufficient    pam_unix.so nullok try_first_pass
auth     requisite     pam_succeed_if.so uid >= 500 quiet
auth     sufficient    pam_winbind.so cached_login use_first_pass
auth     required      pam_deny.so

account  required      pam_access.so
account  required      pam_unix.so broken_shadow
account  sufficient    pam_localuser.so
account  sufficient    pam_succeed_if.so uid < 500 quiet
account  [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account  required      pam_permit.so

password requisite     pam_cracklib.so try_first_pass retry=3
password sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient    pam_winbind.so cached_login use_authtok
password required      pam_deny.so

session  optional      pam_mkhomedir.so skel=/etc/skel/
session  required      pam_limits.so
session  required      pam_unix.so


Re: [Samba] winbind 3.3.6 + windows 2008 ad

2009-07-07 Thread Norberto Bensa
On Tue, Jul 7, 2009 at 9:46 AM, Christoph Kaminski wrote:
> [realms]
>        CHAOS.LOCAL = {
>                kdc = beelzebub.chaos.local
>                admin_server = beelzebub.chaos.local
>                master_kdc = beelzebub.chaos.local
>                default_domain = chaos.local

I used to have problems with Ubuntu when my domains ended in .local
and /etc/nsswitch.conf included mdns4 or mdns4_minimal. I don't know
if Debian Sid uses mdns4 but you should check that.

HTH,
Norberto


Re: [Samba] winbind 3.3.6 + windows 2008 ad

2009-07-07 Thread Christoph Kaminski

James Zuelow wrote:

> Christoph,
>
> Does it work if you put an entry for your DC into /etc/hosts?

no :(

Greetz


Re: [Samba] winbind 3.3.6 + windows 2008 ad

2009-07-07 Thread Volker Lendecke
On Tue, Jul 07, 2009 at 02:46:02PM +0200, Christoph Kaminski wrote:
> Volker Lendecke wrote:
>>
>> Try to properly set up /etc/krb5.conf.
>>
>> Volker
>
> That's my config, is it wrong somewhere?

Looks ok. Sorry, out of ideas then.

Volker



Re: [Samba] winbind 3.3.6 + windows 2008 ad

2009-07-07 Thread Christoph Kaminski

Volker Lendecke wrote:

> Try to properly set up /etc/krb5.conf.
>
> Volker

That's my config, is it wrong somewhere?

[libdefaults]
        default_realm = CHAOS.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        CHAOS.LOCAL = {
                kdc = beelzebub.chaos.local
                admin_server = beelzebub.chaos.local
                master_kdc = beelzebub.chaos.local
                default_domain = chaos.local
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = vice28.fs.andrew.cmu.edu
                kdc = vice2.fs.andrew.cmu.edu
                kdc = vice11.fs.andrew.cmu.edu
                kdc = vice12.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementia.org
                kdc = kerberos2.dementia.org
                admin_server = kerberos.dementia.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }

[domain_realm]
        .chaos.local = CHAOS.LOCAL
        chaos.local = CHAOS.LOCAL
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        wh

Re: [Samba] winbind 3.3.6 + windows 2008 ad

2009-07-07 Thread Volker Lendecke
On Tue, Jul 07, 2009 at 12:25:11PM +0200, Christoph Kaminski wrote:
> Christoph Kaminski schrieb:
>> Hi!
>>
>> I have a problem with winbind 3.3.6 (debian sid pkg) and windows 2008 ad...
>>
> >> I can join, I can see the AD users with wbinfo -u, but I can't see them
> >> with getent passwd...
>>
>> see this errors in the log file:
>>
>> [2009/07/04 12:44:53,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>>   ads_krb5_mk_req: krb5_get_credentials failed for beelzeb...@chaos  
>> (Cannot resolve network address for KDC in requested realm)
>> [2009/07/04 12:44:53,  1]  
>> libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot  
>> resolve network address for KDC in requested realm
>>
> >> What's wrong?
>>
>> Greetz
>
> No one an idea? :(

Try to properly set up /etc/krb5.conf.

Volker


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] winbind 3.3.6 + windows 2008 ad

2009-07-07 Thread Christoph Kaminski

Christoph Kaminski schrieb:

Hi!

I have a problem with winbind 3.3.6 (debian sid pkg) and windows 2008 ad...

I can join, I can see the AD users with wbinfo -u, but I can't see them
with getent passwd...


see this errors in the log file:

[2009/07/04 12:44:53,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
  ads_krb5_mk_req: krb5_get_credentials failed for beelzeb...@chaos 
(Cannot resolve network address for KDC in requested realm)
[2009/07/04 12:44:53,  1] 
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot 
resolve network address for KDC in requested realm


What's wrong?

Greetz


No one an idea? :(

Greetz


[Samba] winbind pam error

2009-07-06 Thread Linux Addict
Please see below my PAM file, which uses winbind.
The problem is that when a wrong password is entered, the system reuses the
same wrong password for the next three attempts and then exits; it does not
prompt for the password again.

Any hint is appreciated.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

session     optional      pam_mkhomedir.so skel=/etc/skel/
session     required      pam_limits.so
session     required      pam_unix.so
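The stack posted above is only readable if you know how the control flags combine. As an added example for this thread (not code from Samba, Linux-PAM, or the poster), the Python evaluator below applies the ok/done/bad/die/ignore rules from pam.conf(5) to the posted auth and account stacks and reports which modules get consulted and what the application finally sees. The per-module return values are constructed inputs, not calls into real PAM modules, and prompting is not modelled, so try_first_pass and use_first_pass appear only as comments.

```python
"""
Trace how Linux-PAM control flags combine module results for the stack in
the post above. Added example for this thread, not code from Samba or
Linux-PAM: the evaluator follows the ok/done/bad/die/ignore rules in
pam.conf(5), and the per-module results are constructed inputs.
"""

# The auth and account stacks exactly as posted, as (control, module) pairs.
AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),          # nullok try_first_pass
    ("requisite",  "pam_succeed_if.so"),    # uid >= 500 quiet
    ("sufficient", "pam_winbind.so"),       # cached_login use_first_pass
    ("required",   "pam_deny.so"),
]
ACCOUNT_STACK = [
    ("required",   "pam_access.so"),
    ("required",   "pam_unix.so"),          # broken_shadow
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),    # uid < 500 quiet
    ({"success": "ok", "user_unknown": "ignore", "default": "bad"}, "pam_winbind.so"),
    ("required",   "pam_permit.so"),
]

# pam.conf(5): the keyword controls are shorthand for these [value=action] tables.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def run_stack(stack, results):
    """Evaluate one PAM stack.

    results: {module name: return value}; a module not listed returns 'success'.
    Returns (status, consulted): the value the application sees and the list
    of modules actually called before the stack reached its decision.
    """
    impression, status, consulted = "undef", "success", []
    for control, module in stack:
        table = KEYWORD_CONTROLS[control] if isinstance(control, str) else control
        retval = results.get(module, "success")
        consulted.append(module)
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue                       # does not contribute to the result
        if action in ("ok", "done"):
            # 'ok' only overrides a stack state that is still undecided or
            # successful; it never masks an earlier failure.
            if impression == "undef" or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                      # sufficient: stop early on success
        else:                              # 'bad' or 'die'
            if impression != "negative":
                impression, status = "negative", retval   # first failure wins
            if action == "die":
                break                      # requisite: stop immediately
    if impression != "positive" and status == "success":
        status = "perm_denied"             # nothing positive ever happened
    return status, consulted


def auth_domain_user(password_ok):
    """A winbind user: unknown to pam_unix, uid above 500, checked by pam_winbind."""
    return run_stack(AUTH_STACK, {
        "pam_unix.so": "user_unknown",
        "pam_winbind.so": "success" if password_ok else "auth_err",
        "pam_deny.so": "auth_err",
    })


def auth_local_system_user(password_ok):
    """A local account with uid < 500, e.g. root: pam_succeed_if fails (requisite)."""
    return run_stack(AUTH_STACK, {
        "pam_unix.so": "success" if password_ok else "auth_err",
        "pam_succeed_if.so": "auth_err",
        "pam_deny.so": "auth_err",
    })


def account_domain_user(winbind_result):
    """Account phase for a winbind user; winbind_result is what pam_winbind returns."""
    return run_stack(ACCOUNT_STACK, {
        "pam_localuser.so": "user_unknown",     # not in /etc/passwd
        "pam_succeed_if.so": "auth_err",        # uid is not < 500
        "pam_winbind.so": winbind_result,
    })


if __name__ == "__main__":
    print("domain user, good password:", auth_domain_user(True))
    print("domain user, bad password: ", auth_domain_user(False))
    print("root, bad password:        ", auth_local_system_user(False))
    print("account, password expired: ", account_domain_user("new_authtok_reqd"))
```

Two things the trace makes visible. For a winbind user with a wrong password, pam_winbind's failure is ignored (sufficient) and the stack falls through to pam_deny; because pam_winbind carries use_first_pass it never prompts on its own, it only ever sees the password pam_unix already collected. For an account with uid below 500, the requisite pam_succeed_if ends the stack before pam_winbind is consulted at all. In the account phase, a pam_winbind return of new_authtok_reqd is treated as bad by the posted [default=bad ...] control and becomes the stack's result, which is what an application turns into a forced password change, the same PAM_NEW_AUTHTOK_REQD (12) visible in the "winbind authentication mystery" log further down this page.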


Re: [Samba] winbind 3.3.6 + windows 2008 ad

2009-07-04 Thread Christoph Kaminski

Ah, I forgot to paste my config:

[global]
    workgroup = CHAOS
    realm = CHAOS.LOCAL
    netbios name = moloch
    server string = %h file server (Samba %v)
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ADS
    password server = beelzebub.chaos.local
    idmap backend = ad
    idmap uid = 1-2000
    idmap gid = 1-2000
    winbind nss info = rfc2307
    winbind refresh tickets = yes
    winbind enum users = yes
    winbind enum groups = yes
    use kerberos keytab = yes
    interfaces = br0 lo
    bind interfaces only = yes
    hosts allow = 127.0.0.0/8, 192.168.50.0/24, 2001:6f8:1316:1234/64
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = true
    restrict anonymous = 2
    winbind separator = \
    client schannel = no
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    unix extensions = no




[Samba] winbind 3.3.6 + windows 2008 ad

2009-07-04 Thread Christoph Kaminski

Hi!

I have a problem with winbind 3.3.6 (debian sid pkg) and windows 2008 ad...

I can join, I can see the AD users with wbinfo -u, but I can't see them
with getent passwd...


see this errors in the log file:

[2009/07/04 12:44:53,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
  ads_krb5_mk_req: krb5_get_credentials failed for beelzeb...@chaos 
(Cannot resolve network address for KDC in requested realm)
[2009/07/04 12:44:53,  1] 
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot 
resolve network address for KDC in requested realm


What's wrong?

Greetz


RE: [Samba] Samba + Winbind + AD homes does not work

2009-07-02 Thread florian.engelmann

That fixed it! Thank you very much for your help.

Cheers,
Florian

> -Original Message-
> From: samba-bounces+florian.engelmann=bt@lists.samba.org
> [mailto:samba-bounces+florian.engelmann=bt@lists.samba.org] On Behalf
> Of Günter Kukkukk
> Sent: Wednesday, July 01, 2009 12:49 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] Samba + Winbind + AD homes does not work
> 
> Am Dienstag, 30. Juni 2009 schrieb d...@briannassaladdressing.com:
> > Florian,
> >
> > Try "valid users = DOM+%S".
> 
> the more generalized form would be:
>"valid users = %D%w%S"
> #%D domain or workgroup name
> #  %w winbind separator
> #  %S current service name
> Some distros use this one as default:
>"valid users = %S, %D%w%S"
> 
> Cheers, Günter
> 
> >
> > Should that fail,  also ensure that the home directories exist (as
> defined in "template homedir ="), and that these directories have the
> correct permissions.
> >
> > Dale
> >
> >
> > -Original message-
> > From: florian.engelm...@bt.com
> > Date: Tue, 30 Jun 2009 10:19:05 -0500
> > To: samba@lists.samba.org
> > Subject: [Samba] Samba + Winbind + AD homes does not work
> >
> > > Hello,
> > > we use winbind to connect our Linux servers to our AD what is working
> > > right now and we use samba to share some Linux directories to our
> > > Windows clients what is also working as intended. The only thing we
> were
> > > not able to get running are the [homes]. The authentication seems to
> be
> > > wrong. Here is our configuration.
> > >
> > > /etc/samba/smb.conf
> > > [global]
> > >netbios name = demu1glc01
> > >workgroup = DOM
> > >realm = DOM.xxx.yyy
> > >preferred master = no
> > >server string = UnixCluster
> > >security = ADS
> > >encrypt passwords = true
> > >;password server = *
> > >password server = demu1w02
> > >allow trusted domains = no
> > >log level = 2
> > >log file = /var/log/samba/%m
> > >max log size = 1000
> > >printcap name = cups
> > >printing = cups
> > >winbind enum users = no
> > >winbind enum groups = no
> > >winbind use default domain = yes
> > >winbind nested groups = yes
> > >winbind separator = +
> > >winbind cache time = 5
> > >idmap backend = rid:DOM=10-500
> > >idmap uid = 10-1000
> > >idmap gid = 10-1000
> > >template homedir = /home/%D/%U
> > >template shell = /bin/bash
> > >
> > > [homes]
> > >comment = Home Directories
> > >;path = /pkg/global/home/%D/%U
> > >valid users = %S
> > >;valid users = %D+%U, engelmaf, DOM+engelmann
> > >;valid users = @DOM+de_it-operations_dam, @"DOM+domain users",
> %D+%U,
> > > engelmaf, DOM+engelmann, %S
> > >read only = no
> > >browseable = no
> > >;invalid users = root
> > >
> > > [printers]
> > >comment = All Printers
> > >path = /var/spool/cups
> > >browseable = no
> > >printable = yes
> > >guest ok = yes
> > >
> > > [dml]
> > >comment = Digital Media Library
> > >path= /pkg/tank/dml
> > >valid users = @DOM+de_it-operations_dam, @"DOM+domain users"
> > >writable=yes
> > >browseable=yes
> > >write list = @DOM+de_it-operations_dam
> > >
> > > We are able to connect and write to dml but not to the home
> directories.
> > > Any Idea what could be the problem?
> > >
> > > OS: Debian Lenny
> > > Samba: 3.2.5
> > >
> > > Thank you for your help.
> > >
> > > Regards Florian
> 
> 


Re: [Samba] Samba + Winbind + AD homes does not work

2009-06-30 Thread Günter Kukkukk
Am Dienstag, 30. Juni 2009 schrieb d...@briannassaladdressing.com:
> Florian,
> 
> Try "valid users = DOM+%S".

the more generalized form would be:
   "valid users = %D%w%S"
#%D domain or workgroup name
#%w winbind separator
#%S current service name
Some distros use this one as default:
   "valid users = %S, %D%w%S"

Cheers, Günter

> 
> Should that fail,  also ensure that the home directories exist (as defined in 
> "template homedir ="), and that these directories have the correct 
> permissions.
> 
> Dale
> 
> 
> -Original message-
> From: florian.engelm...@bt.com
> Date: Tue, 30 Jun 2009 10:19:05 -0500
> To: samba@lists.samba.org
> Subject: [Samba] Samba + Winbind + AD homes does not work
> 
> > Hello,
> > we use winbind to connect our Linux servers to our AD what is working
> > right now and we use samba to share some Linux directories to our
> > Windows clients what is also working as intended. The only thing we were
> > not able to get running are the [homes]. The authentication seems to be
> > wrong. Here is our configuration.
> > 
> > /etc/samba/smb.conf
> > [global]
> >netbios name = demu1glc01
> >workgroup = DOM
> >realm = DOM.xxx.yyy
> >preferred master = no
> >server string = UnixCluster
> >security = ADS
> >encrypt passwords = true
> >;password server = *
> >password server = demu1w02
> >allow trusted domains = no
> >log level = 2
> >log file = /var/log/samba/%m
> >max log size = 1000
> >printcap name = cups
> >printing = cups
> >winbind enum users = no
> >winbind enum groups = no
> >winbind use default domain = yes
> >winbind nested groups = yes
> >winbind separator = +
> >winbind cache time = 5
> >idmap backend = rid:DOM=10-500
> >idmap uid = 10-1000
> >idmap gid = 10-1000
> >template homedir = /home/%D/%U
> >template shell = /bin/bash
> > 
> > [homes]
> >comment = Home Directories
> >;path = /pkg/global/home/%D/%U
> >valid users = %S
> >;valid users = %D+%U, engelmaf, DOM+engelmann
> >;valid users = @DOM+de_it-operations_dam, @"DOM+domain users", %D+%U,
> > engelmaf, DOM+engelmann, %S
> >read only = no
> >browseable = no
> >;invalid users = root
> > 
> > [printers]
> >comment = All Printers
> >path = /var/spool/cups
> >browseable = no
> >printable = yes
> >guest ok = yes
> > 
> > [dml]
> >comment = Digital Media Library
> >path= /pkg/tank/dml
> >valid users = @DOM+de_it-operations_dam, @"DOM+domain users"
> >writable=yes
> >browseable=yes
> >write list = @DOM+de_it-operations_dam
> > 
> > We are able to connect and write to dml but not to the home directories.
> > Any Idea what could be the problem?
> > 
> > OS: Debian Lenny
> > Samba: 3.2.5
> > 
> > Thank you for your help.
> > 
> > Regards Florian




Re: [Samba] Samba + Winbind + AD homes does not work

2009-06-30 Thread dale
Florian,

Try "valid users = DOM+%S".

Should that fail,  also ensure that the home directories exist (as defined in 
"template homedir ="), and that these directories have the correct permissions.

Dale


-Original message-
From: florian.engelm...@bt.com
Date: Tue, 30 Jun 2009 10:19:05 -0500
To: samba@lists.samba.org
Subject: [Samba] Samba + Winbind + AD homes does not work

> Hello,
> we use winbind to connect our Linux servers to our AD what is working
> right now and we use samba to share some Linux directories to our
> Windows clients what is also working as intended. The only thing we were
> not able to get running are the [homes]. The authentication seems to be
> wrong. Here is our configuration.
> 
> /etc/samba/smb.conf
> [global]
>netbios name = demu1glc01
>workgroup = DOM
>realm = DOM.xxx.yyy
>preferred master = no
>server string = UnixCluster
>security = ADS
>encrypt passwords = true
>;password server = *
>password server = demu1w02
>allow trusted domains = no
>log level = 2
>log file = /var/log/samba/%m
>max log size = 1000
>printcap name = cups
>printing = cups
>winbind enum users = no
>winbind enum groups = no
>winbind use default domain = yes
>winbind nested groups = yes
>winbind separator = +
>winbind cache time = 5
>idmap backend = rid:DOM=10-500
>idmap uid = 10-1000
>idmap gid = 10-1000
>template homedir = /home/%D/%U
>template shell = /bin/bash
> 
> [homes]
>comment = Home Directories
>;path = /pkg/global/home/%D/%U
>valid users = %S
>;valid users = %D+%U, engelmaf, DOM+engelmann
>;valid users = @DOM+de_it-operations_dam, @"DOM+domain users", %D+%U,
> engelmaf, DOM+engelmann, %S
>read only = no
>browseable = no
>;invalid users = root
> 
> [printers]
>comment = All Printers
>path = /var/spool/cups
>browseable = no
>printable = yes
>guest ok = yes
> 
> [dml]
>comment = Digital Media Library
>path= /pkg/tank/dml
>valid users = @DOM+de_it-operations_dam, @"DOM+domain users"
>writable=yes
>browseable=yes
>write list = @DOM+de_it-operations_dam
> 
> We are able to connect and write to dml but not to the home directories.
> Any Idea what could be the problem?
> 
> OS: Debian Lenny
> Samba: 3.2.5
> 
> Thank you for your help.
> 
> Regards Florian


[Samba] Samba + Winbind + AD homes does not work

2009-06-30 Thread florian.engelmann
Hello,
we use winbind to connect our Linux servers to our AD what is working
right now and we use samba to share some Linux directories to our
Windows clients what is also working as intended. The only thing we were
not able to get running are the [homes]. The authentication seems to be
wrong. Here is our configuration.

/etc/samba/smb.conf
[global]
   netbios name = demu1glc01
   workgroup = DOM
   realm = DOM.xxx.yyy
   preferred master = no
   server string = UnixCluster
   security = ADS
   encrypt passwords = true
   ;password server = *
   password server = demu1w02
   allow trusted domains = no
   log level = 2
   log file = /var/log/samba/%m
   max log size = 1000
   printcap name = cups
   printing = cups
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
   winbind nested groups = yes
   winbind separator = +
   winbind cache time = 5
   idmap backend = rid:DOM=10-500
   idmap uid = 10-1000
   idmap gid = 10-1000
   template homedir = /home/%D/%U
   template shell = /bin/bash

[homes]
   comment = Home Directories
   ;path = /pkg/global/home/%D/%U
   valid users = %S
   ;valid users = %D+%U, engelmaf, DOM+engelmann
   ;valid users = @DOM+de_it-operations_dam, @"DOM+domain users", %D+%U,
engelmaf, DOM+engelmann, %S
   read only = no
   browseable = no
   ;invalid users = root

[printers]
   comment = All Printers
   path = /var/spool/cups
   browseable = no
   printable = yes
   guest ok = yes

[dml]
   comment = Digital Media Library
   path= /pkg/tank/dml
   valid users = @DOM+de_it-operations_dam, @"DOM+domain users"
   writable=yes
   browseable=yes
   write list = @DOM+de_it-operations_dam

We are able to connect and write to dml but not to the home directories.
Any Idea what could be the problem?

OS: Debian Lenny
Samba: 3.2.5

Thank you for your help.

Regards Florian


[Samba] winbind authentication mystery

2009-06-24 Thread Chris Thielen
Greetings,
I'm running Fedora 11 (Samba 3.3.2) and am trying to configure winbind
authentication against a Windows 2003 server.
I've run kinit and net join successfully, and can wbinfo -u, -g, and -t
successfully, as well as getent passwd and getent group successfully. I
can even use passwd to change domain user passwords.
However, when I try to log in via gdm, ssh, or even su, I do not
succeed. I believe I am suffering from one, possibly two, separate
issues.
The first is that all users except the Administrator are told that
their password is expiring, which is not true. Here are the logs of this
event:

Jun 24 15:29:58 history-20 sshd[4656]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=localhost.localdomain  user=cmthielen
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): [pamh:
0x1f06f48] ENTER: pam_sm_authenticate (flags: 0x0001)
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): getting
password (0x0011)
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth):
pam_get_item returned a password
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): Verify
user 'cmthielen'
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): request
wbcLogonUser succeeded
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): user
'cmthielen' granted access
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): Password
has expired (Password was last set: 1245880658, the policy says it
should expire here 1245880657 (now it's: 1245882598))
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): [pamh:
0x1f06f48] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): [pamh:
0x1f06f48] ENTER: pam_sm_acct_mgmt (flags: 0x)
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account):
pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): user
'cmthielen' needs new password
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): [pamh:
0x1f06f48] LEAVE: pam_sm_acct_mgmt returning 12 (PAM_NEW_AUTHTOK_REQD)
Jun 24 15:29:58 history-20 sshd[4656]: Accepted password for cmthielen
from 127.0.0.1 port 36881 ssh2
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh:
0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0002)
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred):
PAM_ESTABLISH_CRED not implemented
Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh:
0x1f06f48] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jun 24 15:29:58 history-20 sshd[4656]: pam_unix(sshd:session): session
opened for user cmthielen by (uid=0)
Jun 24 15:29:58 history-20 sshd[4660]: pam_winbind(sshd:setcred): [pamh:
0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0002)
Jun 24 15:29:58 history-20 sshd[4660]: pam_winbind(sshd:setcred):
PAM_ESTABLISH_CRED not implemented
Jun 24 15:29:58 history-20 sshd[4660]: pam_winbind(sshd:setcred): [pamh:
0x1f06f48] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jun 24 15:29:58 history-20 passwd: pam_unix(passwd:chauthtok): user
"cmthielen" does not exist in /etc/passwd
Jun 24 15:29:58 history-20 passwd: pam_winbind(passwd:chauthtok):
getting password (0x0020)
Jun 24 15:30:01 history-20 passwd: pam_winbind(passwd:chauthtok): user
'cmthielen' granted access
Jun 24 15:30:05 history-20 passwd: pam_unix(passwd:chauthtok): user
"cmthielen" does not exist in /etc/passwd
Jun 24 15:30:05 history-20 passwd: pam_winbind(passwd:chauthtok):
getting password (0x)
Jun 24 15:30:11 history-20 passwd: pam_winbind(passwd:chauthtok): user
'cmthielen' OK
Jun 24 15:30:11 history-20 passwd: pam_winbind(passwd:chauthtok): user
'cmthielen' password changed
Jun 24 15:30:11 history-20 passwd: pam_winbind(passwd:chauthtok): user
'cmthielen' granted access
Jun 24 15:30:11 history-20 passwd: Couldn't access gnome keyring
socket: /tmp/keyring-4jRNoE/socket: Permission denied
Jun 24 15:30:11 history-20 passwd: gkr-pam: couldn't change password for
'login' keyring: 255
Jun 24 15:30:13 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh:
0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0004)
Jun 24 15:30:13 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh:
0x1f06f48] ENTER: _pam_delete_cred (flags: 0x0004)

However, if I set my computer back two days, the timestamps work out.
The time on the Windows server is set correctly, and the box even has
its ntpdate set to use the Windows server.

The second, or possibly the same issue, is that it simply won't log in.
If I use the administrator account, I am not told my password expires,
but my session ends immediately (note: I have use default domain turned
on, so the domain is implied here. If I turn it off and add the correct
prepend syntax, the issue is the same):

[r...@history-20 pam.d]# ssh administra...@localhost
administra...@localhost's passwor

[Samba] winbind is very slow. log.winbind shows errors

2009-06-10 Thread psych jd
Hi,

Server: Debian Lenny with Samba 3.3.4 .

log.winbindd shows this:

[2009/06/10 09:01:13,  0] libsmb/namequery.c:saf_store(75)
  saf_store: refusing to store 0 length domain or servername!
[2009/06/10 09:01:23,  0] libsmb/clientgen.c:cli_receive_smb(165)
  Receiving SMB: Server stopped responding
[2009/06/10 09:01:23,  1] winbindd/winbindd_cm.c:cm_prepare_connection(967)
  failed tcon_X with NT_STATUS_IO_TIMEOUT
[2009/06/10 09:01:26,  0] libsmb/namequery.c:saf_store(75)
  saf_store: refusing to store 0 length domain or servername!
[2009/06/10 09:01:36,  0] libsmb/clientgen.c:cli_receive_smb(165)
  Receiving SMB: Server stopped responding
[2009/06/10 09:01:36,  1] winbindd/winbindd_cm.c:cm_prepare_connection(967)
  failed tcon_X with NT_STATUS_IO_TIMEOUT
[2009/06/10 09:01:39,  0] libsmb/namequery.c:saf_store(75)
  saf_store: refusing to store 0 length domain or servername!
[2009/06/10 09:01:48,  1]
rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(755)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR
received from host REY-SERVER, pipe \lsarpc, fnum 0x7445!


Any Ideas?
I don't know what to do with these messages.

Thank you,

JonnyD


Re: [Samba] winbind with ports 445/139 blocked

2009-06-08 Thread Volker Lendecke
On Mon, Jun 08, 2009 at 11:31:05AM -0700, Nick Bartos wrote:
> I have an annoying problem I'm hoping to get some guidance on.
> 
> I am able to use winbind with our local domain, however it does not work
> with a remote trusted domain (it works fine for a local trusted domain).
> From the looks of things, winbind requires port 445 or 139 to be open to the
> remote domain controllers, which it is not.
> 
> Apparently these ports are not required for the MS Windows clients to
> authenticate to the remote domain, as they work fine.  Getting the ports
> opened would either take an act of God, or some other deity.  So I was
> hoping that there was a way to make winbind use other services like windows
> does (rpc/ldap/whatever).
> 
> Thoughts?

This is a known deficiency right now, and I'm not 100% sure
that we can fix it properly in the short term. Windows
internally will never look at something like /etc/passwd and
/etc/group for normal operations. Unix programs regularly
do, and we can't really get all the info to also fill in
/etc/passwd and /etc/group for the trusted domains.

What I'd like to ask you is to file a bug in
bugzilla.samba.org. This way it pops up regularly when I
look over it, but I can't promise any deadline at all. I
would just not like to lose this reminder :-)

Volker



[Samba] winbind with ports 445/139 blocked

2009-06-08 Thread Nick Bartos
I have an annoying problem I'm hoping to get some guidance on.

I am able to use winbind with our local domain, however it does not work
with a remote trusted domain (it works fine for a local trusted domain).
From the looks of things, winbind requires port 445 or 139 to be open to the
remote domain controllers, which it is not.

Apparently these ports are not required for the MS Windows clients to
authenticate to the remote domain, as they work fine.  Getting the ports
opened would either take an act of God, or some other deity.  So I was
hoping that there was a way to make winbind use other services like windows
does (rpc/ldap/whatever).

Thoughts?


[Samba] Winbind Problems resolving groups

2009-06-04 Thread Marc Muehlfeld

Hello,

on my member server I only see the mapped GID through winbind on my
filesystem. Owners are displayed fine; only the group isn't resolved. Access is
possible because the GIDs are fine.


Example:
-rw-r--r--  1 muehlfeld 30006  429 26. Aug 2008  testfile.txt


wbinfo -g returns:
BUILTIN\administrators
BUILTIN\users

The member server is running 3.3.4. Also the PDC runs 3.3.4 (with 3.0.34 on my 
PDC it worked).


Any idea?

Regards,
Marc


Re: [SOLVED] [Samba] Winbind lost domain

2009-06-03 Thread Liutauras Adomaitis
On Fri, May 29, 2009 at 10:28 AM, Mailing pigna  wrote:
>  I solved the problem.
> In the file smb.conf I put the parameter
> smb port = 139
> changing the parameter
> smb ports = 445 139
> Everything is back to work.
> But do not understand 3 things:
> 1) before winbind is working quietly on the pdc that the proxy, but now if
> you do not rehabilitate the 445 I will have the problems I described.
> 2) In a remote site I have installed a BDC and a proxy, and it works without
> any problems leaving smb port = 139 
> 3) I do not remember why I put smb port = 139:)
>

I put port 139 only when I want to have a multi-named Samba server, with
some shares on one virtual Samba and other shares on the other virtual
Samba.


Re: [Samba] Winbind lost domain

2009-05-27 Thread Liutauras Adomaitis
On Wed, May 27, 2009 at 5:22 PM, Mailing pigna  wrote:
> Hi all.
> I have a problem whith winbind authentication.
> I have 2 samba domains, DOMA and DOMB, and these domains have trust in one
> another.
>
> On both pdc winbind is installed.
>
> I installed a proxy server using squid with ntlm authentication. I install
> on the server:
> squid
> samba
> winbind
> I have modify the smb.conf on proxy:
> [global]
>  workgroup = DOMA
>  server string = PROXY DOMA
>  password server = xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy
>  security = domain
>  encrypt passwords = yes
>  winbind separator = +
>  winbind uid = 1-2
>  winbind gid = 1-2
>  winbind enum users = yes
>  winbind enum groups = yes
>  winbind use default domain = No
>  log level = 2
>  log file = /var/log/samba/%m.log
>  max log size = 10
>  socket options = TCP_NODELAY
>  wins server = xxx.xxx.xxx.xxx
>
> I have run this comand:
> #net rpc join -S PDC1 -U Administrator
> and the proxy server as joined in the domain
> Now this command executed successful:
> #wbinfo -t
> checking the trust secret via RPC calls succeeded
> #wbinfo -u
> DOMA+user1
> DOMA+user2
> DOMA+user3
> DOMA+user4
> ecc. ecc.
> #wbinfo -a DOMA+user1%pwduser1
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> Until here everything ok.
> Every now and then but it seems that winbind loses the domain and users are
> no longer able to navigate.
> This is the log of winbind:
> [2009/05/27 12:54:21, 1]
> rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
>  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR
> received from remote machine SERVERA pipe \lsarpc fnum 0x74f0!
> [2009/05/27 12:54:28, 1]
> rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
>  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR
> received from remote machine SERVERA pipe \lsarpc fnum 0x751a!
> [2009/05/27 14:48:36, 0] libsmb/clientgen.c:cli_receive_smb(111)
>  Receiving SMB: Server stopped responding
> [2009/05/27 14:48:36, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
>  rpc_api_pipe: Remote machine SERVERA pipe \NETLOGON fnum 0x751ereturned
> critical error. Error was Call timed out: server did not respon
> d after 1 milliseconds
> [2009/05/27 14:48:36, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[gonzaga] returned
> NT_STATUS_IO_TIMEOUT (PAM: 4)
> [2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
>  cli_rpc_pipe_close: cli_close failed on pipe \samr, fnum 0x751b to machine
> SERVERA. Error was Call timed out: server did not respond a
> fter 1000 milliseconds
> [2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
>  cli_rpc_pipe_close: cli_close failed on pipe \lsarpc, fnum 0x751c to
> machine SERVERA. Error was Call timed out: server did not respond
>  after 500 milliseconds
> [2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
>  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x751e to
> machine SERVERA. Error was Call timed out: server did not respo
> nd after 500 milliseconds
> [2009/05/27 14:48:46, 0] libsmb/clientgen.c:cli_receive_smb(111)
>  Receiving SMB: Server stopped responding
> [2009/05/27 14:48:57, 0] libsmb/clientgen.c:cli_receive_smb(111)
>  Receiving SMB: Server stopped responding
> [2009/05/27 14:49:07, 0] libsmb/clientgen.c:cli_receive_smb(111)
>  Receiving SMB: Server stopped responding
> [2009/05/27 14:49:07, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[user1] returned
> NT_STATUS_IO_TIMEOUT (PAM: 4)
> [2009/05/27 14:49:26, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[user2] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
> [2009/05/27 14:49:32, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[user3] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
> [2009/05/27 14:49:50, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[user4] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
> [2009/05/27 14:49:52, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[user4] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
> [2009/05/27 14:50:36, 4] nsswitch/winbindd_dual.c:fork_domain_child(1080)
>  child daemon request 47
> [2009/05/27 14:50:36, 8] nsswitch/winbindd_cm.c:connection_ok(1515)
>  connection_ok: Connection to for domain DOMA has NULL cli!
>

[Samba] Winbind lost domain

2009-05-27 Thread Mailing pigna
Hi all.
I have a problem with winbind authentication.
I have 2 samba domains, DOMA and DOMB, and these domains have trust in one
another.

On both pdc winbind is installed.

I installed a proxy server using squid with ntlm authentication. I install
on the server:
squid
samba
winbind
I have modified the smb.conf on the proxy:
[global]
  workgroup = DOMA
  server string = PROXY DOMA
  password server = xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy
  security = domain
  encrypt passwords = yes
  winbind separator = +
  winbind uid = 1-2
  winbind gid = 1-2
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = No
  log level = 2
  log file = /var/log/samba/%m.log
  max log size = 10
  socket options = TCP_NODELAY
  wins server = xxx.xxx.xxx.xxx

I have run this command:
#net rpc join -S PDC1 -U Administrator
and the proxy server has joined the domain.
Now this command executed successful:
#wbinfo -t
checking the trust secret via RPC calls succeeded
#wbinfo -u
DOMA+user1
DOMA+user2
DOMA+user3
DOMA+user4
etc. etc.
#wbinfo -a DOMA+user1%pwduser1
plaintext password authentication succeeded
challenge/response password authentication succeeded
Up to here everything is OK.
Every now and then, though, it seems that winbind loses the domain and users are
no longer able to navigate.
This is the log of winbind:
[2009/05/27 12:54:21, 1]
rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR
received from remote machine SERVERA pipe \lsarpc fnum 0x74f0!
[2009/05/27 12:54:28, 1]
rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR
received from remote machine SERVERA pipe \lsarpc fnum 0x751a!
[2009/05/27 14:48:36, 0] libsmb/clientgen.c:cli_receive_smb(111)
  Receiving SMB: Server stopped responding
[2009/05/27 14:48:36, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine SERVERA pipe \NETLOGON fnum 0x751e returned
critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2009/05/27 14:48:36, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[gonzaga] returned
NT_STATUS_IO_TIMEOUT (PAM: 4)
[2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
  cli_rpc_pipe_close: cli_close failed on pipe \samr, fnum 0x751b to machine
SERVERA. Error was Call timed out: server did not respond after 1000 milliseconds
[2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
  cli_rpc_pipe_close: cli_close failed on pipe \lsarpc, fnum 0x751c to
machine SERVERA. Error was Call timed out: server did not respond after 500 milliseconds
[2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x751e to
machine SERVERA. Error was Call timed out: server did not respond after 500 milliseconds
[2009/05/27 14:48:46, 0] libsmb/clientgen.c:cli_receive_smb(111)
  Receiving SMB: Server stopped responding
[2009/05/27 14:48:57, 0] libsmb/clientgen.c:cli_receive_smb(111)
  Receiving SMB: Server stopped responding
[2009/05/27 14:49:07, 0] libsmb/clientgen.c:cli_receive_smb(111)
  Receiving SMB: Server stopped responding
[2009/05/27 14:49:07, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user1] returned
NT_STATUS_IO_TIMEOUT (PAM: 4)
[2009/05/27 14:49:26, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user2] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:49:32, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user3] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:49:50, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user4] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:49:52, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user4] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:50:36, 4] nsswitch/winbindd_dual.c:fork_domain_child(1080)
  child daemon request 47
[2009/05/27 14:50:36, 8] nsswitch/winbindd_cm.c:connection_ok(1515)
  connection_ok: Connection to for domain DOMA has NULL cli!
[2009/05/27 14:50:36, 5] libsmb/namequery.c:saf_fetch(136)
  saf_fetch: Returning "SERVERA" for "DOMA" domain
[2009/05/27 14:50:36, 5] libads/dns.c:sitename_fetch(706)
  sitename_fetch: No stored sitename for
[2009/05/27 14:50:36, 5] libsmb/namecache.c:namecache_fetch(214)
  name SERVERA#20 found.
[2009/05/27 14:50:36, 6] libsmb/clientgen.c:write_socket(152)
  write_socket(18,72)
[2009/05/27 14:50:36, 6] libsmb/clientgen.c:write_socket(155)
  write_socket(18,72) wrote 72
[2009/05/27 14:50:36, 5] libsmb/cliconnect.c:cli_session_request(1407)
  Sent
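
The log above shows the proxy's winbindd timing out against SERVERA and every NTLM challenge/response authentication failing with NT_STATUS_IO_TIMEOUT or NT_STATUS_NO_LOGON_SERVERS. The following is an added example, not code from the post or from Samba: a small parser for the Samba 3 log layout (a "[date, level] file:function(line)" header followed by an indented message) that groups the authentication results per user, counts RPC pipe timeouts, notes which DC winbindd picked, and decides whether the failures look like an unreachable domain controller or like rejected credentials. The sample log is constructed from the entries quoted in the post, re-joined where the mail client wrapped them.

```python
"""Summarise winbindd authentication failures from a Samba 3 debug log."""
import re
from collections import Counter, defaultdict

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] *(\S+)?")
AUTH = re.compile(
    r"NTLM CRAP authentication for user \[([^\]]+)\]\\\[([^\]]+)\] returned (NT_STATUS_\w+)")
TIMEOUT = re.compile(r"pipe (\\\w+).*Call timed out")
SAF = re.compile(r'saf_fetch: Returning "([^"]+)" for "([^"]+)" domain')

# Statuses that mean "the DC did not answer" rather than "the DC said no".
DC_DOWN = {"NT_STATUS_IO_TIMEOUT", "NT_STATUS_NO_LOGON_SERVERS"}
CRED_FAIL = {"NT_STATUS_WRONG_PASSWORD", "NT_STATUS_LOGON_FAILURE",
             "NT_STATUS_ACCOUNT_LOCKED_OUT"}

# Constructed sample, assembled from the entries quoted in the post.
SAMPLE_LOG = """\
[2009/05/27 12:54:21, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine SERVERA pipe \\lsarpc fnum 0x74f0!
[2009/05/27 14:48:36, 0] libsmb/clientgen.c:cli_receive_smb(111)
  Receiving SMB: Server stopped responding
[2009/05/27 14:48:36, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine SERVERA pipe \\NETLOGON fnum 0x751e returned critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2009/05/27 14:48:36, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\\[gonzaga] returned NT_STATUS_IO_TIMEOUT (PAM: 4)
[2009/05/27 14:49:07, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\\[user1] returned NT_STATUS_IO_TIMEOUT (PAM: 4)
[2009/05/27 14:49:26, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\\[user2] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:49:50, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\\[user4] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:49:52, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\\[user4] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:50:36, 5] libsmb/namequery.c:saf_fetch(136)
  saf_fetch: Returning "SERVERA" for "DOMA" domain
"""


def parse_entries(text):
    """Return [(timestamp, level, location, message)] from Samba 3 log text."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(3) or "", ""])
        elif entries:
            # Continuation line: the indented message, possibly wrapped.
            entries[-1][3] = (entries[-1][3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]


def summarise(text):
    """Group auth results per user, count pipe timeouts and note the DC in use."""
    auth = defaultdict(Counter)
    timeouts = Counter()
    dcs = set()
    for _ts, _level, _loc, msg in parse_entries(text):
        if (m := AUTH.search(msg)):
            domain, user, status = m.groups()
            auth[f"{domain}\\{user}"][status] += 1
        elif (m := TIMEOUT.search(msg)):
            timeouts[m.group(1)] += 1
        elif (m := SAF.search(msg)):
            dcs.add((m.group(2), m.group(1)))  # (domain, server winbindd chose)
    return {"auth": dict(auth), "timeouts": timeouts, "dcs": dcs}


def classify(summary):
    """'dc-unreachable' if every failure is a DC timeout, 'credential-failures'
    if a DC actually rejected logons, 'mixed' when both kinds appear."""
    statuses = Counter()
    for per_user in summary["auth"].values():
        statuses.update(per_user)
    if not statuses:
        return "no-auth-events"
    if set(statuses) <= DC_DOWN:
        return "dc-unreachable"
    if set(statuses) & CRED_FAIL:
        return "credential-failures"
    return "mixed"


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for user, counts in sorted(s["auth"].items()):
        print(user, dict(counts))
    print("pipe timeouts:", dict(s["timeouts"]), "DC:", s["dcs"])
    print("verdict:", classify(s))
```

The distinction matters operationally: a run of NT_STATUS_IO_TIMEOUT / NT_STATUS_NO_LOGON_SERVERS for many users at once is a connectivity or DC problem to chase with the password server list and the saf_fetch entry, whereas NT_STATUS_WRONG_PASSWORD or NT_STATUS_LOGON_FAILURE for one user from many clients is what a password-guessing run through the proxy would look like.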

Re: [Samba] Multithreaded SAMBA/Winbind

2009-05-18 Thread Nicolas Dorfsman


On 18 May 09 at 22:58, simo wrote:

> On Mon, 2009-05-18 at 22:20 +0200, Nicolas Dorfsman wrote:
>> I used TW for servers.
>>
>> It is a really heavy application which probably uses getent()
>> extensively.
>> I'm afraid they're talking about having a MTed winbindd.
>>
>> Is there a chance to eliminate the problem with a cache daemon like
>> nscd ?
>
> Nscd may cause other problems but you can try.
> Another way is to simply use the default behavior in winbindd and return
> nothing to get*ent() calls.
>
> Any application that relies (let's set aside heavily) on get*ent() calls is
> almost certainly broken ...

Huh. Sorry, bad assertion (my fault). I was meaning many get entries
in user "databases".

--

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Multithreaded SAMBA/Winbind

2009-05-18 Thread simo
On Mon, 2009-05-18 at 22:20 +0200, Nicolas Dorfsman wrote:
> 
> I used TW for servers.
> 
> It is a really heavy application which probably uses getent()
> extensively.
> I'm afraid they're talking about having a MTed winbindd.
> 
> Is there a chance to eliminate the problem with a cache daemon like
> nscd ?

Nscd may cause other problems but you can try.
Another way is to simply use the default behavior in winbindd and return
nothing to get*ent() calls.

Any application that relies (let's set aside heavily) on get*ent() calls is
almost certainly broken ...

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer 
Principal Software Engineer at Red Hat, Inc. 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Multithreaded SAMBA/Winbind

2009-05-18 Thread Nicolas Dorfsman

Hi Volker, Hi Chuck,

On 12 May 09 at 16:12, Volker Lendecke wrote:

> On Mon, May 11, 2009 at 12:21:34PM -0400, Chuck Noga - CAN wrote:
>> We have a configuration and audit application called Tripwire Enterprise
>> (7.5) that is running on a Red Hat Enterprise Linux 5.2 server.  On this
>> server, we are using winbind (samba version 3.0.33) for authentication
>> (against Windows AD).  When we try to run a configuration check on users
>> and permissions we get an error that there is a problematic frame :  C
>> [libnss_winbind.so.2+0x129f]  .I talked to the software vendor
>> (Tripwire) and they are saying that the winbind must be multithreaded
>> for this to run.   My question to you..  Is there a samba release more
>> current than the version we are on (3.0.33  most currently supported Red
>> Hat version) that we can upgrade to to give us multithreading
>> functionality ?   or is there a suggested workaround for this ?
>
> Is it really a requirement that winbind must be
> multi-threaded, or is it rather that libnss_winbind must be
> thread-safe?

I used TW for servers.

It is a really heavy application which probably uses getent()
extensively.

I'm afraid they're talking about having a MTed winbindd.

Is there a chance to eliminate the problem with a cache daemon like nscd ?


Nicolas

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


RE: [Samba] Multithreaded SAMBA/Winbind

2009-05-13 Thread Chuck Noga - CAN
Not 100 percent sure.   Is there a way to determine whether our current
libnss_winbind is thread-safe?  If not, is there a way to make it?


Thanks for the reply.

 

-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: Tuesday, May 12, 2009 10:12 AM
To: Chuck Noga - CAN
Cc: sa...@samba.org
Subject: Re: [Samba] Multithreaded SAMBA/Winbind

On Mon, May 11, 2009 at 12:21:34PM -0400, Chuck Noga - CAN wrote:
> We have a configuration and audit application called Tripwire Enterprise
> (7.5) that is running on a Red Hat Enterprise Linux 5.2 server.  On this
> server, we are using winbind (samba version 3.0.33) for authentication
> (against Windows AD).  When we try to run a configuration check on
> users and permissions we get an error that there is a problematic
> frame :  C [libnss_winbind.so.2+0x129f]  .I talked to the software vendor
> (Tripwire) and they are saying that the winbind must be multithreaded
> for this to run.   My question to you..  Is there a samba release more
> current than the version we are on (3.0.33  most currently supported
> Red Hat version) that we can upgrade to to give us multithreading
> functionality ?   or is there a suggested workaround for this ?

Is it really a requirement that winbind must be multi-threaded, or is it
rather that libnss_winbind must be thread-safe?

Volker
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Multithreaded SAMBA/Winbind

2009-05-12 Thread Volker Lendecke
On Mon, May 11, 2009 at 12:21:34PM -0400, Chuck Noga - CAN wrote:
> We have a configuration and audit application called Tripwire Enterprise
> (7.5) that is running on a Red Hat Enterprise Linux 5.2 server.  On this
> server, we are using winbind (samba version 3.0.33) for authentication
> (against Windows AD).  When we try to run a configuration check on users
> and permissions we get an error that there is a problematic frame :  C
> [libnss_winbind.so.2+0x129f]  .I talked to the software vendor
> (Tripwire) and they are saying that the winbind must be multithreaded
> for this to run.   My question to you..  Is there a samba release more
> current than the version we are on (3.0.33  most currently supported Red
> Hat version) that we can upgrade to to give us multithreading
> functionality ?   or is there a suggested workaround for this ?

Is it really a requirement that winbind must be
multi-threaded, or is it rather that libnss_winbind must be
thread-safe?

Volker


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Winbind generating alot of "Failure Audit" on windows domain controller

2009-05-12 Thread Andreas Larsson
Hi List,

I'm evaluating the use of samba/winbind to join our Linux hosts into Active 
Directory. We use win2k3 R2 with rfc2307 schema fields populated on the server 
side. For the most part the project is humming along nicely. 

A couple of days ago I noticed that the domain controllers get spammed with a 
lot of messages in the event log. The events look like this:

Failure Audit  - Security - 675

Pre-Authentication failed:
User Name:  machineaccount$
User ID:DOMAIN\machineaccount$
Service Name:   krbtgt/DOMAIN
Pre-Authentication type:0x0
Failure Code:   0x19
Client Address: ipofclient

This message is not fatal in any way; all it means is that the client did not 
pre-authenticate itself to the domain controller. The domain controller responds 
to the client that it needs pre-auth to proceed, and the client then supplies the 
pre-auth info. So the "error" in itself is quite harmless; my concern is that 
it's appearing a bit too often. Some clients log this message to the 
domain controller up to 10-20 times a minute. Could this indicate that something 
is broken?

My other concern is that this message will totally flood the logs of the 
domain controllers in the event of a full-scale rollout on all Linux clients. 

The solution I believe is to always send KRB5_PADATA_ENC_TIMESTAMP as pre-auth 
when connecting to an Active Directory domain controller. I have searched for a 
config option to enable this behavior without finding one. I have also searched 
the source code to see where the connection to the domain controller is set up. 
I have however been unsuccessful in figuring out how I tell sasl to make the 
connection using pre-auth. 

Unless I have misunderstood my problem, I believe this will benefit anyone that 
integrates their samba machines into Active Directory. 

Other solutions I found via google solve the problem by disabling pre-auth 
altogether. This solution is totally unacceptable from a security point of view.

For reference I have used samba 3.2.5 from debian lenny and samba 3.3.3 from 
lenny backports to test this. 

Any answers on how to proceed would be appreciated.

Andreas Larsson
SysPartner Consulting AB
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
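
Event 675 with failure code 0x19 is, as the post says, the KDC's ordinary KDC_ERR_PREAUTH_REQUIRED answer to a first AS-REQ that carries no pre-authentication data; the same event ID also records real failures (0x18 KDC_ERR_PREAUTH_FAILED for a wrong password, 0x12 KDC_ERR_CLIENT_REVOKED for a disabled or locked account, and so on). The following is an added example, not code from the post: a triage routine that parses event text in the layout shown above, names the failure code from the RFC 4120 error table, alerts on every non-benign code, and raises the benign 0x19 only when one client produces it at the abnormal rate the post describes (the 10-20 per minute figure is used as the threshold). All event bodies are constructed test data; the host names and addresses are invented.

```python
"""Triage Windows 2003 "Failure Audit" event 675 (Kerberos pre-authentication failed)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Kerberos KDC error codes (RFC 4120, section 7.5.9) as they appear in "Failure Code".
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # no such account
    0x0E: "KDC_ERR_ETYPE_NOSUPP",          # no common encryption type
    0x12: "KDC_ERR_CLIENT_REVOKED",        # disabled, expired or locked out
    0x17: "KDC_ERR_KEY_EXPIRED",           # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",        # bad encrypted timestamp: wrong password
    0x19: "KDC_ERR_PREAUTH_REQUIRED",      # first AS-REQ without pre-auth: benign
    0x25: "KRB_AP_ERR_SKEW",               # clock skew too great
}
BENIGN = {0x19}

EVENT = re.compile(
    r"Pre-Authentication failed:.*?User Name:\s*(?P<user>\S+).*?"
    r"Service Name:\s*(?P<service>\S+).*?"
    r"Pre-Authentication type:\s*(?P<patype>0x[0-9a-fA-F]+).*?"
    r"Failure Code:\s*(?P<code>0x[0-9a-fA-F]+).*?"
    r"Client Address:\s*(?P<client>\S+)", re.S)


def make_event(user, code, client, patype=0x0, realm="DOMAIN"):
    """Constructed event 675 body in the layout the post shows (test data only)."""
    return (f"Pre-Authentication failed:\n"
            f"User Name:  {user}\n"
            f"User ID:    {realm}\\{user}\n"
            f"Service Name:   krbtgt/{realm}\n"
            f"Pre-Authentication type:    0x{patype:X}\n"
            f"Failure Code:   0x{code:X}\n"
            f"Client Address: {client}\n")


def parse_event(text):
    """Extract the fields that matter for triage, or None if it is not a 675 body."""
    m = EVENT.search(text)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {"user": m.group("user"), "service": m.group("service"),
            "patype": int(m.group("patype"), 16), "code": code,
            "name": FAILURE_CODES.get(code, f"UNKNOWN_0x{code:X}"),
            "client": m.group("client"), "benign": code in BENIGN}


def max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any span of `window`."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(events, window=timedelta(minutes=1), benign_rate=10):
    """events: [(datetime, event_text)]. Non-benign codes alert per user/client.
    Benign 0x19 alerts only when one client reaches benign_rate per window,
    which is the "is something broken?" signal the post asks about."""
    hard = Counter()
    benign_times = defaultdict(list)
    for ts, text in events:
        ev = parse_event(text)
        if ev is None:
            continue
        if ev["benign"]:
            benign_times[ev["client"]].append(ts)
        else:
            hard[(ev["user"], ev["client"], ev["name"])] += 1
    alerts = [f"{name} x{n} for {user} from {client}"
              for (user, client, name), n in sorted(hard.items())]
    for client, times in sorted(benign_times.items()):
        peak = max_in_window(sorted(times), window)
        if peak >= benign_rate:
            alerts.append(f"KDC_ERR_PREAUTH_REQUIRED burst from {client}: {peak} in {window}")
    return alerts


def sample_events():
    """Constructed: a host retrying without pre-auth every 4 s, a quiet host,
    a password-guessing source and a disabled account."""
    t0 = datetime(2009, 5, 12, 9, 0, 0)
    events = [(t0 + timedelta(seconds=4 * i), make_event("linuxhost$", 0x19, "192.0.2.10"))
              for i in range(15)]
    events.append((t0, make_event("quiethost$", 0x19, "192.0.2.20")))
    events += [(t0 + timedelta(seconds=30 * i), make_event("alice", 0x18, "192.0.2.99", patype=0x2))
               for i in range(3)]
    events.append((t0 + timedelta(minutes=5), make_event("bob", 0x12, "192.0.2.30", patype=0x2)))
    return events


if __name__ == "__main__":
    for alert in triage(sample_events()):
        print(alert)
```

Note that the pre-auth type field separates the two cases as well: the benign 0x19 events carry "Pre-Authentication type: 0x0" (no pre-auth data was sent), while a wrong-password 0x18 follows an attempt that did send PA-ENC-TIMESTAMP (type 0x2). Filtering 0x19 out of alerting is the right response to the log-volume concern; disabling pre-authentication on the accounts, as the post rightly rejects, would let anyone request an AS-REP for them and attack the password offline.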


[Samba] Multithreaded SAMBA/Winbind

2009-05-12 Thread Chuck Noga - CAN
Hi.
 
We have a configuration and audit application called Tripwire Enterprise
(7.5) that is running on a Red Hat Enterprise Linux 5.2 server.  On this
server, we are using winbind (samba version 3.0.33) for authentication
(against Windows AD).  When we try to run a configuration check on users
and permissions we get an error that there is a problematic frame :  C
[libnss_winbind.so.2+0x129f]  .I talked to the software vendor
(Tripwire) and they are saying that the winbind must be multithreaded
for this to run.   My question to you..  Is there a samba release more
current than the version we are on (3.0.33  most currently supported Red
Hat version) that we can upgrade to to give us multithreading
functionality ?   or is there a suggested workaround for this ?
 
Any help with this would be greatly appreciated.
 
 
 
Thanks.
 

Chuck Noga
The David J. Joseph Company 
Sys. Infra.  Engineer.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] winbind: Failed to create BUILTIN\Administrators

2009-05-07 Thread Matthias Grimm


Hello, I'm still testing Samba with security=ads. Everything runs fine 
at the moment, but when I log on I'm getting this in the PC's log:


[2009/05/07 13:17:58,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.255.255.7)
[2009/05/07 13:17:58,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.255.255.7)
[2009/05/07 13:17:58,  1] smbd/service.c:make_connection_snum()
  10.255.255.7 (10.255.255.7) connect to service Software initially as 
user CITRIX\virtualbox$ (uid=654837002, gid=654836227) (pid 23351)

[2009/05/07 13:18:02,  1] smbd/service.c:close_cnum(1323)
  10.255.255.7 (10.255.255.7) closed connection to service Software
[2009/05/07 13:21:23,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.255.255.7)
[2009/05/07 13:21:23,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.255.255.7)
[2009/05/07 13:21:23,  2] smbd/reply.c:reply_special(492)
  netbios connect: name1=SAMBA-ADS   name2=VIRTUALBOX
[2009/05/07 13:21:23,  2] smbd/reply.c:reply_special(499)
  netbios connect: local=samba-ads remote=virtualbox, name type = 0
[2009/05/07 13:21:23,  2] smbd/sesssetup.c:setup_new_vc_session(1368)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.

[2009/05/07 13:21:23,  2] auth/token_util.c:create_local_nt_token(450)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind 
allocate gids?

[2009/05/07 13:21:23,  2] auth/token_util.c:create_local_nt_token(474)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2009/05/07 13:21:23,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.255.255.7)
[2009/05/07 13:21:23,  2] auth/token_util.c:create_local_nt_token(450)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind 
allocate gids?

[2009/05/07 13:21:23,  2] auth/token_util.c:create_local_nt_token(474)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2009/05/07 13:21:23,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.255.255.7)
[2009/05/07 13:21:23,  2] auth/token_util.c:create_local_nt_token(450)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind 
allocate gids?

[2009/05/07 13:21:23,  2] auth/token_util.c:create_local_nt_token(474)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2009/05/07 13:21:23,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.255.255.7)
[2009/05/07 13:21:23,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.255.255.7)
[2009/05/07 13:21:23,  1] smbd/service.c:make_connection_snum()
  10.255.255.7 (10.255.255.7) connect to service profiles initially as 
user CITRIX\mgr1 (uid=654836941, gid=654836225) (pid 23439)

[2009/05/07 13:21:23,  2] smbd/open.c:open_file(551)
  CITRIX\mgr1 opened file NTUSER.DAT read=Yes write=No (numopen=1)
[2009/05/07 13:21:23,  2] smbd/open.c:open_file(551)
  CITRIX\mgr1 opened file ntuser.ini read=Yes write=No (numopen=2)
[2009/05/07 13:21:26,  2] smbd/close.c:close_normal_file(606)
  CITRIX\mgr1 closed file NTUSER.DAT (numopen=1) NT_STATUS_OK
[2009/05/07 13:21:26,  2] smbd/close.c:close_normal_file(606)
  CITRIX\mgr1 closed file ntuser.ini (numopen=0) NT_STATUS_OK
[2009/05/07 13:21:27,  2] auth/token_util.c:create_local_nt_token(450)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind 
allocate gids?

[2009/05/07 13:21:27,  2] auth/token_util.c:create_local_nt_token(474)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2009/05/07 13:21:27,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.255.255.7)
[2009/05/07 13:21:27,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.255.255.7)
[2009/05/07 13:21:27,  1] smbd/service.c:make_connection_snum()
  10.255.255.7 (10.255.255.7) connect to service mgr1 initially as user 
CITRIX\mgr1 (uid=654836941, gid=654836225) (pid 23439)


As you can see, it logs on fine. I stumbled over it when trying to 
find out why one of my Software GPOs won't work.


Is it only a cosmetic warning, or could it be related to the trouble I have 
logging in and getting the profile when I set the parameter 
'valid users = CITRIX\%S'?

Samba is on CentOS 5.3, sernet's samba 3.3.4.

Matthias


--
Matthias Grimm

Systemadministrator

VKF Renzel GmbH
Im Geer 15
D-46419 Isselburg

Rechtsform: GmbH, Sitz: Isselburg, AG Coesfeld, HRB 8004,
Geschaeftsfuehrer: Heinz Renzel, Ansgar Huegging, Joachim Ostendorf

Fon: +49-2874-910-323
mailto:m...@renzel.it
http://www.vkf-renzel.de

Eagles may fly, but weasels don't get sucked into jet engines.

Five exclamation marks, the sure sign of an insane mind.
(Terry Pratchett)
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] winbind, ntlm_auth and multiple AD domains

2009-05-05 Thread lukasz.fiszer
Hello

In the organization where I work there are several laboratories, each
having its own, independent Active Directory domain (there are no trust
relationships between them). We want to build a central 802.1x
authentication with user credentials being verified in these ADs. To
achieve this we configured a central FreeRadius server + winbind and
ntlm_auth from the Samba suite. It works perfectly with one AD, but the
situation with multiple ADs seems to be very troublesome.

The question is: is it possible to have multiple winbind instances, each
bound to a different AD domain and each talked to (via FreeRadius) by a
different instance of ntlm_auth? Or maybe it is possible to bind one
winbind to more than one domain?

I've managed so far to run multiple instances of winbind (each with a
different configuration), but because of the pipe in /tmp/ ntlm_auth interacts
only with the most recent one.

We have already considered other solutions (trust between domains, running
multiple configurations on virtual machines) but for many security,
political and redundancy reasons these are not suitable solutions for us.

Any suggestions will be highly appreciated.

Best regards
Lukasz Fiszer
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Winbind errors result in no logins!

2009-04-24 Thread Trimble, Ronald D
Everyone,
We are currently seeing a very strange problem on our server.  
Everything will be running along smoothly and then all of a sudden, nobody will 
be able to login.  Looking through the logs reveals the following messages...

Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): 
pam_winbind_request: read from socket failed!
Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): internal module 
error (retval = 3, user = 'NA\nda')
Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): [pamh: 0xa0c91c0] 
LEAVE: pam_sm_authenticate returning 3
Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): 
pam_winbind_request: read from socket failed!
Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): internal module 
error (retval = 3, user = 'na\sja')
Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): [pamh: 0x9c58c68] 
LEAVE: pam_sm_authenticate returning 3
Apr 24 10:55:31 LINUX-1 httpd2-prefork: pam_winbind(httpd): [pamh: 0x9c58630] 
ENTER: pam_sm_authenticate (flags: 0x0001)

Also, once the problem begins, the CPU goes to 95%+ for winbind!  The 
apache2_error log shows errors like this...

[Fri Apr 24 16:08:08 2009] [error] [client 192.xxx.xxx.xxx] PAM: user 'na\\naj' 
- not authenticated: Error in service module
[Fri Apr 24 16:08:15 2009] [error] [client 172.xxx.xxx.xxx] PAM: user 'na\\sja' 
- not authenticated: Error in service module
[Fri Apr 24 16:08:29 2009] [error] [client 192.xxx.xxx.xxx] PAM: user 'na\\nda' 
- not authenticated: Error in service module
[Fri Apr 24 16:09:48 2009] [error] [client 192.xxx.xxx.xxx] PAM: user 'na\\nda' 
- not authenticated: Error in service module

Restarting the winbind and smb services clears up the problem immediately, but 
we can't seem to figure out what is going on.  Does anyone have any suggestions 
of things to try?  Have any of you seen this before?

Thanks,
Ron

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Winbind => Add a local user/pass cache ?

2009-03-30 Thread Phibee Network Operation Center

Hi

Does anyone know if we can add a local user/pass cache directly to Winbind
to increase the performance?

(to limit winbind <=> AD queries)

thanks
J.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Winbind error ? idmap Fatal Error: UID range full!

2009-03-20 Thread John Drescher
On Fri, Mar 20, 2009 at 11:06 AM, Phibee Network Operation Center
 wrote:
> Hi
>
> anyone know this error:
>
> Mar 20 12:01:06 gw winbindd[14756]: [2009/03/20 12:01:06, 0]
> sam/idmap_tdb.c:db_allocate_id(106)
> Mar 20 12:01:06 gw winbindd[14756]:   idmap Fatal Error: UID range full!!
> (max: 2)
> Mar 20 12:01:06 gw winbindd[14756]: [2009/03/20 12:01:06, 0]
> sam/idmap_tdb.c:db_allocate_id(106)
> Mar 20 12:01:06 gw winbindd[14756]:   idmap Fatal Error: UID range full!!
> (max: 2)
> Mar 20 12:01:06 gw winbindd[14756]: [2009/03/20 12:01:06, 0]
> sam/idmap_tdb.c:db_allocate_id(106)
>
>
> and what is the process to resolve it ?
>
Did you try the obvious? I mean increase the uid range in your smb.conf.

John
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Winbind error ? idmap Fatal Error: UID range full!

2009-03-20 Thread Phibee Network Operation Center

Hi

anyone know this error:

Mar 20 12:01:06 gw winbindd[14756]: [2009/03/20 12:01:06, 0] 
sam/idmap_tdb.c:db_allocate_id(106)
Mar 20 12:01:06 gw winbindd[14756]:   idmap Fatal Error: UID range 
full!! (max: 2)
Mar 20 12:01:06 gw winbindd[14756]: [2009/03/20 12:01:06, 0] 
sam/idmap_tdb.c:db_allocate_id(106)
Mar 20 12:01:06 gw winbindd[14756]:   idmap Fatal Error: UID range 
full!! (max: 2)
Mar 20 12:01:06 gw winbindd[14756]: [2009/03/20 12:01:06, 0] 
sam/idmap_tdb.c:db_allocate_id(106)



and what is the process to resolve it ?

Thanks
jerome

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Winbind log errors: string_to_sid...

2009-03-15 Thread Mike Diggins


I'm running Winbind 3.0.33 with FreeRadius for windows authentication. Has 
anyone found a solution to these error messages in the samba.log?


[r...@pr01 log]# tail samba.log
[2009/03/12 09:28:33, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.
[2009/03/12 09:33:33, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.
[2009/03/12 09:33:33, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.
[2009/03/12 09:38:35, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.

I get several a minute. I've found many posts with the same complaint, but 
no solution. Is upgrading (or downgrading) likely to stop it? It seems to 
be a purely cosmetic issue, but I'd still like to find a solution.


winbindd version 3.0.33-3.7.el5 (RH5 RPM)
RedHat Linux 5, release 2 fully patched

-Mike

_

Mike Diggins
Network Analyst, Enterprise Networks
University Technology Services
McMaster University, Hamilton, Ontario
Voice:  905.525.9140 Ext. 27471
FAX:    905.522.0511
E-Mail: mike.digg...@mcmaster.ca


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
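
Both the "Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?" warning above and the "string_to_sid: Sid S-0-0 is not in a valid format" message in this thread are about SID handling: the first is smbd being unable to obtain a gid for the well-known BUILTIN SIDs S-1-5-32-544 (Administrators) and S-1-5-32-545 (Users) when it builds the user's token, the second is Samba refusing a SID string that has no sub-authority at all. The following is an added example, not Samba code: a parser that applies the same structural checks as Samba's string_to_sid() (an "S-" prefix, a decimal revision, a decimal identifier authority and at least one decimal sub-authority), converts to and from the binary SID layout, and names the well-known and domain SIDs a practitioner meets in these logs. The well-known SID and RID tables are standard Windows values; the bounds on authority size and sub-authority count follow the Windows SID structure.

```python
"""Parse, validate, encode and classify Windows security identifiers (SIDs)."""
import re
import struct

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$", re.IGNORECASE)
MAX_SUB_AUTHORITIES = 15   # SID_MAX_SUB_AUTHORITIES in the Windows headers

WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
               515: "Domain Computers", 516: "Domain Controllers"}


class SidError(ValueError):
    pass


def parse_sid(text):
    """Return (revision, identifier_authority, [sub_authorities]) or raise SidError."""
    m = SID_RE.match(text.strip())
    if not m:
        # Same wording Samba logs; "S-0-0" lands here because it has no sub-authority.
        raise SidError(f"Sid {text} is not in a valid format")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1:
        raise SidError(f"Sid {text} has unsupported revision {revision}")
    if authority >= 1 << 48:
        raise SidError(f"Sid {text} identifier authority does not fit in 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES or any(s >= 1 << 32 for s in subs):
        raise SidError(f"Sid {text} has too many or too large sub-authorities")
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority,
    then each sub-authority as a little-endian uint32."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    """Inverse of sid_to_bytes, rejecting blobs whose length and count disagree."""
    if len(data) < 8:
        raise SidError("binary SID shorter than its fixed header")
    revision, count = data[0], data[1]
    if count == 0 or len(data) != 8 + 4 * count:
        raise SidError("binary SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def classify(text):
    """(kind, label): well-known names, BUILTIN RIDs, and domain SIDs split into RID."""
    revision, authority, subs = parse_sid(text)
    canonical = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))
    if canonical in WELL_KNOWN:
        return "well-known", WELL_KNOWN[canonical]
    if authority == 5 and subs[0] == 32:
        return "builtin", "BUILTIN domain" if len(subs) == 1 else f"BUILTIN RID {subs[-1]}"
    if authority == 5 and subs[0] == 21 and len(subs) == 5:
        rid = subs[4]
        return "domain", DOMAIN_RIDS.get(rid, f"RID {rid}")
    return "other", canonical


if __name__ == "__main__":
    for s in ("S-1-5-32-544", "S-1-5-21-1234567890-987654321-111111111-512", "S-0-0"):
        try:
            print(s, "->", classify(s), sid_to_bytes(s).hex())
        except SidError as e:
            print(e)
```

For the BUILTIN warning the check to make is whether winbindd has an idmap allocation range it can hand out gids from (the idmap uid/gid settings on Samba 3.0-era configs, or the "idmap config *" range on later ones), since S-1-5-32-544 and S-1-5-32-545 belong to no trusted domain and must be mapped from the default allocation; the warning itself is only cosmetic until something relies on membership in those groups, such as the profile access the post describes.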


[Samba] winbind cache seems to change the group membership of a user

2009-03-13 Thread Josef Meile
Hi,

I'm using the "ChrootDirectory" option for the sshd daemon to jail my ssh
users. Additionally, I'm using the "Match group" option to only jail people
belonging to a specific active directory group. Here are the relevant lines
of the sshd_config file:

LogLevel Debug3
Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory /my/chroot/home
ForceCommand internal-sftp

sftpusers is an active directory group.

I logged in with a user belonging to that group. The first time, the user
will only see the home directories of the other jailed users, so the real
root path won't be shown. However, if I log in a second time, I will see that
I'm in "/my/chroot/home" and thus I will be able to go to the real root.
After looking at the auth.log file, I saw that the second time that the user
logged in, this is shown:

debug 1: user testuser does not match group list sftpusers at line 86

So, it seems that the group membership is changed in the winbind cache.
Adding this line into my smb.conf file solved the problem only if I login
one second later:

Winbind cache time = 1

I really don't like this since I have some accounts which are shared by two
users, so if they log in at the same time, one of them will see the real
root. Setting the winbind cache time to zero just causes the user to be unable to log in.

I also tried to create a local unix group called sftpusers and map the
domain group to the linux one, but it also doesn't work.

The only way I found to solve it was to match users instead of groups in
the sshd_config file; however, this isn't the best way of solving it if you
have several servers where you use the same setup.

Is this some kind of bug? Or is there any other way of solving it?

Best regards
Josef

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
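
The security-relevant point in the post above is that the "Match group sftpusers" construction fails open: the chroot is applied only when the group lookup says the user is in sftpusers, so a stale or empty answer from the winbind cache drops the user into an unconfined session. The following is an added example, not code from the post or from OpenSSH: it models the one slice of sshd_config evaluation that matters here (assumed from the sshd_config semantics: the main section sets defaults and a "Match group NAME" block overrides them only when NAME is among the groups the user resolves to), drives it with a stand-in for winbind's group answer that can be made stale, and contrasts the post's configuration with an inverted one in which everybody is jailed unless a Match block lifts it. The inverted configuration assumes sshd accepts "ChrootDirectory none" inside a Match block to cancel the global setting; confirm that against sshd_config(5) for your version before relying on it. Group names and the admin user are invented.

```python
"""Model the sshd Match-group chroot decision and show it failing open on a
stale group lookup."""

# The post's configuration: the restriction lives only inside the Match block.
MATCH_TO_RESTRICT = """\
Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory /my/chroot/home
ForceCommand internal-sftp
"""

# Inverted policy: jailed by default, lifted only for a group that resolves.
# Assumes "ChrootDirectory none" is accepted inside a Match block.
MATCH_TO_RELAX = """\
Subsystem sftp internal-sftp
ChrootDirectory /my/chroot/home
ForceCommand internal-sftp
Match group sshadmins
ChrootDirectory none
"""


def parse_config(text):
    """Return [(group_or_None, {option: value})], main section first."""
    sections = [(None, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            criterion, _, name = value.strip().partition(" ")
            if criterion.lower() != "group":
                raise ValueError(f"only 'Match group' is modelled here: {line}")
            sections.append((name.strip(), {}))
        else:
            sections[-1][1][key.lower()] = value.strip()
    return sections


def effective_options(sections, groups):
    """Main-section options, overridden by each Match block whose group the user is in."""
    options = dict(sections[0][1])
    for group, block in sections[1:]:
        if group in groups:
            options.update(block)
    return options


def chroot_for(config_text, groups):
    """Directory the session is confined to, or None for an unconfined session."""
    value = effective_options(parse_config(config_text), groups).get("chrootdirectory", "none")
    return None if value.lower() == "none" else value


def resolve_groups(user, stale=False):
    """Constructed stand-in for winbind's group answer; stale=True reproduces the
    post's second login, where the cached membership no longer lists sftpusers."""
    membership = {"testuser": {"domain users", "sftpusers"},
                  "admin1": {"domain users", "sshadmins"}}
    groups = set(membership.get(user, set()))
    if stale:
        groups.discard("sftpusers")
    return groups


def confined(config_text, user, stale=False):
    return chroot_for(config_text, resolve_groups(user, stale)) is not None


if __name__ == "__main__":
    for label, cfg in (("match-to-restrict", MATCH_TO_RESTRICT), ("match-to-relax", MATCH_TO_RELAX)):
        for user, stale in (("testuser", False), ("testuser", True), ("admin1", False)):
            print(f"{label:18} {user:9} stale={stale!s:5} confined={confined(cfg, user, stale)}")
```

The inverted form is the one that degrades safely when the directory is flaky: a lost lookup keeps the chroot in place and at worst locks an admin out of an unconfined shell, instead of handing a restricted user the real root. Matching on users instead of groups, as the post ends up doing, avoids the group lookup but hard-codes identities into every server's sshd_config.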


[Samba] Log Rotation Kills Samba/Winbind?

2009-03-09 Thread Mike Hurst
It seems as though every weekend, when the log rotations start, our 
Samba/Winbind services fail and need to be restarted. Is this normal?? (We're 
using Winbind for AD integration)... Here is a copy from the messages file.

Mar  8 04:02:01 miux80 nmbd[]: [2009/03/08 04:02:01, 0] 
nmbd/nmbd.c:process(588)
Mar  8 04:02:01 miux80 nmbd[]:   Got SIGHUP dumping debug info.
Mar  8 04:02:01 miux80 nmbd[]: [2009/03/08 04:02:01, 0] 
nmbd/nmbd_workgroupdb.c:dump_workgroups(282)
Mar  8 04:02:01 miux80 nmbd[]:   dump_workgroups()
Mar  8 04:02:01 miux80 nmbd[]:dump workgroup on subnet  10.10.7.10: 
netmask=  255.255.255.0:
Mar  8 04:02:01 miux80 nmbd[]: (1) current master 
browser = 


Mike Hurst
UNIX Administrator
Credit Acceptance Corporation


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Winbind Issue?

2009-02-25 Thread Mike Hurst
Hello, we are having this issue on two of our RHEL 5.2 servers. We have them 
set up to authenticate to our Windows 2003 domain. Everything works well for a 
while, but for some reason every few days the winbind service will stop 
working, this is what we see in the log file:

[2009/02/25 04:02:01, 0] lib/fault.c:fault_report(41)
  ===
[2009/02/25 04:02:01, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 7078 (3.0.33-3.7.el5)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2009/02/25 04:02:01, 0] lib/fault.c:fault_report(44)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2009/02/25 04:02:01, 0] lib/fault.c:fault_report(45)
  ===
[2009/02/25 04:02:01, 0] lib/util.c:smb_panic(1655)
  PANIC (pid 7078): internal error
[2009/02/25 04:02:01, 0] lib/util.c:log_stack_trace(1759)
  BACKTRACE: 16 stack frames:
   #0 winbindd(log_stack_trace+0x2d) [0x34ce4d]
   #1 winbindd(smb_panic+0x5d) [0x34cf7d]
   #2 winbindd [0x337afa]
   #3 [0xb21420]
   #4 /lib/libc.so.6(cfree+0x67) [0xa0b007]
   #5 winbindd [0x342054]
   #6 winbindd(lp_do_parameter+0x511) [0x32b941]
   #7 winbindd [0x32cea5]
   #8 winbindd [0x32e468]
   #9 winbindd(pm_process+0x175) [0x32e8e5]
   #10 winbindd(lp_load+0x158) [0x32bd18]
   #11 winbindd [0x2b2c06]
   #12 winbindd(winbind_check_sighup+0xb0) [0x2b39a0]
   #13 winbindd(main+0xafd) [0x2b46fd]
   #14 /lib/libc.so.6(__libc_start_main+0xdc) [0x9b4dec]
   #15 winbindd [0x2b2641]
[2009/02/25 04:02:01, 0] lib/fault.c:dump_core(181)
  dumping core in /var/log/samba/cores/winbindd
[2009/02/25 07:33:23, 1] nsswitch/winbindd.c:main(1013)
  winbindd version 3.0.33-3.7.el5 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2009/02/25 07:33:23, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2229)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2009/02/25 07:33:24, 0] libsmb/cliconnect.c:cli_session_setup_spnego(859)
  Kinit failed: KDC has no support for encryption type
[2009/02/25 08:02:51, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Connection reset by peer
[2009/02/25 08:02:51, 0] libsmb/clientgen.c:write_socket(158)
  write_socket: Error writing 108 bytes to socket 18: ERRNO = Connection reset by peer
[2009/02/25 08:02:51, 0] libsmb/clientgen.c:cli_send_smb(188)
  Error writing 108 bytes to client. -1 (Connection reset by peer)
[2009/02/25 08:02:51, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine .  Error was Write error: Connection reset by peer


We're running:
samba-common-3.0.33-3.7.el5
samba-3.0.33-3.7.el5
krb5-libs-1.6.1-31.el5
Linux 2.6.18-92.1.13.el5 #1 SMP Thu Sep 4 03:51:01 EDT 2008 i686 i686 i386 
GNU/Linux

Our current workaround is to just restart the winbind service...

Any ideas?

Mike Hurst
UNIX Administrator II
Credit Acceptance Corporation
248.353.2700 ext. 5639
mhu...@creditacceptance.com



RE: [Samba] Winbind/PAM/SLES 8-problem

2009-02-25 Thread danny.petterson
Hi!

Yeah, I have, but thanx.

Greetings from

Danny Petterson

"Shadows and Dust"

-Original Message-
From: John H Terpstra [mailto:j...@samba.org] 
Sent: 24. februar 2009 14:42
To: samba@lists.samba.org
Subject: Re: [Samba] Winbind/PAM/SLES 8-problem

On Tuesday 24 February 2009 07:23:41 danny.petter...@accenture.com wrote:
> I'm working on getting some old SLES 8 servers to use winbind, letting
> users authenticate to our Windows AD. All the setup of samba, winbind,
> adding the server to the AD etc. is working fine, and all kinds of
> wbinfo return what they are supposed to. BUT - when I try to login (using
> ssh), it utterly ignores winbind, and only tries to validate local
> users. Not one entry in messages or samba-logs about winbind when a
> user tries to logon to the system... I suppose it's related to
> PAM-configuration, but I'm not sure. This is what I'm dealing with:
>
> UnitedLinux-1.0-i386-SP4 (from SPident)
> Linux 2.4.21-251-smp #1 SMP Thu Sep 23 17:22:54 UTC 2004 i686 unknown
> samba3-client-3.0.33-36
> samba3-winbind-3.0.33-36
> samba3-3.0.33-36
>
> This is where I try to use winbind in /etc/pam.d:
>
> common-account:
>
> account sufficient  /lib/security/pam_winbind.so
> account required    pam_unix2.so

> common-auth:
>
> auth    sufficient  /lib/security/pam_winbind.so
>
> auth    required    pam_unix2.so nullok_secure use_first_pass
>
> Can't get anything to work with winbind, not sudo, not su, not ssh -
> nothing. But again, all wbinfo, getent passwd, etc works fine.

Have you specified winbind in your nsswitch file?

/etc/nsswitch.conf:

passwd:  files winbind
shadow:  files winbind
group:   files winbind



- John T.





Re: [Samba] Winbind/PAM/SLES 8-problem

2009-02-24 Thread John H Terpstra
On Tuesday 24 February 2009 07:23:41 danny.petter...@accenture.com wrote:
> I'm working on getting some old SLES 8 servers to use winbind, letting
> users authenticate to our Windows AD. All the setup of samba, winbind,
> adding the server to the AD etc. is working fine, and all kinds of
> wbinfo return what they are supposed to. BUT - when I try to login (using
> ssh), it utterly ignores winbind, and only tries to validate local
> users. Not one entry in messages or samba-logs about winbind when a
> user tries to logon to the system... I suppose it's related to
> PAM-configuration, but I'm not sure. This is what I'm dealing with:
>
> UnitedLinux-1.0-i386-SP4 (from SPident)
> Linux 2.4.21-251-smp #1 SMP Thu Sep 23 17:22:54 UTC 2004 i686 unknown
> samba3-client-3.0.33-36
> samba3-winbind-3.0.33-36
> samba3-3.0.33-36
>
> This is where I try to use winbind in /etc/pam.d:
>
> common-account:
>
> account sufficient  /lib/security/pam_winbind.so
> account required    pam_unix2.so

> common-auth:
>
> auth    sufficient  /lib/security/pam_winbind.so
>
> auth    required    pam_unix2.so nullok_secure use_first_pass
>
> Can't get anything to work with winbind, not sudo, not su, not ssh -
> nothing. But again, all wbinfo, getent passwd, etc works fine.

Have you specified winbind in your nsswitch file?

/etc/nsswitch.conf:

passwd:  files winbind
shadow:  files winbind
group:   files winbind



- John T.


[Samba] Winbind/PAM/SLES 8-problem

2009-02-24 Thread danny.petterson
Hi Gurus!

I'm working on getting some old SLES 8 servers to use winbind, letting
users authenticate to our Windows AD. All the setup of samba, winbind,
adding the server to the AD etc. is working fine, and all kinds of
wbinfo return what they are supposed to. BUT - when I try to login (using
ssh), it utterly ignores winbind, and only tries to validate local
users. Not one entry in messages or samba-logs about winbind when a
user tries to logon to the system... I suppose it's related to
PAM-configuration, but I'm not sure. This is what I'm dealing with:

UnitedLinux-1.0-i386-SP4 (from SPident)
Linux 2.4.21-251-smp #1 SMP Thu Sep 23 17:22:54 UTC 2004 i686 unknown
samba3-client-3.0.33-36
samba3-winbind-3.0.33-36
samba3-3.0.33-36

This is where I try to use winbind in /etc/pam.d:

common-account:

account sufficient  /lib/security/pam_winbind.so
account required    pam_unix2.so

common-auth:

auth    sufficient  /lib/security/pam_winbind.so
auth    required    pam_unix2.so nullok_secure use_first_pass

Can't get anything to work with winbind, not sudo, not su, not ssh -
nothing. But again, all wbinfo, getent passwd, etc works fine.

 

Thanx for your help.

Greetings from

Danny Petterson

"Shadows and Dust"



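A quick way to verify the two things John's question and the PAM stack above depend on, as an added example that is not from the posts and not Samba code. sshd, su and sudo look the account up through NSS (getpwnam) before PAM is ever asked, so nsswitch.conf has to name winbind for passwd and group; and glibc loads each NSS source as libnss_<name>.so.2 and silently skips one it cannot load, so a misspelt source never produces an error, only an unknown user. The script checks both files. The list of known NSS sources is an assumption for a 2009-era glibc, and both sample inputs are constructed (the nsswitch sample deliberately contains a typo on the group line; the PAM sample is the SLES 8 stack from the post above with common-account and common-auth merged into one text).

```python
"""Check that an ssh/sudo/su login can actually reach winbind.

Added example (not from the posts or from Samba). Two things have to hold:
NSS must resolve the account, because sshd, su and sudo call getpwnam()
before PAM is consulted, and the PAM auth/account stacks must include
pam_winbind. glibc loads each NSS source as libnss_<name>.so.2 and silently
skips one it cannot load, so a typo in nsswitch.conf produces no error, only
an unknown user.
"""
from typing import Dict, List, Tuple

# Sources a 2009-era glibc can load; an assumption, extend it for your distro.
KNOWN_NSS_SOURCES = {"files", "compat", "winbind", "ldap", "nis", "nisplus",
                     "dns", "db", "hesiod", "sss"}

# Constructed sample with a typo ('file' instead of 'files') on the group line.
SAMPLE_NSSWITCH = """\
passwd: files winbind
shadow: files winbind
group:  file winbind
hosts:  files dns
"""

# Constructed sample: the SLES 8 stack from the post above, common-account and
# common-auth merged into one text for the example.
SAMPLE_PAM = """\
account sufficient /lib/security/pam_winbind.so
account required   pam_unix2.so
auth    sufficient /lib/security/pam_winbind.so
auth    required   pam_unix2.so nullok_secure use_first_pass
"""

PamRow = Tuple[str, str, str, List[str]]   # (type, control, module, args)


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """database -> ordered sources; [STATUS=action] tokens are dropped."""
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        dbs[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def check_nsswitch(text: str, need_winbind=("passwd", "group")) -> List[str]:
    """Problems with the databases a login needs winbind for."""
    problems: List[str] = []
    dbs = parse_nsswitch(text)
    for db in need_winbind:
        sources = dbs.get(db, [])
        if "winbind" not in sources:
            problems.append(f"nsswitch: {db} does not list winbind")
        for src in sources:
            if src not in KNOWN_NSS_SOURCES:
                problems.append(f"nsswitch: {db} names unknown source '{src}' "
                                f"(no libnss_{src}.so.2, so glibc skips it)")
    return problems


def parse_pam(text: str) -> List[PamRow]:
    """One row per directive; a bracketed control such as [success=1 default=ignore]
    is kept as one control string; the module is reduced to its basename."""
    rows: List[PamRow] = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        if tokens[1].startswith("["):
            end = next((i for i, t in enumerate(tokens) if t.endswith("]")), len(tokens) - 1)
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if not rest:
            continue
        rows.append((tokens[0], control, rest[0].rsplit("/", 1)[-1], rest[1:]))
    return rows


def check_pam(text: str) -> List[str]:
    """pam_winbind must be on the auth and account stacks; a pam_unix line that
    follows a 'sufficient' pam_winbind only runs when winbind refused the user,
    and without use_first_pass/try_first_pass it prompts for the password again."""
    problems: List[str] = []
    rows = parse_pam(text)
    for kind in ("auth", "account"):
        stack = [r for r in rows if r[0] == kind]
        if not any(r[2].startswith("pam_winbind") for r in stack):
            problems.append(f"pam: no pam_winbind line for '{kind}'")
        after_winbind = False
        for _, control, module, args in stack:
            if module.startswith("pam_winbind") and control == "sufficient":
                after_winbind = True
            elif kind == "auth" and after_winbind and module.startswith("pam_unix"):
                if not {"use_first_pass", "try_first_pass"} & set(args):
                    problems.append(f"pam: auth {module} after a sufficient "
                                    "pam_winbind lacks use_first_pass/try_first_pass")
    return problems


if __name__ == "__main__":
    for problem in check_nsswitch(SAMPLE_NSSWITCH) + check_pam(SAMPLE_PAM):
        print(problem)
```

Run against the real files with open("/etc/nsswitch.conf").read() and the concatenated common-auth/common-account (or the per-service file such as /etc/pam.d/sshd on a box without the common-* includes). Note that a clean report only says the stacks are wired up; whether the domain controller accepts the user is what `wbinfo -a` tests.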


[Samba] Winbind/idmap_nss search request to LDAP

2009-02-16 Thread Pere Rodríguez
Hello,

I have a PDC and BDC servers with an OpenLDAP backend. It works fine
for a 500 users office.

I also have some servers with LDAP NSS and PAM and Samba with
idmap_nss backend. It also works fine. The configuration for these
servers is:

[global]

workgroup = AURORA
...
idmap domains = AURORA
idmap config AURORA:backend = nss
idmap config AURORA:readonly = yes
winbind use default domain = no
...


Now, I have detected that when winbind/idmap_nss searches
a user in the LDAP it is doing 3 search requests:

1.- Filter: (&(objectClass=posixAccount)(uid=aurora\5972)) -> 0 results

2.- Filter: (&(objectClass=posixAccount)(uid=AURORA\5972)) -> 0 results

3.- Filter: (&(objectClass=posixAccount)(uid=5972)) -> 1 result

The searches 1 and 2 are incorrect because the user id (uid) doesn't
have the domain name in the uid.

How must I configure SAMBA/NSS to do only one search request (the
third search [uid=5972])?

Thanks in advance,

pere


AW: [Samba] Winbind-Problem Samba 3.2.8 on AIX 5.3.9 (partially solved)

2009-02-16 Thread Arendt, Volker
Hi everyone,

We just took one step forward. We changed the winbind entries for user
and group enumeration from yes to no and changed the winbind cache
timeout to 60 seconds. That solved the talloc problem (or so it seems).

Will keep you updated

Regards

Volker


[Samba] Winbind-Problem Samba 3.2.8 on AIX 5.3.9

2009-02-16 Thread Arendt, Volker
Hi everyone,

On a newly installed AIX-LPAR (oslevel 5.3.9) we added the current samba 
version 3.2.8. Installation and configuration did not reveal any problem.

The problems show about 5 minutes after services startup. After starting the 
samba services the winbind daemon uses lots of CPU time and memory. 
wbinfo -u and wbinfo -g work after initial startup.

We cannot connect to any share on the machine. The level 10 log of the winbind 
daemon starts to show lots of the following messages:

Sending request to child pid 290960 (domain=FB6)
  talloc failed
  timed_events_timeout: 299/999828
  Could not receive async reply from child pid 290960
  fork_domain_child called for domain 'FB6'
  Could not receive trustdoms

The domain process went without any problem, the smb.conf was copied from a 
3.0.26a system and adapted to reflect the new server name.

Config files and level 10 logs are available for smbd, winbindd and 1 client 
system (that tried to connect) and can be provided.

Kind regards

Dr. Volker Arendt
--
Dr. Volker Arendt  mailto:are...@wiwi.uni-wuppertal.de
Gaußstr. 20  Tel : +49(202)4392449
42097 Wuppertal, Deutschland Fax:  +49(202)4393959
Bergische Universität Wuppertal  Wirtschaftswissenschaft (FBB)
--



Re: [Samba] Winbind group mapping problem

2009-02-13 Thread Ben Tisdall
Linux Addict wrote:

> 
> Once for all, go ahead with rid and keep the smb.conf consistent across
> OR use rfc2307.  RID is easier to manage.

Thanks very much for the advice Dale & Linux Addict.



Re: [Samba] Winbind group mapping problem

2009-02-10 Thread Linux Addict
On Tue, Feb 10, 2009 at 1:27 PM, Dale Schroeder <
d...@briannassaladdressing.com> wrote:

> Unfortunately, simply switching to idmap_rid at this point will not rectify
> your immediate problem.  Winbind will apply uid's and gid's via a specific
> algorithm, which will once again be different from your current mappings.
> However, if you wish to ensure consistent mappings for the future (new
> server or multiple servers), then you would switch to idmap_rid and manually
> set the ownerships this one time.
> Having multiple servers, it was worth the time and effort for me to do so;
> but of course, this may not be a pressing need for you.
>
> HTH,
> Dale
>
>
> Ben Tisdall wrote:
>
>> Dale Schroeder wrote:
>>
>>
>>> Which winbind idmap backend are you using?
>>> The default tdb backend generates id's randomly (which appears to be
>>> your case), meaning you will have to do a lot of chown commands on box B.
>>> For consistent mappings, use something like idmap_rid.
>>>
>>>
>>> http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598850
>>>
>>>
>>
>> Thanks very much Dale, I was using the tdb backend.
>>
>> I read the docs but I'm not clear on whether the configuration can
>> simply be  retrofitted to both servers or whether changes to the data
>> itself will be needed.
>>
>> I did make a quick test but aside from ownerships showing as 'user'
>> rather than 'DOMAIN\user' nothing changed in respect of missing UIDs/GIDs.
>>
>> BTW the ultimate aim is to validate a server that will actually
>> replace a single ADS domain member. This being the case I suppose I
>> could back up the relevant tdb files, do a leave on the existing server,
>> join the new one and copy the tdbs into place? Still, if I can use
>> idmap_rid without undue hassle it's clearly a better solution.
>>
>> Best,
>>
>> Ben.
>>
>>


Once for all, go ahead with rid and keep the smb.conf consistent across OR
use rfc2307.  RID is easier to manage.


Re: [Samba] Winbind group mapping problem

2009-02-10 Thread Dale Schroeder
Unfortunately, simply switching to idmap_rid at this point will not 
rectify your immediate problem.  Winbind will apply uid's and gid's via 
a specific algorithm, which will once again be different from your 
current mappings.
However, if you wish to ensure consistent mappings for the future (new 
server or multiple servers), then you would switch to idmap_rid and 
manually set the ownerships this one time.
Having multiple servers, it was worth the time and effort for me to do 
so; but of course, this may not be a pressing need for you.


HTH,
Dale

Ben Tisdall wrote:

Dale Schroeder wrote:
  

Which winbind idmap backend are you using?
The default tdb backend generates id's randomly (which appears to be
your case), meaning you will have to do a lot of chown commands on box B.
For consistent mappings, use something like idmap_rid.

http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598850



Thanks very much Dale, I was using the tdb backend.

I read the docs but I'm not clear on whether the configuration can
simply be  retrofitted to both servers or whether changes to the data
itself will be needed.

I did make a quick test but aside from ownerships showing as 'user'
rather than 'DOMAIN\user' nothing changed in respect of missing UIDs/GIDs.

BTW the ultimate aim is to validate a server that will actually
replace a single ADS domain member. This being the case I suppose I
could back up the relevant tdb files, do a leave on the existing server,
join the new one and copy the tdbs into place? Still, if I can use
idmap_rid without undue hassle it's clearly a better solution.

Best,

Ben.
  



Re: [Samba] Winbind group mapping problem

2009-02-10 Thread Ben Tisdall
Dale Schroeder wrote:
> Which winbind idmap backend are you using?
> The default tdb backend generates id's randomly (which appears to be
> your case), meaning you will have to do a lot of chown commands on box B.
> For consistent mappings, use something like idmap_rid.
> 
> http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598850

Thanks very much Dale, I was using the tdb backend.

I read the docs but I'm not clear on whether the configuration can
simply be  retrofitted to both servers or whether changes to the data
itself will be needed.

I did make a quick test but aside from ownerships showing as 'user'
rather than 'DOMAIN\user' nothing changed in respect of missing UIDs/GIDs.

BTW the ultimate aim is to validate a server that will actually
replace a single ADS domain member. This being the case I suppose I
could back up the relevant tdb files, do a leave on the existing server,
join the new one and copy the tdbs into place? Still, if I can use
idmap_rid without undue hassle it's clearly a better solution.

Best,

Ben.


Re: [Samba] Winbind group mapping problem

2009-02-09 Thread Dale Schroeder

Which winbind idmap backend are you using?
The default tdb backend generates id's randomly (which appears to be 
your case), meaning you will have to do a lot of chown commands on box B.

For consistent mappings, use something like idmap_rid.

http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598850

Dale


Ben Tisdall wrote:

Hello all,

I have 2 boxes with identical smb.conf files apart from the netbios
name. The contents of the shares have been copied from one to the other
preserving the UNIX UIDs/GIDs and both boxes join to the AD domain
without problems. The domain sid is the same on both machines.

However, something isn't right with the group mapping:

Box A (shows the correct AD groups with ls -l)

u...@host:~$ getent group 10012
OURDOMAIN\domain users:*:10012:

Box B (show mostly UIDs/GIDs with ls -l)

u...@host:~$ getent group 10004
OURDOMAIN\domain users:*:10004:

Can anyone give me a clue as to where to start looking to debug this?

Many thanks in advance.

Ben Tisdall
  

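The difference Dale describes between the tdb backend and idmap_rid, as an added example that is not Samba code and not from any of the posters. idmap_tdb hands out the next free ID from the configured range in the order SIDs are first looked up on each box, which is why two members with identical smb.conf files end up with 10012 and 10004 for the same group; idmap_rid computes id = rid - base_rid + range_low from the RID in the SID, so every member with the same range and base_rid agrees, and a SID whose computed ID falls outside the range is simply not mapped. The domain SID below is constructed; RIDs 512 and 513 are the fixed RIDs of Domain Admins and Domain Users in every AD domain, and the range 10000-20000 is an assumed idmap configuration.

```python
"""Why two domain members with identical smb.conf files disagree on the
GID of 'Domain Users'. Added example, not Samba code: idmap_tdb is modelled
as 'next free ID in the range, in order of first lookup', idmap_rid as
id = rid - base_rid + range_low, the arithmetic the idmap_rid module uses.
"""
import re
from typing import Dict, List, Optional

# Constructed domain SID; 512/513 are the fixed RIDs of Domain Admins/Users.
DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$", re.IGNORECASE)


class IdmapTdb:
    """Allocating backend: the first SID a box ever resolves gets range_low,
    the next one range_low+1, ... so the mapping depends on lookup history."""

    def __init__(self, range_low: int, range_high: int):
        self.low, self.high = range_low, range_high
        self.next_id = range_low
        self.table: Dict[str, int] = {}

    def sid_to_id(self, sid: str) -> Optional[int]:
        if sid in self.table:
            return self.table[sid]
        if self.next_id > self.high:
            return None                      # range exhausted, nothing mapped
        self.table[sid] = self.next_id
        self.next_id += 1
        return self.table[sid]


class IdmapRid:
    """Algorithmic backend for one domain: stateless, so every member that is
    configured with the same range and base_rid computes the same IDs."""

    def __init__(self, domain_sid: str, range_low: int, range_high: int,
                 base_rid: int = 0):
        self.domain_sid = domain_sid.upper()
        self.low, self.high, self.base_rid = range_low, range_high, base_rid

    def sid_to_id(self, sid: str) -> Optional[int]:
        m = SID_RE.match(sid)
        if not m or m.group(1).upper() != self.domain_sid:
            return None                      # not a SID of this domain
        uid = int(m.group(2)) - self.base_rid + self.low
        return uid if self.low <= uid <= self.high else None

    def id_to_sid(self, uid: int) -> Optional[str]:
        if not self.low <= uid <= self.high:
            return None
        return f"{self.domain_sid}-{uid - self.low + self.base_rid}"


def compare_backends(lookups_a: List[str], lookups_b: List[str]) -> Dict[str, Dict[str, Optional[int]]]:
    """Resolve 'Domain Users' (RID 513) on two boxes whose only difference is
    which SIDs they happened to look up first, with each backend."""
    users = f"{DOMAIN_SID}-513"
    tdb_a, tdb_b = IdmapTdb(10000, 20000), IdmapTdb(10000, 20000)
    for sid in lookups_a:
        tdb_a.sid_to_id(sid)
    for sid in lookups_b:
        tdb_b.sid_to_id(sid)
    rid = IdmapRid(DOMAIN_SID, 10000, 20000)
    return {
        "tdb": {"box_a": tdb_a.sid_to_id(users), "box_b": tdb_b.sid_to_id(users)},
        "rid": {"box_a": rid.sid_to_id(users), "box_b": rid.sid_to_id(users)},
    }


if __name__ == "__main__":
    # Box A resolved a user (RID 1105) before the group; box B the other way round.
    print(compare_backends([f"{DOMAIN_SID}-1105", f"{DOMAIN_SID}-513"],
                           [f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-1105"]))
```

The practical consequence is the one Dale states: switching an existing member to idmap_rid changes its IDs once more, so files have to be re-owned once, after which any number of members agree without copying tdb files around.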


[Samba] Winbind group mapping problem

2009-02-09 Thread Ben Tisdall
Hello all,

I have 2 boxes with identical smb.conf files apart from the netbios
name. The contents of the shares have been copied from one to the other
preserving the UNIX UIDs/GIDs and both boxes join to the AD domain
without problems. The domain sid is the same on both machines.

However, something isn't right with the group mapping:

Box A (shows the correct AD groups with ls -l)

u...@host:~$ getent group 10012
OURDOMAIN\domain users:*:10012:

Box B (show mostly UIDs/GIDs with ls -l)

u...@host:~$ getent group 10004
OURDOMAIN\domain users:*:10004:

Can anyone give me a clue as to where to start looking to debug this?

Many thanks in advance.

Ben Tisdall


[Samba] Winbind Dies Regularly

2009-02-03 Thread Robinson, Eric
I have samba 3.0.28 installed on several servers and winbind dies every
couple of days on all of them. The deaths appear to correlate with the
following log messages:

[2009/01/25 04:02:09, 0] lib/util.c:smb_panic(1655)
  PANIC (pid 13395): internal error
[2009/01/25 04:02:09, 0] lib/util.c:log_stack_trace(1759)
  BACKTRACE: 14 stack frames:
   #0 winbindd(log_stack_trace+0x2d) [0x800ccc10]
   #1 winbindd(smb_panic+0x56) [0x800ccd17]
   #2 winbindd [0x800b9205]
   #3 [0xe420]
   #4 winbindd [0x800c508c]
   #5 winbindd(lp_do_parameter+0x56a) [0x800ace25]
   #6 winbindd [0x800acf8d]
   #7 winbindd [0x800b1dfa]
   #8 winbindd(pm_process+0xc6) [0x800b2282]
   #9 winbindd(lp_load+0xb2d) [0x800b0a75]
   #10 winbindd [0x8003e979]
   #11 winbindd(main+0x94a) [0x800403c6]
   #12 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0xb7d42de3]
   #13 winbindd [0x8003e811]
[2009/01/25 04:02:09, 0] lib/fault.c:dump_core(181)
  dumping core in /var/log/samba/cores/winbindd
 
Is this a known issue? What's the fix?

--
Eric




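Both winbindd panics on this page (pid 7078 on 3.0.33-3.7.el5 above, pid 13395 on 3.0.28 here) have the same shape: a signal 11 a few seconds after 04:02 with main > lp_load > pm_process > lp_do_parameter on the stack and a free() at the top, i.e. winbindd died while re-parsing smb.conf; on the 3.0.33 box the frame between main and lp_load is winbind_check_sighup, so the reparse was triggered by a SIGHUP. That the SIGHUP comes from a daily log-rotation job is an assumption the timing supports but neither post confirms. The Python below is an added example, not Samba code and not from either poster: it pulls the timestamp, pid, version and named frames out of a Samba 3.x log excerpt, labels the code path, and also lists the "Kinit failed: KDC has no support for encryption type" line from the first log, which is a separate problem (client and KDC share no Kerberos enctype) worth noticing in the same triage pass. The embedded log is a constructed, shortened copy of the pid 7078 panic.

```python
"""Triage Samba 3.x winbindd panics from log output. Added example, not Samba
code. It understands the log shape Samba 3.0 writes: a
"[YYYY/MM/DD hh:mm:ss, level] file.c:function(line)" header, indented
message lines, and "#N binary(symbol+0xoff) [0xaddr]" backtrace frames.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the pid 7078 panic quoted above, with unnamed frames
# dropped, followed by the kinit error from the same log.
SAMPLE_LOG = """\
[2009/02/25 04:02:01, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 7078 (3.0.33-3.7.el5)
[2009/02/25 04:02:01, 0] lib/util.c:log_stack_trace(1759)
  BACKTRACE: 16 stack frames:
   #0 winbindd(log_stack_trace+0x2d) [0x34ce4d]
   #1 winbindd(smb_panic+0x5d) [0x34cf7d]
   #4 /lib/libc.so.6(cfree+0x67) [0xa0b007]
   #6 winbindd(lp_do_parameter+0x511) [0x32b941]
   #9 winbindd(pm_process+0x175) [0x32e8e5]
   #10 winbindd(lp_load+0x158) [0x32bd18]
   #12 winbindd(winbind_check_sighup+0xb0) [0x2b39a0]
   #13 winbindd(main+0xafd) [0x2b46fd]
[2009/02/25 04:02:01, 0] lib/fault.c:dump_core(181)
  dumping core in /var/log/samba/cores/winbindd
[2009/02/25 07:33:24, 0] libsmb/cliconnect.c:cli_session_setup_spnego(859)
  Kinit failed: KDC has no support for encryption type
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +\d+\]")
SIGNAL_RE = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+) \(([^)]+)\)")
FRAME_RE = re.compile(r"^\s+#\d+ (.*?)\s*\[0x[0-9a-fA-F]+\]$")
SYMBOL_RE = re.compile(r"\(([A-Za-z_]\w*)\+0x[0-9a-fA-F]+\)")
KINIT_RE = re.compile(r"Kinit failed: (.+?)\s*$")


@dataclass
class Panic:
    timestamp: str
    signal: int
    pid: int
    version: str
    symbols: List[str] = field(default_factory=list)   # innermost frame first


def parse_panics(log: str) -> List[Panic]:
    """One Panic per INTERNAL ERROR line, carrying the named frames of the
    BACKTRACE block that follows it (frames without a symbol are skipped)."""
    panics: List[Panic] = []
    timestamp, in_trace = "", False
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            timestamp, in_trace = m.group(1), False
            continue
        m = SIGNAL_RE.search(line)
        if m:
            panics.append(Panic(timestamp, int(m.group(1)), int(m.group(2)), m.group(3)))
            continue
        if "BACKTRACE:" in line and panics:
            in_trace = True
            continue
        m = FRAME_RE.match(line)
        if m and in_trace:
            sym = SYMBOL_RE.search(m.group(1))
            if sym:
                panics[-1].symbols.append(sym.group(1))
    return panics


def classify(panic: Panic) -> str:
    """Name the code path the daemon died in: winbind_check_sighup above
    lp_load means smb.conf was being re-read after a SIGHUP; lp_load alone
    means a config parse; a cfree frame under lp_do_parameter puts the fault
    in a free() while a parameter value was being replaced."""
    syms = set(panic.symbols)
    if {"winbind_check_sighup", "lp_load"} <= syms:
        return "smb.conf reload on SIGHUP"
    if "lp_load" in syms:
        return "smb.conf load"
    return "unknown"


def kinit_failures(log: str) -> List[Tuple[str, str]]:
    """(timestamp, reason) per 'Kinit failed' line. 'KDC has no support for
    encryption type' means no enctype offered by the client is acceptable to
    the KDC for that principal: compare krb5.conf enctypes with the DC."""
    found, timestamp = [], ""
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            timestamp = m.group(1)
            continue
        m = KINIT_RE.search(line)
        if m:
            found.append((timestamp, m.group(1)))
    return found


def report(log: str) -> List[str]:
    """One line per finding; the call chain is printed outermost first."""
    lines = []
    for p in parse_panics(log):
        chain = " > ".join(reversed(p.symbols))
        lines.append(f"{p.timestamp} winbindd {p.version} pid {p.pid} "
                     f"signal {p.signal} during {classify(p)}: {chain}")
    for ts, reason in kinit_failures(log):
        lines.append(f"{ts} kinit: {reason}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the whole log.winbindd (report(open(path).read())) to see whether every crash sits on the same reload path and at the same minute; if it does, the next thing to check is what sends winbindd a HUP at that time, and the core files under /var/log/samba/cores/winbindd give the exact parameter being freed.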


[Samba] Winbind+nss working on one centOS 5.2 box but not another

2009-01-19 Thread Ben Tisdall
Hi all,

I have an odd situation on my hands:

* Two CentOS 5.2 boxes both joined to an AD domain.

* Same samba version (3.0.28-1.el5_2.1) smb.conf, only the netbios names
differ

* Can enumerate users and groups using winbind -{u,g} on both.

* nss doesn't enumerate users & groups on one (same lib versions, same
conf file).

ben...@testukmcsstor1:~$ rpm -qa | grep nss-
nss-tools-3.12.2.0-2.el5.centos
nss-3.12.2.0-2.el5.centos
pkinit-nss-0.7.3-1.el5
nss-3.12.2.0-2.el5.centos

Looks like this may be more of a libnss problem than a samba one, but
can anyone suggest how I can start to troubleshoot?

Thanks in advance,

Ben Tisdall








[Samba] winbind and samba 3.2.7

2009-01-15 Thread Harry Jede
Hi all,

I'm using Samba 3.2.7 with openldap 2.4.13 and have problems with
winbind.

If winbindd is started, it needs two minutes until it responds
to queries. That makes it hard to debug problems. Maybe winbindd 
is waiting for WINS answers?

The problem,
the man page says this:

ldap group suffix (G)
This parameter specifies the suffix that is used for groups when these 
are added to the LDAP directory. If this parameter is unset, the value 
of ldap suffix will be used instead.


But this is not true, or I have a mistake in my configuration.

The LDAP search is done with scope=2 (sub). 2 POSIX entries are found
and resolved to sambaSID correctly. Then the SIDs are searched and this
search uses the base from "ldap user suffix".

The result is, that instead of finding 2 users in 2 different OUs,
only 1 user is found.


So, is this a bug?
Is the man page wrong?




The problem is shown here, in the slapd.log.

slapd[27069]: conn=484 op=68 SRCH base="dc=schule,dc=xx" scope=2 deref=3 
filter="(&(uid=domain administratoren)(objectClass=sambaSamAccount))"
slapd[27069]: conn=484 op=68 SRCH attr=uid uidNumber gidNumber homeDirectory 
sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime 
sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath 
sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID 
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName 
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount 
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours 
modifyTimestamp uidNumber
slapd[27069]: conn=484 op=68 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[27069]: conn=484 op=69 SRCH base="o=SCHULE,dc=schule,dc=xx" scope=2 
deref=3 filter="(&(objectClass=sambaGroupMapping)(|(displayName=domain 
administratoren)(cn=domain administratoren)))"
slapd[27069]: conn=484 op=69 SRCH attr=gidNumber sambaSID sambaGroupType 
sambaSIDList description displayName cn objectClass
slapd[27069]: conn=484 op=69 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[27069]: conn=484 op=70 SRCH base="ou=SCHUELER,o=SCHULE,dc=schule,dc=xx" 
scope=2 deref=3 
filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-512)))"
slapd[27069]: conn=484 op=70 SRCH attr=uid sambaSid
slapd[27069]: conn=484 op=70 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[27069]: conn=484 op=71 SRCH base="o=SCHULE,dc=schule,dc=xx" scope=2 
deref=3 
filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-512)))"
slapd[27069]: conn=484 op=71 SRCH attr=cn displayName sambaSid sambaGroupType
slapd[27069]: conn=484 op=71 SEARCH RESULT tag=101 err=0 nentries=1 text=

slapd[27069]: conn=486 op=13 SRCH base="o=SCHULE,dc=schule,dc=xx" scope=2 
deref=3 
filter="(&(objectClass=posixGroup)(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-512))"
slapd[27069]: conn=486 op=13 SRCH attr=memberUid gidNumber
slapd[27069]: conn=486 op=13 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[27069]: conn=486 op=14 SRCH base="dc=schule,dc=xx" scope=2 deref=3 
filter="(&(objectClass=sambaSamAccount)(|(uid=atom)(uid=auge)))"
slapd[27069]: conn=486 op=14 SRCH attr=sambaSID
slapd[27069]: conn=486 op=14 SEARCH RESULT tag=101 err=0 nentries=2 text=
slapd[27069]: conn=486 op=15 SRCH base="dc=schule,dc=xx" scope=2 deref=3 
filter="(&(objectClass=sambaSamAccount)(gidNumber=9009))"
slapd[27069]: conn=486 op=15 SRCH attr=sambaSID
slapd[27069]: conn=486 op=15 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[27069]: conn=486 op=16 SRCH base="ou=SCHUELER,o=SCHULE,dc=schule,dc=xx" 
scope=2 deref=3 
filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-5000)(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-1004)))"
slapd[27069]: conn=486 op=16 SRCH attr=uid sambaSid
slapd[27069]: conn=486 op=16 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[27069]: conn=486 op=17 SRCH base="o=SCHULE,dc=schule,dc=xx" scope=2 
deref=3 
filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-5000)(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-1004)))"
slapd[27069]: conn=486 op=17 SRCH attr=cn displayName sambaSid sambaGroupType
slapd[27069]: conn=486 op=17 SEARCH RESULT tag=101 err=0 nentries=0 text=


[global]
unix charset = LOCALE
workgroup = SCHULE
netbios name = SERVER-1
server string = %h server
interfaces = 192.168.231.48/24, 127.0.0.1/8
bind interfaces only = Yes
security = user
name resolve order = wins bcast host
passdb backend = ldapsam
ldapsam:trusted = yes
ldapsam:editposix = yes
lanman auth = Yes
syslog = 0
max log size = 1000
log level = 0
log file = /var/log/samba/log.%m
log file = /var/log/samba/log.%U

add user script = /usr/sbin/smbldap-useradd -m

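A way to make the pattern in the slapd log above visible mechanically, as an added example that is neither Samba nor OpenLDAP code: join each SRCH line to its SEARCH RESULT by (conn, op), then flag every sambaSID-keyed search that was issued under a narrower base than the name-keyed search for the same objectClass. Those are the lookups that can find an entry by name but never by SID, which is exactly what happens to op=70 here (sambaSamAccount by uid under dc=schule,dc=xx, by SID only under ou=SCHUELER,o=SCHULE,dc=schule,dc=xx, nentries=0). The embedded log is a constructed, shortened copy of ops 68-71 with the domain SID replaced; the script only relies on the slapd line format, not on the smb.conf, whose suffix settings are cut off above.

```python
"""Join slapd access-log SRCH/SEARCH RESULT lines and flag SID lookups that
were issued under a narrower base than the name lookup for the same
objectClass. Added example, not Samba or OpenLDAP code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: ops 68-71 from the slapd log above, shortened, with the
# real domain SID replaced by S-1-5-21-1-2-3.
SAMPLE_SLAPD = """\
slapd[27069]: conn=484 op=68 SRCH base="dc=schule,dc=xx" scope=2 deref=3 filter="(&(uid=domain administratoren)(objectClass=sambaSamAccount))"
slapd[27069]: conn=484 op=68 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[27069]: conn=484 op=69 SRCH base="o=SCHULE,dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=sambaGroupMapping)(|(displayName=domain administratoren)(cn=domain administratoren)))"
slapd[27069]: conn=484 op=69 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[27069]: conn=484 op=70 SRCH base="ou=SCHUELER,o=SCHULE,dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=sambaSamAccount)(|(sambaSID=S-1-5-21-1-2-3-512)))"
slapd[27069]: conn=484 op=70 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[27069]: conn=484 op=71 SRCH base="o=SCHULE,dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=S-1-5-21-1-2-3-512)))"
slapd[27069]: conn=484 op=71 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .*?nentries=(\d+)")
OBJCLASS_RE = re.compile(r"objectClass=(\w+)")


@dataclass
class Search:
    conn: int
    op: int
    base: str
    scope: int
    filter: str
    nentries: Optional[int] = None   # filled in from the SEARCH RESULT line


def parse_slapd(log: str) -> List[Search]:
    """SRCH lines in log order, each joined to its result by (conn, op)."""
    by_key: Dict[Tuple[int, int], Search] = {}
    searches: List[Search] = []
    for line in log.splitlines():
        m = SRCH_RE.search(line)
        if m:
            s = Search(int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5))
            by_key[(s.conn, s.op)] = s
            searches.append(s)
            continue
        m = RESULT_RE.search(line)
        if m and (int(m.group(1)), int(m.group(2))) in by_key:
            by_key[(int(m.group(1)), int(m.group(2)))].nentries = int(m.group(3))
    return searches


def is_under(base: str, ancestor: str) -> bool:
    """True if base is the ancestor DN itself or lies below it (DNs compared case-insensitively)."""
    b, a = base.lower(), ancestor.lower()
    return b == a or b.endswith("," + a)


def narrowed_sid_lookups(searches: List[Search]) -> List[Tuple[int, str, str, str, Optional[int]]]:
    """(op, objectClass, base used, wider base seen, nentries) for every sambaSID
    search whose base lies strictly below the base that a name search for the
    same objectClass used: entries outside that subtree resolve by name but
    never by SID."""
    widest: Dict[str, str] = {}
    for s in searches:
        m = OBJCLASS_RE.search(s.filter)
        if m and "sambaSID=" not in s.filter:
            cls = m.group(1)
            if cls not in widest or is_under(widest[cls], s.base):
                widest[cls] = s.base
    flagged = []
    for s in searches:
        m = OBJCLASS_RE.search(s.filter)
        if not m or "sambaSID=" not in s.filter:
            continue
        wide = widest.get(m.group(1))
        if wide and not is_under(wide, s.base) and is_under(s.base, wide):
            flagged.append((s.op, m.group(1), s.base, wide, s.nentries))
    return flagged


if __name__ == "__main__":
    for row in narrowed_sid_lookups(parse_slapd(SAMPLE_SLAPD)):
        print("op=%d %s searched by SID under %s but by name under %s (nentries=%s)" % row)
```

Point it at a slapd log taken with loglevel stats while the failing lookup is reproduced (getent group or wbinfo --sid-to-gid); every flagged row names the subtree that the SID lookup cannot see, which is the suffix setting to compare against where the affected entries really live.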