[Samba] winbind problem

2013-04-29 Thread tn
Hi,

I have a problem with winbind, could anyone help me?

Version:
root@leela:~# samba -V
Version 4.0.5
root@leela:~# uname -a
Linux leela 3.2.0-40-generic #64-Ubuntu SMP Mon Mar 25 21:22:10 UTC 2013 x86_64 
x86_64 x86_64 GNU/Linux

- First everything went fine:
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

- For example I change a file's owner to root:
root@leela:~# chown 0 /opt/samba/var/shares/profiles/svtn/ntuser.dat

- Everything is still fine:
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1 root  FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
[...]

- Now changing owner to 300 (Builtin/Administrator):
root@leela:~# chown 300 /opt/samba/var/shares/profiles/svtn/ntuser.dat

- It needs many seconds to work.
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1   300 FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
[...]

- And if I look again, all users are shown as numbers, not names:
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33    1008 1016    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1 300 1016 3145728 Apr  8 06:54 ntuser.dat
[...]
root@leela:~#

- And now all samba users are gone. winbind -u is empty too.
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]

- In the logfile I found this:
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:72(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 26194 (4.0.5)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:75(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error

- After restarting samba
root@leela:~# stop samba4
root@leela:~# start samba4

- All users back now...
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

Does anyone have an idea? I've tried an older version (4.0.1) of samba too, same 
problem.

Regards
  Thomas Nolte
--
Nolte Infosysteme,  Im Sikfeld 8, 38304 Wolfenbuettel
Tel 05331-946210, Fax 05331-946211, Handy 0170-5508198

Computer, Netzwerk, Kommunikation www.nisx.de


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
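
The crash signature in the log excerpt above (a level-0 fault_report record naming the signal and pid, followed by smb_panic) can be picked out mechanically and told apart from an orderly SIGTERM shutdown. The following Python code is an added example, not part of the original post or of Samba; the function names are hypothetical and the sample is assembled from log lines quoted on this page.

```python
import re

# Sample assembled from log lines quoted on this page; the first record has
# its header wrapped onto a second line, as mail clients often do.
SAMPLE_LOG = """\
[2011/04/12 17:37:57.609408,  0]
winbindd/winbindd.c:195(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=1)
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:72(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 26194 (4.0.5)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:75(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error
"""

HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+):(\d+)\((\w+)\)$")
CRASH = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+) \(([^)]+)\)")


def parse_records(text):
    """Split a Samba debug log into records: header fields plus message lines."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = {"timestamp": m.group(1), "level": int(m.group(2)),
                   "location": "", "function": "", "message": []}
            records.append(cur)
            line = m.group(3)          # source location, if on the same line
            if not line:
                continue               # wrapped header: location comes next
        if cur is None:
            continue                   # text before the first header
        loc = LOCATION.match(line)
        if loc and not cur["function"] and not cur["message"]:
            cur["location"] = loc.group(1) + ":" + loc.group(2)
            cur["function"] = loc.group(3)
        else:
            cur["message"].append(line)
    return records


def find_crashes(records):
    """Return one entry per fault_report crash line, noting a following PANIC."""
    crashes = []
    for i, rec in enumerate(records):
        if rec["level"] != 0 or rec["function"] != "fault_report":
            continue
        m = CRASH.search(" ".join(rec["message"]))
        if not m:
            continue
        followed_by_panic = any(
            nxt["function"].startswith("smb_panic")
            and any(msg.startswith("PANIC") for msg in nxt["message"])
            for nxt in records[i + 1:i + 4])
        crashes.append({"timestamp": rec["timestamp"],
                        "signal": int(m.group(1)), "pid": int(m.group(2)),
                        "version": m.group(3), "panic": followed_by_panic})
    return crashes


if __name__ == "__main__":
    for crash in find_crashes(parse_records(SAMPLE_LOG)):
        print(crash)
```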


[Samba] winbind problem

2013-04-16 Thread samba
Hi,

I have a problem with winbind, could anyone help me?

Version:
root@leela:~# samba -V
Version 4.0.5
root@leela:~# uname -a
Linux leela 3.2.0-40-generic #64-Ubuntu SMP Mon Mar 25 21:22:10 UTC 2013 x86_64 
x86_64 x86_64 GNU/Linux

- First everything went fine:
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

- For example I change a file's owner to root:
root@leela:~# chown 0 /opt/samba/var/shares/profiles/svtn/ntuser.dat

- Everything is still fine:
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1 root  FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
[...]

- Now changing owner to 300 (Builtin/Administrator):
root@leela:~# chown 300 /opt/samba/var/shares/profiles/svtn/ntuser.dat

- It needs many seconds to work.
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1   300 FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
[...]

- And if I look again, all users are shown as numbers, not names:
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33    1008 1016    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1 300 1016 3145728 Apr  8 06:54 ntuser.dat
[...]
root@leela:~#

- And now all samba users are gone. winbind -u is empty too.
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]

- In the logfile I found this:
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:72(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 26194 (4.0.5)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:75(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error

- After restarting samba
root@leela:~# stop samba4
root@leela:~# start samba4

- All users back now...
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

Does anyone have an idea? I've tried an older version (4.0.1) of samba too, same 
problem.

Regards
  Thomas Nolte
--
Nolte Infosysteme,  Im Sikfeld 8, 38304 Wolfenbuettel
Tel 05331-946210, Fax 05331-946211, Handy 0170-5508198

Computer, Netzwerk, Kommunikation www.nisx.de




Re: [Samba] winbind problem

2013-04-16 Thread Nick Semenkovich
I also have this problem, using a very recent version from git. (see also:
http://www.mail-archive.com/samba@lists.samba.org/msg124657.html )

Periodically, winbind seems to simply crash, and getent passwd and other ops
(e.g. htop) stall.


I'd also be happy to provide any debugging information needed.




Re: [Samba] winbind problem

2013-04-16 Thread samba
Hi again,

 
I think I have a workaround:

Add a local user with ID 300 so that winbind never sees queries for that ID:

useradd -d /tmp -M -s /bin/false -u 300 -g 100 -o -l samba4-workaround 
(Ubuntu 12.04)

I've tested it a few times and it seems to work.

Kind regards
  Thomas Nolte

--
Nolte Infosysteme,  Im Sikfeld 8, 38304 Wolfenbuettel
Tel 05331-946210, Fax 05331-946211, Handy 0170-5508198

Computer, Netzwerk, Kommunikation www.nisx.de
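
Whether the workaround above holds depends on the passwd line of /etc/nsswitch.conf: glibc tries the listed sources left to right and stops at the first hit, so UID 300 stays away from winbind only if files or compat comes first. The check below is an added example, not part of the original post; the nsswitch line is an assumed typical setup, the passwd entry is constructed from the useradd flags, and the UID list (0, 300, 1008) is taken from the listings in the thread.

```python
import os
import re

# Constructed inputs: the passwd lines mirror the getent output and the
# useradd flags in the post; the nsswitch line is an assumed typical setup.
NSSWITCH = "passwd: compat winbind\ngroup:  compat winbind\n"
PASSWD_BEFORE = "root:x:0:0:root:/root:/bin/bash\n"
PASSWD_AFTER = PASSWD_BEFORE + "samba4-workaround:x:300:100::/tmp:/bin/false\n"


def passwd_sources(nsswitch_text):
    """Ordered sources of the 'passwd:' line; [..] action items are dropped,
    so this example assumes the default 'continue when not found'."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return re.sub(r"\[[^\]]*\]", " ", line[len("passwd:"):]).split()
    return []


def local_uids(passwd_text):
    """Map each UID in passwd-format text to the first name that claims it."""
    uids = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit():
            uids.setdefault(int(fields[2]), fields[0])
    return uids


def owner_uids(root):
    """Numeric owners under root, read with lstat so no NSS lookup happens."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            found.add(os.lstat(path).st_uid)
    return found


def uids_reaching_winbind(nsswitch_text, passwd_text, uids):
    """UIDs that no local source listed before winbind can answer."""
    sources = passwd_sources(nsswitch_text)
    if "winbind" not in sources:
        return []
    earlier = sources[:sources.index("winbind")]
    local = local_uids(passwd_text) if {"files", "compat"} & set(earlier) else {}
    return sorted(u for u in set(uids) if u not in local)


if __name__ == "__main__":
    owners = [0, 300, 1008]  # in practice: owner_uids("/path/to/share")
    print("before:", uids_reaching_winbind(NSSWITCH, PASSWD_BEFORE, owners))
    print("after: ", uids_reaching_winbind(NSSWITCH, PASSWD_AFTER, owners))
```

Any file owned by UID 300 is now reported under the local name samba4-workaround on this host rather than under a domain name.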

 

[Samba] winbind problem with BUILTIN?

2011-04-12 Thread Robert Fitzpatrick
I shut my Samba PDC and all members down for some PC rearranging and now 
having an issue with one member server on Ubuntu 10.12 with Samba 3.5.4 
after restarting all. It would not connect, I tried to remove the 
computer name from LDAP and re-join the domain, that was successfully 
joined and the entry reappears in LDAP, but it times out when trying to 
connect to that host via the network or smbclient on the local box. All 
other workstations (Win2003, WinXP) and the PDC (FreeBSD Unix) are 
working perfectly. Since it is timing out, I tried the IP address with 
smbclient and browsing  and it works. For some reason, my 
/etc/resolv.conf was empty, so I fixed, but still timing out. So, I 
looked at Winbind and found a potential issue with BUILTIN?...


[2011/04/12 17:37:49.028871, 10] winbindd/winbindd_util.c:846(find_lookup_domain_from_sid)
  calling find_domain_from_sid
[2011/04/12 17:37:49.029439, 10] winbindd/winbindd_cache.c:418(wcache_fetch_seqnum)
  wcache_fetch_seqnum: BUILTIN not found
[2011/04/12 17:37:49.029462, 10] winbindd/winbindd_cache.c:4709(wcache_store_ndr)
  could not fetch seqnum for domain BUILTIN
[2011/04/12 17:37:56.047749,  6] winbindd/winbindd.c:768(new_connection)
  accepted socket 22
[2011/04/12 17:37:56.047883, 10] winbindd/winbindd.c:620(process_request)
  process_request: request fn INTERFACE_VERSION
[2011/04/12 17:37:56.047909,  3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 5304]: request interface version
[2011/04/12 17:37:56.047952, 10] winbindd/winbindd.c:716(winbind_client_response_written)
  winbind_client_response_written[5304:INTERFACE_VERSION]: deliverd response to client
[2011/04/12 17:37:56.048022, 10] winbindd/winbindd.c:620(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2011/04/12 17:37:56.048045,  3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 5304]: request location of privileged pipe
[2011/04/12 17:37:56.048101, 10] winbindd/winbindd.c:716(winbind_client_response_written)
  winbind_client_response_written[5304:WINBINDD_PRIV_PIPE_DIR]: deliverd response to client
[2011/04/12 17:37:56.048191,  6] winbindd/winbindd.c:816(winbind_client_request_read)
  closing socket 22, client exited
[2011/04/12 17:37:56.048233,  6] winbindd/winbindd.c:768(new_connection)
  accepted socket 22
[2011/04/12 17:37:56.048276, 10] winbindd/winbindd.c:593(process_request)
  process_request: Handling async request 5304:SID_TO_GID
[2011/04/12 17:37:56.048298,  3] winbindd/winbindd_sid_to_gid.c:47(winbindd_sid_to_gid_send)
  sid to gid S-1-5-21-4199262639-1984306771-3339216219-512
[2011/04/12 17:37:56.048347, 10] lib/gencache.c:345(gencache_get_data_blob)
  Returning expired cache entry: key = IDMAP/SID2GID/S-1-5-21-4199262639-1984306771-3339216219-512, value = , timeout = Wed Dec 31 19:00:00 1969
[2011/04/12 17:37:56.048387, 10] winbindd/winbindd_util.c:843(find_lookup_domain_from_sid)
  find_lookup_domain_from_sid(S-1-5-21-4199262639-1984306771-3339216219-512)
[2011/04/12 17:37:56.048414, 10] winbindd/winbindd_util.c:853(find_lookup_domain_from_sid)
  calling find_our_domain
[2011/04/12 17:37:57.609408,  0] winbindd/winbindd.c:195(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)

I tried emptying the contents of /var/cache/samba, still no help. Here 
is smb.conf on the problem PC, in which nothing has changed since it last 
worked...


[global]
netbios name = MEDIA
server string = Media Server %v - Music, Videos and Photos
workgroup = WEBTENT
realm = WEBTENT
security = DOMAIN
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
wins server = 192.168.1.21
ldap suffix = dc=webtent,dc=org
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=webtent,dc=org
idmap backend = ldap:ldap://mail.webtent.org
idmap uid = 1-2
idmap gid = 1-2
snip shares

Can someone help me determine the next step in tracking down this issue? 
Or, how I could start all over with this box (already tried re-join)?


Thanks, Robert

--
Robert rob...@webtent.org


Re: [Samba] samba winbind problem with trusted domains

2010-06-25 Thread tms3







--- Original message ---
Subject: Re: [Samba] samba winbind problem with trusted domains
From: *...@ppu appaji04cn...@gmail.com
To: t...@tms3.com
Date: Friday, 25/06/2010  4:09 AM

hi

yes netbios is active on windows machines and i m able to ping samba 
server with .domain.extension. it is asking for user authentication but 
it is not taking when i give user ID and PWD.


I had that problem with 3.0.9 on FreeBSD YEARS ago...can't remember 
what I did.  Let's see:


In smb.conf, this wouldn't hurt:

workgroup = (NETBIOS NAME OF AD DOMAIN)

Since you have Windoze servers, turning on WINS on it and adding:

   wins server = wins ip addy
   remote announce = wins ip addy/netbios workgroup name
   remote browse sync = wins ip addy

You also want to do some nbtstat commands on the workstations to see 
if they are resolving netbios properly.


Something else just dawned on me, something about W2K8 and NTLMv2 
credentials.  IDK maybe the netbios name is trying to auth by NTLMv2 
and IP addy by kerberos...Like I said IDK, need to see packets.


Cheers,

TMS III








On Thu, Jun 24, 2010 at 6:26 PM, t...@tms3.com wrote:




SNIP



thanks for your reply .Those are trusted domains and wbinfo-m is 
showing all the trusted domains.


Anyways I have resolved the problem with Likewise open backend 
authentication tool. :) . But now I am facing another problem . i am 
not able to access samba shares using netbios name





Is netbios active on windows machines?  How is netbios being handled



even with full machine FQDN whereas it is accessible with IP address.

Is the samba machine in DNS?  ping myserver.mydomain.extention





can you please help me 




On Wed, Jun 23, 2010 at 6:16 PM, t...@tms3.com wrote:






On Wednesday 23/06/2010 at 12:12 am, *...@ppu  wrote:

hi all

i am new to samba and struggling with trusted domains authentication 
from

many days .i have a win2k3 domain(corp.raju.ad )and win2k8 domain (
testraju.ad) .

i have joined samba server as a member to win2k8 domain (testraju.ad) 
using

net ads join commands /

i m able to access samba shares using testraju.ad user ID's 
successfully ,

while authenticating with corp.raju.ad users i m unable to.log is
showing as NT_STATUS NO_SUCH USER


In such situations, the forest testaju.ad must have a trust with 
corp.raju.ad, which would be controlled by the Windoze DC's.  Samba NT 
style domain trusts are not applicable to member servers.  Member 
servers are little more than domain joined machines.


Cheers,

TMS III




following is my smb.conf file


[global]
   log file = /var/log/samba/%m
   load printers = yes
   idmap gid = 600-200
   interfaces = 127.0.0.1 eth0
   encrypt passwords = yes
   realm = testraju.ad
   winbind use default domain = true
   template shell = /bin/bash
   netbios name = slclinuxfs001
   winbind enum users = no
   idmap uid = 600-200
   password server = hsttestadc001.testraju.ad
   winbind nested groups = YeS
   workgroup = test
   winbind enum groups = no
   security = ADS
   max log size = 5
   bind interfaces only = true
   log level = 3


#winbind separator = \


[raju]
   comment = test share
   path = /tmp/raju
   browsable = yes
   available = yes
   writable = yes
   readonly = no
   valid users = @RAJU\domain users @TEST\domain users



wbinfo -m is listing all trusted domains .

i m able to authenticate trusted domain user with wbinfo
--authenticate=raju\\pa72635%password (2 back slashes)


i have enabled logging on and following is the client log  when i 
access

with trusted domain user ID .


[2010/06/23 12:47:38.010714,  3] auth/auth.c:216(check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user
[]...@[hicmbsa001] with the new password interface
[2010/06/23 12:47:38.010761,  3] auth/auth.c:219(check_ntlm_password)
   check_ntlm_password:  mapped user is: 
[slclinuxfs001]...@[hicmbsa001]

[2010/06/23 12:47:38.011642,  3] smbd/sec_ctx.c:210(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.011670,  3] smbd/uid.c:429(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/23 12:47:38.011709,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.011812,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/23 12:47:38.011921,  3] smbd/sec_ctx.c:210(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.011946,  3] smbd/uid.c:429(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/23 12:47:38.011969,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0

Re: [Samba] samba winbind problem with trusted domains

2010-06-24 Thread *...@ppu
Hi TMS,

thanks for your reply .Those are trusted domains and wbinfo-m is showing all
the trusted domains.

Anyways I have resolved the problem with Likewise open backend
authentication tool. :) . But now I am facing another problem . i am not
able to access samba shares using netbios name even with full machine FQDN
whereas it is accessible with IP address. can you please help me 



On Wed, Jun 23, 2010 at 6:16 PM, t...@tms3.com wrote:




 On Wednesday 23/06/2010 at 12:12 am, *...@ppu wrote:

 hi all

 i am new to samba and struggling with trusted domains authentication from
 many days .i have a win2k3 domain(corp.raju.ad )and win2k8 domain (
 testraju.ad) .

 i have joined samba server as a member to win2k8 domain (testraju.ad)
 using
 net ads join commands /

 i m able to access samba shares using testraju.ad user ID's successfully ,
 while authenticating with corp.raju.ad users i m unable to.log is
 showing as NT_STATUS NO_SUCH USER

 In such situations, the forest testaju.ad must have a trust with
 corp.raju.ad, which would be controlled by the Windoze DC's.  Samba NT
 style domain trusts are not applicable to member servers.  Member servers
 are little more than domain joined machines.

 Cheers,

 TMS III



 following is my smb.conf file


 [global]
  log file = /var/log/samba/%m
  load printers = yes
  idmap gid = 600-200
  interfaces = 127.0.0.1 eth0
  encrypt passwords = yes
  realm = testraju.ad
  winbind use default domain = true
  template shell = /bin/bash
  netbios name = slclinuxfs001
  winbind enum users = no
  idmap uid = 600-200
  password server = hsttestadc001.testraju.ad
  winbind nested groups = YeS
  workgroup = test
  winbind enum groups = no
  security = ADS
  max log size = 5
  bind interfaces only = true
  log level = 3


 #winbind separator = \


 [raju]
  comment = test share
  path = /tmp/raju
  browsable = yes
  available = yes
  writable = yes
  readonly = no
  valid users = @RAJU\domain users @TEST\domain users



 wbinfo -m is listing all trusted domains .

 i m able to authenticate trusted domain user with wbinfo
 --authenticate=raju\\pa72635%password (2 back slashes)


 i have enabled logging on and following is the client log when i access
 with trusted domain user ID .


 [2010/06/23 12:47:38.010714, 3] auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
 []...@[hicmbsa001] with the new password interface
 [2010/06/23 12:47:38.010761, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is: [slclinuxfs001]...@[hicmbsa001]
 [2010/06/23 12:47:38.011642, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2010/06/23 12:47:38.011670, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2010/06/23 12:47:38.011709, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2010/06/23 12:47:38.011812, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2010/06/23 12:47:38.011921, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2010/06/23 12:47:38.011946, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2010/06/23 12:47:38.011969, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2010/06/23 12:47:38.012000, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2010/06/23 12:47:38.012286, 3] auth/auth.c:265(check_ntlm_password)
check_ntlm_password: guest authentication for user [] succeeded
 [2010/06/23 12:47:38.082054, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2010/06/23 12:47:38.082095, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2010/06/23 12:47:38.082119, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2010/06/23 12:47:38.082356, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2010/06/23 12:47:38.082422, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
 [S-1-5-21-2180847254-3007464121-335579984-501]
 [2010/06/23 12:47:38.082464, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID [S-1-5-2]
 [2010/06/23 12:47:38.082503, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID [S-1-5-32-546]
 [2010/06/23 12:47:38.082587, 3]
 libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
NTLMSSP Sign/Seal - Initialising with flags:
 [2010/06/23 12:47:38.082624, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xa2088205
 [2010/06/23 12:47:38.082676, 3] 

Re: [Samba] samba winbind problem with trusted domains

2010-06-24 Thread tms3



SNIP



thanks for your reply .Those are trusted domains and wbinfo-m is 
showing all the trusted domains.


Anyways I have resolved the problem with Likewise open backend 
authentication tool. :) . But now I am facing another problem . i am 
not able to access samba shares using netbios name





Is netbios active on windows machines?  How is netbios being handled


even with full machine FQDN whereas it is accessible with IP address.

Is the samba machine in DNS?  ping myserver.mydomain.extention


can you please help me 




On Wed, Jun 23, 2010 at 6:16 PM, t...@tms3.com wrote:






On Wednesday 23/06/2010 at 12:12 am, *...@ppu  wrote:

hi all

i am new to samba and struggling with trusted domains authentication 
from

many days .i have a win2k3 domain(corp.raju.ad )and win2k8 domain (
testraju.ad) .

i have joined samba server as a member to win2k8 domain (testraju.ad) 
using

net ads join commands /

i m able to access samba shares using testraju.ad user ID's 
successfully ,

while authenticating with corp.raju.ad users i m unable to.log is
showing as NT_STATUS NO_SUCH USER


In such situations, the forest testaju.ad must have a trust with 
corp.raju.ad, which would be controlled by the Windoze DC's.  Samba NT 
style domain trusts are not applicable to member servers.  Member 
servers are little more than domain joined machines.


Cheers,

TMS III




following is my smb.conf file


[global]
   log file = /var/log/samba/%m
   load printers = yes
   idmap gid = 600-200
   interfaces = 127.0.0.1 eth0
   encrypt passwords = yes
   realm = testraju.ad
   winbind use default domain = true
   template shell = /bin/bash
   netbios name = slclinuxfs001
   winbind enum users = no
   idmap uid = 600-200
   password server = hsttestadc001.testraju.ad
   winbind nested groups = YeS
   workgroup = test
   winbind enum groups = no
   security = ADS
   max log size = 5
   bind interfaces only = true
   log level = 3


#winbind separator = \


[raju]
   comment = test share
   path = /tmp/raju
   browsable = yes
   available = yes
   writable = yes
   readonly = no
   valid users = @RAJU\domain users @TEST\domain users



wbinfo -m is listing all trusted domains .

i m able to authenticate trusted domain user with wbinfo
--authenticate=raju\\pa72635%password (2 back slashes)


i have enabled logging on and following is the client log  when i 
access

with trusted domain user ID .


[2010/06/23 12:47:38.010714,  3] auth/auth.c:216(check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user
[]...@[hicmbsa001] with the new password interface
[2010/06/23 12:47:38.010761,  3] auth/auth.c:219(check_ntlm_password)
   check_ntlm_password:  mapped user is: 
[slclinuxfs001]...@[hicmbsa001]

[2010/06/23 12:47:38.011642,  3] smbd/sec_ctx.c:210(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.011670,  3] smbd/uid.c:429(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/23 12:47:38.011709,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.011812,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/23 12:47:38.011921,  3] smbd/sec_ctx.c:210(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.011946,  3] smbd/uid.c:429(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/23 12:47:38.011969,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.012000,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/23 12:47:38.012286,  3] auth/auth.c:265(check_ntlm_password)
   check_ntlm_password: guest authentication for user [] succeeded
[2010/06/23 12:47:38.082054,  3] smbd/sec_ctx.c:210(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.082095,  3] smbd/uid.c:429(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/23 12:47:38.082119,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.082356,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/23 12:47:38.082422,  3] lib/privileges.c:63(get_privileges)
   get_privileges: No privileges assigned to SID
[S-1-5-21-2180847254-3007464121-335579984-501]
[2010/06/23 12:47:38.082464,  3] lib/privileges.c:63(get_privileges)
   get_privileges: No privileges assigned to SID [S-1-5-2]
[2010/06/23 12:47:38.082503,  3] lib/privileges.c:63(get_privileges)
   get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2010/06/23 

[Samba] samba winbind problem with trusted domains

2010-06-23 Thread *...@ppu
Hi all,

I am new to Samba and have been struggling with trusted-domain authentication
for many days. I have a win2k3 domain (corp.raju.ad) and a win2k8 domain
(testraju.ad).

I have joined the Samba server as a member of the win2k8 domain (testraju.ad)
using net ads join commands.

I am able to access Samba shares using testraju.ad user IDs successfully, but
while authenticating with corp.raju.ad users I am unable to. The log is
showing NT_STATUS NO_SUCH USER.

Following is my smb.conf file:


[global]
log file = /var/log/samba/%m
load printers = yes
idmap gid = 600-200
interfaces = 127.0.0.1 eth0
encrypt passwords = yes
realm = testraju.ad
winbind use default domain = true
template shell = /bin/bash
netbios name = slclinuxfs001
winbind enum users = no
idmap uid = 600-200
password server = hsttestadc001.testraju.ad
winbind nested groups = YeS
workgroup = test
winbind enum groups = no
security = ADS
max log size = 5
bind interfaces only = true
log level = 3


#winbind separator = \


[raju]
comment = test share
path = /tmp/raju
browsable = yes
available = yes
writable = yes
readonly = no
valid users = @RAJU\domain users @TEST\domain users



wbinfo -m is listing all trusted domains.

I am able to authenticate a trusted domain user with wbinfo
--authenticate=raju\\pa72635%password (2 backslashes).


I have enabled logging, and following is the client log when I access
with a trusted domain user ID.


[2010/06/23 12:47:38.010714,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[]...@[hicmbsa001] with the new password interface
[2010/06/23 12:47:38.010761,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [slclinuxfs001]...@[hicmbsa001]
[2010/06/23 12:47:38.011642,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.011670,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/23 12:47:38.011709,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.011812,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/23 12:47:38.011921,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.011946,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/23 12:47:38.011969,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.012000,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/23 12:47:38.012286,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2010/06/23 12:47:38.082054,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.082095,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/23 12:47:38.082119,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.082356,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/23 12:47:38.082422,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-2180847254-3007464121-335579984-501]
[2010/06/23 12:47:38.082464,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2010/06/23 12:47:38.082503,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2010/06/23 12:47:38.082587,  3]
libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2010/06/23 12:47:38.082624,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xa2088205
[2010/06/23 12:47:38.082676,  3] smbd/password.c:282(register_existing_vuid)
  register_existing_vuid: User name: nobody Real name: Nobody
[2010/06/23 12:47:38.082731,  3] smbd/password.c:292(register_existing_vuid)
  register_existing_vuid: UNIX uid 99 is UNIX user nobody, and will be vuid
100
[2010/06/23 12:47:38.097021,  3] smbd/process.c:1485(process_smb)
  Transaction 3 of length 94 (0 toread)
[2010/06/23 12:47:38.097084,  3] smbd/process.c:1294(switch_message)
  switch message SMBtconX (pid 13230) conn 0x0
[2010/06/23 12:47:38.097120,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/06/23 12:47:38.097407,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/06/23 12:47:38.097438,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/06/23 12:47:38.097460,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec 

[Samba] Winbind problem: can't convert sids and gids

2010-06-23 Thread Rob Moser
I have a problem where I can't browse to a samba share from Windows
(Server 2008); instead I get the error:

The group name could not be found

The winbind log contains the message:

could not convert gid 507 to sid

Suspecting a permissions problem, I went and looked at the files and the
group ownership has been set to BUILTIN\guests, which is not what I
want.  So I try to chgrp them to the domain group:

chgrp -R 'dss users' /file
chgrp: invalid group `dss users'

But I know that that is the domain group that I want:

wbinfo -g | grep dss
dss users

wbinfo -n 'dss users'
S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)

But winbind apparently cannot resolve it to a gid:

wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
to gid

My nsswitch.conf file does list winbind for users and groups.  My
smb.conf file contains (in part, obviously):

idmap alloc backend = tdb
idmap alloc config:range = 1 - 400
idmap uid = 1 - 400
idmap gid = 1 - 400

winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind use default domain = yes

So it is using a default domain (the correct one; I checked) and I'm not
just running out of gids.  My various /var/log/samba/log.* files contain
almost exactly nothing from the time of the transaction.

Any help appreciated,

 - rob.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Winbind problem: can't convert sids and gids

2010-06-23 Thread Gaiseric Vandal

Which samba version?

I had Samba 3.0.x on Solaris 10, and winbind was able to allocate uids and 
gids to users and groups from trusted domain (at least to Windows 2003 
domains in mixed mode.)  When I switched to a Samba 3.4.x PDC the 
allocation of new uids and gids broke. I suspect there is some 
configuration change in smb.conf I needed to make that was not obvious 
(to me) in the documentation.


I have an ldap backend, but temporarily changing to a TDB backend 
didn't help.


I worked around this by manually allocating uids and gids. With ldap 
you can do this with an ldap editor. But you can also use the wbinfo 
command to manually create uid-to-sid or gid-to-sid mappings with ldap 
or tdb backend.


It isn't really a long term solution but fortunately account 
additions/deletions are minimal where I work.


I did have idmap entries in smb.conf  for each domain I wanted to trust, 
in addition to the entries you listed.


On 06/23/2010 02:24 PM, Rob Moser wrote:



I have a problem where I can't browse to a samba share from Windows
(Server 2008); instead I get the error:

The group name could not be found

The winbind log contains the message:

could not convert gid 507 to sid

Suspecting a permissions problem, I went and looked at the files and the
group ownership has been set to BUILTIN\guests, which is not what I
want.  So I try to chgrp them to the domain group:

chgrp -R 'dss users' /file
chgrp: invalid group `dss users'

But I know that that is the domain group that I want:

wbinfo -g | grep dss
dss users

wbinfo -n 'dss users'
S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)

But winbind apparently cannot resolve it to a gid:

wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
to gid

My nsswitch.conf file does list winbind for users and groups.  My
smb.conf file contains (in part, obviously):

 idmap alloc backend = tdb
 idmap alloc config:range = 1 - 400
 idmap uid = 1 - 400
 idmap gid = 1 - 400

 winbind enum users = no
 winbind enum groups = no
 winbind nested groups = yes
 winbind use default domain = yes

So it is using a default domain (the correct one; I checked) and I'm not
just running out of gids.  My various /var/log/samba/log.* files contain
almost exactly nothing from the time of the transaction.

Any help appreciated,

  - rob.

   




Re: [Samba] Winbind problem: can't convert sids and gids

2010-06-23 Thread Rob Moser
I've had the problem with various versions of 3.3.x - most recently
3.3.8 and 3.3.12.  I have an older machine running 3.2.8 which works
fine using essentially an identical smb.conf file.

My smb.conf file also has the idmap entries for each trusted domain,
with non-overlapping id ranges.  I did see the manual mapping option in
wbinfo, but we have a fairly dynamic user base, so manual configuration
didn't seem viable.

Thanks for your help though!  Hopefully someone can tell us both how to
get the automatic mapping working...

 - rob.

On 06/23/2010 12:04 PM, Gaiseric Vandal wrote:
 Which samba version?
 
 I had Samba 3.0.x on Solaris 10, and winbind was able to allocate uids and 
 gids to users and groups from trusted domain (at least to Windows 2003 
 domains in mixed mode.)  When I switched to a Samba 3.4.x PDC the 
 allocation of new uids and gids broke. I suspect there is some 
 configuration change in smb.conf I needed to make that was not obvious 
 (to me) in the documentation.
 
 I have an ldap backend, but temporarily changing to a TDB backend 
 didn't help.
 
 I worked around this by manually allocating uids and gids. With ldap 
 you can do this with an ldap editor. But you can also use the wbinfo 
 command to manually create uid-to-sid or gid-to-sid mappings with ldap 
 or tdb backend.
 
 It isn't really a long term solution but fortunately account 
 additions/deletions are minimal where I work.
 
 I did have idmap entries in smb.conf  for each domain I wanted to trust, 
 in addition to the entries you listed.
 
 On 06/23/2010 02:24 PM, Rob Moser wrote:
 
 
 I have a problem where I can't browse to a samba share from Windows
 (Server 2008); instead I get the error:

 The group name could not be found

 The winbind log contains the message:

 could not convert gid 507 to sid

 Suspecting a permissions problem, I went and looked at the files and the
 group ownership has been set to BUILTIN\guests, which is not what I
 want.  So I try to chgrp them to the domain group:

 chgrp -R 'dss users' /file
 chgrp: invalid group `dss users'

 But I know that that is the domain group that I want:

 wbinfo -g | grep dss
 dss users

 wbinfo -n 'dss users'
 S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)

 But winbind apparently cannot resolve it to a gid:

 wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
 Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
 to gid

 My nsswitch.conf file does list winbind for users and groups.  My
 smb.conf file contains (in part, obviously):

  idmap alloc backend = tdb
  idmap alloc config:range = 1 - 400
  idmap uid = 1 - 400
  idmap gid = 1 - 400

  winbind enum users = no
  winbind enum groups = no
  winbind nested groups = yes
  winbind use default domain = yes

 So it is using a default domain (the correct one; I checked) and I'm not
 just running out of gids.  My various /var/log/samba/log.* files contain
 almost exactly nothing from the time of the transaction.

 Any help appreciated,

   - rob.


 



Re: [Samba] Winbind problem on Solaris 9 - samba 3.4.4

2010-01-19 Thread Robert M. Martel - CSU

Greetings,

Have not heard from anyone on this topic.

I tried building samba 3.3.10 with same environment - same issue:

ld.so.1: su: fatal: relocation error: file 
/usr/lib/security/pam_winbind.so.1: symbol libintl_bindtextdomain: 
referenced symbol not found


I could access shares from client PCs, but not log onto or su to an 
active directory user.



On 01/13/2010 04:03 PM, Robert M. Martel - CSU wrote:

Greetings

Samba 3.4.4 built on Solaris 9 with gcc version 3.4.6

This is an Active Directory member server which was working with Samba
3.2.15 installed.

I was able to build 3.4.4 without errors as well as access shares as an
active directory user from a client PC without any issues so far.

When I try to su to an active directory user in a terminal session I get
the following error:

ld.so.1: su: fatal: relocation error: file
/usr/lib/security/pam_winbind.so.1: symbol libintl_bindtextdomain:
referenced symbol not found

I have SMClintl from SunFreeware installed to support some other
packages, there also exists a libintl.so.1 in /usr/lib which is much
smaller than the one in /usr/local/lib.

I tried changing crle to put /usr/local/lib before /usr/lib but it did
not make a difference.

Any suggestions on how to resolve this issue?

Thanks!
Bob




--
***
Bob Martel,System Administrator  I met someone who looks a lot like you
Levin College of Urban Affairs   She does the things you do
Cleveland State University   But she is an IBM
(216) 687-2214
r.mar...@csuohio.edu-Jeff Lynne
***


[Samba] Winbind problem on Solaris 9 - samba 3.4.4

2010-01-13 Thread Robert M. Martel - CSU

Greetings

Samba 3.4.4 built on Solaris 9 with gcc version 3.4.6

This is an Active Directory member server which was working with Samba 
3.2.15 installed.


I was able to build 3.4.4 without errors as well as access shares as an 
active directory user from a client PC without any issues so far.


When I try to su to an active directory user in a terminal session I get 
the following error:


ld.so.1: su: fatal: relocation error: file 
/usr/lib/security/pam_winbind.so.1: symbol libintl_bindtextdomain: 
referenced symbol not found


I have SMClintl from SunFreeware installed to support some other 
packages, there also exists a libintl.so.1 in /usr/lib which is much 
smaller than the one in /usr/local/lib.


I tried changing crle to put /usr/local/lib before /usr/lib but it did 
not make a difference.


Any suggestions on how to resolve this issue?

Thanks!
Bob

--
***
Bob Martel,System Administrator  I met someone who looks a lot like you
Levin College of Urban Affairs   She does the things you do
Cleveland State University   But she is an IBM
(216) 687-2214
r.mar...@csuohio.edu-Jeff Lynne
***


[Samba] Winbind problem with GID range and idmap_rid

2009-08-24 Thread Arendt, Volker
Hello all,

We get a weird error on our 3.4.0 samba server. The log.winbind-idmap shows the 
following entries:

[2009/08/24 16:35:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2009/08/24 16:35:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2009/08/24 16:35:53,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2009/08/24 16:35:53,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2009/08/24 16:35:53,  1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
  Fatal Error: GID range full!! (max: 49)

What can be the cause for this kind of error? Is our idmap_rid not configured 
correctly?  

Please have a look

Volker
smb.conf
---
[global]

# 
# setting base configuration parameters
#
# 
workgroup = FB6
netbios name = FRIGG
server string = AFS
security = ADS
realm = FB6.UNI-WUPPERTAL.DE
auth methods = winbind
# password server = AD logon server
password server = 132.195.120.9 132.195.120.12
wins server = 132.195.120.12
client use spnego = yes
client signing = yes
# added because of ticket #5344
#client lanman auth = no
#client ntlmv2 auth = yes
encrypt passwords = yes
host msdfs = no
#domain logons = yes

# for Samba 3.3.0
# so that no encrypted connection to the domain controller
# is established
ldap ssl = no
obey pam restrictions = no

# -
# printer settings
# ??? better disable these settings ???
# -
# printcap name = cups
# disable spoolss = Yes
# show add printer wizard = No
# -
# ID mapping parameters
# mapping windows users to unix users
# this is performed on the basis of sid on windows and
# unix with uid for users and gid for groups
# the backend parameter rid allows to get the same mapping
# from sid to uid because it is determined algorithmically
# that way we get the same mapping even if we use samba on
# several disparate systems
# CHANGE NOTIFICATION: with v3.3.0 there are changes
# to idmap; idmap domains is no longer supported
# -
#idmap domains = FB6
#idmap backend = rid
idmap backend = tdb
idmap config FB6:backend   = rid
#idmap config FB6:base_rid  = 0
idmap config FB6:range = 1 - 49
idmap uid = 1-49
idmap gid = 1-49

winbind separator =+
winbind use default domain = Yes
winbind enum users = no
winbind enum groups = no
winbind cache time = 60
winbind gid = 1-49
winbind uid = 1-49

#template homedir = /gpfs/fbb/user/%U
#template shell = /opt/pware/bin/bash
#use sendfile = Yes
#printing = cups
#ldap suffix = dc=FB6, dc=UNI-WUPPERTAL, dc=DE

#---
# Logging options
#
#---
#
# higher log levels have a negative impact on performance
log level = 3
log file = /opt/pware/var/log/fbb.frigg.log.%m
max log size = 50
debug timestamp = yes
#utmp = yes

#---
# ACL Support
#
#---
map acl inherit = yes
nt acl support = yes
inherit acls = yes
inherit permissions = yes
inherit owner = yes
admin users = @FB6+domain admins

#---
# Performance options
#
#---
socket options = TCP_NODELAY IPTOS_LOWDELAY

# comment: VA, 01.05.2008
# deactivated, as it seems that this was our performance killer
# the original values were 8192 each; i have adapted both
# parameter values for AIX configuration
# SO_RCVBUF=16384 SO_SNDBUF=16384


#---
# Include Configuration Files
#
#---
include = /opt/pware/lib/fbb-user.conf
include = /opt/pware/lib/fbb-ls.conf
include = /opt/pware/lib/fbb-apps.conf
include = /opt/pware/lib/fbb-projekte.conf
include = /opt/pware/lib/fbb-profiles.conf


[Samba] Winbind-Problem Samba 3.2.8 on AIX 5.3.9

2009-02-16 Thread Arendt, Volker
Hi everyone,

On a newly installed AIX-LPAR (oslevel 5.3.9) we added the current samba 
version 3.2.8. Installation and configuration did not reveal any problem.

The problems show about 5 Minutes after services startup. After starting the 
samba services the winbind daemon uses lots of CPU time and memory. 
Wbinfo -u and wbinfo -g work after initial startup.

We cannot connect to any share on the machine. The level 10 log of the winbind 
daemon starts to show lots of the following messages:

Sending request to child pid 290960 (domain=FB6)
  talloc failed
  timed_events_timeout: 299/999828
  Could not receive async reply from child pid 290960
  fork_domain_child called for domain 'FB6'
  Could not receive trustdoms

The domain process went without any problem, the smb.conf was copied from a 
3.0.26a system and adapted to reflect the new server name.

Config files and level 10 logs are available for smbd, winbindd and 1 client 
system (that tried to connect) and can be provided.

Kind regards

Dr. Volker Arendt
--
Dr. Volker Arendt  mailto:are...@wiwi.uni-wuppertal.de
Gaußstr. 20  Tel : +49(202)4392449
42097 Wuppertal, Deutschland Fax:  +49(202)4393959
Bergische Universität Wuppertal  Wirtschaftswissenschaft (FBB)
--



AW: [Samba] Winbind-Problem Samba 3.2.8 on AIX 5.3.9 (partially solved)

2009-02-16 Thread Arendt, Volker
Hi everyone,

We just took one step forward. We changed the winbind entries for user
and group enumeration from yes to no and changed the winbind cache
timeout to 60 seconds. That solved the talloc problem (or so it seems).

Will keep you updated

Regards

Volker


[Samba] Winbind problem

2008-07-27 Thread shacky
Hi.

I'm trying to authenticate my proxy server (Debian Stable) to the
Active Directory domain managed by a Windows 2003 Standard Server, but
I have some problems:

proxy:~# net join -w TEST.LOCAL -S win2003test -U Administrator
Administrator's password:
[2008/07/26 15:31:31, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed
[2008/07/26 15:31:31, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Preauthentication failed
ADS join did not work, falling back to RPC...
Joined domain TEST.

proxy:~# wbinfo -u
Error looking up domain users
proxy:~# wbinfo -g
Error looking up domain groups

This is my /etc/samba/smb.conf:

[global]
  server string = Samba Proxy
  password server = win2003test
  security = domain
  encrypt passwords = yes
  workgroup = TEST.LOCAL
  winbind separator = @
  template homedir = /home/%D/%U
  template shell = /bin/bash
  winbind uid = 1-2
  winbind gid = 1-2
  winbind enum users = yes
  winbind enum groups = yes
  log file = /var/log/samba/%m.log
  max log size = 50
  socket options = TCP_NODELAY
  realm = TEST.LOCAL

Could you help me to solve this problem, please?

Thank you very much!
Bye.


Re: [Samba] Winbind problem

2008-07-27 Thread kissg

 [global]
  server string = Samba Proxy
  password server = win2003test
  security = domain
  encrypt passwords = yes
  workgroup = TEST.LOCAL
  winbind separator = @
  template homedir = /home/%D/%U
  template shell = /bin/bash
  winbind uid = 1-2
  winbind gid = 1-2
  winbind enum users = yes
  winbind enum groups = yes
  log file = /var/log/samba/%m.log
  max log size = 50
  socket options = TCP_NODELAY
  realm = TEST.LOCAL


You must use security = ads to join an Active Directory domain. Read the
smb.conf man page for more information. Also, make sure, that you have the
Kerberos libraries installed on your Debian machine (Heimdal or MIT).


RE: [Samba] Winbind problem with more details.

2008-02-18 Thread Trimble, Ronald D
Thanks for all of the helpful advice Ross.  I will certainly make some of these 
changes in the future in a controlled manner.  As it turns out, one of our 
in-house developers has found the problem and submitted a bug against winbind 
for it.  https://bugzilla.samba.org/show_bug.cgi?id=5264

His current patch is against the mod_auth_pam module, which is fine for us.

It took the better part of an entire week and many different debugging builds 
to figure out exactly what was going on.

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 2:26 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:

 Ross, do you have any links to document what you are saying
 about the password server being set to a domain?  I have
 found several examples of it listing multiple DCs, but not a
 domain name.

Well you could read this mind numbing white paper,

http://technet2.microsoft.com/windowsserver/en/library/19a63021-cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true

or just look at your DNS zone,

You will notice for each forward zone for each domain that the DCs in those 
domains acting as DNS servers register their IP addresses under the zone name, 
like such:

IN A X.X.X.X
IN A X.X.X.X
IN A X.X.X.X

This by nature will force a round-robin lookup for all A queries of the domain 
name.

Windows 2000/2003 goes a step further by ordering the results based on the 
originating IP and the site networks you configured in sites and services, 
making sure it delivers IP addresses in your subnet first, filtering out any DC 
that is reported as down.


Try it out with nslookup.

Now if you have Unix DNS servers this will of course not happen, you will get 
round-robin without the filtering or ordering.

-Ross

 -Original Message-
 From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
 Sent: Friday, February 15, 2008 12:06 PM
 To: Trimble, Ronald D; Herb Lewis
 Cc: samba@lists.samba.org
 Subject: RE: [Samba] Winbind problem with more details.

 Trimble, Ronald D wrote:
 
  Here you go...

 I forgot to ask which version of samba you're now running, but
 assuming it is something around '3.0.25', then here is my
 suggested config. If it is an earlier version let me know.

  [global]
  workgroup = NA
  realm = NA.UIS.UNISYS.COM
  netbios name = ustr-linux-1
  server string = USTR-LINUX-1 Samba Server
  encrypt passwords = yes
  security = ADS
  password server = 192.xx.xxx.xxx

 I believe for an AD domain, if you set the password server
 equal to the local domain name it will round-robin query
 the closest domain controller. Test it out, it will eliminate
 the single point of failure if it works in your environment.

  passdb backend = smbpasswd

 I tend to use tdb for my passwd backend, especially if the number
 of users is large, tdb can speed lookups tremendously.

  log level = 2 winbind:10 ads:10 auth:10
  syslog = 0
  log file = /var/log/samba/%m.log
  #   debug level = 10
  max log size = 5000
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

 I see no idmap entries here, and don't understand how winbind
 is working at all without them, maybe some old compatibility
 feature...

 I suggest, and of course I don't know your full topology, so it
 will most definitely need adjusting:

   idmap domains = default NA
   idmap config default:default = yes
   idmap config NA:backend = rid
   idmap config NA:range = 16777216 - 33554431

 Is that id range valid? I have never used anything over 99, it
 seems very oddly arbitrary, but I suppose you have a reason...

 Normally I allocate a 10 id range per domain, so NA would have
 range 10 - 19, domain NA2 would have 20 - 29 and
 so on, makes it easier to determine the RID if the base of the
 range is on a power of ten and if you have multiple domains.

   idmap alloc backend = tdb
   idmap uid = 9 - 9
   idmap gid = 9 - 9

 This section here is for local mappings, BUILTINs and such, I
 set it as the default, but I'm sure other people will have
 their preferences or recommendations.

  winbind use default domain = no
  winbind enum users = no
  winbind enum groups = no
  template homedir = /home/%D/%U
  template shell = /bin/bash
  admin users = root, NA\TRIMBLRD, +NA\EPS Admin
  nt acl support = yes
  map acl inherit = yes

 Notice I removed these lines:
  winbind uid = 16777216-33554431
  winbind gid = 16777216-33554431

 This is old deprecated syntax, the syntax is now 'idmap uid',
 and it applies to id domains not explicitly configured with
 the 'id config' directive.

 snip

 Let me know if that helps
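
Several threads on this page turn on idmap range settings: the `idmap gid = 600-200` line, the per-domain `rid` range that coincides with `idmap uid`/`idmap gid` next to the `GID range full!! (max: 49)` log entry, and the advice in the message above to give each domain its own range. The following Python check is an added example, not code from any poster or from the Samba project; it reads the `[global]` section of an smb.conf and reports inverted, very small and overlapping ranges. The `min_ids` threshold and the rule that a per-domain range should not intersect the allocator range are assumptions of this example, following the non-overlapping layout the posters describe.

```python
import re

# "winbind uid/gid" are the older spellings of "idmap uid/gid"
# (called deprecated in the reply above), so they are folded together.
ALIASES = {"winbind uid": "idmap uid", "winbind gid": "idmap gid"}
ALLOCATOR_KEYS = ("idmap uid", "idmap gid")
DOMAIN_RANGE = re.compile(r"^idmap config (.+):range$")
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed samples; the range values are the ones quoted in the posts.
SAMPLE_RID = """
[global]
idmap backend = tdb
idmap config FB6:backend   = rid
idmap config FB6:range = 1 - 49
idmap uid = 1-49
idmap gid = 1-49
winbind gid = 1-49
winbind uid = 1-49
"""

SAMPLE_INVERTED = """
[global]
idmap uid = 600-200
idmap gid = 600-200
[raju]
path = /tmp/raju
"""


def parse_global(text):
    """Return {parameter: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # smb.conf ignores case and extra blanks in parameter names
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        params[ALIASES.get(key, key)] = value.strip()
    return params


def idmap_ranges(params):
    """Return ({label: (low, high)}, findings for unparsable values)."""
    ranges, findings = {}, []
    for key, value in params.items():
        m = DOMAIN_RANGE.match(key)
        if not (m or key in ALLOCATOR_KEYS):
            continue
        label = "domain " + m.group(1).upper() if m else key
        r = RANGE.match(value)
        if not r:
            findings.append(("UNPARSABLE", label, value))
            continue
        ranges[label] = (int(r.group(1)), int(r.group(2)))
    return ranges, findings


def check_idmap(text, min_ids=1000):
    """Return a list of (code, subject, detail) findings.

    min_ids is a hypothetical threshold chosen for this example.
    """
    ranges, findings = idmap_ranges(parse_global(text))
    valid = {}
    for label, (low, high) in ranges.items():
        if low > high:
            findings.append(("INVERTED", label, f"{low}-{high}"))
            continue
        valid[label] = (low, high)
        if high - low + 1 < min_ids:
            findings.append(("SMALL", label, f"{high - low + 1} ids"))
    labels = sorted(valid)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            # uid and gid are separate id spaces, so sharing numbers is normal
            if a in ALLOCATOR_KEYS and b in ALLOCATOR_KEYS:
                continue
            if valid[a][0] <= valid[b][1] and valid[b][0] <= valid[a][1]:
                findings.append(("OVERLAP", a, b))
    return findings


if __name__ == "__main__":
    for name, text in (("rid", SAMPLE_RID), ("inverted", SAMPLE_INVERTED)):
        for finding in check_idmap(text):
            print(name, *finding)
```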

[Samba] winbind problem

2008-02-16 Thread Whit Blauvelt
I'm trying to do an ADS share. With a sane nsswitch.conf, that is with these
settings:

passwd: compat winbind
group:  compat winbind

I get this as the result:

# smbclient //no3/ftp  -Uwhit   
 
Password: 
Domain=[ABC] OS=[Unix] Server=[Samba 3.0.26a]
tree connect failed: NT_STATUS_ACCESS_DENIED

Yet with an insane nsswitch.conf, this is with these settings:

passwd: winbind
group:  winbind

I get a valid connection:

# smbclient //no3/ftp  -Uwhit   
 
Password: 
Domain=[ABC] OS=[Unix] Server=[Samba 3.0.26a]
smb: \ quit

So what's going on? It makes no difference if 'whit' is a UNIX user or not
in this. The ADS part of the login goes through either way. But with
'compat' there (or 'files') it runs through a bunch of extra stuff that
shows in the log for the connection, beginning with:

[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user [EMAIL PROTECTED] 
with the new password interface
[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(224)   
  
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]

and including:

[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [whit] succeeded

and:

[2008/02/16 20:31:58, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [whit] - [whit] - [whit] 
succeeded

and:

[2008/02/16 20:31:58, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2008/02/16 20:31:58, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2008/02/16 20:31:58, 2] auth/auth_util.c:create_local_nt_token(914)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!

and the same for BUILTIN\users and lots of other stuff up to:

[2008/02/16 20:31:58, 2] smbd/service.c:make_connection_snum(616)
  user 'whit' (from session setup) not permitted to access this share (FTP)
[2008/02/16 20:31:58, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Now, I'm not wanting any of whatever winbind is doing here beyond
authenticating against the ADS for the SMB shares on the Linux box. There
are no home directories desired for the SMB users, just the shared shares,
and no sort of login to the box for them outside of Samba. 

So what do I do to turn off this crap that looks like it must have to do
with home directories and mapping the UNIX accounts (I'm guessing), that
winbind does only if nsswitch gives it access to 'compat' or 'files,' and
that denies users access to shares that without all this garbage they can
get to just fine. Pardon my English.

Regards,
Whit


RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D


-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 4:37 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Ross S. W. Walker wrote:
 Trimble, Ronald D wrote:
 
  Just an FYI... this is not a local group but an AD Domain
  Local group.  We are using Domain Local groups since they can
  contain users from other domains.


 Are all these users members of the same domain?

 If not, do you have the 'allow trusted domains = yes' option set?

 What does your idmap setup look like?

After reading more carefully I have more questions below...

  -Original Message-
  From: Herb Lewis [mailto:[EMAIL PROTECTED]
  Sent: Thursday, February 14, 2008 3:08 PM
  To: Trimble, Ronald D
  Cc: samba@lists.samba.org
  Subject: Re: [Samba] Winbind problem with more details.
 
  you will notice that the SID type for the requested group is
  4 which we
  see from smb.h is SID_NAME_ALIAS  /* local group */
 
 
  Trimble, Ronald D wrote:
   Everyone,
   One of our developers was kind enough to
  insert some bug checking into the mod_auth_pam and
  mod_auth_sys_group so that we could see a little more of what
  was going on with our authentication failures.  Here is what
  we just saw.  Two of our users NA\connelmp and NA\guminssa
  both started getting messages that they were not part of the
  required group.   Here is the log for you all to see...

These users started getting messages, this means it was working
correctly for a while?


Yes, it was working for quite some time.  And throughout any given day it will 
work and then stop and then begin working again... all without intervention.



When did it stop working?


We had a system crash several weeks ago.  At that point we upgraded to the 
latest levels of samba as recommended by Novell.  It has not been consistent in 
performance since.



Did anything change around that time that could impact this?

Yes, we upgraded samba.

  From /var/log/apache2/error_log

Maybe /var/log/messages, or /var/log/samba/... may have more
detail as to why things aren't working.

snip lots of sid stuff

   Can anyone shed some light on what is going on here?  This
  problem has been driving me crazy for several weeks now and I
  could use all the help I could get.  I have a full complement
  of logs to go along with all the above information if anyone
  would be so kind as to take a look.  I can make it worth your
  while... I have a code for two free movie tickets on
  fandango.com if you can help me solve this.  Not much, but
  better than an email saying thanks.  :)

Try running your SID output with nscd shut down and see if that
is affecting it, otherwise I would start looking at what changed
in your environment that might have caused this.

I will look into disabling NSCD as you suggested.

Maybe permissions on the AD object?

Permissions have not changed.

The computer object representing this box has adequate rights
to query all group objects in AD?

The server is a member of the domain and thus has all the rights it needs to 
query the domain.

Just throwing out some ideas here.

-Ross

__
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.



RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
The users who are failing are all in the same domain.  What are you referring 
to in terms of the idmap?

-----Original Message-----
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 4:26 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:

 Just an FYI... this is not a local group but an AD Domain
 Local group.  We are using Domain Local groups since they can
 contain users from other domains.


Are all these users members of the same domain?

If not, do you have the 'allow trusted domains = yes' option set?

What does your idmap setup look like?


-Ross

 -----Original Message-----
 From: Herb Lewis [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 14, 2008 3:08 PM
 To: Trimble, Ronald D
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Winbind problem with more details.

 you will notice that the SID type for the requested group is
 4 which we
 see from smb.h is SID_NAME_ALIAS  /* local group */


 Trimble, Ronald D wrote:
  Everyone,
  One of our developers was kind enough to
 insert some bug checking into the mod_auth_pam and
 mod_auth_sys_group so that we could see a little more of what
 was going on with our authentication failures.  Here is what
 we just saw.  Two of our users NA\connelmp and NA\guminssa
 both started getting messages that they were not part of the
 required group.   Here is the log for you all to see...
 
 From /var/log/apache2/error_log
 
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: YES, na\\huynhsv is listed amongst the
 NA\\USTR-LINUX-1-SPAR group members
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: YES, na\\huynhsv is listed amongst the
 NA\\USTR-LINUX-1-SPAR group members
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: YES, na\\huynhsv is listed amongst the
 NA\\USTR-LINUX-1-SPAR group members
  [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63]
 CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
  [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63]
 CHKAUTH: NO, NA\\connelmp is NOT a member of
 NA\\USTR-LINUX-1-SPAR group (with 58 members)
  [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63]
 CHKAUTH: GROUP: NA\\connelmp not in required group(s).
  [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63]
 CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
  [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63]
 CHKAUTH: NO, NA\\connelmp is NOT a member of
 NA\\USTR-LINUX-1-SPAR group (with 58 members)
  [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63]
 CHKAUTH: GROUP: NA\\connelmp not in required group(s).
  [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63]
 CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63]
 CHKAUTH: NO, na\\connelmp is NOT a member of
 NA\\USTR-LINUX-1-SPAR group (with 58 members), referer:
 https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63]
 CHKAUTH: GROUP: na\\connelmp not in required group(s).,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63]
 CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63]
 CHKAUTH: NO, na\\connelmp is NOT a member of
 NA\\USTR-LINUX-1-SPAR group (with 58 members), referer:
 https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63]
 CHKAUTH: GROUP: na\\connelmp not in required group(s).,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63]
 CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63]
 CHKAUTH: NO, na\\connelmp is NOT a member of
 NA\\USTR-LINUX-1-SPAR group (with 58 members), referer:
 https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63]
 CHKAUTH: GROUP: na\\connelmp not in required group(s).,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63]
 CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:59 2008

RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Ross S. W. Walker
Trimble, Ronald D wrote:
 
 The users who are failing are all in the same domain.  What 
 are you referring to in terms of the idmap?

Are you using the old 'idmap backend = rid...' or the newer
'idmap domains = ...' and the 'idmap config DOM: backend = ...'
setup?

Maybe if you can post the [global] section of your smb.conf
substituting any proprietary information first of course.


-Ross


 -----Original Message-----
 From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 14, 2008 4:26 PM
 To: Trimble, Ronald D; Herb Lewis
 Cc: samba@lists.samba.org
 Subject: RE: [Samba] Winbind problem with more details.
 
 Trimble, Ronald D wrote:
 
  Just an FYI... this is not a local group but an AD Domain
  Local group.  We are using Domain Local groups since they can
  contain users from other domains.
 
 
 Are all these users members of the same domain?
 
 If not, do you have the 'allow trusted domains = yes' option set?
 
 What does your idmap setup look like?
 
 
 -Ross
 
  -----Original Message-----
  From: Herb Lewis [mailto:[EMAIL PROTECTED]
  Sent: Thursday, February 14, 2008 3:08 PM
  To: Trimble, Ronald D
  Cc: samba@lists.samba.org
  Subject: Re: [Samba] Winbind problem with more details.
 
  you will notice that the SID type for the requested group is
  4 which we
  see from smb.h is SID_NAME_ALIAS  /* local group */
 
 
  Trimble, Ronald D wrote:
   Everyone,
   One of our developers was kind enough to
  insert some bug checking into the mod_auth_pam and
  mod_auth_sys_group so that we could see a little more of what
  was going on with our authentication failures.  Here is what
  we just saw.  Two of our users NA\connelmp and NA\guminssa
  both started getting messages that they were not part of the
  required group.   Here is the log for you all to see...
  
  From /var/log/apache2/error_log
  

RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
Here you go...


[global]
workgroup = NA
realm = NA.UIS.UNISYS.COM
netbios name = ustr-linux-1
server string = USTR-LINUX-1 Samba Server
encrypt passwords = yes
security = ADS
password server = 192.xx.xxx.xxx
passdb backend = smbpasswd
log level = 2 winbind:10 ads:10 auth:10
syslog = 0
log file = /var/log/samba/%m.log
#   debug level = 10
max log size = 5000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = no
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
winbind enum users = no
winbind enum groups = no
template homedir = /home/%D/%U
template shell = /bin/bash
admin users = root, NA\TRIMBLRD, +NA\EPS Admin
nt acl support = yes
map acl inherit = yes

-----Original Message-----
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 11:09 AM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:

 The users who are failing are all in the same domain.  What
 are you referring to in terms of the idmap?

Are you using the old 'idmap backend = rid...' or the newer
'idmap domains = ...' and the 'idmap config DOM: backend = ...'
setup?

Maybe if you can post the [global] section of your smb.conf
substituting any proprietary information first of course.


-Ross


 -----Original Message-----
 From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 14, 2008 4:26 PM
 To: Trimble, Ronald D; Herb Lewis
 Cc: samba@lists.samba.org
 Subject: RE: [Samba] Winbind problem with more details.

 Trimble, Ronald D wrote:
 
  Just an FYI... this is not a local group but an AD Domain
  Local group.  We are using Domain Local groups since they can
  contain users from other domains.


 Are all these users members of the same domain?

 If not, do you have the 'allow trusted domains = yes' option set?

 What does your idmap setup look like?


 -Ross

  -----Original Message-----
  From: Herb Lewis [mailto:[EMAIL PROTECTED]
  Sent: Thursday, February 14, 2008 3:08 PM
  To: Trimble, Ronald D
  Cc: samba@lists.samba.org
  Subject: Re: [Samba] Winbind problem with more details.
 
  you will notice that the SID type for the requested group is
  4 which we
  see from smb.h is SID_NAME_ALIAS  /* local group */
 
 
  Trimble, Ronald D wrote:
   Everyone,
   One of our developers was kind enough to
  insert some bug checking into the mod_auth_pam and
  mod_auth_sys_group so that we could see a little more of what
  was going on with our authentication failures.  Here is what
  we just saw.  Two of our users NA\connelmp and NA\guminssa
  both started getting messages that they were not part of the
  required group.   Here is the log for you all to see...
  
  From /var/log/apache2/error_log
  

RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Ross S. W. Walker
Trimble, Ronald D wrote:
 
 Here you go...

I forgot to ask which version of samba you're now running, but
assuming it is something around '3.0.25', then here is my
suggested config. If it is an earlier version let me know.

 [global]
 workgroup = NA
 realm = NA.UIS.UNISYS.COM
 netbios name = ustr-linux-1
 server string = USTR-LINUX-1 Samba Server
 encrypt passwords = yes
 security = ADS
 password server = 192.xx.xxx.xxx

I believe for an AD domain, if you set the password server
equal to the local domain name it will round-robin query
the closest domain controller. Test it out, it will eliminate
the single point of failure if it works in your environment.

 passdb backend = smbpasswd

I tend to use tdb for my passwd backend, especially if the number
of users is large, tdb can speed lookups tremendously.

 log level = 2 winbind:10 ads:10 auth:10
 syslog = 0
 log file = /var/log/samba/%m.log
 #   debug level = 10
 max log size = 5000
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

I see no idmap entries here, and don't understand how winbind
is working at all without them, maybe some old compatibility feature...

I suggest, and of course I don't know your full topology, so it
will most definitely need adjusting:

  idmap domains = default NA
  idmap config default:default = yes
  idmap config NA:backend = rid
  idmap config NA:range = 16777216 - 33554431

Is that id range valid? I have never used anything over 99, it
seems very oddly arbitrary, but I suppose you have a reason...

Normally I allocate a 10 id range per domain, so NA would have
range 10 - 19, domain NA2 would have 20 - 29 and
so on, makes it easier to determine the RID if the base of the
range is on a power of ten and if you have multiple domains.

  idmap alloc backend = tdb
  idmap uid = 9 - 9
  idmap gid = 9 - 9

This section here is for local mappings, BUILTINs and such, I
set it as the default, but I'm sure other people will have
their preferences or recommendations.

 winbind use default domain = no
 winbind enum users = no
 winbind enum groups = no
 template homedir = /home/%D/%U
 template shell = /bin/bash
 admin users = root, NA\TRIMBLRD, +NA\EPS Admin
 nt acl support = yes
 map acl inherit = yes

Notice I removed these lines:
 winbind uid = 16777216-33554431
 winbind gid = 16777216-33554431

This is old deprecated syntax, the syntax is now 'idmap uid',
and it applies to id domains not explicitly configured with
the 'id config' directive.

snip

Let me know if that helps.

-Ross
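
Added example (not from the thread and not Samba's own code): the arithmetic documented for the rid backend, ID = RID - BASE_RID + LOW_RANGE_ID, applied to the NA range quoted above, together with a check that no two idmap ranges overlap, since overlapping ranges let two different SIDs resolve to the same uid/gid. The NA2 range and the allocator range are constructed sample values, and all function names are hypothetical.

```python
import re

# Constructed smb.conf fragment. The NA range is the one quoted in the thread;
# the NA2 domain and the allocator (idmap uid/gid) range are made-up samples.
SAMPLE_CONF = """\
[global]
    idmap domains = default NA NA2
    idmap config default:default = yes
    idmap config NA:backend = rid
    idmap config NA:range = 16777216 - 33554431
    idmap config NA2:backend = rid
    idmap config NA2:range = 30000000 - 39999999
    idmap alloc backend = tdb
    idmap uid = 10000 - 19999
    idmap gid = 10000 - 19999
"""


def parse_range(value):
    """Parse 'low - high' (spaces optional) into a (low, high) tuple."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"not an id range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"inverted id range: {value!r}")
    return low, high


def parse_idmap_ranges(conf_text):
    """Collect every idmap range: per-domain ones and the uid/gid allocator."""
    ranges = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        dom = re.fullmatch(r"idmap\s+config\s+(\S+?)\s*:\s*range", key, re.I)
        alloc = re.fullmatch(r"idmap\s+(uid|gid)", key, re.I)
        if dom:
            ranges[dom.group(1).upper()] = parse_range(value)
        elif alloc:
            ranges["alloc " + alloc.group(1).lower()] = parse_range(value)
    return ranges


def rid_to_unix_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when it falls outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def unix_id_to_rid(unix_id, low, high, base_rid=0):
    """Inverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None
    return unix_id + base_rid - low


def find_overlaps(ranges):
    """Return (name_a, name_b, first_shared_id, last_shared_id) for each clash.

    The uid and gid allocator ranges are separate number spaces, so that
    one pair is allowed to coincide.
    """
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    clashes = []
    for i, (a, (_, a_high)) in enumerate(items):
        for b, (b_low, b_high) in items[i + 1:]:
            if a.startswith("alloc") and b.startswith("alloc"):
                continue
            if b_low <= a_high:
                clashes.append((a, b, b_low, min(a_high, b_high)))
    return clashes


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SAMPLE_CONF)
    low, high = ranges["NA"]
    print("NA RID 1104 ->", rid_to_unix_id(1104, low, high))
    for a, b, first, last in find_overlaps(ranges):
        print(f"overlap: {a} and {b} share ids {first}-{last}")
```

With the sample ranges, RID 13223888 in NA and RID 1104 in NA2 both come out as id 30001104, which is the collision the overlap check reports.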



RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Ross S. W. Walker
Ross S. W. Walker wrote:
 
 Trimble, Ronald D wrote:
  
  Here you go...
 
 I forgot to ask which version of samba you're now running, but
 assuming it is something around '3.0.25', then here is my
 suggested config. If it is an earlier version let me know.

I just realized that your config is pre-RID mapping so your
uid/gid base is in a single tdb file that if lost or broken
will seriously mess up your user base!

If that is the case then I suggest this:
   idmap domains = default
   idmap config default:default = yes
   idmap alloc backend = tdb
   idmap uid = 16777216 - 33554431
   idmap gid = 16777216 - 33554431

Forget this:
   idmap config NA:backend = rid
   idmap config NA:range = 16777216 - 33554431

But remove these:
   winbind uid = 16777216-33554431
   winbind gid = 16777216-33554431

Back up your tdb cache directory and smb.conf first though to
be on the safe side.

-Ross

  [global]
  workgroup = NA
  realm = NA.UIS.UNISYS.COM
  netbios name = ustr-linux-1
  server string = USTR-LINUX-1 Samba Server
  encrypt passwords = yes
  security = ADS
  password server = 192.xx.xxx.xxx
 
 I believe for an AD domain, if you set the password server
 equal to the local domain name it will round-robin query
 the closest domain controller. Test it out, it will eliminate
 the single point of failure if it works in your environment.
 
  passdb backend = smbpasswd
 
 I tend to use tdb for my passwd backend, especially if the number
 of users is large, tdb can speed lookups tremendously.
 
  log level = 2 winbind:10 ads:10 auth:10
  syslog = 0
  log file = /var/log/samba/%m.log
  #   debug level = 10
  max log size = 5000
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 
 I see no idmap entries here, and don't understand how winbind
 is working at all without them, maybe some old compatibility 
 feature...
 
 I suggest, and of course I don't know your full topology, so it
 will most definitely need adjusting:
 
   idmap domains = default NA
   idmap config default:default = yes
   idmap config NA:backend = rid
   idmap config NA:range = 16777216 - 33554431
 
 Is that id range valid? I have never used anything over 99, it
 seems very oddly arbitrary, but I suppose you have a reason...
 
 Normally I allocate a 10 id range per domain, so NA would have
 range 10 - 19, domain NA2 would have 20 - 29 and
 so on, makes it easier to determine the RID if the base of the
 range is on a power of ten and if you have multiple domains.
 
   idmap alloc backend = tdb
   idmap uid = 9 - 9
   idmap gid = 9 - 9
 
 This section here is for local mappings, BUILTINs and such, I
 set it as the default, but I'm sure other people will have
 their preferences or recommendations.
 
  winbind use default domain = no
  winbind enum users = no
  winbind enum groups = no
  template homedir = /home/%D/%U
  template shell = /bin/bash
  admin users = root, NA\TRIMBLRD, +NA\EPS Admin
  nt acl support = yes
  map acl inherit = yes
 
 Notice I removed these lines:
  winbind uid = 16777216-33554431
  winbind gid = 16777216-33554431
 
 This is old deprecated syntax, the syntax is now 'idmap uid',
 and it applies to id domains not explicitly configured with
 the 'id config' directive.
 
 snip
 
 Let me know if that helps.
 
 -Ross
 
 


RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
That is a lot of good information... let me give it a shot on a test system to 
see what happens.

-----Original Message-----
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 12:06 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:

 Here you go...

I forgot to ask which version of samba you're now running, but
assuming it is something around '3.0.25', then here is my
suggested config. If it is an earlier version let me know.

 [global]
 workgroup = NA
 realm = NA.UIS.UNISYS.COM
 netbios name = ustr-linux-1
 server string = USTR-LINUX-1 Samba Server
 encrypt passwords = yes
 security = ADS
 password server = 192.xx.xxx.xxx

I believe for an AD domain, if you set the password server
equal to the local domain name it will round-robin query
the closest domain controller. Test it out, it will eliminate
the single point of failure if it works in your environment.

 passdb backend = smbpasswd

I tend to use tdb for my passwd backend, especially if the number
of users is large, tdb can speed lookups tremendously.

 log level = 2 winbind:10 ads:10 auth:10
 syslog = 0
 log file = /var/log/samba/%m.log
 #   debug level = 10
 max log size = 5000
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

I see no idmap entries here, and don't understand how winbind
is working at all without them, maybe some old compatibility feature...

I suggest, and of course I don't know your full topology, so it
will most definitely need adjusting:

  idmap domains = default NA
  idmap config default:default = yes
  idmap config NA:backend = rid
  idmap config NA:range = 16777216 - 33554431

Is that id range valid? I have never used anything over 99, it
seems very oddly arbitrary, but I suppose you have a reason...

Normally I allocate a 10 id range per domain, so NA would have
range 10 - 19, domain NA2 would have 20 - 29 and
so on, makes it easier to determine the RID if the base of the
range is on a power of ten and if you have multiple domains.

  idmap alloc backend = tdb
  idmap uid = 9 - 9
  idmap gid = 9 - 9

This section here is for local mappings, BUILTINs and such, I
set it as the default, but I'm sure other people will have
their preferences or recommendations.

 winbind use default domain = no
 winbind enum users = no
 winbind enum groups = no
 template homedir = /home/%D/%U
 template shell = /bin/bash
 admin users = root, NA\TRIMBLRD, +NA\EPS Admin
 nt acl support = yes
 map acl inherit = yes

Notice I removed these lines:
 winbind uid = 16777216-33554431
 winbind gid = 16777216-33554431

This is old deprecated syntax, the syntax is now 'idmap uid',
and it applies to id domains not explicitly configured with
the 'id config' directive.

snip

Let me know if that helps.

-Ross



RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
Just an FYI, we are currently on 3.0.28.  This server was built when 3.0 was 
just coming around.

-----Original Message-----
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 12:30 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Ross S. W. Walker wrote:

 Trimble, Ronald D wrote:
 
  Here you go...

 I forgot to ask which version of samba you're now running, but
 assuming it is something around '3.0.25', then here is my
 suggested config. If it is an earlier version let me know.

I just realized that your config is pre-RID mapping so your
uid/gid base is in a single tdb file that if lost or broken
will seriously mess up your user base!

If that is the case then I suggest this:
   idmap domains = default
   idmap config default:default = yes
   idmap alloc backend = tdb
   idmap uid = 16777216 - 33554431
   idmap gid = 16777216 - 33554431

Forget this:
   idmap config NA:backend = rid
   idmap config NA:range = 16777216 - 33554431

But remove these:
   winbind uid = 16777216-33554431
   winbind gid = 16777216-33554431

Back up your tdb cache directory and smb.conf first though to
be on the safe side.

-Ross

  [global]
  workgroup = NA
  realm = NA.UIS.UNISYS.COM
  netbios name = ustr-linux-1
  server string = USTR-LINUX-1 Samba Server
  encrypt passwords = yes
  security = ADS
  password server = 192.xx.xxx.xxx

 I believe for an AD domain, if you set the password server
 equal to the local domain name it will round-robin query
 the closest domain controller. Test it out, it will eliminate
 the single point of failure if it works in your environment.

  passdb backend = smbpasswd

 I tend to use tdb for my passwd backend, especially if the number
 of users is large, tdb can speed lookups tremendously.

  log level = 2 winbind:10 ads:10 auth:10
  syslog = 0
  log file = /var/log/samba/%m.log
  #   debug level = 10
  max log size = 5000
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

 I see no idmap entries here, and don't understand how winbind
 is working at all without them, maybe some old compatibility
 feature...

 I suggest, and of course I don't know your full topology, so it
 will most definitely need adjusting:

   idmap domains = default NA
   idmap config default:default = yes
   idmap config NA:backend = rid
   idmap config NA:range = 16777216 - 33554431

 Is that id range valid? I have never used anything over 99, it
 seems very oddly arbitrary, but I suppose you have a reason...

 Normally I allocate a 10 id range per domain, so NA would have
 range 10 - 19, domain NA2 would have 20 - 29 and
 so on, makes it easier to determine the RID if the base of the
 range is on a power of ten and if you have multiple domains.

   idmap alloc backend = tdb
   idmap uid = 9 - 9
   idmap gid = 9 - 9

 This section here is for local mappings, BUILTINs and such, I
 set it as the default, but I'm sure other people will have
 their preferences or recommendations.

  winbind use default domain = no
  winbind enum users = no
  winbind enum groups = no
  template homedir = /home/%D/%U
  template shell = /bin/bash
  admin users = root, NA\TRIMBLRD, +NA\EPS Admin
  nt acl support = yes
  map acl inherit = yes

 Notice I removed these lines:
  winbind uid = 16777216-33554431
  winbind gid = 16777216-33554431

 This is old deprecated syntax, the syntax is now 'idmap uid',
 and it applies to id domains not explicitly configured with
 the 'id config' directive.

 snip

 Let me know if that helps.

 -Ross

 __
 This e-mail, and any attachments thereto, is intended only for use by
 the addressee(s) named herein and may contain legally privileged
 and/or confidential information. If you are not the intended recipient
 of this e-mail, you are hereby notified that any dissemination,
 distribution or copying of this e-mail, and any attachments thereto,
 is strictly prohibited. If you have received this e-mail in error,
 please immediately notify the sender and permanently delete the
 original and any copy or printout thereof.

 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba



RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
Ross, do you have any links to document what you are saying about the password 
server being set to a domain?  I have found several examples of it listing 
multiple DCs, but not a domain name.

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 12:06 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:

 Here you go...

I forgot to ask which version of samba you're now running, but
assuming it is something around '3.0.25', then here is my
suggested config. If it is an earlier version let me know.

 [global]
 workgroup = NA
 realm = NA.UIS.UNISYS.COM
 netbios name = ustr-linux-1
 server string = USTR-LINUX-1 Samba Server
 encrypt passwords = yes
 security = ADS
 password server = 192.xx.xxx.xxx

I believe for an AD domain, if you set the password server
equal to the local domain name it will round-robin query
the closest domain controller. Test it out, it will eliminate
the single point of failure if it works in your environment.

 passdb backend = smbpasswd

I tend to use tdb for my passwd backend, especially if the number
of users is large, tdb can speed lookups tremendously.

 log level = 2 winbind:10 ads:10 auth:10
 syslog = 0
 log file = /var/log/samba/%m.log
 #   debug level = 10
 max log size = 5000
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

I see no idmap entries here, and don't understand how winbind
is working at all without them, maybe some old compatibility feature...

I suggest, and of course I don't know your full topology, so it
will most definitely need adjusting:

  idmap domains = default NA
  idmap config default:default = yes
  idmap config NA:backend = rid
  idmap config NA:range = 16777216 - 33554431

Is that id range valid? I have never used anything over 99, it
seems very oddly arbitrary, but I suppose you have a reason...

Normally I allocate a 10 id range per domain, so NA would have
range 10 - 19, domain NA2 would have 20 - 29 and
so on, makes it easier to determine the RID if the base of the
range is on a power of ten and if you have multiple domains.

  idmap alloc backend = tdb
  idmap uid = 9 - 9
  idmap gid = 9 - 9

This section here is for local mappings, BUILTINs and such, I
set it as the default, but I'm sure other people will have
their preferences or recommendations.

 winbind use default domain = no
 winbind enum users = no
 winbind enum groups = no
 template homedir = /home/%D/%U
 template shell = /bin/bash
 admin users = root, NA\TRIMBLRD, +NA\EPS Admin
 nt acl support = yes
 map acl inherit = yes

Notice I removed these lines:
 winbind uid = 16777216-33554431
 winbind gid = 16777216-33554431

This is old deprecated syntax, the syntax is now 'idmap uid',
and it applies to id domains not explicitly configured with
the 'id config' directive.

snip

Let me know if that helps.

-Ross



RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Ross S. W. Walker
Trimble, Ronald D wrote:
 
 Ross, do you have any links to document what you are saying 
 about the password server being set to a domain?  I have 
 found several examples of it listing multiple DCs, but not a 
 domain name.

Well you could read this mind numbing white paper,

http://technet2.microsoft.com/windowsserver/en/library/19a63021-cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true

or just look at your DNS zone,

You will notice for each forward zone for each domain that the DCs in those 
domains acting as DNS servers register their IP addresses under the zone name, 
like such:

IN A X.X.X.X
IN A X.X.X.X
IN A X.X.X.X

This by nature will force a round-robin lookup for all A queries of the domain 
name.

Windows 2000/2003 goes a step further by ordering the results based on the 
originating IP and the site networks you configured in sites and services, 
making sure it delivers IP addresses in your subnet first, filtering out any DC 
that is reported as down.

Try it out with nslookup.

Now if you have Unix DNS servers this will of course not happen, you will get 
round-robin without the filtering or ordering.

-Ross


RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
You are 100% correct.  I did have a situation several weeks ago where I was 
forced to delete the cache and as a result I had to go through the entire file 
structure to reset all the ACLs.  It was a mess, but thankfully I have a very 
simple security model.

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 12:30 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Ross S. W. Walker wrote:

 Trimble, Ronald D wrote:
 
  Here you go...

 I forgot to ask which version of samba you're now running, but
 assuming it is something around '3.0.25', then here is my
 suggested config. If it is an earlier version let me know.

I just realized that your config is pre-RID mapping so your
uid/gid base is in a single tdb file that if lost or broken
will seriously mess up your user base!

If that is the case then I suggest this:
   idmap domains = default
   idmap config default:default = yes
   idmap alloc backend = tdb
   idmap uid = 16777216 - 33554431
   idmap gid = 16777216 - 33554431

Forget this:
   idmap config NA:backend = rid
   idmap config NA:range = 16777216 - 33554431

But remove these:
   winbind uid = 16777216-33554431
   winbind gid = 16777216-33554431

Back up your tdb cache directory and smb.conf first though to
be on the safe side.

-Ross


RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
Yes, I will probably give this a try, but I will have to wait until the weekend 
to do so.  Having to rebuild permissions during production hours would be far 
too stressful.

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 2:29 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:

 You are 100% correct.  I did have a situation several weeks
 ago where I was forced to delete the cache and as a result I
 had to go through the entire file structure to reset all the
 ACLs.  It was a mess, but thankfully I have a very simple
 security model.

I would seriously think about using idmap_rid as it will make
sure if you need to re-create your maps your UIDs and GIDs
will be identical each time and on each server.

Of course doing so will force you to have to reset ACLs in your
file structure again... :-(

-Ross


RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Ross S. W. Walker
Trimble, Ronald D wrote:
 
 You are 100% correct.  I did have a situation several weeks 
 ago where I was forced to delete the cache and as a result I 
 had to go through the entire file structure to reset all the 
 ACLs.  It was a mess, but thankfully I have a very simple 
 security model.

I would seriously think about using idmap_rid as it will make
sure if you need to re-create your maps your UIDs and GIDs
will be identical each time and on each server.

Of course doing so will force you to have to reset ACLs in your
file structure again... :-(

-Ross


RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Ross S. W. Walker
Trimble, Ronald D wrote:
 
 Yes, I will probably give this a try, but I will have to wait 
 until the weekend to do so.  Having to rebuild permissions 
 during production hours would be far too stressful.

Most definitely.

If you plan on doing idmap RID, then have a list of all trusted
domains in your environment and add a range for each domain.

  idmap domains = DOM1 DOM2 DOM3
  idmap config DOM1:backend = rid
  idmap config DOM1:range = 10 - 19
  idmap config DOM2:backend = rid
  idmap config DOM2:range = 20 - 29
  idmap config DOM3:backend = rid
  idmap config DOM3:range = 30 - 39
  idmap alloc backend = tdb
  idmap uid = 10-99
  idmap gid = 10-99

This will only allocate uids and gids for those domains.

If you want to allocate uids and gids for unknown domains too.

  idmap domains = DOM1 DOM2 DOM3 UNKNOWN
  idmap config DOM1:backend = rid
  idmap config DOM1:range = 10 - 19
  idmap config DOM2:backend = rid
  idmap config DOM2:range = 20 - 29
  idmap config DOM3:backend = rid
  idmap config DOM3:range = 30 - 39
  idmap config UNKNOWN:default = yes
  idmap config UNKNOWN:backend = tdb
  idmap config UNKNOWN:range = 90-99
  idmap alloc backend = tdb
  idmap uid = 10-99
  idmap gid = 10-99

Then you could set up something in PAM to make all uids = 90
guest accounts with limited privileges and the uids/gids will
be created on a first needed basis like the old winbind method.

You need separate ranges for each domain because RIDs start
over again from 1000 in each domain and you wouldn't want
conflicting uids and gids.

-Ross
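
The point above about separate ranges per domain, as an added example that is not part of the original thread: it parses 'idmap config' lines, flags rid-backend ranges that overlap, and applies the mapping documented for the idmap_rid backend (ID = RID - BASE_RID + LOW_RANGE_ID). The domain names, range values and RIDs in the sample are constructed for illustration and are not the thread's own values.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment in the 'idmap config DOM:key = value' style
# used in the thread. Domains and ranges are illustrative assumptions;
# DOM3 deliberately overlaps DOM2 to show the failure mode.
SAMPLE_CONF = """
[global]
   idmap domains = DOM1 DOM2 DOM3
   idmap config DOM1:backend = rid
   idmap config DOM1:range = 100000 - 199999
   idmap config DOM2:backend = rid
   idmap config DOM2:range = 200000 - 299999
   idmap config DOM3:backend = rid
   idmap config DOM3:range = 250000 - 349999
"""

_IDMAP = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(.+?)\s*=\s*(.+?)\s*$",
                    re.IGNORECASE)
_RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(conf_text):
    """Collect 'idmap config DOMAIN:key = value' settings per domain."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = _IDMAP.match(line)
        if m:
            dom, key, value = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = value
    return domains


def rid_ranges(domains):
    """Return {domain: (low, high, base_rid)} for domains on the rid backend."""
    out = {}
    for dom, opts in domains.items():
        if opts.get("backend", "").lower() != "rid":
            continue
        m = _RANGE.match(opts.get("range", ""))
        if not m:
            raise ValueError(f"{dom}: rid backend without a valid range")
        low, high = int(m.group(1)), int(m.group(2))
        if low > high:
            raise ValueError(f"{dom}: range low bound exceeds high bound")
        out[dom] = (low, high, int(opts.get("base_rid", 0)))
    return out


def find_overlaps(ranges):
    """Return sorted domain pairs whose id ranges intersect."""
    pairs = []
    for (a, (alo, ahi, _)), (b, (blo, bhi, _)) in combinations(
            sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:
            pairs.append((a, b))
    return pairs


def rid_to_unix_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when it falls outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    ranges = rid_ranges(parse_idmap(SAMPLE_CONF))
    # The same RID in each domain lands on a different, reproducible id:
    # nothing here depends on a tdb file or on allocation order.
    for dom, (low, high, base) in sorted(ranges.items()):
        print(dom, "RID 1105 ->", rid_to_unix_id(1105, low, high, base))
    # Overlapping ranges let two different accounts share one uid.
    print("overlapping ranges:", find_overlaps(ranges))
    print("DOM2 RID 51105 ->", rid_to_unix_id(51105, *ranges["DOM2"]))
    print("DOM3 RID 1105  ->", rid_to_unix_id(1105, *ranges["DOM3"]))
```

With overlapping ranges, two different domain accounts resolve to the same uid, so a file ACL granted to one also applies to the other; running this kind of check before switching backends catches that.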


Re: [Samba] Winbind problem with more details.

2008-02-14 Thread Herb Lewis

you will notice that the SID type for the requested group is 4 which we
see from smb.h is SID_NAME_ALIAS  /* local group */


Trimble, Ronald D wrote:

Everyone,
One of our developers was kind enough to insert some bug 
checking into the mod_auth_pam and mod_auth_sys_group so that we could see a 
little more of what was going on with our authentication failures.  Here is 
what we just saw.  Two of our users NA\connelmp and NA\guminssa both started 
getting messages that they were not part of the required group.   Here is the 
log for you all to see...


From /var/log/apache2/error_log


[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: is 
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
NA\\connelmp not in required group(s).
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: is 
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
NA\\connelmp not in required group(s).
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: is 
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
NA\\connelmp not in required group(s).
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: is 
na\\guminssa a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: NO, 
na\\guminssa is NOT a member of 

[Samba] Winbind problem with more details.

2008-02-14 Thread Trimble, Ronald D
Everyone,
One of our developers was kind enough to insert some bug 
checking into the mod_auth_pam and mod_auth_sys_group so that we could see a 
little more of what was going on with our authentication failures.  Here is 
what we just saw.  Two of our users NA\connelmp and NA\guminssa both started 
getting messages that they were not part of the required group.   Here is the 
log for you all to see...

From /var/log/apache2/error_log

[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: is 
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
NA\\connelmp not in required group(s).
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: is 
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
NA\\connelmp not in required group(s).
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: is 
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
NA\\connelmp not in required group(s).
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: is 
na\\guminssa a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: NO, 
na\\guminssa is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: GROUP: 
na\\guminssa not in required group(s).
[Thu Feb 
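
Added example (not part of the original post, and not code from mod_auth_sys_group or Samba): one way to triage the CHKAUTH verdict lines above, assuming the debug format shown in the post. It groups verdicts per account, with Apache's doubled backslashes undone and the name case-folded, and separates accounts that are always denied from accounts that flip between YES and NO. The function names are assumptions of this example, and the SAMPLE lines are taken from the post with the e-mail line wrapping undone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Only the YES/NO verdict lines are parsed; the "is X a member of Y?" and
# "GROUP:" lines repeat the same information. A trailing ", referer: ..."
# is ignored because the pattern is not anchored at the end of the line.
VERDICT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] CHKAUTH: "
    r"(?P<verdict>YES|NO), (?P<user>\S+) is "
    r"(?:listed amongst the|NOT a member of) (?P<group>\S+) group"
    r"(?: members| \(with (?P<size>\d+) members\))"
)

# Lines from the post, unwrapped (raw strings keep the doubled backslashes).
SAMPLE = [
    r"[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?",
    r"[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members",
    r"[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO, NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)",
    r"[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: NA\\connelmp not in required group(s).",
    r"[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130",
    r"[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: NO, na\\guminssa is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)",
]


def unescape(name):
    """Undo the backslash doubling applied by Apache's error-log escaping."""
    return name.replace("\\\\", "\\")


def canonical(name):
    """Key for grouping: unescaped and case-folded (AD names are case-insensitive)."""
    return unescape(name).casefold()


def summarise(lines):
    """Return {(user, group): stats} built from every CHKAUTH verdict line."""
    stats = defaultdict(lambda: {
        "YES": 0, "NO": 0, "spellings": set(), "clients": set(),
        "group_sizes": set(), "first": None, "last": None,
    })
    for line in lines:
        m = VERDICT_RE.match(line.strip())
        if m is None:
            continue
        entry = stats[(canonical(m["user"]), canonical(m["group"]))]
        entry[m["verdict"]] += 1
        entry["spellings"].add(unescape(m["user"]))
        entry["clients"].add(m["client"])
        if m["size"] is not None:
            entry["group_sizes"].add(int(m["size"]))
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(stats)


def classify(entry):
    """Separate steady results from accounts whose verdict changes over time."""
    if entry["YES"] and entry["NO"]:
        return "intermittent"
    return "always-allowed" if entry["YES"] else "always-denied"


def report(lines):
    """Map each (user, group) pair to its classification."""
    return {key: classify(entry) for key, entry in summarise(lines).items()}


if __name__ == "__main__":
    for (user, group), entry in sorted(summarise(SAMPLE).items()):
        print(f"{user} -> {group}: {classify(entry)} "
              f"(YES={entry['YES']} NO={entry['NO']}, "
              f"logged as {sorted(entry['spellings'])}, "
              f"{entry['first']} .. {entry['last']})")
```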

RE: [Samba] Winbind problem with more details.

2008-02-14 Thread Trimble, Ronald D
Just an FYI... this is not a local group but an AD Domain Local group.  We are 
using Domain Local groups since they can contain users from other domains.

-----Original Message-----
From: Herb Lewis [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 3:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind problem with more details.

you will notice that the SID type for the requested group is 4 which we
see from smb.h is SID_NAME_ALIAS  /* local group */


Trimble, Ronald D wrote:
> Everyone,
> One of our developers was kind enough to insert some bug
> checking into the mod_auth_pam and mod_auth_sys_group so that we could see a
> little more of what was going on with our authentication failures.  Here is
> what we just saw.  Two of our users NA\connelmp and NA\guminssa both started
> getting messages that they were not part of the required group.   Here is the
> log for you all to see...


RE: [Samba] Winbind problem with more details.

2008-02-14 Thread Trimble, Ronald D
So what does that tell me?

-----Original Message-----
From: Herb Lewis [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 3:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind problem with more details.

you will notice that the SID type for the requested group is 4 which we
see from smb.h is SID_NAME_ALIAS  /* local group */


Trimble, Ronald D wrote:
> Everyone,
> One of our developers was kind enough to insert some bug
> checking into the mod_auth_pam and mod_auth_sys_group so that we could see a
> little more of what was going on with our authentication failures.  Here is
> what we just saw.  Two of our users NA\connelmp and NA\guminssa both started
> getting messages that they were not part of the required group.   Here is the
> log for you all to see...


RE: [Samba] Winbind problem with more details.

2008-02-14 Thread Ross S. W. Walker
Trimble, Ronald D wrote:
>
> Just an FYI... this is not a local group but an AD Domain
> Local group.  We are using Domain Local groups since they can
> contain users from other domains.


Are all these users members of the same domain?

If not, do you have the 'allow trusted domains = yes' option set?

What does your idmap setup look like?


-Ross

> -----Original Message-----
> From: Herb Lewis [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 14, 2008 3:08 PM
> To: Trimble, Ronald D
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Winbind problem with more details.
>
> you will notice that the SID type for the requested group is 4 which we
> see from smb.h is SID_NAME_ALIAS  /* local group */
>
>
> Trimble, Ronald D wrote:
> > Everyone,
> > One of our developers was kind enough to
> > insert some bug checking into the mod_auth_pam and
> > mod_auth_sys_group so that we could see a little more of what
> > was going on with our authentication failures.  Here is what
> > we just saw.  Two of our users NA\connelmp and NA\guminssa
> > both started getting messages that they were not part of the
> > required group.   Here is the log for you all to see...
 

RE: [Samba] Winbind problem with more details.

2008-02-14 Thread Ross S. W. Walker
Ross S. W. Walker wrote:
> Trimble, Ronald D wrote:
> >
> > Just an FYI... this is not a local group but an AD Domain
> > Local group.  We are using Domain Local groups since they can
> > contain users from other domains.
>
>
> Are all these users members of the same domain?
>
> If not, do you have the 'allow trusted domains = yes' option set?
>
> What does your idmap setup look like?

After reading more carefully I have more questions below...

> > -----Original Message-----
> > From: Herb Lewis [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, February 14, 2008 3:08 PM
> > To: Trimble, Ronald D
> > Cc: samba@lists.samba.org
> > Subject: Re: [Samba] Winbind problem with more details.
> >
> > you will notice that the SID type for the requested group is 4 which we
> > see from smb.h is SID_NAME_ALIAS  /* local group */
> >
> >
> > Trimble, Ronald D wrote:
> > > Everyone,
> > > One of our developers was kind enough to
> > > insert some bug checking into the mod_auth_pam and
> > > mod_auth_sys_group so that we could see a little more of what
> > > was going on with our authentication failures.  Here is what
> > > we just saw.  Two of our users NA\connelmp and NA\guminssa
> > > both started getting messages that they were not part of the
> > > required group.   Here is the log for you all to see...

These users started getting messages, this means it was working
correctly for a while?

When did it stop working?

Did anything change around that time that could impact this?

> > From /var/log/apache2/error_log

Maybe /var/log/messages, or /var/log/samba/... may have more
detail as to why things aren't working.

snip lots of sid stuff

> > > Can anyone shed some light on what is going on here?  This
> > > problem has been driving me crazy for several weeks now and I
> > > could use all the help I could get.  I have a full complement
> > > of logs to go along with all the above information if anyone
> > > would be so kind as to take a look.  I can make it worth your
> > > while... I have a code for two free movie tickets on
> > > fandango.com if you can help me solve this.  Not much, but
> > > better than an email saying thanks.  :)

Try running your SID output with nscd shut down and see if that
is affecting it, otherwise I would start looking at what changed
in your environment that might have caused this.

Maybe permissions on the AD object?

The computer object representing this box has adequate rights
to query all group objects in AD?

Just throwing out some ideas here.

-Ross


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] winbind problem

2008-01-31 Thread YC
Hi everyone,

I recently bought a qnap TS-209Pro [www.qnap.com].
This embeds samba 3.0.23d. I configured it to connect to our Active
Directory, but as soon as I set winbind enum users and winbind enum groups
to yes in the /etc/smb.conf file, winbindd uses 100% of CPU. I've googled
the problem and found a lot of problems, fewer solutions... Does anybody have
a clue on this?

I have to admit, I don't really know what I could install and how I could
update the embedded OS. I tried a beta version of the official firmware,
provided by the manufacturer, but the problem is still there... Any help
appreciated.

Thanks in advance :)


[Samba] Winbind problem

2007-10-23 Thread mail
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07307
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2579
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07306
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2578
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07305
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2577
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07304
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2576
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07303
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2575
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07302
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2574
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07301
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2573
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user SFA04MMLC27$
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2572
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user SFA04MMLC28$
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2571
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user SFA04MMLC24$
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2570
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user SFA04MMLC04$
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2569



[Samba] Winbind problem

2007-10-23 Thread mail
Hello,

I have a CentOS 4.4 Linux server that is set up with Winbind with Windows
2003 AD integration. Winbind suddenly can't receive AD accounts: I can use
wbinfo -u to show AD user names, groups, etc., but getent passwd isn't pulling
across all of the domain accounts. I also had another CentOS 4.4 Linux
server running Winbind with no problem with the same 2003 AD. The following
is the Winbind.log:

[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07307
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2579
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07306
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2578
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07305
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2577
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07304
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2576
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07303
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2575
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07302
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2574
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07301
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2573
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user SFA04MMLC27$
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2572
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user SFA04MMLC28$
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2571
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user SFA04MMLC24$
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2570
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user SFA04MMLC04$


Thanks !



[Samba] Winbind Problem

2007-10-23 Thread mail
Hello,

I have a CentOS 4.4 Linux server that is set up with Winbind for Windows 2003 AD
integration. Winbind suddenly can't receive AD accounts: I can use
wbinfo -u to show AD user names, groups, etc., but getent passwd isn't pulling
across all of the domain accounts. I also had another CentOS 4.4 Linux
server running Winbind with no problem against the same 2003 AD. The following is the
winbind log:

[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07307
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2579
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07306
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2578
[2007/10/24 10:09:49, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07305
_user.c:winbindd_getpwent(566)
  could not lookup domain user sfa07301



Thanks !



Re: [Samba] Winbind problem

2007-10-05 Thread herman
I'm looking into the same kind of problem. I have found that it is
related to something on the AD Server itself. By rolling the Windows
server back a few days, things work again, without making any changes in
Linux. It seems to have something to do with the definition of Security
groups or policies in Windows, causing Winbind on Linux to blow up.


[Samba] Winbind problem

2007-10-04 Thread mail
Hello,

I have a CentOS 4.4 Linux server that is set up with Winbind for Windows 2003 AD
integration. Winbind suddenly can't receive AD accounts: I can use
wbinfo -u to show AD user names, groups, etc., but getent passwd isn't
pulling across all of the domain accounts.

Here is the winbind log:

[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2439
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC40$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2438
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC42$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2437
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC37$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2436
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC38$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2435
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC44$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2434
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)



Thx !!


Re: [Samba] Winbind problem

2007-10-04 Thread Wilkinson, Alex
On Fri, Oct 05, 2007 at 06:45:21AM +0800, mail wrote:

> I have a Centos 4.4 Linux server that setup Winbind with windows 2003AD
> integration, the winbind suddenly can't receive AD accounts, I can use
> wbinfo -u to show AD user name and group etc, but getent passwd isn't
> pulling across all of the domain accounts.

Is your idmap range large enough? Try increasing it, e.g.

idmap config dsto:range = 1-50

 -aW

IMPORTANT: This email remains the property of the Australian Defence 
Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 
1914.  If you have received this email in error, you are requested to contact 
the sender and delete the email.
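
The idmap-range question raised in the reply above can be checked against the winbind log before smb.conf is changed. The following is an added example, not part of the thread and not Samba code: it parses log text in the layout quoted in these posts, collects the distinct SIDs that received no Unix id, and compares them with the free slots of an idmap range. The sample log, the range `10000-10001` and the `allocated` count are constructed assumptions.

```python
import re

# Constructed sample in the layout of the winbind log excerpts quoted in this
# thread (SIDs and account names are made up). The fifth record has its
# source location wrapped onto the next line, as some excerpts on this page do.
SAMPLE_LOG = """\
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1111111111-2222222222-3333333333-2439
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user EXAMPLEPC40$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1111111111-2222222222-3333333333-2438
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
  could not lookup domain user exampleuser01
[2007/10/04 23:31:08, 1] 
nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1111111111-2222222222-3333333333-2438
[2007/10/04 23:31:09, 3] nsswitch/winbindd_user.c:winbindd_list_users(734)
  [0]: list users
"""

HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*(?P<rest>.*)$"
)
LOCATION = re.compile(r"^(?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)$")
SID_FAIL = re.compile(r"error getting user id for sid (S-1-[0-9-]+)")
USER_FAIL = re.compile(r"could not lookup domain user (\S+)")


def parse_winbind_log(text):
    """Split log text into records: timestamp, debug level, function, message."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = HEADER.match(line)
        if header:
            current = {"ts": header["ts"], "level": int(header["level"]),
                       "func": None, "msg": []}
            records.append(current)
            line = header["rest"].strip()
            if not line:          # location wrapped onto the following line
                continue
        if current is None:       # text before the first header: ignore
            continue
        if current["func"] is None:
            location = LOCATION.match(line.strip())
            if location:
                current["func"] = location["func"]
                continue
        if line.strip():
            current["msg"].append(line.strip())
    for record in records:
        record["msg"] = " ".join(record["msg"])
    return records


def idmap_failures(records):
    """Return (sids, users): distinct unmapped SIDs and failed names, in log order."""
    sids, users = [], []
    for record in records:
        sid = SID_FAIL.search(record["msg"])
        if sid and sid.group(1) not in sids:
            sids.append(sid.group(1))
        user = USER_FAIL.search(record["msg"])
        if user and user.group(1) not in users:
            users.append(user.group(1))
    return sids, users


def range_capacity(range_value):
    """Number of ids in an inclusive 'low-high' idmap range string."""
    low, high = (int(part) for part in range_value.split("-"))
    if low > high:
        raise ValueError("idmap range low bound exceeds high bound")
    return high - low + 1


def check_range(range_value, allocated, sids):
    """Compare unmapped SIDs with the free ids left in the range.

    'allocated' is the number of ids already handed out; the operator has to
    supply it (assumption of this example).
    """
    capacity = range_capacity(range_value)
    free = max(capacity - allocated, 0)
    return {"capacity": capacity, "free": free, "unmapped": len(sids),
            "shortfall": max(len(sids) - free, 0)}


def summarize(text, range_value, allocated):
    sids, users = idmap_failures(parse_winbind_log(text))
    result = check_range(range_value, allocated, sids)
    # Names ending in '$' are machine accounts; they need ids like any user.
    result["machine_accounts"] = [u for u in users if u.endswith("$")]
    result["user_accounts"] = [u for u in users if not u.endswith("$")]
    return result


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "10000-10001", allocated=1).items():
        print(f"{key}: {value}")
```

A non-zero `shortfall` means the range cannot hold every SID the log shows failing, which is the condition the reply asks about.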




Re: [Samba] winbind problem, have workaround but...

2007-08-23 Thread fred . samba


I found what may be the key to this whole thing.  our domain
administrators decided to throw a switch in Group policy that limited
communication to ntlmv2 only.  we've had a whole lot of admins
scratching their heads as to how to fix it.  I think I have it squared
away now.

the fix was to add client ntlmv2 auth = yes, and host msdfs = no
in the globals. rename the secrets.tdb file and rejoin to the domain.  i'm
not sure what happened in the guts of samba to make it act like it did.
but there we are.


thanks for the help

> Greetings list,
>
> I have a member server in a w2k3 AD domain that has been happily spinning
> for a couple of years. As of yesterday morning, we've been having some
> issues with it.  I've had it configured correctly, and haven't touched it.
> I'll provide the configs if needed.
>
> I've kept it updated as time's gone on for security updates etc..
>
> the wonkiness seems to rear its head when winbindd gets restarted.  In the
> log.winbindd file I get a tremendous amount of these
>
> 2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
> [2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
> [2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
> [2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
>
> but they stop as soon as I issue
>
> # net ads changetrustpw
>
> then it seems to connect and all is well until winbind gets restarted.
>
> I was following a lot of logs at lev3 yesterday, and some users were able
> to authenticate, on one machine but not on others..etc.. it was all very
> wonky until I did the net ads changetrustpw
>
> I can provide any information needed.  I'm running mandriva corp server 3
> with samba 3.014a. patched up to (CVE-2007-2444) (I think that's post
> 3.023d)
>
> I'm perplexed, and not sure what the proper permanent fix for it is.  I'm
> thinking about removing it from the domain, and re-joining it, but I'm not
> sure what precisely is needed.  (what files to delete, which ones to copy
> off etc..)  I don't want to lose the winbindd_idmap.tdb or anything
> important.  (I do back these up...)
>
> any help would be greatly appreciated.
>
> Kindest regards,
> Fred dussault




[Samba] winbind problem, have workaround but...

2007-08-22 Thread fred . samba
Greetings list,

I have a member server in a w2k3 AD domain that has been happily spinning
for a couple of years. As of yesterday morning, we've been having some
issues with it.  I've had it configured correctly, and haven't touched it.
 I'll provide the configs if needed.

I've kept it updated as time's gone on for security updates etc..

the wonkiness seems to rear its head when winbindd gets restarted.  In the
log.winbindd file I get a tremendous amount of these

2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
  Could not initialise \PIPE\NETLOGON
[2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
  Could not initialise \PIPE\NETLOGON
[2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
  Could not initialise \PIPE\NETLOGON
[2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
  Could not initialise \PIPE\NETLOGON

but they stop as soon as I issue

# net ads changetrustpw

then it seems to connect and all is well until winbind gets restarted.

I was following a lot of logs at lev3 yesterday, and some users were able
to authenticate, on one machine but not on others..etc.. it was all very
wonky until I did the net ads changetrustpw

I can provide any information needed.  I'm running mandriva corp server 3
with samba 3.014a. patched up to (CVE-2007-2444) (I think that's post
3.023d)

I'm perplexed, and not sure what the proper permanent fix for it is.  I'm
thinking about removing it from the domain, and re-joining it, but I'm not
sure what precisely is needed.  (what files to delete, which ones to copy
off etc..)  I don't want to lose the winbindd_idmap.tdb or anything
important.  (I do back these up...)

any help would be greatly appreciated.

Kindest regards,
Fred dussault


[Samba] winbind problem

2007-06-13 Thread Gregorics Tamás

Hi!

I'm not sure if this is the right place for winbind related questions, 
but i did not find any WB related mailing lists.


I have a minor problem with my winbind setup. I'm using winbind+samba to
authenticate users from my win2k3 PDC, and everything works fine. The only
problem is, whenever a local user logs in (or cron uses it) to my linux
system I get these entries in my error log:


Jun 12 20:00:01 debian pam_winbind[14597]: internal module error (retval = 3, user = `root')
Jun 12 20:00:01 debian pam_winbind[14598]: internal module error (retval = 3, user = `mcd')
Jun 12 20:02:01 debian pam_winbind[14612]: internal module error (retval = 3, user = `logcheck')
Jun 12 20:02:03 debian pam_winbind[14612]: internal module error (retval = 3, user = `amavis')


Jun 13 08:28:41 debian pam_winbind[300]: request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER

Jun 13 08:28:41 debian pam_winbind[300]: request failed, but PAM error 0!


I know this happens because in my pam configuration pam_winbind is in front
of pam_unix, but is there a way to eliminate these entries? (I guess if
I replace the order, pam_unix will be the one creating the same lines for
my windows users logging in to the pop3 server)


Thanks


Re: [Samba] winbind problem

2007-06-13 Thread Gerald (Jerry) Carter

Gregorics Tamás wrote:

> I know this happens because in my pam configuration pam_winbind is front
> of pam_unix, but is there a way to eliminate these entries? (i guess if
> i replace the order pam_unix will be the one creating the same lines for
> my windows users logging in to pop3 server)

You should be able to add the unknown_ok option to ignore
these users IIRC.






jerry


[Samba] Winbind problem

2007-03-15 Thread mail
Hello,
  I can use wbinfo -u or wbinfo -g to see all AD accounts, and getent
group or getent passwd can also see all AD accounts, but after adding
one new user in AD, I can use wbinfo -u to see this user, but getent
passwd cannot.

Thanks



--
By linking web mail system





[Samba] Winbind Problem after Update from 3.0.21b - 3.0.23b

2006-08-25 Thread Thomas Robers
Hi,

we're using Winbind on a Solaris 9 machine to authenticate our Users, who
are held in a Windows 2003SP1 AD. We are now using Samba 3.0.21b and everything
works as expected. I configured the nsswitch and installed libnss_winbind.so
and pam_winbind.so as described in the documentation and winbind is able
to resolve the AD users and groups and the users are able to login to the
system.

All Samba versions I tried are compiled from source with GCC version 3.2.2
from sunfreeware.com.
They are all configured as follows:

./configure   --prefix=$PREFIX \
  --bindir=$PREFIX/bin \
  --sbindir=$PREFIX/sbin \
  --libexecdir=$PREFIX/libexec \
  --datadir=/var/samba \
  --sysconfdir=/etc/samba \
  --sharedstatedir=/var/samba \
  --localstatedir=/var/samba \
  --libdir=/opt/samba/lib \
  --enable-shared=yes \
  --with-privatedir=/var/samba \
  --with-lockdir=/var/lock/samba \
  --with-piddir=/var/lock/samba \
  --with-configdir=/etc/samba \
  --with-logfilebase=/var/log/samba \
  --with-libdir=/opt/samba/lib \
  --with-readline=/usr/local/lib \
  --with-libiconv=/usr/local \
  --with-krb5=/opt/mit-krb5 \
  --with-automount=yes \
  --with-pam=yes \
  --with-ads=yes \
  --with-acl-support=yes \
  --with-pam=yes \
  --with-pam_smbpass=yes \
  --with-included-popt \
  --with-winbind=yes

After compiling I copied libnss_winbind.so to /lib and
made some symbolic links to:

libnss_winbind.so.1 -> libnss_winbind.so
libnss_winbind.so.2 -> libnss_winbind.so
nss_winbind.so.1 -> libnss_winbind.so
nss_winbind.so.2 -> libnss_winbind.so

I also copied pam_winbind.so to /lib/security. And that worked until
version 3.0.22 (which I tried also). Since Version 3.0.23 it doesn't work
anymore and winbind isn't able to get the users/groups from our Windows 2003SP1 AD.
When I do a wbinfo -u I get "Error looking up domain users" and the winbind logfile
tells me:

[2006/08/21 17:28:46, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 18
[2006/08/21 17:28:46, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn INTERFACE_VERSION
[2006/08/21 17:28:46, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(474)
  [0]: request interface version
[2006/08/21 17:28:46, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/08/21 17:28:46, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(507)
  [0]: request location of privileged pipe
[2006/08/21 17:28:46, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 19
[2006/08/21 17:28:46, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn LIST_USERS
[2006/08/21 17:28:46, 3] nsswitch/winbindd_user.c:winbindd_list_users(734)
  [0]: list users
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(399)
  refresh_sequence_number: WK time ok
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(427)
  refresh_sequence_number: WK seq number is now -1
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:wcache_server_down(297)
  wcache_server_down: server for Domain WK down
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:centry_expired(469)
  centry_expired: Key UL/TV for domain WK is good.
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:wcache_fetch(556)
  wcache_fetch: returning entry UL/TV for domain WK
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:query_user_list(958)
  query_user_list: [Cached] - cached list for domain WK status: NT_STATUS_UNSUCCESSFUL

which does not really help me to find the problem.

The /etc/samba/smb.conf file looks like:

[global]
workgroup = WK
realm = WK.DOMAIN.DE
security = ADS
winbind separator = \
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/sh
password server = passwd.domain.de
#   display charset = ISO8859-15
#   unix charset = ISO8859-15
winbind use default domain = yes
log file = /var/log/samba/log.%m
log level = winbind:15
#   client use spnego = yes
#   client schannel = no


If I switch back to version 3.0.21b or even 3.0.22 with the same configuration
everything's OK immediately and the nsswitch works as it should; winbind is able
to lookup the AD users and groups and the users are able to login to the system.

I searched the archives but couldn't find anybody with a similar problem when
upgrading. And the changelog doesn't tell me anything that I 

[Samba] Winbind Problem after Update from 3.0.21b - 3.0.23b

2006-08-22 Thread Thomas Robers
Hi all,

we're using Winbind on a Solaris 9 machine to authenticate our Users, who
are held in a Windows 2003SP1 AD. We are now using Samba 3.0.21b and everything
works as expected. I configured the nsswitch and installed libnss_winbind.so
and pam_winbind.so as described in the documentation and winbind is able
to resolve the AD users and groups and the users are able to login to the
system.

All Samba versions I tried are compiled from source with GCC version 3.2.2
from sunfreeware.com.
They are all configured as follows:

./configure   --prefix=$PREFIX \
  --bindir=$PREFIX/bin \
  --sbindir=$PREFIX/sbin \
  --libexecdir=$PREFIX/libexec \
  --datadir=/var/samba \
  --sysconfdir=/etc/samba \
  --sharedstatedir=/var/samba \
  --localstatedir=/var/samba \
  --libdir=/opt/samba/lib \
  --enable-shared=yes \
  --with-privatedir=/var/samba \
  --with-lockdir=/var/lock/samba \
  --with-piddir=/var/lock/samba \
  --with-configdir=/etc/samba \
  --with-logfilebase=/var/log/samba \
  --with-libdir=/opt/samba/lib \
  --with-readline=/usr/local/lib \
  --with-libiconv=/usr/local \
  --with-krb5=/opt/mit-krb5 \
  --with-automount=yes \
  --with-pam=yes \
  --with-ads=yes \
  --with-acl-support=yes \
  --with-pam=yes \
  --with-pam_smbpass=yes \
  --with-included-popt \
  --with-winbind=yes

After compiling I copied libnss_winbind.so to /lib and
made some symbolic links to:

libnss_winbind.so.1 -> libnss_winbind.so
libnss_winbind.so.2 -> libnss_winbind.so
nss_winbind.so.1 -> libnss_winbind.so
nss_winbind.so.2 -> libnss_winbind.so

I also copied pam_winbind.so to /lib/security. And that worked until
version 3.0.22 (which I tried also). Since Version 3.0.23 it doesn't work
anymore and winbind isn't able to get the users/groups from our Windows 2003SP1 AD.
When I do a wbinfo -u I get "Error looking up domain users" and the winbind logfile
tells me:

[2006/08/21 17:28:46, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 18
[2006/08/21 17:28:46, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn INTERFACE_VERSION
[2006/08/21 17:28:46, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(474)
  [0]: request interface version
[2006/08/21 17:28:46, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/08/21 17:28:46, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(507)
  [0]: request location of privileged pipe
[2006/08/21 17:28:46, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 19
[2006/08/21 17:28:46, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn LIST_USERS
[2006/08/21 17:28:46, 3] nsswitch/winbindd_user.c:winbindd_list_users(734)
  [0]: list users
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(399)
  refresh_sequence_number: WK time ok
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(427)
  refresh_sequence_number: WK seq number is now -1
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:wcache_server_down(297)
  wcache_server_down: server for Domain WK down
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:centry_expired(469)
  centry_expired: Key UL/TV for domain WK is good.
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:wcache_fetch(556)
  wcache_fetch: returning entry UL/TV for domain WK
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:query_user_list(958)
  query_user_list: [Cached] - cached list for domain WK status: NT_STATUS_UNSUCCESSFUL

which does not really help me to find the problem.

The /etc/samba/smb.conf file looks like:

[global]
workgroup = WK
realm = WK.DOMAIN.DE
security = ADS
winbind separator = \
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/sh
password server = passwd.domain.de
#   display charset = ISO8859-15
#   unix charset = ISO8859-15
winbind use default domain = yes
log file = /var/log/samba/log.%m
log level = winbind:15
#   client use spnego = yes
#   client schannel = no


If I switch back to version 3.0.21b or even 3.0.22 with the same configuration
everything's OK immediately and the nsswitch works as it should; winbind is able
to lookup the AD users and groups and the users are able to login to the system.

I searched the archives but couldn't find anybody with a similar problem when
upgrading. And the changelog doesn't tell me anything 

[Samba] Winbind problem w/ ADS domain local group and other-domain members

2006-02-13 Thread Don Meyer
This one is probably going off into the esoteric side of things, but 
Samba/winbind doesn't seem to be working quite as expected in one 
particular area -- domain local groups having members from other 
trusted domains.   I've searched extensively (google and 
elsewhere...), and have found little/no mention of this particular 
problem:  domain local group members from other trusted domains are 
not showing up in group lists as enumerated via winbind.   Yet group 
members from the same domain as the domain local group are 
enumerated/listed properly.



In a rather complex ADS arrangement (described below), I have several
RHEL4 systems with Samba/Winbind installed and
configured.  Everything appears to be working properly thus far:
users & groups from the default domain are properly enumerated and
resource permissions are mapping correctly.  Users and groups from
2-way trusted domains are also enumerated.   (This was evaluated with
wbinfo -u|g & getent passwd|group.)


The domain structure & relationships are a bit hairy though, and need
to be spelled out:

Three independent ADS domains in separate forests: A, B, C
A & B have an established 2-way trust.
A has a 1-way trust: trusting C
There is also a single NT4 domain: Z
A & Z have an established 2-way trust.

For simplicity, we will only deal with A & B here.  The RHEL4
systems are member servers in domain A.  This is tested under Samba
versions 3.0.10-1.4E2 & 3.0.21b-3.


I can see groups from domain B just fine in the output, and their 
membership of users from domain B -- these should be the 
global|universal groups from domain B.


Also, both A\g-wiz and B\j-bogus show up properly in output from:
wbinfo -u
getent passwd


The PROBLEM:

There are domain local groups defined in A that have members from 
these other domains.   (E.g. domain local group A\dl_grp is defined 
on the Win2K3 DCs as consisting of two users: A\g-wiz and B\j-bogus.)


On the linux systems, the command:
getent group
  shows a group membership for A\dl_grp of only one user: 
A\g-wiz.



Now, when I run the command:
net rpc group members dl_grp -S A -U:A\\admin%passwd

I receive the full and proper list of users:
A\g-wiz
B\j-bogus


Furthermore, testing user account group membership:
net ads user info g-wiz -S A -U:admin%passwd
   yields the single response:
dl_grp

net ads user info A\\g-wiz -S A -U:admin%passwd
   yields an empty list.

net ads user info B\\j-bogus -S A -U:admin%passwd
   yields an empty list.


Now, to get more interesting:
net rpc user info g-wiz -S A -U:admin%passwd
   yields the more complete response:
dl_grp
Domain Users

**NOTE the difference between ads & rpc methods...**

As above with ads, both of the following commands:
net rpc user info A\\g-wiz -S A -U:admin%passwd
net rpc user info B\\j-bogus -S A -U:admin%passwd
   ... still yield an empty list.



When I test group membership from a Windows-based member server, we
get the proper list of both A\g-wiz & B\j-bogus.


I have tested these scenarios under both versions of Samba mentioned
above, as well as with the option winbind use default domain both
yes & no.   I've tested independently with the winbind separator
set to \\ and to /.   Results were identical under all variations tested.



My suspicion is that winbind is somehow limiting its enumeration of
group membership to users from the same domain to which the group
belongs.  I believe this to be incorrect behavior, given that a
windows server reports the full list, and that at least one command
on the linux system can properly obtain the full list from the W2K3
DCs.   (That said, I remain open to the thought that it might be a
misconfiguration on my part - despite the apparent normal operation
of all other aspects on the linux/samba system.)


I am more than willing to work in- or out-of-band to try to narrow 
down the problem/answer questions/test patches/etc.






smb.conf (testparm output) follows:

[global]
workgroup = ACES
realm = COLLEGE.ACESNET.UIUC.EDU
netbios name = X-ACES-LBE-2
server string = %L (Samba v%v)
security = ADS
password server = college.acesnet.uiuc.edu
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = host lmhosts wins bcast
deadtime = 15
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
wins server = 128.###.#.#0, 128.###.#.#1
idmap uid = 1-1
idmap gid = 1-1
template homedir = /home/gaol
winbind separator = \
winbind 

[Samba] winbind problem?

2005-12-23 Thread Coroian, Adrian
Hello list,

 

I have recently updated SAMBA with samba 3.0.20a RPM on suse 9.1 because
I needed to add it to a windows 2003 domain. I was able to join the
machine to the domain and to setup smb.conf to where I can map files
with domain users and domain groups.

The problem I am having is connecting to the server. When I try to go to
\\server I get prompted for username and password.
Looking at the winbind log I see that there are two errors:

[2005/12/23 11:35:40, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1533)
  Retrieving response for pid 16177
[2005/12/23 11:35:40, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1533)
  Retrieving response for pid 16177
[2005/12/23 11:35:40, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1555)
  Retrieving extra data length=224
[2005/12/23 11:35:40, 10] nsswitch/winbindd_cache.c:cache_store_request_data(1586)
  Storing request key mch5UA-cih7glLzY
[2005/12/23 11:35:40, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1533)
  Retrieving response for pid 16177
[2005/12/23 11:35:20, 5] nsswitch/winbindd_async.c:getsidaliases_recv(774)
  getsidaliases returned an error
[2005/12/23 11:35:20, 10] nsswitch/winbindd_async.c:gettoken_recvaliases(1023)
  Could not receive domain local groups

I don't know why this is happening or how to fix it.

Please Help

Thank you

Adrian Coroian



Re: [Samba] Winbind problem (Trusting domains)

2005-12-17 Thread Vijay Avarachen
I cannot comment on idmap_rid approach because I am currently using
idmap_ldap.   I have had a wonderful experience with this setup.  Also on
all the clients I am running nscd and I have had no troubles.

If nscd ever gives you trouble all you have to do is invalidate the cache in
question.  Rather than shutting down nscd you can simply do nscd -i passwd
to flush the users cache.

I must warn you that the idmap_ldap setup is horribly unstable on RHEL3.x
and CentOS 3.x.  Winbind dies periodically.  However on CentOS4/RHEL4 and SLEL 9.3 it
is very stable.  I am also running Gentoo clients and it is very stable on
that too.

By the way initially I did all my testing without nscd.  I only started to
use nscd when I noticed the increased load on ldap server and slow response.

On 12/16/05, Simo Sorce [EMAIL PROTECTED] wrote:

 On Fri, 2005-12-16 at 12:33 +0100, Michael Gasch wrote:
  it has always been mentioned, that idmap_rid is the better backend in
  large organizations

 Sorry ?

 I do not think idmap_rid is good for v. large organization.
 Probably the best bet is idmap_ldap.

 Nscd is ok as long as you know its downsides. For example on the PDC it
 is necessary to shut it down while adding or modifying users, and it may
 be a problem on member servers as it caches both positive _and_ negative
 lookups.

 Simo.

 --
 Simo Sorce-  [EMAIL PROTECTED]
 Samba Team-  http://www.samba.org
 Italian Site  -  http://samba.xsec.it





--
Knowledge is the only wealth that grows as you spend it, and diminishes as
you save it.
-- ancient Sanskrit saying


Re: [Samba] Winbind problem (Trusting domains)

2005-12-16 Thread Michael Gasch
it has always been mentioned, that idmap_rid is the better backend in 
large organizations


greez

Adrian Chow wrote:

Hi,

are you telling me to install nscd and it will solve my problem?  Also i 
read somewhere in the samba website that you should not run nscd with 
winbind.  Is that true?  If it is, what are some ways of improving the 
performance of winbind and how can I make it scale?


Thanks for your replies.

adrian

Vijay Avarachen wrote:

I am not sure if this will help but I was getting strange errors and 
often dead winbinds due to the large amount of users and groups.  I 
have had great success with setting up OpenLDAP for idmap backend.  
Now all my Linux machines are authenticating users and I also use nscd 
to speed things up and ease the load on OpenLDAP.


On 12/14/05, Adrian Chow [EMAIL PROTECTED] wrote:

HI all,

I have install 2 domains both on linux servers running debian samba
3.0.20b-2+b1.  (Latest)

I have both domains trusting each other.

Domain A have 300 users and the other domain B have 3000 users.  I have
winbind on the nsswitch.conf for both PDCs.

I have not errors running wbinfo -u, or wbinfo -g except when I run it
on Domain A PDC.  Domain users group which all 3000 users are at failed
to show up at the output.  The rest of the domain groups are displayed.

Looking in the winbindd log:- (Domain B PDC = BAUGLIR; Domain B=UWCSTU)

[2005/12/14 18:36:42, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539)
  rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539)
  rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 3] nsswitch/winbindd_cm.c:connection_ok(819)
  Connection to BAUGLIR for domain UWCSTU has died or was never started (fd == -1)
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \samr to machine BAUGLIR.  Error was Call timed out: server did not respond after 1 milliseconds

Can anyone know who to cache winbind well or increase the pagesize?  I
guess the timeout is because of the 3000 entries.

Regards,

adrian





--
Knowledge is the only wealth that grows as you spend it, and 
diminishes as you save it.

-- ancient Sanskrit saying






--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137


Re: [Samba] Winbind problem (Trusting domains)

2005-12-16 Thread Simo Sorce
On Fri, 2005-12-16 at 12:33 +0100, Michael Gasch wrote:
 it has always been mentioned, that idmap_rid is the better backend in 
 large organizations

Sorry ?

I do not think idmap_rid is good for v. large organization.
Probably the best bet is idmap_ldap.

Nscd is ok as long as you know its downsides. For example on the PDC it
is necessary to shut it down while adding or modifying users, and it may
be a problem on member servers as it caches both positive _and_ negative
lookups.

Simo.

-- 
Simo Sorce-  [EMAIL PROTECTED]
Samba Team-  http://www.samba.org
Italian Site  -  http://samba.xsec.it



[Samba] Winbind problem (Trusting domains)

2005-12-14 Thread Adrian Chow

HI all,

I have install 2 domains both on linux servers running debian samba 
3.0.20b-2+b1.  (Latest)


I have both domains trusting each other.

Domain A have 300 users and the other domain B have 3000 users.  I have 
winbind on the nsswitch.conf for both PDCs.


I have not errors running wbinfo -u, or wbinfo -g except when I run it 
on Domain A PDC.  Domain users group which all 3000 users are at failed 
to show up at the output.  The rest of the domain groups are displayed.


Looking in the winbindd log:- (Domain B PDC = BAUGLIR; Domain B=UWCSTU)

[2005/12/14 18:36:42, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539)
  rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539)
  rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 3] nsswitch/winbindd_cm.c:connection_ok(819)
  Connection to BAUGLIR for domain UWCSTU has died or was never started (fd == -1)
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \samr to machine BAUGLIR.  Error was Call timed out: server did not respond after 1 milliseconds




Can anyone know who to cache winbind well or increase the pagesize?  I 
guess the timeout is because of the 3000 entries.


Regards,

adrian



Re: [Samba] Winbind problem (Trusting domains)

2005-12-14 Thread Adrian Chow

Hi,

are you telling me to install nscd and it will solve my problem?  Also i 
read somewhere in the samba website that you should not run nscd with 
winbind.  Is that true?  If it is, what are some ways of improving the 
performance of winbind and how can I make it scale?


Thanks for your replies.

adrian

Vijay Avarachen wrote:
I am not sure if this will help but I was getting strange errors and 
often dead winbinds due to the large amount of users and groups.  I have 
had great success with setting up OpenLDAP for idmap backend.  Now all 
my Linux machines are authenticating users and I also use nscd to speed 
things up and ease the load on OpenLDAP. 



On 12/14/05, Adrian Chow [EMAIL PROTECTED] wrote:


HI all,

I have install 2 domains both on linux servers running debian samba
3.0.20b-2+b1.  (Latest)

I have both domains trusting each other.

Domain A have 300 users and the other domain B have 3000 users.  I have
winbind on the nsswitch.conf for both PDCs.

I have not errors running wbinfo -u, or wbinfo -g except when I run it
on Domain A PDC.  Domain users group which all 3000 users are at failed
to show up at the output.  The rest of the domain groups are displayed.

Looking in the winbindd log:- (Domain B PDC = BAUGLIR; Domain B=UWCSTU)

[2005/12/14 18:36:42, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539)
  rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539)
  rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 3] nsswitch/winbindd_cm.c:connection_ok(819)
  Connection to BAUGLIR for domain UWCSTU has died or was never started (fd == -1)
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \samr to machine BAUGLIR.  Error was Call timed out: server did not respond after 1 milliseconds



Can anyone know who to cache winbind well or increase the pagesize?  I
guess the timeout is because of the 3000 entries.

Regards,

adrian





--
Knowledge is the only wealth that grows as you spend it, and diminishes 
as you save it.

-- ancient Sanskrit saying




[Samba] winbind problem

2005-11-07 Thread johnh
The problem is actually with winbind, as the following produces identical 
results:

1) /usr/local/samba/bin/wbinfo -a mydomain\\myname%myrealpassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

2) /usr/local/samba/bin/wbinfo -a mydomain\\myname%aboguspassword
plaintext password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc06a)
error messsage was: Wrong Password
Could not authenticate user mydomain\myname%aboguspassword with plaintext 
password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: Access denied
Could not authenticate user mydomain\myname with challenge/response

3) /usr/local/samba/bin/wbinfo -a mydomain\\myname%myrealpassword
plaintext password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc06a)
error messsage was: Wrong Password
Could not authenticate user mydomain\myname%aboguspassword with plaintext 
password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: Access denied
Could not authenticate user mydomain\myname with challenge/response

4)  /usr/local/samba/bin/wbinfo -t
checking the trust secret via RPC calls succeeded

5) /usr/local/samba/bin/wbinfo -a mydomain\\myname%myrealpassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

John E.P. Hynes
System Administrator
Prime, Buchholz  Associates, Inc.
25 Chestnut Street
Portsmouth, NH 03801
Phone: (603) 433-1143 x1193
Fax: (603) 433-8661
E-Mail: [EMAIL PROTECTED]


Re: [Samba] Winbind problem - 3.0.20a and NT4 domain

2005-10-13 Thread Gerald (Jerry) Carter


[EMAIL PROTECTED] wrote:

| We are using 3.0.20a on SLES 9 and are trying to configure
| a member server for our NT4 domain. The wbinfo commands
| (-u and -g) show correct  information. The getent
| commands (passwd and group) work fine also. If Samba is
| running without winbind, I can see the shares in the
| config file (net view \\) from a PC. With winbind
| running I get an error message about the computer name
| being in an invalid format.  Below is a portion of
| the log.winbind during the net view \\xxx:
|
...
| check_ntlm_password:  Authentication for user [bdehn]
|  - [bdehn] FAILED with error NT_STATUS_INVALID_COMPUTER_NAME
|
| Any help would be greatly appreciated

That error is being returned from the DC as far as I
can tell. The error log you posted is from smbd.  Have
you looked at log.winbindd?







cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
There's an anonymous coward in all of us.   --anonymous


Re: [Samba] Winbind problem - 3.0.20a and NT4 domain

2005-10-13 Thread bdehn
Jerry,

Thank you for taking the time to respond and for everything you do for 
Samba!

After banging my head on the wall for several days I wiped out the Linux 
system and started over. I setup the system like I had before and 
continued to have the same problem. After looking at the logs from the 
first attempt again (and again and again) there was a clue about PAM 
being the problem. I have to admit that I didn't fully understand how PAM 
interacted with winbind and how CRUCIAL its configuration was in the 
authentication process (even for enumerating shares). I pored over The 
Official Samba-3 HOWTO and Reference Guide (again) and followed its lead 
to PAM configuration. I thought that I had done the same with the original 
configuration but apparently not. After my changes to PAM, miraculously 
things are working :O). 

Bob Dehn


Gerald (Jerry) Carter [EMAIL PROTECTED] wrote on 10/13/2005 08:49:15 AM:

 
 [EMAIL PROTECTED] wrote:
 
 | We are using 3.0.20a on SLES 9 and are trying to configure
 | a member server for our NT4 domain. The wbinfo commands
 | (-u and -g) show correct  information. The getent
 | commands (passwd and group) work fine also. If Samba is
 | running without winbind, I can see the shares in the
 | config file (net view \\) from a PC. With winbind
 | running I get an error message about the computer name
 | being in an invalid format.  Below is a portion of
 | the log.winbind during the net view \\xxx:
 |
 ...
 | check_ntlm_password:  Authentication for user [bdehn]
 |  - [bdehn] FAILED with error NT_STATUS_INVALID_COMPUTER_NAME
 |
 | Any help would be greatly appreciated
 
 That error is being returned from the DC as far as I
 can tell. The error log you posted is from smbd.  Have
 you looked at log.winbindd?
 
 
 
 
 
 
 
 cheers, jerry
 =
 Alleviating the pain of Windows(tm)  --- http://www.samba.org
 GnuPG Key- http://www.plainjoe.org/gpg_public.asc
 There's an anonymous coward in all of us.   --anonymous

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
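
An added example, not part of any post in this archive: a small Python parser for the Samba 3.x debug-log layout quoted in the trusting-domains and NT4-domain threads above. It re-joins entries whose source location or message text was wrapped by a mail client, then extracts authentication failures and the winbindd failure messages those threads show. The sample log is constructed, and the names alice, EXAMPLE, WS01 and DC1 are placeholders.

```python
import re
from collections import Counter

# "[YYYY/MM/DD HH:MM:SS, level]" optionally followed by the source location.
# Mail clients often push the location onto the next line, so it is matched
# on its own as well.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)$")

# smbd writes "[user] -> [mapped]"; list archives often strip the ">".
AUTH_FAIL = re.compile(
    r"Authentication for user \[([^\]]*)\]\s*-+>?\s*\[([^\]]*)\]\s+"
    r"FAILED with error (NT_STATUS_\w+)")

# Failure messages of the kind quoted in the threads above.
SIGNALS = {
    "rpc_timeout": re.compile(r"Call timed out"),
    "dc_connection_lost": re.compile(r"has died or was never started"),
    "client_limit": re.compile(r"Exceeding \d+ client connections"),
    "daemon_crash": re.compile(r"INTERNAL ERROR: Signal \d+"),
}


def parse_entries(text):
    """Return one dict per log entry, with wrapped lines re-joined."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group(1), "level": int(m.group(2)),
                   "source": None, "func": None, "line": None, "parts": []}
            entries.append(cur)
            line = m.group(3).strip()   # location, if it shared the header line
        if cur is None or not line:
            continue                    # preamble or blank (double-spaced mail)
        loc = LOCATION.match(line)
        if loc and cur["source"] is None and not cur["parts"]:
            cur["source"], cur["func"] = loc.group(1), loc.group(2)
            cur["line"] = int(loc.group(3))
        else:
            cur["parts"].append(line)
    for e in entries:
        # Collapse the wrap points and the double spaces Samba emits.
        e["message"] = " ".join(" ".join(e.pop("parts")).split())
    return entries


def summarize(text):
    """Collect authentication failures and count known failure signals."""
    auth_failures, signals = [], Counter()
    for e in parse_entries(text):
        m = AUTH_FAIL.search(e["message"])
        if m:
            auth_failures.append((e["ts"], m.group(1), m.group(3)))
        for name, rx in SIGNALS.items():
            if rx.search(e["message"]):
                signals[name] += 1
    return {"auth_failures": auth_failures, "signals": dict(signals)}


# Constructed sample in the same layout, including mail-wrapped lines.
SAMPLE = """\
[2005/10/06 17:08:41, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[alice] domain=[EXAMPLE] workstation=[WS01] len1=24 len2=24
[2005/10/06 17:08:41, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED
with error NT_STATUS_INVALID_COMPUTER_NAME
[2005/12/14 18:36:52, 0]
rpc_client/cli_pipe.c:rpc_api_pipe(438)
  cli_pipe: return critical error. Error was Call timed out: server did
not respond after 10000 milliseconds
[2005/12/14 18:36:52, 3] nsswitch/winbindd_cm.c:connection_ok(819)
  Connection to DC1 for domain EXAMPLE has died or was never started
(fd == -1)
[2005/09/02 13:53:10, 0]
nsswitch/winbindd.c:process_loop(803)
  winbindd: Exceeding 200 client connections, no idle
connection found
[2005/10/06 17:08:42, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [alice] - [alice] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for ts, user, status in report["auth_failures"]:
        print(f"{ts} auth failure user={user} status={status}")
    for name, count in sorted(report["signals"].items()):
        print(f"{name}: {count}")
```

Only the Samba 3.x `file.c:function(line)` location form is recognised; a location in any other layout stays in the message text.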


[Samba] Winbind problem - 3.0.20a and NT4 domain

2005-10-06 Thread bdehn
All -

We are using 3.0.20a on SLES 9 and are trying to configure a member server 
for our NT4 domain. The wbinfo commands (-u and -g) show correct 
information. The getent commands (passwd and group) work fine also. If 
Samba is running without winbind, I can see the shares in the config file 
(net view \\) from a PC. With winbind running I get an error 
message about the computer name being in an invalid format.  Below is a 
portion of the log.winbind during the net view \\xxx:

[2005/10/06 17:08:41, 3] smbd/oplock.c:init_oplocks(1380)
  open_oplock_ipc: opening loopback UDP socket.
[2005/10/06 17:08:41, 3] 
smbd/oplock_linux.c:linux_init_kernel_oplocks(309)
  Linux kernel oplocks enabled
[2005/10/06 17:08:41, 3] smbd/oplock.c:init_oplocks(1411)
  open_oplock ipc: pid = 30366, global_oplock_port = 32788
[2005/10/06 17:08:41, 3] smbd/process.c:process_smb(1114)
  Transaction 0 of length 137
[2005/10/06 17:08:41, 3] smbd/process.c:switch_message(900)
  switch message SMBnegprot (pid 30366) conn 0x0
[2005/10/06 17:08:41, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/10/06 17:08:41, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2005/10/06 17:08:41, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [LANMAN1.0]
[2005/10/06 17:08:41, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [Windows for Workgroups 3.1a]
[2005/10/06 17:08:41, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [LM1.2X002]
[2005/10/06 17:08:41, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [LANMAN2.1]
[2005/10/06 17:08:41, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [NT LM 0.12]
[2005/10/06 17:08:41, 3] smbd/negprot.c:reply_nt1(337)
  using SPNEGO
[2005/10/06 17:08:41, 3] smbd/negprot.c:reply_negprot(559)
  Selected protocol NT LM 0.12
[2005/10/06 17:08:41, 3] smbd/process.c:process_smb(1114)
  Transaction 1 of length 240
[2005/10/06 17:08:41, 3] smbd/process.c:switch_message(900)
  switch message SMBsesssetupX (pid 30366) conn 0x0
[2005/10/06 17:08:41, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/10/06 17:08:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(751)
  wct=12 flg2=0xc807
[2005/10/06 17:08:41, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2005/10/06 17:08:41, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(588)
  Doing spnego session setup
[2005/10/06 17:08:41, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(619)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 
5.1] PrimaryDomain=[]
[2005/10/06 17:08:41, 3] smbd/sesssetup.c:reply_spnego_negotiate(480)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/10/06 17:08:41, 3] smbd/sesssetup.c:reply_spnego_negotiate(483)
  Got secblob of size 40
[2005/10/06 17:08:41, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xe2088297
[2005/10/06 17:08:41, 3] smbd/process.c:process_smb(1114)
  Transaction 2 of length 356
[2005/10/06 17:08:41, 3] smbd/process.c:switch_message(900)
  switch message SMBsesssetupX (pid 30366) conn 0x0
[2005/10/06 17:08:41, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/10/06 17:08:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(751)
  wct=12 flg2=0xc807
[2005/10/06 17:08:41, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2005/10/06 17:08:41, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(588)
  Doing spnego session setup
[2005/10/06 17:08:41, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(619)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 
5.1] PrimaryDomain=[]
[2005/10/06 17:08:41, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[bdehn] domain=[OREILLY] workstation=[IS101180] len1=24 len2=24
[2005/10/06 17:08:41, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user 
[EMAIL PROTECTED] with the new password interface
[2005/10/06 17:08:41, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2005/10/06 17:08:41, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/10/06 17:08:41, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/10/06 17:08:41, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/10/06 17:08:41, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/10/06 17:08:41, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [bdehn] - [bdehn] FAILED 
with error NT_STATUS_INVALID_COMPUTER_NAME
[2005/10/06 17:08:41, 3] smbd/process.c:process_smb(1114)
  Transaction 3 of length 240
[2005/10/06 17:08:41, 3] 

[Samba] Winbind Problem on RedHat es3 samba 3.14a

2005-09-14 Thread Ross McInnes
Hi the list!

Got an issue on my main filestore box, winbind keeps panicking :/

I've got round it for now by restarting samba in the middle of the night.
Previously it would only last 2 - 3 days (MAX)  before winbind would panic

45692383-  ===
45692449-[2005/09/14 08:09:25, 0] lib/fault.c:fault_report(37)
45692503-  INTERNAL ERROR: Signal 6 in pid 748 (3.0.14a)
45692551-  Please read the appendix Bugs of the Samba HOWTO collection
45692613-[2005/09/14 08:09:25, 0] lib/fault.c:fault_report(39)
45692667-  ===
45692733:[2005/09/14 08:09:25, 0] lib/util.c:smb_panic2(1495)
45692786-  PANIC: internal error
45692810:[2005/09/14 08:09:25, 0] lib/util.c:smb_panic2(1503)
45692863-  BACKTRACE: 25 stack frames:
45692893:   #0 /usr/local/samba/sbin/winbindd(smb_panic2+0x18c) [0x80c074f]
45692960:   #1 /usr/local/samba/sbin/winbindd(smb_panic+0x10) [0x80c05c1]
45693025-   #2 /usr/local/samba/sbin/winbindd [0x80b0572]
45693074-   #3 /usr/local/samba/sbin/winbindd [0x80b05c7]
45693123-   #4 /lib/tls/libc.so.6 [0xad3eb8]
45693159-   #5 /lib/tls/libc.so.6(abort+0x1d5) [0xad54e5]
45693208-   #6 /usr/local/samba/sbin/winbindd [0x80dde5b]
45693257-   #7 /usr/local/samba/sbin/winbindd [0x80de1a9]
45693306-   #8 /usr/local/samba/sbin/winbindd(cli_krb5_get_ticket+0x1c6)
[0x80de4ba]
45693382-   #9 /usr/local/samba/sbin/winbindd(spnego_gen_negTokenTarg+0x2f)
[0x80defca]
45693461-   #10 /usr/local/samba/sbin/winbindd [0x814d6c7]
45693511-   #11 /usr/local/samba/sbin/winbindd [0x814d966]
45693561-   #12 /usr/local/samba/sbin/winbindd(ads_sasl_bind+0xfe)
[0x814df2a]
45693631-   #13 /usr/local/samba/sbin/winbindd(ads_connect+0x218)
[0x8148c3e]
45693700-   #14 /usr/local/samba/sbin/winbindd(ads_do_search_retry+0x1af)
[0x8152d57]
45693777-   #15 /usr/local/samba/sbin/winbindd(ads_search_retry+0x22)
[0x8152e91]
45693850-   #16 /usr/local/samba/sbin/winbindd [0x8082e92]
45693900-   #17 /usr/local/samba/sbin/winbindd [0x8078ede]
45693950-   #18 /usr/local/samba/sbin/winbindd(winbindd_getpwnam+0x39f)
[0x8070a14]
45694025-   #19 /usr/local/samba/sbin/winbindd(strftime+0x1320) [0x806f314]
45694092-   #20 /usr/local/samba/sbin/winbindd(winbind_process_packet+0x1d)
[0x806f5d0]
45694171-   #21 /usr/local/samba/sbin/winbindd(do_dual_daemon+0x1d3)
[0x8085340]
45694243-   #22 /usr/local/samba/sbin/winbindd(main+0x44b) [0x807033b]
45694305-   #23 /lib/tls/libc.so.6(__libc_start_main+0xda) [0xac178a]
45694366-   #24 /usr/local/samba/sbin/winbindd(chroot+0x31) [0x806ece5]

In fact, this happened this morning, restart winbindd and it's fine again,
for a while

Any ideas? Need more info?

Cheers

Ross



[Samba] winbind problem

2005-09-02 Thread prasaanna rao
Hi,

I recently upgraded samba from 3.0.11 to 3.0.20. It's
integrated with squid 2.5 STABLE 7 with patches for
NTLM bugs.

I am facing problem with NTLM authentication. The
browser hangs  and I get following error in
log.winbindd

[2005/09/02 13:53:10, 0]
nsswitch/winbindd.c:process_loop(803)
  winbindd: Exceeding 200 client connections, no idle
connection found
[2005/09/02 13:53:10, 0]
nsswitch/winbindd.c:process_loop(803)
  winbindd: Exceeding 200 client connections, no idle
connection found
[2005/09/02 13:53:10, 0]
nsswitch/winbindd.c:process_loop(803)
  winbindd: Exceeding 200 client connections, no idle
connection found
[2005/09/02 13:53:10, 0]
nsswitch/winbindd.c:process_loop(803)
  winbindd: Exceeding 200 client connections, no idle
connection found
[2005/09/02 13:53:10, 0]
nsswitch/winbindd.c:process_loop(803)
  winbindd: Exceeding 200 client connections, no idle
connection found


The errors in squid cache.log 
FATAL: authenticateNTLMHandleReply: called with no
result string

Squid Cache (Version 2.5.STABLE7): Terminated
abnormally.
CPU Usage: 65238.530 seconds = 13687.180 user +
51551.350 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 24735
Memory usage for squid via mallinfo():
total space in arena:  437924 KB
Ordinary blocks:   435653 KB 109298 blks
Small blocks:   0 KB  0 blks
Holding blocks: 20584 KB 23 blks
Free Small blocks:  0 KB
Free Ordinary blocks:2270 KB
Total in use:  456237 KB 104%
Total free:  2270 KB 1%
2005/09/02 10:19:59| Starting Squid Cache version
2.5.STABLE7 for i686-pc-linux-
gnu...
2005/09/02 10:19:59| Process ID 21027
2005/09/02 10:19:59| With 32768 file descriptors
available
2005/09/02 10:19:59| Performing DNS Tests...
2005/09/02 10:19:59| Successful DNS name lookup
tests...
2005/09/02 10:19:59| DNS Socket created at 0.0.0.0,
port 36573, FD 4
2005/09/02 10:19:59| Adding nameserver 10.203.193.25
from squid.conf
2005/09/02 10:19:59| Adding nameserver 202.56.250.5
from squid.conf
2005/09/02 10:19:59| Adding nameserver 202.56.230.5
from squid.conf
2005/09/02 10:19:59| Adding nameserver 202.56.230.6
from squid.conf
2005/09/02 10:19:59| helperOpenServers: Starting 200
'WsRedtor' processes
2005/09/02 10:20:06| helperStatefulOpenServers:
Starting 250 'ntlm_auth' process
es
2005/09/02 10:20:15| helperOpenServers: Starting 10
'ntlm_auth' processes
2005/09/02 10:20:16| Unlinkd pipe opened on FD 469
2005/09/02 10:20:16| Swap maxSize 10240 KB,
estimated 7876923 objects
2005/09/02 10:20:16| Target number of buckets: 393846
2005/09/02 10:20:16| Using 524288 Store buckets
2005/09/02 10:20:16| Max Mem  size: 81920 KB
2005/09/02 10:20:16| Max Swap size: 10240 KB
2005/09/02 10:20:16| Store logging disabled
2005/09/02 10:20:16| Rebuilding storage in
/home1/cache1 (CLEAN)
2005/09/02 10:20:16| Rebuilding storage in
/home1/cache2 (CLEAN)
2005/09/02 10:20:16| Rebuilding storage in
/home1/cache3 (CLEAN)
2005/09/02 10:20:16| Rebuilding storage in
/home1/cache4 (CLEAN)
2005/09/02 10:20:16| Rebuilding storage in
/home1/cache5 (CLEAN)
2005/09/02 10:20:16| Rebuilding storage in
/home1/cache6 (CLEAN)
2005/09/02 10:20:16| Rebuilding storage in
/home1/cache7 (CLEAN)
2005/09/02 10:20:16| Rebuilding storage in
/home1/cache8 (CLEAN)
2005/09/02 10:20:16| Rebuilding storage in
/home1/cache9 (CLEAN)
2005/09/02 10:20:16| Rebuilding storage in
/home1/cache (CLEAN)
2005/09/02 10:20:16| Using Least Load store dir
selection
2005/09/02 10:20:16| Set Current Directory to
/usr/local/squid/var/cache
2005/09/02 10:20:16| Loaded Icons.
2005/09/02 10:20:23| Accepting HTTP connections at
0.0.0.0, port 80, FD 488.
2005/09/02 10:20:23| Accepting ICP messages at
0.0.0.0, port 3130, FD 489.
2005/09/02 10:20:23| Accepting SNMP messages on port
3401, FD 490.
2005/09/02 10:20:23| WCCP Disabled.
2005/09/02 10:20:23| WCCP Disabled.
2005/09/02 10:20:23| Ready to serve requests.
2005/09/02 10:20:24| parseHttpRequest: Unsupported
method 'CONNECT'
2005/09/02 10:20:24| clientReadRequest: FD 579 Invalid
Request
2005/09/02 10:20:24| parseHttpRequest: Unsupported
method 'CONNECT'
2005/09/02 10:20:24| clientReadRequest: FD 592 Invalid
Request
2005/09/02 10:20:25| parseHttpRequest: Unsupported
method 'CONNECT'
2005/09/02 10:20:25| clientReadRequest: FD 630 Invalid
Request
2005/09/02 10:20:26| parseHttpRequest: Unsupported
method 'CONNECT'
2005/09/02 10:20:26| clientReadRequest: FD 664 Invalid
Request
2005/09/02 10:20:26| Store rebuilding is  1.6%
complete
2005/09/02 10:20:26| urlParse: Illegal character in
hostname 'us.i1.yimg.com%2fu
s.yimg.com'
2005/09/02 10:20:29| urlParse: Illegal character in
hostname 'us.i1.yimg.com%2fu
s.yimg.com'
2005/09/02 10:20:29| urlParse: Illegal character in
hostname 'us.i1.yimg.com%2fu
s.yimg.com'
2005/09/02 10:20:29| urlParse: Illegal character in
hostname 'us.i1.yimg.com%2fu
s.yimg.com'
2005/09/02 10:20:29| urlParse: Illegal character in
hostname 

[Samba] winbind problem

2005-08-23 Thread stefanke
hi all,

i have a strange problem with winbind. Samba says that REALMwinbind 
seperatorusername is not a valid user (winbind getpw call), but winbind works! 
The strange thing happens when I call wbinfo -u, the result is a AD-Userlist 
like this:

username1
username2

So far, but why not:

REALMwinbind seperatorusername


The same problem occurs when I call getent passwd! I have played with the 
parameter winbind user default domain = yes/no but without success :(


Any suggestions?


cheers Stephan




Re: [Samba] winbind-Problem with samba 3.0.14a/3.0.20pre and Solaris

2005-08-10 Thread Geert Stappers

On Tue, Aug 09, 2005 at 08:02:01AM +0200, Charles Bueche wrote:
 On lun, 2005-07-04 at 12:33 +0200, Joerg Dietze wrote:
  Hi Guys,
  
  anybody has a idea why getent groups only lists a few groups from my
  NT4-Dom. ?
  I have configured samba with security=domain, uid and gid maps and
  configured nsswitch.conf
  to use winbind.
  wbinfo -g works fine but getent group stops after few domaingroups.

I had yesterday an incomplete list from `getent group` on system
where nsswitch is told to use NSS. None of the groups from LDAP were
shown. It turned out that the change from 'ou=Group' into 'ou=Groups'
in the LDAP database, also needed a change in /etc/libnss-ldap.conf
on 'nss_base_group'. 
Has winbind also a  /etc/libnss-winbind.conf ?

  I think the problem is the
  domain-user - group because i can query all domaingroups with getent group
  domain\groupname except
  the group domain-users. This group has more than 2000 members in it, it's
  possible that's the problem under solaris.

The query was about groups, not about the members of each group.
But yes, I can imagine smart programmers saying:

  Hey, a query about groups, next query is most likely about the members
  of those groups, lets fetch already information about it.

Not realizing that it chokes the system.

  I have also a linux - based NAS-head for tests here this box
  works fine and lists all groups
  with getent group.
  
  thank you
  Joerg Dietze
 
 Hi Joerg,
 
 I have had the problem before, see my posts :
 http://lists.samba.org/archive/samba/2004-August/090422.html
 
 http://lists.samba.org/archive/samba/2004-June/087291.html
 
 If you have found a solution, please share :-)

People reading the archive love to read in the sane order   8^)

Please reply below the text.

 
 Charles


Cheers
Geert Stappers



Re: [Samba] winbind-Problem with samba 3.0.14a/3.0.20pre and Solaris

2005-08-09 Thread Charles Bueche
Hi Joerg,

I have had the problem before, see my posts :
http://lists.samba.org/archive/samba/2004-August/090422.html

http://lists.samba.org/archive/samba/2004-June/087291.html

If you have found a solution, please share :-)

Charles

On lun, 2005-07-04 at 12:33 +0200, Joerg Dietze wrote:
> Hi Guys,
>
> anybody has an idea why getent groups only lists a few groups from my
> NT4-Dom. ?
> I have configured samba with security=domain, uid and gid maps and
> configured nsswitch.conf
> to use winbind.
> wbinfo -g works fine but getent group stops after few domaingroups. I think
> the problem is the
> domain-user - group because i can query all domaingroups with getent group
> domain\groupname except
> the group domain-users. This group has more than 2000 members in it, it's
> possible that's the problem
> under solaris. I have also a linux - based NAS-head for tests here this box
> works fine and lists all groups
> with getent group.
>
> thank you
> Joerg Dietze




[Samba] Winbind Problem

2005-07-26 Thread Kyle Harris
I have a problem with winbind and pam that I just can't quite get past.
Here is what I have:

I have a home office with a Windows 2000 active directory domain (domain
XYZ).  I have a remote office running Samba 3.0.14a connected to the
home office via a VPN.  All users at the remote office are required to
have an account on the active directory domain at the home office for
several reasons, including the use of Exchange Server.  All client
machines at the remote office run XP Pro.

The Samba server at the remote office is a domain controller for its
own domain (Workgroup = ABC).  I have joined the Samba server to the
home office domain, domain XYZ.  When I run wbinfo -u I receive a list of
users in the home domain of XYZ.  When I run getent passwd I also see
the users in the home domain.  I have successfully joined an XP Pro
workstation at the remote office to the remote office domain (ABC).  All
appears well up to this point, however one of my main goals is to use
this setup to authenticate the XP Pro clients logging on to the remote
domain (ABC) against their user account in the home domain of XYZ and I
can't get that to work.  XP Pro just displays the message about unknown
user name or bad password.  I don't want to have to create user accounts
on the Samba server, only have them authenticate against the home
domain.

Here is the contents of my /etc/pam.d/samba file:
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
auth       required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
account    required     pam_stack.so service=system-auth
session    required     /lib/security/pam_mkhomedir.so skel=/etc/samba/skel umask=0022
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

What am I doing wrong?  Is this possible?

It might be worth noting that this is a continuation of another
discussion on another board that went as follows (I went with option B
below):


> Here is what I have:
> I have a home office with a Windows 2000 active directory domain.  I
> have a remote office running Samba 3.0.14a connected to the home
> office via a VPN.  All users at the remote office are required to have
> an account on the active directory domain at the home office for
> several reasons, including the use of Exchange Server.  All client
> machines at the remote office run XP Pro.
>
> Required Options:
> *  I need to be able to run logon scripts locally at the remote
> office, from the Samba server at the remote office.
> *  I need for each user to have a single user account and it needs to
> be the one in active directory on the domain controller at the home
> office.
>
> Optional Result:
> *  I would like the XP Pro client machines to still be able to log on
> if the VPN connect gets dropped.  I believe this is taken care of
> already due to the fact that the XP machines will cache the logon
> credentials, but I thought I would mention that in case there is a
> better way of doing this.
>
> General Question:
> How do I go about setting this up?  I have looked at the docs and have
> been messing around with several different settings and can't quite
> figure it out.
>
> Specific Questions:
> 1.)  What samba security mode should I be using?

Your choices are:
a) Samba configured as an ADS domain member
   - all domain logons will be handled from the central office
   - Samba is just a file/print server

b) Samba configured as its own domain controller with a trust
   relationship to the central office domain.
   - Each remote office will be independent
   - All network logons will be handled locally

> 2.)  Should the samba server workgroup setting be unique for the
> remote site or the same as the home office domain?

Yes, but only if Samba is the domain controller for its own domain.

> 3.)  Should the samba server be joined to the home office domain?

Yes in both cases.

> 4.)  What domain should the XP Pro clients join, the local domain or
> the home office domain?

If the Samba server is just an ADS domain member server your XP clients
need to be members of the ADS domain.

If the Samba server is a PDC for the remote domain and you want logon
and authentication to take place in the remote office, the XP client
needs to be a member of the local domain.

> 5.)  Does this require winbind to work?

Yes, and Yes.


Thanks to all in advance.







[Samba] winbind problem in ADS Domain

2005-07-18 Thread alanza
Hi all,
I just installed a Suse Linux 9.2 with Samba 3.0.0923

I would like to make this new server a member server of my active directory
domain

I think I configured almost everything correctly: I successfully joined the
domain via LDAP with net ads join,
I can browse users and groups via wbinfo -u and wbinfo -g
I can browse users and groups via getent passwd and getent group

I can also give file permissions with chown FRAMEWEB+MyName . -R

What I cannot do is use chgrp with a domain name. I always get
chgrp: invalid group name `frameweb+mygroup'

If I run the winbindd daemon with the -i (interactive) switch, I see

group mygroup in domain FRAMEWEB does not exist

Moreover, a little time after I successfully issued the command chown ...,
if I perform ls -la in that directory I am no longer able to see the username,
but only
the associated sid (generated internally in the UID range)


I did all the checks recommended (net ads info) (net ads status
-UAdministrator)
and everything seems ok
Could it be a bug in this release of samba bundled with Suse Linux 9.2 ?

Could it be an idea to uninstall everything and download the last stable version
3.0.14 source code and install that ?

I read the book
http://samba.org/samba/docs/man/Samba-Guide/unixclients.html

and it speaks a lot about suse linux...

thanks in advance for any help

Andrea


Anyone who receives this mail in error is kindly asked to delete it.

Visit the site http://www.frameweb.it



[Samba] winbind-Problem with samba 3.0.14a/3.0.20pre and Solaris

2005-07-04 Thread Joerg Dietze
Hi Guys,

anybody has an idea why getent groups only lists a few groups from my
NT4-Dom. ?
I have configured samba with security=domain, uid and gid maps and
configured nsswitch.conf to use winbind.
wbinfo -g works fine but getent group stops after few domaingroups. I think
the problem is the domain-user - group because i can query all domaingroups
with getent group domain\groupname except the group domain-users. This group
has more than 2000 members in it, it's possible that's the problem
under solaris. I have also a linux - based NAS-head for tests here this box
works fine and lists all groups with getent group.

thank you
Joerg Dietze





[Samba] winbind problem

2005-06-08 Thread Robert Penz
Hi! 

I'm running suse 9.2 on the client and debian sarge on the server. I'm
trying to authenticate users via the smb domain. It worked for some weeks, but
after some weeks of not using it, it was broken. I've no idea why.

I get the following if I call:

# wbinfo -u
Error looking up domain users

and in the log file is the following:

[2005/06/08 08:49:10, 0] rpc_parse/parse_prs.c:prs_mem_get(537)
prs_mem_get: reading data of size 4194534 would overrun buffer.

I've turned the debug log to 10 and get the following. What got broken, and how
to fix it?




Re: [Samba] winbind problem

2005-06-08 Thread Robert Penz
Matt Schwartz writes:

> I am guessing, but it might be that the SID has changed and this might be
> the cause of your problem.  What you might do, is try re-joining your SUSE
> box to the smb domain.


thx for the hint.

I tried it but I got the following. I did it again via yast too, same error message.
It worked some time ago and the windows clients also don't have any problem.


# net join
root's password:
[2005/06/08 09:44:34, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Transport endpoint is not connected
Joined domain HITT.

If I provide a wrong password I get this - so it must connect to the server in some
way.


# net join
root's password:
[2005/06/08 09:44:27, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Transport endpoint is not connected
Could not connect to server HADES
The username or password was not correct.





[Samba] Winbind problem with Solaris 8

2005-05-18 Thread Graeme Hindmarsh
Hi,

We are having a problem with Samba 3.0.13 winbind on Sparc Solaris 8 NT4
domain.

The following is appearing during our overnight backup jobs and looks like
winbind cannot map a unix uid to a windows SID.

Samba itself works and users are able to see and use the share.

Wbinfo -u -g -t all work

I have winbind in nsswitch.conf

passwd: files winbind
group:  files winbind

The output of log.winbindd is as follows

 Copyright The Samba Team 2000-2004
[2005/05/17 20:41:10, 1] nsswitch/winbindd.c:main(864)
  winbindd version 3.0.13 started.
  Copyright The Samba Team 2000-2004
[2005/05/18 01:44:20, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(238)
  could not convert uid 10259 to SID
[2005/05/18 01:48:08, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(238)
  could not convert uid 10259 to SID
[2005/05/18 07:10:03, 1] nsswitch/winbindd.c:main(864)
  winbindd version 3.0.13 started.
  Copyright The Samba Team 2000-2004

The problem also occurs when running ls -l from the UNIX prompt, which hangs
on the samba share directory; ls -ln works.

Any help appreciated.

Thank You

Graeme



[Samba] Winbind Problem

2005-05-18 Thread Honey Bajaj
Hi,

I have got two production facilities having the same configuration: facility
1 (domain CSW), a Samba 3.0.5 PDC running on redhat 9 and 4 member servers running
the same samba version on redhat 9; facility 2 (domain CSWN), a Samba 3.0.5 PDC
with 2 domain member servers. The domain member servers use winbind to
authenticate users; they connect to the local PDC. I have configured a two-way
trust between the two facilities. Everything was running perfectly for the last 6
months, but for the last two days winbind has been giving problems in domain CSW. The
following error message appears on the member server in log.winbindd:

[2005/05/18 15:10:01, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
cli_pipe:return critical error. Error was call timed out: server did not 
respond after 1 millisecond

whereas wbinfo -t is successful, but wbinfo -u and -g give me the listing of
only the trusting domain users (CSWN list and no CSW user list).

The following error message is appearing on the domain controller of CSW domain

make_server_info_info3:pdb_init_sam failed!

Please suggest me some solution.

Regards,
Honey



[Samba] Winbind problem when exec freeradius

2005-05-16 Thread Javier Jimenez
Hi list!
  I'm trying to authenticate Active Directory Users via freeradius. I
can do it in a general case (user and domain) without
problem. Now I have to do it restricting the authentication to the
members of a group.

I can execute the script (as it is put in radiusd.conf) correctly from the
command line:

Deb:~# /usr/bin/ntlm_auth --username=javi2
--require-membership-of='AAMM\MyGroup'  --domain=AAMM
password:
NT_STATUS_OK: Success (0x0)
Deb:~# /usr/bin/ntlm_auth --username=javi2
--require-membership-of='AAMM\OtherGroup'  --domain=AAMM
password:
NT_STATUS_LOGON_FAILURE: Logon failure (0xc06d)
Deb:~#

So samba and winbind look to be correctly configured, but when radius
executes it, it looks as if winbind couldn't resolve the group's name.
My line in radiusd.conf is:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --require-membership-of='AAMM\\MyGroup'
--domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

And get the next logs:

radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=javi2
--require-membership-of='AAMM\MyGroup'  --domain=AAMM
--challenge=6b480cf181ded625
--nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21 '
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2
--require-membership-of='AAMM\MyGroup'  --domain=AAMM
--challenge=6b480cf181ded625
--nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21
[2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
 Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!

Does anybody know why it could be happening? Thanks in advance for any help!!


Re: [Samba] Winbind problem when exec freeradius

2005-05-16 Thread Andrew Bartlett
On Mon, 2005-05-16 at 09:28 +0200, Javier Jimenez wrote:
> Hi list!
>   I'm trying to authenticate Active Directory Users via freeradius. I
> can do it in a general case (user and domain) without
> problem. Now I have to do it restricting the authentication to the
> members of a group.
>
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2
> --require-membership-of='AAMM\MyGroup'  --domain=AAMM
> --challenge=6b480cf181ded625
> --nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21
> [2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid
> (237)
>  Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!

Looking at the source, the issue appears to be the quotes.  FreeRadius
does not go via a shell, which means that the ' characters are not
stripped off.  (The ntlm_auth source shows that this debug message is
printed without any quotes, which means you supplied them)

> Does anybody know why it could be happening? Thanks in advance for any help!!
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net



RE: [Samba] Winbind problem when exec freeradius

2005-05-16 Thread Javier Jimenez
Now I've found another problem: if I put a group with blank spaces in my
ntlm_auth script on freeradius, it cannot authenticate. It recognises just
the first word of the name.
Any idea about what's happening?
Thanks!

-- Forwarded message --
From: Javier Jimenez [EMAIL PROTECTED]
Date: 16-may-2005 12:42
Subject: Re: [Samba] Winbind problem when exec freeradius
To: Andrew Bartlett [EMAIL PROTECTED]


It works!! Thank you very much!
Javi.

2005/5/16, Andrew Bartlett [EMAIL PROTECTED]:
> On Mon, 2005-05-16 at 09:28 +0200, Javier Jimenez wrote:
> > Hi list!
> >   I'm trying to authenticate Active Directory Users via freeradius. I
> > can do it in a general case (user and domain) without
> > problem. Now I have to do it restricting the authentication to the
> > members of a group.
> >
> > Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=javi2
> > --require-membership-of='AAMM\MyGroup'  --domain=AAMM
> > --challenge=6b480cf181ded625
> > --nt-response=bce392db1fcd91380690317e7cd1228e78940576d78fde21
> > [2005/05/16 09:05:57, 0] utils/ntlm_auth.c:get_require_membership_sid
> > (237)
> >  Winbindd lookupname failed to resolve 'AAMM\MyGroup' into a SID!
>
> Looking at the source, the issue appears to be the quotes.  FreeRadius
> does not go via a shell, which means that the ' characters are not
> stripped off.  (The ntlm_auth source shows that this debug message is
> printed without any quotes, which means you supplied them)
>
> > Does anybody know why it could be happening? Thanks in advance for any
> > help!!
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Student Network Administrator, Hawker College  http://hawkerc.net



RE: [Samba] Winbind problem when exec freeradius

2005-05-16 Thread Andrew Bartlett
On Mon, 2005-05-16 at 20:03 +0200, Javier Jimenez wrote:
> Now I've found another problem: if I put a group with blank spaces in my
> ntlm_auth script on freeradius, it cannot authenticate. It recognises just
> the first word of the name.
> Any idea about what's happening?
> Thanks!

Likewise, FreeRadius is not calling a shell, so the splitting function
is chewing on the string.  The easy option is to change the name into a
SID (S-123-456), and include that as the option.  

The FreeRadius list may be able to assist on how the quoting does or
doesn't behave.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
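
Both failures in this thread (literal quotes reaching ntlm_auth, and a group name with spaces being cut at the first word) come down to how the command line is split into arguments. The Python sketch below is an added example, not part of the original posts and not FreeRADIUS or Samba code. `argv_without_shell` is a simplified whitespace-only model of a launcher that does not call a shell (an assumption, not FreeRADIUS's actual splitter), and the group name with a space and the SID are constructed sample values.

```python
import shlex

OPTION = "--require-membership-of="


def argv_via_shell(cmdline):
    """Split the way a POSIX shell would: quotes group words and are removed."""
    return shlex.split(cmdline, posix=True)


def argv_without_shell(cmdline):
    """Assumed model of a launcher that execs directly: it splits on
    whitespace only and never interprets quote characters."""
    return cmdline.split()


def membership_value(argv):
    """Return the value the program receives for --require-membership-of."""
    for arg in argv:
        if arg.startswith(OPTION):
            return arg[len(OPTION):]
    return None


def stray_args(argv):
    """Arguments after the program name that are not --options at all.
    A non-empty result means a value was broken into pieces."""
    return [a for a in argv[1:] if not a.startswith("--")]


def same_under_both(value):
    """True if an unquoted value reaches the program byte-for-byte identical
    whether or not a shell sits between the config file and exec()."""
    cmd = "/usr/bin/ntlm_auth --username=javi2 " + OPTION + value + " --domain=AAMM"
    return (membership_value(argv_via_shell(cmd)) == value
            and membership_value(argv_without_shell(cmd)) == value)


# Command line as it appears in the radius_xlat log line of the thread.
QUOTED = (r"/usr/bin/ntlm_auth --username=javi2 "
          r"--require-membership-of='AAMM\MyGroup' --domain=AAMM")

# Constructed variant: a group name containing a space.
SPACED = (r"/usr/bin/ntlm_auth --username=javi2 "
          r"--require-membership-of='AAMM\My Group' --domain=AAMM")

# Constructed placeholder SID, standing in for the group's real SID.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1234"


if __name__ == "__main__":
    for label, cmd in (("quoted", QUOTED), ("spaced", SPACED)):
        for mode, split in (("shell", argv_via_shell),
                            ("no shell", argv_without_shell)):
            argv = split(cmd)
            print("%-7s %-9s value=%r stray=%r"
                  % (label, mode, membership_value(argv), stray_args(argv)))
    # An unquoted DOMAIN\Group is not portable either: a shell eats the backslash.
    print("unquoted name identical under both:", same_under_both(r"AAMM\MyGroup"))
    print("SID identical under both:          ", same_under_both(SAMPLE_SID))
```

Of the three forms, only the SID reaches the program unchanged under both splitters, which matches the suggestion above to pass the group as a SID in radiusd.conf.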



Re: [Samba] Winbind problem revisited

2004-12-22 Thread Luke Mewburn
On Tue, Dec 21, 2004 at 01:49:46PM -0600, Brian Kesting wrote:
  | ---/etc/nsswitch.conf-
  | 
  | passwd: compat winbind
  | group:  files dns compat winbind
  | shadow: files winbind

[digression about nsswitch]

On various nsswitch implementations (including the canonical
implementation on Solaris, and the NetBSD version), it's not
supported to list any other sources for a given database
at the same time as compat, and compat only makes sense
for the databases passwd and group.

If you're not using the +/- syntax in /etc/passwd and /etc/group,
just use files instead of compat.  Otherwise, you should try
something like:
    passwd: compat
    passwd_compat: winbind
    group: compat
    group_compat: dns winbind

passwd_compat and group_compat specify the sources to lookup
stuff for the + and - entries in /etc/passwd & /etc/group
(respectively).

I suspect you don't want dns in group/group_compat either,
unless you're running Hesiod at your site.

(You can't list files or compat as sources for passwd_compat
or group_compat as it doesn't make sense).



[Samba] Winbind problem revisited

2004-12-21 Thread Brian Kesting
Okay,

I started over from scratch with my samba server rebuild, but I am still
getting some weird issues.  Here are my config files of importance:

--/etc/samba/smb.conf
# Samba Configuration File
[global]
workgroup = WAYNE
realm = WAYNE.LOCAL
server string = Samba Server
security = ADS
password server = police.wayne.local
encrypt passwords = yes
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind separator = +
client signing = no
client use spnego = no

[users]
comment = Users on Linux
path = /home/WAYNE
read only = No
browseable = Yes

 

---/etc/nsswitch.conf-
passwd:     compat winbind
group:      files dns compat winbind
shadow:     files winbind

hosts:      dns winbind files lwres
networks:   files dns

services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files
publickey:  files

bootparams: files
automount:  files winbind nis
aliases:    files winbind

 

/etc/pam.d/login--
#%PAM-1.0
auth     requisite  pam_unix2.so    nullok #set_secrpc
auth     required   pam_securetty.so
auth     required   pam_nologin.so
auth     sufficient pam_winbind.so  use_first_pass use_authtok
#auth    required   pam_homecheck.so
auth     required   pam_env.so
auth     required   pam_mail.so
account  required   pam_unix2.so
account  sufficient pam_winbind.so  use_first_pass use_authtok
password required   pam_pwcheck.so  nullok
password required   pam_unix2.so    nullok use_first_pass use_authtok
password sufficient pam_winbind.so  use_first_pass use_authtok
session  required   pam_unix2.so    none # debug or trace
session  sufficient pam_winbind.so  use_first_pass use_authtok
session  required   pam_limits.so
session  required   pam_resmgr.so

/etc/krb5.conf---
[libdefaults]
default_realm = WAYNE.LOCAL
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5

[realms]
WAYNE.LOCAL = {
kdc = 192.168.1.11
default_domain = WAYNE.LOCAL
admin_server = police.wayne.local
kpasswd_server = police.wayne.local
}

[domain_realm]
.WAYNE.LOCAL = WAYNE.LOCAL
WAYNE.LOCAL = WAYNE.LOCAL
.wayne.local = WAYNE.LOCAL
wayne.local = WAYNE.LOCAL

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false

 

I have joined the AD successfully and have gained a Kerberos ticket.  I can
resolve windows user names and groups with the following conditions:  If I
leave the default_etypes lines in krb5.conf, then I get this in my
/var/log/samba/log.smbd file and I am unable to access the samba shares:

[2004/12/21 13:32:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/12/21 13:32:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/12/21 13:32:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

If I comment the etype lines out, the smb log file looks good and I can
access samba shares, but the /var/log/samba/log.winbind looks like this:

[2004/12/21 12:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist
[2004/12/21 13:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist
[2004/12/21 13:32:04, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)

I also had this show up in /var/log/samba/log.winbind:

[2004/12/21 13:26:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
  ads_search_retry: failed to reconnect (Invalid credentials)

Any interpretations?

Thanks.

Brian

 

 



[Samba] Winbind Problem

2004-11-08 Thread Peter Eckhardt
Hello,
we are running samba-3.0.7 on a suse 9.0 installation. Everything works
fine so far only winbind authentication fails.
Samba runs as an ads client in a windows domain. Domain join worked
without problems. Winbind also started without problems.
The ADS Domain Server is responsible for the MED-DUS domain and has a
trust to a NT4 Server which serves the MEDOIL domain.
After some time winbind stops resolving MED-DUS names. MEDOIL names do
not have problems. After restarting winbind everything is back to normal
until the problem happens again 
Here is my samba config
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/03/09 08:30:06
# Global parameters
[global]
encrypt passwords = yes
; printcap name = cups
server string = fileservices
realm = MED-DUS.LAN.MEDOIL.DE
socket options = TCP_NODELAY
os level = 20
preferred master = no
local master = no
domain master = no
winbind uid = 1-2
password server = hpnt13.med-dus.lan.medoil.de
; printing = cups
workgroup = MED-DUS
; unix password sync = yes
unix charset = LOCALE
; wins server = hpnt13.med-dus.lan.medoil.de
null passwords = yes
interfaces = 127.0.0.1 eth0 eth1
template homedir = /home/%D/%u
winbind gid = 1-2
security = ads
client use spnego = yes
;   winbind use default domain = yes
;   winbind enable local accounts = yes
ldap ssl = no
winbind separator = _
template primary group = domusers
winbind enum users = yes
winbind enum groups = yes
bind interfaces only = Yes
show add printer wizard = no
[homes]
root preexec = test -d %H || /usr/local/bin/createhomedir.sh %H %D %U
browseable = no
writeable = yes
inherit acls = yes
map acl inherit = yes
inherit acls = yes
Are there known problems with winbind?
The domain itself is quite small (around 80 users).
Thanks for help
Peter
--
dadi-linux   www.dadi-linux.de
Peter Eckhardt   Fon: +49 6071 951256
Weberstr. 36BFax: +49 6071 951257
64846 Groß-Zimmern   [EMAIL PROTECTED]


[Samba] Winbind Problem

2004-11-08 Thread Peter Eckhardt
Hello,
we are running samba-3.0.7 on a suse 9.0 installation. Everything works
fine so far only winbind authentication fails.
Samba runs as an ads client in a windows domain. Domain join worked
without problems. Winbind also started without problems.
The ADS Domain Server is responsible for the MED-DUS domain and has a
trust to a NT4 Server which serves the MEDOIL domain.
After some time winbind stops resolving MED-DUS names. MEDOIL names do
not have problems. After restarting winbind everything is back to normal
until the problem happens again 
Here is my samba config
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/03/09 08:30:06
# Global parameters
[global]
encrypt passwords = yes
; printcap name = cups
server string = fileservices
realm = MED-DUS.LAN.MEDOIL.DE
socket options = TCP_NODELAY
os level = 20
preferred master = no
local master = no
domain master = no
winbind uid = 1-2
password server = hpnt13.med-dus.lan.medoil.de
; printing = cups
workgroup = MED-DUS
; unix password sync = yes
unix charset = LOCALE
; wins server = hpnt13.med-dus.lan.medoil.de
null passwords = yes
interfaces = 127.0.0.1 eth0 eth1
template homedir = /home/%D/%u
winbind gid = 1-2
security = ads
client use spnego = yes
;   winbind use default domain = yes
;   winbind enable local accounts = yes
ldap ssl = no
winbind separator = _
template primary group = domusers
winbind enum users = yes
winbind enum groups = yes
bind interfaces only = Yes
show add printer wizard = no
[homes]
root preexec = test -d %H || /usr/local/bin/createhomedir.sh %H %D %U
browseable = no
writeable = yes
inherit acls = yes
map acl inherit = yes
inherit acls = yes
The domain is quite small (around 80 users). There is no wins server 
running. DNS works fine.

Are there known problems with winbind?
Might there be problems with kerberos?
Thanks for help
Peter
--
dadi-linux   www.dadi-linux.de
Peter Eckhardt   Fon: +49 6071 951256
Weberstr. 36B    Fax: +49 6071 951257
64846 Groß-Zimmern   [EMAIL PROTECTED]


RE: [Samba] WINBIND Problem.....

2004-10-05 Thread Travis Bullock
Most definitely. The test directory appears as follows:

[EMAIL PROTECTED] avamx_shares]# ls -al
total 12
drwxr-xr-x   3 root root  4096 Sep 21 14:40 .
drwxr-xr-x  17 root root  4096 Sep  2 06:07 ..
drwxr-xr-x   2 tbullock Domain Admins 4096 Sep 21 14:40 tbullock

The directory 'tbullock' is the one I am trying to gain access to. As you
see Fedora allows me to use the winbind generated or acquired tbullock
user and Domain Admins groups which I found pretty cool by the way.

And also the weird thing is if I try to browse to that 'tbullock' share and
I am not actually logged in as 'tbullock' (Domain account) it gives me a
straightforward Access Denied message. If I am sitting at my computer
logged in as my Domain Account 'tbullock' then the message is much different
and goes something like:

Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not Found.

So it is returning different error messages depending on which account
attempts to access the share.

Thanks for the interest in this problem.

Cheers,

Travis

-Original Message-
From: Hamish [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 4:48 AM
To: Travis Bullock
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] WINBIND Problem.


Sorry for obvious question, but have you made sure that you have write
permission to the directory you are trying to write to?

Travis Bullock wrote:

Hello again.

Still have not resolved this winbind issue, although it may not be winbind
at all.  The odd thing is, when I attempt to access a share on the Fedora C2
server running samba 3.x and winbind it will ask for a password.  If I enter
the wrong username and password, it will give me an invalid username or
password error. If I enter the correct username and password, it will give
me an Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not Found.

Any ideas out there?

Cheers,

Travis





RE: [Samba] WINBIND Problem.....

2004-10-05 Thread Mark Le Noury
Hi,


Sorry for a few more obvious questions, but...

What does the share definition in smb.conf look like?
What global parameters have you set?

Maybe I missed an earlier post or something.

Thanks,

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Travis Bullock
Sent: 05 October 2004 05:07 PM
To: 'Hamish'
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] WINBIND Problem.


Most definitely. The test directory appears as follows:

[EMAIL PROTECTED] avamx_shares]# ls -al
total 12
drwxr-xr-x   3 root root  4096 Sep 21 14:40 .
drwxr-xr-x  17 root root  4096 Sep  2 06:07 ..
drwxr-xr-x   2 tbullock Domain Admins 4096 Sep 21 14:40 tbullock

The directory 'tbullock' is the one I am trying to gain access to. As
you see Fedora allows me to use the winbind generated or acquired
tbullock user and Domain Admins groups which I found pretty cool by
the way.

And also the weird thing is if I try to browse to that 'tbullock' share
and I am not actually logged in as 'tbullock' (Domain account) it gives
me a straightforward Access Denied message. If I am sitting at my
computer logged in as my Domain Account 'tbullock' then the message is
much different and goes something like:

Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not
Found.

So it is returning different error messages depending on which account
attempts to access the share.

Thanks for the interest in this problem.

Cheers,

Travis

-Original Message-
From: Hamish [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 4:48 AM
To: Travis Bullock
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] WINBIND Problem.


Sorry for obvious question, but have you made sure that you have write
permission to the directory you are trying to write to?

Travis Bullock wrote:

Hello again.

Still have not resolved this winbind issue, although it may not be
winbind at all.  The odd thing is, when I attempt to access a share on
the Fedora C2 server running samba 3.x and winbind it will ask for a
password.  If I enter the wrong username and password, it will give me
an invalid username or password error. If I enter the correct username
and password, it will give me an Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not
Found.

Any ideas out there?

Cheers,

Travis





RE: [Samba] WINBIND Problem.....

2004-10-05 Thread Travis Bullock
Here she is:

[global]
   log level = 3

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = AVMAX

# server string is the equivalent of the NT Description field
   server string = Samba Server

# separate domain and username with '+', like DOMAIN+username
   winbind separator = +

# use uids from 1 to 2 for domain users
winbind uid = 1-2
# use gids from 1 to 2 for domain groups
winbind gid = 1-2
# allow enumeration of winbind users and groups
password server = nt_bdc AVMAX
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
username map = /etc/samba/smbusers
winbind use default domain = yes
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes

obey pam restrictions = yes
template shell = /bin/bash

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mode = 0664
   directory mode = 0775

[tbullock]
   comment = Avmax Domain Shares
   browseable = yes
   writable = yes
   read only = no
   path = /usr/avmax_shares/tbullock
   valid users = AVMAX+tbullock

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Mark Le Noury
Sent: Tuesday, October 05, 2004 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [Samba] WINBIND Problem.


Hi,


Sorry for a few more obvious questions, but...

What does the share definition in smb.conf look like?
What global parameters have you set?

Maybe I missed an earlier post or something.

Thanks,

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Travis Bullock
Sent: 05 October 2004 05:07 PM
To: 'Hamish'
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] WINBIND Problem.


Most definitely. The test directory appears as follows:

[EMAIL PROTECTED] avamx_shares]# ls -al
total 12
drwxr-xr-x   3 root root  4096 Sep 21 14:40 .
drwxr-xr-x  17 root root  4096 Sep  2 06:07 ..
drwxr-xr-x   2 tbullock Domain Admins 4096 Sep 21 14:40 tbullock

The directory 'tbullock' is the one I am trying to gain access to. As
you see Fedora allows me to use the winbind generated or acquired
tbullock user and Domain Admins groups which I found pretty cool by
the way.

And also the weird thing is if I try to browse to that 'tbullock' share
and I am not actually logged in as 'tbullock' (Domain account) it gives
me a straightforward Access Denied message. If I am sitting at my
computer logged in as my Domain Account 'tbullock' then the message is
much different and goes something like:

Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not
Found.

So it is returning different error messages depending on which account
attempts to access the share.

Thanks for the interest in this problem.

Cheers,

Travis

-Original Message-
From: Hamish [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 4:48 AM
To: Travis Bullock
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] WINBIND Problem.


Sorry for obvious question, but have you made sure that you have write
permission to the directory you are trying to write to?

Travis Bullock wrote:

Hello again.

Still have not resolved this winbind issue, although it may not be
winbind at all.  The odd thing is, when I attempt to access a share on
the Fedora C2 server running samba 3.x and winbind it will ask for a
password.  If I enter the wrong username and password, it will give me
an invalid username or password error. If I enter the correct username
and password, it will give me an Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not
Found.

Any ideas out there?

Cheers,

Travis





Re: [Samba] WINBIND Problem.....

2004-10-05 Thread Gerald Bird
You will want to ensure the two top-level directories above  your share are 
set to at least r-x. (usr and avmax_shares). If that is correct try 
temporarily changing the permission to rwx or 777 for everyone to see if it 
is a permission problem. Finally, try adding a user (adduser) to your unix 
box with the exact name of your windows login. tbullock I would assume. 
You do not need to do anything special to the unix account except perhaps 
ensure the password is the same as your windows account.

Regards,
Gerald Bird
- Original Message - 
From: Travis Bullock [EMAIL PROTECTED]
To: 'Mark Le Noury' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 9:44 AM
Subject: RE: [Samba] WINBIND Problem.


Here she is:
[global]
  log level = 3
# workgroup = NT-Domain-Name or Workgroup-Name
  workgroup = AVMAX
# server string is the equivalent of the NT Description field
  server string = Samba Server
# separate domain and username with '+', like DOMAIN+username
  winbind separator = +
# use uids from 1 to 2 for domain users
winbind uid = 1-2
# use gids from 1 to 2 for domain groups
winbind gid = 1-2
# allow enumeration of winbind users and groups
password server = nt_bdc AVMAX
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
username map = /etc/samba/smbusers
winbind use default domain = yes
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = yes
template shell = /bin/bash
[homes]
  comment = Home Directories
  browseable = no
  writable = yes
  valid users = %S
  create mode = 0664
  directory mode = 0775
[tbullock]
  comment = Avmax Domain Shares
  browseable = yes
  writable = yes
  read only = no
  path = /usr/avmax_shares/tbullock
  valid users = AVMAX+tbullock
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Mark Le Noury
Sent: Tuesday, October 05, 2004 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [Samba] WINBIND Problem.
Hi,
Sorry for a few more obvious questions, but...
What does the share definition in smb.conf look like?
What global parameters have you set?
Maybe I missed an earlier post or something.
Thanks,
Mark
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Travis Bullock
Sent: 05 October 2004 05:07 PM
To: 'Hamish'
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] WINBIND Problem.
Most definitely. The test directory appears as follows:
[EMAIL PROTECTED] avamx_shares]# ls -al
total 12
drwxr-xr-x   3 root root  4096 Sep 21 14:40 .
drwxr-xr-x  17 root root  4096 Sep  2 06:07 ..
drwxr-xr-x   2 tbullock Domain Admins 4096 Sep 21 14:40 tbullock
The directory 'tbullock' is the one I am trying to gain access to. As
you see Fedora allows me to use the winbind generated or acquired
tbullock user and Domain Admins groups which I found pretty cool by
the way.
And also the weird thing is if I try to browse to that 'tbullock' share
and I am not actually logged in as 'tbullock' (Domain account) it gives
me a straightforward Access Denied message. If I am sitting at my
computer logged in as my Domain Account 'tbullock' then the message is
much different and goes something like:
Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not
Found.
So it is returning different error messages depending on which account
attempts to access the share.
Thanks for the interest in this problem.
Cheers,
Travis
-Original Message-
From: Hamish [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 4:48 AM
To: Travis Bullock
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] WINBIND Problem.
Sorry for obvious question, but have you made sure that you have write
permission to the directory you are trying to write to?
Travis Bullock wrote:
Hello again.
Still have not resolved this winbind issue, although it may not be
winbind at all.  The odd thing is, when I attempt to access a share on
the Fedora C2 server running samba 3.x and winbind it will ask for a
password.  If I enter the wrong username and password, it will give me
an invalid username or password error. If I enter the correct username
and password, it will give me an Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not
Found.
Any ideas out there?
Cheers,
Travis
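
The parent-directory check suggested in Gerald Bird's reply can be done by reading mode bits, without the temporary 777. The script below is an added example, not part of the thread; it walks every directory on the way to the share and reports the first one that denies r-x to a given uid. It assumes GNU `stat`; the function name and its arguments are hypothetical, and POSIX ACLs are not evaluated.

```shell
#!/bin/sh
# Added example: walk every directory from START down to the share and
# report whether a uid/gid set has r-x on it, judged from mode bits only.
# Assumes GNU stat (-c). POSIX ACLs and root's permission bypass are not
# modelled. START itself is not checked, only the components below it.
#
# usage: check_share_path PATH [UID] [GIDS] [START]
#   PATH   absolute path of the share, e.g. /usr/avmax_shares/tbullock
#   UID    numeric uid to test (default: caller), e.g. "$(id -u tbullock)"
#   GIDS   space-separated numeric gids (default: caller's, from id -G)
#   START  directory to start below (default: /)
# returns 0 if every component grants r-x, 1 at the first that does not,
#         2 if a component cannot be inspected.

check_share_path() {
    csp_path=$1
    csp_uid=${2:-$(id -u)}
    csp_gids=${3:-$(id -G)}
    csp_start=${4:-/}

    case $csp_path in
        "$csp_start"*) ;;
        *) echo "error: $csp_path is not below $csp_start" >&2; return 2 ;;
    esac

    csp_rest=${csp_path#"$csp_start"}
    csp_cur=${csp_start%/}

    while [ -n "$csp_rest" ]; do
        # Peel off the next path component.
        csp_rest=${csp_rest#/}
        csp_comp=${csp_rest%%/*}
        case $csp_rest in
            */*) csp_rest=${csp_rest#*/} ;;
            *)   csp_rest= ;;
        esac
        [ -n "$csp_comp" ] || continue
        csp_cur=$csp_cur/$csp_comp

        csp_meta=$(stat -c '%a %u %g' "$csp_cur" 2>/dev/null) || {
            echo "$csp_cur cannot-stat"
            return 2
        }
        csp_mode=${csp_meta%% *}
        csp_tail=${csp_meta#* }
        csp_ouid=${csp_tail%% *}
        csp_ogid=${csp_tail#* }

        # Keep only the rwx digits (drops setuid/setgid/sticky).
        csp_perm=$((csp_mode % 1000))

        # Same precedence the kernel uses: owner, then group, then other.
        if [ "$csp_ouid" = "$csp_uid" ]; then
            csp_class=owner; csp_bits=$((csp_perm / 100))
        else
            case " $csp_gids " in
                *" $csp_ogid "*) csp_class=group; csp_bits=$((csp_perm / 10 % 10)) ;;
                *)               csp_class=other; csp_bits=$((csp_perm % 10)) ;;
            esac
        fi

        # r (4) and x (1) are both needed to list and traverse a directory.
        if [ $((csp_bits & 5)) -eq 5 ]; then
            printf '%s mode=%s class=%s ok\n' "$csp_cur" "$csp_mode" "$csp_class"
        else
            printf '%s mode=%s class=%s BLOCKED\n' "$csp_cur" "$csp_mode" "$csp_class"
            return 1
        fi
    done
    return 0
}

# Run directly: sh check_share_path.sh /usr/avmax_shares/tbullock <uid> "<gids>"
if [ "$#" -gt 0 ]; then
    check_share_path "$@"
fi
```

For a winbind-mapped account, pass `"$(id -u tbullock)"` and `"$(id -G tbullock)"` so the check uses the uid and gids that winbind actually hands to the system.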



RE: [Samba] WINBIND Problem.....

2004-10-05 Thread Travis Bullock
Thanks for the tips... have done the chmods but to no avail... I really don't
want to consider adding users with identical names and passwords to those on
the Windows DC's because that is just way too much administrative
overhead...I was hoping WINBIND would save me that grief...

Thanks for tips.

Cheers,

Travis

-Original Message-
From: Gerald Bird [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 10:28 AM
To: Travis Bullock; [EMAIL PROTECTED]
Subject: Re: [Samba] WINBIND Problem.


You will want to ensure the two top-level directories above  your share are
set to at least r-x. (usr and avmax_shares). If that is correct try
temporarily changing the permission to rwx or 777 for everyone to see if it
is a permission problem. Finally, try adding a user (adduser) to your unix
box with the exact name of your windows login. tbullock I would assume.
You do not need to do anything special to the unix account except perhaps
ensure the password is the same as your windows account.

Regards,

Gerald Bird


- Original Message -
From: Travis Bullock [EMAIL PROTECTED]
To: 'Mark Le Noury' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 9:44 AM
Subject: RE: [Samba] WINBIND Problem.


 Here she is:

 [global]
   log level = 3

 # workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = AVMAX

 # server string is the equivalent of the NT Description field
   server string = Samba Server

 # separate domain and username with '+', like DOMAIN+username
   winbind separator = +

 # use uids from 1 to 2 for domain users
 winbind uid = 1-2
 # use gids from 1 to 2 for domain groups
 winbind gid = 1-2
 # allow enumeration of winbind users and groups
 password server = nt_bdc AVMAX
 encrypt passwords = yes
 smb passwd file = /etc/samba/smbpasswd
 username map = /etc/samba/smbusers
 winbind use default domain = yes
 winbind cache time = 15
 winbind enum users = yes
 winbind enum groups = yes

 obey pam restrictions = yes
 template shell = /bin/bash

 [homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mode = 0664
   directory mode = 0775

 [tbullock]
   comment = Avmax Domain Shares
   browseable = yes
   writable = yes
   read only = no
   path = /usr/avmax_shares/tbullock
   valid users = AVMAX+tbullock

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of
 Mark Le Noury
 Sent: Tuesday, October 05, 2004 9:10 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Samba] WINBIND Problem.


 Hi,


 Sorry for a few more obvious questions, but...

 What does the share definition in smb.conf look like?
 What global parameters have you set?

 Maybe I missed an earlier post or something.

 Thanks,

 Mark

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Travis Bullock
 Sent: 05 October 2004 05:07 PM
 To: 'Hamish'
 Cc: [EMAIL PROTECTED]
 Subject: RE: [Samba] WINBIND Problem.


 Most definitely. The test directory appears as follows:

 [EMAIL PROTECTED] avamx_shares]# ls -al
 total 12
 drwxr-xr-x   3 root root  4096 Sep 21 14:40 .
 drwxr-xr-x  17 root root  4096 Sep  2 06:07 ..
 drwxr-xr-x   2 tbullock Domain Admins 4096 Sep 21 14:40 tbullock

 The directory 'tbullock' is the one I am trying to gain access to. As
 you see Fedora allows me to use the winbind generated or acquired
 tbullock user and Domain Admins groups which I found pretty cool by
 the way.

 And also the weird thing is if I try to browse to that 'tbullock' share
 and I am not actually logged in as 'tbullock' (Domain account) it gives
 me a straightforward Access Denied message. If I am sitting at my
 computer logged in as my Domain Account 'tbullock' then the message is
 much different and goes something like:

 Access Denied contact your
 administrator...blah..blah...blah followed by a Network Path Not
 Found.

 So it is returning different error messages depending on which account
 attempts to access the share.

 Thanks for the interest in this problem.

 Cheers,

 Travis

 -Original Message-
 From: Hamish [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, September 29, 2004 4:48 AM
 To: Travis Bullock
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Samba] WINBIND Problem.


 Sorry for obvious question, but have you made sure that you have write
 permission to the directory you are trying to write to?

 Travis Bullock wrote:

Hello again.

Still have not resolved this winbind issue, although it may not be
winbind at all.  The odd thing is, when I attempt to access a share on
the Fedora C2 server running samba 3.x and winbind it will ask for a
password.  If I enter the wrong username and password, it will give me
an invalid username or password error. If I enter the correct username
and password, it will give me an Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not
Found.

Any ideas out

Re: [Samba] WINBIND Problem.....

2004-09-29 Thread Hamish
Sorry for obvious question, but have you made sure that you have write 
permission to the directory you are trying to write to?

Travis Bullock wrote:
Hello again.
Still have not resolved this winbind issue, although it may not be winbind
at all.  The odd thing is, when I attempt to access a share on the Fedora C2
server running samba 3.x and winbind it will ask for a password.  If I enter
the wrong username and password, it will give me an invalid username or
password error. If I enter the correct username and password, it will give
me an Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not Found.
Any ideas out there?
Cheers,
Travis
 



[Samba] WINBIND Problem.....

2004-09-28 Thread Travis Bullock
Hello again.

Still have not resolved this winbind issue, although it may not be winbind
at all.  The odd thing is, when I attempt to access a share on the Fedora C2
server running samba 3.x and winbind it will ask for a password.  If I enter
the wrong username and password, it will give me an invalid username or
password error. If I enter the correct username and password, it will give
me an Access Denied contact your
administrator...blah..blah...blah followed by a Network Path Not Found.

Any ideas out there?

Cheers,

Travis


Re: [Samba] winbind problem (?) on samba 3 ADS

2004-09-01 Thread Emir Faisal
--- Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
---8
 $ tar zxf samba-3.0.6.tar.gz
 $ cd samba-3.0.6/source
 $ patch -p0 < filename.patch
 $ ./configure && make

everything works fine now, thank you.

regards,
EF

=
rgrds,
EF






Re: [Samba] winbind problem (?) on samba 3 ADS

2004-08-31 Thread Gerald (Jerry) Carter
Emir Faisal wrote:
| The only thing that I CAN'T do is to access the share
| on samba machine. The wbinfo -u shows a wrong
| combination of WRKGRP\myloginame.full instead of our
| usual login combination WRKGRP\myloginame or
| [EMAIL PROTECTED]
Try this patch (already applied to the 3.0 svn tree).


cheers, jerry
- -
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
If we're adding to the noise, turn off this song--Switchfoot (2003)
Index: libads/ldap.c
===
--- libads/ldap.c   (revision 1381)
+++ libads/ldap.c   (revision 2091)
@@ -2184,13 +2184,19 @@
  */
 char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, void *msg)
 {
+#if 0  /* JERRY */
char *ret, *p;
 
+   /* lookup_name() only works on the sAMAccountName to 
+  returning the username portion of userPrincipalName
+  breaks winbindd_getpwnam() */
+
ret = ads_pull_string(ads, mem_ctx, msg, userPrincipalName);
if (ret  (p = strchr(ret, '@'))) {
*p = 0;
return ret;
}
+#endif
return ads_pull_string(ads, mem_ctx, msg, sAMAccountName);
 }
 
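Review bot: The `#if 0  /* JERRY */` ... `#endif` pair leaves the whole userPrincipalName branch in ads_pull_username() as dead code, and the comment explaining why sits inside the disabled block, where it also reads as a fragment ("only works on the sAMAccountName to returning the username portion"). I would delete the branch together with the now-unused `char *ret, *p;` and move a corrected comment directly above the remaining `return ads_pull_string(ads, mem_ctx, msg, sAMAccountName);`, so the reason (lookup_name() only resolves the sAMAccountName, and a name derived from userPrincipalName breaks winbindd_getpwnam()) stays visible next to the line that depends on it.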

Re: [Samba] winbind problem (?) on samba 3 ADS

2004-08-31 Thread Emir Faisal

--- Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
--8
 Try this patch (already applied to the 3.0 svn tree).
 cheers, jerry
--8

Thank you. I'll let you know the result :)

EF

=
rgrds,
EF





Re: [Samba] winbind problem (?) on samba 3 ADS

2004-08-31 Thread Emir Faisal
--- Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
 Try this patch (already applied to the 3.0 svn tree).
 cheers, jerry

  Index: libads/ldap.c

===
 --- libads/ldap.c (revision 1381)
 +++ libads/ldap.c (revision 2091)
 @@ -2184,13 +2184,19 @@
   */
  char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX
 *mem_ctx, void *msg)
  {
...
...
...

this is new to me, btw.
how to apply/merge this patch ?

=
rgrds,
EF





Re: [Samba] winbind problem (?) on samba 3 ADS

2004-08-31 Thread Gerald (Jerry) Carter
Emir Faisal wrote:
| --- Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
|
|Try this patch (already applied to the 3.0 svn tree).
|cheers, jerry
|
|
|Index: libads/ldap.c
|
| ===
|
|--- libads/ldap.c  (revision 1381)
|+++ libads/ldap.c  (revision 2091)
|@@ -2184,13 +2184,19 @@
|  */
| char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX
|*mem_ctx, void *msg)
| {
|
| ...
| ...
| ...
|
| this is new to me, btw.
| how to apply/merge this patch ?
Save the patch to a file.
$ tar zxf samba-3.0.6.tar.gz
$ cd samba-3.0.6/source
$ patch -p0 < filename.patch
$ ./configure && make

cheers, jerry


[Samba] winbind problem (?) on samba 3 ADS

2004-08-30 Thread Emir Faisal
Hi,

I have installed samba 3.0.6 based on the Official
HOWTO to join our Active Directory environment, with
winbind and pam support. I have joined the samba to the
domain using net ads join -Umyloginame. I can do the
wbinfo -g, getent passwd and getent group
correctly. I also can list shares on another machine,
using kerberos:

# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
# smbclient -k -L \\borneo
OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]

Sharename       Type      Comment
---------       ----      -------
...
...
#

Problem:
The only thing that I CAN'T do is to access the share
on samba machine. The wbinfo -u shows a wrong
combination of WRKGRP\myloginame.full instead of our
usual login combination WRKGRP\myloginame or
[EMAIL PROTECTED].

definition:
myloginame  = Pre-Windows 2000 Logon Name
myloginame.full = Windows 2000 Logon Name

smb.conf:
[global]
unix charset = LOCALE
workgroup = WRKGRP
realm = REALM.FQDN
server string = Samba-3.0.6
security = ADS
password server = nias
username map = /opt/samba-3.0.6/lib/username_map.conf
# username level = 3
log level = 1
syslog = 0
log file = /var/opt/samba-3.0.6/%m
max log size = 50
printcap name = CUPS
wins server = nias
idmap uid = 1-2
idmap gid = 1-2
template primary group = Domain Users
template shell = /bin/bash
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 1
winbind nested groups = yes
printing = cups
preferred master = no
domain master = no
local master = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
use kerberos keytab = yes

as expected in the logfile:

winbindd logfile:
== winbindd ==
[2004/08/31 08:54:44, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'myloginame.full' does not exist
[2004/08/31 08:54:44, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'myloginame.full' does not exist
[2004/08/31 08:54:45, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'myloginame.full' does not exist


Thank you,
EF

=
rgrds,
EF
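
One way to confirm the symptom reported in this post, as an added example that is not part of the thread: cross-check the names winbind enumerates against the names its own log reports as non-existent. The function names are hypothetical, the enumerated list is constructed from the placeholder names in the post, and the log sample is the excerpt quoted in the post.

```shell
#!/bin/sh
# Added example: report every account that winbind enumerates (wbinfo -u)
# but that winbindd then logs as "does not exist". A hit means enumeration
# and lookup disagree about the account name, which is the symptom described
# in the post. Sample data below is for offline runs.

# Constructed sample of `wbinfo -u` output, using the post's placeholders.
sample_enum() {
cat <<'EOF'
WRKGRP\myloginame.full
WRKGRP\otheruser
EOF
}

# winbindd log excerpt as quoted in the post.
sample_log() {
cat <<'EOF'
[2004/08/31 08:54:44, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'myloginame.full' does not exist
[2004/08/31 08:54:44, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'myloginame.full' does not exist
[2004/08/31 08:54:45, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'myloginame.full' does not exist
EOF
}

# usage: enumerated_but_unknown ENUM_FILE LOG_FILE
#   ENUM_FILE  saved output of `wbinfo -u`, one name per line
#   LOG_FILE   winbindd log file
# prints "<name> <number of log hits>" per mismatching name, sorted;
# returns 1 if any mismatch was found, 0 otherwise.
enumerated_but_unknown() {
    ebu_found=$(
        awk -v q="'" '
            # First file: remember enumerated names without the domain prefix.
            FILENAME == ARGV[1] {
                name = $0
                sub(/^.*[\\+]/, "", name)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                if (name != "") enumerated[name] = 1
                next
            }
            # Second file: count "user <quoted name> does not exist" messages.
            match($0, "user " q "[^" q "]+" q " does not exist") {
                # 6 leading and 16 trailing characters surround the name.
                name = substr($0, RSTART + 6, RLENGTH - 22)
                missing[name]++
            }
            END {
                for (name in missing)
                    if (name in enumerated)
                        printf "%s %d\n", name, missing[name]
            }
        ' "$1" "$2" | sort
    )
    if [ -z "$ebu_found" ]; then
        return 0
    fi
    printf '%s\n' "$ebu_found"
    return 1
}

# Run directly: sh enum_check.sh wbinfo-u.txt /path/to/winbindd.log
if [ "$#" -eq 2 ]; then
    enumerated_but_unknown "$1" "$2"
fi
```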




