[Samba] winbind - wbinfo problem - SOLVED
Vivekanandan Nataraj
viveknataraj at gmail.com
Fri Nov 19 04:28:36 MST 2010
Hi John,
The same smb and winbind configuration (same SUSE box) works well with other
Windows AD servers.
"#wbinfo -u" and "#wbinfo -g" returns the users and groups respectively.
Thanks for your great help !!!
What is the difference between "#net rpc" and "#net ads"? If you have
time, give some explanation.
Regards,
Vivek
On Mon, Nov 15, 2010 at 6:56 PM, Vivekanandan Nataraj <viveknataraj at gmail.com> wrote:
> Hi John,
>
> Thanks for your reply.
>
> # net ads testjoin
>
> [2010/11/15 06:40:27, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
>
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> [2010/11/15 06:40:29, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
>
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> Join to domain is not valid: Invalid credentials
>
> but,
>
> # net rpc testjoin
> Join to 'SQUID' is OK
>
> # net ads info -U Administrator
>
> Enter Administrator's password:
> LDAP server: 172.16.1.33
> LDAP server name: EIS.squid.biz
> Realm: SQUID.BIZ
> Bind Path: dc=SQUID,dc=BIZ
> LDAP port: 389
> Server time: Mon, 15 Nov 2010 06:45:33 IST
> KDC server: 172.16.1.33
> Server time offset: 43
>
> # net rpc info -U Administrator
>
> Enter Administrator's password:
> Domain Name: SQUID
> Domain SID: S-1-5-21-419217316-27721265-2755569738
> Sequence number: 548
> Num users: 29
> Num domain groups: 10
> Num local groups: 39
>
> # wbinfo -a 'vivek%vivek'
>
> plaintext password authentication succeeded
>
> challenge/response password authentication succeeded
>
> # wbinfo -K 'vivek%vivek'
> plaintext kerberos password authentication for [vivek%vivek] failed
> (requesting cctype: FILE)
> Could not authenticate user [vivek%vivek] with Kerberos (ccache: FILE)
>
> # kinit vivek
> Password for vivek at SQUID.BIZ:
> #
>
> Does anything need to be modified on the Windows side? As a next step I will remove
> the system from the domain and try everything...
>
> Thanks in advance.
>
> Regards,
> Vivek
>
>
>
> On Mon, Nov 15, 2010 at 8:25 AM, John Stile <john at stilen.com> wrote:
>
>> "Invalid credentials" points to a problem, though I'm guessing, with
>> the domain membership.
>>
>> I'm really not sure what it means.
>>
>> Does 'ads testjoin' show anything?
>>
>> Would it be too much trouble to remove the system from the domain and
>> add it back, assuming that was the problem?
>>
>> 1. remove the machine from the domain (on the AD server),
>> 2. stop smbd, nmbd, and winbindd.
>> 3. find and remove "*.tdb" files.
>> 4. Check 'date' vs. 'net date'
>> 5. net ads join -U 'SQUID.BIZ+username'%'passwd'
>> 6. check 'net ads testjoin'
>> 7. check 'net ads info'
>> 8. start daemon: 'winbindd -d 3 -i'
>> 9. wbinfo -a 'SQUID.BIZ+username'%'password'
>> 10. wbinfo -K 'SQUID.BIZ+username'%'password'
>> 11. kinit username
>>
>> On Mon, 2010-11-15 at 00:32 +0530, Vivekanandan Nataraj wrote:
>> > Hi John,
>> >
>> >
>> > Thanks for your reply.
>> >
>> >
>> > This is the result :-
>> >
>> >
>> > #wbinfo -u
>> >
>> >
>> > Connected to LDAP server EIS.squid.biz
>> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> > ads_sasl_spnego_bind: got server principal name = eis$@SQUID.BIZ
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:22:14 IST
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:22:26 IST
>> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> > ads_connect for domain SQUID failed: Invalid credentials
>> > final write to client failed: Broken pipe
>> >
>> >
>> >
>> >
>> > #wbinfo -g
>> >
>> >
>> > Connected to LDAP server EIS.squid.biz
>> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> > ads_sasl_spnego_bind: got server principal name = eis$@SQUID.BIZ
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:27:10 IST
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:27:12 IST
>> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> > ads_connect for domain SQUID failed: Invalid credentials
>> > final write to client failed: Broken pipe
>> >
>> >
>> > Any problem with the krb configuration?
>> >
>> >
>> > Regards,
>> > Vivek
>> >
>> >
>> >
>> >
>> > On Sun, Nov 14, 2010 at 11:59 PM, John Stile <john at stilen.com> wrote:
>> > You could try to run winbindd manually (winbindd -d 3 -i), and from
>> > another console run 'wbinfo -u', and see if any errors present themselves
>> > in the console where you ran winbindd. First make sure no other
>> > winbind daemon is running, by testing, as root, with:
>> > lsof -i tcp -nP | grep winbind
>> >
>> >
>> > On Sun, 2010-11-14 at 23:41 +0530, Vivekanandan Nataraj wrote:
>> > > Hi John,
>> > >
>> > >
>> > > Thanks for your reply.
>> > >
>> > >
>> > > I have modified the nsswitch.conf file and smb.conf as per your
>> > > suggestions.
>> > >
>> > >
>> > > Still wbinfo does not list the users... I have rebooted the server
>> > > after modification.
>> > >
>> > >
>> > > and #rm -rf /var/lib/samba/* and restarted the services and joined the
>> > > domain again, but no luck..
>> > >
>> > >
>> > > nsswitch.conf
>> > > [
>> > > shadow: files
>> > > passwd: compat winbind
>> > > group: compat winbind
>> > >
>> > >
>> > > hosts: files dns wins
>> > > networks: files dns
>> > >
>> > >
>> > > services: files
>> > > protocols: files
>> > > rpc: files
>> > > ethers: files
>> > > netmasks: files
>> > > netgroup: files nis
>> > > publickey: files
>> > >
>> > >
>> > > bootparams: files
>> > > automount: files nis
>> > > aliases: files
>> > > ]
>> > >
>> > >
>> > > samba
>> > > [
>> > > workgroup = SQUID
>> > > realm = SQUID.BIZ
>> > > security = ADS
>> > > password server = EIS.SQUID.BIZ
>> > > printcap name = cups
>> > > idmap uid = 1000-20000000
>> > > idmap gid = 1000-20000000
>> > > winbind separator = +
>> > > winbind enum users = Yes
>> > > winbind enum groups = Yes
>> > > winbind use default domain = Yes
>> > > winbind nss info = rfc2307
>> > > cups options = raw
>> > > ]
>> > >
>> > >
>> > > Anything I missed?
>> > >
>> > >
>> > > Thanks in advance..
>> > >
>> > >
>> > > Regards,
>> > > Vivek
>> > >
>> > > On Sun, Nov 14, 2010 at 10:33 PM, John Stile <john at stilen.com> wrote:
>> > > Does /etc/nsswitch.conf hold winbind?
>> > > Something like this:
>> > > passwd: compat winbind
>> > > group: compat winbind
>> > >
>> > > Also,
>> > > your config doesn't show:
>> > > winbind separator = +
>> > >
>> > > your config doesn't have a fully qualified "password server"
>> > > hostname.
>> > >
>> > >
>> > >
>> > > On Sun, 2010-11-14 at 11:09 +0530, Vivekanandan Nataraj wrote:
>> > > > Hi Guys,
>> > > >
>> > > > I have configured SAMBA with Windows 2003 AD. But "#wbinfo -u" and
>> > > > "#wbinfo -g" do not list the users
>> > > >
>> > > > 1. Domain joined successfully.
>> > > >
>> > > > # net rpc testjoin -U Administrator
>> > > > Join to 'DOMAIN' is OK
>> > > >
>> > > > 2. wbinfo -a works ( User authentication )
>> > > >
>> > > > # wbinfo -a 'DOMAIN\user'
>> > > > Enter DOMAIN\user's password:
>> > > > plaintext password authentication succeeded
>> > > > Enter DOMAIN\user's password:
>> > > > challenge/response password authentication succeeded
>> > > >
>> > > > 3. wbinfo -u and wbinfo -g list nothing
>> > > >
>> > > > # wbinfo -u
>> > > > # wbinfo -g
>> > > >
>> > > > # wbinfo -r 'DOMAIN\user'
>> > > > Could not get groups for user DOMAIN\user
>> > > >
>> > > > SAMBA config : -
>> > > >
>> > > > [global]
>> > > > workgroup = DOMAIN
>> > > > realm = DOMAIN.BIZ
>> > > > security = ADS
>> > > > password server = EIS
>> > > > printcap name = cups
>> > > > idmap uid = 1000-20000000
>> > > > idmap gid = 1000-20000000
>> > > > winbind enum users = Yes
>> > > > winbind enum groups = Yes
>> > > > winbind use default domain = Yes
>> > > > winbind nss info = rfc2307
>> > > > cups options = raw
>> > > >
>> > > > Versions :-
>> > > >
>> > > > # smbd -V
>> > > > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
>> > > >
>> > > > # winbindd -V
>> > > > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
>> > > >
>> > > > Share your ideas...
>> > > >
>> > > > Regards,
>> > > > Vivek
>> > >
>> > >
>> > >
>> > >
>> > >
>> >
>> >
>> >
>> >
>> >
>>
>>
>>
>