RH 7.0 and Winbind in an NT4.0 domain

Patrick Spinler spinler.patrick at mayo.edu
Tue Feb 27 00:48:07 GMT 2001


Just FYI:

I am still unable to get a working system, running the latest winbindd
out of cvs branch APPLIANCE_TNG today.  From the error "winbindd -d100"
spits at me, I guess that it's a domain trust issue (since my
workstation is in one domain 'RCHWKS', and my test domain id is in a
second domain 'MC', which 'RCHWKS' trusts).  It's only a wild ass guess,
though.

(winbind log info from a pam login attempt here)
  adding trusted domain MC
  adding trusted domain RCH
  server: dc=RWKSRV00, pwdb_init=1, lsa_hnd=1
  RCH: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
  MC: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
  RCHWKS: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
  accepted socket 10
  [ 1220]: pam auth mc/pjs11
  could not get trust password for domain MC

I can see some intriguing stuff with the wbinfo command, but getent
passwd (or group) shows nothing beyond my local passwd/group database.

I just did a little tracing through the code.  The "could not get trust
account password" error is being generated because the trust password is
not in the secrets database 

 nsswitch/winbindd_misc.c:_get_trust_account_passwd()
   calling
   secrets/secrets.c:secrets_fetch()

but I'm unclear where in the code path, if anywhere, the domain trust
account is supposed to be obtained and stored in the secrets database.

More investigation as time permits.  If anyone has any clues, please
help.

-- Pat

Shaun Cloherty wrote:
> 
> Patrick Spinler wrote:
> 
> > Shaun:
> >
> > I'm trying to get a very similar configuration working (rh 6.2 instead
> > of 7.0, though).
> >
> > First, it sounds like you may have a basic samba configuration issue.
> > smbd and nmbd not starting is the first thing I'd look into.  Do you
> > have samba installed where the init.d/smb script expects ?  It sounds
> > like that script isn't finding smbd/nmbd.
> 
> Correct, I added the path to the top of the init.d/smb script, and smbd and
> nmbd now start without a problem. I also modified the script to launch the
> winbindd daemon... very nice.
> 
> > Second, I don't think that your domain membership for these machines is
> > going to do you any good.  Specifically, the dual boot is going to muck
> > you up.  Both halves of the machine can't be members in the nt domain
> > under the same machine account unless you have a magic way for both
> > sides to share the same machine password entry (in winnt registry and
> > linux /etc/.../DOMAIN.MACHINE.mac file)
> 
> Humm... I'm not sure what happens on the NT side, I'm not much of an NT user.
> Perhaps you are right, but I now have 'getent passwd' spewing out a list of
> local users and a list of NT domain users... which is what I wanted. Actually
> authenticating the NT users to login  is another matter... is that where this
> .mac file becomes an issue?
> 
> > Third, it looks like your getent command is hanging on input from
> > winbindd.
> 
> Correct again, it turns out that a defunct winbindd process was still hanging
> around tying up the pipe... killed it and the problem vanished.
> 
> My next challenge is to force authentication via winbindd against the NT
> server. I've been struggling with the PAM documentation all weekend, and
> still don't really know what I'm doing...
> 
> > Someone suggested to me that I dump the precompiled winbindd and
> > recompile from the APPLIANCE_TNG cvs branch.  I'm going to give that a
> > try today or tomorrow.
> 
> Let me know how you get on, I attempted to compile from the .tar.gz appliance
> source, but never had much success, in desperation I installed the
> precompiled package.
> 
> Shaun
> 
> --
> Shaun Cloherty
> Graduate School of Biomedical Engineering
> University of New South Wales

-- 
      This message does not represent the policies or positions
	     of the Mayo Foundation or its subsidiaries.
  Patrick Spinler			email:	Spinler.Patrick at Mayo.EDU
  Mayo Foundation			phone:	507/284-9485
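
A triage pass over the "winbindd -d100" lines quoted in the message above, as an added example (not code from the post or from Samba). It assumes from the field names that an empty dc= and got_sid=0 mean no domain controller or SID was recorded for that domain; the function names are hypothetical.

```python
import re

# Log lines copied from the message above (winbindd -d100 during a PAM login).
SAMPLE_LOG = """\
adding trusted domain MC
adding trusted domain RCH
server: dc=RWKSRV00, pwdb_init=1, lsa_hnd=1
RCH: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
MC: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
RCHWKS: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
accepted socket 10
[ 1220]: pam auth mc/pjs11
could not get trust password for domain MC
"""

# Per-domain state line; the "server:" line has different fields and is skipped.
DOMAIN_RE = re.compile(r"^(\w+): dc=(\S*), got_sid=(\d), sam_hnd=(\d) sam_dom_hnd=(\d)$")
AUTH_RE = re.compile(r"^\[\s*\d+\]: pam auth (\S+)/(\S+)$")
TRUST_RE = re.compile(r"^could not get trust password for domain (\S+)$")

def triage(log_text):
    """Return (domain_state, findings) parsed from winbindd debug lines."""
    domains, findings, last_auth = {}, [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := DOMAIN_RE.match(line):
            name, dc, sid, sam, sam_dom = m.groups()
            domains[name] = {"dc": dc or None, "got_sid": sid == "1",
                             "sam_open": sam == "1" and sam_dom == "1"}
        elif m := AUTH_RE.match(line):
            last_auth = {"domain": m[1].upper(), "user": m[2]}
        elif m := TRUST_RE.match(line):
            dom = m[1].upper()
            # Tie the failure to the preceding PAM request if the domain matches.
            user = last_auth["user"] if last_auth and last_auth["domain"] == dom else None
            findings.append({"domain": dom, "user": user, "reason": "no trust password"})
    return domains, findings

def unresolved(domains):
    """Domains for which neither a DC name nor a SID was recorded."""
    return sorted(d for d, s in domains.items() if s["dc"] is None and not s["got_sid"])

if __name__ == "__main__":
    doms, issues = triage(SAMPLE_LOG)
    print("unresolved domains:", unresolved(doms))
    for issue in issues:
        print("auth failure:", issue)
```
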
