RH 7.0 and Winbind in an NT4.0 domain

Patrick Spinler spinler.patrick at mayo.edu
Tue Feb 27 00:53:02 GMT 2001


Question:

Is there an easy way to dump the contents of the secrets database and
see what _is_ there ?

Thanks,
-- Pat

Patrick Spinler wrote:
> 
> Just FYI:
> 
> I am still unable to get a working system, running the latest winbindd
> out of cvs branch APPLIANCE_TNG today.  From the error "winbindd -d100"
> spits at me, I guess that it's a domain trust issue (since my
> workstation is in one domain 'RCHWKS', and my test domain id is in a
> second domain 'MC', which 'RCHWKS' trusts).  It's only a wild ass guess,
> though.
> 
> (winbind log info here from a pam login attempt here)
>   adding trusted domain MC
>   adding trusted domain RCH
>   server: dc=RWKSRV00, pwdb_init=1, lsa_hnd=1
>   RCH: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
>   MC: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
>   RCHWKS: dc=, got_sid=0, sam_hnd=0 sam_dom_hnd=0
>   accepted socket 10
>   [ 1220]: pam auth mc/pjs11
>   could not get trust password for domain MC
> 
> I can see some intriguing stuff with the wbinfo command, but getent
> passwd (or group) shows nothing beyond my local passwd/group database.
> 
> I just did a little tracing through the code.  The "could not get trust
> account password" error is being generated because the trust password is
> not in the secrets database
> 
>  nsswitch/winbindd_misc.c:_get_trust_account_passwd()
>    calling
>    secrets/secrets.c:secrets_fetch()
> 
> but I'm unclear where in the code path, if anywhere, the domain trust
> account is supposed to be obtained and stored in the secrets database.
> 
> More investigation as time permits.  If anyone has any clues, please
> help.
> 
> -- Pat
> 
> Shaun Cloherty wrote:
> >
> > Patrick Spinler wrote:
> >
> > > Shaun:
> > >
> > > I'm trying to get a very similar configuration working (rh 6.2 instead
> > > of 7.0, though).
> > >
> > > First, it sounds like you may have a basic samba configuration issue.
> > > smbd and nmbd not starting is the first thing I'd look into.  Do you
> > > have samba installed where the init.d/smb script expects ?  It sounds
> > > like that script isn't finding smbd/nmbd.
> >
> > Correct, I added the path to the top of the init.d/smb script, and smbd and
> > nmbd now start without a problem. I also modified the script to launch the
> > winbindd daemon... very nice.
> >
> > > Second, I don't think that your domain membership for these machines is
> > > going to do you any good.  Specifically, the dual boot is going to muck
> > > you up.  Both halves of the machine can't be members in the nt domain
> > > under the same machine account unless you have a magic way for both
> > > sides to share the same machine password entry (in winnt registry and
> > > linux /etc/.../DOMAIN.MACHINE.mac file)
> >
> > Humm... I'm not sure what happens on the NT side, I'm not much of an NT user.
> > Perhaps you are right, but I now have 'getent passwd' spewing out a list of
> > local users and a list of NT domain users... which is what I wanted. Actually
> > authenticating the NT users to login  is another matter... is that where this
> > .mac file becomes an issue?
> >
> > > Third, it looks like your getent command is hanging on input from
> > > winbindd.
> >
> > Correct again, it turns out that a defunct winbindd process was still hanging
> > around tying up the pipe... killed it and the problem vanished.
> >
> > My next challenge is to force authentication via winbindd against the NT
> > server. I've been struggling with the PAM documentation all weekend, and
> > still don't really know what I'm doing...
> >
> > > Someone suggested to me that I dump the precompiled winbindd and
> > > recompile from the APPLIANCE_TNG cvs branch.  I'm going to give that a
> > > try today or tomorrow.
> >
> > Let me know how you get on, I attempted to compile from the .tar.gz appliance
> > source, but never had much success, in desperation I installed the
> > precompiled package.
> >
> > Shaun
> >
> > --
> > Shaun Cloherty
> > Graduate School of Biomedical Engineering
> > University of New South Wales
> 
> --
>       This message does not represent the policies or positions
>              of the Mayo Foundation or its subsidiaries.
>   Patrick Spinler                       email:  Spinler.Patrick at Mayo.EDU
>   Mayo Foundation                       phone:  507/284-9485

-- 
      This message does not represent the policies or positions
	     of the Mayo Foundation or its subsidiaries.
  Patrick Spinler			email:	Spinler.Patrick at Mayo.EDU
  Mayo Foundation			phone:	507/284-9485



