interdomain trust rpc error (error in winbindd?)

Jeremy Drake jeremyd at apptechsys.com
Wed Jul 30 20:48:34 GMT 2003


I'll cut right to the point.  I set up winbind on a samba PDC which trusts 
a win2k domain running in mixed mode.  I can do "getent passwd" and I see 
the domain users, and the same for group.  The problem comes when I try to 
authenticate a user from the trusted domain.  Note that this seems to work 
properly with a win2k domain member.  I get no meaningful errors from 
anyone other than  NT_STATUS_NO_LOGON_SERVERS.  When I start "winbindd -d 
100", I get tons of info, the meaningful piece is pasted here:

[2003/07/30 13:38:00, 3] rpc_client/cli_pipe.c:rpc_api_pipe(456)
  Bind NACK received on pipe 4005!
[2003/07/30 13:38:00, 2] rpc_client/cli_pipe.c:cli_nt_establish_netlogon(1580)
  rpc bind to \PIPE\NETLOGON failed
...
[2003/07/30 13:38:00, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(354)
  could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
[2003/07/30 13:38:00, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(422)
  NTLM CRAP authentication for user [ATS]\[jeremyd] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)


The tcp dump shows it does indeed receive a "DCERPC Bind_nak: call_id: 
65538 reason: Unknown (9)" from the pdc of the win2k domain.

Last but not least, my smb.conf (very simple so far)

Thanks for reading this -- I figured that samba-technical would be
appropriate for this since I have such detailed problems.  I have complete
tcpdump logs for traffic between samba and win2k pdcs, as well as from a
functioning trust with a winnt domain (which samba will replace if we get
this trust working) available upon request, as are complete logs (and 
most any other info required).  

The nt4 domain receives the same error, but then goes on to do some
RPC_NETLOGON traffic (as reported by tcpdump) and tries again, and this
time it works.

I am not on the list, so please cc me on all replies.  Thanks

Jeremy

-------
[global]

   workgroup = TESTDOM
   server string = Samba Server %v
   log file = /data/local/jeremyd2/progs/var/log.%m
   max log size = 50
   security = user
   encrypt passwords = yes

   socket options = TCP_NODELAY
   domain master = yes
   domain logons = yes
   # address has been changed from real one
   wins server = 192.168.123.130
   dns proxy = no

######## winbind settings #######
   winbind separator = +
   winbind uid = 20000-30000
   winbind gid = 20000-30000
   winbind enum users = yes
   winbind enum groups = yes

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
   comment = Network Logon Service
   path = /data/local/jeremyd2/progs/lib/netlogon
   guest ok = yes
   writable = no
   share modes = no


[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes


-- 
Rule of the Great:
	When people you greatly admire appear to be thinking deep
	thoughts, they probably are thinking about lunch.
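
As an added example (not part of the original post and not Samba code): a small Python triage script that parses winbindd debug output like the excerpt in the post, tolerating headers and messages wrapped by a mail client, and pairs each failed logon with the most recent failed bind to \PIPE\NETLOGON. The function names and the result layout are assumptions made for illustration.

```python
import re

# Sample taken from the excerpt in the post, with mail-style line wrapping kept.
SAMPLE = r"""[2003/07/30 13:38:00, 3] rpc_client/cli_pipe.c:rpc_api_pipe(456)
  Bind NACK received on pipe 4005!
[2003/07/30 13:38:00, 2]
rpc_client/cli_pipe.c:cli_nt_establish_netlogon(1580)
  rpc bind to \PIPE\NETLOGON failed
...
[2003/07/30 13:38:00, 2]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(422)
  NTLM CRAP authentication for user [ATS]\[jeremyd] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
"""

# "[timestamp, level] file:function(line)"; the location may be wrapped away.
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\]\s*(\S+)?\s*$")
BIND_FAIL = re.compile(r"bind to \\PIPE\\NETLOGON failed")
AUTH = re.compile(r"user \[(.+?)\]\\\[(.+?)\] returned (NT_STATUS_\w+)")

def parse_entries(text):
    """Split a Samba debug log into entries, rejoining wrapped lines."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m[1], "level": int(m[2]),
                            "where": m[3] or "", "msg": ""})
        elif entries and line and line != "...":
            e = entries[-1]
            if not e["where"]:      # source location wrapped onto its own line
                e["where"] = line
            else:                   # message text, possibly over several lines
                e["msg"] = (e["msg"] + " " + line).strip()
    return entries

def failed_logons(entries):
    """List failed logons with the last NETLOGON bind failure seen before each."""
    findings, bind_failed_at = [], None
    for e in entries:
        if BIND_FAIL.search(e["msg"]):
            bind_failed_at = e["ts"]
        m = AUTH.search(e["msg"])
        if m and m[3] != "NT_STATUS_OK":
            findings.append({"ts": e["ts"], "domain": m[1], "user": m[2],
                             "status": m[3],
                             "netlogon_bind_failed_at": bind_failed_at})
    return findings

if __name__ == "__main__":
    for finding in failed_logons(parse_entries(SAMPLE)):
        print(finding)
```

A finding whose `netlogon_bind_failed_at` is set points at the RPC bind to the trusted domain's controller rather than at the user's credentials.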


