interdomain trust rpc error (error in winbindd?)
Jeremy Drake
jeremyd at apptechsys.com
Wed Jul 30 20:48:34 GMT 2003
I'll cut right to the point. I set up winbind on a samba PDC which trusts
a win2k domain running in mixed mode. I can do "getent passwd" and I see
the domain users, and the same for group. The problem comes when I try to
authenticate a user from the trusted domain. Note that this seems to work
properly with a win2k domain member. I get no meaningful errors from
anyone other than NT_STATUS_NO_LOGON_SERVERS. When I start "winbindd -d
100", I get tons of info, the meaningful piece is pasted here:
[2003/07/30 13:38:00, 3] rpc_client/cli_pipe.c:rpc_api_pipe(456)
  Bind NACK received on pipe 4005!
[2003/07/30 13:38:00, 2] rpc_client/cli_pipe.c:cli_nt_establish_netlogon(1580)
  rpc bind to \PIPE\NETLOGON failed
...
[2003/07/30 13:38:00, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(354)
  could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
[2003/07/30 13:38:00, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(422)
  NTLM CRAP authentication for user [ATS]\[jeremyd] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
The tcp dump shows it does indeed receive a "DCERPC Bind_nak: call_id:
65538 reason: Unknown (9)" from the pdc of the win2k domain.
Last but not least, my smb.conf (very simple so far)
Thanks for reading this -- I figured that samba-technical would be
appropriate for this since I have such detailed problems. I have complete
tcpdump logs for traffic between samba and win2k pdcs, as well as from a
functioning trust with a winnt domain (which samba will replace if we get
this trust working) available upon request, as are complete logs (and
most any other info required).
The nt4 domain receives the same error, but then goes on to do some
RPC_NETLOGON traffic (as reported by tcpdump) and tries again, and this
time it works.
I am not on the list, so please cc me on all replies. Thanks
Jeremy
-------
[global]
workgroup = TESTDOM
server string = Samba Server %v
log file = /data/local/jeremyd2/progs/var/log.%m
max log size = 50
security = user
encrypt passwords = yes
socket options = TCP_NODELAY
domain master = yes
domain logons = yes
# address has been changed from real one
wins server = 192.168.123.130
dns proxy = no
######## winbind settings #######
winbind separator = +
winbind uid = 20000-30000
winbind gid = 20000-30000
winbind enum users = yes
winbind enum groups = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /data/local/jeremyd2/progs/lib/netlogon
guest ok = yes
writable = no
share modes = no
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
--
Rule of the Great:
When people you greatly admire appear to be thinking deep
thoughts, they probably are thinking about lunch.
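
Added example, not part of the original post and not Samba code: a small triage script that parses winbindd debug-log records in the format quoted above and flags each failed authentication that coincides with a failed bind to \PIPE\NETLOGON. The function names are hypothetical; the sample is constructed from the log excerpt in the post, with some headers wrapped onto a second line as mail clients tend to do.

```python
import re

# Constructed sample: the log records quoted in the post. Some headers are
# wrapped so that file:function(line) sits on the line after the timestamp.
SAMPLE = r"""[2003/07/30 13:38:00, 3] rpc_client/cli_pipe.c:rpc_api_pipe(456)
Bind NACK received on pipe 4005!
[2003/07/30 13:38:00, 2]
rpc_client/cli_pipe.c:cli_nt_establish_netlogon(1580)
rpc bind to \PIPE\NETLOGON failed
[2003/07/30 13:38:00, 3]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(354)
could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
[2003/07/30 13:38:00, 2]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(422)
NTLM CRAP authentication for user [ATS]\[jeremyd] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:(\w+)\(\d+\)$")

def parse_records(text):
    """Return a list of dicts {time, level, func, msg}, one per log record."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            loc = LOCATION.match(m.group(3))
            cur = {"time": m.group(1), "level": int(m.group(2)),
                   "func": loc.group(1) if loc else None, "msg": ""}
            records.append(cur)
        elif cur is not None:
            loc = LOCATION.match(line.strip())
            if cur["func"] is None and not cur["msg"] and loc:
                cur["func"] = loc.group(1)  # header was wrapped onto this line
            else:  # message text, possibly spread over several lines
                cur["msg"] = (cur["msg"] + " " + line.strip()).strip()
    return records

def netlogon_bind_failures(records):
    """List failed auths as (time, domain, user, status, bind_failed_same_second)."""
    binds = {r["time"] for r in records if "NETLOGON failed" in r["msg"]}
    user = re.compile(r"user \[(.*?)\]\\\[(.*?)\] returned (NT_STATUS_\w+)")
    out = []
    for r in records:
        m = user.search(r["msg"])
        if m and m.group(3) != "NT_STATUS_OK":
            out.append((r["time"], m.group(1), m.group(2), m.group(3), r["time"] in binds))
    return out
```

Calling netlogon_bind_failures(parse_records(SAMPLE)) returns one entry for ATS\jeremyd whose last field is True, meaning the NT_STATUS_NO_LOGON_SERVERS result shares a timestamp with the rejected NETLOGON bind.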