how to force the winbind authentication in AD? (without he enum of users and groups)

jiri sasek - Sun Microsystems - Prague Czech Republic Jiri.Sasek at Sun.COM
Thu Jan 17 22:31:56 GMT 2008

Hello samba folks

I have a problem authenticating the smbd session without the "winbind 
enum users " set "yes". There is 2-way non-transitive interdomain trust 
between the SMBSETUP and MOUREK and for instance the "MOUREK\jura" can 
logon on the "WXPTST"(@SMBSETUP) machine as far as "SMBSETUP\jurasek" 
can logon so the trust seems works.

"smbd" can not authenticate samba session. Can anybody help to point me 
how to trace the /var/samba/locks/winbindd_privileged/pipe traffic for 

Thank you in advance for any help



----- details  ------
I have the following smb.conf:

    security = ads
    auth methods = winbind guest sam
    workgroup = SMBSETUP
    use kerberos keytab = true
    server string = Samba 3.0.28 ADS

  # winbind configuration:

    winbind separator = \\

    idmap domains = SMBSETUP MOUREK

    idmap config SMBSETUP:backend = rid
    idmap config SMBSETUP:base_rid  = 1000
    idmap config SMBSETUP:range = 10000 - 29999

    idmap config MOUREK:backend = rid
    idmap config MOUREK:base_rid  = 1000
    idmap config MOUREK:range = 30000 - 49999


wbinfo -u -g dumps correctly the users/groups from both domains

also the iud can be obtain by the:

-bash-3.00# /usr/sfw/bin/wbinfo -n 'MOUREK\jura'
S-1-5-21-3750146957-173258023-4083698037-1109 User (1)
-bash-3.00# /usr/sfw/bin/wbinfo -S 

so everything seems to be working but when I am attaching from the 
workstation "WXPTST" which is attached in the "SMBSETUP" domain I can 
not authenticate "smbd" session. Picking up from the "log.wxptst"

[2008/01/17 23:16:47, 5] auth/auth_util.c:(161)
   make_user_info_map: Mapping user []\[] from workstation [WXPTST]

...user seems not to be known and the winbind authentication forced as 
first is failing:

[2008/01/17 23:16:47, 5] auth/auth.c:(273)
   check_ntlm_password: winbind authentication for user [] FAILED with 

later the NTLM2 gives a bit better result:

[2008/01/17 23:16:48, 3] libsmb/ntlmssp.c:(739)
   Got user=[jura] domain=[MOUREK] workstation=[WXPTST] len1=24 len2=24

but "winbind enum users" is not set so even if:

[2008/01/17 23:16:48, 5] lib/username.c:(131)
   Finding user MOUREK\jura

...authentication is failing:

[2008/01/17 23:16:48, 6] auth/auth_sam.c:(414)
   check_samstrict_security: MOUREK is not one of my local names 


[2008/01/17 23:16:48, 2] auth/auth.c:(319)
   check_ntlm_password:  Authentication for user [jura] -> [jura] FAILED 


More information about the samba-technical mailing list