user authentication issues with samba4-beta5 as a member server

Jean Raby jraby at inverse.ca
Thu Sep 6 07:59:58 MDT 2012


On 12-09-05 7:17 PM, Andrew Bartlett wrote:
>> Alright, I tested this again with beta8 and /usr/sbin/samba won't even
>> start when configured as a member server.
>> So I guess the release notes were right;-)
>>
>> We've been using samba as a DC along with openchange and sogo and it
>> works pretty well for our development needs, but we're trying to find a
>> way to integrate that with existing domains with a windows DC.
>>
>> At first I thought that we'd simply have to join samba as a member
>> server, but obviously, that won't work for now.
> It is meant to still permit a startup in this situation.  Is there any
> chance you could debug the code in source4/smbd/server.c that imposes
> this restriction and work out why it doesn't allow you to start up?
Indeed, samba will start if 'dcerpc endpoint servers' contains 'mapiproxy'.
It didn't work in my tests since I was using a minimal smb.conf without 
this parameter.

However, I get the same behavior when trying to authenticate a user 
using wbinfo -K :

wbsrv_samba3_pam_auth called
wb_sid2domain_send called
wb_sid2domain_send called
         seed        5e6aa7e2:daa2ed4a
         seed+time   aeb3513a:daa2ed4a
         CLIENT      61dd86df:7ac44384
         seed+time+1 aeb3513b:daa2ed4a
         SERVER      97d78633:4efdf572
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.0.21
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.0.50
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED

>
>> Are there any other options that we could try to be able to authenticate
>> users against an existing domain short of joining samba as a DC?
>> Or if it is not possible at all right now, is this something that might
>> be implemented in the foreseeable future?
>>
>> Like I said earlier, we need to use 'samba' instead of smbd since we
>> need to use the following configuration parameters, which I think are
>> only available with the samba daemon :
>>
>>     dcerpc endpoint servers = epmapper, mapiproxy
>>     dcerpc_mapiproxy:server = true
>>     dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
> The winbindd issues we still need to sort out, but if the Openchange
> folks expect this to work from their end, then we will keep the Samba
> side available.  The startup check is just to try and avoid user
> confusion from our broader user base.
Do you expect to be able to sort the winbindd issue before the samba4 
release or will it be part of a later release?

-- 
Jean

