[Samba] Two questions: 'wbinfo -a' & NT/2k APW

Manuel Gomez ERG at e-r-solutions.com
Fri Apr 12 19:59:03 GMT 2002 

Greetings,

Brief preamble: this list is a fantastic resource.  I've been lurking and
have learned a lot, but I haven't seen anyone ask the following:

First, my environment: a single Debian Linux (kernel 2.2.18) Samba server
(version 2.2.2debian-2) in the midst of an NT 4 domain.  I have successfully
configured Winbindd such that my NT domain user names and groups are able to
be used for all things Samba, and for console logon, as well.  

One problem is that when I try to use 'wbinfo -a' to test the domain
password validation, I see the following:

    plaintext password authentication succeeded
    challenge/response password authentication failed
    Could not authenticate user DOMAIN+User%password with challenge/response

Does anyone know why this may be?  Or perhaps this is normal, and my lack of
experience prevents me from seeing it as such?  I have a wildly speculative
hypothesis that this may be related to some difficulties we have been having
using DOS LanMan clients with the same Samba server (I don't have enough
details about those problems to ask about them... Yet).

Another (smaller[?]) issue that I'm having with Winbind is the naming of
groups.  I have an NT Domain group called "Domain Admins" (surprise!), and
yet, when I 'wbinfo -r DOMAIN+User' (to get the GIDs of a user's domain
groups) and then input, for example, 'wbinfo -s `wbinfo -G 10000`' (to
convert GIDs to SIDs and then SIDs to human-readable group names) the
resulting groups are labeled as: "DOMAIN+Domain Admins 2" and "DOMAIN+Domain
Users 2"; and yet, when I use 'smbstatus' it shows group memberships for
clients connected to shares without the trailing number.  Is this an
indication that Winbindd has twice mapped my domain groups to Linux GIDs?
Am I overlooking something obvious (just not obvious to me)?

OK, the second issue is more interesting (to me).  I'm trying to set up a
printer for use with my NT4 & 2k clients.  I have CUPS set up as the
spooling subsystem, and I have confirmed that it works properly.  If I set
'disable spoolss = yes' then I can print successfully from 2k (haven't
tested NT).  I can even print when I set 'disable spoolss = no'.  However,
problems arise when trying to use the NT/2k Add Printer Wizard: it never
appears in the Printers share on my server.  When I tail the log.smbd I see:

[TIMESTAMP]              smbd/service.c:make_connection(239)
  [client hostname] ([client IP address]) couldn't find service
::{[mysterious SID]}
(substitutions are surrounded by [])

Finally, I tried resolving the SID in the log to a domain group or user, to
no avail.  My current thinking is that my domain group is not resolving
properly to a Linux GID.  In my smb.conf, I have 'printer admin =
root,@"DOMAIN+Domain Admins".  SWAT does not like those double quotes one
bit, and I haven't confirmed that it's working at all (see above, as well).

This is the point at which I have exhausted my Samba knowledge and cast
myself on the mercy of this list.  Anybody have any suggestions, hints, tips
or recommendations on one or more of the above issues?

Thank you all,
Manuel Gomez

More information about the samba mailing list