[Samba] still winbind! plz...

Antonio Nikolic antonio.nikolic at ibk-consult-gmbh.de
Wed Aug 7 08:24:02 GMT 2002


Hi Matt!

thank you,
I tried the RedHat-style system-auth on my pam.d/login file (debian) and it did
not really help me with the security stuff, though another problem has
been fixed (double password-prompts and things like that) - thanx a
lot for that :-] !!

But another thing I found out recently is that there seems to be a
limitation to the username-length!! The problem was, that I just could
not log in as "Administrator" or "domaintester" but as "schnulli" or
"tester" it worked fine! I renamed "Administrator" to "Administra" and
it worked well (in spite of the "Secret is Bad"-stuff).
Okay, the W2k Domainname is quite long ( 20 characters !!!) so my
guess is, that the combination of both, domainname and username is
truncated before it is sent over the network. One should verify this
by looking into the source, but it would take too long for me to find
out the right piece of code - so maybe a developer would have a chance to comment
on this phenomenon...
Probably this also is the point of the "bad-Secret" thing, because
winbindd cannot connect as administrator or anything... But why do
then wbinfo -u and login in general work?? And why did it then not
work after I secondly renamed "Administra" to "root" and joined the
domain once again and gave wbinfo -A root%... to winbindd?
strangestrangestrangestrange..

The main problem remains: I cannot log on to a samba share as a
domainuser, samba still states it could not fetch trust account for
domain (xy[20charsLong]) and I have the impression it won't do until
wbinfo -t "Secret is OK" [or whatever output which is the opposite
of "Secret is bad" - Never have seen the positive one ;-) ]

My next step will be to set up W2K Domainname to a shorter, more
practical one, but I doubt about its positive effect on the
problem...

greetings
tony


MJ> I had the same problem, I fixed it by modifying the 
MJ> /etc/pam.d/system-auth  


MJ> auth        required      /lib/security/pam_env.so
MJ> auth        sufficient    /lib/security/pam_winbind.so
MJ> auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
MJ> auth        required      /lib/security/pam_deny.so

MJ> account     sufficient    /lib/security/pam_winbind.so
MJ> account     required      /lib/security/pam_unix.so

MJ> password    required      /lib/security/pam_cracklib.so retry=3
MJ> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
MJ> password    required      /lib/security/pam_deny.so

MJ> session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
MJ> session     required      /lib/security/pam_limits.so
MJ> session     required      /lib/security/pam_unix.so


MJ> this should let winbind talk to the pdc. but, you need to run the 
MJ> smbpasswd (join to domain again)  command.  I don't remember off the top of 
MJ> my head the exact syntax.  a lot of the instructions say to take the 
MJ> computer out of the domain and then re-add it through the samba box, I 
MJ> didn't find it necessary, just run the smbpasswd command again.  make sure 
MJ> you: service smb stop, service winbind stop, then run smbpasswd.  then 
MJ> service smb start, service winbind start  and see what happens.

MJ> also, I don't know if this system-auth file is perfect, I'm still having 
MJ> trouble getting security=domain and adding groups to the write list in the 
MJ> smb.conf.  but I don't think it's the system-auth file, but I have to do 
MJ> some more digging.  

MJ> this should make your secret problem go away, if not let me know.

MJ> Matt Jamison


MJ> On Wed, 7 Aug 2002, Antonio Nikolic wrote:

>> Hi everybody,
>> 
>> I still have trouble gettin' winbind running correctly and as time
>> passes by and all documentation and mailing lists have been read,
>> things are getting really urgent...
>> 
>> I think i should abstract the problem to the minimum:
>>   winbind is up and running,
>>   wbinfo -u works,
>>   getent passwd works,
>>   wbinfo -t states that
>> --->  Secret is bad
>>   and winbind-logfile says to check the machineaccount,
>>   samba-logfile comments my attempt to access a share as follows:
>>   "could not fetch trust account password for domain xy"
>> 
>>   Server is a Windows2000 Advanced one..
>>   machine account from the samba-server is visible in "Computers"
>>   after having successfully joined the domain.
>> 
>>   I tried several setups with
>>   2.2.5, 2.2.4 (selfcompiled)
>>   and 2.2.3a (debian-sid package)
>>   every time the same. So I guess something with the configuration is
>>   missing; perhaps I have to make changes in the W2k-Server
>>   configuration.
>> 
>> Now - is there anybody out there, who knows how to solve this one?
>> I've been around several mailing lists and everyone's just asking this
>> kind of question about trust-account, but no one got answers...
>> 
>> cheers,
>> tony
>> 
>> 
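An added example, not code from this thread or from the Samba project: a small Python linter run over a constructed copy of the quoted system-auth stack, checking the three things that decide whether a winbind login gets through the PAM stack at all (every module path in one directory, so a typo such as "secutiry" is caught; pam_winbind listed before pam_unix in auth and account; use_first_pass on the pam_unix auth line so the user is not prompted twice).

```python
# Added example, not code from the thread: a linter for a pam.d stack like the
# system-auth MJ quoted. It flags a module path in an unexpected directory (PAM
# then cannot load the module), checks that pam_winbind precedes pam_unix in the
# auth and account stacks, and checks use_first_pass on the pam_unix auth line.
# Constructed sample modelled on the quoted stack, "secutiry" typo included.
SAMPLE_SYSTEM_AUTH = """\
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/secutiry/pam_winbind.so
account     required      /lib/security/pam_unix.so
"""

def parse_pam(text):
    """Return (type, control, module, args) tuples; blank and comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % line)
        entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries

def lint_pam(text):
    """Return a list of findings; an empty list means the stack looks sane."""
    findings = []
    entries = parse_pam(text)
    # 1. Absolute module paths should share one directory; the odd one out is a typo.
    dirs = {}
    for _, _, mod, _ in entries:
        if "/" in mod:
            dirs.setdefault(mod.rsplit("/", 1)[0], []).append(mod)
    common = max(dirs, key=lambda d: len(dirs[d])) if dirs else None
    for d, mods in dirs.items():
        if d != common:
            findings.append("bad module directory %s (expected %s): %s" % (d, common, ", ".join(mods)))
    # 2. Domain users are tried first only if pam_winbind precedes pam_unix.
    for stack in ("auth", "account"):
        mods = [m.rsplit("/", 1)[-1] for t, _, m, _ in entries if t == stack]
        if "pam_winbind.so" not in mods or ("pam_unix.so" in mods and mods.index("pam_winbind.so") > mods.index("pam_unix.so")):
            findings.append("%s stack must list pam_winbind.so before pam_unix.so" % stack)
    # 3. Without use_first_pass, pam_unix prompts for the password a second time.
    for t, _, m, args in entries:
        if t == "auth" and m.endswith("pam_unix.so") and "use_first_pass" not in args:
            findings.append("auth pam_unix.so lacks use_first_pass (double password prompt)")
    return findings
```

Point lint_pam at the contents of your own /etc/pam.d/system-auth (or pam.d/login on Debian) before restarting winbindd; an empty result only means the stack is ordered sanely, not that the machine account secret is valid.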