[Samba] still winbind! plz...
antonio.nikolic at ibk-consult-gmbh.de
Wed Aug 7 08:24:02 GMT 2002
I tried the RedHat-style system-auth on my pam.d/login file (debian) and it did
not really help me with the security stuff, though another problem has
been fixed (double password-prompts and things like that) - thanx a
lot for that :-] !!

But another thing I found out recently is that there seems to be a
limitation to the username-length!! The problem was, that I just could
not log in as "Administrator" or "domaintester" but as "schnulli" or
"tester" it worked fine! I renamed "Administrator" to "Administra" and
it worked well (in spite of the "Secret is Bad"-stuff).

Okay, the W2k Domainname is quite long ( 20 characters !!!) so my
guess is, that the combination of both, domainname and username is
truncated before it is sent over the network. One should verify this
by looking into the source, but it would take too long for me to find
out the right piece of code - so maybe a developer would chance to comment

Probably this also is the point of the "bad-Secret" thing, because
winbindd cannot connect as administrator or anything... But why does
then wbinfo -u and login in general work?? And why did it then not
work after I secondly renamed "Administra" to "root" and joined the
domain once again and gave wbinfo -A root%... to winbindd?

The main problem remains: I cannot log on to a samba share as a
domainuser, samba still states it could not fetch trust account for
domain (xy[20charsLong]) and I have the impression it won't do until
wbinfo -t "Secret is OK" [or whatever output which is the opposite
of "Secret is bad" - Never have seen the positive one ;-) ]

My next step will be to set up W2K Domainname to a shorter, more
practical one, but I doubt about its positive effect on the
MJ> I had the same problem, I fixed it by modifying the
MJ> auth required /lib/security/pam_env.so
MJ> auth sufficient /lib/security/pam_winbind.so
MJ> auth sufficient /lib/security/pam_unix.so likeauth nullok
MJ> auth required /lib/security/pam_deny.so
MJ> account sufficient /lib/security/pam_winbind.so
MJ> account required /lib/security/pam_unix.so
MJ> password required /lib/security/pam_cracklib.so retry=3
MJ> password sufficient /lib/security/pam_unix.so nullok use_authtok md5
MJ> password required /lib/security/pam_deny.so
MJ> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
MJ> session required /lib/security/pam_limits.so
MJ> session required /lib/security/pam_unix.so
MJ> this should let winbind talk to the pdc. but, you need to run the
MJ> smbpasswd (join to domain again) command. I don't remember off the top of
MJ> my head the exact syntax. a lot of the instructions say to take the
MJ> computer out of the domain and then re-add it through the samba box, I
MJ> didn't find it necessary, just run the smbpasswd command again. make sure
MJ> you: service smb stop, service winbind stop, then run smbpasswd. then
MJ> service smb start, service winbind start and see what happens.
MJ> also, I don't know if this system-auth file is perfect, I'm still having
MJ> trouble getting security=domain and adding groups to the write list in the
MJ> smb.conf. but I don't think it's the system-auth file, but I have to do
MJ> some more digging.
MJ> this should make your secret problem go away, if not let me know.
MJ> Matt Jamison
MJ> On Wed, 7 Aug 2002, Antonio Nikolic wrote:
>> Hi everybody,
>> I still have trouble gettin' winbind running correctly and as time
>> passes by and all documentation and mailing lists have been read,
>> things are getting really urgent...
>> I think I should abstract the problem to the minimum:
>> winbind is up and running,
>> wbinfo -u works,
>> getenv password works,
>> wbinfo -t states that
>> ---> Secret is bad
>> and winbind-logfile says to check the machineaccount,
>> samba-logfile comments my attempt to access a share as follows:
>> "could not fetch trust account password for domain xy"
>> Server is a Windows2000 Advanced one..
>> machine account from the samba-server is visible in "Computers"
>> after having successfully joined the domain.
>> I tried several setups with
>> 2.2.5, 2.2.4 (selfcompiled)
>> and 2.2.3a (debian-sid package)
>> every time the same. So I guess something with the configuration is
>> missing; perhaps I have to make changes in the W2k-Server
>> Now - is there anybody out there, who knows how to solve this one?
>> I've been around several mailing lists and everyone's just asking this
>> kind of question about trust-account, but no one got answers...
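
Added example, not part of the original thread and not Samba or Linux-PAM code: a simplified model of how Linux-PAM walks the auth lines of the system-auth file quoted above, showing which modules are consulted before a decision is reached. The module outcomes passed to evaluate() are assumptions supplied by the caller, and only the required/requisite/sufficient/optional keywords are modelled (a successful "optional" module is not counted).

```python
# Added example: simplified model of Linux-PAM control flags, applied to the
# auth lines of the system-auth file quoted in this thread.
AUTH_STACK = """\
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required   /lib/security/pam_deny.so
"""


def parse(text, facility):
    """Return [(control, module_name)] for one facility, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def evaluate(stack, outcomes):
    """Return (granted, modules_consulted).

    outcomes maps module name -> True/False and is an assumption supplied by
    the caller; pam_deny.so always fails, unknown modules count as failures.
    """
    required_failed = False
    any_success = False
    consulted = []
    for control, module in stack:
        ok = module != "pam_deny.so" and outcomes.get(module, False)
        consulted.append(module)
        if ok:
            if control == "sufficient" and not required_failed:
                return True, consulted      # stop here, later modules skipped
            if control in ("required", "requisite"):
                any_success = True
        elif control == "requisite":
            return False, consulted         # fail immediately
        elif control == "required":
            required_failed = True          # fail later, keep walking
        # a failed "sufficient" or "optional" module is ignored
    return (any_success and not required_failed), consulted


if __name__ == "__main__":
    stack = parse(AUTH_STACK, "auth")
    print(evaluate(stack, {"pam_env.so": True, "pam_winbind.so": True}))
    print(evaluate(stack, {"pam_env.so": True}))
```

With this ordering a successful pam_winbind.so ends the walk before pam_unix.so is consulted, and pam_deny.so is reached only when both sufficient modules have failed.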