[Samba] winbindd almost working, perhaps ?

Jonathan Ungar Jonathan.Ungar at grassroots.com
Wed Feb 6 00:30:03 GMT 2002


samba 2.2.3 on RH7.2, trying to authenticate users from a windows 2000 domain, all SP2 DCs.


just to show I've gotten pretty far, I think: here's what works:

1. browsing the linux box from windows machines on the domain:

	H:\>net view \\newintranet
	Shared resources at \\newintranet

	Intranet Samba Server

	Share name   Type         Used as  Comment

	------------------------------------------------------------
	webdata      Disk         J:       Intranet web server data
	The command completed successfully. 


2. winbindd binding to domain DCs:

	[root@newintranet samba]# winbindd -d 3 -i
	added interface ip=10.1.4.7 bcast=10.1.255.255 nmask=255.255.0.0
	getting trusted domain list
	resolve_lmhosts: Attempting lmhosts lookup for name GRASSROOTS<0x1c>
	resolve_wins: Attempting wins lookup for name GRASSROOTS<0x1c>	
	resolve_wins: WINS server resolution selected and no WINS servers listed.	
	name_resolve_bcast: Attempting broadcast lookup for name GRASSROOTS<0x1c>
	bind succeeded on port 0
	Got a positive name query response from 10.1.4.2 ( 10.1.4.2 )
	Got a positive name query response from 10.1.4.3 ( 10.1.4.3 )
	bind succeeded on port 0
	resolve_lmhosts: Attempting lmhosts lookup for name ADSF01<0x20>
	resolve_hosts: Attempting host lookup for name ADSF01<0x20>
	IPC$ connections done anonymously
	Connecting to 10.1.4.2 at port 445
	adding domain GRASSROOTS

(although, what's that bit about 'WINS server resolution selected' ?  WINS server resolution is certainly not "selected" in smb.conf... I wonder what this is about - or if it even matters...)



OK, what doesn't work:

Nothing's actually getting written to /etc/passwd or /etc/group.  Here's output from winbindd -d 3 -i as I browse the linux machine from a win2k machine on the domain (I intentionally did this with a 'testuser' account rather than my own, which is in the Domain Admins NT group and already has an account on the Linux box with the same username/password - gee, should I get rid of that and let winbindd add my domain user account instead ?  uhhh...)

***

[25091]: getpwnam GRASSROOTS+testuser
CACHESEQ GRASSROOTS/USR/testuser is 4294967295
resolve_lmhosts: Attempting lmhosts lookup for name ADSF01<0x20>
resolve_hosts: Attempting host lookup for name ADSF01<0x20>
IPC$ connections done anonymously
Connecting to 10.1.4.2 at port 445
CACHESEQ GRASSROOTS/SID/GRASSROOTS\testuser is 4294967295
cached sequence number for GRASSROOTS is 4294967295
cached sequence number for GRASSROOTS is 4294967295
cached sequence number for GRASSROOTS is 4294967295
resolve_lmhosts: Attempting lmhosts lookup for name ADSF01<0x20>
resolve_hosts: Attempting host lookup for name ADSF01<0x20>
IPC$ connections done anonymously
Connecting to 10.1.4.2 at port 445
pwnam_from_user(): error getting user info for user 'testuser'
cached sequence number for GRASSROOTS is 4294967295
[25091]: getpwnam testuser
[25091]: getpwnam TESTUSER
[25091]: getpwnam testuser
[25091]: getpwnam TESTUSER
[25091]: getpwnam testuser
[25091]: getpwnam TESTUSER
[25091]: getpwnam testuser
[25091]: getpwnam TESTUSER
[25091]: getgroups nobody
[25091]: lookupsid S-1-5-21-1229272821-789336058-1060284298-513
CACHESEQ GRASSROOTS/NAM/S-1-5-21-1229272821-789336058-1060284298-513 is 4294967295
cached sequence number for GRASSROOTS is 4294967295
cached sequence number for GRASSROOTS is 4294967295
[25091]: sid to gid S-1-5-21-1229272821-789336058-1060284298-513
[25091]: gid to sid 10002
[25091]: getgroups nobody

***

That almost looks like good stuff, except for that "pwnam_from_user(): error getting user info for user 'testuser'".  Which isn't very surprising, since:

[root@newintranet samba]# /etc/rc.d/init.d/smb start
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]
Starting Winbind services:                                 [  OK  ]
[root@newintranet samba]# wbinfo -u
Error looking up domain users
[root@newintranet samba]# wbinfo -g
Error looking up domain groups
[root@newintranet samba]#


Ok, so I'm not sure what to change!  Seems like I've tried everything!

Also, I did build 2.2.3 from source (several times, actually). The last build (clean) was done with:

./configure \
  --with-winbind \
  --with-pam \
  --with-pam_smbpass \
  --with-acl-support \
  --prefix=/usr \
  --sysconfdir=/etc/samba \
  --with-privatedir=/etc/samba \
  --with-swatdir=/usr/share/swat \
  --with-lockdir=/var/lock/samba \
  --with-logfilebase=/var/log/samba

maybe I broke everything by putting ACL support in ?

Also, notice that I specified '--with-logfilebase=/var/log/samba'.  But I'm getting a lot of "Unable to open new log file /usr/local/samba/var/log.[hostname]: No such file or directory" in /var/log/samba/log.*


Well, there it all is. If I left out something important, let me know. I was trying not to take up too much space with this one (too late)  


Any suggestions ?



Jonathan Ungar
Systems Administrator
Grassroots Enterprise, Inc.



