[Samba] Winbind - Why won't you authenticate???

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Wed Feb 13 10:07:11 GMT 2002


Hi Thomas,
The message from pdb_smbpasswd.c is saying that it can't find the smbpasswd
file; this is normal if you are doing domain level authentication, and have
not created/populated an smbpasswd file - if the domain authentication
doesn't work, samba tries to authenticate you locally to the smbpasswd file.
So this isn't the issue, I believe.

It looks to me as if your win2k dc has disabled support for NTLM v1
challenge response authentication.
Check your domain controller security policy under security settings/local
policies/security options and see what the value of:
Lan Manager Authentication Level
says....

Also, if you would like, stop winbindd, remove the log.winbindd file,
set your log level in smb.conf to 10, and start winbind, then do your
wbinfo -a... command, and send me the log.winbindd; perhaps I can see
what is happening from a full debug log.
Thanks,
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas at jhuapl.edu]
Sent: Wednesday, February 13, 2002 12:29 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???


Another thing I noticed.  I looked at the log file in samba/var and found
the log for my machine was filled with this:

[2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367)
  unable to open passdb database.


Where is the pdb_smbpasswd.c file and why would there be a problem opening
it?
-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
Sent: Tuesday, February 12, 2002 5:24 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???


Hi Daniel,
I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1
domain, and the WT1 domain has a trust to the atl-wtec domain.  NOTE that my
winbind separator is +  (as yours appears to be in your smb.conf file):

# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#

NOTE it shows the users in the ATL-WTEC domain as well as my home domain
(this may be because I have a 2 way trust between the domains); but NOTE
also, that the wbinfo output SHOWS my users with the "+" separator, which
matches what I have in my smb.conf file - YOURS DOES NOT: it shows the
separator being used as "\"...
You might try verifying your smb.conf file 'winbind separator' by running
testparm|grep winbind
and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u
again.  Verify that it is using the "+", and if so, then try your wbinfo -a
command again (with the + sign)...

That's all I have for now...
don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas at jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???


Below is the beginning of the output which I just pasted into this e-mail.
You'll find the error on the bottom.  Also at the bottom is a copy of the
smb.conf file.  Is this all correct?
Thanks,
-Dan



adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
        -u                      lists all domain users
        -g                      lists all domain groups
        -h name                 converts NetBIOS hostname to IP
        -i ip                   converts IP address to NetBIOS name
        -n name                 converts name to sid
        -s sid                  converts sid to name
        -U uid                  converts uid to sid
        -G gid                  converts gid to sid
        -S sid                  converts sid to uid
        -Y sid                  converts sid to gid
        -t                      check shared secret
        -m                      list trusted domains
        -r user                 get user groups
        -a user%password        authenticate user
        -A user%password        store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
        -u                      lists all domain users
        -g                      lists all domain groups
        -h name                 converts NetBIOS hostname to IP
        -i ip                   converts IP address to NetBIOS name
        -n name                 converts name to sid
        -s sid                  converts sid to name
        -U uid                  converts uid to sid
        -G gid                  converts gid to sid
        -S sid                  converts sid to uid
        -Y sid                  converts sid to gid
        -t                      check shared secret
        -m                      list trusted domains
        -r user                 get user groups
        -a user%password        authenticate user
        -A user%password        store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response







SMB Conf file:
# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14

# Global parameters
[global]
        workgroup = JWAD
        netbios name = ADAMS
        server string = adams samba
        security = DOMAIN
        encrypt passwords = Yes
        null passwords = Yes
        password server = *
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        large readwrite = Yes
        load printers = No
        os level = 0
        preferred master = False
        local master = No
        domain master = False
        dns proxy = No
        valid chars = - _
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        template homedir = /apps/users/%U
        winbind separator = +
        hosts allow = 128.244.11.
        strict locking = Yes

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /usr/spool/samba
        printable = Yes
        browseable = No

[temp]
        path = /apps/temp
        write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator jwad+dantest




-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???


Hi Daniel,
that should work - but I notice that you are using "\" for the winbindd
separator - some Unixes will swallow this character as an 'escape'
character;  for instance on HPUX  you can see:

# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with challenge/response

NOTE in the above that the response does NOT display the "\" in between the
domain and the username.

Is this happening to you?
Don


-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas at jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???


Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went through just fine.
I was able to join the NT domain and now I can do a "wbinfo -u" and get a
domain user list as well as a "wbinfo -g" and get a group list.  For some
reason though, the authentication isn't working.

I tried to "wbinfo -a" and used a number of possible names.  The samba
server is on an NT domain called "jwad" and it has a trust relationship with
"jhuapl".  My user account is on jhuapl, and I want to get authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challenge/response methods.  From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the responses are given way too quick for any real network activity to have
taken place.

Please lend some advice if you have any.  I can probably get sample output
if needed.
-Dan

Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD

Balt:    (443) 778-7924
Wash:  (240) 228-7924


"Always avoid a bad file copy...
You can never know when your replication proceeds you."
                               -Anonymous Author




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
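
Added example (not part of the original thread, and not Samba project code): a shell sketch of the two checks discussed above, namely whether the separator in smb.conf matches the one the running winbindd prints, and what the shell does to an unquoted "\" before wbinfo sees it. The function names and the sample data are constructed for illustration from values quoted in the thread.

```shell
#!/bin/sh
# Constructed sample data: smb.conf says "+", but wbinfo -u output uses "\".
SAMPLE_CONF='[global]
        workgroup = JWAD
        winbind separator = +'
SAMPLE_WBINFO='JWAD\Administrator
JWAD\dantest'

# Read smb.conf-style text on stdin, print the configured separator character.
configured_separator() {
    sed -n 's/^[[:space:]]*winbind separator[[:space:]]*=[[:space:]]*\(.\).*$/\1/p' | head -n 1
}

# Read `wbinfo -u` output on stdin, print the first character that follows the
# domain name. Assumption: domain names use only letters, digits, ".", "_", "-",
# so this cannot detect a separator that is itself one of those characters.
observed_separator() {
    sed -n 's/^[A-Za-z0-9._-]*\([^A-Za-z0-9._-]\).*$/\1/p' | head -n 1
}

# $1 = smb.conf text, $2 = wbinfo -u output. A mismatch means the running
# winbindd has not picked up the configured value (restart it, as advised above).
check_separator() {
    want=$(printf '%s\n' "$1" | configured_separator)
    got=$(printf '%s\n' "$2" | observed_separator)
    if [ "$want" = "$got" ]; then
        printf '%s\n' "match: $got"
    else
        printf '%s\n' "mismatch: config=$want running=$got"
    fi
}

# Print an argument exactly as a program would receive it from the shell.
arg_as_seen() { printf '%s' "$1"; }

# Unquoted, the shell treats "\d" as an escaped "d" and drops the backslash,
# which is the missing "\" seen in the HPUX output above.
swallowed_form() { arg_as_seen jwad\dantest%secret; }
# Single quotes keep the backslash intact.
quoted_form() { arg_as_seen 'jwad\dantest%secret'; }

check_separator "$SAMPLE_CONF" "$SAMPLE_WBINFO"
printf 'unquoted: %s\nquoted:   %s\n' "$(swallowed_form)" "$(quoted_form)"
```

On a live system the two inputs to check_separator would be the output of testparm and of wbinfo -u.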