[Samba] Winbind + machine account + non-anonymous access (RestrictAnonymous)
Ingmar Koecher
ingmar.koecher at netikus.net
Mon Jun 3 15:54:04 GMT 2002
Hi everybody,
my (our) goal here is to setup a samba server in a NT domain (and
eventually in a Win2k domain - but for now I just want to test it on NT)
and have it act like a member server - meaning that I don't use the
local user database but instead assing permissions of shares to domain
users and groups.
To avoid having to administer both users in the NT domain and on the
samba server(s) I have to use winbindd - I guess I am correct on this one.
The samba processes are up and running but there is not much configured
yet except for the most basic info like domain name and such. Now the
problem is that "wbinfo -t" tells me that the machine account is bad and
I also can't query the domain controller when "RestrictAnonymous" is in
place.
This is what I did:
The contents of smb.conf:
workgroup = OURDOMAIN
server string =
security = DOMAIN
encrypt passwords = Yes
password server = thepdc
log level = 4
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind use default domain = Yes
Created a server/workstation account in the NT domain
Joined the NT domain with "smbpasswd -j OURDOMAIN -r thepdc" - OK.
Then I start "winbindd -d 10 -i" in a terminal window
Then I issue "wbinfo -u" and voila, all the users are being listed.
Then I issue "wbinfo -t" and it says:
--
Secret is bad
0xc00000e5
--
The output of winbindd says:
--
accepted socket 13
client_read: read 1304 bytes. Need 0 more for a full request.
process_request: request fn CHECK_MACHACC
[ 3114]: check machine account
client_write: wrote 1300 bytes.
read failed on sock 13, pid 3114: EOF
--
I really don't understand that since it joined the domain successfully
and since it shows up ok in server manager.
Well, then I set "RestrictAnonymous" to "1" (before it was set to 0) and
reboot the NT PDC. From that point on I can't query the users anymore
with "wbinfo -u".
The output of winbindd is:
--
[ 3165]: list users
IPC$ connections done anonymously
Connecting to host=THEPDC share=IPC$
resolve_lmhosts: Attempting lmhosts lookup for name THEPDC<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/lib/lmhosts.
Error was No such file or
directory
resolve_hosts: Attempting host lookup for name THEPDC<0x20>
Connecting to 10.8.220.133 at port 445
error connecting to 10.8.220.133:445 (Connection refused)
Connecting to 10.8.220.133 at port 139
--
(I added the lmhosts file in the meantime but it doesn't improve the
situation)
Now does winbindd even support non-anonymous connections? I recall
somebody telling me that this can be done ...?
How can I configure it to do so?
Why is the secret bad? :(
Thanks for any help,
Ingmar.
More information about the samba
mailing list