[Samba] Winbind + machine account + non-anonymous access (RestrictAnonymous)

Ingmar Koecher ingmar.koecher at netikus.net
Mon Jun 3 15:54:04 GMT 2002

Hi everybody,

my (our) goal here is to setup a samba server in a NT domain (and 
eventually in a Win2k domain - but for now I just want to test it on NT) 
and have it act like a member server - meaning that I don't use the 
local user database but instead assing permissions of shares to domain 
users and groups.

To avoid having to administer both users in the NT domain and on the 
samba server(s) I have to use winbindd - I guess I am correct on this one.

The samba processes are up and running but there is not much configured 
yet except for the most basic info like domain name and such. Now the 
problem is that "wbinfo -t" tells me that the machine account is bad and 
I also can't query the domain controller when "RestrictAnonymous" is in 

This is what I did:

The contents of smb.conf:

     workgroup = OURDOMAIN
    server string =
    security = DOMAIN
    encrypt passwords = Yes
    password server = thepdc
    log level = 4
   winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind separator = +
    winbind use default domain = Yes

Created a server/workstation account in the NT domain

Joined the NT domain with "smbpasswd -j OURDOMAIN -r thepdc" - OK.

Then I start "winbindd -d 10 -i" in a terminal window

Then I issue "wbinfo -u" and voila, all the users are being listed.

Then I issue "wbinfo -t" and it says:
Secret is bad

The output of winbindd says:
accepted socket 13
client_read: read 1304 bytes. Need 0 more for a full request.
process_request: request fn CHECK_MACHACC
[ 3114]: check machine account
client_write: wrote 1300 bytes.
read failed on sock 13, pid 3114: EOF

I really don't understand that since it joined the domain successfully 
and since it shows up ok in server manager.

Well, then I set "RestrictAnonymous" to "1" (before it was set to 0) and 
reboot the NT PDC. From that point on I can't query the users anymore 
with "wbinfo -u".

The output of winbindd is:
[ 3165]: list users
IPC$ connections done anonymously
Connecting to host=THEPDC share=IPC$
resolve_lmhosts: Attempting lmhosts lookup for name THEPDC<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/lib/lmhosts. 
Error was No such file or
resolve_hosts: Attempting host lookup for name THEPDC<0x20>
Connecting to at port 445
error connecting to (Connection refused)
Connecting to at port 139

(I added the lmhosts file in the meantime but it doesn't improve the 

Now does winbindd even support non-anonymous connections? I recall 
somebody telling me that this can be done ...?

How can I configure it to do so?

Why is the secret bad? :(

Thanks for any help,


More information about the samba mailing list