[Samba] winbind: user not found on PDC

Matthias Weiss matthias.weiss at isis-papyrus.com
Wed Jun 19 07:22:03 GMT 2002


Hallo everyone!

Hopefully I'm right here to post a help request, otherwise excuse my 
disturbance.

My setup: RedHat 7.3 with samba 2.2.3a, linux kernel 2.4.18.
###################################
/etc/nsswitch.conf:
passwd:     files winbind nisplus
shadow:     files nisplus
group:      files winbind nisplus

/etc/pam.d/system-auth:
auth        required      /lib/security/pam_nologin.so
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so debug
auth        sufficient    /lib/security/pam_unix.so use_first_pass 
likeauth nullok debug
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so debug

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok 
md5 shadow debug
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so debug
###################################

I have a Win2000 PDC called domcont1. On this machine there is e.g. an 
account for matw. When I log in from a Win2000 machine I can login.
On my linux box I can make a "smbpasswd -j domain1" and a wbinfo -m [-u 
-g] which works just fine.
I can also do a "su -" switching to root where it first looks up the PDC 
for root, doesn't find an entry and then uses pam_unix and authenticates 
- fine as expected because there is no root on the PDC.

But when I do su - matw I get on the command line:
su: incorrect password

The log file /var/log/auth says:
Jun 19 16:11:09 localhost pam_winbind[4036]: Verify user `matw' with 
password `matw'
Jun 19 16:11:09 localhost pam_winbind[4036]: user `matw' not found

/var/log/samba/log.winbindd says:

[2002/06/19 16:11:05, 6] nsswitch/winbindd.c:new_connection(406)
  accepted socket 10
[2002/06/19 16:11:05, 10] nsswitch/winbindd.c:client_read(482)
  client_read: read 1044 bytes. Need 0 more for a full request.
[2002/06/19 16:11:05, 10] nsswitch/winbindd.c:process_request(371)
  process_request: request fn ENDPWENT
[2002/06/19 16:11:05, 3] nsswitch/winbindd_user.c:winbindd_endpwent(364)
  [ 4036]: endpwent
[2002/06/19 16:11:05, 10] nsswitch/winbindd.c:client_write(531)
  client_write: wrote 1300 bytes.
[2002/06/19 16:11:09, 6] nsswitch/winbindd.c:new_connection(406)
  accepted socket 11
[2002/06/19 16:11:09, 10] nsswitch/winbindd.c:client_read(482)
  client_read: read 1044 bytes. Need 0 more for a full request.
[2002/06/19 16:11:09, 10] nsswitch/winbindd.c:process_request(371)
  process_request: request fn PAM_AUTH
[2002/06/19 16:11:09, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(55)
  [ 4036]: pam auth matw
[2002/06/19 16:11:09, 10] nsswitch/winbindd.c:client_write(531)
  client_write: wrote 1300 bytes.
[2002/06/19 16:11:11, 10] nsswitch/winbindd.c:client_read(482)
  client_read: read 0 bytes. Need 1044 more for a full request.
[2002/06/19 16:11:11, 5] nsswitch/winbindd.c:client_read(488)
  read failed on sock 11, pid 4036: EOF
[2002/06/19 16:11:11, 10] nsswitch/winbindd.c:client_read(482)
  client_read: read 0 bytes. Need 1044 more for a full request.
[2002/06/19 16:11:11, 5] nsswitch/winbindd.c:client_read(488)
  read failed on sock 10, pid 4036: EOF



I have attached the smb.conf file, maybe some problem there.

The PDC uses Active Directories. A computer account for my samber server 
linux machine (yoda) was added as "pre Win2000 Compatible Access" on the 
PDC. The Netlogon was restarted on the PDC.

Can somebody please help??

Thanx in advance

Matthias
-------------- next part --------------
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors. 
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = domain1

# server string is the equivalent of the NT Description field
   server string = Linux Samba Server %v (%L)

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
   hosts allow = 10.1. 127.0.0.1


# machine name in the network neighborhood

   netbios name = yoda

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
#   printcap name = /etc/printcap
#   load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
#   printing = lprng

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# Set the log level: ranging from 1 to 10; levels higher than 3 only useful
# for samba programers

   log level = 3

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/%m.log

# Put a capping on the size of the log files (in Kb).
   max log size = 1000000

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = domain

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = <NT-Server-Name>
   password server = *

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8
;  username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd

# The following is needed to keep smbclient from spouting spurious errors
# when Samba is built with support for SSL.
;   ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt

# The following are needed to allow password changing from Windows to
# update the Linux sytsem password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# You can use PAM's password change control flag for Samba. If
# enabled, then PAM will be used for password changes when requested
# by an SMB client instead of the program listed in passwd program.
# It should be possible to enable this without changing your passwd
# chat parameter for most setups.

   pam password change = yes

# Unix users can map to different SMB User names
;  username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /etc/samba/smb.conf.%m

# This parameter will control whether or not Samba should obey PAM's
# account and session management directives. The default behavior is
# to use PAM for clear text authentication only and to ignore any
# account or session management. Note that Samba always ignores PAM
# for authentication in the case of encrypt passwords = yes

  obey pam restrictions = yes

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24 

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
#	a specific host or from / to a whole subnet (see below)
;   remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
;   remote announce = 192.168.1.255 192.168.2.44

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = no


# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
   preferred master = no

# Enable this if you want Samba to be a domain logon server for 
# Windows95 workstations. 
   domain logons = no

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#	Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one	WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no 

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

# the UNIX server should be aware of oportunistic locks by WIN NT machines
   kernel oplocks = yes

# list of users that must not access shares
   invalid users = root bin daemon adm lp sync shutdown halt mail \
		   news uucp operator games gopher ftp nobody mailnull \
		   rpm xfs ntp rpc gdm rpcuser nfsnobody nscd ident radvd

# winbindd parameters
#####################

# separator sign between domain name and user name
   winbind separator = +

# range of user ids that are allocated  by  the  winbindd  daemon. This
# range of ids should have no existing local or NIS users within it as
# strange conflicts can occur otherwise
   winbind uid = 30000-40000
# range of group ids that are allocated by the winbindd daemon.  This
# range of group ids should have no existing local or NIS groups within
# it as strange conflicts can occur  otherwise.
   winbind gid = 30000-40000

# When filling out the user information for a Windows NT user, the winbindd
# daemon uses this parameter to fill in the home directory for that user.
# If the string %D is present it is substituted with  the  user's  Windows  NT
# domain name. If the string %U is present it is substituted with the user's
# Windows NT user name.
   template homedir = /home/%U

# When filling out the user information for a Windows NT user, the winbindd
# daemon uses this parameter to fill in the shell for that user.
   template shell = /bin/bash

#============================ Share Definitions ==============================

[homes]
   comment = Home Directories
   guest ok = no
   browseable = no
   template shell = /bin/bash

   writable = yes
   valid users = %S
   create mode = 0774
   directory mode = 0775
   hide dot files = yes
   wide links = no
   map archive = yes
   map system = no
   map hidden = no

# If you want users samba doesn't recognize to be mapped to a guest user
; map to guest = bad user


# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /usr/local/samba/lib/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no



More information about the samba mailing list