[Samba] Samba 2.2.5-10, W2K PDC and Winbind - Authentication issues

Aaron D. lists at aaronsplace.org
Tue Sep 10 20:28:00 GMT 2002 

I've gotten passed the problem I had with joining the domain.  However, I 
am still having problems with the authentication of domain user accounts 
against the samba server.

wbinfo -u shows my users from the domain correctly.
wbinfo -g does the same for my domain groups.
getent passwd shows the domain users as expected.
wbinfo -t shows a good trust.
wbinfo -a allows me to authenticate any user (although I've noticed only 
plain text seems to work?)

NOTE: If I add entries into the smbpasswd in the format of domain+user and 
set the password then all works as expected, save of course the fact I have 
to manually add the users which basically defeats the purpose of setting up 
winbind?

Any ideas, thoughts, suggestions, or glasses filled with hard liquor are 
welcome. I see the following quite frequently in the logs on Samba, but 
nothing on the audit logs of the PDC. "connect_to_domain_password_server: 
machine SERVER rejected the tconX on the IPC$ share. Error was : 
NT_STATUS_ACCESS_DENIED."

PDC is a W2K SP2 Advanced Server.
Samba is on RedHat 7.1 Kernel 2.4.9-34



When I try to access a share, or even browse the root of the same server I 
get various examples of the following in my log.smbd:

[2002/09/10 15:13:18, 3] smbd/process.c:process_smb(877)
   Transaction 13 of length 198
[2002/09/10 15:13:18, 3] smbd/process.c:switch_message(684)
   switch message SMBsesssetupX (pid 1924)
[2002/09/10 15:13:18, 3] smbd/sec_ctx.c:set_sec_ctx(313)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2002/09/10 15:13:18, 3] smbd/reply.c:reply_sesssetup_and_X(857)
   Domain=[DOMAIN]  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 
5.0]
[2002/09/10 15:13:18, 3] smbd/reply.c:reply_sesssetup_and_X(868)
   sesssetupX:name=[adonaldson]
[2002/09/10 15:13:18, 3] smbd/reply.c:reply_sesssetup_and_X(929)
   Using unix username DOMAIN+adonaldson
[2002/09/10 15:13:18, 3] libsmb/namequery.c:resolve_wins(709)
   resolve_wins: Attempting wins lookup for name SERVER<0x20>
[2002/09/10 15:13:18, 3] libsmb/namequery.c:resolve_wins(727)
   resolve_wins: WINS server == <10.7.7.201>
[2002/09/10 15:13:18, 3] lib/util_sock.c:open_socket_in(813)
   bind succeeded on port 0
[2002/09/10 15:13:18, 2] libsmb/namequery.c:name_query(421)
   Got a positive name query response from 10.7.7.201 ( 10.7.7.201 )
[2002/09/10 15:13:18, 3] lib/util_sock.c:open_socket_out(845)
   Connecting to 10.7.7.201 at port 445
[2002/09/10 15:13:18, 0] 
smbd/password.c:connect_to_domain_password_server(1328)
   connect_to_domain_password_server: machine SERVER rejected the tconX on 
the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.
[2002/09/10 15:13:18, 0] smbd/password.c:domain_client_validate(1585)
   domain_client_validate: Domain password server not available.
[2002/09/10 15:13:18, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
   startsmbfilepwent_internal: unable to open file /etc/samba/smbpasswd. 
Error was No such file or directory
[2002/09/10 15:13:18, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
   unable to open passdb database.
[2002/09/10 15:13:18, 1] smbd/password.c:pass_check_smb(545)
   Couldn't find user 'domain+adonaldson' in passdb.
[2002/09/10 15:13:18, 2] smbd/reply.c:reply_sesssetup_and_X(972)
   NT Password did not match for user 'domain+adonaldson'!
[2002/09/10 15:13:18, 2] smbd/reply.c:reply_sesssetup_and_X(982)
   Defaulting to Lanman password for domain+adonaldson
[2002/09/10 15:13:18, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
   startsmbfilepwent_internal: unable to open file /etc/samba/smbpasswd. 
Error was No such file or directory
[2002/09/10 15:13:18, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
   unable to open passdb database.
[2002/09/10 15:13:18, 1] smbd/password.c:pass_check_smb(545)
   Couldn't find user 'domain+adonaldson' in passdb.
[2002/09/10 15:13:18, 1] smbd/reply.c:reply_sesssetup_and_X(998)
   Rejecting user 'domain+adonaldson': authentication failed
[2002/09/10 15:13:18, 3] smbd/error.c:error_packet(91)
   error string = No such file or directory
[2002/09/10 15:13:18, 3] smbd/error.c:error_packet(106)
   error packet at smbd/reply.c(1000) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE

This is what appears for the same attempt in the log.winbind

[2002/09/10 15:13:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(103)
   [ 1924]: getpwnam DOMAIN+adonaldson
[2002/09/10 15:13:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(103)
   [ 1924]: getpwnam domain+adonaldson
[2002/09/10 15:13:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(103)
   [ 1924]: getpwnam domain+adonaldson
[2002/09/10 15:13:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(103)
   [ 1924]: getpwnam domain+adonaldson
[2002/09/10 15:13:18, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(103)
   [ 1924]: getpwnam DOMAIN+adonaldson
[2002/09/10 15:13:18, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(103)
   [ 1924]: getpwnam domain+adonaldson
[2002/09/10 15:13:18, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(103)
   [ 1924]: getpwnam domain+adonaldson
[2002/09/10 15:13:18, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(103)
   [ 1924]: getpwnam domain+adonaldson
[2002/09/10 15:13:59, 3] nsswitch/winbindd_user.c:winbindd_endpwent(313)
   [ 1926]: endpwent
[2002/09/10 15:13:59, 3] nsswitch/winbindd_user.c:winbindd_endpwent(313)
   [ 1926]: endpwent
[2002/09/10 15:14:42, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(103)
   [ 1927]: getpwnam +nobody


Here is my current smb.conf:


# Global parameters
[global]
         password server = server
         interfaces = 10.7.7.200/24 127.0.0.1
         bind interfaces only = Yes
         wins server = 10.7.7.201
         debug level = 3
         browse list = No
         dns proxy = No
         security = domain
         encrypt passwords = Yes
         obey pam restrictions = no
         workgroup = domain
         server string = Samba Server
         comment = File and Print Services on BART
         local master = No
         socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
         netbios name = SAMBA
         mangled names = No
         case sensitive = no
         max log size = 50
         preferred master = no
         winbind separator = +
         winbind cache time = 10
#        template shell = /bin/bash
#        template homedir = /home/%D/%U
         winbind uid = 10000-20000
         winbind gid = 10000-20000
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = yes
         name resolve order = wins lmhosts host bcast
         time server = yes
         os level = 33
         hosts allow = x.x.x. 127.

[homes]
         comment = Home Directories
         writeable = Yes
         browseable = No

[printers]
         comment = All Printers
         path = /var/spool/samba
         printable = Yes
         browseable = Yes

More information about the samba mailing list