[Samba] Finally winbind on RH9 working, but why ?
jo at neolabs.be
Mon Aug 4 14:42:05 GMT 2003
Hi,
Maybe (probably ??) it's me, but it took me more than a week to
get winbindd working on Redhat 9. It works now after changing a
parameter in smb.conf, but I have NO idea why. Maybe some of you
already had the same problem. If so, PLEASE clarify! Thanks...
PS: as you will see later, getent group also does not work. This is
an independent problem I think... can it have something to do with
spaces in group names ???
Here are the config files of the two machines. Both are linux boxes, so
no win machine is involved.
server (PDC):
-------------
Redhat 9
samba 2.2.8a compiled with
--with-winbind --with-winbind-auth-challenge
hw : lx50
[root at server source]# more /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=server.one.sunedu
[root at server source]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
172.17.11.5 client.one.sunedu CLIENT client
172.17.11.4 server.one.sunedu SERVER server
(I still have a problem with the name service, that's why)
[root at server lib]# more smb.conf
[global]
workgroup = MYGROUP
netbios name = SERVER
add user script = /usr/sbin/useradd -d /dev/null -s /bin/false -g machines -M %u
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/log.%m
max log size = 50
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
logon path = \\%L\Profiles\%U
wins support = yes
dns proxy = no
[homes]
comment = Home Directories
browseable = no
writable = yes
[netlogon]
comment = Network Logon Service
path = /home/netlogon
writable = no
share modes = no
[Profiles]
path = /home/profiles
browseable = no
guest ok = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
client (domain member) :
Redhat 9
samba 2.2.8a compiled with
--with-winbind --with-winbind-auth-challenge
[root at client root]# more /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=client.one.sunedu
[root at client root]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
172.17.11.5 client.one.sunedu client CLIENT
172.17.11.4 server.one.sunedu SERVER server
[root at client lib]# more smb.conf
[global]
server string = SambaBSD-2.2.8
netbios name = CLIENT
workgroup = MYGROUP
security = domain
password server = *
encrypt passwords = yes
wins server = 172.17.11.4
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind separator = .
winbind use default domain = yes
winbind cache time = 0
password level = 8
username level = 8
[tmp]
path = /tmp
browseable = yes
writable = yes
public = no
create mode = 0664
directory mode = 0775
As you can see, pretty normal settings. The reason I recompiled samba
is that apparently Redhat forgot to compile with
--with-winbind-auth-challenge, which I think is necessary for winbind to
work (correct me ?)
The parameter that made it all work is :
winbind cache time = 0
If I reset this to the default on the client, which is 15, I get the
following results :
[root at client root]# getent passwd
root:x:0:0:root:/root:/bin/bash
...
client$:x:502:501::/dev/null:/bin/false
root:x:10000:10000:root:/home/MYGROUP/root:/bin/false
jo:x:10001:10000::/home/MYGROUP/jo:/bin/false
[root at client root]# getent group
DOES NOT SHOW THE "win" GROUPS... ANY IDEA WHY? Where are
the groups stored on the samba pdc????
[root at client root]# wbinfo -u
root
jo
[root at client root]# wbinfo -g
Domain Admins
Domain Users
[root at client root]#
[root at client root]# wbinfo -t
Secret is good
[root at client root]#
[root at client root]# wbinfo -a jo%welcome
plaintext password authentication succeeded
challenge/response password authentication succeeded
//thanks to recompiling !!!!!!!!!!
[root at client root]#
So everything seems ok, but if I try to connect to a local share on the
client in the hope that winbind will provide the user account jo, it fails
like this :
[root at client root]# smbclient //CLIENT/tmp -U jo%welcome
added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
tree connect failed: NT_STATUS_UNSUCCESSFUL <-----------------------
[root at client root]# smbclient //CLIENT/tmp -U jo%welcome
added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
tree connect failed: NT_STATUS_WRONG_PASSWORD <--------------------
[root at client root]#
The weird thing is the different error message the second time, which is
reset to the first one after - you guessed it - 15 seconds... that's how
I figured out it maybe had something to do with the cache time (ok I was
just lucky to try it).
As soon as I change it back to winbind cache time = 0 it works fine :
[root at client root]# smbclient //CLIENT/tmp -U jo%welcome
added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
smb: \> ls
. D 0 Mon Aug 4 04:02:07 2003
.. D 0 Fri Aug 1 13:35:41 2003
jd_sockV4 A 0 Fri Aug 1 13:36:20 2003
orbit-root D 0 Fri Aug 1 16:07:15 2003
.font-unix DH 0 Fri Aug 1 13:36:21 2003
.fam_socket AH 0 Fri Aug 1 13:44:14 2003
.gdm_socket H 0 Fri Aug 1 13:36:22 2003
.iroha_unix DH 0 Fri Aug 1 13:36:16 2003
.X11-unix DH 0 Fri Aug 1 13:36:22 2003
.X0-lock HR 11 Fri Aug 1 13:36:22 2003
.ICE-unix DH 0 Fri Aug 1 13:44:14 2003
ssh-XX9OiucF D 0 Fri Aug 1 13:44:13 2003
.winbindd DH 0 Mon Aug 4 13:10:59 2003
test D 0 Fri Aug 1 06:01:54 2003
test2 D 0 Fri Aug 1 06:07:06 2003
yahoo D 0 Fri Aug 1 16:10:13 2003
joke D 0 Fri Aug 1 16:18:18 2003
62228 blocks of size 8192. 32583 blocks available
smb: \>
Is this a feature or a bug ??? The man page of winbindd does not make it
any clearer for me... hope this can help anybody.
Thanks for any replies.
Jo
Sun Microsystems
NEOlabs - http://www.neolabs.be - mailto:info at neolabs.be