[Samba] Finally winbind on RH9 working, but why ?

jo at neolabs.be jo at neolabs.be
Mon Aug 4 21:08:00 GMT 2003


Maybe I'll rephrase it shorter :

1) even though 'wbinfo -g' gives me the correct groups, they do not
show up when I go 'getent group'. Can it be the spaces in the Samba
groups 'Domain Admins' and 'Domain Users'? Where is the information 
about these groups stored on the Samba pdc?

2) I only get winbind to do its job (which is connecting to a
local share on the domain member with a winbind user) when I
a) set the parameter 'winbind cache timeout = 0'
OR
b) create the user locally on the domain member, which is of course
what we try to avoid by using winbind... 

Any ideas why playing with the cache timeout causes a difference?

Thanks in advance...

The full story is below but I guess it's too long for anyone to read
*grin*

Jo De Baer





On Mon, 04 Aug 2003 16:42:05 +0200 jo at neolabs.be wrote:

> Hi,
> 
> maybe (probably ??) it's me, but it took me more than a week to
> get winbindd working on Redhat 9. It works now after changing a 
> parameter in smb.conf, but I have NO idea why. Maybe some of you
> already had the same problem. If so, PLEASE clarify! Thanks...
> PS as you will see later, getent group also does not work. This is
> an independent problem I think... can it have something to do with
> spaces in group names ??? 
> 
> 
> Here are the config files of the two machines. Both are linux boxes, so
> no win machine is involved.
> 
> 
> server (PDC):
> -------------
> 
> Redhat 9 
> samba 2.2.8a compiled with 
> --with-winbind --with-winbind-auth-challenge
> 
> hw : lx50
> 
> 
> [root at server source]# more /etc/sysconfig/network
> NETWORKING=yes
> HOSTNAME=server.one.sunedu
> 
> 
> [root at server source]# more /etc/hosts
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1		localhost.localdomain localhost
> 172.17.11.5		client.one.sunedu CLIENT client
> 172.17.11.4		server.one.sunedu SERVER server
> 
> (I still have a problem with the name service, that's why)
> 
> 
> [root at server lib]# more smb.conf
> [global]
>    workgroup = MYGROUP
>    netbios name = SERVER
>    add user script = /usr/sbin/useradd -d /dev/null -s /bin/false -g machines -M %u
>    server string = Samba Server
>    printcap name = /etc/printcap
>    load printers = yes
>    log file = /var/log/samba/log.%m
>    max log size = 50
>    security = user
>    encrypt passwords = yes
>    smb passwd file = /etc/samba/smbpasswd
>    unix password sync = Yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    local master = yes
>    os level = 33
>    domain master = yes 
>    preferred master = yes
>    domain logons = yes
>    logon path = \\%L\Profiles\%U
>    wins support = yes
>    dns proxy = no 
> [homes]
>    comment = Home Directories
>    browseable = no
>    writable = yes
> [netlogon]
>    comment = Network Logon Service
>    path = /home/netlogon
>    writable = no
>    share modes = no
> [Profiles]
>     path = /home/profiles
>     browseable = no
>     guest ok = yes
> [printers]
>    comment = All Printers
>    path = /var/spool/samba
>    browseable = no
>    guest ok = no
>    writable = no
>    printable = yes
> 
> client (domain member) :
> 
> Redhat 9 
> samba 2.2.8a compiled with 
> --with-winbind --with-winbind-auth-challenge
> 
> 
> [root at client root]# more /etc/sysconfig/network
> NETWORKING=yes
> HOSTNAME=client.one.sunedu
> 
> 
> [root at client root]# more /etc/hosts
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1		localhost.localdomain localhost
> 172.17.11.5		client.one.sunedu client CLIENT
> 172.17.11.4		server.one.sunedu SERVER server
> 
> 
> [root at client lib]# more smb.conf
> [global]
> server string = SambaBSD-2.2.8 
> netbios name = CLIENT
> workgroup = MYGROUP
> security = domain 
> password server = *
> encrypt passwords = yes 
> wins server = 172.17.11.4
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = .
> winbind use default domain = yes
> winbind cache time = 0
> password level = 8
> username level = 8
> [tmp]
> path = /tmp
> browseable = yes
> writable = yes
> public = no
> create mode = 0664
> directory mode = 0775
> 
> 
> as you can see pretty normal settings. The reason I recompiled samba
> is that apparently Redhat forgot to compile with
> --with-winbind-auth-challenge which I think is necessary for winbind to
> work (correct me ?)
> 
> 
> The parameter that made it all work is :
> 
> winbind cache time = 0
> 
> if I reset this to the default on the client, which is 15, I get the
> following results :
> 
> 
> 
> [root at client root]# getent passwd
> root:x:0:0:root:/root:/bin/bash
> ... 
> client$:x:502:501::/dev/null:/bin/false
> root:x:10000:10000:root:/home/MYGROUP/root:/bin/false
> jo:x:10001:10000::/home/MYGROUP/jo:/bin/false
> 
> 
> [root at client root]# getent group
> 
> DOES NOT SHOW THE "win" GROUPS... ANY IDEA WHY? Where are
> the groups stored on the samba pdc????
> 
> 
> [root at client root]# wbinfo -u
> root
> jo
> [root at client root]# wbinfo -g
> Domain Admins
> Domain Users
> [root at client root]# 
> [root at client root]# wbinfo -t
> Secret is good
> [root at client root]# 
> [root at client root]# wbinfo -a jo%welcome
> plaintext password authentication succeeded
> challenge/response password authentication succeeded 
> //thanks to recompiling !!!!!!!!!!
> 
> [root at client root]# 
> 
> So everything seems ok, but if I try to connect to a local share on the
> client in the hope that winbind will provide the user account jo, it fails 
> like this :
> 
> [root at client root]# smbclient //CLIENT/tmp -U jo%welcome
> added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
> Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
> tree connect failed: NT_STATUS_UNSUCCESSFUL <-----------------------
> [root at client root]# smbclient //CLIENT/tmp -U jo%welcome
> added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
> Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
> tree connect failed: NT_STATUS_WRONG_PASSWORD <--------------------
> [root at client root]#
> 
> The weird thing is the different error message the second time, which is
> reset to the first one after - you guessed it - 15 seconds... that's how
> I figured out it maybe had something to do with the cache time (ok I was
> just lucky to try it).
> 
> As soon as I change it back to winbind cache time = 0 it works fine :
> 
> [root at client root]# smbclient //CLIENT/tmp -U jo%welcome
> added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
> Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
> smb: \> ls
>   .                                   D        0  Mon Aug  4 04:02:07 2003
>   ..                                  D        0  Fri Aug  1 13:35:41 2003
>   jd_sockV4                           A        0  Fri Aug  1 13:36:20 2003
>   orbit-root                          D        0  Fri Aug  1 16:07:15 2003
>   .font-unix                         DH        0  Fri Aug  1 13:36:21 2003
>   .fam_socket                        AH        0  Fri Aug  1 13:44:14 2003
>   .gdm_socket                         H        0  Fri Aug  1 13:36:22 2003
>   .iroha_unix                        DH        0  Fri Aug  1 13:36:16 2003
>   .X11-unix                          DH        0  Fri Aug  1 13:36:22 2003
>   .X0-lock                           HR       11  Fri Aug  1 13:36:22 2003
>   .ICE-unix                          DH        0  Fri Aug  1 13:44:14 2003
>   ssh-XX9OiucF                        D        0  Fri Aug  1 13:44:13 2003
>   .winbindd                          DH        0  Mon Aug  4 13:10:59 2003
>   test                                D        0  Fri Aug  1 06:01:54 2003
>   test2                               D        0  Fri Aug  1 06:07:06 2003
>   yahoo                               D        0  Fri Aug  1 16:10:13 2003
>   joke                                D        0  Fri Aug  1 16:18:18 2003
> 
> 		62228 blocks of size 8192. 32583 blocks available
> smb: \> 
> 
> 
> Is this a feature or a bug ??? The man page of winbindd does not make it
> any clearer for me... hope this can help anybody.
> 
> 
> Thanks for any replies.
> Jo
> Sun Microsystems
> 
> NEOlabs - http://www.neolabs.be - mailto:info at neolabs.be
