[Samba] Finally winbind on RH9 working, but why ?
jo at neolabs.be
Mon Aug 4 21:08:00 GMT 2003
Maybe I'll rephrase it shorter :
1) even though 'wbinfo -g' gives me the correct groups, they do not
show up when I go 'getent group'. Can it be the spaces in the Samba
groups 'Domain Admins' and 'Domain Users'? Where is the information
about these groups stored on the Samba pdc?
2) I only get winbind to do its job (which is connecting to a
local share on the domain member with a winbind user) when I
a) set the parameter 'winbind cache timeout = 0'
OR
b) create the user locally on the domain member, which is of course
what we try to avoid by using winbind...
any ideas why playing with the cache timeout causes a difference?
Thanks in advance...
the full story is below but I guess it's too long for anyone to read
*grin*
Jo De Baer
On Mon, 04 Aug 2003 16:42:05 +0200 jo at neolabs.be wrote:
> Hi,
>
> maybe (probably ??) it's me, but it took me more than a week to
> get winbindd working on Redhat 9. It works now after changing a
> parameter in smb.conf, but I have NO idea why. Maybe some of you
> already had the same problem. If so, PLEASE clarify ! Thanks...
> PS as you will see later, getent group also does not work. This is
> an independent problem I think... can it have something to do with
> spaces in group names ???
>
>
> Here are the config files of the two machines. Both are linux boxes, so
> no win machine is involved.
>
>
> server (PDC):
> -------------
>
> Redhat 9
> samba 2.2.8a compiled with
> --with-winbind --with-winbind-auth-challenge
>
> hw : lx50
>
>
> [root at server source]# more /etc/sysconfig/network
> NETWORKING=yes
> HOSTNAME=server.one.sunedu
>
>
> [root at server source]# more /etc/hosts
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost.localdomain localhost
> 172.17.11.5 client.one.sunedu CLIENT client
> 172.17.11.4 server.one.sunedu SERVER server
>
> (I still have a problem with the name service, that's why)
>
>
> [root at server lib]# more smb.conf
> [global]
> workgroup = MYGROUP
> netbios name = SERVER
> add user script = /usr/sbin/useradd -d /dev/null -s /bin/false -g machines -M %u
> server string = Samba Server
> printcap name = /etc/printcap
> load printers = yes
> log file = /var/log/samba/log.%m
> max log size = 50
> security = user
> encrypt passwords = yes
> smb passwd file = /etc/samba/smbpasswd
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = yes
> os level = 33
> domain master = yes
> preferred master = yes
> domain logons = yes
> logon path = \\%L\Profiles\%U
> wins support = yes
> dns proxy = no
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> [netlogon]
> comment = Network Logon Service
> path = /home/netlogon
> writable = no
> share modes = no
> [Profiles]
> path = /home/profiles
> browseable = no
> guest ok = yes
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes
>
> client (domain member) :
>
> Redhat 9
> samba 2.2.8a compiled with
> --with-winbind --with-winbind-auth-challenge
>
>
> [root at client root]# more /etc/sysconfig/network
> NETWORKING=yes
> HOSTNAME=client.one.sunedu
>
>
> [root at client root]# more /etc/hosts
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost.localdomain localhost
> 172.17.11.5 client.one.sunedu client CLIENT
> 172.17.11.4 server.one.sunedu SERVER server
>
>
> [root at client lib]# more smb.conf
> [global]
> server string = SambaBSD-2.2.8
> netbios name = CLIENT
> workgroup = MYGROUP
> security = domain
> password server = *
> encrypt passwords = yes
> wins server = 172.17.11.4
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = .
> winbind use default domain = yes
> winbind cache time = 0
> password level = 8
> username level = 8
> [tmp]
> path = /tmp
> browseable = yes
> writable = yes
> public = no
> create mode = 0664
> directory mode = 0775
>
>
> as you can see pretty normal settings. The reason I recompiled samba
> is that apparently Redhat forgot to compile with
> --with-winbind-auth-challenge which I think is necessary for winbind to
> work (correct me ?)
>
>
> The parameter that made it all work is :
>
> winbind cache time = 0
>
> if I reset this to the default on the client, which is 15, I get the
> following results :
>
>
>
> [root at client root]# getent passwd
> root:x:0:0:root:/root:/bin/bash
> ...
> client$:x:502:501::/dev/null:/bin/false
> root:x:10000:10000:root:/home/MYGROUP/root:/bin/false
> jo:x:10001:10000::/home/MYGROUP/jo:/bin/false
>
>
> [root at client root]# getent group
>
> DOES NOT SHOW THE "win" GROUPS... ANY IDEA WHY? Where are
> the groups stored on the samba pdc????
>
>
> [root at client root]# wbinfo -u
> root
> jo
> [root at client root]# wbinfo -g
> Domain Admins
> Domain Users
> [root at client root]#
> [root at client root]# wbinfo -t
> Secret is good
> [root at client root]#
> [root at client root]# wbinfo -a jo%welcome
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> //thanks to recompiling !!!!!!!!!!
>
> [root at client root]#
>
> So everything seems ok, but if I try to connect to a local share on the
> client in the hope that winbind will provide the user account jo, it fails
> like this :
>
> [root at client root]# smbclient //CLIENT/tmp -U jo%welcome
> added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
> Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
> tree connect failed: NT_STATUS_UNSUCCESSFUL <-----------------------
> [root at client root]# smbclient //CLIENT/tmp -U jo%welcome
> added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
> Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
> tree connect failed: NT_STATUS_WRONG_PASSWORD <--------------------
> [root at client root]#
>
> The weird thing is the different error message the second time, which is
> reset to the first one after - you guessed it - 15 seconds... that's how
> I figured out it maybe had something to do with the cache time (ok I was
> just lucky to try it).
>
> As soon as I change it back to winbind cache time = 0 it works fine :
>
> [root at client root]# smbclient //CLIENT/tmp -U jo%welcome
> added interface ip=172.17.11.5 bcast=172.17.11.255 nmask=255.255.255.0
> Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]
> smb: \> ls
> . D 0 Mon Aug 4 04:02:07 2003
> .. D 0 Fri Aug 1 13:35:41 2003
> jd_sockV4 A 0 Fri Aug 1 13:36:20 2003
> orbit-root D 0 Fri Aug 1 16:07:15 2003
> .font-unix DH 0 Fri Aug 1 13:36:21 2003
> .fam_socket AH 0 Fri Aug 1 13:44:14 2003
> .gdm_socket H 0 Fri Aug 1 13:36:22 2003
> .iroha_unix DH 0 Fri Aug 1 13:36:16 2003
> .X11-unix DH 0 Fri Aug 1 13:36:22 2003
> .X0-lock HR 11 Fri Aug 1 13:36:22 2003
> .ICE-unix DH 0 Fri Aug 1 13:44:14 2003
> ssh-XX9OiucF D 0 Fri Aug 1 13:44:13 2003
> .winbindd DH 0 Mon Aug 4 13:10:59 2003
> test D 0 Fri Aug 1 06:01:54 2003
> test2 D 0 Fri Aug 1 06:07:06 2003
> yahoo D 0 Fri Aug 1 16:10:13 2003
> joke D 0 Fri Aug 1 16:18:18 2003
>
> 62228 blocks of size 8192. 32583 blocks available
> smb: \>
>
>
> Is this a feature or a bug ??? The man page of winbindd does not make it
> any clearer for me... hope this can help anybody.
>
>
> Thanks for any replies.
> Jo
> Sun Microsystems
>
> NEOlabs - http://www.neolabs.be - mailto:info at neolabs.be
NEOlabs - http://www.neolabs.be - mailto:info at neolabs.be