[Samba] winbind failing to find user in Active Directory
Tim Jordan
timothy_jordan at labor.state.ak.us
Fri Dec 19 23:48:56 GMT 2003
I have my Mandrake 9.2 box running as a domain member for a W2K AD
domain. This is a new problem or I'm missing something really obvious.
Possible bug?
Setup:
Samba Server 3.0.1 = ANC-GENTOO
Windows Domain = LABOR
windows xp client = ANC-07-14927xp
tim = Windows Active Directory Domain Account
Getting this "check_winbind_security" error when trying to connect to
Samba via windows client (xp):
**************************************************************
[2003/12/19 21:43:24, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[ANC-GENTOO]\[tim]@[ANC-07-14927XP] with the new password interface
[2003/12/19 21:43:24, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is:
[ANC-GENTOO]\[tim]@[ANC-07-14927XP]
[2003/12/19 21:43:24, 3] auth/auth_winbind.c:check_winbind_security(79)
check_winbind_security: Not using winbind, requested domain was for
this SAM.
[2003/12/19 21:43:24, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [tim] -> [tim] FAILED
with error NT_STATUS_NO_SUCH_USER
[2003/12/19 21:43:25, 3] smbd/process.c:timeout_processing(1104)
timeout_processing: End of file from client (client has disconnected).
**************************************************************
1. winbind is working:
# wbinfo -u | grep tim
tim
# getent group | grep "Domain Admins"
Domain Admins:x:10003:tim, Administrator, etc..., ....,....,...,..
2. I noticed that when trying to connect to my Samba shares the username
and password come back as:
username: ANC-Gentoo\tim
It should read:
username: LABOR\tim
3. I took it out of the domain and then rejoined the domain:
net ads join -U tim%password
Using short domain name -- LABOR
Joined 'ANC-GENTOO' to realm 'LABOR.AK'
4. klist -e
12/19/03 22:45:54 12/20/03 03:58:16 anc-07-14927xp$@LABOR.AK
Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with
RSA-MD5
Now when trying to connect to Samba from XP workstation:
****************************************************************
[2003/12/19 22:47:44, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[LABOR]\[tim]@[ANC-07-14927XP] with the new password interface
[2003/12/19 22:47:44, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [LABOR]\[tim]@[ANC-07-14927XP]
[2003/12/19 22:47:44, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/19 22:47:44, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/19 22:47:44, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/19 22:47:44, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/19 22:47:44, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [tim] -> [tim] FAILED
with error NT_STATUS_NO_SUCH_USER
[2003/12/19 22:47:44, 3] smbd/process.c:timeout_processing(1104)
timeout_processing: End of file from client (client has disconnected).
******************************************************************
I noticed the domain field changed to properly read LABOR\tim. Problem
is Samba still can't find my domain account!
My brain is melting so I'm taking a break...here are my .config files
Tim
smb.conf:
[global]
workgroup = LABOR
realm = LABOR.AK
server string = Samba Server %v
printcap name = cups
load printers = yes
printing = cups
printer admin = @"Domain Admins"
log file = /usr/local/samba/var/log.%m
max log size = 100
log level = 10
security = ads
password server = ipaddress of pdc
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
#winbind use default domain = yes
allow trusted domains = no
auth methods = winbind
template homedir = /home/%D/%U
obey pam restrictions = yes
template shell = /bin/bash
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
os level = 0
domain master = no
preferred master = no
domain logons = no
add user script = /usr/sbin/useradd -s /bin/false '%u'
idmap uid = 10000-20000
idmap gid = 10000-20000
name resolve order = wins lmhosts bcast
wins server = ipaddress of winsserver
dns proxy = no