[Samba] Samba 3 & ADS current capabilities [adr]
Andrew Bartlett
abartlet at samba.org
Sat Feb 1 04:32:00 GMT 2003
On Sat, 2003-02-01 at 11:57, Rick Segeberg wrote:
> Andrew,
>
> Thanks for your response. This reply is actually not a request for
> additional help. After much searching through the lists and Google
> along with a lot of experimentation, I think I've got it (mostly) figured
> out. This post is just an effort to help others who might be struggling
> with the same issues as I was. I'm sure it's far from perfect and if
> anyone has suggestions on improving something, I'd like to hear them.
>
> Server Information:
> Red Hat 8.0 w/ kernel 2.4.28-18.8.0
> Samba 3.0 alpha 21
>
> Just to be sure, I've started at the beginning and double checked
> everything to make sure it matches the documentation I have. Also, I
> apologize for the wordiness, but hopefully this will help someone else.
> Here's what I've done so far:
>
> I successfully joined the domain (actually this shows me re-joining):
>
> # /usr/local/samba/bin/net ads join
> [2003/01/30 15:30:04, 0] libads/ldap.c:ads_join_realm(1325)
> Host account for lintest already exists - deleting old account
> Joined 'LINTEST' to realm 'MYDOMAIN.ORG'
>
> Then to make sure I could actually authenticate up to the w2k ads
> server:
>
> # ../bin/smbclient //postoffice/c\$ -k
> added interface ip=10.1.46.5 bcast=10.1.47.255 nmask=255.255.240.0
> Doing spnego session setup (blob length=113)
> Doing kerberos session setup
> OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
> smb: \>
>
> At the prompt, I was able to traverse all directories, etc.
>
> In following the winbind documentation, I tried joining the domain again
> after configuring my smb.conf file (figuring this wouldn't work since
> it's quite a bit different than the 1st join command):
>
> # bin/net rpc join -s PDC -U john.doe
I've just committed clarifications to the documentation, as this only
applies to NT4 domains. The new documentation refers to 'net join',
which detects which one to use based on your 'security=' setting.
> Figuring I've already joined the domain, I proceeded in following the
> documentation. I started up winbindd (which shows as running after
> issuing "ps ax"), then tried:
> [root@lintest samba]# bin/wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
>
> Logs show:
>
> [2003/01/31 08:34:05, 1] rpc_client/cli_netlogon.c:cli_nt_setup_creds(300)
> cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [2003/01/31 08:34:05, 0] nsswitch/winbindd_cm.c:cm_get_netlogon_cli(936)
> error connecting to domain password server: NT_STATUS_ACCESS_DENIED
>
> Windows event viewer shows this:
>
> The session setup from the computer LINTEST failed to authenticate. The
> name of the account referenced in the security database is LINTEST$.
> The following error occurred:
> Access is denied.
>
> I finally found a fix for this. My nsswitch.conf file had the shadow
> line incorrect. It was:
That was not the fix for that issue. The only thing that can cause that
error is an incorrect join.
> ==============================
> ## nsswitch.conf
> ## created by Rick
>
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> ==============================
>
> It is now:
> ==============================
> ## nsswitch.conf
> ## created by Rick
>
> passwd: files winbind
> shadow: files
> group: files winbind
> =============================
>
> Amazing how such a small oversight can affect things.
That's because it was something else.
> Now this works:
>
> [root@lintest samba]# bin/wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> Since this fix, my log now show:
>
> [2003/01/31 09:23:52, 1] nsswitch/winbindd_util.c:add_trusted_domain(140)
> Added domain MYDMN
> [2003/01/31 09:24:02, 1] nsswitch/winbindd_util.c:init_domain_list(220)
> Retrying startup domain sid fetch for MYDMN
>
> As you can see, this continues about every 10 seconds.
>
> I changed my smb.conf file back (I had been experimenting with the
> difference in the security = domain vs. = ADS and password = * vs. =
> <server name>). I am now able to connect to the samba server from the
> domain logged in w2k workstation (without asking for a password).
> Yahoo!!!
>
> BUT - then it occurred to me that the user I'm using is in the
> /etc/passwd file (but not in the smbpasswd file). I commented this user
> out (using #). After this, the user could not connect to the samba
> server. In the documentation, it appears that I need to use "getent
> passwd" and "getent group" to pull down the user list and groups from
> the server. This doesn't seem to work. Here's what I get:
>
> #getent passwd
>
> This seemed to only list the current contents of my /etc/passwd file.
> It's my understanding that it should list this and then follow it with
> the domain users with their new uids, gids, home directories and default
> shells. All I got was the /etc/passwd file.
>
> Log shows:
> [2003/01/31 11:22:35, 0] nsswitch/winbindd.c:process_loop(620)
> process_loop: Invalid request size from pid 10640: 1304 bytes sent, should be 1564
> [2003/01/31 11:22:35, 0] nsswitch/winbindd.c:process_loop(620)
> process_loop: Invalid request size from pid 10640: 1304 bytes sent, should be 1564
> As I would expect, "getent group" works the same.
>
> I found a posting from 2002-05-06 with a similar error in which you
> thought the winbindd libraries did not match. I'm using the version
> that came with the alpha21 package (I thought).
> Then I found a posting that showed the libnss_winbind.so libraries are
> not created by make (although it didn't say how to do that). Found a
> posting via Google
> (http://samba.cadcamlab.org/lists/samba-technical/Apr2002/00059.html)
> which also indicated that the libnsswitch_winbind.so library is not
> created by make. Followed his instructions "make
> nsswitch/libnss_winbind.so" from the source directory, then copied it to
> /lib and another problem resolved. No more "Invalid request size...."
> errors.
I'll see about adding some more paranoia/admin sanity checks.
> #getent passwd (now works)
> #getent group (now works)
>
> Now my workstation will successfully login to samba server without
> asking for a password and without a user/passwd in /etc/passwd or
> smbpasswd. However, no other machine can seem to log in (even when
> using the same account). No errors or logs on the samba box or the dc.
> This seemed odd, so I relogged into my w2k workstation, and now it will
> not log in either. Interesting.
>
> Then I noticed this in the logs:
>
> [2003/01/31 13:10:12, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(127)
> user 'IP-RSEGEBE50172$' does not exist
>
> However, I have found that this does not seem to matter. What mattered
> were the directory permissions (right now I only have [homes] shared
> out). By using getent group, I was able to find the group number of a
> group that my user belonged to. All I have to do is chown and chmod the
> directory to which I want that share available to and it works.
>
> Here's an example:
>
> In my ADS, I have group called IT. Using "getent group|grep IT" I find
> my group number is 12345. I create a directory on my samba box called
> "it_dudes", then issue the following commands as root:
>
> #chown 12345 it_dudes
> #chmod 770 it_dudes
>
> If you do an ls -l, you'll see a pretty cool listing, like this:
>
> drwxrwx--- 2 root DOMAIN+IT 4096 Dec 16 10:39 it_dudes
>
> Now everyone in the "it_dudes" group has full permission to whatever is
> there.
>
> Of course, the above directory has to be shared out appropriately in
> smb.conf. My configs (below) only show basic configurations, but you
> really should add to it such entries as the umask, default permissions
> (of the share that is), etc.
>
> Notes:
> 1) My Windows 2000 ADS domain name is MYDOMAIN.ORG, however my NT domain
> name is MYDMN. Anything that shows ADS listings (such as getent group)
> always shows the NT domain name.
> 2) I did all of my work via telnet windows (actually ssh). It was
> helpful to have one of the windows open with "tail -f log.winbindd
> |more" running as I could see cause and effect related problems and
> successes. Also, my ssh session has a nice big buffer so I can scroll
> back and see things I might have missed.
> 3) Somewhere in all of this, I added root to the smbpasswd file. I know
> it helped, but now I don't remember what it was.
> 4) There is a smb startup/stop/restart script at the end of this also.
> Very helpful with all the restarts I had to do when making changes.
> 5) If I think of or discover anything else, I will post it.
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
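The admin sanity checks this thread circles around (winbind on the passwd and group lines of nsswitch.conf, the libnss_winbind.so module actually installed, domain users visible through getent, a domain group's gid resolved before chown), gathered into one POSIX shell script. This is an added example, not code from the original post or from the Samba project. It assumes the '+' winbind separator and the MYDMN+IT group name seen in the post's output, and that libnss_winbind.so lives in /lib, /lib64 or /usr/lib; nothing in it touches a live domain unless --live is passed. It differs from the post in two places a practitioner would want: the gid is looked up by exact group name instead of grep IT (which also matches MYDMN+ITADMINS), and the directory's group is set with chgrp by gid plus the setgid bit, so files created in the share inherit the domain group.

```shell
#!/bin/sh
# winbind_sanity.sh: checks for the winbind/NSS setup discussed in the thread.
# Added example, not Samba code. Assumed: winbind separator '+', NSS module under
# /lib, /lib64 or /usr/lib. Every check below works on a saved file, so it can run offline.

# 1. nsswitch.conf: passwd and group must route through winbind. The config that ended up
#    working in the post keeps shadow on 'files' only, so winbind there is flagged.
nsswitch_has_winbind() {
    conf="$1"; rc=0
    for db in passwd group; do
        if ! grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$conf"; then
            echo "nsswitch.conf: '$db' does not list winbind" >&2; rc=1
        fi
    done
    if grep -Eq '^[[:space:]]*shadow:.*[[:space:]]winbind([[:space:]]|$)' "$conf"; then
        echo "nsswitch.conf: 'shadow' lists winbind; the working config uses 'files' only" >&2; rc=1
    fi
    return $rc
}

# 2. The NSS module: plain 'make' did not build it in the post, so confirm it is installed.
#    Arguments: directories to search.
winbind_nss_lib_present() {
    for d in "$@"; do
        if [ -e "$d/libnss_winbind.so" ] || [ -e "$d/libnss_winbind.so.2" ]; then
            return 0
        fi
    done
    echo "libnss_winbind.so not found in: $*" >&2
    return 1
}

# 3. Count domain accounts in saved 'getent passwd' output ($1): winbind names carry the
#    separator ($2, default '+'), local /etc/passwd names do not. Zero means NSS never
#    reached winbindd, which is what the "Invalid request size" stage in the post looks like.
count_domain_users() {
    awk -F: -v sep="${2:-+}" 'index($1, sep) > 0 { n++ } END { print n + 0 }' "$1"
}

# 4. Resolve a domain group to its gid by exact name on saved 'getent group' output ($1).
#    Returns 1 if the group is not there, instead of silently printing nothing.
domain_group_gid() {
    awk -F: -v name="$2" '$1 == name { print $3; found = 1; exit } END { if (!found) exit 1 }' "$1"
}

# 5. Hand a directory to a domain group: chgrp by numeric gid (works even before the name
#    resolves), setgid so new files inherit the group, nothing for others.
grant_domain_group_dir() {
    dir="$1"; gid="$2"
    mkdir -p "$dir" && chgrp "$gid" "$dir" && chmod 2770 "$dir"
}

# --live runs the checks against this host; needs winbindd running and wbinfo in PATH.
if [ "${1:-}" = "--live" ]; then
    nsswitch_has_winbind /etc/nsswitch.conf
    winbind_nss_lib_present /lib /lib64 /usr/lib
    wbinfo -t || echo "wbinfo -t failed: the join is the thing to redo, not nsswitch.conf" >&2
    tmp=$(mktemp) && getent passwd > "$tmp" && echo "domain users via NSS: $(count_domain_users "$tmp")"
    rm -f "$tmp"
fi
```

Run it with --live on the Samba box after the join; for a share, `domain_group_gid` on a saved `getent group` gives the number to pass to `grant_domain_group_dir`, which is the chown/chmod step of the post done by gid with the setgid bit added.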