[Samba] Samba 3/ADC/Winbind problem
Ron Smith
rls at cableone.net
Tue Nov 4 21:17:21 GMT 2003
Greetings all.
I am banging my head about this one; I will try to be as specific as
possible, so bear with me please.
I have a W2KDC ADC, and trying to join a Samba 3 linux workstation to it.
What works:
net join: succeeded
wbinfo -t: checking the trust secret via RPC calls succeeded
wbinfo -m: return to prompt, no output
wbinfo -u: correct list of local + AD members
wbinfo -g: correct list of local + AD groups
kinit: succeeded
klist output for root from the samba machine:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at THIS.DOMAIN
Valid starting Expires Service_principal
11/03/03 19:00:38 11/04/03 05:00:38 krbtgt/THIS.DOMAIN at THIS.DOMAIN
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
pam.d/login modified and working
AD users can log into local terminal of samba
machine, and if home dir is missing, created
via use of pam_mkhomedir
telnet/ssh/ftp/etc. all working with local & AD accounts
No accounts in AD overlap linux system accounts
Any windows (all WinXP Pro or Win2K) client's shares can
be accessed from the samba/linux system, including any
dfs from the AD system. Example:
smbclient -k //mercury/dfs1
Succeeds.
Any windows client's shares can be accessed from any other
windows client, or the AD server.
What DOESN'T work:
Cannot access any samba shares on the linux machine, from
the samba system itself, or any windows client.
smbclient -k //sol/tmp
session setup failed: NT_STATUS_LOGON_FAILURE
However, I can do this:
smbclient //sol/tmp
Enter password when prompted, and access success.
Of course, any windows client cannot access the samba shares at all, cannot
even browse the machine's share list.
Something about my kerberos auth between samba/ADC is not right, and I am
busted if I can figure out what it is.
Contents of /etc/krb5.conf:
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = THIS.DOMAIN
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
THIS.DOMAIN = {
kdc = mercury.this.domain:88
default_domain = this.domain
}
[domain_realm]
.this.domain = THIS.DOMAIN
this.domain = THIS.DOMAIN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
/etc/samba/smb.conf:
[global]
workgroup = THIS
realm = THIS.DOMAIN
server string = Test Server (Samba %v)
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
password server = MERCURY
log level = 10
log file = /var/log/samba3/log.%m
max log size = 50
name resolve order = wins lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
os level = 1
preferred master = No
local master = No
domain master = No
wins server = 50.50.50.50 #(IP of ADS)
message command = /usr/bin/linpopup "%f" "%m" %s; rm %s
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
printer admin = @Domain Admins
printing = cups
[homes]
comment = Home Directories
path = %H
valid users = %S
read only = No
create mask = 0600
directory mask = 0700
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba3
create mask = 0700
guest ok = Yes
printable = Yes
print command = lpr-cups -P %p -o raw %s -r
browseable = No
[print$]
path = /var/lib/samba3/printers
write list = @adm, root
guest ok = Yes
[pdf-generator]
comment = PDF Generator (only valid users)
path = /var/tmp
printable = Yes
print command = /usr/share/samba3/scripts/print-pdf %s ~%u //%L/%u %m %I "%J" &
[tmp]
comment = Temporary file space
path = /tmp
read only = No
guest ok = Yes
[distributions]
comment = Linux Distributions
path = /usr/local/dist
read only = No
guest ok = Yes
[library]
comment = Software Library
path = /usr/share/library
[music]
comment = Music Editing Software
path = /usr/local/music
read only = No
guest ok = Yes
[public]
comment = Public Documentation
path = /usr/share/public
read only = No
guest ok = Yes
/etc/pam.d/samba
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
/etc/pam.d/system-auth
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind3.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_winbind3.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 minlen=0 dcredit=0 ucredit=0
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Cleaned logs, start smb/nmb, start winbind, try to access /tmp share on
samba/linux system:
/var/log/samba/log.winbindd:
[2003/11/03 19:30:26, 10] nsswitch/winbindd_cache.c:centry_expired(391)
centry_expired: Key U/S-1-5-21-1220945662-842925246-1957994488-500 for
domain THIS is good.
[2003/11/03 19:30:26, 10] nsswitch/winbindd_cache.c:wcache_fetch(470)
wcache_fetch: returning entry
U/S-1-5-21-1220945662-842925246-1957994488-500 for domain THIS
[2003/11/03 19:30:26, 10] nsswitch/winbindd_cache.c:query_user(1067)
query_user: [Cached] - cached info for domain THIS status Success
[2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_uid(150)
idmap_sid_to_uid: sid = [S-1-5-21-1220945662-842925246-1957994488-500]
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:db_get_id_from_sid(315)
db_get_id_from_sid
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(221)
internal_get_id_from_sid: fetching record
S-1-5-21-1220945662-842925246-1957994488-500 of type 0x1
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)
internal_get_id_from_sid: record
S-1-5-21-1220945662-842925246-1957994488-500 -> UID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(243)
internal_get_id_from_sid: ID_USERID fetching record
S-1-5-21-1220945662-842925246-1957994488-500 -> UID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)
internal_get_sid_from_id: fetching record UID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)
internal_get_sid_from_id: fetching record UID 10000 ->
S-1-5-21-1220945662-842925246-1957994488-500
[2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_uid(157)
idmap_sid_to_uid: uid = [10000]
[2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_gid(179)
sid_to_gid: sid = [S-1-5-21-1220945662-842925246-1957994488-513]
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:db_get_id_from_sid(315)
db_get_id_from_sid
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(221)
internal_get_id_from_sid: fetching record
S-1-5-21-1220945662-842925246-1957994488-513 of type 0x2
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)
internal_get_id_from_sid: record
S-1-5-21-1220945662-842925246-1957994488-513 -> GID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(262)
internal_get_id_from_sid: ID_GROUPID fetching record
S-1-5-21-1220945662-842925246-1957994488-513 -> GID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)
internal_get_sid_from_id: fetching record GID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)
internal_get_sid_from_id: fetching record GID 10000 ->
S-1-5-21-1220945662-842925246-1957994488-513
[2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_gid(187)
idmap_sid_to_gid: gid = [10000]
[2003/11/03 19:30:26, 10] nsswitch/winbindd.c:client_write(502)
client_write: wrote 1300 bytes.
[2003/11/03 19:30:26, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 0 bytes. Need 1568 more for a full request.
[2003/11/03 19:30:26, 5] nsswitch/winbindd.c:winbind_client_read(462)
read failed on sock 18, pid 31841: EOF
[2003/11/03 19:31:00, 6] nsswitch/winbindd.c:new_connection(340)
accepted socket 17
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:process_request(305)
process_request: request fn INTERFACE_VERSION
[2003/11/03 19:31:00, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(231)
[31883]: request interface version
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)
client_write: wrote 1300 bytes.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:process_request(305)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2003/11/03 19:31:00, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)
[31883]: request location of privileged pipe
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)
client_write: wrote 1300 bytes.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(547)
client_write: need to write 38 extra data bytes.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)
client_write: wrote 38 bytes.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(536)
client_write: client_write: complete response written.
[2003/11/03 19:31:00, 6] nsswitch/winbindd.c:new_connection(340)
accepted socket 18
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 0 bytes. Need 1568 more for a full request.
[2003/11/03 19:31:00, 5] nsswitch/winbindd.c:winbind_client_read(462)
read failed on sock 17, pid 31883: EOF
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:process_request(305)
process_request: request fn GETGROUPS
[2003/11/03 19:31:00, 3] nsswitch/winbindd_group.c:winbindd_getgroups(931)
[31883]: getgroups mail
[2003/11/03 19:31:00, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(342)
refresh_sequence_number: THIS time ok
[2003/11/03 19:31:00, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(367)
refresh_sequence_number: THIS seq number is now 4040
[2003/11/03 19:31:00, 10] nsswitch/winbindd_cache.c:name_to_sid(958)
name_to_sid: [Cached] - doing backend query for name for domain THIS
[2003/11/03 19:31:00, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
ads: name_to_sid
[2003/11/03 19:31:00, 5] libads/ldap_utils.c:ads_do_search_retry(52)
Search for (|(sAMAccountName=mail)(userPrincipalName=mail at THIS.LOCAL))
gave 0 replies
[2003/11/03 19:31:00, 1] libads/ads_ldap.c:ads_name_to_sid(64)
name_to_sid: mail not found
[2003/11/03 19:31:00, 10]
nsswitch/winbindd_cache.c:wcache_save_name_to_sid(602)
wcache_save_name_to_sid: MAIL -> S-0-0
[2003/11/03 19:31:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)
user 'mail' does not exist
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)
client_write: wrote 1300 bytes.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 0 bytes. Need 1568 more for a full request.
[2003/11/03 19:31:00, 5] nsswitch/winbindd.c:winbind_client_read(462)
read failed on sock 18, pid 31883: EOF
[2003/11/03 19:32:01, 6] nsswitch/winbindd.c:new_connection(340)
accepted socket 17
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:process_request(305)
process_request: request fn INTERFACE_VERSION
[2003/11/03 19:32:01, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(231)
[31893]: request interface version
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)
client_write: wrote 1300 bytes.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:process_request(305)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2003/11/03 19:32:01, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)
[31893]: request location of privileged pipe
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)
client_write: wrote 1300 bytes.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(547)
client_write: need to write 38 extra data bytes.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)
client_write: wrote 38 bytes.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(536)
client_write: client_write: complete response written.
[2003/11/03 19:32:01, 6] nsswitch/winbindd.c:new_connection(340)
accepted socket 18
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 0 bytes. Need 1568 more for a full request.
[2003/11/03 19:32:01, 5] nsswitch/winbindd.c:winbind_client_read(462)
read failed on sock 17, pid 31893: EOF
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:process_request(305)
process_request: request fn GETGROUPS
[2003/11/03 19:32:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(931)
[31893]: getgroups mail
[2003/11/03 19:32:01, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(342)
refresh_sequence_number: THIS time ok
[2003/11/03 19:32:01, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(367)
refresh_sequence_number: THIS seq number is now 4040
[2003/11/03 19:32:01, 10] nsswitch/winbindd_cache.c:name_to_sid(958)
name_to_sid: [Cached] - doing backend query for name for domain THIS
[2003/11/03 19:32:01, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
ads: name_to_sid
[2003/11/03 19:32:01, 5] libads/ldap_utils.c:ads_do_search_retry(52)
Search for (|(sAMAccountName=mail)(userPrincipalName=mail at THIS.LOCAL))
gave 0 replies
[2003/11/03 19:32:01, 1] libads/ads_ldap.c:ads_name_to_sid(64)
name_to_sid: mail not found
[2003/11/03 19:32:01, 10]
nsswitch/winbindd_cache.c:wcache_save_name_to_sid(602)
wcache_save_name_to_sid: MAIL -> S-0-0
[2003/11/03 19:32:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)
user 'mail' does not exist
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)
client_write: wrote 1300 bytes.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)
client_read: read 0 bytes. Need 1568 more for a full request.
[2003/11/03 19:32:01, 5] nsswitch/winbindd.c:winbind_client_read(462)
read failed on sock 18, pid 31893: EOF
Any tips to get the smb shares working would be appreciated!
Ron L. Smith
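The winbindd excerpt quoted above is level-10 output for a `getgroups` request, and the useful signal in it is easy to miss by eye: the LDAP search winbindd issues appends a UPN suffix (`THIS.LOCAL`) that differs from the realm configured in both krb5.conf and smb.conf (`THIS.DOMAIN`), and the "does not exist" lines concern `mail`, a local Unix account, not the AD user whose Kerberos session setup fails. The following script is an added diagnostic, not code from the post or from the Samba project: it parses winbindd debug lines plus the relevant `[global]`/`[libdefaults]` keys and reports those two facts so a reader can check a log of any length the same way. The sample log, config snippets and the set of local accounts are constructed from the lines in the post (with the archive's " at " restored to the "@" that real winbindd logs print); the function names are this example's own.

```python
"""Diagnostic for Samba 3 winbindd debug logs: flags AD name lookups that
failed for local Unix accounts and a mismatch between the UPN suffix winbindd
searched with and the realm configured in smb.conf / krb5.conf.
Added example for the mailing-list post; not Samba project code."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log, de-wrapped from the post (real logs print "@").
SAMPLE_LOG = """\
[2003/11/03 19:31:00, 3] nsswitch/winbindd_group.c:winbindd_getgroups(931)
  [31883]: getgroups mail
[2003/11/03 19:31:00, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (|(sAMAccountName=mail)(userPrincipalName=mail@THIS.LOCAL)) gave 0 replies
[2003/11/03 19:31:00, 1] libads/ads_ldap.c:ads_name_to_sid(64)
  name_to_sid: mail not found
[2003/11/03 19:31:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)
  user 'mail' does not exist
"""

# Constructed config snippets (the keys that matter, copied from the post).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = THIS.DOMAIN
[realms]
 THIS.DOMAIN = {
  kdc = mercury.this.domain:88
 }
"""
SAMPLE_SMB_CONF = """\
[global]
 workgroup = THIS
 realm = THIS.DOMAIN
 security = ADS
 winbind use default domain = Yes
"""
# Constructed stand-in for the local /etc/passwd account names.
LOCAL_ACCOUNTS: Set[str] = {"root", "daemon", "lp", "mail"}

UPN_RE = re.compile(r"userPrincipalName=([^@()]+)@([^()]+)\)")
MISSING_RE = re.compile(r"user '([^']+)' does not exist")


def parse_ini_value(text: str, section: str, key: str) -> Optional[str]:
    """First value of `key` in `[section]` of an smb.conf/krb5.conf-style file.
    Keys match case-insensitively; krb5 `{ ... }` realm blocks are skipped so
    a nested `kdc =` cannot shadow a top-level key."""
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header and depth == 0:
            current = header.group(1).strip().lower()
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth = max(0, depth - 1)
            continue
        if current != section.lower() or depth or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip().lower() == key.lower():
            return v.strip()
    return None


def upn_searches(log: str) -> List[Tuple[str, str]]:
    """(name, suffix) pairs from ads_do_search_retry lines; the suffix is
    what winbindd appended to the unqualified name for the UPN lookup."""
    return [(m.group(1), m.group(2)) for m in UPN_RE.finditer(log)]


def missing_users(log: str) -> List[str]:
    """Names winbindd reported as 'does not exist'."""
    return MISSING_RE.findall(log)


def diagnose(log: str, krb5_conf: str, smb_conf: str, local_accounts: Set[str]) -> Dict:
    """Compare the realm winbindd actually searched with against the configured
    realm, and separate failed lookups of local accounts from failed lookups
    of would-be domain accounts."""
    realm = parse_ini_value(smb_conf, "global", "realm") or \
        parse_ini_value(krb5_conf, "libdefaults", "default_realm")
    suffixes = {s.upper() for _, s in upn_searches(log)}
    mismatch = bool(realm) and any(s != realm.upper() for s in suffixes)
    missing = set(missing_users(log))
    findings = []
    if mismatch:
        findings.append("winbindd searched UPN suffix(es) %s but the configured realm is %s"
                        % (sorted(suffixes), realm))
    local_fail = sorted(missing & local_accounts)
    if local_fail:
        findings.append("lookups that failed in AD were for local accounts %s; "
                        "they say nothing about the domain user's session setup" % local_fail)
    return {"configured_realm": realm, "upn_suffixes": suffixes,
            "realm_mismatch": mismatch, "failed_local_lookups": local_fail,
            "failed_domain_lookups": sorted(missing - local_accounts),
            "findings": findings}


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, SAMPLE_KRB5_CONF, SAMPLE_SMB_CONF, LOCAL_ACCOUNTS)["findings"]:
        print(line)
```

Run against a full log.winbindd, the `failed_domain_lookups` list is the one to watch for the account that actually attempted the Kerberos session; an empty list there means the debug log quoted does not yet cover the failing request and the smbd log for the same timestamp is the next place to look.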