[Samba] Samba 3/ADC/Winbind problem

Ron Smith rls at cableone.net
Tue Nov 4 21:17:21 GMT 2003


Greetings all.

I am banging my head about this one. I will try to be as specific as
possible; bear with me, please.

 

I have a W2KDC ADC, and am trying to join a Samba 3 Linux workstation to it.

What works:

net join:  succeeded

wbinfo -t:  checking the trust secret via RPC calls succeeded

wbinfo -m: return to prompt, no output

wbinfo -u: correct list of local + AD members

wbinfo -g: correct list of local + AD groups

kinit: succeeded

klist output for root from the samba machine:

  Ticket cache: FILE:/tmp/krb5cc_0
  Default prinicpal: Administrator@THIS.DOMAIN

   Valid starting            Expires                 Service_principal
  11/03/03 19:00:38  11/04/03 05:00:38  krbtgt/THIS.DOMAIN@THIS.DOMAIN

  Kerberos 4 ticket cache:  /tmp/tkt0
  klist: You have no tickets cached

pam.d/login modified and working:
     AD users can log into the local terminal of the samba
     machine, and if the home dir is missing, it is created
     via pam_mkhomedir.

telnet/ssh/ftp/etc. all working with local & AD accounts.

No accounts in AD overlap Linux system accounts.

Any Windows (all WinXP Pro or Win2K) client's shares can
    be accessed from the samba/linux system, including any
    dfs from the AD system.  Example:
       smbclient -k //mercury/dfs1
    Succeeds.

Any Windows client's shares can be accessed from any other
   Windows client, or the AD server.

 

What DOESN'T work:

Cannot access any samba shares on the Linux machine, from
  the samba system itself or from any Windows client.

smbclient -k //sol/tmp
session setup failed: NT_STATUS_LOGON_FAILURE

However, I can do this:

smbclient //sol/tmp

Enter the password when prompted, and access succeeds.

Of course, no Windows client can access the samba shares at all; they cannot
even browse the machine's share list.

Something about my Kerberos auth between samba/ADC is not right, and I am
busted if I can figure out what it is.

 

Contents of /etc/krb5.conf:

[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = THIS.DOMAIN
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true
 proxiable = true
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 THIS.DOMAIN = {
  kdc = mercury.this.domain:88
  default_domain = this.domain
 }

[domain_realm]
 .this.domain = THIS.DOMAIN
 this.domain = THIS.DOMAIN

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

/etc/samba/smb.conf:

[global]
        workgroup = THIS
        realm = THIS.DOMAIN
        server string = Test Server (Samba %v)
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        password server = MERCURY
        log level = 10
        log file = /var/log/samba3/log.%m
        max log size = 50
        name resolve order = wins lmhosts bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = cups
        os level = 1
        preferred master = No
        local master = No
        domain master = No
        wins server = 50.50.50.50  #(IP of ADS)
        message command = /usr/bin/linpopup "%f" "%m" %s; rm %s
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        printer admin = @Domain Admins
        printing = cups

[homes]
        comment = Home Directories
        path = %H
        valid users = %S
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba3
        create mask = 0700
        guest ok = Yes
        printable = Yes
        print command = lpr-cups -P %p -o raw %s -r
        browseable = No

[print$]
        path = /var/lib/samba3/printers
        write list = @adm, root
        guest ok = Yes

[pdf-generator]
        comment = PDF Generator (only valid users)
        path = /var/tmp
        printable = Yes
        print command = /usr/share/samba3/scripts/print-pdf %s ~%u //%L/%u %m %I "%J" &

[tmp]
        comment = Temporary file space
        path = /tmp
        read only = No
        guest ok = Yes

[distributions]
        comment = Linux Distributions
        path = /usr/local/dist
        read only = No
        guest ok = Yes

[library]
        comment = Software Library
        path = /usr/share/library

[music]
        comment = Music Editing Software
        path = /usr/local/music
        read only = No
        guest ok = Yes

[public]
        comment = Public Documentation
        path = /usr/share/public
        read only = No
        guest ok = Yes
 

/etc/pam.d/samba:

auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth

/etc/pam.d/system-auth:

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind3.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/security/pam_winbind3.so
account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 minlen=0 dcredit=0  ucredit=0
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

 

Cleaned logs, started smb/nmb, started winbind, tried to access the /tmp share on
the samba/linux system:

/var/log/samba/log.winbindd:

[2003/11/03 19:30:26, 10] nsswitch/winbindd_cache.c:centry_expired(391)
  centry_expired: Key U/S-1-5-21-1220945662-842925246-1957994488-500 for domain THIS is good.
[2003/11/03 19:30:26, 10] nsswitch/winbindd_cache.c:wcache_fetch(470)
  wcache_fetch: returning entry U/S-1-5-21-1220945662-842925246-1957994488-500 for domain THIS
[2003/11/03 19:30:26, 10] nsswitch/winbindd_cache.c:query_user(1067)
  query_user: [Cached] - cached info for domain THIS status Success
[2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_uid(150)
  idmap_sid_to_uid: sid = [S-1-5-21-1220945662-842925246-1957994488-500]
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:db_get_id_from_sid(315)
  db_get_id_from_sid
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(221)
  internal_get_id_from_sid: fetching record S-1-5-21-1220945662-842925246-1957994488-500 of type 0x1
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)
  internal_get_id_from_sid: record S-1-5-21-1220945662-842925246-1957994488-500 -> UID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(243)
  internal_get_id_from_sid: ID_USERID fetching record S-1-5-21-1220945662-842925246-1957994488-500 -> UID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)
  internal_get_sid_from_id: fetching record UID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)
  internal_get_sid_from_id: fetching record UID 10000 -> S-1-5-21-1220945662-842925246-1957994488-500
[2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_uid(157)
  idmap_sid_to_uid: uid = [10000]
[2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_gid(179)
  sid_to_gid: sid = [S-1-5-21-1220945662-842925246-1957994488-513]
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:db_get_id_from_sid(315)
  db_get_id_from_sid
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(221)
  internal_get_id_from_sid: fetching record S-1-5-21-1220945662-842925246-1957994488-513 of type 0x2
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)
  internal_get_id_from_sid: record S-1-5-21-1220945662-842925246-1957994488-513 -> GID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(262)
  internal_get_id_from_sid: ID_GROUPID fetching record S-1-5-21-1220945662-842925246-1957994488-513 -> GID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)
  internal_get_sid_from_id: fetching record GID 10000
[2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)
  internal_get_sid_from_id: fetching record GID 10000 -> S-1-5-21-1220945662-842925246-1957994488-513
[2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_gid(187)
  idmap_sid_to_gid: gid = [10000]
[2003/11/03 19:30:26, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/11/03 19:30:26, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 0 bytes. Need 1568 more for a full request.
[2003/11/03 19:30:26, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 18, pid 31841: EOF
[2003/11/03 19:31:00, 6] nsswitch/winbindd.c:new_connection(340)
  accepted socket 17
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn INTERFACE_VERSION
[2003/11/03 19:31:00, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(231)
  [31883]: request interface version
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2003/11/03 19:31:00, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)
  [31883]: request location of privileged pipe
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(547)
  client_write: need to write 38 extra data bytes.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 38 bytes.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(536)
  client_write: client_write: complete response written.
[2003/11/03 19:31:00, 6] nsswitch/winbindd.c:new_connection(340)
  accepted socket 18
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 0 bytes. Need 1568 more for a full request.
[2003/11/03 19:31:00, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 17, pid 31883: EOF
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn GETGROUPS
[2003/11/03 19:31:00, 3] nsswitch/winbindd_group.c:winbindd_getgroups(931)
  [31883]: getgroups mail
[2003/11/03 19:31:00, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(342)
  refresh_sequence_number: THIS time ok
[2003/11/03 19:31:00, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(367)
  refresh_sequence_number: THIS seq number is now 4040
[2003/11/03 19:31:00, 10] nsswitch/winbindd_cache.c:name_to_sid(958)
  name_to_sid: [Cached] - doing backend query for name for domain THIS
[2003/11/03 19:31:00, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
[2003/11/03 19:31:00, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (|(sAMAccountName=mail)(userPrincipalName=mail@THIS.LOCAL)) gave 0 replies
[2003/11/03 19:31:00, 1] libads/ads_ldap.c:ads_name_to_sid(64)
  name_to_sid: mail not found
[2003/11/03 19:31:00, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(602)
  wcache_save_name_to_sid: MAIL -> S-0-0
[2003/11/03 19:31:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)
  user 'mail' does not exist
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 0 bytes. Need 1568 more for a full request.
[2003/11/03 19:31:00, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 18, pid 31883: EOF
[2003/11/03 19:32:01, 6] nsswitch/winbindd.c:new_connection(340)
  accepted socket 17
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn INTERFACE_VERSION
[2003/11/03 19:32:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(231)
  [31893]: request interface version
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2003/11/03 19:32:01, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)
  [31893]: request location of privileged pipe
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(547)
  client_write: need to write 38 extra data bytes.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 38 bytes.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(536)
  client_write: client_write: complete response written.
[2003/11/03 19:32:01, 6] nsswitch/winbindd.c:new_connection(340)
  accepted socket 18
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 0 bytes. Need 1568 more for a full request.
[2003/11/03 19:32:01, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 17, pid 31893: EOF
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn GETGROUPS
[2003/11/03 19:32:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(931)
  [31893]: getgroups mail
[2003/11/03 19:32:01, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(342)
  refresh_sequence_number: THIS time ok
[2003/11/03 19:32:01, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(367)
  refresh_sequence_number: THIS seq number is now 4040
[2003/11/03 19:32:01, 10] nsswitch/winbindd_cache.c:name_to_sid(958)
  name_to_sid: [Cached] - doing backend query for name for domain THIS
[2003/11/03 19:32:01, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
[2003/11/03 19:32:01, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (|(sAMAccountName=mail)(userPrincipalName=mail@THIS.LOCAL)) gave 0 replies
[2003/11/03 19:32:01, 1] libads/ads_ldap.c:ads_name_to_sid(64)
  name_to_sid: mail not found
[2003/11/03 19:32:01, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(602)
  wcache_save_name_to_sid: MAIL -> S-0-0
[2003/11/03 19:32:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)
  user 'mail' does not exist
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 0 bytes. Need 1568 more for a full request.
[2003/11/03 19:32:01, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 18, pid 31893: EOF

Any tips to get the smb shares working would be appreciated!

Ron L. Smith
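Editor's added example (not part of Ron's post and not Samba project code): a small Python checker that pairs winbindd's two-line debug entries, lists the AD searches that returned nothing, flags a userPrincipalName realm in the LDAP filter that differs from the realm configured in smb.conf (the posted search uses THIS.LOCAL while both config files say THIS.DOMAIN), and reports local Unix accounts that nss_winbind sent to AD. The sample entries are copied from the log above; the configured realm and the set of local account names are passed in as assumptions.

```python
import re

# Sample entries copied from the winbindd log in the post above
# (level-N entries are two lines: a header and an indented message).
SAMPLE_LOG = """\
[2003/11/03 19:31:00, 3] nsswitch/winbindd_group.c:winbindd_getgroups(931)
  [31883]: getgroups mail
[2003/11/03 19:31:00, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (|(sAMAccountName=mail)(userPrincipalName=mail@THIS.LOCAL)) gave 0 replies
[2003/11/03 19:31:00, 1] libads/ads_ldap.c:ads_name_to_sid(64)
  name_to_sid: mail not found
[2003/11/03 19:31:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)
  user 'mail' does not exist
"""

HEADER = re.compile(r"^\[(\S+ \S+), +(\d+)\] (\S+)$")      # [date time, level] file:func(line)
SEARCH = re.compile(r"Search for \((.*)\) gave (\d+) replies")
UPN = re.compile(r"userPrincipalName=[^@)]+@([A-Za-z0-9.\-]+)")
GETGROUPS = re.compile(r"getgroups (\S+)")

def parse_entries(text):
    """Pair each header line with the indented message line(s) that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": ""})
        elif entries and line.startswith(" "):
            entries[-1]["msg"] += line.strip() + " "
    return entries

def audit(text, configured_realm, local_accounts=()):
    """Return (kind, detail) findings: empty AD searches, a UPN realm that
    differs from smb.conf's 'realm', and local accounts looked up in AD.
    configured_realm and local_accounts are supplied by the caller (assumed)."""
    findings = []
    for e in parse_entries(text):
        s = SEARCH.search(e["msg"])
        if s and s.group(2) == "0":
            findings.append(("empty-search", s.group(1)))
            u = UPN.search(s.group(1))
            if u and u.group(1).upper() != configured_realm.upper():
                findings.append(("realm-mismatch", u.group(1)))
        g = GETGROUPS.search(e["msg"])
        if g and g.group(1) in local_accounts:
            findings.append(("local-account-via-ad", g.group(1)))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_LOG, "THIS.DOMAIN", local_accounts=("mail",)):
        print(f"{kind}: {detail}")
```

Run it over the full /var/log/samba/log.winbindd with the realm from smb.conf and the account names from /etc/passwd to see which lookups never reach a matching AD object.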



