[Samba] samba & winbind with AD 2K auth problem
fadhelbb at free.fr
Fri Aug 6 14:45:33 GMT 2004
Hi
I cannot make winbind work correctly. My problem is that my AD users and
groups are not authenticated on my Samba box. I made it work correctly on my
Samba 2.2.x, and from my understanding, each time an AD user is connected, a Unix
account is created, and winbind synchronizes both accounts.
It looks like the add user script "/usr/sbin/useradd -s /bin/false %u" doesn't work,
and my NT users are not added in /etc/passwd. I noticed too that I have this
error in winbind.log:
Error: UID range full! I tried to enlarge my idmap uid range, but when I restarted smb and
winbind, it was always the same.
I have set up Fedora 2 with
samba-3.0.5
krb5...-1.3.3.7
ldap-2.1.29-1
I stopped all the services on the Linux box, except smb and winbind (no nscd
service, as I saw in a forum).
AD 2K with SP4.
My Linux box was joined correctly to my AD domain.
wbinfo -u and -g see the AD users and groups, but without the domain NetBIOS alias
(I chose the \ separator); my domain NetBIOS alias is C-S, and when I launch
wbinfo -u, the result is: john, jacques, ... and not C-S\john...
First question: is this normal?
===================
My smb.conf:
# Samba config file created using SWAT
# from
# Date: 2004/08/06 15:29:55
# Global parameters
[global]
workgroup = C-S
realm = C.COM
server string = Serveur de Fchiers
security = ADS
obey pam restrictions = Yes
password server = *
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = wins host bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
disable spoolss = Yes
add user script = /usr/sbin/useradd -s /bin/false %u
domain master = No
dns proxy = No
wins server = 192.168.0.10
ldap ssl = no
idmap uid = 10000-100000
idmap gid = 10000-100000
template primary group = smbusers
template homedir = /home/winnt/ %D/%U
winbind separator = +
winbind use default domain = Yes
hide unreadable = Yes
[applis]
comment = Applications, Software : Partage Admin
path = /var/applis
valid users = @C-S\SAMBA-Users
write list = @C-S\SAMBA-Users
read only = No
Here is my winbind.log:
[2004/08/06 15:41:26, 1] nsswitch/winbindd.c:main(843)
winbindd version 3.0.5-0.0.2 started.
Copyright The Samba Team 2000-2004
[2004/08/06 15:41:26, 2] param/loadparm.c:do_section(3401)
Processing section "[printers]"
[2004/08/06 15:41:26, 2] param/loadparm.c:do_section(3401)
Processing section "[applis]"
[2004/08/06 15:41:26, 3] param/loadparm.c:lp_add_ipc(2362)
adding IPC service
[2004/08/06 15:41:26, 3] param/loadparm.c:lp_add_ipc(2362)
adding IPC service
[2004/08/06 15:41:26, 2] lib/interface.c:add_interface(79)
added interface ip=192.168.0.21 bcast=192.168.255.255 nmask=255.255.0.0
[2004/08/06 15:41:26, 2] lib/interface.c:add_interface(79)
added interface ip=192.168.0.21 bcast=192.168.255.255 nmask=255.255.0.0
[2004/08/06 15:41:26, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
Registered MSG_REQ_POOL_USAGE
[2004/08/06 15:41:26, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/08/06 15:41:26, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
add_trusted_domain: C-S is an NT4 domain
[2004/08/06 15:41:26, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain C-S C.COM S-0-0
[2004/08/06 15:41:26, 3] libads/ldap.c:ads_connect(218)
Connected to LDAP server ldap_server
[2004/08/06 15:41:26, 3] libads/ldap.c:ads_server_info(2029)
got ldap server name ldap_server at C.COM, using bind path: dc=C,dc=COM
[2004/08/06 15:41:26, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(110)
IPC$ connections done anonymously
[2004/08/06 15:41:26, 3] libsmb/cliconnect.c:cli_start_connection(1373)
Connecting to host=ldap_server
[2004/08/06 15:41:26, 3] lib/util_sock.c:open_socket_out(735)
Connecting to ldap_server at port 445
[2004/08/06 15:41:26, 3] libsmb/cliconnect.c:cli_session_setup_spnego(705)
added interface ip=192.168.5.21 bcast=192.168.255.255 nmask=255.255.0.0
[2004/08/06 15:41:26, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
Registered MSG_REQ_POOL_USAGE
[2004/08/06 15:41:26, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/08/06 15:41:26, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
add_trusted_domain: c-s is an NT4 domain
[2004/08/06 15:41:26, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain c-s c.com S-0-0
[2004/08/06 15:41:26, 3] libads/ldap.c:ads_connect(218)
Connected to LDAP server 192.168.1.135
[2004/08/06 15:41:26, 3] libads/ldap.c:ads_server_info(2029)
got ldap server name ldap_server at c.com, using bind path: dc=C,dc=COM
[2004/08/06 15:41:26, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(110)
IPC$ connections done anonymously
[2004/08/06 15:41:26, 3] libsmb/cliconnect.c:cli_start_connection(1373)
Connecting to host=ldap_server
[2004/08/06 15:41:26, 3] lib/util_sock.c:open_socket_out(735)
Connecting to 192.168.1.135 at port 445
[2004/08/06 15:41:26, 3] libsmb/cliconnect.c:cli_session_setup_spnego(705)
Doing spnego session setup (blob length=108)
[2004/08/06 15:41:26, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 2 840 48018 1 2 2
[2004/08/06 15:41:26, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 2 840 113554 1 2 2
[2004/08/06 15:41:26, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 2 840 113554 1 2 2 3
[2004/08/06 15:41:26, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 3 6 1 4 1 311 2 2 10
[2004/08/06 15:41:26, 3] libsmb/cliconnect.c:cli_session_setup_spnego(737)
got principal=ldap_server$@c.com
[2004/08/06 15:41:26, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
Doing kerberos session setup
[2004/08/06 15:41:26, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(245)
Ticket in ccache[MEMORY:cliconnect] expiration Sat, 07 Aug 2004 01:41:26 GMT
[2004/08/06 15:41:26, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
lsa_io_sec_qos: length c does not match size 8
[2004/08/06 15:41:26, 3] nsswitch/winbindd_ads.c:alternate_name(932)
ads: alternate_name
[2004/08/06 15:41:26, 3] libads/ldap.c:ads_connect(218)
Connected to LDAP server 192.168.1.135
[2004/08/06 15:41:26, 3] libads/ldap.c:ads_server_info(2029)
got ldap server name ldap_server at c.com, using bind path: dc=C,dc=COM
[2004/08/06 15:41:26, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
got OID=1 2 840 48018 1 2 2
[2004/08/06 15:41:26, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
got OID=1 2 840 113554 1 2 2
[2004/08/06 15:41:26, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
got OID=1 2 840 113554 1 2 2 3
[2004/08/06 15:41:26, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
[2004/08/06 15:41:26, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
got principal=ldap_server$@c.com
[2004/08/06 15:41:26, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
krb5_cc_get_principal failed (No credentials cache found)
[2004/08/06 15:41:26, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(245)
Ticket in ccache[MEMORY:winbind_ccache] expiration Sat, 07 Aug 2004 01:41:26 GMT
[2004/08/06 15:41:27, 3] libads/ldap.c:ads_workgroup_name(2124)
Found alternate name 'c-s' for realm 'c.com'
[2004/08/06 15:41:27, 3] nsswitch/winbindd_ads.c:trusted_domains(832)
ads: trusted_domains
[2004/08/06 15:41:27, 3] libads/ldap.c:ads_connect(218)
Connected to LDAP server 192.168.1.135
[2004/08/06 15:41:27, 3] libads/ldap.c:ads_server_info(2029)
got ldap server name ldap_server at c.com, using bind path: dc=C,dc=COM
[2004/08/06 15:41:27, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(110)
IPC$ connections done anonymously
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_start_connection(1373)
Connecting to host=ldap_server
[2004/08/06 15:41:27, 3] lib/util_sock.c:open_socket_out(735)
Connecting to 172.16.1.135 at port 445
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(705)
Doing spnego session setup (blob length=108)
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 2 840 48018 1 2 2
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 2 840 113554 1 2 2
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 2 840 113554 1 2 2 3
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 3 6 1 4 1 311 2 2 10
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(737)
got principal=ldap_server$@c.com
[2004/08/06 15:41:27, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
Doing kerberos session setup
[2004/08/06 15:41:27, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(245)
Ticket in ccache[MEMORY:cliconnect] expiration Sat, 07 Aug 2004 01:41:27 GMT
[2004/08/06 15:41:27, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
add_trusted_domain: DEV is an NT4 domain
[2004/08/06 15:41:27, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain DEV dev.com S-1-5-21-1606980848-813497703-1202660629
[2004/08/06 15:41:27, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
Added domain BUILTIN S-1-5-32
[2004/08/06 15:41:27, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
add_trusted_domain: SRV-F04 is an NT4 domain
[2004/08/06 15:41:27, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain SRV-F04 S-1-5-21-300734864-1869551599-1629350182
[2004/08/06 15:41:27, 3] nsswitch/winbindd_ads.c:trusted_domains(832)
ads: trusted_domains
[2004/08/06 15:41:27, 3] libads/ldap.c:ads_connect(218)
Connected to LDAP server 192.168.1.135
[2004/08/06 15:41:27, 3] libads/ldap.c:ads_server_info(2029)
got ldap server name ldap_server at c.COM, using bind path: dc=c,dc=COM
[2004/08/06 15:41:27, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(110)
IPC$ connections done anonymously
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_start_connection(1373)
Connecting to host=ldap_server
[2004/08/06 15:41:27, 3] lib/util_sock.c:open_socket_out(735)
Connecting to 192.168.1.135 at port 445
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(705)
Doing spnego session setup (blob length=108)
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 2 840 48018 1 2 2
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 2 840 113554 1 2 2
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 2 840 113554 1 2 2 3
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
got OID=1 3 6 1 4 1 311 2 2 10
[2004/08/06 15:41:27, 3] libsmb/cliconnect.c:cli_session_setup_spnego(737)
got principal=ldap_server$@c.COM
[2004/08/06 15:41:27, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
Doing kerberos session setup
[2004/08/06 15:41:27, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(245)
Ticket in ccache[MEMORY:cliconnect] expiration Sat, 07 Aug 2004 01:41:27 GMT
[2004/08/06 15:41:29, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[ 5905]: request interface version
[2004/08/06 15:41:29, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[ 5905]: request location of privileged pipe
[2004/08/06 15:41:29, 3] nsswitch/winbindd_misc.c:winbindd_ping(238)
[ 5905]: ping
[2004/08/06 15:41:29, 3] nsswitch/winbindd_misc.c:winbindd_ping(238)
[ 5905]: ping
[ 6043]: getpwnam C-S+Support
[2004/08/06 16:25:08, 0] sam/idmap_tdb.c:db_allocate_id(106)
idmap Fatal Error: UID range full!! (max: 100000)
[2004/08/06 16:25:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-891374478-1870800512-441284377-1823
[2004/08/06 16:25:08, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
[ 6043]: getpwnam C-S+SUPPORT
[2004/08/06 16:25:08, 0] sam/idmap_tdb.c:db_allocate_id(106)
idmap Fatal Error: UID range full!! (max: 100000)
[2004/08/06 16:25:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-891374478-1870800512-441284377-1823
The computer log file (/var/log/samba/ip.log) gives:
[2004/08/06 15:51:02, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(560)
NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
PrimaryDomain=[]
[2004/08/06 15:51:02, 3] smbd/sesssetup.c:reply_spnego_negotiate(438)
Got OID 1 2 840 48018 1 2 2
[2004/08/06 15:51:02, 3] smbd/sesssetup.c:reply_spnego_negotiate(438)
Got OID 1 2 840 113554 1 2 2
[2004/08/06 15:51:02, 3] smbd/sesssetup.c:reply_spnego_negotiate(438)
Got OID 1 3 6 1 4 1 311 2 2 10
[2004/08/06 15:51:02, 3] smbd/sesssetup.c:reply_spnego_negotiate(441)
Got secblob of size 1195
Error writing 5 bytes to client. -1. (Connection reset by peer)
[2004/08/06 15:51:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/08/06 15:51:02, 2] smbd/server.c:exit_server(568)
Closing connections
[2004/08/06 15:51:02, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2004/08/06 15:51:02, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name failed with error Record does not exist.
[2004/08/06 15:51:02, 3] smbd/server.c:exit_server(611)
Server exit (connection denied)
[2004/08/06 15:51:02, 3] smbd/sesssetup.c:reply_spnego_kerberos(180)
Ticket name is [Support@C.COM]
useradd: invalid user name 'Support'
[2004/08/06 15:51:02, 3] auth/auth_util.c:smb_create_user(53)
smb_create_user: Running the command `/usr/sbin/useradd -s /bin/false Support' gave 3
[2004/08/06 15:51:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username C-S+Support is invalid on this system
[2004/08/06 15:51:02, 3] smbd/error.c:error_packet(118)
error packet at smbd/sesssetup.c(252) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2004/08/06 15:51:02, 3] smbd/process.c:process_smb(890)
Transaction 2 of length 1426
[2004/08/06 15:51:02, 3] smbd/process.c:switch_message(685)
[2004/08/06 15:51:47, 3] smbd/sesssetup.c:reply_spnego_negotiate(438)
Got OID 1 3 6 1 4 1 311 2 2 10
[2004/08/06 15:51:47, 3] smbd/sesssetup.c:reply_spnego_negotiate(441)
Got secblob of size 1195
[2004/08/06 15:51:47, 3] smbd/sesssetup.c:reply_spnego_kerberos(180)
Ticket name is [Support@C.COM]
useradd: invalid user name 'Support'
[2004/08/06 15:51:47, 3] auth/auth_util.c:smb_create_user(53)
smb_create_user: Running the command `/usr/sbin/useradd -s /bin/false Support' gave 3
[2004/08/06 15:51:47, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username C-S+Support is invalid on this system
[2004/08/06 15:51:47, 3] smbd/error.c:error_packet(118)
error packet at smbd/sesssetup.c(252) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2004/08/06 15:51:47, 3] smbd/process.c:timeout_processing(1104)
[2004/08/06 15:51:47, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2004/08/06 15:51:47, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name failed with error Record does not exist.
[2004/08/06 15:51:47, 3] smbd/server.c:exit_server(611)
Server exit (normal exit)
"getent passwd" gives me only the Unix list; same thing for "getent group".
I modified /etc/pam.d/samba:
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
account sufficient /lib/security/pam_winbind.so
/etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_selinux.so multiple
session required pam_stack.so service=system-auth
session optional pam_console.so
account sufficient /lib/security/pam_winbind.so
[root@SRV-F04 root]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-300734864-1869551599-1629350182-513) -> -1
Domain Admins (S-1-5-21-300734864-1869551599-1629350182-512) -> -1
Domain Guests (S-1-5-21-300734864-1869551599-1629350182-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Computer (S-1-5-21-300734864-1869551599-1629350182-2011) -> domaincomputers
SAMBA-Users (S-1-5-21-300734864-1869551599-1629350182-2013) -> sambausers
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
I cannot figure out what I did wrong; can somebody help me? I have been stuck since
yesterday.
Thanks
Fafa