FIX: Re: [Samba] prerequisites for winbind (Samba-3.0.4-SuSE-9.0)

Malte Woelky Malte.Woelky at gmx.de
Tue Jun 1 18:20:57 GMT 2004


Hello,


Cool, figured it out this night or better this morning (6 o'clock ;-) , too.


Maybe  wbinfo -a / -u  seems not to work because of our
missing/incomplete PAM or nsswitch configuration, but we don't need
it for squid auth... my accounts/groups come from pam_ldap & nss_ldap & Co




My biggest mistake was running this from within mc (Midnight
Commander) e.g.  wbinfo -a User.xy%3xyz

   which expands to something like    wbinfo -a User.xyxyz
   and never works.

   But from pure command line it succeeds ;-)


   At the time of writing of my post last evening, I additionally
   mixed up my Administrator/uid=0 - Account, so I couldn't join from Win2k-Workstation,
   which days ago was already working for nearly four months... shit happens ;-)


   (I'm writing my diploma thesis)
   
   
Yours
Malte
   
Tuesday, June 1, 2004, 11:06:31 AM, you wrote:


FD> hello, I've the same problem with wbinfo -{u,g} but winbind works
FD> when used with squid, also wbinfo -a Administrator%XXXXXX
FD> works.

FD> [root at pdc root]# wbinfo -a Administrator%XXXXX
FD> plaintext password authentication succeeded
FD> challenge/response password authentication succeeded

FD> but

FD> [root at va2 root]# wbinfo -u
FD> Error looking up domain users
FD> [root at va2 root]# wbinfo -g
FD> Error looking up domain groups


FD> francesco.

FD> Malte Woelky wrote:

>>Hi there,
>>
>>
>>I'm not able to get winbind to work, although searched google and studied
>>and tried nearly every howto
>>and forum entry on the net the last week.... it simply doesn't work and I don't understand
>>why....
>>
>>My Samba3-Domain SUPZ (samba & ldap Linux PDC, Windows Clients) works
>>perfectly
>>with all ldap users, groups (linux and from windows) and computer accounts
>>(Win2000 WS).
>>
>>I'm using samba3-3.0.4-1.i586.rpm (etc) for SuSE 9.0 and smbldap-tools 0.8.4
>>from www.idealx.org
>>
>>
>>
>>But I cannot get the winbind stuff to work. I'm trying to integrate winbind
>>for ntlm_auth and Squid.
>>
>>
>>
>>
>>
>>What prerequisites do I need for winbind?
>>
>>
>>
>>
>>
>>my smb.conf (only winbind, logon & ldap related stuff)
>>
>>--------------
>>[...]
>>
>>        logon script = \\supzli02pdc\netlogon\logon.bat
>>        logon path =
>>        logon drive = H:
>>        logon home =
>>        domain logons = Yes
>>        os level = 65
>>        preferred master = Yes
>>        domain master = Yes
>>        wins support = Yes
>>
>>        add user script = /usr/local/sbin/smbldap-useradd -m
>>        add group script = /usr/local/sbin/smbldap-groupadd -p
>>        add user to group script = /usr/local/sbin/smbldap-groupmod -m
>>        delete user from group script = /usr/local/sbin/smbldap-groupmod -x
>>        set primary group script = /usr/local/sbin/smbldap-usermod -g
>>        add machine script = /usr/local/sbin/smbldap-useradd -w
>>
>>        passdb backend = ldapsam:ldap://192.168.10.50/
>>        passwd program = /usr/local/sbin/smbldap-passwd %u
>>        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>>*all*authentication*tokens*updated*
>>        username map = /etc/samba/smbusers
>>
>>        ldap suffix = dc=supz,dc=schulenge,dc=de
>>        ldap machine suffix = ou=Computers
>>        ldap user suffix = ou=Users
>>        ldap group suffix = ou=Groups
>>        ldap admin dn = cn=admin,dc=schulenge,dc=de
>>        ldap ssl = no
>>        ldap passwd sync = Yes
>>        ldap delete dn = Yes
>>
>>        winbind use default domain = yes
>>        winbind trusted domains only = yes
>>        #winbind separator = +
>>        #winbind nested groups = no
>>        idmap uid = 50000-60000
>>        idmap gid = 50000-60000
>>        template shell = /bin/bash
>>        template homedir = /home/%D/%U
>>        winbind enum groups = yes
>>        winbind enum users = yes
>>        winbind enable local accounts = yes
>>        winbind cache time = 10
>>
>>[...]
>>--------------
>>
>>I always get the following errors:
>>
>>----------
>>supzli02pdc:/ # wbinfo -t
>>checking the trust secret via RPC calls failed
>>error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
>>Could not check secret
>>
>>supzli02pdc:/etc/samba # wbinfo -u
>>Error looking up domain users
>>
>>supzli02pdc:/ # wbinfo -a SUPZ\\Hans.Meiserestme
>>plaintext password authentication failed
>>error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
>>error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>>Could not authenticate user SUPZ\Hans.Meiserestme with plaintext password
>>challenge/response password authentication failed
>>error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
>>error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>>Could not authenticate user SUPZ\Hans.Meiserestme with challenge/response
>>-------------
>>
>>
>>
>>=> tried setting a user for wbinfo, but this doesn't help:
>>
>>
>>
>>supzli02pdc:/ # wbinfo --set-auth-user=administrator
>>Password:
>>Press any key to continue...
>>supzli02pdc:/ # wbinfo --get-auth-user
>>SUPZ\administrator%[...]
>>
>>
>>=> password replaced in posting and verified:
>>
>>
>>
>>supzli02pdc:/etc/samba # smbclient -UAdministrator -L supzli02pdc
>>Password:
>>Domain=[SUPZ] OS=[Unix] Server=[Samba 3.0.4-SerNet-SuSE]
>>
>>Sharename Type Comment
>>--------- ---- -------
>>netlogon Disk Netlogon administrator
>>print$ Disk
>>public Disk fuer alle
>>Meine Kurse Disk
>>Meine Stufen Disk
>>Willkommen Disk
>>IPC$ IPC IPC Service (SUPZ Master Samba Server 3.0.4-SerNet-SuSE)
>>ADMIN$ IPC IPC Service (SUPZ Master Samba Server 3.0.4-SerNet-SuSE)
>>Domain=[SUPZ] OS=[Unix] Server=[Samba 3.0.4-SerNet-SuSE]
>>
>>Server Comment
>>--------- -------
>>SUPZLI02PDC SUPZ Master Samba Server 3.0.4-SerNet-SuSE
>>
>>Workgroup Master
>>--------- -------
>>[...]
>>
>>
>>
>>
>>=> this works, so Account 'Administrator' and password work.
>>
>>
>>
>>Is self-joining to Domain SUPZ required for my pdc SUPZLI02PDC to make winbind
>>work? this doesn't work either...
>>
>>---------
>>supzli02pdc:/ # net rpc join -U administrator
>>Password:
>>Create of workstation account failed
>>User specified does not have administrator privileges
>>Unable to join domain SUPZ.
>>---------
>>
>>
>>
>>
>>ldap entries for the administrator account:
>>
>>supzli02pdc:/etc/smbldap-tools # smbldap-usershow Administrator
>>dn: uid=Administrator,ou=Users,dc=supz,dc=schulenge,dc=de
>>cn: Administrator
>>sn: Administrator
>>objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
>>gidNumber: 512
>>uid: Administrator
>>uidNumber: 0
>>homeDirectory: /home
>>sambaLogonTime: 0
>>sambaLogoffTime: 2147483647
>>sambaKickoffTime: 2147483647
>>sambaHomePath: \\SUPZLI02PDC\homes
>>sambaHomeDrive: H:
>>sambaPrimaryGroupSID: S-1-5-21-1040516133-489134623-588480087-512
>>sambaSID: S-1-5-21-1040516133-489134623-588480087-2996
>>loginShell: /bin/false
>>sambaAcctFlags: [U]
>>sambaLMPassword: [...]
>>sambaNTPassword: [...]
>>gecos: Netbios Domain Administrator
>>sambaPwdCanChange: 1083754399
>>sambaPwdMustChange: 2147483647
>>sambaPwdLastSet: 1083754399
>>employeeType: PROXYACCESS
>>userPassword: {CRYPT} [...]
>>
>>passwords are correctly set and verified, I replaced them in the post with
>>[...]
>>
>>
>>
>>
>>Question: Is it required for winbindd to use winbind in nsswitch.conf ???? I
>>only need winbind for squid & ntlm_auth
>>
>>my /etc/nsswitch.conf:
>>    passwd: compat ldap
>>    group:  compat ldap
>>
>>
>>
>>
>>I get my accounts from LDAP and posixAccount-class:
>>
>>supzli02pdc:/etc # getent passwd
>>root:x:0:0:root:/root:/bin/bash
>>[...]
>>squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
>>Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
>>nobody:x:999:514:nobody:/dev/null:/bin/false
>>supz0100$:x:1000:553:supz0100$:/dev/null:/bin/false
>>testmw1:x:1001:513:System User:/home/testmw1:/bin/bash
>>Martin.Monster:x:1005:513:Monster, Martin:/home/Martin.Monster:/bin/bash
>>Karl.King:x:1006:513:King, Karl:/home/Karl.King:/bin/bash
>>Holger.Mertens:x:1011:513:Mertens, Holger:/home/Holger.Mertens:/bin/bash
>>Lieschen.Mueller:x:1018:513:Mueller,
>>Lieschen:/home/Lieschen.Mueller:/bin/bash
>>Franz.Meier:x:1027:513:Meier, Franz:/home/Franz.Meier:/bin/bash
>>
>>[...]
>>
>>this works perfectly and shows all local and ldap users
>>
>>
>>
>>
>>
>>Any ideas what I did wrong or what I missed ??
>>
>>
>>Thanks in advance for reading the detailed infos
>>
>>
>>
>>
>>I'm using SuSE 9.0 pro and the samba3-rpm from
>>http://us3.samba.org/samba/ftp/Binary_Packages/SuSE/3.0/i386/9.0/
>>(tried http://ftp.sernet.de/pub/samba/suse90/ - with no different effect on
>>my winbind problem)
>>
>>
>>
>>
>>  
>>



-- 
Best regards,
 Malte                            mailto:malte.woelky at gmx.de

Malte Woelky -=[SkyNet]=- 
Unix/DBs/Networks/LDAP/Active Directory 
Cert  : MCSA 2000+2003, MCSA:msg, MCSE 2000+2003
voice : 0209/977 37 03 : 0174/95 32 105 
eMail : Malte.Woelky at gmx.de 
WWW : http://www.woelky.net/ 
_________ ICQ# 12 767 43 99 _________



