[Samba] Winbind Authentication Problem

L. Mark Stone LMStone at RNoME.com
Wed Jun 9 18:13:09 GMT 2004

Had planned to use LDAP and replace an NT4 domain, but trouble with a 
software vendor (long story) means we need to keep the NT4 domain and 
use winbind for share authentication for the next few months.

So, I religiously followed the TOSHARG winbind chapter, stopping short 
of making changes to /etc/pam.d files.

I can browse and see shares from the Samba box via KDE's LAN browser, 
but authentication doesn't work.

When browsing from a Windows box, I don't even get that far.

I have set up several Samba boxes, but never used Winbind before, so I 
expect I'm missing something simple here.

Using Samba 3.0.4-5 rpms compiled by Sernet (SuSE) on SuSE Pro 9.0 with 
all updates.

The box appears in NT4's Server Manager highlighted (so it's a domain 
member server as far as the domain is concerned.)  Net Neighborhood on 
a Windows box shows an icon for the Samba server.

From the Samba box running smbclient -L SHIRAZ generates a password 
prompt (doesn't matter what I put in) and then an error "session setup 

From a Windows machine on the network, doing a Start > Run > \\SHIRAZ 
[Enter] generates an error dialog box that reads: " configuration 
information could not be read from the domain controller, either 
because the machine is unavailable, or access has been denied."

The /var/log/messages file on the Samba server shows (I'm editing here): 
nsswitch/winbindd_util.c:get_trust_pw(1024) could not fetch trust 
account password for my domain MCCM

Here's /etc/pam.d/samba:
auth     required       pam_unix.so
account  required       pam_unix.so

Here's smb.conf (may wordwrap):
	workgroup = MCCM
	interfaces = 
	bind interfaces only = true
#	printing = cups
#	printcap name = cups
#	load printers = yes
	winbind separator = '\'
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind enum users = yes
	winbind enum groups = yes
	template shell = /bin/bash
	template homedir = /home/%D/%U
	security = domain
	password server = *
	wins server =
	encrypt passwords = yes

	comment = Company Financial Reports
	path = /data/Company/Accounting
	valid users = @Accounting
	read only = Yes

	comment = Accounting Department Use Only
	path = /data/Company/AcctPrivate
	valid users = @Accounting-Private

	comment = Billing Department Working Files
	path = /data/Company/Billing
	valid users = @Billing

	comment = Techie Stuff You May Need
	path = /data/Company/IT_Dept
	valid users = @"Domain Users"

	comment = For IT Department Use Only
	path = /data/Company/IT_Private
	valid users = @IT_Dept

	comment = For Lab Department Use Only
	path = /data/Company/Lab
	valid users = @Lab

	comment = Lab Management Use Only
	path = /data/Company/LabPrivate
	valid users = @Lab
# Change valid users to head of lab!

	comment = Public Documents
	path = /data/Company/Public
	valid users = @"Domain Users"

	comment = For Research Department Use Only
	path = /data/Company/Public
	valid users = @"Domain Users"
# Correct valid users to members of research local group.

And here's nsswitch.conf:

passwd: files winbind
shadow: files
group:  files winbind

passwd:	compat ldap
group:	compat ldap

hosts:	files dns wins
networks:	files dns

services:	files
protocols:	files
rpc:	files
ethers:	files
netmasks:	files
netgroup:	files
publickey:	files

bootparams:	files
automount:	files nis
aliases:	files

All ideas gratefully accepted!


A Message From...  L. Mark Stone

Reliable Networks of Maine, LLC
477 Congress Street, 5th Floor
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.RNoME.com

More information about the samba mailing list