[Samba] Winbind ADS Issues w/ *TONS* of Pre-Research
Anders Berg
andersb at vg.no
Fri May 14 09:36:18 GMT 2004
Hi,
just like:
http://lists.samba.org/archive/samba/2004-May/085521.html
http://lists.samba.org/archive/samba/2004-May/085808.html
huh?
Another *just* came in also:
http://lists.samba.org/archive/samba/2004-May/085881.html
Well, this one has many persons puzzled. The best place so far is:
http://www.linuxquestions.org/questions/showthread.php?s=&threadid=161506
I guess that the Samba community (which of course we are part of) still
does not have the solution for this problem, since it has not been
answered/addressed by anybody at great length/in detail. The HOWTO addresses it
in: http://se.samba.org/samba/docs/man/howto/domain-member.html#ads-member
but really that is no HOWTO, as long as it does not show you HOW-TO.
I also guess that some people that have followed this thread for a while
are starting to get bugged by me :)
Sorry I can't help you, I have not figured it out either.
YS
Anders Berg
At 18:18 13.05.2004 -0400, William R. Lorenz wrote:
>Samba Team,
>
>I've been trying to get my Samba server to authenticate users against a
>Windows 2000 Active Directory domain controller, and it just doesn't work.
>I've encountered a TREMENDOUS amount of postings from people who have run
>into the same issue, and there are never any responses with a resolution.
>I must have viewed more than 500 postings over the course of the day.
>
>I have a seemingly valid Samba configuration file. All of the `wbinfo
>-u`, `wbinfo -g`, `getent passwd`, and `getent group` commands work just
>fine. However, `wbinfo -t` and `wbinfo -a` don't work, and I can't
>authenticate users against the domain controller. As an example:
>
> [root at nasone samba]# net ads join -U Administrator
> Administrator's password:
> [2004/05/13 17:49:30, 0] libads/ldap.c:ads_add_machine_acct(1006)
> Host account for nasone already exists - modifying old account
> Using short domain name -- ECHUDSON
> Joined 'NASONE' to realm 'HUDSON-OFFICE.ECEDIINC.COM'
> [root at nasone samba]# net rpc join -U Administrator
> Password:
> Joined domain ECHUDSON.
> [root at nasone samba]# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
> Could not check secret
> [root at nasone samba]#
>
>After trying to do the `wbinfo -t`, I see the following in 'winbindd.log':
>
> [2004/05/13 17:49:41, 2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(535)
> Doing kerberos session setup
> [2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
> rpc_auth_pipe: wrong schannel auth len 24
> [2004/05/13 17:49:41, 0]
> rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
> cli_nt_setup_creds: request challenge failed
> [2004/05/13 17:49:41, 2]
> nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
> Checking the trust account password returned NT_STATUS_UNSUCCESSFUL
>
>I am using Samba 3.0.4, as distributed in Fedora Core 1 RPM format on the
>main Samba website @ http://www.samba.org/. Here's the details:
>
> [root at nasone samba]# rpm -qa | grep ^samba
> samba-common-3.0.4-2
> samba-client-3.0.4-2
> samba-3.0.4-2
> [root at nasone samba]# rpm -qa | grep ^krb5
> krb5-libs-1.3.1-6
> krb5-workstation-1.3.1-6
> [root at nasone samba]#
>
>The output of `wbinfo -a` produces the following:
>
> [root at nasone samba]# wbinfo -a Administrator
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user Administrator with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> error messsage was: No logon servers
> Could not authenticate user Administrator with challenge/response
> [root at nasone samba]#
>
>And this results in the following in 'winbindd.log':
>
> [2004/05/13 17:53:04, 2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(535)
> Doing kerberos session setup
> [2004/05/13 17:53:04, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
> rpc_auth_pipe: wrong schannel auth len 24
> [2004/05/13 17:53:04, 0]
> rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
> cli_nt_setup_creds: request challenge failed
> [2004/05/13 17:53:04, 2]
> nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(612)
> NTLM CRAP authentication for user [ECHUDSON]\[Administrator] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
>
>NTLM CRAP authentication is right -- this just doesn't want to work! ;)
>
>Here's the contents of my '/etc/samba/smb.conf' configuration file:
>
> [root at nasone samba]# grep -v ^\; /etc/samba/smb.conf
> [global]
> workgroup = ECHUDSON
> realm = HUDSON-OFFICE.LOCAL
> server string = NASONE
> hosts allow = 10.0.0.0/24
> load printers = no
>
> security = ads
> auth methods = winbind
> password server = ARIEL
> name resolve order = bcast wins host
> wins server = 10.0.0.150 10.0.0.151
>
> log level = 2
> log file = /var/log/samba/samba-global.log
> log file = /var/log/samba/%m.log
> max log size = 0
>
> winbind separator = +
> encrypt passwords = yes
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 15
> template shell = /sbin/nologin
> template homedir = /dev/null/%D/%U
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> interfaces = 10.0.0.180/24 10.0.1.180/24
>
> os level = 33
> local master = no
> domain master = no
> preferred master = no
> domain logons = no
>
> wins support = no
> dns proxy = no
>
> [volume01]
> comment = volume01
> path = /mnt/volumes/lv01
> public = no
> writable = no
> printable = no
> valid users = @"ECHUDSON+Domain Admins"
> write list = @"ECHUDSON+Domain Admins"
> create mask = 0664
> directory mask = 0775
> nt acl support = yes
> [root at nasone samba]#
>
>Here's one example of other people having the same issue (I searched
>long and hard for any resolutions many of these had found, to no avail!):
>
> http://lists.samba.org/archive/samba-technical/2003-July/030983.html
>
>I'd grab others, but I've already closed lots of browser windows. ;)
>
>Here's some additional Kerberos information that is probably pertinent:
>
> [root at nasone root]# kinit administrator at HUDSON-OFFICE.LOCAL
> Password for administrator at HUDSON-OFFICE.LOCAL:
> [root at nasone root]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at HUDSON-OFFICE.LOCAL
>
> Valid starting Expires Service principal
> 05/13/04 18:13:23 05/14/04 04:14:36
> krbtgt/HUDSON-OFFICE.ECEDIINC.COM at HUDSON-OFFICE.LOCAL
> renew until 05/14/04 18:13:23
> 05/13/04 18:15:33 05/14/04 04:14:36 ariel$@HUDSON-OFFICE.LOCAL
> renew until 05/14/04 18:13:23
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at nasone root]#
>
>And finally, let's get in a good test of Kerberos with the -k flag:
>
> [root at nasone root]# smbclient -U Administrator -k //10.0.0.150/GENSRVNT
> OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
> smb: \> ls
> . D 0 Thu Apr 1 15:37:04 2004
> .. D 0 Thu Apr 1 15:37:04 2004
> [ADDITIONAL DIRECTORY LISTING TRIMMED]
> smb: \> quit
> [root at nasone root]#
>
>Does anyone have any ideas?!?!
>
>-- _
>__ __ ___ _| | William R. Lorenz <wrl at express.org>
>\ V V / '_| | http://www.clevelandlug.net/ ; "Every revolution was
> \./\./|_| |_| first a thought in one man's mind." - Ralph Waldo Emerson
>
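An added configuration sanity check, not part of either poster's message: the quoted smb.conf sets `log file` twice in [global] (Samba keeps the last value), and the `realm` it declares (HUDSON-OFFICE.LOCAL) is not the realm the `net ads join` output reports (HUDSON-OFFICE.ECEDIINC.COM). The script below parses a constructed excerpt of that configuration and flags both kinds of inconsistency before anyone starts chasing winbindd log lines; the sample text and the `check_config` helper are mine.

```python
import re

# Constructed excerpt of the smb.conf quoted in the thread (not the full file).
SMB_CONF = """\
[global]
  workgroup = ECHUDSON
  realm = HUDSON-OFFICE.LOCAL
  security = ads
  log file = /var/log/samba/samba-global.log
  log file = /var/log/samba/%m.log
  idmap uid = 10000-20000
[volume01]
  path = /mnt/volumes/lv01
"""
# Realm line as printed by `net ads join` in the quoted session.
JOIN_OUTPUT = "Joined 'NASONE' to realm 'HUDSON-OFFICE.ECEDIINC.COM'"


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_config(text, join_output):
    """List inconsistencies: duplicated keys and a realm that differs from the join."""
    findings = []
    conf = parse_smb_conf(text)
    for section, items in conf.items():
        seen = set()
        for key, value in items:
            if key in seen:
                findings.append(f"[{section}] '{key}' set twice; last value wins: {value!r}")
            seen.add(key)
    global_conf = dict(conf.get("global", []))
    m = re.search(r"to realm '([^']+)'", join_output)
    if m and global_conf.get("realm", "").upper() != m.group(1).upper():
        findings.append(f"realm in smb.conf ({global_conf.get('realm')}) differs "
                        f"from joined realm ({m.group(1)})")
    return findings
```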