[Samba] prerequisites for winbind (Samba-3.0.4-SuSE-9.0)

Malte Woelky Malte.Woelky at gmx.de
Mon May 31 19:22:59 GMT 2004

Hi there,

I'm not able to get winbind to work, although I searched Google and studied
and tried nearly every howto and forum entry on the net over the last week...
it simply doesn't work and I don't understand

My Samba3-Domain SUPZ (samba & ldap Linux PDC, Windows Clients) works
with all ldap users, groups (linux and from windows) and computer accounts
(Win2000 WS).

I'm using samba3-3.0.4-1.i586.rpm (etc) for SuSE 9.0 and smbldap-tools 0.8.4
from www.idealx.org

But I cannot get the winbind stuff to work. I'm trying to integrate winbind
for ntlm_auth and Squid.

What prerequisites do I need for winbind?

my smb.conf (only winbind, logon & ldap related stuff)


        logon script = \\supzli02pdc\netlogon\logon.bat
        logon path =
        logon drive = H:
        logon home =
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes

        add user script = /usr/local/sbin/smbldap-useradd -m
        add group script = /usr/local/sbin/smbldap-groupadd -p
        add user to group script = /usr/local/sbin/smbldap-groupmod -m
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x
        set primary group script = /usr/local/sbin/smbldap-usermod -g
        add machine script = /usr/local/sbin/smbldap-useradd -w

        passdb backend = ldapsam:ldap://
        passwd program = /usr/local/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
        username map = /etc/samba/smbusers

        ldap suffix = dc=supz,dc=schulenge,dc=de
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap admin dn = cn=admin,dc=schulenge,dc=de
        ldap ssl = no
        ldap passwd sync = Yes
        ldap delete dn = Yes

        winbind use default domain = yes
        winbind trusted domains only = yes
        #winbind separator = +
        #winbind nested groups = no
        idmap uid = 50000-60000
        idmap gid = 50000-60000
        template shell = /bin/bash
        template homedir = /home/%D/%U
        winbind enum groups = yes
        winbind enum users = yes
        winbind enable local accounts = yes
        winbind cache time = 10


I always get the following errors:

supzli02pdc:/ # wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret

supzli02pdc:/etc/samba # wbinfo -u
Error looking up domain users

supzli02pdc:/ # wbinfo -a SUPZ\\Hans.Meiserestme
plaintext password authentication failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not authenticate user SUPZ\Hans.Meiserestme with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not authenticate user SUPZ\Hans.Meiserestme with challenge/response

=> tried setting a user for wbinfo, but this doesn't help:

supzli02pdc:/ # wbinfo --set-auth-user=administrator
Press any key to continue...
supzli02pdc:/ # wbinfo --get-auth-user

=> password replaced in posting and verified:

supzli02pdc:/etc/samba # smbclient -UAdministrator -L supzli02pdc
Domain=[SUPZ] OS=[Unix] Server=[Samba 3.0.4-SerNet-SuSE]

Sharename Type Comment
--------- ---- -------
netlogon Disk Netlogon administrator
print$ Disk
public Disk fuer alle
Meine Kurse Disk
Meine Stufen Disk
Willkommen Disk
IPC$ IPC IPC Service (SUPZ Master Samba Server 3.0.4-SerNet-SuSE)
ADMIN$ IPC IPC Service (SUPZ Master Samba Server 3.0.4-SerNet-SuSE)
Domain=[SUPZ] OS=[Unix] Server=[Samba 3.0.4-SerNet-SuSE]

Server Comment
--------- -------
SUPZLI02PDC SUPZ Master Samba Server 3.0.4-SerNet-SuSE

Workgroup Master
--------- -------

=> this works, so the account 'Administrator' and password work.

Is self-joining to domain SUPZ required for my PDC SUPZLI02PDC to make winbind
work? This doesn't work either...

supzli02pdc:/ # net rpc join -U administrator
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain SUPZ.

LDAP entries for the administrator account:

supzli02pdc:/etc/smbldap-tools # smbldap-usershow Administrator
dn: uid=Administrator,ou=Users,dc=supz,dc=schulenge,dc=de
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomePath: \\SUPZLI02PDC\homes
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-1040516133-489134623-588480087-512
sambaSID: S-1-5-21-1040516133-489134623-588480087-2996
loginShell: /bin/false
sambaAcctFlags: [U]
sambaLMPassword: [...]
sambaNTPassword: [...]
gecos: Netbios Domain Administrator
sambaPwdCanChange: 1083754399
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1083754399
employeeType: PROXYACCESS
userPassword: {CRYPT} [...]

passwords are correctly set and verified, I replaced them in the post with

Question: Is it required for winbindd to use winbind in nsswitch.conf? I
only need winbind for squid & ntlm_auth

my /etc/nsswitch.conf:
    passwd: compat ldap
    group:  compat ldap

I get my accounts from LDAP and posixAccount-class:

supzli02pdc:/etc # getent passwd
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
testmw1:x:1001:513:System User:/home/testmw1:/bin/bash
Martin.Monster:x:1005:513:Monster, Martin:/home/Martin.Monster:/bin/bash
Karl.King:x:1006:513:King, Karl:/home/Karl.King:/bin/bash
Holger.Mertens:x:1011:513:Mertens, Holger:/home/Holger.Mertens:/bin/bash
Franz.Meier:x:1027:513:Meier, Franz:/home/Franz.Meier:/bin/bash


this works perfectly and shows all local and ldap users

Any ideas what I did wrong or what I missed ??

Thanks in advance for reading the detailed infos

I'm using SuSE 9.0 pro and the samba3-rpm from
(tried http://ftp.sernet.de/pub/samba/suse90/ - with no different effect on
my winbind problem)

Best regards,
 Malte                          mailto:malte.woelky at gmx.de

Malte Woelky -=[SkyNet]=- 
Unix/DBs/Networks/LDAP/Active Directory 
Cert  : MCSA 2000+2003, MCSA:msg, MCSE 2000+2003
voice : 0209/977 37 03 : 0174/95 32 105 
eMail : Malte.Woelky at gmx.de 
WWW : http://www.woelky.net/ 
_________ ICQ# 12 767 43 99 _________
