[Samba] prerequisites for winbind (Samba-3.0.4-SuSE-9.0)
Malte Woelky
Malte.Woelky at gmx.de
Mon May 31 19:22:59 GMT 2004
Hi there,
I'm not able to get winbind to work, although I searched Google and studied
and tried nearly every howto and forum entry on the net over the last week....
It simply doesn't work and I don't understand why....
My Samba3 domain SUPZ (samba & ldap Linux PDC, Windows clients) works
perfectly with all ldap users, groups (linux and from windows) and computer
accounts (Win2000 WS).
I'm using samba3-3.0.4-1.i586.rpm (etc) for SuSE 9.0 and smbldap-tools 0.8.4
from www.idealx.org
But I cannot get the winbind stuff to work. I'm trying to integrate winbind
for ntlm_auth and Squid.
What prerequisites do I need for winbind?
my smb.conf (only winbind, logon & ldap related stuff)
--------------
[...]
logon script = \\supzli02pdc\netlogon\logon.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
add user script = /usr/local/sbin/smbldap-useradd -m
add group script = /usr/local/sbin/smbldap-groupadd -p
add user to group script = /usr/local/sbin/smbldap-groupmod -m
delete user from group script = /usr/local/sbin/smbldap-groupmod -x
set primary group script = /usr/local/sbin/smbldap-usermod -g
add machine script = /usr/local/sbin/smbldap-useradd -w
passdb backend = ldapsam:ldap://192.168.10.50/
passwd program = /usr/local/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
username map = /etc/samba/smbusers
ldap suffix = dc=supz,dc=schulenge,dc=de
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=schulenge,dc=de
ldap ssl = no
ldap passwd sync = Yes
ldap delete dn = Yes
winbind use default domain = yes
winbind trusted domains only = yes
#winbind separator = +
#winbind nested groups = no
idmap uid = 50000-60000
idmap gid = 50000-60000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
winbind enable local accounts = yes
winbind cache time = 10
[...]
--------------
I always get the following errors:
----------
supzli02pdc:/ # wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret
supzli02pdc:/etc/samba # wbinfo -u
Error looking up domain users
supzli02pdc:/ # wbinfo -a SUPZ\\Hans.Meiserestme
plaintext password authentication failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Could not authenticate user SUPZ\Hans.Meiserestme with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Could not authenticate user SUPZ\Hans.Meiserestme with challenge/response
-------------
=> tried setting a user for wbinfo, but this doesn't help:
supzli02pdc:/ # wbinfo --set-auth-user=administrator
Password:
Press any key to continue...
supzli02pdc:/ # wbinfo --get-auth-user
SUPZ\administrator%[...]
=> password replaced in posting and verified:
supzli02pdc:/etc/samba # smbclient -UAdministrator -L supzli02pdc
Password:
Domain=[SUPZ] OS=[Unix] Server=[Samba 3.0.4-SerNet-SuSE]
Sharename Type Comment
--------- ---- -------
netlogon Disk Netlogon administrator
print$ Disk
public Disk fuer alle
Meine Kurse Disk
Meine Stufen Disk
Willkommen Disk
IPC$ IPC IPC Service (SUPZ Master Samba Server 3.0.4-SerNet-SuSE)
ADMIN$ IPC IPC Service (SUPZ Master Samba Server 3.0.4-SerNet-SuSE)
Domain=[SUPZ] OS=[Unix] Server=[Samba 3.0.4-SerNet-SuSE]
Server Comment
--------- -------
SUPZLI02PDC SUPZ Master Samba Server 3.0.4-SerNet-SuSE
Workgroup Master
--------- -------
[...]
=> this works, so the account 'Administrator' and its password work.
Is self-joining to domain SUPZ required for my PDC SUPZLI02PDC to make winbind
work? This doesn't work either...
---------
supzli02pdc:/ # net rpc join -U administrator
Password:
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain SUPZ.
---------
ldap entries for the administrator account:
supzli02pdc:/etc/smbldap-tools # smbldap-usershow Administrator
dn: uid=Administrator,ou=Users,dc=supz,dc=schulenge,dc=de
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomePath: \\SUPZLI02PDC\homes
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-1040516133-489134623-588480087-512
sambaSID: S-1-5-21-1040516133-489134623-588480087-2996
loginShell: /bin/false
sambaAcctFlags: [U]
sambaLMPassword: [...]
sambaNTPassword: [...]
gecos: Netbios Domain Administrator
sambaPwdCanChange: 1083754399
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1083754399
employeeType: PROXYACCESS
userPassword: {CRYPT} [...]
The passwords are correctly set and verified; I replaced them in the post with
[...]
Question: Is it required for winbindd to use winbind in nsswitch.conf ???? I
only need winbind for squid & ntlm_auth
my /etc/nsswitch.conf:
passwd: compat ldap
group: compat ldap
I get my accounts from LDAP and posixAccount-class:
supzli02pdc:/etc # getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
supz0100$:x:1000:553:supz0100$:/dev/null:/bin/false
testmw1:x:1001:513:System User:/home/testmw1:/bin/bash
Martin.Monster:x:1005:513:Monster, Martin:/home/Martin.Monster:/bin/bash
Karl.King:x:1006:513:King, Karl:/home/Karl.King:/bin/bash
Holger.Mertens:x:1011:513:Mertens, Holger:/home/Holger.Mertens:/bin/bash
Lieschen.Mueller:x:1018:513:Mueller, Lieschen:/home/Lieschen.Mueller:/bin/bash
Franz.Meier:x:1027:513:Meier, Franz:/home/Franz.Meier:/bin/bash
[...]
This works perfectly and shows all local and ldap users.
Any ideas what I did wrong or what I missed ??
Thanks in advance for reading the detailed info.
I'm using SuSE 9.0 pro and the samba3-rpm from
http://us3.samba.org/samba/ftp/Binary_Packages/SuSE/3.0/i386/9.0/
(tried http://ftp.sernet.de/pub/samba/suse90/ - with no different effect on
my winbind problem)
--
Best regards,
Malte mailto:malte.woelky at gmx.de
_________________
Malte Woelky -=[SkyNet]=-
Unix/DBs/Networks/LDAP/Active Directory
Cert : MCSA 2000+2003, MCSA:msg, MCSE 2000+2003
voice : 0209/977 37 03 : 0174/95 32 105
eMail : Malte.Woelky at gmx.de
WWW : http://www.woelky.net/
_________ ICQ# 12 767 43 99 _________