[Samba] prerequisites for winbind (Samba-3.0.4-SuSE-9.0)

Malte Woelky Malte.Woelky at gmx.de
Mon May 31 19:22:59 GMT 2004


Hi there,


I'm not able to get winbind to work, although I searched Google and studied
and tried nearly every howto and forum entry on the net over the last week.
It simply doesn't work and I don't understand why.

My Samba3 domain SUPZ (Samba & LDAP Linux PDC, Windows clients) works
perfectly with all LDAP users, groups (Linux and from Windows) and computer
accounts (Win2000 WS).

I'm using samba3-3.0.4-1.i586.rpm (etc) for SuSE 9.0 and smbldap-tools 0.8.4
from www.idealx.org



But I cannot get the winbind stuff to work. I'm trying to integrate winbind
for ntlm_auth and Squid.

What prerequisites do I need for winbind?

my smb.conf (only winbind, logon & ldap related stuff)

--------------
[...]

        logon script = \\supzli02pdc\netlogon\logon.bat
        logon path =
        logon drive = H:
        logon home =
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes

        add user script = /usr/local/sbin/smbldap-useradd -m
        add group script = /usr/local/sbin/smbldap-groupadd -p
        add user to group script = /usr/local/sbin/smbldap-groupmod -m
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x
        set primary group script = /usr/local/sbin/smbldap-usermod -g
        add machine script = /usr/local/sbin/smbldap-useradd -w

        passdb backend = ldapsam:ldap://192.168.10.50/
        passwd program = /usr/local/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        username map = /etc/samba/smbusers

        ldap suffix = dc=supz,dc=schulenge,dc=de
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap admin dn = cn=admin,dc=schulenge,dc=de
        ldap ssl = no
        ldap passwd sync = Yes
        ldap delete dn = Yes

        winbind use default domain = yes
        winbind trusted domains only = yes
        #winbind separator = +
        #winbind nested groups = no
        idmap uid = 50000-60000
        idmap gid = 50000-60000
        template shell = /bin/bash
        template homedir = /home/%D/%U
        winbind enum groups = yes
        winbind enum users = yes
        winbind enable local accounts = yes
        winbind cache time = 10

[...]
--------------

I always get the following errors:

----------
supzli02pdc:/ # wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret

supzli02pdc:/etc/samba # wbinfo -u
Error looking up domain users

supzli02pdc:/ # wbinfo -a SUPZ\\Hans.Meiserestme
plaintext password authentication failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Could not authenticate user SUPZ\Hans.Meiserestme with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Could not authenticate user SUPZ\Hans.Meiserestme with challenge/response
-------------



=> tried setting a user for wbinfo, but this doesn't help:



supzli02pdc:/ # wbinfo --set-auth-user=administrator
Password:
Press any key to continue...
supzli02pdc:/ # wbinfo --get-auth-user
SUPZ\administrator%[...]


=> password replaced in posting and verified:



supzli02pdc:/etc/samba # smbclient -UAdministrator -L supzli02pdc
Password:
Domain=[SUPZ] OS=[Unix] Server=[Samba 3.0.4-SerNet-SuSE]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Netlogon administrator
        print$          Disk
        public          Disk      fuer alle
        Meine Kurse     Disk
        Meine Stufen    Disk
        Willkommen      Disk
        IPC$            IPC       IPC Service (SUPZ Master Samba Server 3.0.4-SerNet-SuSE)
        ADMIN$          IPC       IPC Service (SUPZ Master Samba Server 3.0.4-SerNet-SuSE)
Domain=[SUPZ] OS=[Unix] Server=[Samba 3.0.4-SerNet-SuSE]

        Server               Comment
        ---------            -------
        SUPZLI02PDC          SUPZ Master Samba Server 3.0.4-SerNet-SuSE

        Workgroup            Master
        ---------            -------
[...]




=> this works, so the account 'Administrator' and its password work.

Is self-joining to domain SUPZ required for my PDC SUPZLI02PDC to make winbind
work? This doesn't work either...

---------
supzli02pdc:/ # net rpc join -U administrator
Password:
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain SUPZ.
---------




LDAP entries for the Administrator account:

supzli02pdc:/etc/smbldap-tools # smbldap-usershow Administrator
dn: uid=Administrator,ou=Users,dc=supz,dc=schulenge,dc=de
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomePath: \\SUPZLI02PDC\homes
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-1040516133-489134623-588480087-512
sambaSID: S-1-5-21-1040516133-489134623-588480087-2996
loginShell: /bin/false
sambaAcctFlags: [U]
sambaLMPassword: [...]
sambaNTPassword: [...]
gecos: Netbios Domain Administrator
sambaPwdCanChange: 1083754399
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1083754399
employeeType: PROXYACCESS
userPassword: {CRYPT} [...]

Passwords are correctly set and verified; I replaced them in the post with
[...]




Question: Is it required for winbindd to use winbind in nsswitch.conf? I
only need winbind for squid & ntlm_auth.

my /etc/nsswitch.conf:
    passwd: compat ldap
    group:  compat ldap




I get my accounts from LDAP and posixAccount-class:

supzli02pdc:/etc # getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
supz0100$:x:1000:553:supz0100$:/dev/null:/bin/false
testmw1:x:1001:513:System User:/home/testmw1:/bin/bash
Martin.Monster:x:1005:513:Monster, Martin:/home/Martin.Monster:/bin/bash
Karl.King:x:1006:513:King, Karl:/home/Karl.King:/bin/bash
Holger.Mertens:x:1011:513:Mertens, Holger:/home/Holger.Mertens:/bin/bash
Lieschen.Mueller:x:1018:513:Mueller, Lieschen:/home/Lieschen.Mueller:/bin/bash
Franz.Meier:x:1027:513:Meier, Franz:/home/Franz.Meier:/bin/bash

[...]

this works perfectly and shows all local and ldap users





Any ideas what I did wrong or what I missed?


Thanks in advance for reading the detailed information.




I'm using SuSE 9.0 pro and the samba3-rpm from
http://us3.samba.org/samba/ftp/Binary_Packages/SuSE/3.0/i386/9.0/
(tried http://ftp.sernet.de/pub/samba/suse90/ - with no different effect on
my winbind problem)




-- 
Best regards,
 Malte                          mailto:malte.woelky at gmx.de

_________________
Malte Woelky -=[SkyNet]=- 
Unix/DBs/Networks/LDAP/Active Directory 
Cert  : MCSA 2000+2003, MCSA:msg, MCSE 2000+2003
voice : 0209/977 37 03 : 0174/95 32 105 
eMail : Malte.Woelky at gmx.de 
WWW : http://www.woelky.net/ 
_________ ICQ# 12 767 43 99 _________



