[Samba] samba 3.0.7 cannot join NT4 domain
Denis Vlasenko
vda at port.imtp.ilyichevsk.odessa.ua
Wed Sep 22 14:24:15 GMT 2004
I looked into the docs and searched through the Net.
Googling for "NT_STATUS_PIPE_NOT_AVAILABLE"
yields a rather large list of questions about
this situation, but no working hints so far.
I believe my samba installation is done very carefully
(entirely unlike "grab rpm and be happy" style)
and I can try to find out what's going on.
Let me describe what I have so far:
My samba is built from sources and is laid out as follows:
/usr/app/samba-3.0.7/{bin,include,lib,man,sbin,swat}
these files never change during normal
samba operation or on reconfiguration/experiments
/usr/app/samba-3.0.7/var/{etc,lock,log,pid,private}
this is the "dynamic" data, configs, etc
/lib/security/pam_winbind.so -> /app/samba-3.0.7/lib/pam_winbind.so
/lib/libnss_winbind.so -> /app/samba-3.0.7/lib/libnss_winbind.so
/lib/libnss_winbind.so.2 -> /app/samba-3.0.7/lib/libnss_winbind.so.2
/lib/libnss_wins.so -> /app/samba-3.0.7/lib/libnss_wins.so
/lib/libnss_wins.so.2 -> /app/samba-3.0.7/lib/libnss_wins.so.2
symlinks to needed DSOs
/var/service/{smb_n,smb_s,smb_w}
daemontools-controlled 'services' which start
nmbd, smbd and winbindd, respectively. Like this
(all three daemons are started with these options):
#!/bin/sh
exec 2>&1
exec </dev/null
echo "* Starting"
exec env - winbindd --stdout --foreground --interactive
/etc/nsswitch:
...
passwd: compat winbind
group: compat winbind
hosts: files wins dns
...
I plan to use sshd as one of ways to test NT auth, so:
/etc/pam.d/sshd:
auth required pam_unix_auth.so
auth sufficient pam_winbind.so use_first_pass use_authtok
account sufficient pam_winbind.so user_first_pass use_authtok
password required pam_unix_passwd.so
password sufficient pam_winbind.so use_first_pass use_authtok
session required pam_unix_session.so
session required pam_mkhomedir.so
session sufficient pam_winbind.so use_first_pass use_authtok
smb.conf - see below.
I need to run this server as NT4 domain member.
I start from completely clean state (var/lock and
var/private are empty). I start the daemons:
# cd /var/service; svc -u smb*
(this is daemontools way of starting 'services')
nmbd and smbd are working fine and I will not go into
details like their log contents. Let's concentrate on winbindd.
Apparently it tries to connect to PDC:
* Starting
winbindd version 3.0.7 started.
Copyright The Samba Team 2000-2004
Processing section "[pub]"
Processing section "[homes]"
WARNING: The "only user" option is deprecated
adding IPC service
adding IPC service
added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0
added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
add_trusted_domain: PORT is an NT4 domain
Added domain PORT S-0-0
resolve_wins: Attempting wins lookup for name PORT<0x1c>
resolve_wins: using WINS server 172.16.42.102 and tag '*'
Got a positive name query response from 172.16.42.102 ( 172.16.42.102 172.16.42.102 )
rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT
IPC$ connections done anonymously
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
bind_rpc_pipe: transfer syntax differs
rpc_pipe_bind: check_bind_response failed.
cli_nt_session_open: rpc bind to \PIPE\lsarpc failed
Could not fetch sid for our domain PORT
rpc: trusted_domains
rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT
IPC$ connections done anonymously
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
schannel refused - continuing without schannel (NT_STATUS_UNSUCCESSFUL)
At this point, NT Server Manager shows HUNTER in the list of
computers as:
Computer Type Description
---------- ---------------------- ------------
HUNTER Windows NT 4.9 Server Samba 3.0.7
Which is a bit strange because I did not join domain yet.
(It isn't listed if I uncheck View->Show Domain Members only)
According to swat/help/Samba-Guide/unixclients.html#ch9-nsswbnd,
I shall join the domain: net rpc join -U user%pass.
Shall I do it while daemons are running or not?
Shall I do "Computer->Add to Domain" in NT Server Manager before this?
The docs do not answer these.
Oh, well. Will try to do it with running daemons and without
doing that thing to NT Server Manager.
# net rpc join -U vda%XXXXXXXXXXXXXXX
Joined domain PORT.
Looks good? Not so. wbinfo -u fails with this in the winbindd log:
2004-09-22 16:45:33.558053500 rpc: trusted_domains
2004-09-22 16:46:27.860356500 [ 6853]: request interface version
2004-09-22 16:46:27.862685500 [ 6853]: request location of privileged pipe
2004-09-22 16:46:27.866979500 [ 6853]: list users
Let's see what will happen if I restart daemons:
# svc -d smb*; sleep 5; svc -u smb*
Winbindd log:
* Starting
winbindd version 3.0.7 started.
Copyright The Samba Team 2000-2004
Processing section "[pub]"
Processing section "[homes]"
WARNING: The "only user" option is deprecated
adding IPC service
adding IPC service
added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0
added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
add_trusted_domain: PORT is an NT4 domain
Added domain PORT S-0-0
rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT
IPC$ connections done anonymously
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
bind_rpc_pipe: transfer syntax differs
rpc_pipe_bind: check_bind_response failed.
cli_nt_session_open: rpc bind to \PIPE\lsarpc failed
rpc: trusted_domains
rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT
IPC$ connections done anonymously
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
Bind NACK received on pipe 1802!
cli_nt_session_open: rpc bind to \PIPE\lsarpc failed
Could not open a connection to PORT for \PIPE\lsarpc (NT_STATUS_PIPE_NOT_AVAILABLE)
add_trusted_domain: BUILTIN is an NT4 domain
Added domain BUILTIN S-1-5-32
add_trusted_domain: HUNTER is an NT4 domain
Added domain HUNTER S-1-5-21-4117605173-658000377-4279512090
rpc: trusted_domains
Could not open a connection to PORT for \PIPE\lsarpc (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
Not good. Okay. Let's try to pre-join HUNTER in NT ServMan first.
Stopping daemons. (Daemons forget to remove their pidfiles from var/pid/*.
Oh well.) Purging everything in var/{lock,private}, deleting HUNTER
from domain via ServMan. (HUNTER remains for 15 mins. Oh well #2.
hostname hunter2 will hopefully work around that :)
Pre-joining HUNTER2 in NT ServMan. Starting daemons.
# net rpc join -U vda%XXXXXXXXXXXXXXX
Joined domain PORT.
# wbinfo -u
Error looking up domain users
Basically the same info in all logs.
Looks like my samba is unable to convince PDC that it is
indeed a member of the domain.
Any helpful hints?
--
vda
smb.conf
========
# %U session username (the username that the client
# wanted, not necessarily the same as the one they
# got).
# %G primary group name of %U.
# %h the Internet hostname that Samba is running on.
# %m the NetBIOS name of the client machine (very useful).
# %L the NetBIOS name of the server. This allows you to
# change your config based on what the client calls
# you. Your server can have a ``dual personality''.
# %M the Internet name of the client machine.
# %R the selected protocol level after protocol negotiation.
# It can be one of CORE, COREPLUS, LANMAN1,
# LANMAN2 or NT1.
# %d The process id of the current server process.
# %a the architecture of the remote machine. Only some
# are recognized, and those may not be 100% reliable.
# It currently recognizes Samba, Windows for Workgroups,
# Windows 95, Windows NT and Windows 2000.
# Anything else will be known as ``UNKNOWN''. If it
# gets it wrong sending a level 3 log to
# samba at samba.org should allow it to be fixed.
# %I The IP address of the client machine.
# %T the current date and time.
# %D Name of the domain or workgroup of the current
# user.
# %$(envvar)
# The value of the environment variable envvar.
#
# The following substitutes apply only to some configuration
# options (only those that are used when a connection has
# been established):
#
# %S the name of the current service, if any.
# %P the root directory of the current service, if any.
# %u username of the current service, if any.
# %g primary group name of %u.
# %H the home directory of the user given by %u.
# %N the name of your NIS home directory server. This is
# obtained from your NIS auto.map entry. If you have
# not compiled Samba with the --with-automount
# option, this value will be the same as %L.
# %p the path of the service's home directory, obtained
# from your NIS auto.map entry. The NIS auto.map
# entry is split up as ``%N:%p''.
# Global parameters
[global]
;;;;;;; Machine type (standalone/domain member/etc)
;;;;;;; Pick one type of config below
;# Authenticate users using given WinNT box
;# - VDA: ok
; workgroup = PORT
; encrypt passwords = yes
; security = server
; password server = PORT_PDC
; domain master = no
# Authenticate users using given WinNT domain
# - VDA: ok, but you'll need to create UNIX users for each connecting Win one
# (same username as found on PDC)
# Update: [2001/12/07] can't make it accept domain users
# when winbindd is running even if local user exists in /etc/passwd
workgroup = PORT
encrypt passwords = yes
security = domain
password server = *
domain master = no
# domain logons = yes: provides the NETLOGON service
# which only PDC and BDC shall provide.
# This is a NO-GO for domain member machine. Set to NO.
domain logons = no
;# Authenticate users using local Samba
;# (we are part of a workgroup)
;# - VDA: ok.
;# Set passwords for users via smbpasswd!
; workgroup = LINUX
; os level = 33
; security = share
; domain logons = no
;# We are PDC for our domain (domain name set by 'workgroup')
;# Have to have [netlogon]
;# TODO: check:maybe we need [profiles] too?
; workgroup = PORT2
; os level = 34
; security = user
; domain logons = yes
; domain master = yes # affects browser elections
; ;# To be executed each time user logs in. Stored in [netlogon]
; ;logon script = %u.bat
; # Home dir and drive to map it to
; # (%L: our server netbios name, %u: final user name)
; logon home = \\%L\%u\home\%u
; logon drive = w:
; # Profiles dir for roaming profiles
; logon path = \\%L\%u\home\%u\profiles
;;;;;;; Browsing
# force reelection on nmbd startup
# use with caution, because if there are several such hosts... ouch...
preferred master = No
;;;;;;; Connections
# connection timeout, minutes
deadtime = 15
;;;;;;; File management
# create mode = (((user_specified) AND cr_mode) OR force_mode)
create mode = 0644
force create mode = 0400
# 0's disallow chmodding of corresponding bits
security mask = 0777
# same for dirs
directory mode = 755
force directory mode = 0111
directory security mask = 0777
#
unix charset = koi8r
display charset = koi8r
dos charset = cp866
;;;;;;; User management
map to guest = Bad User
guest account = guest
guest ok = Yes
null passwords = Yes
template homedir = /home/%D+%U
template shell = /bin/bash
name resolve order = wins
wins server = 172.16.42.102
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
;;;;;;; Logging
# Higher numbers = more logging
# Example: debuglevel = 3 passdb:5 auth:10 winbind:2
# (all tdb printdrivers lanman smb rpc_parse rpc_srv rpc_cli passdb sam auth winbind vfs idmap)
debuglevel = 3
#log file = /usr/app/samba-3.0.7/var/log/samba.%m
log file = /usr/app/samba-3.0.7/var/log/samba.all
# in kb. Will rename to *.old when exceeded
max log size = 128
debug hires timestamp = yes
debug pid = yes
debug timestamp = yes
#debug uid = yes
# Do not log to syslog if message's level is greater than...
syslog = 0
# Do not log into files, syslog only?
syslog only = no
;;;;;;; Shares
;default service = user
;[user]
; path = /
; username = %S
; read only = No
; guest ok = No
; only user = Yes
; browseable = Yes
[pub]
path = /pub
guest only = Yes
;[in]
; path = /pub/in
; read only = No
; guest only = Yes
[homes]
path = /
;*;username = %S
read only = No
guest ok = No
only user = Yes
# we don't actually want users to see //me/homes ;)
browseable = No
;[netlogon]
; path = /usr/app/samba-3.0.7/var/netlogon
; guest ok = No
; browseable = No
;[profiles]
; path = /usr/app/samba-3.0.7/var/profiles
; browseable = No
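The winbindd log excerpts in this post are the diagnostic evidence, and the same handful of messages recur in each attempt. As an added example (not code from the post or from Samba), here is a small triage script that runs over a constructed excerpt of those winbindd lines, classifies each message by the phase of winbindd's conversation with the DC, and names the first phase that hard-failed along with the standard Samba 3 checks (net rpc testjoin, wbinfo -t, rpcclient) that isolate it. The meaning attached to each message is this editor's reading of the Samba 3.0.x client-side RPC messages; the phase names (dc-lookup, transport, rpc-bind, domain-sid, netlogon, pipe-open) are invented for the script.

```python
"""Triage helper for the winbindd debug output quoted in this post.

Added example for this page, not code from the post or from Samba.
SAMPLE_LOG is a constructed excerpt of the post's winbindd lines; RULES
attach this editor's reading of what each Samba 3.0.x client-side RPC
message means.  The commands listed in NEXT_CHECKS (net rpc testjoin,
wbinfo -t, rpcclient) are standard Samba 3 tools and are only printed,
never executed.
"""
import re
from dataclasses import dataclass

# Constructed from the post's log; the timestamp/pid prefix on one line shows
# that such prefixes are tolerated (rules use re.search, not re.match).
SAMPLE_LOG = """\
add_trusted_domain: PORT is an NT4 domain
Added domain PORT S-0-0
rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT
IPC$ connections done anonymously
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
bind_rpc_pipe: transfer syntax differs
rpc_pipe_bind: check_bind_response failed.
cli_nt_session_open: rpc bind to \\PIPE\\lsarpc failed
Could not fetch sid for our domain PORT
schannel refused - continuing without schannel (NT_STATUS_UNSUCCESSFUL)
2004-09-22 16:45:33.558053500 [ 6853]: Bind NACK received on pipe 1802!
Could not open a connection to PORT for \\PIPE\\lsarpc (NT_STATUS_PIPE_NOT_AVAILABLE)
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "info" | "warn" | "fail"
    step: str      # phase of winbindd's talk with the DC (names invented here)
    detail: str


# (regex, severity, step, message template); the first matching rule per line wins.
RULES = [(re.compile(p), s, t, m) for p, s, t, m in (
    (r"rpc_dc_name: Returning DC (?P<dc>\S+) \((?P<ip>[\d.]+)\) for domain (?P<dom>\S+)",
     "info", "dc-lookup", "DC for {dom} is {dc} ({ip})"),
    (r"Added domain (?P<dom>\S+) S-0-0$",
     "warn", "domain-sid", "{dom} registered with placeholder SID S-0-0; its SID has not been fetched"),
    (r"error connecting to (?P<ip>[\d.]+):445 \(Connection refused\)",
     "info", "transport", "{ip} refuses 445/tcp; an NT4 DC serves SMB over NetBIOS (139/tcp), fallback expected"),
    (r"IPC\$ connections done anonymously",
     "info", "transport", "IPC$ tree connect is a null session; the pipe bind that follows carries no credentials"),
    (r"bind_rpc_pipe: transfer syntax differs",
     "fail", "rpc-bind", "bind_ack carries an unexpected transfer syntax; client rejected the DCE/RPC bind"),
    (r"Bind NACK received on pipe",
     "fail", "rpc-bind", "DC answered the DCE/RPC bind with bind_nak"),
    (r"rpc bind to (?P<pipe>\\PIPE\\\S+) failed",
     "fail", "rpc-bind", "no usable bind on {pipe}"),
    (r"Could not fetch sid for our domain (?P<dom>\S+)",
     "fail", "domain-sid", "domain SID query for {dom} could not be made over lsarpc"),
    (r"schannel refused - continuing without schannel",
     "warn", "netlogon", "NETLOGON secure channel refused; winbindd continues without schannel"),
    (r"Could not open a connection to (?P<dom>\S+) for \S+ \((?P<status>NT_STATUS_\w+)\)",
     "fail", "pipe-open", "{status} from {dom}"),
)]

# Standard Samba 3 commands that isolate each failing phase (suggestions only).
NEXT_CHECKS = {
    "rpc-bind": [
        "rpcclient -U user%pass PORT_PDC -c lsaquery  # does an authenticated session bind lsarpc?",
        "net rpc testjoin                             # is the machine-account trust usable?",
        "wbinfo -t                                    # same trust check, through winbindd",
    ],
}
NEXT_CHECKS["pipe-open"] = NEXT_CHECKS["domain-sid"] = NEXT_CHECKS["rpc-bind"]


def triage(log_text):
    """Classify each log line; lines no rule covers are ignored."""
    findings = []
    for line in log_text.splitlines():
        for pattern, severity, step, template in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(severity, step, template.format(**m.groupdict())))
                break
    return findings


def verdict(findings):
    """Name the first phase that hard-failed and the checks that isolate it."""
    fails = [f for f in findings if f.severity == "fail"]
    if not fails:
        return {"stage": None, "first_failure": None, "next_checks": []}
    first = fails[0]
    return {"stage": first.step, "first_failure": first.detail,
            "next_checks": NEXT_CHECKS.get(first.step, [])}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.severity:4} {f.step:10} {f.detail}")
    v = verdict(found)
    print(f"\nfirst hard failure in phase '{v['stage']}': {v['first_failure']}")
    print("next checks:\n  " + "\n  ".join(v["next_checks"]))
```

Run against the sample, the first hard failure lands in the rpc-bind phase, on an IPC$ session that was opened anonymously: the DCE/RPC bind on \PIPE\lsarpc is rejected before any credential is presented, which is why the later join success and the HUNTER SID appearing in the log do not change the outcome. The suggested checks separate that RPC-layer question (rpcclient with a real user) from the machine-trust question (net rpc testjoin, wbinfo -t).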