[Samba] wbinfo -t fails but other wbinfo and getent items work.

Michael Wray mwray at aimconnect.com
Mon Apr 25 20:24:38 GMT 2005


Problem: wbinfo -t fails. As long as it fails, I am unable to map sids to 
Group Names. I need this functionality for my application. I can use just 
about every other function of wbinfo at least partially...

Distro: Debian woody.
Packages:
ii  samba          3.0.11-0woody1 a LanManager-like file and printer server fo
ii  samba-common   3.0.11-0woody1 Samba common files used by both the server a
ii  samba-doc      3.0.11-0woody1 Samba documentation
ii  libpam-smbpass 3.0.11-0woody1 pluggable authentication module for SMB pass
ii  libsmbclient   3.0.11-0woody1 shared library that allows applications to t
ii  smbclient      3.0.11-0woody1 a LanManager-like simple client for Unix
ii  winbind        3.0.11-0woody1 service to resolve user and group informatio
ii  krb5-config    1.4            Configuration files for Kerberos Version 5
ii  krb5-doc       1.2.4-5woody8  Documentation for krb5
ii  libkrb-1-kerbe 1.2.2-8.dirk.1 Kerberos Libraries for Kerberos4 From KTH
ii  libkrb5-17-hei 0.6.3-0.dirk.1 Libraries for Heimdal Kerberos
ii  libkrb53       1.2.4-5woody8  MIT Kerberos runtime libraries
ii  heimdal-client 0.6.3-0.dirk.1 Clients for Heimdal Kerberos
ii  heimdal-kdc    0.6.3-0.dirk.1 KDC for Heimdal Kerberos
rc  heimdal-server 0.6.3-0.dirk.1 Servers for Heimdal Kerberos
rc  heimdal-server 0.6.3-0.dirk.1 X11 files for Heimdal Kerberos

Caveat: I'm stuck with using "stable" backports for samba, due to the 
development environment I'm in; policy dictates I wait for the package to be 
backported before I can upgrade to it.
log.winbindd, log.nmbd, and log.samba only show the services starting and 
stopping.  If the answer is upgrading to yet a newer version of samba, then 
great, the solution will have to wait. Problem started out w/ version 3.0.7, 
and hasn't been working since, even with subsequent upgrades.  Note: now I am 
on 3.0.11 (got that about the time everyone started talking about 3.0.14).



Here is the error from my log.%m (Of and relating to winbindd)



test:/var/log/samba# tail -f log.ntlm
[2005/04/25 14:38:40, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [26801]: request interface version
[2005/04/25 14:38:40, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [26801]: request location of privileged pipe
[2005/04/25 14:38:40, 3] 
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(41)
  [26801]: check machine account
[2005/04/25 14:38:40, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
  IPC$ connections done anonymously
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
  Doing spnego session setup (blob length=113)
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
  got OID=1 2 840 48018 1 2 2
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
  got OID=1 2 840 113554 1 2 2
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
  got OID=1 2 840 113554 1 2 2 3
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
  got OID=1 3 6 1 4 1 311 2 2 10
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
  got principal=server03test$@TEST.COM
[2005/04/25 14:38:40, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533)
  Doing kerberos session setup
[2005/04/25 14:38:40, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[MEMORY:cliconnect] expiration Tue, 26 Apr 2005 00:38:40 GMT
[2005/04/25 14:38:40, 0] libsmb/smb_signing.c:signing_good(240)
  signing_good: BAD SIG: seq 1
[2005/04/25 14:38:40, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
[2005/04/25 14:38:40, 3] nsswitch/winbindd_cm.c:new_cm_connection(755)
  Could not open a connection to TEST for \PIPE\NETLOGON 
(NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2005/04/25 14:38:40, 3] 
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68)
  could not open handle to NETLOGON pipe
[2005/04/25 14:38:40, 2] 
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
  Checking the trust account password returned 
NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2005/04/25 14:40:01, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27086]: request interface version
[2005/04/25 14:40:01, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27086]: request location of privileged pipe
[2005/04/25 14:40:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27086]: getgroups root
[2005/04/25 14:40:01, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27087]: request interface version
[2005/04/25 14:40:01, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27087]: request location of privileged pipe
[2005/04/25 14:40:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27087]: getgroups root
[2005/04/25 14:40:02, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27090]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27090]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27090]: getgroups amavis
[2005/04/25 14:40:02, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27091]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27091]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27091]: getgroups root
[2005/04/25 14:40:02, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27097]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27097]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27097]: getgroups root
[2005/04/25 14:40:02, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27099]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27099]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27099]: getgroups root
[2005/04/25 14:40:02, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27100]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27100]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27100]: getgroups amavis
[2005/04/25 14:40:02, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27111]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27111]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27111]: getgroups postfix
[2005/04/25 14:40:02, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27112]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27112]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27112]: getgroups postfix
[2005/04/25 14:40:02, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27114]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27114]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27114]: getgroups postfix
[2005/04/25 14:40:02, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27118]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27118]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27118]: getgroups root
[2005/04/25 14:40:03, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27126]: request interface version
[2005/04/25 14:40:03, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27126]: request location of privileged pipe
[2005/04/25 14:40:03, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27126]: getgroups postfix
[2005/04/25 14:40:03, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [27133]: request interface version
[2005/04/25 14:40:03, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [27133]: request location of privileged pipe
[2005/04/25 14:40:03, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27133]: getgroups postfix


The top shows NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, and an error on signing 
on an incoming packet.  Is this where my problems lie?  I can use wbinfo -g, 
-u, -r, -Y, -G, -n, and -S. wbinfo -s only works on "Builtin" groups and users.


smb.conf:
======
[global]
server string = Filtering Server
log file = /var/log/samba/log.ntlm
max log size = 50
security = ads
socket options = TCP_NODELAY
dns proxy = no
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = TEST
passdb backend = tdbsam guest
obey pam restrictions = yes
password server = server03test.test.com
realm = test.com
use spnego = yes


===================
krb5.conf
=============
[libdefaults]
        default_realm = TEST.COM
# The following krb5.conf variables are only for MIT Kerberos.
#       default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5
#       permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        krb4_get_tickets=no
# The following libdefaults parameters are only for Heimdal Kerberos.
#       v4_instance_resolve = false
##      v4_name_convert = {
#               host = {
#                       rcmd = host
#                       ftp = ftp
#               }
#               plain = {
#                       something = something-else
#               }
#       }
[realms]
TEST.COM = {
        kdc = server03test.test.com
        admin_server = server03test.test.com
        default_domain = test.com
}

[domain_realm]
        .test.com = TEST.COM


-- 
Michael Wray
AimConnect, an S4F Inc. Company
918.524.1010 ext 106
mwray at aimconnect.com
http://www.aimconnect.com
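
Added example, not part of the original post: a small triage script for a Samba debug log like the one quoted above. It rejoins entries that the mail client wrapped, then pulls out the level-0 entries and any NT_STATUS code from among the routine level-3 requests. The function names `parse_entries` and `triage` are hypothetical, and the sample is a constructed subset of the posted log.

```python
import re

# Constructed sample: entries copied from the log in the post above, including
# a header and a message that the mail client wrapped onto a second line.
SAMPLE = """\
[2005/04/25 14:38:40, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(41)
  [26801]: check machine account
[2005/04/25 14:38:40, 0] libsmb/smb_signing.c:signing_good(240)
  signing_good: BAD SIG: seq 1
[2005/04/25 14:38:40, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
[2005/04/25 14:38:40, 3] nsswitch/winbindd_cm.c:new_cm_connection(755)
  Could not open a connection to TEST for \\PIPE\\NETLOGON
(NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2005/04/25 14:40:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
  [27086]: getgroups root
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)$")
STATUS = re.compile(r"NT_STATUS_\w+")

def parse_entries(text):
    """Split a Samba debug log into entries, rejoining mail-wrapped lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": ""})
        elif entries and not entries[-1]["where"] and LOCATION.match(line):
            entries[-1]["where"] = line  # file:function(line) wrapped off the header
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage(entries, max_level=0):
    """Return entries logged at or below max_level, or carrying an NT_STATUS code."""
    hits = []
    for e in entries:
        codes = STATUS.findall(e["msg"])
        if e["level"] <= max_level or codes:
            hits.append((e["time"], e["level"], e["where"], codes, e["msg"]))
    return hits

if __name__ == "__main__":
    for hit in triage(parse_entries(SAMPLE)):
        print(hit)
```
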


