[Samba] samba 3 member of win2003 domain + winbind can't see users
Stuart Westbury
stuart at coscom.net
Sun Mar 20 23:14:36 GMT 2005
Hi Samba gurus,

I have the following problem with a Samba member server on a Windows 2003
domain. I have managed to join the domain and my trust secret is good, but
I can't list users or groups using "wbinfo -u" or "wbinfo -g".

OS version     Red Hat Enterprise Linux AS release 3 (Taroon)
Samba version  samba-3.0.9-1.3E.2
Kerb version   krb5-libs-1.2.7-38

This is the result from the join. It worked but produced this error:

    net join ads -U admin
    Password:
    [2005/03/18 3:41:00, 0] libads/kerberos.c:
    ads_kinit_password(133) kerberos_kinit_password admin@AU.DOMAIN.INT
    failed: ASN.1 encoding ended unexpectedly
    Joined domain AU

This is a similar error that I get when I use kinit:

    kinit username@AU.DOMAIN.INT
    Password for username@AU.DOMAIN.INT:
    kinit(v5): ASN.1 encoding ended unexpectedly while getting initial
    credentials

However, wbinfo -a username works fine (see below). Also, if I enter a
wrong password or username to kinit, it tells me the client does not
exist. What's wrong with my Kerberos?

The server now appears in the Active Directory, the trust secret is good,
and users can be authenticated using "wbinfo -a", but when trying to list
users and groups, it hangs, and winbind must be restarted. I will show the
output of these commands here.

    ~> wbinfo -t
    checking the trust secret via RPC calls succeeded

    ~> wbinfo -a domuser%PASSWD
    plaintext password authentication succeeded
    challenge/response password authentication succeeded

    ~> wbinfo -u (hangs for about 30 seconds)
    Error looking up domain users

Winbind must then be restarted or "wbinfo -t" starts to fail with:

    checking the trust secret via RPC calls failed
    error code was (0x0)
    Could not check secret

I have also set up (in an attempt to solve this problem) a --set-auth-user.
I have tried both admin and non-admin accounts. When I do a tdbdump of the
secrets.tdb, I can see it in there and the details are correct, but I get
the same result. In the secrets.tdb, my domain is set to just AU, not
AU.DOMAIN.INT. Is this correct? How do I even change it?

My config files are as follows:

krb5.conf

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = AU.DOMAIN.INT

    [realms]
    au.domain.int = {
        kdc = dc001.AU.DOMAIN.INT:88
        kdc = dc002.AU.DOMAIN.INT:88
    }

    [domain_realms]
    .au.domain.int = AU.DOMAIN.INT
    au.domain.int = AU.DOMAIN.INT

smb.conf

    [global]
    workgroup = AU
    netbios name = aucbcosrv016
    realm = AU.DOMAIN.INT
    server string = Test Samba Server
    printcap name = /etc/printcap
    load printers = yes
    printing = lprng
    log file = /var/log/samba/%m.log
    max log size = 0
    security = ads
    winbind enum users = yes
    winbind gid = 10000-20000
    winbind enum groups = yes
    winbind uid = 10000-20000
    winbind cache time = 15
    winbind use default domain = yes
    name resolve order = hosts lmhosts wins bcast
    password server = aucbcosrv001 aucbcosrv002
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no
    <shares excluded>

nsswitch.conf

    passwd: files winbind
    shadow: files
    group: files winbind

Does this sound familiar to anyone? I've really hit a wall on this. Any
help would be greatly appreciated, and rewarded with lots of praise and
that warm fuzzy feeling :)
Thanks,
Stuart