[Samba] Samba / AD / Winbind issues
Kevin M. Barrett
kmb at kmb.com
Sun May 8 13:56:58 GMT 2005
John,
Yes I have nsswitch.conf correctly configured.
At 12:21 AM 5/8/2005, John H Terpstra wrote:
>On Saturday 07 May 2005 22:13, Kevin M. Barrett wrote:
> > Thanks for the quick reply... See below in context ....
>
>Looks like you are running winbind. What is in your /etc/nsswitch.conf file?
>Do you have?:
>
>passwd: files winbind
>shadow: files winbind
>group: files winbind
Exactly as above
>If so, what is returned by executing?:
>
> getent passwd
<snip>
named:x:25:25:named:/var/named:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
ibrix:x:500:500::/usr/local/ibrix:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
D1+Administrator:x:10000:10000:Administrator:/home/D1/Administrator:/bin/bash
D1+Guest:x:10001:10001:Guest:/home/D1/Guest:/bin/bash
D1+SUPPORT_388945a0:x:10002:10000:SUPPORT_388945a0:/home/D1/SUPPORT_388945a0:/bin/bash
D1+IUSR_MEDIA-1:x:10003:10000:IUSR_MEDIA-1:/home/D1/IUSR_MEDIA-1:/bin/bash
D1+IWAM_MEDIA-1:x:10004:10000:IWAM_MEDIA-1:/home/D1/IWAM_MEDIA-1:/bin/bash
D1+WMUS_MEDIA-1:x:10005:10000:WMUS_MEDIA-1:/home/D1/WMUS_MEDIA-1:/bin/bash
D1+MEDIA-1$:x:10006:10002:MEDIA-1:/home/D1/MEDIA-1_:/bin/bash
D1+krbtgt:x:10007:10000:krbtgt:/home/D1/krbtgt:/bin/bash
D1+tuser2:x:10008:10000:test user2:/home/D1/tuser2:/bin/bash
D1+kmb:x:10009:10000:Kevin Barrett:/home/D1/kmb:/bin/bash
D1+HOST/gs005:x:10010:10003:gs005:/home/D1/HOST/gs005:/bin/bash
D1+HOST/gs015:x:10011:10003:gs015:/home/D1/HOST/gs015:/bin/bash
> getent group
<snip>
desktop:x:80:
apache:x:48:
named:x:25:
webalizer:x:67:
squid:x:23:
ibrix:x:500:
postgres:x:26:
D1+Domain Computers:x:10003:
D1+Domain Controllers:x:10002:
D1+Schema Admins:x:10004:D1+Administrator
D1+Enterprise Admins:x:10005:D1+Administrator
D1+Domain Admins:x:10006:D1+kmb,D1+Administrator
D1+Domain Users:x:10000:
D1+Domain Guests:x:10001:
D1+Group Policy Creator Owners:x:10007:D1+Administrator
D1+DnsUpdateProxy:x:10008:
BUILTIN+System Operators:x:10009:
BUILTIN+Replicators:x:10010:
BUILTIN+Guests:x:10011:
BUILTIN+Power Users:x:10012:
BUILTIN+Print Operators:x:10013:
BUILTIN+Administrators:x:10014:
BUILTIN+Account Operators:x:10015:
BUILTIN+Backup Operators:x:10016:
BUILTIN+Users:x:10017:
>-John T.
>
> >
> > At 12:00 AM 5/8/2005, you wrote:
> > >On Saturday 07 May 2005 21:52, Kevin M. Barrett wrote:
> > > > List members,
> > > >
> > > > I have an issue that I hope one of you can help me with ... I
> > > > have set up an AD ( 2003 ) as PDC and a RHE3 AS server running Samba
> > > > V3.0.6-2.3E following the instructions in the HOW-TO- By example. Here
> > > > is what I have at the moment ..
> > >
> > >Wowa! Which are you following? The Samba-3 HOWTO and Reference Guide, or
> > >Samba-3 by Example? More importantly, which version? Printed or on-line
> > > PDF?
> >
> > On line version ... URL
> > http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm
> >
> > >Yes, I would like to know as I am in the process of updating both.
> > >
> > >Now, what is the returned information from executing the following?
> > >
> > > net ads testjoin
> >
> > Join is OK
> >
> > > net ads info
> >
> > LDAP server: 192.168.14.168
> > LDAP server name: media-1
> > Realm: D1.SANDTEST.COM
> > Bind Path: dc=D1,dc=SANDTEST,dc=COM
> > LDAP port: 389
> > Server time: Sun, 08 May 2005 00:10:20 GMT
> > KDC server: 192.168.14.168
> > Server time offset: -23
> >
> > > - John T.
> > >
> > > > I had no problems adding the RH server to the Domain and I have Winbind
> > > > set up in the nsswitch.conf file for passwd, group and hosts
> > > >
> > > > I can do a "wbinfo -u" and it returns
> > > >
> > > > D1+Administrator
> > > > D1+Guest
> > > > D1+SUPPORT_388945a0
> > > > D1+IUSR_MEDIA-1
> > > > D1+IWAM_MEDIA-1
> > > > D1+WMUS_MEDIA-1
> > > > D1+MEDIA-1$
> > > > D1+krbtgt
> > > > D1+tuser2
> > > > D1+kmb
> > > > D1+HOST/gs005
> > > > D1+HOST/gs015
> > > >
> > > > wbinfo -g returns
> > > >
> > > > BUILTIN+System Operators
> > > > BUILTIN+Replicators
> > > > BUILTIN+Guests
> > > > BUILTIN+Power Users
> > > > BUILTIN+Print Operators
> > > > BUILTIN+Administrators
> > > > BUILTIN+Account Operators
> > > > BUILTIN+Backup Operators
> > > > BUILTIN+Users
> > > > D1+Domain Computers
> > > > D1+Domain Controllers
> > > > D1+Schema Admins
> > > > D1+Enterprise Admins
> > > > D1+Domain Admins
> > > > D1+Domain Users
> > > > D1+Domain Guests
> > > > D1+Group Policy Creator Owners
> > > > D1+DnsUpdateProxy
> > > >
> > > >
> > > > Now when I perform a smbclient command such as
> > > >
> > > > smbclient -L //gs005/ -Utuser2
> > > > Password:xxxxxxxx
> > > > session setup failed: NT_STATUS_LOGON_FAILURE
> > > > [root@gs005 etc]#
> > > >
> > > > as you can see I am running this on the same server that I'm looking
> > > > for the list from. I get the same results using localhost and
> > > > 127.0.0.1 as well. Also I get the same result when I run this command
> > > > on another Linux box asking for the same info...
> > > >
> > > > The Winbind trace looks like this.
> > > >
> > > > user 'tuser2' does not exist
> > > > [10175]: getpwnam D1+TUSER2
> > > > rpc: name_to_sid name=TUSER2
> > > > name_to_sid [rpc] TUSER2 for domain D1
> > > > Connected to LDAP server 192.168.14.168
> > > > got ldap server name media-1@D1.SANDTEST.COM, using bind path: dc=D1,dc=SANDTEST,dc=COM
> > > > IPC$ connections done anonymously
> > > > Connecting to host=MEDIA-1
> > > > Connecting to 192.168.14.168 at port 445
> > > > Doing spnego session setup (blob length=112)
> > > > got OID=1 2 840 48018 1 2 2
> > > > got OID=1 2 840 113554 1 2 2
> > > > got OID=1 2 840 113554 1 2 2 3
> > > > got OID=1 3 6 1 4 1 311 2 2 10
> > > > got principal=media-1$@D1.SANDTEST.COM
> > > > Doing kerberos session setup
> > > > Ticket in ccache[MEMORY:cliconnect] expiration Sun, 08 May 2005 09:49:08 GMT
> > > > user 'TUSER2' does not exist
> > > > [10175]: getpwnam tuser2
> > > > [10175]: getpwnam TUSER2
> > > > [10175]: create_user: user=>(tuser2), group=>()
> > > > winbindd_create_user: Cannot validate gid for group ('Domain Users')
> > > > [10175]: getpwnam tuser2
> > > > [10175]: getpwnam TUSER2
> > > >
> > > > Anybody seen this and know where I should go to look for a solution?
> > > >
> > > > Thanks
> > > >
> > > > Kevin
> > > >
> > > >
> > > >
> > > >
> > > > Kevin M. Barrett
> > > >
> > > > KMB IT Consulting, Inc
> > > > 508-450-7717
> > >
> > >--
> > >John H Terpstra,
> > >Clerk of Session
> > >Christ Presbyterian Church (OPC)
> > >Salt Lake City, Utah.
> > >Phone: (801) 936-1367
> > >Cell: (650) 580-8668
> > >--
> > >To unsubscribe from this list go to the following URL and read the
> > >instructions: https://lists.samba.org/mailman/listinfo/samba
> >
> > Kevin M. Barrett
> >
> > KMB IT Consulting, Inc
> > 508-450-7717
>
>--
>John H Terpstra
>Samba-Team Member
>Phone: +1 (650) 580-8668
>
>Author:
>The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
>Samba-3 by Example, ISBN: 0131472216
>Hardening Linux, ISBN: 0072254971
>Other books in production.
Kevin M. Barrett
KMB IT Consulting, Inc
508-450-7717
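
Added example, not part of the original message and not Samba code: a small Python cross-check of getent-style output. It takes a few lines copied from the listings quoted above as a constructed sample, confirms that every primary GID has a group entry, and shows that the bare names in the winbind trace (tuser2, Domain Users) appear in those listings only with the D1+ prefix. The function names and the SEP constant are this example's own.

```python
# PASSWD and GROUP are constructed samples: a few lines taken from the
# getent output quoted in the message above, not a full dump.
PASSWD = """\
ibrix:x:500:500::/usr/local/ibrix:/bin/bash
D1+tuser2:x:10008:10000:test user2:/home/D1/tuser2:/bin/bash
D1+kmb:x:10009:10000:Kevin Barrett:/home/D1/kmb:/bin/bash
D1+MEDIA-1$:x:10006:10002:MEDIA-1:/home/D1/MEDIA-1_:/bin/bash
"""
GROUP = """\
ibrix:x:500:
D1+Domain Controllers:x:10002:
D1+Domain Admins:x:10006:D1+kmb,D1+Administrator
D1+Domain Users:x:10000:
"""
SEP = "+"  # domain/name separator as it appears in the quoted output

def parse(text, gid_field):
    """Map entry name -> numeric GID for colon-separated getent lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) > gid_field and fields[gid_field].isdigit():
            table[fields[0]] = int(fields[gid_field])
    return table

def orphan_primary_gids(passwd, group):
    """Users whose primary GID has no matching group entry."""
    known = set(group.values())
    return sorted(u for u, gid in passwd.items() if gid not in known)

def qualified_matches(name, table):
    """Entries that match only once the DOMAIN+ prefix is stripped."""
    return [k for k in table
            if SEP in k and k.split(SEP, 1)[1].lower() == name.lower()]

def explain(name, table):
    """Say whether a name is listed as given, only qualified, or not at all."""
    # Case-insensitive, since the trace tries both tuser2 and TUSER2.
    if any(k.lower() == name.lower() for k in table):
        return "found"
    hits = qualified_matches(name, table)
    return "only as " + ", ".join(hits) if hits else "absent"

if __name__ == "__main__":
    users, groups = parse(PASSWD, 3), parse(GROUP, 2)
    print("orphan primary GIDs:", orphan_primary_gids(users, groups))
    for n in ("tuser2", "TUSER2", "D1+tuser2"):
        print(n, "->", explain(n, users))
    print("Domain Users ->", explain("Domain Users", groups))
```

On a live host, pass the real output of getent passwd and getent group to parse() in place of the samples.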