[Samba] Samba / AD / Winbind issues

Kevin M. Barrett kmb at kmb.com
Sun May 8 14:18:28 GMT 2005


Some additional info with regard to my Winbind issue...

I have started the Winbind process interactively with a debug level of 9.

Here are the results of two smbclient -L //gs005/ -Utuser2 commands. The 
first is with the password set to the wrong value, and it shows that 
samba/winbind knows that it is wrong (that is a good thing).

+++++ LOG DATA ++++++

[20195]: request interface version
[20195]: request location of privileged pipe
[20195]: ping
[20195]: pam auth crap domain: D1 user: tuser2
winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED.  Maybe the trust 
account password was changed and we didn't know it.  Killing connections to 
domain D1
resolve_lmhosts: Attempting lmhosts lookup for name lab14-168<0x20>
resolve_wins: Attempting wins lookup for name lab14-168<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name lab14-168<0x20>
Connected to LDAP server 192.168.14.168
got ldap server name media-1 at D1.SANDTEST.COM, using bind path: 
dc=D1,dc=SANDTEST,dc=COM
IPC$ connections done anonymously
Connecting to host=MEDIA-1
Connecting to 192.168.14.168 at port 445
Doing spnego session setup (blob length=112)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=media-1$@D1.SANDTEST.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sun, 08 May 2005 20:03:42 GMT
NTLM CRAP authentication for user [D1]\[tuser2] returned 
NT_STATUS_WRONG_PASSWORD (PAM: 7)

----- END LOG DATA ------

And this one is with the password set correctly (much longer log):

++++ LOG DATA ++++


[20780]: request interface version
[20780]: request location of privileged pipe
[20780]: ping
[20780]: pam auth crap domain: D1 user: tuser2
winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED.  Maybe the trust 
account password was changed and we didn't know it.  Killing connections to 
domain D1
Connected to LDAP server 192.168.14.168
got ldap server name media-1 at D1.SANDTEST.COM, using bind path: 
dc=D1,dc=SANDTEST,dc=COM
IPC$ connections done anonymously
Connecting to host=MEDIA-1
Connecting to 192.168.14.168 at port 445
Doing spnego session setup (blob length=112)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=media-1$@D1.SANDTEST.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sun, 08 May 2005 20:13:17 GMT
[20780]: getpwnam d1+tuser2
rpc: name_to_sid name=tuser2
name_to_sid [rpc] tuser2 for domain D1
Connected to LDAP server 192.168.14.168
got ldap server name media-1 at D1.SANDTEST.COM, using bind path: 
dc=D1,dc=SANDTEST,dc=COM
IPC$ connections done anonymously
Connecting to host=MEDIA-1
Connecting to 192.168.14.168 at port 445
Doing spnego session setup (blob length=112)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=media-1$@D1.SANDTEST.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sun, 08 May 2005 20:13:17 GMT
user 'tuser2' does not exist
[20780]: getpwnam D1+tuser2
rpc: name_to_sid name=tuser2
name_to_sid [rpc] tuser2 for domain D1
Connected to LDAP server 192.168.14.168
got ldap server name media-1 at D1.SANDTEST.COM, using bind path: 
dc=D1,dc=SANDTEST,dc=COM
IPC$ connections done anonymously
Connecting to host=MEDIA-1
Connecting to 192.168.14.168 at port 445
Doing spnego session setup (blob length=112)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=media-1$@D1.SANDTEST.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sun, 08 May 2005 20:13:17 GMT
user 'tuser2' does not exist
[20780]: getpwnam D1+TUSER2
rpc: name_to_sid name=TUSER2
name_to_sid [rpc] TUSER2 for domain D1
Connected to LDAP server 192.168.14.168
got ldap server name media-1 at D1.SANDTEST.COM, using bind path: 
dc=D1,dc=SANDTEST,dc=COM
IPC$ connections done anonymously
Connecting to host=MEDIA-1
Connecting to 192.168.14.168 at port 445
Doing spnego session setup (blob length=112)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=media-1$@D1.SANDTEST.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sun, 08 May 2005 20:13:17 GMT
user 'TUSER2' does not exist
[20780]: getpwnam tuser2
[20780]: getpwnam TUSER2
[20780]: create_user: user=>(tuser2), group=>()
winbindd_create_user: Cannot validate gid for group ('Domain Users')
[20780]: getpwnam tuser2
[20780]: getpwnam TUSER2
[20780]: create_user: user=>(tuser2), group=>()
winbindd_create_user: Cannot validate gid for group ('Domain Users')
[20780]: getpwnam d1+tuser2
rpc: name_to_sid name=tuser2
name_to_sid [rpc] tuser2 for domain D1
Connected to LDAP server 192.168.14.168
got ldap server name media-1 at D1.SANDTEST.COM, using bind path: 
dc=D1,dc=SANDTEST,dc=COM
IPC$ connections done anonymously
Connecting to host=MEDIA-1
Connecting to 192.168.14.168 at port 445
Doing spnego session setup (blob length=112)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=media-1$@D1.SANDTEST.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sun, 08 May 2005 20:13:17 GMT
user 'tuser2' does not exist
[20780]: getpwnam D1+tuser2
rpc: name_to_sid name=tuser2
name_to_sid [rpc] tuser2 for domain D1
Connected to LDAP server 192.168.14.168
got ldap server name media-1 at D1.SANDTEST.COM, using bind path: 
dc=D1,dc=SANDTEST,dc=COM
IPC$ connections done anonymously
Connecting to host=MEDIA-1
Connecting to 192.168.14.168 at port 445
Doing spnego session setup (blob length=112)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=media-1$@D1.SANDTEST.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sun, 08 May 2005 20:13:17 GMT
user 'tuser2' does not exist
[20780]: getpwnam D1+TUSER2
rpc: name_to_sid name=TUSER2
name_to_sid [rpc] TUSER2 for domain D1
Connected to LDAP server 192.168.14.168
got ldap server name media-1 at D1.SANDTEST.COM, using bind path: 
dc=D1,dc=SANDTEST,dc=COM
IPC$ connections done anonymously
Connecting to host=MEDIA-1
Connecting to 192.168.14.168 at port 445
Doing spnego session setup (blob length=112)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=media-1$@D1.SANDTEST.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sun, 08 May 2005 20:13:17 GMT
user 'TUSER2' does not exist
[20780]: getpwnam tuser2
[20780]: getpwnam TUSER2
[20780]: create_user: user=>(tuser2), group=>()
winbindd_create_user: Cannot validate gid for group ('Domain Users')
[20780]: getpwnam tuser2
[20780]: getpwnam TUSER2

----- END LOG DATA ----

In both cases I see a disturbing error at the top:

winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED.  Maybe the trust 
account password was changed and we didn't know it.  Killing connections to 
domain D1

Any guidance on resolving this problem is welcome...

Kevin





Kevin M. Barrett

KMB IT Consulting, Inc
508-450-7717 
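
Added example, not part of the original post: a small triage script that pulls the failure lines out of a winbindd debug log like the two above and attributes each one to the client request that preceded it, so the repeated reconnect blocks do not hide them. The sample input is copied from the post with mail-wrapped lines rejoined; the signal labels are hypothetical names chosen for this example.

```python
import re
from collections import Counter

# Lines copied from the two logs in the post above, mail-wrapped lines rejoined
# and the repeated reconnect blocks left out.
WRONG_PW = r"""
[20195]: pam auth crap domain: D1 user: tuser2
winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED.  Maybe the trust account password was changed and we didn't know it.  Killing connections to domain D1
NTLM CRAP authentication for user [D1]\[tuser2] returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
"""
RIGHT_PW = r"""
[20780]: pam auth crap domain: D1 user: tuser2
winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED.  Maybe the trust account password was changed and we didn't know it.  Killing connections to domain D1
[20780]: getpwnam d1+tuser2
rpc: name_to_sid name=tuser2
user 'tuser2' does not exist
[20780]: getpwnam D1+TUSER2
user 'TUSER2' does not exist
[20780]: getpwnam tuser2
[20780]: create_user: user=>(tuser2), group=>()
winbindd_create_user: Cannot validate gid for group ('Domain Users')
"""

REQUEST = re.compile(r"^\[(\d+)\]: (.+)$")   # "[pid]: request" lines from clients
SIGNALS = {                                   # hypothetical labels -> log pattern
    "trust_access_denied": re.compile(r"sam_logon returned ACCESS_DENIED"),
    "auth_result": re.compile(r"returned (NT_STATUS_\w+)"),
    "user_not_found": re.compile(r"^user '([^']+)' does not exist"),
    "gid_unresolved": re.compile(r"Cannot validate gid for group \('([^']+)'\)"),
}

def summarize(log_text):
    """Return (pid, request, signal, detail) for each failure line, attributed
    to the most recent client request seen before it."""
    events, pid, request = [], None, None
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m:
            pid, request = m.groups()
            continue
        for name, pattern in SIGNALS.items():
            hit = pattern.search(line)
            if hit:
                events.append((pid, request, name, hit.group(1) if hit.groups() else ""))
    return events

def signal_counts(log_text):
    return Counter(signal for _, _, signal, _ in summarize(log_text))

if __name__ == "__main__":
    for label, log in (("wrong password", WRONG_PW), ("right password", RIGHT_PW)):
        print(label, dict(signal_counts(log)))
```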


