[Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
Sean Kennedy
skennedy at tpno-co.org
Mon May 23 17:23:31 GMT 2005
Hi all,
Thus far, I have managed to get wbinfo -[u|g] to display users/groups
correctly, and getent passwd/group works. However, wbinfo -t fails to
work, giving me this error:
[root@billing samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
Further, this seems to be related to a problem with wbinfo -a:
[root@billing samba]# wbinfo -a user%pass
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user user%pass with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user user with challenge/response
I was able to join the domain successfully:
[root@billing samba]# net ads join
[2005/05/23 10:09:35, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for billing already exists -
modifying old account
Using short domain name -- DOMAIN
Joined 'BILLING' to realm 'DOMAIN.PRI'
At this point, I am at a loss as to what to do further. I don't
understand ADS well enough to know why I can get a list of usernames but
I can't auth with them. That seems to be a big clue to me what's going
on, but I don't understand it well enough to take it. :)
Here is my krb5.conf file:
[logging]
default = FILE:/var/log/krb5libs.log
kdr = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.PRI
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DOMAIN.PRI = {
kdc = dc-1.domain.pri:88
admin_server = dc-1.domain.pri:749
default_domain = domain.PRI
}
[domain_realm]
.domain.pri = DOMAIN.PRI
domain.pri = DOMAIN.PRI
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
And here are the relevant bits of my smb.conf file:
[global]
workgroup = DOMAIN
realm = DOMAIN.PRI
netbios name = BILLING
password server = 192.168.1.3
#domain logons = yes
security = ads
server string = Billing Office File Server
interfaces = 192.168.1.0/24 127.0.0.0/8
bind interfaces only = yes
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%U.log
guest account = nobody
guest ok = no
use spnego = yes
use kerberos keytab = yes
wins server = 192.168.1.3
# Browsing Election options
local master = yes
preferred master = yes
domain master = no
os level = 55
wins support = no
name resolve order = wins hosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#domain admin group = @Domain Admins
winbind uid = 1000-5000
winbind gid = 1000-5000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
winbind separator = +
Any help is greatly appreciated!
Sean
ps: Sorry for the html folks, I'll send this as text too. The html
really helps with the formatting, which is why I use it.