[Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
John H Terpstra
jht at Samba.Org
Mon May 23 17:32:50 GMT 2005
On Monday 23 May 2005 11:23, Sean Kennedy wrote:
> Hi all,
>
> Thus far, I have managed to get wbinfo -[u|g] to display users/group
> correctly, and getent passwd/group works. However, wbinfo -t fails to
> work, giving me this error:
>
> [root at billing samba]# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
Check the security settings on the ADS domain controllers. It looks like it may
have been locked down to prevent remote access.
- John T.
>
>
>
> Further, this seems to be related to a problem with wbinfo -a:
>
> [root at billing samba]# wbinfo -a user%pass
> plaintext password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user user%pass with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user user with challenge/response
>
>
> I was able to join the domain successfully:
>
> [root at billing samba]# net ads join
> [2005/05/23 10:09:35, 0] libads/ldap.c:ads_add_machine_acct(1368)
> ads_add_machine_acct: Host account for billing already exists -
> modifying old account
> Using short domain name -- DOMAIN
> Joined 'BILLING' to realm 'DOMAIN.PRI'
>
>
>
> At this point, I am at a loss as to what to do further. I don't
> understand ADS well enough to know why I can get a list of usernames but
> I can't auth with them. That seems to be a big clue to me what's going
> on, but I don't understand it well enough to take it. :)
>
> Here is my krb5.conf file:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdr = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DOMAIN.PRI
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
> default_tgs_enctypes = des-cbc-crc
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> [realms]
> DOMAIN.PRI = {
> kdc = dc-1.domain.pri:88
> admin_server = dc-1.domain.pri:749
> default_domain = domain.PRI
> }
>
> [domain_realm]
> domain.pri = DOMAIN.PRI.
> domain.pri = DOMAIN.PRI
>
> [pam]
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
>
>
> And here are the relevant bits of my smb.conf file:
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.PRI
> netbios name = BILLING
> password server = 192.168.1.3
>
> #domain logons = yes
> security = ads
> server string = Billing Office File Server
> interfaces = 192.168.1.0/24 127.0.0.0/8
> bind interfaces only = yes
> encrypt passwords = yes
> log level = 3
> log file =/var/log/samba/%U.log
> guest account = nobody
> guest ok = no
>
> use spnego = yes
> use kerberos keytab = yes
>
> wins server = 192.168.1.3
> # Browsing Election options
> local master = yes
> preferred master = yes
> domain master = no
> os level = 55
>
> wins support = no
> name resolve order = wins hosts bcast
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> #domain admin group = @Domain Admins
>
> winbind uid = 1000-5000
> winbind gid = 1000-5000
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%U
> template shell = /bin/bash
> winbind use default domain = yes
> winbind separator = +
>
>
> Any help is greatly appreciated!
>
> Sean
>
> ps: Sorry for the html folks, I'll send this as text too. The html
> really helps with the formatting, which is why I use it.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.