[Samba] Problem with winbind on Samba PDC after 3.0.20

Alex Deiter tiamat at komi.mts.ru
Sun Sep 11 16:26:39 GMT 2005


Hi,

I'm using winbind to authenticate squid proxy users via ntlm_auth.
Squid, samba and winbind run on the same server.
The server is a PDC and a member of the domain.
After updating Samba from 3.0.14a to 3.0.20, ntlm_auth does not work.
Also, wbinfo gives an error:

# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret

winbind log (winbindd -S -F -i -d 4):
cm_get_ipc_userpass: No auth-user defined
Serverzone is -14400
Using cleartext machine password
cli_net_req_chal: LSA Request Challenge from SERVER to \\SERVER
cred_session_key
cred_create
cli_net_auth2: srv:\\SERVER acct:WORKGROUP$ sc:6 mc: SERVER neg: 400701ff
could not open handle to NETLOGON pipe
Checking the trust account password returned NT_STATUS_ACCESS_DENIED

But if I run winbind with a custom config:

# diff -u smb.conf wb.conf
--- smb.conf    Sun Sep 11 20:03:54 2005
+++ wb.conf     Sun Sep 11 20:04:08 2005
@@ -8,7 +8,7 @@
         display charset = KOI8-R
         dos charset = 866
         winbind use default domain = yes
-        domain logons = yes
+        domain logons = no
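
Review bot: the changed line, domain logons = no, lives only in wb.conf, which is handed to winbindd with -s, so winbindd now runs with a different view of the server's role than the smb.conf that still says domain logons = yes. The two winbindd logs show what this one setting changes: cli_net_auth2 uses acct:WORKGROUP$ and fails to open the NETLOGON pipe with the original file, and uses acct:SERVER$ and succeeds with wb.conf. If this stays as a workaround, put a comment above the line in wb.conf saying it is for winbindd only and why, and derive wb.conf from smb.conf rather than maintaining a second copy by hand, so that later changes to the other [global] settings do not drift between the two files.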

it works fine for me:

# wbinfo -t
checking the trust secret via RPC calls succeeded

winbind log (winbindd -S -F -i -d 4 -s wb.conf):
cm_get_ipc_userpass: No auth-user defined
Serverzone is -14400
lsa_io_sec_qos: length c does not match size 8
[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: check machine account
child daemon request 26
[31109]: check machine account
cm_get_ipc_userpass: No auth-user defined
Using cleartext machine password
cli_net_req_chal: LSA Request Challenge from SERVER to \\SERVER
cred_session_key
cred_create
cli_net_auth2: srv:\\SERVER acct:SERVER$ sc:6 mc: SERVER neg: 400701ff
cred_create
cred_assert
secret is good

Please tell me: is it a bug or a feature?

smb.conf:

[global]
        workgroup = WORKGROUP
        admin users = tiamat
        guest account = guest
        log file = /var/log/samba/%m.log
        security = user
        encrypt passwords = yes
        unix charset = KOI8-R
        display charset = KOI8-R
        dos charset = 866
        winbind use default domain = yes
        domain logons = yes

[homes]
        browseable = no
        writeable = yes
        valid users = %S

[netlogon]
        path = /home/samba/netlogon
        browseable = no

The server was joined to the domain with:

# net join -U tiamat
Password:
Joined domain WORKGROUP.

Thanks a lot!

--
Alex Deiter