[Samba] Winbind trouble when on the DC

Adam Tauno Williams awilliam at whitemice.org
Thu Sep 15 19:01:51 GMT 2005


I have a situation where I want to do some authentication via ntlm_auth on my
DC.  I've tested this on my test box (a domain member) and it works perfectly.

On domain member -
tor:~ # /usr/bin/ntlm_auth --username=adam --domain=BACKBONE --password=********
NT_STATUS_OK: Success (0x0)

On domain controller -
littleboy:~ # /usr/bin/ntlm_auth --username=adam --domain=BACKBONE --password=**********
Reading winbind reply failed! (0x01)
:  (0x0)

But winbindd is running and "wbinfo -p" says the winbind daemon is OK.

I can "wbinfo -u" and "wbinfo -g" to list domain users and groups on any member
server and it is as quick as lightning.  But on the domain controller it just
pukes with an "Error looking up domain groups" message.  The domain controller
is working perfectly for ~200 XP and 2000 boxes.  It is just the winbind stuff
that does not work locally.

Anyone have any ideas?

DC is SuSE 9.2 running Samba 3.0.20 with OpenLDAP backend.

The logs for winbind look like -
[2005/09/15 06:02:50, 6] nsswitch/winbindd.c:new_connection(596)
  accepted socket 19
[2005/09/15 06:02:50, 10] nsswitch/winbindd.c:process_request(325)
  process_request: request fn INTERFACE_VERSION
[2005/09/15 06:02:50, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [    0]: request interface version
[2005/09/15 06:02:50, 10] nsswitch/winbindd.c:process_request(325)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2005/09/15 06:02:50, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [    0]: request location of privileged pipe
[2005/09/15 06:02:50, 6] nsswitch/winbindd.c:new_connection(596)
  accepted socket 20
[2005/09/15 06:02:50, 10] nsswitch/winbindd.c:process_request(325)
  process_request: request fn LIST_GROUPS
[2005/09/15 06:02:50, 3] nsswitch/winbindd_group.c:winbindd_list_groups(811)
  [    0]: list groups
[2005/09/15 06:02:50, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/09/15 06:02:50, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2005/09/15 06:02:50, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/09/15 06:02:50, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!

NSS is working perfectly as well, as I can "id {username}" and instantly get back
user information and all group memberships.

Global configuration
----------------------
[global]
   workgroup = BACKBONE
   server string = OpenLDAP DSA/DC
   printing = CUPS
   netbios name = barbel
   netbios aliases = littleboy
   keepalive = 0
   guest account = pcnet
   add machine script = /usr/bin/mono /usr/local/bin/cifsaddmachine.exe %u
   security = user
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
   local master = yes
   os level = 200
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = %G.bat
   logon path = \\BARBEL\PROFILES\%U
   logon drive = f:
   logon home = \\SARDINE\HOMEDIR
   wins support = yes
   wins hook = /usr/bin/mono /usr/local/bin/wins_update.exe
   name resolve order = wins host
   dns proxy = yes
   map to guest = Bad User
   passdb backend = ldapsam:ldap://localhost/
   ldap ssl = no
   ldap admin dn = uid=CIFSDC,ou=System,ou=Accounts,ou=Entities,ou=SAM,o=Morrison Industries,c=US
   ldap suffix = o=Morrison Industries,c=US
   ldap group suffix = ou=Groups,ou=Entities,ou=SAM
   ldap user suffix = ou=Accounts,ou=Entities,ou=SAM
   ldap machine suffix = ou=System,ou=Accounts,ou=Entities,ou=SAM
   idmap backend = ldap:ldap://localhost
   ldap idmap suffix = ou=idMap,ou=CIFS,ou=SubSystems
   idmap uid = 40000-50000
   idmap gid = 40000-50000
   winbind use default domain = yes
   username map = /etc/samba/username.map
   remote announce = 192.168.10.255/BACKBONE
   deadtime = 15
   log level = 2 winbind:10
   log file = /var/log/samba/log.%m
   ldap passwd sync = yes
   include = /etc/samba/smb.conf.%m
   host msdfs = yes
   cups server = crew
   cups options = raw
   enable privileges = yes
   load printers = no

-- 
Adam Tauno Williams - http://www.whitemice.org


