[Samba] Winbind trouble when on the DC
Adam Tauno Williams
awilliam at whitemice.org
Thu Sep 15 19:01:51 GMT 2005
I have a situation where I want to do some authentication via ntlm_auth on my
DC. I've tested this on my test box (a domain member) and it works perfectly.
On domain member -
tor:~ # /usr/bin/ntlm_auth --username=adam --domain=BACKBONE --password=********
NT_STATUS_OK: Success (0x0)
On domain controller -
littleboy:~ # /usr/bin/ntlm_auth --username=adam --domain=BACKBONE --password=**********
Reading winbind reply failed! (0x01)
: (0x0)
But winbindd is running and "wbinfo -p" says the winbind daemon is OK.
I can "wbinfo -u" and "wbinfo -g" to list domain users and groups on any member
server and it is as quick as lightning. But on the domain controller it just
pukes with an "Error looking up domain groups" message. The domain controller
is working perfectly for ~200 XP and 2000 boxes. It is just that the winbind
stuff does not work locally.
Anyone have any ideas?
DC is SuSE 9.2 running Samba 3.0.20 with OpenLDAP backend.
The logs for winbind look like -
[2005/09/15 06:02:50, 6] nsswitch/winbindd.c:new_connection(596)
accepted socket 19
[2005/09/15 06:02:50, 10] nsswitch/winbindd.c:process_request(325)
process_request: request fn INTERFACE_VERSION
[2005/09/15 06:02:50, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
[ 0]: request interface version
[2005/09/15 06:02:50, 10] nsswitch/winbindd.c:process_request(325)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2005/09/15 06:02:50, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
[ 0]: request location of privileged pipe
[2005/09/15 06:02:50, 6] nsswitch/winbindd.c:new_connection(596)
accepted socket 20
[2005/09/15 06:02:50, 10] nsswitch/winbindd.c:process_request(325)
process_request: request fn LIST_GROUPS
[2005/09/15 06:02:50, 3] nsswitch/winbindd_group.c:winbindd_list_groups(811)
[ 0]: list groups
[2005/09/15 06:02:50, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/09/15 06:02:50, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
get_sam_group_entries: Failed to enumerate domain local groups!
[2005/09/15 06:02:50, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/09/15 06:02:50, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
get_sam_group_entries: Failed to enumerate domain local groups!
NSS is working perfectly as well, as I can "id {username}" and instantly get
back user information and all group memberships.
Global configuration
----------------------
[global]
workgroup = BACKBONE
server string = OpenLDAP DSA/DC
printing = CUPS
netbios name = barbel
netbios aliases = littleboy
keepalive = 0
guest account = pcnet
add machine script = /usr/bin/mono /usr/local/bin/cifsaddmachine.exe %u
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
local master = yes
os level = 200
domain master = yes
preferred master = yes
domain logons = yes
logon script = %G.bat
logon path = \\BARBEL\PROFILES\%U
logon drive = f:
logon home = \\SARDINE\HOMEDIR
wins support = yes
wins hook = /usr/bin/mono /usr/local/bin/wins_update.exe
name resolve order = wins host
dns proxy = yes
map to guest = Bad User
passdb backend = ldapsam:ldap://localhost/
ldap ssl = no
ldap admin dn = uid=CIFSDC,ou=System,ou=Accounts,ou=Entities,ou=SAM,o=Morrison Industries,c=US
ldap suffix = o=Morrison Industries,c=US
ldap group suffix = ou=Groups,ou=Entities,ou=SAM
ldap user suffix = ou=Accounts,ou=Entities,ou=SAM
ldap machine suffix = ou=System,ou=Accounts,ou=Entities,ou=SAM
idmap backend = ldap:ldap://localhost
ldap idmap suffix = ou=idMap,ou=CIFS,ou=SubSystems
idmap uid = 40000-50000
idmap gid = 40000-50000
winbind use default domain = yes
username map = /etc/samba/username.map
remote announce = 192.168.10.255/BACKBONE
deadtime = 15
log level = 2 winbind:10
log file = /var/log/samba/log.%m
ldap passwd sync = yes
include = /etc/samba/smb.conf.%m
host msdfs = yes
cups server = crew
cups options = raw
enable privileges = yes
load printers = no
--
Adam Tauno Williams - http://www.whitemice.org