[Samba] Getting users and groups through winbind on FreeBSD

Ashley Moran work at ashleymoran.me.uk
Mon Oct 23 14:46:38 GMT 2006


Hi

We have a few Linux samba servers that authenticate against our  
Active Directory domain (Small Business Server 2000).  I've added a  
couple of disks to a FreeBSD 6.1 server in our office and I'm trying  
to achieve the same but not having much luck.  I'm new to all  
this... I'm not our network admin, but he is BSD-phobic so I thought  
it was safer to do it myself.

I've installed these relevant ports:
cyrus-sasl-2.1.22           RFC 2222 SASL (Simple Authentication and Security Layer)
openldap-sasl-client-2.3.27 Open source LDAP client implementation with SASL2 support
samba-3.0.23c_2,1   A free SMB and CIFS client and server for UNIX

Here is how the server is configured:

# cat /etc/nsswitch.conf
group: files winbind
hosts: files dns
networks: files
passwd: files winbind
shells: files

# sed -nE '/^[^#;]/p' /usr/local/etc/smb.conf
[global]
    workgroup = JIGSAWHQ
    server string = dim samba server
    security = ADS
    hosts allow = 192.168.0. 127.
    log file = /var/log/samba3/log.%m
    log level = 4
    max log size = 50
    password server = jigsaw-sbs02.jigsawhq.com
    realm = JIGSAWHQ.COM
    socket options = TCP_NODELAY
    local master = no
    dns proxy = no
    map hidden = no
    map system = no
    map archive = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    allow trusted domains = no
    idmap backend = rid:JIGSAWHQ=10000-20000
    winbind nested groups = yes
    ldap ssl = no
    template shell = /bin/tcsh
    template homedir = /usr/home/%U
[Share]
    comment = codeweavers share
    path = /var/share
    writeable = yes
    public = yes
    create mask = 0777
    directory mask = 0777



Here are some diagnostics:

# net ads testjoin
Join is OK

# wbinfo -D JIGSAWHQ
Name              : JIGSAWHQ
Alt_Name          : jigsawhq.com
SID               : S-1-5-21-1085031214-1957994488-1343024091
Active Directory  : Yes
Native            : No
Primary           : Yes
Sequence          : 1172959

# wbinfo -u
...list of usernames...
(not prefixed with the domain, but neither are they on our Linux servers)

# wbinfo -g
...list of groups...


However this command *should* now work, but doesn't:
# pw usershow PaulBarrett
pw: no such user `PaulBarrett'

The output in log.wb-JIGSAWHQ (winbindd -d4) is this:
[2006/10/23 12:35:44, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 12:35:44, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\PaulBarrett
[2006/10/23 12:35:44, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(257)
   rpc: name_to_sid name=JIGSAWHQ\PaulBarrett
[2006/10/23 12:35:44, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(265)
   name_to_sid [rpc] JIGSAWHQ\PaulBarrett for domain JIGSAWHQ
[2006/10/23 12:35:44, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
   rpc_pipe_bind: Remote machine JIGSAW-SBS02 pipe \lsarpc fnum 0x4004 bind request returned ok.
[2006/10/23 12:35:44, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(941)
   Got challenge flags:
[2006/10/23 12:35:44, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
   Got NTLMSSP neg_flags=0x62890235
     NTLMSSP_NEGOTIATE_UNICODE
     NTLMSSP_REQUEST_TARGET
     NTLMSSP_NEGOTIATE_SIGN
     NTLMSSP_NEGOTIATE_SEAL
     NTLMSSP_NEGOTIATE_NTLM
     NTLMSSP_NEGOTIATE_NTLM2
     NTLMSSP_CHAL_TARGET_INFO
     NTLMSSP_NEGOTIATE_128
     NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/10/23 12:35:44, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(963)
   NTLMSSP: Set final flags:
[2006/10/23 12:35:44, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
   Got NTLMSSP neg_flags=0x60080235
     NTLMSSP_NEGOTIATE_UNICODE
     NTLMSSP_REQUEST_TARGET
     NTLMSSP_NEGOTIATE_SIGN
     NTLMSSP_NEGOTIATE_SEAL
     NTLMSSP_NEGOTIATE_NTLM
     NTLMSSP_NEGOTIATE_NTLM2
     NTLMSSP_NEGOTIATE_128
     NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/10/23 12:35:44, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
   NTLMSSP Sign/Seal - Initialising with flags:
[2006/10/23 12:35:44, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
   Got NTLMSSP neg_flags=0x60080235
     NTLMSSP_NEGOTIATE_UNICODE
     NTLMSSP_REQUEST_TARGET
     NTLMSSP_NEGOTIATE_SIGN
     NTLMSSP_NEGOTIATE_SEAL
     NTLMSSP_NEGOTIATE_NTLM
     NTLMSSP_NEGOTIATE_NTLM2
     NTLMSSP_NEGOTIATE_128
     NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/10/23 12:35:44, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
   lsa_io_sec_qos: length c does not match size 8
[2006/10/23 12:35:44, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 12:35:44, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1171
[2006/10/23 12:35:44, 3] nsswitch/winbindd_ads.c:query_user(478)
   ads: query_user
[2006/10/23 12:35:44, 3] nsswitch/winbindd_ads.c:query_user(535)
   ads query_user gave PaulBarrett


When I try to log into the server from my Mac, I get to choose share  
"Share", and enter my credentials, but it says "Could not connect to  
the server because the name or password is not correct".

The same log file spews out the following:
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 13
[2006/10/23 13:04:34, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1460)
   [ 6457]: pam auth crap domain: JIGSAWHQ user: ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(257)
   rpc: name_to_sid name=JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(265)
   name_to_sid [rpc] JIGSAWHQ\ashleymoran for domain JIGSAWHQ
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 3] nsswitch/winbindd_ads.c:query_user(478)
   ads: query_user
[2006/10/23 13:04:34, 3] nsswitch/winbindd_ads.c:query_user(535)
   ads query_user gave ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 13
[2006/10/23 13:04:34, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1460)
   [ 6457]: pam auth crap domain: JIGSAWHQ user: ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 13
[2006/10/23 13:04:34, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1460)
   [ 6457]: pam auth crap domain: JIGSAWHQ user: ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709)
   [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
   child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
   [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123


One thing I've noticed is that I've (apparently) not used LDAP  
anywhere.  One guide I've found (and based most of my setup on:  
http://www.kurai.org/~gdunn/samba3-ad/fbsd_samba.html) uses LDAP  
explicitly, but my current setup is similar to what we've got on our  
Gentoo systems, and I can't see any explicit LDAP references anywhere  
there either.


Can anyone offer any pointers?  I tried the FreeBSD list but got  
directed here.

Ashley
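An added offline check, not part of Ashley's post and not Samba's own code. It parses an smb.conf in the shape posted above (a constructed copy of the relevant [global] and [Share] parameters is embedded), applies the idmap_rid mapping described in the idmap_rid documentation (ID = RID - base_rid + low end of the range, with base_rid 0 by default) to the SIDs that appear in the winbind log, and flags the share settings that matter for security. Two things it makes visible that the post does not: with idmap backend = rid:JIGSAWHQ=10000-20000 the user with RID 1171 should appear as uid 11171 on every host that uses that range, which is the point of the rid backend, but any RID above 10000 maps to an id past 20000 and idmap_rid will not hand one out; and public = yes together with writeable = yes and 0777 masks is a guest-writable, world-writable share that hosts allow merely confines to the LAN. One caveat about the diagnostic in the post: pw(8) edits /etc/master.passwd directly and does not consult nsswitch, so "pw usershow" never shows a winbind user even when everything is working; "getent passwd PaulBarrett" or "id PaulBarrett" is the check that exercises the "passwd: files winbind" line. All function and variable names below are this example's own.

```python
"""Offline checks for a winbind + idmap_rid smb.conf (added example; names are this example's own)."""
import re

# Constructed sample: the parameters from the [global] and [Share] sections in the
# post that the checks below look at, plus a comment and blank line to exercise the parser.
SMB_CONF = """
# constructed smb.conf fragment for this example
[global]
    workgroup = JIGSAWHQ
    security = ADS
    realm = JIGSAWHQ.COM
    hosts allow = 192.168.0. 127.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    idmap backend = rid:JIGSAWHQ=10000-20000
    winbind use default domain = yes
    allow trusted domains = no
    template shell = /bin/tcsh
[Share]
    comment = codeweavers share
    path = /var/share
    writeable = yes
    public = yes
    create mask = 0777
    directory mask = 0777
"""

# smb.conf accepts several spellings for the same parameter; normalise them so a
# check cannot be sidestepped by writing "public" instead of "guest ok".
SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; comments (# or ;) and blank lines are dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        conf[section][SYNONYMS.get(key, key)] = value.strip()
    return conf


def truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def idmap_rid_range(conf):
    """Parse 'idmap backend = rid:DOMAIN=LOW-HIGH' (the Samba 3.0.2x syntax used in the post)."""
    m = re.match(r"rid:(\w+)=(\d+)-(\d+)$", conf["global"].get("idmap backend", ""))
    if not m:
        raise ValueError("not an idmap_rid configuration")
    return m.group(1), int(m.group(2)), int(m.group(3))


def split_sid(sid):
    """'S-1-5-21-a-b-c-RID' -> (domain SID, RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def rid_to_id(conf, sid, base_rid=0):
    """idmap_rid's algorithmic mapping: ID = RID - base_rid + LOW.  None means the
    result lies outside the configured range, so this SID gets no uid/gid on the host."""
    _, low, high = idmap_rid_range(conf)
    _, rid = split_sid(sid)
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def share_findings(conf):
    """(share, problem) pairs for shares exposed more widely than a domain-only file server should be."""
    findings = []
    for name, params in conf.items():
        if name == "global":
            continue
        guest = truthy(params.get("guest ok", "no"))
        writable = truthy(params.get("writable", "no")) or not truthy(params.get("read only", "yes"))
        if guest and writable:
            findings.append((name, "guest ok + writable: reachable as guest, so no domain account is needed to write here"))
        for mask in ("create mask", "directory mask"):
            if mask in params and int(params[mask], 8) & 0o002:
                findings.append((name, f"{mask} = {params[mask]} sets the world-write bit on new files"))
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for sid in ("S-1-5-21-1085031214-1957994488-1343024091-1171",    # PaulBarrett, from the log
                "S-1-5-21-1085031214-1957994488-1343024091-1123",    # ashleymoran, from the log
                "S-1-5-21-1085031214-1957994488-1343024091-10001"):  # constructed: RID past the range
        print(sid, "->", rid_to_id(conf, sid))
    for share, problem in share_findings(conf):
        print(f"[{share}] {problem}")
```

Run it against the real file by replacing SMB_CONF with open("/usr/local/etc/smb.conf").read(); it is a static check only, and the live counterpart is "wbinfo -S S-1-5-21-...-1171" followed by "getent passwd PaulBarrett", which together confirm that winbind maps the SID and that libc can see the mapping through nsswitch.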

