[Samba] winbind problem, have workaround but...

fred.samba at fredsnet.org fred.samba at fredsnet.org
Fri Aug 24 00:30:06 GMT 2007



I found what may be the key to this whole thing.  Our domain
administrators decided to throw a switch in Group Policy that limited
communication to NTLMv2 only.  We've had a whole lot of admins
scratching their heads as to how to fix it.  I think I have it squared
away now.

The fix was to add "client ntlmv2 auth = yes" and "host msdfs = no"
in the globals, rename the secrets.tdb file, and rejoin the domain.  I'm
not sure what happened in the guts of Samba to make it act like it did,
but there we are.


Thanks for the help....

> Greetings list,
>
> I have a member server in a w2k3 AD domain that has been happily spinning
> for a couple of years. As of yesterday morning, we've been having some
> issues with it.  I've had it configured correctly, and haven't touched it.
>  I'll provide the configs if needed.
>
> I've kept it updated as time's gone on for security updates etc..
>
> The wonkiness seems to rear its head when winbindd gets restarted.  In the
> log.winbindd file I get a tremendous amount of these:
>
> [2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
> [2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
> [2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
> [2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
>
> but they stop as soon as I issue
>
> # net ads changetrustpw
>
> Then it seems to connect and all is well until winbind gets restarted.
>
> I was following a lot of logs at lev3 yesterday, and some users were able
> to authenticate on one machine but not on others, etc. It was all very
> wonky until I did the net ads changetrustpw.
>
> I can provide any information needed.  I'm running Mandriva Corp Server 3
> with Samba 3.014a, patched up to (CVE-2007-2444) (I think that's post
> 3.023d).
>
> I'm perplexed, and not sure what the proper permanent fix for it is.  I'm
> thinking about removing it from the domain, and re-joining it, but I'm not
> sure what precisely is needed.  (what files to delete, which ones to copy
> off etc..)  I don't want to lose the winbindd_idmap.tdb or anything
> important.  (I do back these up...)
>
> Any help would be greatly appreciated.
>
> Kindest regards,
> Fred dussault
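The two [global] settings named in the reply above can be audited with a small script. This is an added example, not part of the original post: the function names and the sample smb.conf are constructed for illustration, `include` files are not followed, and the boolean spellings accepted (yes/true/1, no/false/0) follow the smb.conf man page.

```shell
# Added example: audit smb.conf for the two [global] settings named in the post.
# Assumption: "include" files are not followed; only the given file is read.
# smb_global_get FILE PARAM: print the last value of PARAM in [global].
# Names are compared case-insensitively with all whitespace removed.
smb_global_get() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            in_global = (norm(sec) == "global"); next
        }
        in_global && (eq = index($0, "=")) > 0 {
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(substr($0, 1, eq - 1)) == norm(want)) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}
# Normalise a Samba boolean to yes/no; anything else (or empty) is "unset".
smb_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo yes ;;
        no|false|0) echo no ;;
        *) echo unset ;;
    esac
}

# Return 0 only if FILE carries both settings as the post describes them.
check_ntlmv2_fix() {
    rc=0
    v2=$(smb_bool "$(smb_global_get "$1" "client ntlmv2 auth")")
    dfs=$(smb_bool "$(smb_global_get "$1" "host msdfs")")
    [ "$v2" = yes ] || { echo "client ntlmv2 auth is $v2, post used yes"; rc=1; }
    [ "$dfs" = no ] || { echo "host msdfs is $dfs, post used no"; rc=1; }
    return $rc
}

# Constructed sample config, not taken from the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   Client NTLMv2 Auth = Yes
   ; host msdfs = yes
   hostmsdfs = no
[share]
   client ntlmv2 auth = no
EOF
check_ntlmv2_fix "$sample" && echo "config matches the post's fix"
rm -f "$sample"
```

A value of "unset" means the parameter is absent from [global] in that file, so the compiled-in default applies.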