[Samba] winbindd hangs up while retreiving usernames.

Dmitry mitroko at gmail.com
Tue Apr 29 06:05:29 GMT 2008


I'm installing new FreeBSD 6.2-RELEASE, based on intel machine. Firewall
type is OPEN.
I have Windows Server 2000 with Active Directory on it, working in Native

I've installed samba-3.0.23c_2,1 from /usr/ports/net/samba3
without krb-1.5.1 being installed.

to /etc/rc.conf

filled /etc/nsswitch.conf with:
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files

filled /usr/local/etc/smb.conf with:
#======================= Global Settings =====================================
workgroup = DEP2
realm = DEP2.CITY-XXI.INT <http://dep2.city-xxi.int/>
netbios name = SZRouter
server string = Secondary Router
security = ADS
hosts allow = 10.1.9., 127.
log file = /var/log/samba/log.%m
max log size = 5000
password server = City2.dep2.city-xxi.int <http://city2.dep2.city-xxi.int/>
dns proxy = no

preferred master = no
local master = no
domain master = no
os level = 0

# My Properties
auth methods = winbind
winbind use default domain = yes
allow trusted domains = no
client NTLMv2 auth = yes
winbind separator = +
winbind cache time = 10
idmap uid = 10000-20000
idmap gid = 10000-20000

and checked syntax with:
testparm -s

I've modified /etc/krb5.conf
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log

 ticket_lifetime = 2400
 default_realm = DEP2.CITY-XXI.INT <http://dep2.city-xxi.int/>
 clockskew = 300
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_etypes = des-cbc-crc des-cbc-md5 rc4-hmac
 default_etypes_des = des-cbc-crc des-cbc-md5 rc4-hmac

    DEP2.CITY-XXI.INT <http://dep2.city-xxi.int/> = {
        kdc =
        admin_server =
    .dep2.city-xxi.int = DEP2.CITY-XXI.INT <http://dep2.city-xxi.int/>

and checked it with verify_krb5_conf

I've created new computer account in AD with "Allow pre-Windows 2000
computers to use this account" checked box.
Then I've successfuly authenticated with login mitroko (member of Domain
Admins) and entered joined domain with
net ads join -U mitroko
Computer account in AD achieved proper DNS-name field, but didn't achieve
any of OS type fileds.

I've restarted winbindd (with /usr/local/etc/rc.d/samba restart) - OK
I've pinged winbindd with
wbinfo -p - Success
wbinfo -t returns "checking the trust secret via RPC calls succeeded"
wbinfo -a testme%testme returns
plaintext password authentication succeeded
challenge/response password authentication succeeded
wbinfo -s successfuly converts SIDs to object-names.

however, wbinfo -u and wbinfo -g returns lists only after 20-30 seconds.
wbinfo -r testme doesn't work, hanging up, so squid's wbinfo_group.pl script
doesn't work also.

I have in my /var/log/samba/log.winbindd error's:

Not a user account? atype=0x30000000


rpc_api_pipe: Remote machine CITY2 pipe \NETLOGON fnum 0x8returned critical
error. Error was Call timed out: server did not respond after 10000

I've read samba mail-list
In advice http://lists.samba.org/archive/samba/2006-July/122912.html, I've
installed krb-1.5.1 from /usr/ports/security/krb5
with prefix /usr/local, moved old vesions to *.old filenames and added
simlinks to /usr/local/* kerberos files

but it doesn't help me.

Unfortunately I can´t send verbose output of
winbindd -i -d 50 >output.txt command
because of 64K limit.
Therefore, I´ve placed it here - http://mitroko.com/output.txt

Any suggestions will be appreciated.
Thank you.

More information about the samba mailing list