[Samba] erratic winbind authentication

Robert Steinmetz AIA rob at steinmetznet.com
Tue Nov 18 19:28:45 GMT 2008

Jeremy Allison wrote:
> On Tue, Nov 18, 2008 at 11:51:25AM -0600, Robert Steinmetz AIA wrote:
>> I have had a long term problem with my set up. winbind authentication is  
>> erratic.
>> Whenever I restart one of my servers the member server refuses to  
>> authenticate users. Sometimes is will only authenticate some users on  
>> some shares. Usually by fiddling with it I can eventually get it to work  
>> but I can't identify the solution so I can replicate it. Once I get can  
>> finally get it to work it works fine until the next restart.
> This request is a little short on details, e.g. "by fiddling with it I
> can eventually get it to work". Might help to have more info :-).
> Jeremy.
I apologize for the lack of information, but "fiddling with it" means 
that I run a bunch of commands to try to identify the problem and it 
eventually starts working. I haven't been able identify which command 
actually causes the system to start working. It doesn't appear to be the 
same one every time. For example sometimes "net join" seems to work, but 
not this time.

Users on the NT machines can browse the network and see the Domain, both 
servers and all of the shares on either server. they can access the PDC 
with no problem. When they attempt to access the shares on the Member 
Server sometimes they get a user/password window and no combination of 
user and password is accepted.

If any other information would help let me know.

I'm completely stumped, which isn't hard.

Ubuntu 8.04 LTS AMD 64
Samba Version 3.0.28a

I have an NT style domain with XP pro desktops.
1 -PDC
1- Member Server

On the PDC smbd and nmbd are unning
On the Member Server smbd nmbd and winbind are running.

Here is part of nsswitch.con;

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

Here is the Globals Section of the PDC

        workgroup = ATLANTA
        server string = %h mail passwd server (Samba, Ubuntu)
        passdb backend = tdbsam
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        time server = Yes
        hostname lookups = Yes
        logon path = \\THELMA\%U\.profiles
        logon drive = U:
        logon home = \\THELMA\%U
        domain logons = Yes
        domain master = Yes
        preferred master = Yes
        security = user

Here is the Globals for the Member Server

        workgroup = ATLANTA
        server string = %h file server (Samba, Ubuntu)
        security = domain
        password server =
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        wins proxy = yes
        wins server =
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        name resolve order = wins bcast hosts
        hosts allow =
        winbind enum groups = yes
        winbind enum users = yes

Here are two shares one works and one doesn't.

        path = /files/Lucretia/Projects
        comment = Project Specific Data
        force group = samba
        read only = no
        create mask = 0764
        directory mask = 0775

        comment = General Office Data
        path = /files/Lucretia/Office
        force group = samba
        read only = No
        create mask = 0764
        directory mask = 0775

Both directories have the same ownership and linux permissions

drwxrwsr-x  69 rob  samba 16416 2008-10-24 17:15 Office
drwxrwsr-x  51 rob  samba  4032 2008-11-12 09:43 Projects

Among other commands I have run;

wbinfo -u and -g and get what I expect
net status shares returns a list of shares
net status  sessions return a list of sessions
getent passwd lists the domain users
getent group lists the groups including the domain groups
netlookup dc returns the correct ip address
netlookup master returns the correct ip address

Robert Steinmetz, AIA
Steinmetz & Associates

More information about the samba mailing list