[Samba] Winbind lost domain

Liutauras Adomaitis liutauras.adomaitis at gmail.com
Wed May 27 21:10:58 GMT 2009 

On Wed, May 27, 2009 at 5:22 PM, Mailing pigna <lucapml at gmail.com> wrote:
> Hi all.
> I have a problem whith winbind authentication.
> I have 2 samba domains, DOMA and DOMB, and these domains have trust in one
> another.
>
> On both pdc winbind is installed.
>
> I installed a proxy server using squid with ntlm authentication. I install
> on the server:
> squid
> samba
> winbind
> I have modify the smb.conf on proxy:
> [global]
>  workgroup = DOMA
>  server string = PROXY DOMA
>  password server = xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy
>  security = domain
>  encrypt passwords = yes
>  winbind separator = +
>  winbind uid = 10000-20000
>  winbind gid = 10000-20000
>  winbind enum users = yes
>  winbind enum groups = yes
>  winbind use default domain = No
>  log level = 2
>  log file = /var/log/samba/%m.log
>  max log size = 100000
>  socket options = TCP_NODELAY
>  wins server = xxx.xxx.xxx.xxx
>
> I have run this comand:
> #net rpc join -S PDC1 -U Administrator
> and the proxy server as joined in the domain
> Now this command executed successful:
> #wbinfo -t
> checking the trust secret via RPC calls succeeded
> #wbinfo -u
> DOMA+user1
> DOMA+user2
> DOMA+user3
> DOMA+user4
> ecc. ecc.
> #wbinfo -a DOMA+user1%pwduser1
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> Until here everything ok.
> Every now and then but it seems that winbind loses the domain and users are
> no longer able to navigate.
> This is the log of winbind:
> [2009/05/27 12:54:21, 1]
> rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
>  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR
> received from remote machine SERVERA pipe \lsarpc fnum 0x74f0!
> [2009/05/27 12:54:28, 1]
> rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
>  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR
> received from remote machine SERVERA pipe \lsarpc fnum 0x751a!
> [2009/05/27 14:48:36, 0] libsmb/clientgen.c:cli_receive_smb(111)
>  Receiving SMB: Server stopped responding
> [2009/05/27 14:48:36, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
>  rpc_api_pipe: Remote machine SERVERA pipe \NETLOGON fnum 0x751ereturned
> critical error. Error was Call timed out: server did not respon
> d after 10000 milliseconds
> [2009/05/27 14:48:36, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[gonzaga] returned
> NT_STATUS_IO_TIMEOUT (PAM: 4)
> [2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
>  cli_rpc_pipe_close: cli_close failed on pipe \samr, fnum 0x751b to machine
> SERVERA. Error was Call timed out: server did not respond a
> fter 1000 milliseconds
> [2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
>  cli_rpc_pipe_close: cli_close failed on pipe \lsarpc, fnum 0x751c to
> machine SERVERA. Error was Call timed out: server did not respond
>  after 500 milliseconds
> [2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
>  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x751e to
> machine SERVERA. Error was Call timed out: server did not respo
> nd after 500 milliseconds
> [2009/05/27 14:48:46, 0] libsmb/clientgen.c:cli_receive_smb(111)
>  Receiving SMB: Server stopped responding
> [2009/05/27 14:48:57, 0] libsmb/clientgen.c:cli_receive_smb(111)
>  Receiving SMB: Server stopped responding
> [2009/05/27 14:49:07, 0] libsmb/clientgen.c:cli_receive_smb(111)
>  Receiving SMB: Server stopped responding
> [2009/05/27 14:49:07, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[user1] returned
> NT_STATUS_IO_TIMEOUT (PAM: 4)
> [2009/05/27 14:49:26, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[user2] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
> [2009/05/27 14:49:32, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[user3] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
> [2009/05/27 14:49:50, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[user4] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
> [2009/05/27 14:49:52, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
>  NTLM CRAP authentication for user [DOMA]\[user4] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
> [2009/05/27 14:50:36, 4] nsswitch/winbindd_dual.c:fork_domain_child(1080)
>  child daemon request 47
> [2009/05/27 14:50:36, 8] nsswitch/winbindd_cm.c:connection_ok(1515)
>  connection_ok: Connection to for domain DOMA has NULL cli!
> [2009/05/27 14:50:36, 5] libsmb/namequery.c:saf_fetch(136)
>  saf_fetch: Returning "SERVERA" for "DOMA" domain
> [2009/05/27 14:50:36, 5] libads/dns.c:sitename_fetch(706)
>  sitename_fetch: No stored sitename for
> [2009/05/27 14:50:36, 5] libsmb/namecache.c:namecache_fetch(214)
>  name SERVERA#20 found.
> [2009/05/27 14:50:36, 6] libsmb/clientgen.c:write_socket(152)
>  write_socket(18,72)
> [2009/05/27 14:50:36, 6] libsmb/clientgen.c:write_socket(155)
>  write_socket(18,72) wrote 72
> [2009/05/27 14:50:36, 5] libsmb/cliconnect.c:cli_session_request(1407)
>  Sent session request
>
> If restart winbind on proxy server browsing resumed without problems.
>
> Can you help?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


there was a post " samba two way trusts and winbind" few days ago.
That may be your case.

Liutauras

More information about the samba mailing list