[Samba] net ads testjoin failed but net rpc testjoin work

Thierry Leurent thierry.leurent at asgardian.be
Thu Apr 22 05:38:53 MDT 2010


Volker,

I tried wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida and it failed :(

plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray%CatoNeimoida with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray with challenge/response

==> /var/log/samba/wb-EMPIRE.log <==
[2010/04/22 08:25:34, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
  [ 3235]: pam auth crap domain: EMPIRE user: EMPIRE\NuteGunray
[2010/04/22 08:25:34, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [EMPIRE]\[EMPIRE\NuteGunray] returned
NT_STATUS_NO_SUCH_USER (PAM: 10)

==> /var/log/samba/winbindd.log <==
[2010/04/22 08:25:34, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [ 8479]: request interface version
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [ 8479]: request location of privileged pipe
[2010/04/22 08:25:34, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
  [ 8479]: pam auth EMPIRE\NuteGunray
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
  [ 8479]: request misc info
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(501)
  [ 8479]: request domain name
[2010/04/22 08:25:34, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
  [ 8479]: pam auth crap domain: [EMPIRE] user: EMPIRE\NuteGunray


Yesterday, I saw a little error in my krb5.conf: I forgot the last newline.
This morning, after "your test", I corrected it, but wbinfo -t failed the
RPC with "error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
(0xc0000233)" :(
After a few searches, I resolved the problem by adding lines to my
configuration files.

In my smb.conf, in the general section, I added these 2 lines:
winbind use default domain = Yes
winbind nested groups = Yes


In my krb5.conf, I added this section:
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

After a restart of winbind, wbinfo -t worked.


I tried wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida and it failed, but in my
/var/log/samba/wb-EMPIRE.log, I saw "dual pam auth
EMPIRE+EMPIRE\NuteGunray".
+ is my winbind separator; it looks like Samba used EMPIRE twice, one as the
implicit domain and one as an explicit group in my wbinfo command.

I joined the domain again with a net join ads.
net ads testjoin doesn't work and net rpc testjoin works, like yesterday.

wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray%CatoNeimoida with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray with challenge/response

==> /var/log/samba/wb-EMPIRE.log <==
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
  [ 8693]: dual pam auth EMPIRE+EMPIRE\NuteGunray
[2010/04/22 11:54:47, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1584)
  Plain-text authentication for user EMPIRE+EMPIRE\NuteGunray returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
[2010/04/22 11:54:47, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
  [ 8693]: pam auth crap domain: EMPIRE user: EMPIRE\NuteGunray
[2010/04/22 11:54:47, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [EMPIRE]\[EMPIRE\NuteGunray] returned
NT_STATUS_NO_SUCH_USER (PAM: 10)

==> /var/log/samba/winbindd.log <==
[2010/04/22 11:54:47, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [ 8950]: request interface version
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [ 8950]: request location of privileged pipe
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
  [ 8950]: pam auth EMPIRE\NuteGunray
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
  [ 8950]: request misc info
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(501)
  [ 8950]: request domain name
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
  [ 8950]: pam auth crap domain: [EMPIRE] user: EMPIRE\NuteGunray

wbinfo -a EMPIRE+NuteGunray%CatoNeimoida
plaintext password authentication succeeded
challenge/response password authentication succeeded

[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
  [ 8693]: dual pam auth EMPIRE+NuteGunray
[2010/04/22 13:10:23, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
  [ 8693]: pam auth crap domain: EMPIRE user: NuteGunray

==> /var/log/samba/winbindd.log <==
[2010/04/22 13:10:23, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [ 9081]: request interface version
[2010/04/22 13:10:23, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [ 9081]: request location of privileged pipe
[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
  [ 9081]: pam auth EMPIRE+NuteGunray
[2010/04/22 13:10:23, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
  [ 9081]: request misc info
[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
  [ 9081]: pam auth crap domain: [EMPIRE] user: NuteGunray

I really have some trouble understanding Samba and Active Directory.

Thierry
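
The log excerpts in this message show the name EMPIRE\NuteGunray being kept whole as the user part while the winbind separator is +. The Python below is an added example, not part of the original message and not Samba's code: it models that split and flags such entries in winbindd log text. The function names and the fall-back to the default domain are assumptions modelled on the log output above; the sample lines are copied from it.

```python
import re

# Lines copied from the wb-EMPIRE.log excerpts in the message above.
SAMPLE_LOG = r"""
  [ 8693]: dual pam auth EMPIRE+EMPIRE\NuteGunray
  [ 8693]: pam auth crap domain: EMPIRE user: EMPIRE\NuteGunray
  [ 8950]: pam auth crap domain: [EMPIRE] user: EMPIRE\NuteGunray
  [ 8693]: dual pam auth EMPIRE+NuteGunray
  [ 8693]: pam auth crap domain: EMPIRE user: NuteGunray
"""

# Matches both "domain: EMPIRE user: X" and "domain: [EMPIRE] user: X".
CRAP_RE = re.compile(
    r"pam auth crap domain: \[?(?P<domain>[^\]\s]+)\]? user: (?P<user>\S+)"
)


def split_domain_user(name, separator="+", default_domain="EMPIRE"):
    """Simplified model (assumption): split only at the configured separator.

    When the separator is absent, the whole string is treated as the user
    name and the default domain is used, as the log lines above suggest.
    """
    domain, found, user = name.partition(separator)
    if found:
        return domain, user
    return default_domain, name


def find_separator_mismatches(log_text, separator="+"):
    """Return sorted unique (domain, user) pairs whose user part still
    contains a backslash although the configured separator is different."""
    if separator == "\\":
        return []
    hits = set()
    for match in CRAP_RE.finditer(log_text):
        if "\\" in match.group("user"):
            hits.add((match.group("domain"), match.group("user")))
    return sorted(hits)


if __name__ == "__main__":
    print(split_domain_user(r"EMPIRE\NuteGunray"))
    print(split_domain_user("EMPIRE+NuteGunray"))
    for domain, user in find_separator_mismatches(SAMPLE_LOG):
        print(f"separator mismatch: domain={domain!r} user={user!r}")
```
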






