[Samba] winbind - wbinfo problem

John Stile john at stilen.com
Sun Nov 14 19:55:13 MST 2010


"Invalid credentials" points to a problem, though I'm guessing, with
the domain membership.

I'm really not sure what it means.

Does 'ads testjoin' show anything?

Would it be too much trouble to remove the system from the domain and
add it back, assuming that was the problem?

1. remove the machine from the domain (on the AD server),
2. stop smbd, nmbd, and winbindd.
3. find and remove  "*.tdb"  files.
4. Check 'date' vs. 'net date'
5. net ads join -U 'SQUID.BIZ+username'%'passwd'
6. check 'net ads testjoin'
7. check 'net ads info'
8. start daemon: 'winbindd -d 3 -i'
9.  wbinfo -a 'SQUID.BIZ+username'%'password'
10. wbinfo -K 'SQUID.BIZ+username'%'password'
11. kinit username

On Mon, 2010-11-15 at 00:32 +0530, Vivekanandan Nataraj wrote:
> Hi John,
> 
> 
> Thanks for your reply.
> 
> 
> This is the result :-
> 
> 
> #wbinfo -u
> 
> 
> Connected to LDAP server EIS.squid.biz
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name = eis$@SQUID.BIZ
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> expiration Sun, 14 Nov 2010 22:22:14 IST
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> expiration Sun, 14 Nov 2010 22:22:26 IST
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
> credentials
> ads_connect for domain SQUID failed: Invalid credentials
> final write to client failed: Broken pipe
> 
> 
> 
> 
> #wbinfo -g
> 
> 
> Connected to LDAP server EIS.squid.biz
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name = eis$@SQUID.BIZ
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> expiration Sun, 14 Nov 2010 22:27:10 IST
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> expiration Sun, 14 Nov 2010 22:27:12 IST
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
> credentials
> ads_connect for domain SQUID failed: Invalid credentials
> final write to client failed: Broken pipe
> 
> 
> any problem with krb configuration ???
> 
> 
> Regards,
> Vivek
> 
> 
> 
> 
> On Sun, Nov 14, 2010 at 11:59 PM, John Stile <john at stilen.com> wrote:
>         You could try to run winbindd manually (winbindd -d 3 -i), and from
>         another console run 'wbinfo -u', and see if any errors present
>         themselves in the console where you ran winbindd.  First make sure no
>         other winbind daemon is running, by testing, as root, with:
>         lsof -i tcp -nP | grep winbind
>         
>         
>         On Sun, 2010-11-14 at 23:41 +0530, Vivekanandan Nataraj wrote:
>         > Hi John,
>         >
>         >
>         > Thanks for your reply.
>         >
>         >
>         > I have modified the nsswitch.conf file and smb.conf as per your
>         > suggestions.
>         >
>         >
>         > Still wbinfo does not list the users... I have rebooted the server
>         > after modification.
>         >
>         >
>         > and  #rm -rf /var/lib/samba/* and restart the services and joined the
>         > domain again. but no luck..
>         >
>         >
>         > nsswitch.conf
>         > [
>         > shadow: files
>         > passwd: compat winbind
>         > group:  compat winbind
>         >
>         >
>         > hosts:  files dns wins
>         > networks:       files dns
>         >
>         >
>         > services:       files
>         > protocols:      files
>         > rpc:    files
>         > ethers: files
>         > netmasks:       files
>         > netgroup:       files nis
>         > publickey:      files
>         >
>         >
>         > bootparams:     files
>         > automount:      files nis
>         > aliases:        files
>         > ]
>         >
>         >
>         > samba
>         > [
>         >         workgroup = SQUID
>         >         realm = SQUID.BIZ
>         >         security = ADS
>         >         password server = EIS.SQUID.BIZ
>         >         printcap name = cups
>         >         idmap uid = 1000-20000000
>         >         idmap gid = 1000-20000000
>         >         winbind separator = +
>         >         winbind enum users = Yes
>         >         winbind enum groups = Yes
>         >         winbind use default domain = Yes
>         >         winbind nss info = rfc2307
>         >         cups options = raw
>         > ]
>         >
>         >
>         > Any thing i missed ?
>         >
>         >
>         > Thanks in advance..
>         >
>         >
>         > Regards,
>         > Vivek
>         >
>         > On Sun, Nov 14, 2010 at 10:33 PM, John Stile <john at stilen.com> wrote:
>         >         Does /etc/nsswitch.conf hold winbind?
>         >         Something like this:
>         >         passwd:  compat winbind
>         >         group:   compat winbind
>         >
>         >         Also,
>         >         your config doesn't show:
>         >          winbind separator = +
>         >
>         >         your config doesn't have a fully qualified "password server"
>         >         hostname.
>         >
>         >
>         >
>         >         On Sun, 2010-11-14 at 11:09 +0530, Vivekanandan Nataraj wrote:
>         >         > Hi Guys,
>         >         >
>         >         > I have configured SAMBA with Windows 2003 AD. But "#wbinfo -u"  and
>         >         > "#wbinfo -g" does not list the users
>         >         >
>         >         > 1. Domain joined successfully.
>         >         >
>         >         > # net rpc testjoin -U Administrator
>         >         > Join to 'DOMAIN' is OK
>         >         >
>         >         > 2. wbinfo -a works ( User authentication )
>         >         >
>         >         > # wbinfo -a 'DOMAIN\user'
>         >         > Enter DOMAIN\user's password:
>         >         > plaintext password authentication succeeded
>         >         > Enter DOMAIN\user's password:
>         >         > challenge/response password authentication succeeded
>         >         >
>         >         > 3. wbinfo -u and wbinfo -g does list nothing
>         >         >
>         >         > # wbinfo -u
>         >         > # wbinfo -g
>         >         >
>         >         >  # wbinfo -r 'DOMAIN\user'
>         >         > Could not get groups for user DOMAIN\user
>         >         >
>         >         > SAMBA config : -
>         >         >
>         >         > [global]
>         >         >         workgroup = DOMAIN
>         >         >         realm = DOMAIN.BIZ
>         >         >         security = ADS
>         >         >         password server = EIS
>         >         >         printcap name = cups
>         >         >         idmap uid = 1000-20000000
>         >         >         idmap gid = 1000-20000000
>         >         >         winbind enum users = Yes
>         >         >         winbind enum groups = Yes
>         >         >         winbind use default domain = Yes
>         >         >         winbind nss info = rfc2307
>         >         >         cups options = raw
>         >         >
>         >         > Versions :-
>         >         >
>         >         > # smbd -V
>         >         > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
>         >         >
>         >         > # winbindd -V
>         >         > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
>         >         >
>         >         > Share your ideas...
>         >         >
>         >         > Regards,
>         >         > Vivek
>         >
>         >
>         >
>         >
>         >
>         
>         
>         
> 
> 
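The configuration points raised earlier in this thread (winbind in the `passwd` and `group` lines of nsswitch.conf, an explicit `winbind separator`, a fully qualified `password server`) can be checked statically before rejoining the domain. The script below is an added example, not code from the thread or from Samba; the function names are hypothetical, parameter names are matched literally, "contains a dot" stands in for "fully qualified", and the sample files are constructed.

```shell
#!/bin/sh
# Added example: static check of the three config points raised in this thread.
# smb_param FILE KEY -> prints the value of "KEY = value" (last match wins).
smb_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_winbind SMB_CONF NSSWITCH_CONF -> one finding per line, empty if clean.
audit_winbind() {
    smb=$1 nss=$2
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)" "$nss" ||
            echo "nsswitch: '$db' does not list winbind"
    done
    [ -n "$(smb_param "$smb" 'winbind separator')" ] ||
        echo "smb.conf: 'winbind separator' is not set"
    ps=$(smb_param "$smb" 'password server')
    case $ps in
        '')  ;;   # parameter absent: nothing to check here
        *.*) ;;   # assumption: a dot means the name is fully qualified
        *)   echo "smb.conf: 'password server = $ps' is not fully qualified" ;;
    esac
}

# Constructed sample files modelled on the two smb.conf versions quoted above.
demo=$(mktemp -d)
cat > "$demo/nsswitch.conf" <<'EOF'
passwd: compat
group:  compat winbind
EOF
cat > "$demo/smb.before" <<'EOF'
[global]
        security = ADS
        password server = EIS
EOF
cat > "$demo/smb.after" <<'EOF'
[global]
        security = ADS
        password server = EIS.SQUID.BIZ
        winbind separator = +
EOF
echo "== before =="; audit_winbind "$demo/smb.before" "$demo/nsswitch.conf"
echo "== after ==";  audit_winbind "$demo/smb.after"  "$demo/nsswitch.conf"
rm -rf "$demo"
```

A clean result only rules out these three points; the "Invalid credentials" bind failure in the winbindd output still has to be chased through the join and time checks in the numbered steps.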



