[Samba] winbind - wbinfo problem

Vivekanandan Nataraj viveknataraj at gmail.com
Mon Nov 15 06:26:20 MST 2010


Hi John,

Thanks for your reply.

# net ads testjoin

[2010/11/15 06:40:27,  0] libads/sasl.c:819(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
[2010/11/15 06:40:29,  0] libads/sasl.c:819(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

but,

# net rpc testjoin
Join to 'SQUID' is OK

# net ads info -U Administrator

Enter Administrator's password:
LDAP server: 172.16.1.33
LDAP server name: EIS.squid.biz
Realm: SQUID.BIZ
Bind Path: dc=SQUID,dc=BIZ
LDAP port: 389
Server time: Mon, 15 Nov 2010 06:45:33 IST
KDC server: 172.16.1.33
Server time offset: 43

# net rpc info -U Administrator

Enter Administrator's password:
Domain Name: SQUID
Domain SID: S-1-5-21-419217316-27721265-2755569738
Sequence number: 548
Num users: 29
Num domain groups: 10
Num local groups: 39

# wbinfo -a 'vivek%vivek'

plaintext password authentication succeeded
challenge/response password authentication succeeded

# wbinfo -K 'vivek%vivek'
plaintext kerberos password authentication for [vivek%vivek] failed
(requesting cctype: FILE)
Could not authenticate user [vivek%vivek] with Kerberos (ccache: FILE)

 # kinit vivek
Password for vivek@SQUID.BIZ:
#

Does anything need to be modified on the Windows side? As the next step I will
remove the system from the domain and try everything...

Thanks in advance.

Regards,
Vivek


On Mon, Nov 15, 2010 at 8:25 AM, John Stile <john at stilen.com> wrote:

> "Invalid credentials" points to a problem, though I'm guessing, with
> the domain membership.
>
> I'm really not sure what it means.
>
> Does 'ads testjoin' show anything?
>
> Would it be too much trouble to remove the system from the domain and
> add it back, assuming that was the problem?
>
> 1. remove the machine from the domain (on the AD server),
> 2. stop smbd, nmbd, and winbindd.
> 3. find and remove  "*.tdb"  files.
> 4. Check 'date' vs. 'net date'
> 5. net ads join -U 'SQUID.BIZ+username'%'passwd'
> 6. check 'net ads testjoin'
> 7. check 'net ads info'
> 8. start daemon: 'winbindd -d 3 -i'
> 9.  wbinfo -a 'SQUID.BIZ+username'%'password'
> 10. wbinfo -K 'SQUID.BIZ+username'%'password'
> 11. kinit username
>
> On Mon, 2010-11-15 at 00:32 +0530, Vivekanandan Nataraj wrote:
> > Hi John,
> >
> >
> > Thanks for your reply.
> >
> >
> > This is the result :-
> >
> >
> > #wbinfo -u
> >
> >
> > Connected to LDAP server EIS.squid.biz
> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > ads_sasl_spnego_bind: got server principal name = eis$@SQUID.BIZ
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> > expiration Sun, 14 Nov 2010 22:22:14 IST
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> > expiration Sun, 14 Nov 2010 22:22:26 IST
> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
> > credentials
> > ads_connect for domain SQUID failed: Invalid credentials
> > final write to client failed: Broken pipe
> >
> >
> >
> >
> > #wbinfo -g
> >
> >
> > Connected to LDAP server EIS.squid.biz
> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > ads_sasl_spnego_bind: got server principal name = eis$@SQUID.BIZ
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> > expiration Sun, 14 Nov 2010 22:27:10 IST
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> > expiration Sun, 14 Nov 2010 22:27:12 IST
> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
> > credentials
> > ads_connect for domain SQUID failed: Invalid credentials
> > final write to client failed: Broken pipe
> >
> >
> > any problem with krb configuration ???
> >
> >
> > Regards,
> > Vivek
> >
> >
> >
> >
> > On Sun, Nov 14, 2010 at 11:59 PM, John Stile <john at stilen.com> wrote:
> >         You could try to run winbindd manually (winbindd -d 3 -i), and from
> >         another console run 'wbinfo -u', and see if any errors present
> >         themselves in the console where you ran winbindd.  First make sure
> >         no other winbind daemon is running, by testing, as root, with:
> >         lsof -i tcp -nP | grep winbind
> >
> >
> >         On Sun, 2010-11-14 at 23:41 +0530, Vivekanandan Nataraj wrote:
> >         > Hi John,
> >         >
> >         >
> >         > Thanks for your reply.
> >         >
> >         >
> >         > I have modified the nsswitch.conf file and smb.conf as per your
> >         > suggestions.
> >         >
> >         >
> >         > Still wbinfo does not list the users... I have rebooted the server
> >         > after modification.
> >         >
> >         >
> >         > and  #rm -rf /var/lib/samba/* and restart the services and joined the
> >         > domain again. but no luck..
> >         >
> >         >
> >         > nsswitch.conf
> >         > [
> >         > shadow: files
> >         > passwd: compat winbind
> >         > group:  compat winbind
> >         >
> >         >
> >         > hosts:  files dns wins
> >         > networks:       files dns
> >         >
> >         >
> >         > services:       files
> >         > protocols:      files
> >         > rpc:    files
> >         > ethers: files
> >         > netmasks:       files
> >         > netgroup:       files nis
> >         > publickey:      files
> >         >
> >         >
> >         > bootparams:     files
> >         > automount:      files nis
> >         > aliases:        files
> >         > ]
> >         >
> >         >
> >         > samba
> >         > [
> >         >         workgroup = SQUID
> >         >         realm = SQUID.BIZ
> >         >         security = ADS
> >         >         password server = EIS.SQUID.BIZ
> >         >         printcap name = cups
> >         >         idmap uid = 1000-20000000
> >         >         idmap gid = 1000-20000000
> >         >         winbind separator = +
> >         >         winbind enum users = Yes
> >         >         winbind enum groups = Yes
> >         >         winbind use default domain = Yes
> >         >         winbind nss info = rfc2307
> >         >         cups options = raw
> >         > ]
> >         >
> >         >
> >         > Any thing i missed ?
> >         >
> >         >
> >         > Thanks in advance..
> >         >
> >         >
> >         > Regards,
> >         > Vivek
> >         >
> >         > On Sun, Nov 14, 2010 at 10:33 PM, John Stile <john at stilen.com> wrote:
> >         >         Does /etc/nsswitch.conf hold winbind?
> >         >         Something like this:
> >         >         passwd:  compat winbind
> >         >         group:   compat winbind
> >         >
> >         >         Also,
> >         >         your config doesn't show:
> >         >          winbind separator = +
> >         >
> >         >         your config doesn't have a fully qualified "password server"
> >         >         hostname.
> >         >
> >         >
> >         >
> >         >         On Sun, 2010-11-14 at 11:09 +0530, Vivekanandan Nataraj wrote:
> >         >         > Hi Guys,
> >         >         >
> >         >         > I have configured SAMBA with Windows 2003 AD. But "#wbinfo -u" and
> >         >         > "#wbinfo -g" does not list the users
> >         >         >
> >         >         > 1. Domain joined successfully.
> >         >         >
> >         >         > # net rpc testjoin -U Administrator
> >         >         > Join to 'DOMAIN' is OK
> >         >         >
> >         >         > 2. wbinfo -a works ( User authentication )
> >         >         >
> >         >         > # wbinfo -a 'DOMAIN\user'
> >         >         > Enter DOMAIN\user's password:
> >         >         > plaintext password authentication succeeded
> >         >         > Enter DOMAIN\user's password:
> >         >         > challenge/response password authentication succeeded
> >         >         >
> >         >         > 3. wbinfo -u and wbinfo -g does list nothing
> >         >         >
> >         >         > # wbinfo -u
> >         >         > # wbinfo -g
> >         >         >
> >         >         >  # wbinfo -r 'DOMAIN\user'
> >         >         > Could not get groups for user DOMAIN\user
> >         >         >
> >         >         > SAMBA config : -
> >         >         >
> >         >         > [global]
> >         >         >         workgroup = DOMAIN
> >         >         >         realm = DOMAIN.BIZ
> >         >         >         security = ADS
> >         >         >         password server = EIS
> >         >         >         printcap name = cups
> >         >         >         idmap uid = 1000-20000000
> >         >         >         idmap gid = 1000-20000000
> >         >         >         winbind enum users = Yes
> >         >         >         winbind enum groups = Yes
> >         >         >         winbind use default domain = Yes
> >         >         >         winbind nss info = rfc2307
> >         >         >         cups options = raw
> >         >         >
> >         >         > Versions :-
> >         >         >
> >         >         > # smbd -V
> >         >         > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
> >         >         >
> >         >         > # winbindd -V
> >         >         > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
> >         >         >
> >         >         > Share your ideas...
> >         >         >
> >         >         > Regards,
> >         >         > Vivek
> >         >
> >         >
> >         >
> >         >
> >         >
> >
> >
> >
> >
> >
>
>
>
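
Added example (not part of the original messages, and not Samba's own code): a POSIX shell triage of the output posted in this thread. It reads "Server time offset" from 'net ads info' and compares it with a 300-second Kerberos clock-skew tolerance (an assumption: the KDC is taken to use the common default), and it classifies 'net ads testjoin' output; the function names are hypothetical and the sample text is copied from the message above.

```shell
#!/bin/sh
# Assumption: the KDC tolerates the common default of 300 s of clock skew.
MAX_SKEW=300

# Sample output copied from the message above.
SAMPLE_INFO='LDAP server: 172.16.1.33
Realm: SQUID.BIZ
Server time: Mon, 15 Nov 2010 06:45:33 IST
KDC server: 172.16.1.33
Server time offset: 43'

SAMPLE_TESTJOIN='  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials'

# Print the absolute "Server time offset" (seconds) found in `net ads info` text.
time_offset() {
    printf '%s\n' "$1" | awk -F': *' '
        /^Server time offset:/ { v = $2 + 0; if (v < 0) v = -v; print v; exit }'
}

# Compare the offset with the tolerated skew: skew-ok, skew-too-large or unknown.
skew_status() {
    off=$(time_offset "$1")
    if [ -z "$off" ]; then
        echo unknown
    elif [ "$off" -gt "$MAX_SKEW" ]; then
        echo skew-too-large
    else
        echo skew-ok
    fi
}

# Classify testjoin text. "krb5-bind-failed" means exactly what the log line
# says: a ticket was obtained, but the Kerberos LDAP bind was rejected.
join_status() {
    if printf '%s\n' "$1" | grep -q 'kinit succeeded but ads_sasl_spnego_krb5_bind failed'; then
        echo krb5-bind-failed
    elif printf '%s\n' "$1" | grep -q '^Join.* is OK'; then
        echo ok
    else
        echo unknown
    fi
}

# Live use on a joined host (as root): skew_status "$(net ads info)"
echo "clock: $(skew_status "$SAMPLE_INFO")  join: $(join_status "$SAMPLE_TESTJOIN")"
```

On the posted output the 43-second offset is within that tolerance, while the testjoin text is classified as a rejected Kerberos bind.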

