[Samba] winbind - wbinfo problem - SOLVED

Vivekanandan Nataraj viveknataraj at gmail.com
Fri Nov 19 04:28:36 MST 2010


Hi John,

The same smb and winbind configuration (same SUSE box) works well with other
Windows AD servers.

"#wbinfo -u" and "#wbinfo -g" returns the users and groups respectively.

Thanks for your great help !!!

What is the difference between "#net rpc" and "#net ads"? If you have
time, give some explanation.

Regards,
Vivek


On Mon, Nov 15, 2010 at 6:56 PM, Vivekanandan Nataraj <
viveknataraj at gmail.com> wrote:

> Hi John,
>
> Thanks for your reply.
>
> # net ads testjoin
>
> [2010/11/15 06:40:27,  0] libads/sasl.c:819(ads_sasl_spnego_bind)
>
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> [2010/11/15 06:40:29,  0] libads/sasl.c:819(ads_sasl_spnego_bind)
>
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> Join to domain is not valid: Invalid credentials
>
> but,
>
> # net rpc testjoin
> Join to 'SQUID' is OK
>
> # net ads info -U Administrator
>
> Enter Administrator's password:
> LDAP server: 172.16.1.33
> LDAP server name: EIS.squid.biz
> Realm: SQUID.BIZ
> Bind Path: dc=SQUID,dc=BIZ
> LDAP port: 389
> Server time: Mon, 15 Nov 2010 06:45:33 IST
> KDC server: 172.16.1.33
> Server time offset: 43
>
> # net rpc info -U Administrator
>
> Enter Administrator's password:
> Domain Name: SQUID
> Domain SID: S-1-5-21-419217316-27721265-2755569738
> Sequence number: 548
> Num users: 29
> Num domain groups: 10
> Num local groups: 39
>
> # wbinfo -a 'vivek%vivek'
>
> plaintext password authentication succeeded
>
> challenge/response password authentication succeeded
>
> # wbinfo -K 'vivek%vivek'
> plaintext kerberos password authentication for [vivek%vivek] failed
> (requesting cctype: FILE)
> Could not authenticate user [vivek%vivek] with Kerberos (ccache: FILE)
>
>  # kinit vivek
> Password for vivek at SQUID.BIZ:
> #
>
> Does anything need to be modified on the Windows side? As a next step I will
> remove the system from the domain and try everything...
>
> Thanks in advance.
>
> Regards,
> Vivek
>
>
>
> On Mon, Nov 15, 2010 at 8:25 AM, John Stile <john at stilen.com> wrote:
>
>> "Invalid credentials" points to a problem, though I'm guessing, with
>> the domain membership.
>>
>> I'm really not sure what it means.
>>
>> Does 'ads testjoin' show anything?
>>
>> Would it be too much trouble to remove the system from the domain and
>> add it back, assuming that was the problem?
>>
>> 1. remove the machine from the domain (on the AD server),
>> 2. stop smbd, nmbd, and winbindd.
>> 3. find and remove  "*.tdb"  files.
>> 4. Check 'date' vs. 'net date'
>> 5. net ads join -U 'SQUID.BIZ+username'%'passwd'
>> 6. check 'net ads testjoin'
>> 7. check 'net ads info'
>> 8. start daemon: 'winbindd -d 3 -i'
>> 9.  wbinfo -a 'SQUID.BIZ+username'%'password'
>> 10. wbinfo -K 'SQUID.BIZ+username'%'password'
>> 11. kinit username
>>
>> On Mon, 2010-11-15 at 00:32 +0530, Vivekanandan Nataraj wrote:
>> > Hi John,
>> >
>> >
>> > Thanks for your reply.
>> >
>> >
>> > This is the result :-
>> >
>> >
>> > #wbinfo -u
>> >
>> >
>> > Connected to LDAP server EIS.squid.biz
>> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> > ads_sasl_spnego_bind: got server principal name = eis$@SQUID.BIZ
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
>> > expiration Sun, 14 Nov 2010 22:22:14 IST
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
>> > expiration Sun, 14 Nov 2010 22:22:26 IST
>> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
>> > credentials
>> > ads_connect for domain SQUID failed: Invalid credentials
>> > final write to client failed: Broken pipe
>> >
>> >
>> >
>> >
>> > #wbinfo -g
>> >
>> >
>> > Connected to LDAP server EIS.squid.biz
>> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> > ads_sasl_spnego_bind: got server principal name = eis$@SQUID.BIZ
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
>> > expiration Sun, 14 Nov 2010 22:27:10 IST
>> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
>> > expiration Sun, 14 Nov 2010 22:27:12 IST
>> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
>> > credentials
>> > ads_connect for domain SQUID failed: Invalid credentials
>> > final write to client failed: Broken pipe
>> >
>> >
>> > Any problem with the krb configuration?
>> >
>> >
>> > Regards,
>> > Vivek
>> >
>> >
>> >
>> >
>> > On Sun, Nov 14, 2010 at 11:59 PM, John Stile <john at stilen.com> wrote:
>> >         You could try to run winbindd manually (winbindd -d 3 -i), and from
>> >         another console run 'wbinfo -u', and see if any errors present
>> >         themselves in the console where you ran winbindd.  First make sure
>> >         no other winbind daemon is running, by testing, as root, with:
>> >         lsof -i tcp -nP | grep winbind
>> >
>> >
>> >         On Sun, 2010-11-14 at 23:41 +0530, Vivekanandan Nataraj wrote:
>> >         > Hi John,
>> >         >
>> >         >
>> >         > Thanks for your reply.
>> >         >
>> >         >
>> >         > I have modified the nsswitch.conf file and smb.conf as per your
>> >         > suggestions.
>> >         >
>> >         >
>> >         > Still wbinfo does not list the users... I have rebooted the server
>> >         > after modification.
>> >         >
>> >         >
>> >         > and #rm -rf /var/lib/samba/* and restarted the services and joined
>> >         > the domain again, but no luck.
>> >         >
>> >         >
>> >         > nsswitch.conf
>> >         > [
>> >         > shadow: files
>> >         > passwd: compat winbind
>> >         > group:  compat winbind
>> >         >
>> >         >
>> >         > hosts:  files dns wins
>> >         > networks:       files dns
>> >         >
>> >         >
>> >         > services:       files
>> >         > protocols:      files
>> >         > rpc:    files
>> >         > ethers: files
>> >         > netmasks:       files
>> >         > netgroup:       files nis
>> >         > publickey:      files
>> >         >
>> >         >
>> >         > bootparams:     files
>> >         > automount:      files nis
>> >         > aliases:        files
>> >         > ]
>> >         >
>> >         >
>> >         > samba
>> >         > [
>> >         >         workgroup = SQUID
>> >         >         realm = SQUID.BIZ
>> >         >         security = ADS
>> >         >         password server = EIS.SQUID.BIZ
>> >         >         printcap name = cups
>> >         >         idmap uid = 1000-20000000
>> >         >         idmap gid = 1000-20000000
>> >         >         winbind separator = +
>> >         >         winbind enum users = Yes
>> >         >         winbind enum groups = Yes
>> >         >         winbind use default domain = Yes
>> >         >         winbind nss info = rfc2307
>> >         >         cups options = raw
>> >         > ]
>> >         >
>> >         >
>> >         > Anything I missed?
>> >         >
>> >         >
>> >         > Thanks in advance..
>> >         >
>> >         >
>> >         > Regards,
>> >         > Vivek
>> >         >
>> >         > On Sun, Nov 14, 2010 at 10:33 PM, John Stile <john at stilen.com> wrote:
>> >         >         Does /etc/nsswitch.conf hold winbind?
>> >         >         Something like this:
>> >         >         passwd:  compat winbind
>> >         >         group:   compat winbind
>> >         >
>> >         >         Also,
>> >         >         your config doesn't show:
>> >         >          winbind separator = +
>> >         >
>> >         >         your config doesn't have a fully qualified "password server"
>> >         >         hostname.
>> >         >
>> >         >
>> >         >
>> >         >         On Sun, 2010-11-14 at 11:09 +0530, Vivekanandan Nataraj wrote:
>> >         >         > Hi Guys,
>> >         >         >
>> >         >         > I have configured SAMBA with Windows 2003 AD. But "#wbinfo -u"
>> >         >         > and "#wbinfo -g" do not list the users.
>> >         >         >
>> >         >         > 1. Domain joined successfully.
>> >         >         >
>> >         >         > # net rpc testjoin -U Administrator
>> >         >         > Join to 'DOMAIN' is OK
>> >         >         >
>> >         >         > 2. wbinfo -a works ( User authentication )
>> >         >         >
>> >         >         > # wbinfo -a 'DOMAIN\user'
>> >         >         > Enter DOMAIN\user's password:
>> >         >         > plaintext password authentication succeeded
>> >         >         > Enter DOMAIN\user's password:
>> >         >         > challenge/response password authentication succeeded
>> >         >         >
>> >         >         > 3. wbinfo -u and wbinfo -g list nothing
>> >         >         >
>> >         >         > # wbinfo -u
>> >         >         > # wbinfo -g
>> >         >         >
>> >         >         >  # wbinfo -r 'DOMAIN\user'
>> >         >         > Could not get groups for user DOMAIN\user
>> >         >         >
>> >         >         > SAMBA config : -
>> >         >         >
>> >         >         > [global]
>> >         >         >         workgroup = DOMAIN
>> >         >         >         realm = DOMAIN.BIZ
>> >         >         >         security = ADS
>> >         >         >         password server = EIS
>> >         >         >         printcap name = cups
>> >         >         >         idmap uid = 1000-20000000
>> >         >         >         idmap gid = 1000-20000000
>> >         >         >         winbind enum users = Yes
>> >         >         >         winbind enum groups = Yes
>> >         >         >         winbind use default domain = Yes
>> >         >         >         winbind nss info = rfc2307
>> >         >         >         cups options = raw
>> >         >         >
>> >         >         > Versions :-
>> >         >         >
>> >         >         > # smbd -V
>> >         >         > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
>> >         >         >
>> >         >         > # winbindd -V
>> >         >         > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
>> >         >         >
>> >         >         > Share your ideas...
>> >         >         >
>> >         >         > Regards,
>> >         >         > Vivek
>
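
As an added example (not part of the thread, and not Samba code), a small Python triage of the diagnostics quoted above: it checks the `Server time offset` from `net ads info` against an assumed 300-second Kerberos skew tolerance and flags the "kinit succeeded but ... bind failed" pattern from the winbindd console. The sample strings are constructed from the quoted output, and the finding labels are hypothetical names.

```python
import re

# Constructed sample input, shaped like the `net ads info` output quoted in the thread.
NET_ADS_INFO = """\
LDAP server name: EIS.squid.biz
Realm: SQUID.BIZ
Server time: Mon, 15 Nov 2010 06:45:33 IST
KDC server: 172.16.1.33
Server time offset: 43
"""

# Constructed sample: winbindd console lines, wrapped mid-message as in the mail.
WINBINDD_LOG = """\
ads_sasl_spnego_bind: got server principal name = eis$@SQUID.BIZ
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
credentials
ads_connect for domain SQUID failed: Invalid credentials
"""

# Assumption: the KDC uses the common Kerberos default tolerance of 5 minutes.
MAX_SKEW_SECONDS = 300


def parse_ads_info(text):
    """Turn 'Key: value' lines into a dict (split on the first colon only)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def triage(ads_info_text, log_text):
    """Return a list of finding labels (hypothetical names) for a failed join check."""
    findings = []
    info = parse_ads_info(ads_info_text)
    offset = info.get("Server time offset")
    if offset is None or not re.fullmatch(r"-?\d+", offset):
        findings.append("offset-unknown")
    elif abs(int(offset)) > MAX_SKEW_SECONDS:
        findings.append("clock-skew-exceeds-tolerance")
    # Heuristic: in AD the DC's DNS name normally sits under the realm's DNS domain.
    realm = info.get("Realm", "").lower()
    host = info.get("LDAP server name", "").lower()
    if realm and host and not host.endswith("." + realm):
        findings.append("server-name-outside-realm")
    flat = " ".join(log_text.split())  # undo line wrapping before matching
    if "kinit succeeded but ads_sasl_spnego_krb5_bind failed" in flat:
        findings.append("tgt-ok-but-ldap-sasl-bind-rejected")
    domains = re.findall(r"ads_connect for domain (\S+) failed", flat)
    findings += ["ads-connect-failed:" + d for d in sorted(set(domains))]
    return findings
```

On the thread's values the 43-second offset is inside the assumed tolerance, so the only findings are the rejected LDAP bind and the failed `ads_connect` for SQUID.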

