[Samba] winbind - wbinfo problem - SOLVED

John Stile john at stilen.com
Fri Nov 19 11:16:38 MST 2010


The doc is here:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html

The short answer:
1. not reading this doc will "cause pain, agony, and desperation."
2. 'net' maps domain-to-unix IDs and interacts with domain security.
net rpc  = for Windows Group Management operations.
net ads  = for ADS operations.
net rap  = for RAP (IBM OS/2 and samba <3) operations.
net will automatically fall back via the ads, rpc, and rap modes.

On Fri, 2010-11-19 at 16:58 +0530, Vivekanandan Nataraj wrote:
> Hi John,
> 
> The same smb and winbind configuration ( same SUSE box ) works well
> with other Windows AD servers.
> 
> "#wbinfo -u" and "#wbinfo -g" returns the users and groups
> respectively.
> 
> Thanks for your great help !!!
> 
> what is the difference between "#net rpc" and "#net ads" ?..if you
> have time, give some explanation..
> 
> Regards,
> Vivek
> 
> 
> On Mon, Nov 15, 2010 at 6:56 PM, Vivekanandan Nataraj
> <viveknataraj at gmail.com> wrote:
>         Hi John,
>         
>         Thanks for your reply.
>         
>         
>         # net ads testjoin
>         
>         [2010/11/15 06:40:27,  0]
>         libads/sasl.c:819(ads_sasl_spnego_bind)
>         
>           kinit succeeded but ads_sasl_spnego_krb5_bind failed:
>         Invalid credentials
>         
>         [2010/11/15 06:40:29,  0]
>         libads/sasl.c:819(ads_sasl_spnego_bind)
>         
>           kinit succeeded but ads_sasl_spnego_krb5_bind failed:
>         Invalid credentials
>         
>         Join to domain is not valid: Invalid credentials
>         
>         but,
>         
>         # net rpc testjoin
>         Join to 'SQUID' is OK
>         
>         # net ads info -U Administrator
>         
>         Enter Administrator's password:
>         LDAP server: 172.16.1.33
>         LDAP server name: EIS.squid.biz
>         Realm: SQUID.BIZ
>         Bind Path: dc=SQUID,dc=BIZ
>         LDAP port: 389
>         Server time: Mon, 15 Nov 2010 06:45:33 IST
>         KDC server: 172.16.1.33
>         Server time offset: 43
>         
>         # net rpc info -U Administrator
>         
>         Enter Administrator's password:
>         Domain Name: SQUID
>         Domain SID: S-1-5-21-419217316-27721265-2755569738
>         Sequence number: 548
>         Num users: 29
>         Num domain groups: 10
>         Num local groups: 39
>         
>         # wbinfo -a 'vivek%vivek'
>         
>         plaintext password authentication succeeded
>         
>         challenge/response password authentication succeeded
>         
>         
>         # wbinfo -K 'vivek%vivek'
>         plaintext kerberos password authentication for [vivek%vivek]
>         failed (requesting cctype: FILE)
>         Could not authenticate user [vivek%vivek] with Kerberos
>         (ccache: FILE)
>         
>          # kinit vivek
>         Password for vivek at SQUID.BIZ:
>         #
>         
>         Does anything need to be modified on the Windows side? Next step, I
>         will remove the system from the domain and try everything...
>         
>         Thanks in advance.
>         
>         Regards,
>         Vivek
>         
>         
>         
>         
>         On Mon, Nov 15, 2010 at 8:25 AM, John Stile <john at stilen.com>
>         wrote:
>                 "Invalid credentials" points to a problem, though I'm
>                 guessing, with
>                 the domain membership.
>                 
>                 I'm really not sure what it means.
>                 
>                 Does 'ads testjoin' show anything?
>                 
>                 Would it be too much trouble to remove the system from
>                 the domain and
>                 add it back, assuming that was the problem?
>                 
>                 1. remove the machine from the domain (on the AD
>                 server),
>                 2. stop smbd, nmbd, and winbindd.
>                 3. find and remove  "*.tdb"  files.
>                 4. Check 'date' vs. 'net date'
>                 5. net ads join -U 'SQUID.BIZ+username'%'passwd'
>                 6. check 'net ads testjoin'
>                 7. check 'net ads info'
>                 8. start daemon: 'winbindd -d 3 -i'
>                 9.  wbinfo -a 'SQUID.BIZ+username'%'password'
>                 10. wbinfo -K 'SQUID.BIZ+username'%'password'
>                 11. kinit username
>                 
>                 
>                 On Mon, 2010-11-15 at 00:32 +0530, Vivekanandan
>                 Nataraj wrote:
>                 > Hi John,
>                 >
>                 >
>                 > Thanks for your reply.
>                 >
>                 >
>                 > This is the result :-
>                 >
>                 >
>                 > #wbinfo -u
>                 >
>                 >
>                 > Connected to LDAP server EIS.squid.biz
>                 > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>                 > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>                 > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>                 > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>                 > ads_sasl_spnego_bind: got server principal name =
>                 eis$@SQUID.BIZ
>                 > ads_cleanup_expired_creds: Ticket in
>                 ccache[MEMORY:winbind_ccache]
>                 > expiration Sun, 14 Nov 2010 22:22:14 IST
>                 > ads_cleanup_expired_creds: Ticket in
>                 ccache[MEMORY:winbind_ccache]
>                 > expiration Sun, 14 Nov 2010 22:22:26 IST
>                 > kinit succeeded but ads_sasl_spnego_krb5_bind
>                 failed: Invalid
>                 > credentials
>                 > ads_connect for domain SQUID failed: Invalid
>                 credentials
>                 > final write to client failed: Broken pipe
>                 >
>                 >
>                 >
>                 >
>                 > #wbinfo -g
>                 >
>                 >
>                 > Connected to LDAP server EIS.squid.biz
>                 > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>                 > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>                 > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>                 > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>                 > ads_sasl_spnego_bind: got server principal name =
>                 eis$@SQUID.BIZ
>                 > ads_cleanup_expired_creds: Ticket in
>                 ccache[MEMORY:winbind_ccache]
>                 > expiration Sun, 14 Nov 2010 22:27:10 IST
>                 > ads_cleanup_expired_creds: Ticket in
>                 ccache[MEMORY:winbind_ccache]
>                 > expiration Sun, 14 Nov 2010 22:27:12 IST
>                 > kinit succeeded but ads_sasl_spnego_krb5_bind
>                 failed: Invalid
>                 > credentials
>                 > ads_connect for domain SQUID failed: Invalid
>                 credentials
>                 > final write to client failed: Broken pipe
>                 >
>                 >
>                 > any problem with krb configuration ???
>                 >
>                 >
>                 > Regards,
>                 > Vivek
>                 >
>                 >
>                 >
>                 >
>                 > On Sun, Nov 14, 2010 at 11:59 PM, John Stile
>                 <john at stilen.com> wrote:
>                 >         You could try to run winbindd manually
>                 (winbindd -d 3 -i), and
>                 >         from
>                 >         another console run 'wbinfo -u', and see if
>                 any errors present
>                 >         themselves in the console where you ran
>                 winbindd.  First make sure
>                 >         no other
>                 >         winbind daemon is running, by testing, as
>                 root, with:  lsof -i
>                 >         tcp -nP |
>                 >         grep winbind
>                 >
>                 >
>                 >         On Sun, 2010-11-14 at 23:41 +0530,
>                 Vivekanandan Nataraj wrote:
>                 >         > Hi John,
>                 >         >
>                 >         >
>                 >         > Thanks for your reply.
>                 >         >
>                 >         >
>                 >         > I have modified the nsswitch.conf file and
>                 smb.conf as per
>                 >         your
>                 >         > suggestions.
>                 >         >
>                 >         >
>                 >         > Still wbinfo does not list the users... I
>                 have rebooted the
>                 >         server
>                 >         > after modification.
>                 >         >
>                 >         >
>                 >         > and  #rm -rf /var/lib/samba/* and restart
>                 the services and
>                 >         joined the
>                 >         > domain again. but no luck..
>                 >         >
>                 >         >
>                 >         > nsswitch.conf
>                 >         > [
>                 >         > shadow: files
>                 >         > passwd: compat winbind
>                 >         > group:  compat winbind
>                 >         >
>                 >         >
>                 >         > hosts:  files dns wins
>                 >         > networks:       files dns
>                 >         >
>                 >         >
>                 >         > services:       files
>                 >         > protocols:      files
>                 >         > rpc:    files
>                 >         > ethers: files
>                 >         > netmasks:       files
>                 >         > netgroup:       files nis
>                 >         > publickey:      files
>                 >         >
>                 >         >
>                 >         > bootparams:     files
>                 >         > automount:      files nis
>                 >         > aliases:        files
>                 >         > ]
>                 >         >
>                 >         >
>                 >         > samba
>                 >         > [
>                 >         >         workgroup = SQUID
>                 >         >         realm = SQUID.BIZ
>                 >         >         security = ADS
>                 >         >         password server = EIS.SQUID.BIZ
>                 >         >         printcap name = cups
>                 >         >         idmap uid = 1000-20000000
>                 >         >         idmap gid = 1000-20000000
>                 >         >         winbind separator = +
>                 >         >         winbind enum users = Yes
>                 >         >         winbind enum groups = Yes
>                 >         >         winbind use default domain = Yes
>                 >         >         winbind nss info = rfc2307
>                 >         >         cups options = raw
>                 >         > ]
>                 >         >
>                 >         >
>                 >         > Anything I missed?
>                 >         >
>                 >         >
>                 >         > Thanks in advance..
>                 >         >
>                 >         >
>                 >         > Regards,
>                 >         > Vivek
>                 >         >
>                 >         > On Sun, Nov 14, 2010 at 10:33 PM, John
>                 Stile
>                 >         <john at stilen.com> wrote:
>                 >         >         Does /etc/nsswitch.conf hold
>                 winbind?
>                 >         >         Something like this:
>                 >         >         passwd:  compat winbind
>                 >         >         group:   compat winbind
>                 >         >
>                 >         >         Also,
>                 >         >         your config doesn't show:
>                 >         >          winbind separator = +
>                 >         >
>                 >         >         your config doesn't have a fully
>                 qualified "password
>                 >         server"
>                 >         >         hostname.
>                 >         >
>                 >         >
>                 >         >
>                 >         >         On Sun, 2010-11-14 at 11:09 +0530,
>                 Vivekanandan
>                 >         Nataraj wrote:
>                 >         >         > Hi Guys,
>                 >         >         >
>                 >         >         > I have configured SAMBA with
>                 Windows 2003 AD. But
>                 >         "#wbinfo
>                 >         >         -u"  and
>                 >         >         > "#wbinfo -g" does not list the
>                 users
>                 >         >         >
>                 >         >         > 1. Domain joined successfully.
>                 >         >         >
>                 >         >         > # net rpc testjoin -U
>                 Administrator
>                 >         >         > Join to 'DOMAIN' is OK
>                 >         >         >
>                 >         >         > 2. wbinfo -a works ( User
>                 authentication )
>                 >         >         >
>                 >         >         > # wbinfo -a 'DOMAIN\user'
>                 >         >         > Enter DOMAIN\user's password:
>                 >         >         > plaintext password
>                 authentication succeeded
>                 >         >         > Enter DOMAIN\user's password:
>                 >         >         > challenge/response password
>                 authentication
>                 >         succeeded
>                 >         >         >
>                 >         >         > 3. wbinfo -u and wbinfo -g does
>                 list nothing
>                 >         >         >
>                 >         >         > # wbinfo -u
>                 >         >         > # wbinfo -g
>                 >         >         >
>                 >         >         >  # wbinfo -r 'DOMAIN\user'
>                 >         >         > Could not get groups for user
>                 DOMAIN\user
>                 >         >         >
>                 >         >         > SAMBA config : -
>                 >         >         >
>                 >         >         > [global]
>                 >         >         >         workgroup = DOMAIN
>                 >         >         >         realm = DOMAIN.BIZ
>                 >         >         >         security = ADS
>                 >         >         >         password server = EIS
>                 >         >         >         printcap name = cups
>                 >         >         >         idmap uid =
>                 1000-20000000
>                 >         >         >         idmap gid =
>                 1000-20000000
>                 >         >         >         winbind enum users = Yes
>                 >         >         >         winbind enum groups =
>                 Yes
>                 >         >         >         winbind use default
>                 domain = Yes
>                 >         >         >         winbind nss info =
>                 rfc2307
>                 >         >         >         cups options = raw
>                 >         >         >
>                 >         >         > Versions :-
>                 >         >         >
>                 >         >         > # smbd -V
>                 >         >         > Version
>                 3.4.2-1.1.3.1-2229-SUSE-SL11.2
>                 >         >         >
>                 >         >         > # winbindd -V
>                 >         >         > Version
>                 3.4.2-1.1.3.1-2229-SUSE-SL11.2
>                 >         >         >
>                 >         >         > Share your ideas...
>                 >         >         >
>                 >         >         > Regards,
>                 >         >         > Vivek
>                 >         >
>                 >         >
>                 >         >
>                 >         >
>                 >         >
>                 >
>                 >
>                 >
>                 >
>                 >
>                 
>                 
>                 
>         
>         
> 
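
Added example, not part of the original thread: a shell helper that triages saved output of the commands quoted above (`net ads testjoin`, `net rpc testjoin`, `net ads info`). The function names and the 300-second skew limit (the usual Kerberos default) are assumptions; the sample text is copied from the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify the join state from saved
# output of `net ads testjoin`, `net rpc testjoin` and `net ads info`.
# Assumption: 300 s is the usual default Kerberos clock-skew tolerance.
MAX_SKEW=300

# Sample text copied from the outputs quoted in the thread.
ADS_TESTJOIN='kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials'
RPC_TESTJOIN="Join to 'SQUID' is OK"
ADS_INFO='LDAP server: 172.16.1.33
Realm: SQUID.BIZ
Server time: Mon, 15 Nov 2010 06:45:33 IST
KDC server: 172.16.1.33
Server time offset: 43'

# Print the "Server time offset" value (seconds) from `net ads info` output.
time_offset() {
    printf '%s\n' "$1" |
        awk -F': *' '/^[ \t]*Server time offset:/ { print $2; exit }'
}

# Args: ads-testjoin text, rpc-testjoin text, ads-info text.
# Prints: rpc=<ok|fail> krb5=<ok|bind-failed|unknown> skew=<ok|too-large|unknown>
triage_join() {
    tj_rpc=fail tj_krb=unknown tj_skew=unknown
    case $2 in *"Join to '"*"' is OK"*) tj_rpc=ok ;; esac
    case $1 in
        *"ads_sasl_spnego_krb5_bind failed"*) tj_krb=bind-failed ;;
        *"Join is OK"*) tj_krb=ok ;;
    esac
    tj_off=$(time_offset "$3")
    tj_abs=${tj_off#-}                      # drop a leading minus sign
    case $tj_abs in
        ''|*[!0-9]*) ;;                     # missing or non-numeric: unknown
        *) if [ "$tj_abs" -le "$MAX_SKEW" ]; then tj_skew=ok
           else tj_skew=too-large; fi ;;
    esac
    printf 'rpc=%s krb5=%s skew=%s\n' "$tj_rpc" "$tj_krb" "$tj_skew"
}

# The thread's case: RPC join valid, Kerberos LDAP bind rejected, 43 s skew.
triage_join "$ADS_TESTJOIN" "$RPC_TESTJOIN" "$ADS_INFO"
```

For the thread's output this prints `rpc=ok krb5=bind-failed skew=ok`: the 43-second offset is inside the assumed tolerance, so the clock check in step 4 would not by itself account for the failed Kerberos bind.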



