how to force the winbind authentication in AD? (without the enum of users and groups)
jiri sasek - Sun Microsystems - Prague Czech Republic
Jiri.Sasek at Sun.COM
Thu Jan 17 22:31:56 GMT 2008
Hello samba folks
I have a problem authenticating the smbd session without "winbind
enum users" set to "yes". There is a 2-way non-transitive interdomain trust
between SMBSETUP and MOUREK, and for instance "MOUREK\jura" can
log on to the "WXPTST" (@SMBSETUP) machine as well as "SMBSETUP\jurasek"
can, so the trust seems to work.
"smbd" cannot authenticate the Samba session. Can anybody point me to
how to trace the /var/samba/locks/winbindd_privileged/pipe traffic, for
instance?
Thank you in advance for any help
Regards
Jura
----- details ------
I have the following smb.conf:
[global]
security = ads
auth methods = winbind guest sam
realm = SMBSETUP.CZECH.SUN.COM
workgroup = SMBSETUP
use kerberos keytab = true
server string = Samba 3.0.28 ADS
# winbind configuration:
winbind separator = \\
idmap domains = SMBSETUP MOUREK
idmap config SMBSETUP:backend = rid
idmap config SMBSETUP:base_rid = 1000
idmap config SMBSETUP:range = 10000 - 29999
idmap config MOUREK:backend = rid
idmap config MOUREK:base_rid = 1000
idmap config MOUREK:range = 30000 - 49999
...
wbinfo -u -g correctly dumps the users/groups from both domains;
the uid can also be obtained by:
-bash-3.00# /usr/sfw/bin/wbinfo -n 'MOUREK\jura'
S-1-5-21-3750146957-173258023-4083698037-1109 User (1)
-bash-3.00# /usr/sfw/bin/wbinfo -S S-1-5-21-3750146957-173258023-4083698037-1109
30109
so everything seems to be working, but when I connect from the
workstation "WXPTST", which is joined to the "SMBSETUP" domain, I
cannot authenticate the "smbd" session. Picking up from "log.wxptst":
[2008/01/17 23:16:47, 5] auth/auth_util.c:(161)
make_user_info_map: Mapping user []\[] from workstation [WXPTST]
...the user seems not to be known, and the winbind authentication, forced
as the first method, is failing:
[2008/01/17 23:16:47, 5] auth/auth.c:(273)
check_ntlm_password: winbind authentication for user [] FAILED with
error NT_STATUS_NO_SUCH_USER
later the NTLM2 gives a bit better result:
[2008/01/17 23:16:48, 3] libsmb/ntlmssp.c:(739)
Got user=[jura] domain=[MOUREK] workstation=[WXPTST] len1=24 len2=24
but "winbind enum users" is not set so even if:
[2008/01/17 23:16:48, 5] lib/username.c:(131)
Finding user MOUREK\jura
...authentication is failing:
[2008/01/17 23:16:48, 6] auth/auth_sam.c:(414)
check_samstrict_security: MOUREK is not one of my local names
(ROLE_DOMAIN_MEMBER)
then:
[2008/01/17 23:16:48, 2] auth/auth.c:(319)
check_ntlm_password: Authentication for user [jura] -> [jura] FAILED
with error NT_STATUS_NO_SUCH_USER
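
Added example, not part of the original post: a small Python parser for the log.wxptst excerpts quoted above. It re-joins the wrapped message lines and lists each failed check_ntlm_password step with the user name it was tried for. The sample log is constructed from the excerpts in the post, and the function and variable names are this example's own.

```python
import re

# Patterns for the record header and the two failure messages quoted in the post
# (the function name before "(" is empty in these logs, so it is optional here).
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] (\S+?):(\w*)\((\d+)\)$")
PER_METHOD = re.compile(r"check_ntlm_password: (\w+) authentication for user "
                        r"\[(.*?)\] FAILED with error (\w+)")
FINAL = re.compile(r"check_ntlm_password: Authentication for user "
                   r"\[(.*?)\] -> \[(.*?)\] FAILED with error (\w+)")

# Constructed sample: log.wxptst excerpts from the post, in order, still wrapped.
SAMPLE_LOG = r"""
[2008/01/17 23:16:47, 5] auth/auth_util.c:(161)
make_user_info_map: Mapping user []\[] from workstation [WXPTST]
[2008/01/17 23:16:47, 5] auth/auth.c:(273)
check_ntlm_password: winbind authentication for user [] FAILED with
error NT_STATUS_NO_SUCH_USER
[2008/01/17 23:16:48, 3] libsmb/ntlmssp.c:(739)
Got user=[jura] domain=[MOUREK] workstation=[WXPTST] len1=24 len2=24
[2008/01/17 23:16:48, 6] auth/auth_sam.c:(414)
check_samstrict_security: MOUREK is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2008/01/17 23:16:48, 2] auth/auth.c:(319)
check_ntlm_password: Authentication for user [jura] -> [jura] FAILED
with error NT_STATUS_NO_SUCH_USER
"""

def parse_records(text):
    """Split a Samba log into records, re-joining wrapped message lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "msg": ""})
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def auth_failures(records):
    """Return (time, stage, user, status) for each failed check_ntlm_password step."""
    out = []
    for rec in records:
        m, f = PER_METHOD.search(rec["msg"]), FINAL.search(rec["msg"])
        if m:    # failure of one auth method, e.g. "winbind"
            out.append((rec["time"], m.group(1), m.group(2), m.group(3)))
        elif f:  # overall result after all methods were tried
            out.append((rec["time"], "final", f.group(1), f.group(3)))
    return out
```

Run on the excerpts above, `auth_failures(parse_records(SAMPLE_LOG))` returns one winbind-stage failure recorded for the empty user name and one final failure for jura.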