[Samba] Samba 3/ADC/Winbind problem



 root from the samba machine:    Ticket cache: FILE:/tmp/krb5cc_0    Default prinicpal: the Greetings all.     I am banging my head about this one, I will try for trust secret via RPC calls succeeded     wbinfo -m: return to be as specific as possible, bear with me please.     I have a W2KDC ADC, and trying to join a Samba 3 linux workstation to it.     What works:     net join:  succeeded     wbinfo -t:  checking to prompt, no output     wbinfo -u: correct list of local + AD members     wbinfo -g: correct list of local + AD groups     kinit: succeeded     klist output  Tue Nov  4 21:17:21 GMT 2003  Valid starting            Expires                 Service_principal    11/03/03 19:00:38  11/04/03 05:00:38  krbtgt/  Administrator at THIS.DOMAIN  good.  [2003/11/03 19:30:26, 10] nsswitch/winbindd_cache.c:wcache_fetch(470)    wcache_fetch: returning entry U/S-1-5-21-1220945662-842925246-1957994488-500 for (|(sAMAccountName=mail)(userPrincipalName= 1 Kerberos 4 ticket cache:  /tmp/tkt0    klist: You have no tickets cached     pam.d/login modified and working       AD users can log into local terminal of samba      machine, and if home dir is name for domain THIS status Success  [2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_uid(150)    idmap_sid_to_uid: sid = [S-1-5-21-1220945662-842925246-1957994488-500]  [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:db_get_id_from_sid(315)    db_get_id_from_sid  [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(221)    internal_get_id_from_sid: fetching record S-1-5-21-1220945662-842925246-1957994488-500 of pam_mkhomedir     telnet/ssh/ftp/etc. 
all working with local & AD accounts     No accounts in AD overlap linux system accounts     Any windows (all WinXP Pro or the samba shares at all, cannot even browse the samba system itself, or type 0x2  [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)    internal_get_id_from_sid: record S-1-5-21-1220945662-842925246-1957994488-513 -> GID 10000  [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(262)    internal_get_id_from_sid: ID_GROUPID fetching record S-1-5-21-1220945662-842925246-1957994488-513 -> GID 10000   [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)    internal_get_sid_from_id: fetching record GID 10000  [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)    internal_get_sid_from_id: fetching record GID 10000 -> S-1-5-21-1220945662-842925246-1957994488-513  [2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_gid(187)    idmap_sid_to_gid: gid = [10000]  [2003/11/03 19:30:26, 10] nsswitch/winbindd.c:client_write(502)    client_write: wrote 1300 bytes.  [2003/11/03 19:30:26, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 0 bytes. Need 1568 more for domain THIS  [2003/11/03 19:31:00, 3] nsswitch/winbindd_ads.c:name_to_sid(312)    ads: name_to_sid  [2003/11/03 19:31:00, 5] libads/ldap_utils.c:ads_do_search_retry(52)    Search for domain THIS is not right, and I am busted if I can figure out what it is.     
Contents of type 0x1  [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)    internal_get_id_from_sid: record S-1-5-21-1220945662-842925246-1957994488-500 -> UID 10000  [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(243)    internal_get_id_from_sid: ID_USERID fetching record S-1-5-21-1220945662-842925246-1957994488-500 -> UID 10000   [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)    internal_get_sid_from_id: fetching record UID 10000  [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)    internal_get_sid_from_id: fetching record UID 10000 -> S-1-5-21-1220945662-842925246-1957994488-500  [2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_uid(157)    idmap_sid_to_uid: uid = [10000]  [2003/11/03 19:30:26, 10] sam/idmap_util.c:idmap_sid_to_gid(179)    sid_to_gid: sid = [S-1-5-21-1220945662-842925246-1957994488-513]  [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:db_get_id_from_sid(315)    db_get_id_from_sid  [2003/11/03 19:30:26, 10] sam/idmap_tdb.c:internal_get_id_from_sid(221)    internal_get_id_from_sid: fetching record S-1-5-21-1220945662-842925246-1957994488-513 of write 38 extra data bytes.  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)    client_write: wrote 38 bytes.  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(536)    client_write: client_write: complete response written.  [2003/11/03 19:32:01, 6] nsswitch/winbindd.c:new_connection(340)    accepted socket 18  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 0 bytes. Need 1568 more for domain THIS  [2003/11/03 19:30:26, 10] nsswitch/winbindd_cache.c:query_user(1067)    query_user: [Cached] - cached info for a full request.  
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:process_request(305)    process_request: request fn WINBINDD_PRIV_PIPE_DIR  [2003/11/03 19:32:01, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)    [31893]: request location on sock 17, pid 31893: EOF  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 1568 bytes. Need 0 more for name for a full request.  [2003/11/03 19:31:00, 5] nsswitch/winbindd.c:winbind_client_read(462)    read failed on sock 18, pid 31841: EOF  [2003/11/03 19:31:00, 6] nsswitch/winbindd.c:new_connection(340)    accepted socket 17  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 1568 bytes. Need 0 more for sock 17, pid 31883: EOF  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 1568 bytes. Need 0 more for a          preferred master = No          local master = No          domain master = No          wins server = 50.50.50.50  #(IP of privileged pipe  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)    client_write: wrote 1300 bytes.  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(547)    client_write: need to guest = Bad User          obey pam restrictions = Yes          password server = MERCURY          log level = 10          log file = /var/log/samba3/log.%m          max log size = 50          name resolve order = wins lmhosts bcast          socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192          printcap name = cups          os level = a full request.  
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:process_request(305)    process_request: request fn GETGROUPS  [2003/11/03 19:31:00, 3] nsswitch/winbindd_group.c:winbindd_getgroups(931)    [31883]: getgroups mail  [2003/11/03 19:31:00, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(342)    refresh_sequence_number: THIS time ok  [2003/11/03 19:31:00, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(367)    refresh_sequence_number: THIS seq number is missing, created      via use of privileged pipe  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)    client_write: wrote 1300 bytes.  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(547)    client_write: need to AD system.  Example:         smbclient -k //mercury/dfs1      Succeeds.     Any windows client's shares can be accessed from any other     windows client, or Win2K) client's shares can      be accessed from the linux machine, from    to write 38 extra data bytes.  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)    client_write: wrote 38 bytes.  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(536)    client_write: client_write: complete response written.  [2003/11/03 19:31:00, 6] nsswitch/winbindd.c:new_connection(340)    accepted socket 18  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 0 bytes. Need 1568 more for a full request.  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:process_request(305)    process_request: request fn INTERFACE_VERSION  [2003/11/03 19:31:00, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(231)    [31883]: request interface version  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)    client_write: wrote 1300 bytes.  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 1568 bytes. 
Need 0 more for (|(sAMAccountName=mail)(userPrincipalName=  mail at THIS.LOCAL  )) gave 0 replies  [2003/11/03 19:31:00, 1] libads/ads_ldap.c:ads_name_to_sid(64)    name_to_sid: mail not found  [2003/11/03 19:31:00, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(602)    wcache_save_name_to_sid: MAIL -> S-0-0  [2003/11/03 19:31:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)    user 'mail' does not exist  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:client_write(502)    client_write: wrote 1300 bytes.  [2003/11/03 19:31:00, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 0 bytes. Need 1568 more for a full request.  [2003/11/03 19:32:01, 5] nsswitch/winbindd.c:winbind_client_read(462)    read failed on the machine's share list.     Something the my kerberos auth between samba/ADC is now 4040  [2003/11/03 19:31:00, 10] nsswitch/winbindd_cache.c:name_to_sid(958)    name_to_sid: [Cached] - doing backend query for a full request.  [2003/11/03 19:30:26, 5] nsswitch/winbindd.c:winbind_client_read(462)    read failed on any windows client.     smbclient -k //sol/tmp  session setup failed: NT_STATUS_LOGON_FAILURE     However, I can do this:  smbclient //sol/tmp  Enter password when prompted, and access success.     Of course, any windows client cannot access the samba/linux system, including any     dfs from the AD server.     What DOESN'T work:     Cannot access any samba shares for a full request.  
[2003/11/03 19:32:01, 10] nsswitch/winbindd.c:process_request(305)    process_request: request fn GETGROUPS  [2003/11/03 19:32:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(931)    [31893]: getgroups mail  [2003/11/03 19:32:01, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(342)    refresh_sequence_number: THIS time ok  [2003/11/03 19:32:01, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(367)    refresh_sequence_number: THIS seq number is now 4040  [2003/11/03 19:32:01, 10] nsswitch/winbindd_cache.c:name_to_sid(958)    name_to_sid: [Cached] - doing backend query for a full request.  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:process_request(305)    process_request: request fn INTERFACE_VERSION  [2003/11/03 19:32:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(231)    [31893]: request interface version  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)    client_write: wrote 1300 bytes.  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 1568 bytes. Need 0 more for about full request.  
[2003/11/03 19:31:00, 10] nsswitch/winbindd.c:process_request(305)    process_request: request fn WINBINDD_PRIV_PIPE_DIR  [2003/11/03 19:31:00, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)    [31883]: request location of /etc/krb5.conf:     [logging]   default = FILE:/var/log/kerberos/krb5libs.log   kdc = FILE:/var/log/kerberos/krb5kdc.log   admin_server = FILE:/var/log/kerberos/kadmind.log     [libdefaults]   ticket_lifetime = 24000   default_realm = THIS.DOMAIN   default_tgs_enctypes = des-cbc-crc des-cbc-md5   default_tkt_enctypes = des-cbc-crc des-cbc-md5   forwardable = true   proxiable = true   dns_lookup_realm = true   dns_lookup_kdc = true     [realms]   THIS.DOMAIN = {    kdc = mercury.this.domain:88     default_domain = this.domain   }     [domain_realm]   .this.domain = THIS.DOMAIN  this.domain = THIS.DOMAIN     [kdc]    profile = /var/kerberos/krb5kdc/kdc.conf     [pam]   debug = false   ticket_lifetime = 36000   renew_lifetime = 36000   forwardable = true   krb4_convert = false     /etc/samba/smb.conf:     [global]          workgroup = THIS          realm = THIS.DOMAIN          server string = Test Server (Samba %v)          security = ADS          map of ADS)          message command = /usr/bin/linpopup "%f" "%m" %s; rm %s          idmap uid = 10000-20000          idmap gid = 10000-20000          template shell = /bin/bash          winbind separator = +          winbind use default domain = Yes          printer admin = @Domain Admins          printing = cups     [homes]          comment = Home Directories          path = %H          valid users = %S          read only = No          create mask = 0600          directory mask = 0700          browseable = No     [printers]          comment = All Printers          path = /var/spool/samba3          create mask = 0700          guest ok = Yes          printable = Yes          print command = lpr-cups -P %p -o raw %s -r          browseable = No     [print$]          path = /var/lib/samba3/printers  
        write list = @adm, root          guest ok = Yes     [pdf-generator]          comment = PDF Generator (only valid users)          path = /var/tmp          printable = Yes          print command = /usr/share/samba3/scripts/print-pdf %s ~%u //%L/%u %m %I "%J" &     [tmp]          comment = Temporary file space          path = /tmp          read only = No          guest ok = Yes     [distributions]          comment = Linux Distributions          path = /usr/local/dist          read only = No          guest ok = Yes     [library]          comment = Software Library          path = /usr/share/library     [music]          comment = Music Editing Software          path = /usr/local/music          read only = No          guest ok = Yes     [public]          comment = Public Documentation          path = /usr/share/public          read only = No          guest ok = Yes     /etc/pam.d/samba  auth       required     /lib/security/pam_nologin.so  auth       required     /lib/security/pam_stack.so service=system-auth  account    required     /lib/security/pam_stack.so service=system-auth  session    required     /lib/security/pam_stack.so service=system-auth     /etc/pam.d/system-auth  auth        required      /lib/security/pam_env.so  auth        sufficient    /lib/security/pam_winbind3.so  auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass  auth        required      /lib/security/pam_deny.so     account     sufficient    /lib/security/pam_winbind3.so  account     required      /lib/security/pam_unix.so     password    required      /lib/security/pam_cracklib.so retry=3 minlen=0 dcredit=0  ucredit=0  password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow  password    required      /lib/security/pam_deny.so     session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022  session     required      /lib/security/pam_limits.so  session     required      /lib/security/pam_unix.so     Cleaned 
logs, start smb/nmb, start winbind, try to access /tmp share on samba/linux system:     /var/log/samba/log.winbindd:  [2003/11/03 19:30:26, 10] nsswitch/winbindd_cache.c:centry_expired(391)    centry_expired: Key U/S-1-5-21-1220945662-842925246-1957994488-500 for domain THIS  [2003/11/03 19:32:01, 3] nsswitch/winbindd_ads.c:name_to_sid(312)    ads: name_to_sid  [2003/11/03 19:32:01, 5] libads/ldap_utils.c:ads_do_search_retry(52)    Search for a full request.  [2003/11/03 19:31:00, 5] nsswitch/winbindd.c:winbind_client_read(462)    read failed on sock 18, pid 31883: EOF  [2003/11/03 19:32:01, 6] nsswitch/winbindd.c:new_connection(340)    accepted socket 17  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 1568 bytes. Need 0 more  Previous message:  sock 18, pid 31893: EOF        Any tips on get the smb shares working would be appreciated!     Ron L. Smith to )) gave 0 replies  [2003/11/03 19:32:01, 1] libads/ads_ldap.c:ads_name_to_sid(64)    name_to_sid: mail not found  [2003/11/03 19:32:01, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(602)    wcache_save_name_to_sid: MAIL -> S-0-0  [2003/11/03 19:32:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)    user 'mail' does not exist  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:client_write(502)    client_write: wrote 1300 bytes.  [2003/11/03 19:32:01, 10] nsswitch/winbindd.c:winbind_client_read(455)    client_read: read 0 bytes. Need 1568 more for a full request.  [2003/11/03 19:32:01, 5] nsswitch/winbindd.c:winbind_client_read(462)    read failed 

