I had the same problem; I fixed it by modifying
/etc/pam.d/system-auth:

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

This should let winbind talk to the PDC, but you need to run the
smbpasswd (join to domain again) command. I don't remember off the top of
my head the exact syntax. A lot of the instructions say to take the
computer out of the domain and then re-add it through the samba box; I
didn't find it necessary, just run the smbpasswd command again. Make sure
you: service smb stop, service winbind stop, then run smbpasswd. Then
service smb start, service winbind start and see what happens.

Also, I don't know if this system-auth file is perfect; I'm still having
trouble getting security=domain and adding groups to the write list in the
smb.conf. But I don't think it's the system-auth file, but I have to do
some more digging.

This should make your secret problem go away; if not, let me know.

Matt Jamison
On Wed, 7 Aug 2002, Antonio Nikolic wrote:
> Hi everybody,
>
> I still have trouble gettin' winbind running correctly and as time
> passes by and all documentation and mailing lists have been read,
> things are getting really urgent...
>
> I think I should abstract the problem to the minimum:
> winbind is up and running,
> wbinfo -u works,
> getenv password works,
> wbinfo -t states that
> ---> Secret is bad
> and winbind-logfile says to check the machineaccount,
> samba-logfile comments my attempt to access a share as follows:
> "could not fetch trust account password for domain xy"
>
> Server is a Windows2000 Advanced one..
> machine account from the samba-server is visible in "Computers"
> after having successfully joined the domain.
>
> I tried several setups with
> 2.2.5, 2.2.4 (selfcompiled)
> and 2.2.3a (debian-sid package)
> every time the same. So I guess something with the configuration is
> missing; perhaps I have to make changes in the W2k-Server
> configuration.
>
> Now - is there anybody out there, who knows how to solve this one?
> I've been around several mailing lists and everyone's just asking
> this kind of question about trust-account, but no one got answers...
>
> cheers,
> tony
>
>
--
Matt Jamison
Help Desk Technician &
Proprietary Software Assassin
Red Hat, Inc.
919-754-3700 x44406
jamisonm@redhat.com
NOVUS ORDO SECLORUM "a new order has begun"
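
An added example, not part of the original message and not code from Samba or PAM: a small Python check for an old-style PAM stack like the system-auth file above, which reports lines broken by mail wrapping, a module directory that differs from the rest, and use of nullok. The function name lint_pam and the sample text are assumptions made for illustration; only single-word control values such as required and sufficient are handled.

```python
from collections import Counter
import posixpath

TYPES = {"auth", "account", "password", "session"}

# Constructed sample modelled on the stack in the message above, with a
# misspelled module directory and an option wrapped onto its own line.
SAMPLE = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/secutiry/pam_winbind.so
account required /lib/security/pam_unix.so
"""

def lint_pam(text):
    """Return a sorted list of (line_number, message) findings (hypothetical helper)."""
    findings, entries = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0].lstrip("-") not in TYPES or len(fields) < 3:
            findings.append((n, "not a 'type control module' entry (wrapped line?)"))
            continue
        entries.append((n, fields[2], fields[3:]))
    # Absolute module paths normally share one directory; an outlier is usually a typo.
    dirs = Counter(posixpath.dirname(m) for _, m, _ in entries if m.startswith("/"))
    common = dirs.most_common(1)[0][0] if dirs else None
    for n, module, opts in entries:
        if module.startswith("/") and posixpath.dirname(module) != common:
            findings.append((n, f"module directory differs from {common}: {module}"))
        if "nullok" in opts:
            findings.append((n, "nullok accepts accounts with an empty password"))
    return sorted(findings)

if __name__ == "__main__":
    for n, msg in lint_pam(SAMPLE):
        print(f"line {n}: {msg}")
```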