Hello there! After much trial and error, scouring the net and books for samba setups/faqs/resources, etc. - I seem to have Samba set up with winbind more or less correctly - there seem to be a couple of bugs though.

The goal is to have a windows workstation-like Linux box to access the NT 4.0 domain: logging into the Linux box (physically) with domain user accounts, accessing domain printers, shares, and other windows boxes' shares.

I can login to my linux box with a Domain user name using Domain+Username, and password.. but i get an "id: cannot find name for group ID 10000", though it seems to log me in okay and creates a home share under /home/Domain/Username.

i can lookup any netbios name on my lan alright, and view the shares, but if i startup X, open konqueror (KDE) and type smb://pc101 (or whatever netbios name) i get a prompt for Username and Password (even though i'm already logged in as a domain user). Fine, i enter the username and password, then konq lists the shares on that machine (correctly!) - i attempt to open a share that i know i have access to with this login name (from normal windows machines) - and it asks again for my username and password.. i enter it, the prompt goes away and it just hangs there like it's trying to load the list of files on that share... (the sprocket is turning in the browser, but nuthin's goin on)...

Ideas?

Also> I can't access the public folder on the Linux box from windows machines, but I suspect that has to do with the way that the public share in smb.conf is set up...

I can post every single step of my samba/winbind/pam config if needed - I was hoping someone might know off the top of their head where these errors are coming from...

Thanks in advance for any wisdom you can offer!

Jason Sheldon
Sheldon, Jason
2003-Mar-11 17:05 UTC
[Samba] RE: Samba with winbind setup but some glitches
I typed that question up rather hastily last night before leaving work:
I'll add that i'm running Redhat 8.0, Samba 2.2.7a --with-pam (should have
done --with-winbind, but i didn't know about that with option until after).
Another note: i had just freshly installed Redhat 8.0 with absolutely no
smb/samba options -so i've had to setup pretty much everything by hand -
scripts and all. (of course, i wasn't bright enough to realize that the
samba source comes with the init.d run scripts until after..!)
1. what i want: To physically login to the linux box with my NT 4.0 domain
username, and have access to all the domain shares/printers/email as if i
were on a windows machine. i realize the only way to connect to native
exchange server and have contacts/calendar function is to use ximian
evolution with the connector- which you have to pay for...pop3 works okay i
guess.
2. issue 1> I am able to login, but I'm finding it difficult to browse the
windows shares - as said in the previous message, if i open Konqueror and
type smb://pcnetbiosname i get a prompt to provide login creds, then it
displays the shares, then i click the share i want, then it asks again for
login credentials, then it just sits there thinking...
in your guys' experience what are some of the better "Network Neighborhood"
browsers?/best way to connect to windows shares with the gui? (KDE or GNOME)
issue 2> when i login from the shell, I get a "id: cannot find name for
group ID 10000". If i login at the X login it seems to authenticate right,
but then it just brings me right back to the login screen...
issue 3 smbd> there are multiple smbd daemons running...so far not more than
2, maybe 3..when i restart the daemon /etc/rc.d/init.d/smb restart - it
loads nmbd and smbd just fine, and there is only one of each. i'll look
back a while later and there are a couple smbd's..is this normal? Does smbd
run an instance for each connection?
issue 4 smbstatus> when i lookup smbstatus - it displays that i have a
connection to 10.100.101.1 which is an NT 4.0 PDC on a different subnet
(same subnet mask) -it doesn't display the PDC on my local subnet...strange?
in my smb.conf it's supposed to connect to 10.100.100.1 --
question 5> is this setup supposed to be case sensitive when logging in with
Domain+username and password? my NT passwords (and even one of my logins)
contain both upper and lowercase + numerical characters
3. what i did:
configured samba from /usr/local/src/samba-2.2.7a --with-smbmount --with-pam
(should have added winbind? any others?)
configured smb.conf: (it's in /usr/local/samba/lib/smb.conf)
------------------------------------------------
[global]
name resolve order = wins lmhosts bcast
wins server = 10.100.100.1
wins support = no
domain master = no
local master = no
os level = 0
preferred master = no
workgroup = INFORMANT
server string = PC118
netbios name = PC118
security = domain
password server = SRV01 SRV02 #(PDC and BDC respectively)
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
winbind separator = +
winbind gid = 10000-20000
winbind uid = 10000-20000
winbind enum groups = yes
winbind enum users = yes #(there are about 85 users on our domain, and only 9 groups)
template shell = /bin/bash
template homedir = /home/%D/%U
[public] #it was just a quick attempt to create a domain accessible share for anyone, i can open the share but cannot write to it.
path = /transfer ##which has drwxr-xr-x permissions owned by root##
guest ok = yes
writeable = yes
---------------------------------
i have the scripts for nmbd/smbd/winbindd in /etc/rc.d/init.d/smb and
/etc/rc.d/init.d/winbindd - with symlinks to rc3, rc5, and rc6 (K)
i did:
touch /var/cache/samba/unexpected.tdb #(though i have no clue what this
does)
I joined the domain successfully with
[root@pc118 /] smbpasswd -j INFORMANT -r SRV01 -U Administrator #(password entered when prompted)
joined domain successfully
I edited /etc/nsswitch.conf so that
passwd: files winbind
shadow: files nisplus
group: files winbind
I tested wbinfo -u and -g, it gets users/groups from domain.
/]getent passwd gets a password list from domain (is it supposed to save
them in /etc/passwd or anywhere else or just DISPLAY the domain
users/passwords? it displays them, but doesn't save them anywhere. i
assume that's correct).
created home dir for domain users:
mkdir /home/INFORMANT
chmod 755 /home/INFORMANT
from samba-2.2.7a/source/]# cp nsswitch/pam_winbind.so /lib/security
/]# chmod 755 /lib/security/pam_winbind.so
samba-2.2.7a/source/]# cp nsswitch/libnss_winbind.so /lib
/]# chmod 755 /lib/libnss_winbind.so
/]# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
Edited PAM modules /etc/pam.d/system-auth
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
-----------
edited /etc/pam.d/login
#%Pam-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
After all that i also did the mksmbpasswd.sh as instructed in the
Encryption.html (i think it was encryption) - is this necessary when running
security = domain with winbind??
[root@pc118 private/]# chmod 500 .; chmod 600 smbpasswd
here are my startup scripts:
/etc/rc.d/init.d/smb
------------------------------------------
#!/bin/sh
#
#chkconfig: - 91 35
#
# source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
#Check that smb.conf exists
[ -f /usr/local/samba/lib/smb.conf ] || exit 0
RETVAL=0 #(this means "return value"? i'm not a programmer, so i was curious about this parameter.)
# See how we were called.
case "$1" in
start)
killall smbd
killall nmbd
echo -n "Starting SMB services: "
/usr/local/samba/bin/smbd -D
echo -n "Starting NMB services: "
/usr/local/samba/bin/nmbd -D
echo
;;
stop)
killall smbd
killall smbd
;;
restart)
$0 stop
$0 start
RETVAL=$?
;;
reload)
kill -SIGHUP `cat /usr/local/samba/var/locks/smbd.pid`
kill -SIGHUP `cat /usr/local/samba/var/locks/nmbd.pid`
;;
status)
statusproc /usr/local/samba/bin/smbd #(note> statusproc seems to be an unknown command on my system)
statusproc /usr/local/samba/bin/nmbd
RETVAL=$?
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
esac
exit $RETVAL
---------------------------------------------------------
is the winbindd daemon script pertinent?
I basically pieced the smb script together from snippets i found on the web,
i suppose i could copy over the sample script found in the examples file in
the samba source - would this solve my multiple smbd issue?
Thanks again for any insight you can offer me on the above problems!
If anyone finds this step-by-step samba/winbind for NT 4.0 domain useful,
that's great too. like i said, it's CLOSE to working nicely..
my goal at the moment is to have a windows 98/nt workstation replacement
machine (linux) to access NT shares/printers/exchange server - for doing day
to day work/emails, nothing too fancy. i just want it to function easily
when manually browsing "network neighborhood" and opening shares/printing.
if at all possible that is...
Jason Sheldon
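
Added example, not part of the original post or of Samba: a small shell lint for two things visible in the smb.conf quoted above, namely notes written after a value on the same line (smb.conf only treats `#` or `;` as a comment at the start of a line) and a share marked writeable whose directory grants write access to its owner only, as /transfer does. The names `lint_smbconf` and `demo` are hypothetical, and the sample config is constructed from the posted one with a temporary directory standing in for /transfer.

```shell
# Added example (not from the post); lint_smbconf and demo are hypothetical names.
lint_smbconf() {
    conf=$1
    # Check 1: '#' or ';' is a comment only at line start; after a value it stays in the value.
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*\[/ || !/=/ { next }
        { v = $0; sub(/^[^=]*=/, "", v) }
        v ~ /[ \t]#/ { sub(/^[ \t]+/, ""); printf "TRAILING_COMMENT line %d: %s\n", NR, $0 }
    ' "$conf"
    # Check 2: list writeable shares with their path, then inspect the directory.
    awk '
        function flush() { if (sec != "" && sec != "global" && wr && path != "") print sec "\t" path }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { flush(); sec = tolower($0); sub(/^[ \t]*\[/, "", sec)
                      sub(/\].*/, "", sec); wr = 0; path = ""; next }
        /=/ {
            k = tolower($0); sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+#.*/, "", v); sub(/[ \t]+$/, "", v)
            yes = (tolower(v) ~ /^(yes|true|1)$/)
            if (k == "path") path = v
            if (k == "writeable" || k == "writable" || k == "writeok") wr = yes
            if (k == "readonly") wr = !yes
        }
        END { flush() }
    ' "$conf" | while IFS="$(printf '\t')" read -r share dir; do
        [ -d "$dir" ] || continue
        mode=$(ls -ld "$dir" | cut -c1-10)
        # No group or other write bit: only the owning uid can create files.
        case $mode in
            d????-??-?) echo "OWNER_ONLY_WRITE [$share] $dir is $mode" ;;
        esac
    done
}
# Constructed sample modelled on the posted smb.conf; the path is a temp dir.
demo() {
    d=$(mktemp -d) && mkdir "$d/transfer" && chmod 755 "$d/transfer"
    cat > "$d/smb.conf" <<EOF
[global]
   security = domain
   password server = SRV01 SRV02 #(PDC and BDC respectively)
[public]
   path = $d/transfer
   guest ok = yes
   writeable = yes
EOF
    lint_smbconf "$d/smb.conf"
    rm -rf "$d"
}
demo
```

To check the file from the post, call `lint_smbconf /usr/local/samba/lib/smb.conf` on the machine that holds it.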