Thomas Zehbe
2003-Oct-27 10:54 UTC
[Samba] winbind cannot get domain SID, no authentication
Hi Folks,

an installation using samba 2.2.7a on a SuSE 8.2 box (2.4.20 kernel) doesn't work using winbind to authenticate users at an NT 4.0 SP6a Server. But it did work until last Monday.

Rejoining the domain (smbpasswd -j), setting the SID (smbpasswd -w), reinstalling SP6a on the NT box - nothing helps.

Does anyone have any idea???
Here are some lines of the logs and configs.

winbind (seems to me to be the core problem):
...
[2003/10/22 11:22:34, 1] nsswitch/winbindd_util.c:init_domain_list(144)
  Retrying startup domain sid fetch for CDU
...

smbd:
...
[2003/10/22 08:01:58, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2003/10/22 08:01:58, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
  cli_nt_setup_creds: auth2 challenge failed
[2003/10/22 08:01:58, 0] smbd/password.c:connect_to_domain_password_server(1367)
  connect_to_domain_password_server: unable to setup the PDC credentials
  to machine C150. Error was : NT_STATUS_OK.
[2003/10/22 08:01:58, 0] smbd/password.c:domain_client_validate(1599)
  domain_client_validate: Domain password server not available.
[2003/10/22 08:01:58, 1] lib/util_sock.c:get_socket_name(977)
  Gethostbyaddr failed for 192.168.2.232
[2003/10/22 08:01:58, 1] smbd/service.c:make_connection(636)
  stiewe2 (192.168.2.232) connect to service stiewe as user stiewe
  (uid=10025, gid=10000) (pid 4887)
...

The 192.168.2.232 is the client that tries to connect.

smb.conf:
[global]
    workgroup = xyz
    netbios name = GENERAL
    interfaces = 192.168.2.100/255.255.255.0
    security = DOMAIN
    encrypt passwords = Yes
    password server = 192.168.2.200
    log level = 1
    null passwords = yes
    debug level = 1
    syslog = 0
    time server = Yes
    unix extensions = Yes
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
    printcap name = CUPS
    character set = ISO8859-15
    client code page = 850
    add user script = useradd -d /dev/null -g 500 -s /bin/false %m$
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U\profile
    domain logons = Yes
    os level = 64
    domain master = No
    wins server = 192.168.2.200

    winbind uid = 10000-20000
    winbind gid = 10000-20000
    template homedir = /nutzerdaten/winhomes/%U
    obey pam restrictions = yes

Thanks

Thomas Zehbe

INGENION GmbH
Fon 0 50 31 / 9 02 04-2
Fax 0 50 31 / 9 02 04-9
www.ingenion.de
Hi,

first update your samba from the SuSE server to 2.2.8a (3.0), which is on SuSE's FTP server or available via yast, for several security bugs.

"Gethostbyaddr failed for 192.168.2.232" seems to me like samba can't connect to the win server. Maybe you have a broken NIC, cable, hub etc. Did you check this with nmap or ethereal, ping etc.? Have you installed new iptables rules or used yast for an update (which sometimes makes trouble)?

Service packs on Windows will not be the resolution and are not involved with that stuff after all after reinstalled service pack invokes a new domain trust.... But I am nearly sure you have a network problem..... Try nmblookup to your NT server.

Best Regards
Thomas Zehbe
2003-Oct-27 13:34 UTC
[Samba] winbind cannot get domain SID, no authentication
Hi,

thanks for your hints!

I think the network is not a problem, because all users can authenticate at the NT domain during login and see the shares. Ping and nbtstat also succeed. The LINUX box was installed from scratch with yast using standard options. No special iptables rules were applied.

The configuration was working successfully for several weeks without any problems, but stopped working last Monday. Nothing has changed in the config at this time.

Does anybody know what the winbind message "Retrying startup domain sid fetch for ... " really means and what could be the reason for it? This is the only permanently repeated message in the winbind log.

Thanks
Thomas

rruegner wrote:
> Hi, first update your samba from the SuSE server to 2.2.8a (3.0),
> which is on SuSE's FTP server or available via yast, for several security bugs.
> "Gethostbyaddr failed for 192.168.2.232" seems to me like samba
> can't connect to the win server. Maybe you have a broken NIC, cable, hub etc.
> Did you check this with nmap or ethereal, ping etc.? Have you installed
> new iptables rules or used yast for an update (which sometimes makes trouble)?
> Service packs on Windows will not be the resolution and are not involved with
> that stuff
> after all after reinstalled service pack invokes a new domain trust.... But I
> am nearly sure you have a network problem..... Try nmblookup to your NT server.
> Best Regards

--
Thomas Zehbe

INGENION GmbH
Fon 0 50 31 / 9 02 04-2
Fax 0 50 31 / 9 02 04-9
www.ingenion.de
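
A triage sketch for the smbd excerpt in the first message, added here as an example and not part of the thread or of Samba: it groups each log header with its message lines, reports the first non-OK NT status, and separates reverse-lookup failures for the password server from those for other hosts. The function names are hypothetical; the log lines and the password server address are copied from the post.

```python
import re

# Samba 2.2-style entry: "[date time, level] file:function(line)", then message lines.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+):(\w+)\((\d+)\)$")
STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"time": m[1], "level": int(m[2]), "func": m[4], "msg": ""})
        elif entries and line and line != "...":
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage(text, password_server):
    """Return the first non-OK status (with its function) and reverse-lookup
    failures split by whether the address is the password server."""
    root = None
    rdns = {"password_server": [], "other_host": []}
    for e in parse_entries(text):
        bad = [s for s in STATUS.findall(e["msg"]) if s != "NT_STATUS_OK"]
        if bad and root is None:
            root = (e["func"], bad[0])
        if "Gethostbyaddr failed" in e["msg"]:
            for ip in IPV4.findall(e["msg"]):
                key = "password_server" if ip == password_server else "other_host"
                rdns[key].append(ip)
    return root, rdns

# Log lines copied from the first message; the address is its "password server" setting.
SAMPLE = """\
[2003/10/22 08:01:58, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2003/10/22 08:01:58, 0] smbd/password.c:connect_to_domain_password_server(1367)
  connect_to_domain_password_server: unable to setup the PDC credentials
  to machine C150. Error was : NT_STATUS_OK.
[2003/10/22 08:01:58, 1] lib/util_sock.c:get_socket_name(977)
  Gethostbyaddr failed for 192.168.2.232
"""

if __name__ == "__main__":
    root, rdns = triage(SAMPLE, "192.168.2.200")
    print("first failing status:", root)
    print("reverse-lookup failures:", rdns)
```

NT_STATUS_NO_TRUST_SAM_ACCOUNT is the status a domain controller returns when its SAM database has no computer account for the workstation's trust relationship.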