Hello,
I am attempting to add a Red Hat 9 box to our NT4 domain as a member
server. I want to enumerate user and group info so I don't have to make
two sets of user and group accounts. I've set up samba (version 2.2.7a)
and pamd the way I think I'm supposed to, but wbinfo -u always returns
0xc0000022. I've found this particular error mentioned in a few
articles, but applying the various remedies offered has resulted in no
change.
wbinfo -t: the secret was good, but over the weekend (and after a reboot
of the PDC and BDC) it's now bad. It returns 0xc00000e5.
I've used wbinfo -a to authenticate to the domain as the domain admin -
it authenticated successfully - no change in response of wbinfo -u. (Also,
I noticed it was passing the password in cleartext, something I'd rather
not do.)
In case this is an issue: RestrictAnonymous is set to 1 on the PDC.
I had no trouble adding the machine to the domain. I don't think I did,
at least. I started in the Server Manager of the PDC, then ran
smbpasswd. I can use smbmount to view shares in the domain on the Red Hat
box, plus test shares I've set up on the Red Hat box are viewable by
others if I've established a local account for them.
--various files, with a few things changed to protect privacy:
/etc/samba/smb.conf
NOTE: wins server is numeric ip and is correct; hosts allow does match
our subnet; password server and remote announce are the netbios names of
our pdc and bdc
[global]
log file = /var/log/samba/%m.log
smb passwd file = /etc/samba/smbpasswd
load printers = yes
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
obey pam restrictions = yes
wins server = xx.xx.xx.xx
encrypt passwords = yes
hosts allow = xx.xx
passwd program = /usr/bin/passwd %u
dns proxy = no
netbios name = netname
server string = serverstring
printing = cups
password server = pdc bdc
unix password sync = Yes
local master = no
remote announce = pdc
workgroup = DOMAIN
os level = 2
printcap name = /etc/printcap
security = domain
preferred master = no
max log size = 0
pam password change = yes
username map = /etc/samba/smbusers
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
template homedir = /home/%U
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
add user script = /usr/sbin/adduser -d /home/%D/%U %u
/etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
account sufficient /lib/security/pam_winbind.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
/etc/pam.d/samba
#%PAM-1.0
auth required pam_nologin.so
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth sufficient pam_ldap.so
auth sufficient pam_smb_auth.so use_first_pass
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth required pam_deny.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
/etc/pam_smb.conf
DOMAIN
pdc
bdc
(substitute actual domain and netbios names of pdc and bdc)
What should I check next? Any help would be appreciated.
Michael Salmons
salmonsm@missouri.edu
You should use wbinfo -A user%password
You need only a valid user, not an administrator user.
HTH.
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Thanks for that info. No effect on the problem, though..
-----Original Message-----
From: Zylo [mailto:shiningzylo@caramail.com]
Sent: Wednesday, March 03, 2004 5:05 AM
To: samba@lists.samba.org
Subject: [Samba] Re: wbinfo -u returns 0xc0000022
You should use wbinfo -A user%password
You need only a valid user, not an administrator user.
HTH.
I figured out what was going on and thought I'd share it. The account I was
invoking with wbinfo -A has a special character in the password that
coincides with the character I myself had designated in the winbind config
as the separator between domain and username! Du-uhhh. So the PDC thought I
was trying to send the domain name couched inside the user's password. Made
for some entertaining entries in the PDC's security logs.
Thanks for your responses.
Michael
-----Original Message-----
From: keith_allen@safeway.co.uk [mailto:keith_allen@safeway.co.uk]
Sent: Wednesday, March 03, 2004 10:19 AM
To: Salmons, Michael
Subject: RE: [Samba] Re: wbinfo -u returns 0xc0000022
I also had the same problem when I first set up samba. I don't know if this
will help, but the samba server was on ethernet, i.e. with a frame size of
1500, and the NT domain controller it was talking to was on token ring with
a frame size of 4096. I changed the token ring max frame size to 1500 and it
solved the problem. I have also seen the Windows error 'path too deep'
caused by this problem.
Hope this helps
Keith Allen
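An added example, not part of the thread or of Samba: a Python pre-flight check for the collision described in the final message, where the password in a user%password argument contains the configured winbind separator. The sample smb.conf text and credentials are constructed, and naive_split is a hypothetical model of an ambiguous parse, not Samba's own parser.

```python
import re

DEFAULT_SEPARATOR = "\\"  # Samba's default "winbind separator" is a backslash

# Constructed sample, mirroring the relevant lines of the posted smb.conf.
SAMPLE_CONF = """\
[global]
; comment line
workgroup = DOMAIN
security = domain
winbind separator = +
"""

def winbind_separator(smb_conf_text):
    """Return the 'winbind separator' value from smb.conf text (last one wins)."""
    sep = DEFAULT_SEPARATOR
    for line in smb_conf_text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and whitespace inside parameter names.
        if re.sub(r"\s+", "", key).lower() == "winbindseparator":
            sep = value.strip() or DEFAULT_SEPARATOR
    return sep

def check_credential(cred, sep):
    """Split 'user%password' at the first '%' and list ambiguities found."""
    user, has_pw, password = cred.partition("%")
    problems = []
    if not has_pw:
        problems.append("no '%' found: password missing")
    if sep in password:
        problems.append("password contains winbind separator %r" % sep)
    if "%" in password:
        problems.append("password contains '%'")
    if user.count(sep) > 1:
        problems.append("username contains more than one separator")
    return problems

def naive_split(cred, sep):
    """Hypothetical parse that splits the whole string at the LAST separator,
    showing how part of the password can end up on the wrong side."""
    left, found, right = cred.rpartition(sep)
    return (left, right) if found else ("", cred)

if __name__ == "__main__":
    sep = winbind_separator(SAMPLE_CONF)
    for cred in ("DOMAIN+jdoe%S3cret+1", "DOMAIN+jdoe%plainpw"):  # constructed
        print(cred, "->", check_credential(cred, sep) or "ok")
```

Running the check before scripting wbinfo calls flags the account that needs a different separator or a changed password.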