Hello,

I am running a Samba server (3.0.7) on a Suse 9.2 box. I have connected this server successfully to a Windows 2000 Active Directory (mixed mode). I have nsswitch.conf, krb5.conf configured and winbind seems to be running properly for the most part. With wbinfo I can get all of my user and group information. Problem is, it seems that at random times, the samba server just stops authenticating the windows user names and accounts. If I restart the winbind or smb service, then all seems to be well again for a while. Right now the only way I can keep this running is to run a cron job that restarts the samba and winbind services every hour. This is really bugging me as I cannot figure out what is going on. Can anyone help me? I have included some of my configuration and log files below. Thanks in advance.

---------/etc/samba/smb.conf----------
# Samba Configuration File

[global]
    workgroup = WAYNE
    realm = WAYNE.LOCAL
    server string = Samba Server
    security = ADS
    password server = adserver.wayne.local
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    winbind use default domain = no
    winbind separator = /

[users]
    comment = Users on Linux
    path = /home/WAYNE
    read only = No
    browseable = Yes

---------/etc/nsswitch.conf-------
passwd: files winbind
group: files winbind
hosts: files dns wins winbind
networks: files dns

---------/etc/krb5.conf-----------
[libdefaults]
    default_realm = WAYNE.LOCAL
    clockskew = 300

[realms]
WAYNE.LOCAL = {
    kdc = police.wayne.local
    default_domain = WAYNE.LOCAL
    kpasswd_server = adserver.wayne.local
}
[domain_realm]
    .WAYNE.LOCAL = WAYNE.LOCAL
[appdefaults]
pam = {
    ticket_lifetime = 365d
    renew_lifetime = 365d
    forwardable = true
    proxiable = false
    retain_after_close = true
    minimum_uid = 0
}

----------/var/log/samba/log.smbd--------
[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/LIEUTENANT1$ is invalid on this system
[2004/12/20 15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/LIEUTENANT1$ is invalid on this system
[2004/12/20 15:25:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/LIEUTENANT1$ is invalid on this system
[2004/12/20 15:25:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/LIEUTENANT1$ is invalid on this system
.
.
.
[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/DISPATCH_GW1$ is invalid on this system
[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/DISPATCH_GW1$ is invalid on this system
[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/DISPATCH_GW1$ is invalid on this system

----------/var/log/samba/log.winbindd-------------------
[2004/12/20 16:51:07, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/12/20 16:56:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2004/12/20 16:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist
[2004/12/20 17:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist
[2004/12/20 17:01:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2004/12/20 17:06:24, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2004/12/20 17:11:40, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2004/12/20 17:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
????
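Added example (not part of any message in this thread): a small Python parser for the two-line Samba log format shown in the post above. It groups repeated entries with first and last time seen and lists the account names smbd rejected; the sample lines are copied from the post's logs, the function names are this example's own, and it assumes message lines are indented under their header line.

```python
import re
from datetime import datetime

# Header of a Samba 3 log entry: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)$"
)
INVALID_USER = re.compile(r"^Username (?P<name>\S+) is invalid on this system$")

# Lines copied from the log.smbd and log.winbindd excerpts in the post,
# including the "." elision markers and the last entry, which has no message.
SAMPLE_LOG = """\
[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/LIEUTENANT1$ is invalid on this system
[2004/12/20 15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/LIEUTENANT1$ is invalid on this system
.
.
[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/DISPATCH_GW1$ is invalid on this system
[2004/12/20 16:51:07, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/12/20 16:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist
[2004/12/20 17:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist
[2004/12/20 17:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
"""


def parse_entries(text):
    """Return one dict per log entry; indented lines are joined into 'msg'."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw.rstrip())
        if m:
            current = {
                "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "level": int(m["level"]),
                "where": f'{m["src"]}:{m["func"]}',
                "msg": "",
            }
            entries.append(current)
        elif current is not None and raw[:1] in (" ", "\t") and raw.strip():
            # Assumption: message lines are indented under their header.
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
        # Anything else (e.g. "." elision markers from a paste) is ignored.
    return entries


def summarize(entries):
    """Group identical (where, msg) pairs: count, first and last time seen."""
    groups = {}
    for e in entries:
        g = groups.setdefault(
            (e["where"], e["msg"]),
            {"count": 0, "first": e["time"], "last": e["time"]},
        )
        g["count"] += 1
        g["first"] = min(g["first"], e["time"])
        g["last"] = max(g["last"], e["time"])
    return groups


def rejected_accounts(entries):
    """Names from 'Username X is invalid on this system', with counts.

    A trailing '$' marks an AD machine (computer) account, not a person.
    """
    out = {}
    for e in entries:
        m = INVALID_USER.match(e["msg"])
        if m:
            rec = out.setdefault(
                m["name"], {"count": 0, "machine_account": m["name"].endswith("$")}
            )
            rec["count"] += 1
    return out


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for (where, msg), g in summarize(parsed).items():
        print(f'{g["count"]:3d}  {g["first"]:%H:%M:%S}-{g["last"]:%H:%M:%S}  '
              f'{where}  {msg or "(no message)"}')
    for name, rec in rejected_accounts(parsed).items():
        kind = "machine account" if rec["machine_account"] else "user"
        print(f'rejected {rec["count"]}x: {name} ({kind})')
```

Run against the full log.smbd and log.winbindd, the first and last times per group show whether a given message starts when authentication stops or is present all along.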
Brian Kesting wrote:

>Hello,
>
>I am running a Samba server (3.0.7) on a Suse 9.2 box. I have connected this server successfully to a Windows 2000 Active Directory (mixed mode). I have nsswitch.conf, krb5.conf configured and winbind seems to be running properly for the most part. With wbinfo I can get all of my user and group information. Problem is, it seems that at random times, the samba server just stops authenticating the windows user names and accounts. If I restart the winbind or smb service, then all seems to be well again for a while. Right now the only way I can keep this running is to run a cron job that restarts the samba and winbind services every hour. This is really bugging me as I cannot figure out what is going on. Can anyone help me? I have included some of my configuration and log files below. Thanks in advance.
>
>---------/etc/samba/smb.conf----------
># Samba Configuration File
>
>[global]
>    workgroup = WAYNE
>    realm = WAYNE.LOCAL
>    server string = Samba Server
>    security = ADS
>    password server = adserver.wayne.local
>    encrypt passwords = yes
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    template shell = /bin/bash
>    winbind use default domain = no
>    winbind separator = /
>

The separator might be a problem.

>[users]
>    comment = Users on Linux
>    path = /home/WAYNE
>    read only = No
>    browseable = Yes
>
>---------/etc/nsswitch.conf-------
>passwd: files winbind
>group: files winbind
>hosts: files dns wins winbind
>networks: files dns
>
>---------/etc/krb5.conf-----------
>[libdefaults]
>    default_realm = WAYNE.LOCAL
>    clockskew = 300
>
>[realms]
>WAYNE.LOCAL = {
>    kdc = police.wayne.local
>    default_domain = WAYNE.LOCAL
>    kpasswd_server = adserver.wayne.local
>}
>[domain_realm]
>    .WAYNE.LOCAL = WAYNE.LOCAL
>[appdefaults]
>pam = {
>    ticket_lifetime = 365d
>    renew_lifetime = 365d
>    forwardable = true
>    proxiable = false
>    retain_after_close = true
>    minimum_uid = 0
>}
>
>----------/var/log/samba/log.smbd--------
>[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>  Username WAYNE/LIEUTENANT1$ is invalid on this system
>[2004/12/20 15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>  Username WAYNE/LIEUTENANT1$ is invalid on this system
>[2004/12/20 15:25:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>  Username WAYNE/LIEUTENANT1$ is invalid on this system
>[2004/12/20 15:25:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>  Username WAYNE/LIEUTENANT1$ is invalid on this system
>.
>.
>.
>[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>  Username WAYNE/DISPATCH_GW1$ is invalid on this system
>[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>  Username WAYNE/DISPATCH_GW1$ is invalid on this system
>[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>  Username WAYNE/DISPATCH_GW1$ is invalid on this system
>
>----------/var/log/samba/log.winbindd-------------------
>[2004/12/20 16:51:07, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>  krb5_cc_get_principal failed (No such file or directory)
>[2004/12/20 16:56:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>[2004/12/20 16:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>  user 'root' does not exist
>[2004/12/20 17:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>  user 'root' does not exist
>[2004/12/20 17:01:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>[2004/12/20 17:06:24, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>[2004/12/20 17:11:40, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>[2004/12/20 17:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>????
I have tried using a + separator with no success.

---------- Original Message ----------------------------------
From: Tom Skeren <tms3@fsklaw.com>
Date: Mon, 20 Dec 2004 15:25:54 -0800

Brian Kesting wrote:
>    winbind separator = /

The separator might be a problem.
I have tried using a + separator with no success.

I also get this in my log.winbindd file as soon as I restart winbind:

[2004/12/20 17:33:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)

---------- Original Message ----------------------------------
From: Tom Skeren <tms3@fsklaw.com>
Date: Mon, 20 Dec 2004 15:25:54 -0800

Brian Kesting wrote:
>    winbind separator = /

The separator might be a problem.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
I read something about nscd causing problems before I even installed the system, so I never even installed that service.

Here is an updated /var/log/samba/log.winbindd file.....btw, thanks for the quick help and tips so far, I appreciate it.

[2004/12/20 17:33:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/12/20 17:38:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2004/12/20 17:43:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2004/12/20 17:45:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist
[2004/12/20 17:49:01, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2004/12/20 17:52:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
  ads_search_retry: failed to reconnect (Invalid credentials)

---------- Original Message ----------------------------------
From: Brett Stevens <brett.stevens@hubbub.com.au>
Date: Tue, 21 Dec 2004 10:33:30 +1100

One thing I noticed when having similar problems is that for some reason nscd seems to be a problem; stop this service and restart all samba services, including smbd, nmbd and winbind.

Let us know how it goes.

Brett Stevens

-----Original Message-----
From: Brian Kesting [mailto:bkesting@cityofwayne.org]
Sent: Tuesday, December 21, 2004 10:29 AM
To: samba@lists.samba.org
Subject: [Samba] winbind problems

Hello,

I am running a Samba server (3.0.7) on a Suse 9.2 box. I have connected this server successfully to a Windows 2000 Active Directory (mixed mode). I have nsswitch.conf, krb5.conf configured and winbind seems to be running properly for the most part. With wbinfo I can get all of my user and group information. Problem is, it seems that at random times, the samba server just stops authenticating the windows user names and accounts.
Someone told me once to try to remove the Samba server from the domain, rename it, and rejoin the domain......would that solve any problems in your opinion?

---------- Original Message ----------------------------------
From: "Brian Kesting" <bkesting@cityofwayne.org>
Reply-To: bkesting@cityofwayne.org
Date: Mon, 20 Dec 2004 18:05:47 -0600

I read something about nscd causing problems before I even installed the system, so I never even installed that service.
My setup looks about identical to the setup you have listed in the link you provided.

Since this line:

libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)

keeps appearing in my winbind log file, I am thinking it is a kerberos problem too.

Do you see anything wrong with my /etc/krb5.conf file?

[libdefaults]
    default_realm = WAYNE.LOCAL
    clockskew = 300

[realms]
WAYNE.LOCAL = {
    kdc = police.wayne.local
    default_domain = WAYNE.LOCAL
    kpasswd_server = police.wayne.local
}
[domain_realm]
    .WAYNE.LOCAL = WAYNE.LOCAL
[appdefaults]
pam = {
    ticket_lifetime = 365d
    renew_lifetime = 365d
    forwardable = true
    proxiable = false
    retain_after_close = true
    minimum_uid = 0

---------- Original Message ----------------------------------
From: "Thomas M. Skeren III" <tms3@fskklaw.com>
Date: Mon, 20 Dec 2004 17:16:38 -0800

Brian Kesting wrote:
>Someone told me once to try to remove the Samba server from the domain, rename it, and rejoin the domain......would that solve any problems in your opinion?

That is an odd solution, unless AD is mangled with respect to the samba server name. Methinks you have a kerberos problem. My servers are FreeBSD, but I do have a bare bones guide for setting up samba as an AD member server in FreeBSD. If you use Linux it can only be a reference, but it's an easy read.

<http://www.fsklaw.com/fbsdconfig.html>

>---------- Original Message ----------------------------------
>From: "Brian Kesting" <bkesting@cityofwayne.org>
>Reply-To: bkesting@cityofwayne.org
>Date: Mon, 20 Dec 2004 18:05:47 -0600
>
>I read something about nscd causing problems before I even installed the system, so I never even installed that service.
>
>Here is an updated /var/log/samba/log.winbindd file.....btw, thanks for the quick help and tips so far, I appreciate it.
So the kticket needs to be valid for any samba/winbind services to work properly? It appears that when I issued the kinit command, my ticket will expire in about 10 hours with a ticket renewable lifetime of 1 week......how do I change that? I am still getting the odd messages in my winbind log file though....I am really perplexed.

---------- Original Message ----------------------------------
From: "Thomas M. Skeren III" <tms3@fskklaw.com>
Date: Mon, 20 Dec 2004 17:19:22 -0800

Brian Kesting wrote:

>I have changed the separator to '+'
>
>Also, my kerberos ticket was expired.....I re-issued a kinit username@DOMAIN command to renew it.
>
>Could that be the source of my problems?
>

Yes.

>---------- Original Message ----------------------------------
>From: "Thomas M. Skeren III" <tms3@fskklaw.com>
>Date: Mon, 20 Dec 2004 17:09:33 -0800
>
>Brian Kesting wrote:
>
>>I have tried using a + separator with no success.
>>
>I use _ which works well. I'm just guessing here, but *nix's use / as a
>very significant character.
>
>>---------- Original Message ----------------------------------
>>From: Tom Skeren <tms3@fsklaw.com>
>>Date: Mon, 20 Dec 2004 15:25:54 -0800
>>
>>Brian Kesting wrote:
>>
>>>Hello,
>>>
>>>I am running a Samba server (3.0.7) on a Suse 9.2 box. I have connected this server successfully to a Windows 2000 Active Directory (mixed mode). I have nsswitch.conf, krb5.conf configured and winbind seems to be running properly for the most part. With wbinfo I can get all of my user and group information. Problem is, it seems that at random times, the samba server just stops authenticating the windows user names and accounts. If I restart the winbind or smb service, then all seems to be well again for a while. Right now the only way I can keep this running is to run a cron job that restarts the samba and winbind services every hour. This is really bugging me as I cannot figure out what is going on. Can anyone help me?
>>>I have included some of my configuration and log files below. Thanks in advance.
>>>
>>>---------/etc/samba/smb.conf----------
>>># Samba Configuration File
>>>
>>>[global]
>>>    workgroup = WAYNE
>>>    realm = WAYNE.LOCAL
>>>    server string = Samba Server
>>>    security = ADS
>>>    password server = adserver.wayne.local
>>>    encrypt passwords = yes
>>>    idmap uid = 10000-20000
>>>    idmap gid = 10000-20000
>>>    template shell = /bin/bash
>>>    winbind use default domain = no
>>>    winbind separator = /
>>>
>>The separator might be a problem.
>>
>>>[users]
>>>    comment = Users on Linux
>>>    path = /home/WAYNE
>>>    read only = No
>>>    browseable = Yes
>>>
>>>---------/etc/nsswitch.conf-------
>>>passwd: files winbind
>>>group: files winbind
>>>hosts: files dns wins winbind
>>>networks: files dns
>>>
>>>---------/etc/krb5.conf-----------
>>>[libdefaults]
>>>    default_realm = WAYNE.LOCAL
>>>    clockskew = 300
>>>
>>>[realms]
>>>WAYNE.LOCAL = {
>>>    kdc = police.wayne.local
>>>    default_domain = WAYNE.LOCAL
>>>    kpasswd_server = adserver.wayne.local
>>>}
>>>[domain_realm]
>>>    .WAYNE.LOCAL = WAYNE.LOCAL
>>>[appdefaults]
>>>pam = {
>>>    ticket_lifetime = 365d
>>>    renew_lifetime = 365d
>>>    forwardable = true
>>>    proxiable = false
>>>    retain_after_close = true
>>>    minimum_uid = 0
>>>}
>>>
>>>----------/var/log/samba/log.smbd--------
>>>[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>[2004/12/20 15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>[2004/12/20 15:25:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>[2004/12/20 15:25:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>.
>>>.
>>>.
I am using Suse 9.2 and heimdal 0.6.2

---------- Original Message ----------------------------------
From: "Thomas M. Skeren III" <tms3@fskklaw.com>
Date: Mon, 20 Dec 2004 17:43:07 -0800

Brian Kesting wrote:

>My setup looks about identical to the setup you have listed in the link you provided.
>
>Since this line:
>libsmb/clikrb5.c:ads_krb5_mk_req(313)
>  krb5_cc_get_principal failed (No such file or directory)
>
>keeps appearing in my winbind log file, I am thinking it is a kerberos problem too. Do you see anything wrong with my /etc/krb5.conf file?
>
>[libdefaults]
>    default_realm = WAYNE.LOCAL
>    clockskew = 300
>

Try adding :

dns_lookup_realm = false
dns_lookup_kdc = false

Also which OS are you using? What Kerberos? The default etypes lines are necessary for Heimdal, but I don't think they are necessary for MIT.

>[realms]
>WAYNE.LOCAL = {
>    kdc = police.wayne.local
>    default_domain = WAYNE.LOCAL
>    kpasswd_server = police.wayne.local
>}
>

Try:

kdc = KERBEROS.WAYNE.LOCAL
admin_server = police.wayne.local
default_domain = wayne.local

>[domain_realm]
>    .WAYNE.LOCAL = WAYNE.LOCAL
>

Probably not enough info here. Try: (Remember caps must be in caps).

.wayne.local = WAYNE.LOCAL
wayne.local = WAYNE.LOCAL
.WAYNE.LOCAL = WAYNE.LOCAL
kerberos.server = KERBEROS.WAYNE.LOCAL

>[appdefaults]
>pam = {
>    ticket_lifetime = 365d
>    renew_lifetime = 365d
>    forwardable = true
>    proxiable = false
>    retain_after_close = true
>    minimum_uid = 0
>

Pam stuff is more OS dependent, so I have no suggestions here. MAKE SURE THAT YOUR SAMBA SERVER IS USING THE W2K ADS SERVER AS DNS----THIS IS ABSOLUTELY CRITICAL.

>
>---------- Original Message ----------------------------------
>From: "Thomas M. Skeren III" <tms3@fskklaw.com>
>Date: Mon, 20 Dec 2004 17:16:38 -0800
>
>Brian Kesting wrote:
>
>>Someone told me once to try to remove the Samba server from the domain, rename it, and rejoin the domain......would that solve any problems in your opinion?
>>
>That is an odd solution, unless AD is mangled with respect to the samba
>server name. Methinks you have a kerberos problem. My servers are
>FreeBSD, but I do have a bare bones guide for setting up samba as an AD
>member server in FreeBSD. If you use Linux it can only be a reference,
>but it's an easy read.
>
><http://www.fsklaw.com/fbsdconfig.html>
>
>>---------- Original Message ----------------------------------
>>From: "Brian Kesting" <bkesting@cityofwayne.org>
>>Reply-To: bkesting@cityofwayne.org
>>Date: Mon, 20 Dec 2004 18:05:47 -0600
>>
>>I read something about nscd causing problems before I even installed the system, so I never even installed that service.
>>
>>Here is an updated /var/log/samba/log.winbindd file.....btw, thanks for the quick help and tips so far, I appreciate it.
>>
>>[2004/12/20 17:33:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>  krb5_cc_get_principal failed (No such file or directory)
>>[2004/12/20 17:38:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>[2004/12/20 17:43:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>[2004/12/20 17:45:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>  user 'root' does not exist
>>[2004/12/20 17:49:01, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>[2004/12/20 17:52:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
>>  ads_search_retry: failed to reconnect (Invalid credentials)
>>
>>---------- Original Message ----------------------------------
>>From: Brett Stevens <brett.stevens@hubbub.com.au>
>>Date: Tue, 21 Dec 2004 10:33:30 +1100
>>
>>One thing I noticed when having similar problems is that for some reason
>>nscd seems to be a problem stop this service and restart all samba services
>>including smbd nmbd and winbind
>>
>>Let us know how it goes.
>>
>>Brett Stevens
>>
>>-----Original Message-----
>>From: Brian Kesting [mailto:bkesting@cityofwayne.org]
>>Sent: Tuesday, December 21, 2004 10:29 AM
>>To: samba@lists.samba.org
>>Subject: [Samba] winbind problems
>>
>>Hello,
>>
>>I am running a Samba server (3.0.7) on a Suse 9.2 box. I have connected
>>this server successfully to a Windows 2000 Active Directory (mixed mode). I
>>have nsswitch.conf, krb5.conf configured and winbind seems to be running
>>properly for the most part. With wbinfo I can get all of my user and group
>>information. Problem is, it seems that at random times, the samba server
>>just stops authenticating the windows user names and accounts. If I restart
>>the winbind or smb service, then all seems to be well again for a while.
>>Right now the only way I can keep this running is to run a cron job that
>>restarts the samba and winbind services every hour. This is really bugging
>>me as I cannot figure out what is going on. Can anyone help me? I have
>>included some of my configuration and log files below. Thanks in advance.
Even if I do not have users logging into this samba box locally, I still need to edit /etc/pam.d/login?

---------- Original Message ----------------------------------
From: "Thomas M. Skeren III" <tms3@fskklaw.com>
Date: Mon, 20 Dec 2004 18:31:53 -0800

Brian Kesting wrote:

>When I made those changes to krb5.conf I got the following in my smb log
>and I could not access my samba share...
>
>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>  Failed to verify incoming ticket!
>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>  Failed to verify incoming ticket!
>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>  Failed to verify incoming ticket!
>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>  Failed to verify incoming ticket!
>
>Not sure what I am missing, I may just start this whole project over from scratch and see if I have better luck.
>

As I stated in my guide,

Note: If you have a server and it isn't a production server, has nothing of value on it, and you have been stuffing programs on it to get Samba to work with ADS , but failed, put that 5.3 Release install cd into the cdrom drive, and reinstall FBSD 5.3 formatting the drives along the way. Don't bug me if you didn't start with a nice clean install.

Make sure you have the pam.d/login stuff done. Without it pam can't authenticate non local users.

>
>---------- Original Message ----------------------------------
>From: "Thomas M. Skeren III" <tms3@fskklaw.com>
>Date: Mon, 20 Dec 2004 17:50:47 -0800
>
>Brian Kesting wrote:
>
>>I am using Suse 9.2 and heimdal 0.6.2
>>
>
>In that case you need:
>
>    default_etypes = des-cbc-crc des-cbc-md5
>    default_etypes_des = des-cbc-crc des-cbc-md5
>
>In libdefaults. Read my whole response as I made changes throughout
>your krb5.conf file. You may also need a keytab file, but I doubt it.
>
>>---------- Original Message ----------------------------------
>>From: "Thomas M. Skeren III" <tms3@fskklaw.com>
>>Date: Mon, 20 Dec 2004 17:43:07 -0800
>>
>>Brian Kesting wrote:
>>
>>>My setup looks about identical to the setup you have listed in the link you provided.
>>>
>>>Since this line:
>>>libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>krb5_cc_get_principal failed (No such file or directory)
>>>
>>>keeps appearing in my winbind log file, I am thinking it is a kerberos problem too. Do you see anything wrong with my /etc/krb5.conf file?
>>>
>>>[libdefaults]
>>>    default_realm = WAYNE.LOCAL
>>>    clockskew = 300
>>>
>>Try adding :
>>
>>dns_lookup_realm = false
>>dns_lookup_kdc = false
>>
>>Also which OS are you using? What Kerberos? The default etypes lines
>>are necessary for Heimdal, but I don't think they are necessary for MIT.
>>
>>>[realms]
>>>WAYNE.LOCAL = {
>>>    kdc = police.wayne.local
>>>    default_domain = WAYNE.LOCAL
>>>    kpasswd_server = police.wayne.local
>>>}
>>>
>>Try:
>>
>>kdc = KERBEROS.WAYNE.LOCAL
>>admin_server = police.wayne.local
>>default_domain = wayne.local
>>
>>>[domain_realm]
>>>    .WAYNE.LOCAL = WAYNE.LOCAL
>>>
>>Probably not enough info here. Try: (Remember caps must be in caps).
>>
>>.wayne.local = WAYNE.LOCAL
>>wayne.local = WAYNE.LOCAL
>>.WAYNE.LOCAL = WAYNE.LOCAL
>>kerberos.server = KERBEROS.WAYNE.LOCAL
>>
>>>[appdefaults]
>>>pam = {
>>>    ticket_lifetime = 365d
>>>    renew_lifetime = 365d
>>>    forwardable = true
>>>    proxiable = false
>>>    retain_after_close = true
>>>    minimum_uid = 0
>>>
>>Pam stuff is more OS dependent, so I have no suggestions here. MAKE
>>SURE THAT YOUR SAMBA SERVER IS USING THE W2K ADS SERVER AS DNS----THIS IS
>>ABSOLUTELY CRITICAL.
>>
>>>---------- Original Message ----------------------------------
>>>From: "Thomas M. Skeren III" <tms3@fskklaw.com>
>>>Date: Mon, 20 Dec 2004 17:16:38 -0800
>>>
>>>Brian Kesting wrote:
>>>
>>>>Someone told me once to try to remove the Samba server from the domain, rename it, and rejoin the domain......would that solve any problems in your opinion?
>>>>
>>>That is an odd solution, unless AD is mangled with respect to the samba
>>>server name. Methinks you have a kerberos problem. My servers are
>>>FreeBSD, but I do have a bare bones guide for setting up samba as an AD
>>>member server in FreeBSD. If you use Linux it can only be a reference,
>>>but it's an easy read.
>>>
>>><http://www.fsklaw.com/fbsdconfig.html>
>>>
>>>>---------- Original Message ----------------------------------
>>>>From: "Brian Kesting" <bkesting@cityofwayne.org>
>>>>Reply-To: bkesting@cityofwayne.org
>>>>Date: Mon, 20 Dec 2004 18:05:47 -0600
>>>>
>>>>I read something about nscd causing problems before I even installed the system, so I never even installed that service.
>>>>
>>>>Here is an updated /var/log/samba/log.winbindd file.....btw, thanks for the quick help and tips so far, I appreciate it.
I do have both servers pointed to the same ntp server....the time issue should be negligent here.....I hope (lol)

---------- Original Message ----------------------------------
From: Brett Stevens <brett.stevens@hubbub.com.au>
Date: Tue, 21 Dec 2004 14:21:10 +1100

One other problem that I experienced was time. Make sure that your servers are synced closely, preferably with the same server.

Brett Stevens

-----Original Message-----
From: Brian Kesting [mailto:bkesting@cityofwayne.org]
Sent: Tuesday, December 21, 2004 10:29 AM
To: samba@lists.samba.org
Subject: [Samba] winbind problems

Hello,

I am running a Samba server (3.0.7) on a Suse 9.2 box. I have connected this server successfully to a Windows 2000 Active Directory (mixed mode). I have nsswitch.conf, krb5.conf configured and winbind seems to be running properly for the most part. With wbinfo I can get all of my user and group information. Problem is, it seems that at random times, the samba server just stops authenticating the windows user names and accounts. If I restart the winbind or smb service, then all seems to be well again for a while. Right now the only way I can keep this running is to run a cron job that restarts the samba and winbind services every hour. This is really bugging me as I cannot figure out what is going on. Can anyone help me? I have included some of my configuration and log files below. Thanks in advance.
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
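The log excerpts passed around in this thread all use the same two-line Samba 3 entry format, sometimes mail-quoted and sometimes with the next header wrapped onto the previous line. The following is an added example, not part of any poster's message and not Samba code: a Python parser for that format that groups entries into triage categories and reports when the first authentication-breaking error appears. The category labels and the arrangement of `SAMPLE` are this example's own assumptions; the log lines themselves are the ones quoted in the thread.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime

Entry = namedtuple("Entry", "when level source function category message")

# Samba 3.x entry header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)".
# \s+ between date and time also matches a header that mail wrapping split
# across two lines, as in the smbd excerpts quoted in the thread.
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2})\s+(\d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+"
    r"([\w./-]+\.c):(\w+)\(\d+\)"
)
# Leading mail-quote markers (">", ">>", "> >") on any line.
QUOTE_PREFIX = re.compile(r"(?m)^[ \t]*(?:>[ \t]?)+")
USERNAME = re.compile(r"Username (\S+) is invalid on this system")

# Message substrings seen in the thread -> triage label.
# The labels are this example's own, not Samba terminology.
CATEGORIES = [
    ("krb5_cc_get_principal failed", "krb5-ccache-missing"),
    ("Failed to verify incoming ticket", "krb5-ticket-rejected"),
    ("failed to reconnect (Invalid credentials)", "ads-bind-failed"),
    ("is invalid on this system", "unmapped-account"),
    ("Failed to parse NTLMSSP packet", "ntlmssp-parse"),
    ("does not exist", "nss-lookup-miss"),
]
AUTH_BREAKING = {"krb5-ccache-missing", "krb5-ticket-rejected", "ads-bind-failed"}

# Constructed sample: lines quoted in the thread, arranged by hand to include
# quote markers and one mail-wrapped header.
SAMPLE = """\
>[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>  Username WAYNE/LIEUTENANT1$ is invalid on this system [2004/12/20
>15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>  Username WAYNE/LIEUTENANT1$ is invalid on this system
[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/DISPATCH_GW1$ is invalid on this system
[2004/12/20 17:33:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/12/20 17:38:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2004/12/20 17:45:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist
[2004/12/20 17:52:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
  ads_search_retry: failed to reconnect (Invalid credentials)
[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
"""


def classify(message):
    """Map a log message to a triage label; unknown messages become 'other'."""
    for needle, category in CATEGORIES:
        if needle in message:
            return category
    return "other"


def parse_entries(text):
    """Return Entry tuples from raw or mail-quoted Samba log text."""
    text = QUOTE_PREFIX.sub("", text)
    headers = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        # The message is everything up to the next header (or end of text).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        message = " ".join(text[m.end():end].split())
        when = datetime.strptime(m.group(1) + " " + m.group(2), "%Y/%m/%d %H:%M:%S")
        entries.append(Entry(when, int(m.group(3)), m.group(4), m.group(5),
                             classify(message), message))
    return entries


def triage(entries):
    """Summarise counts, the first auth-breaking event, and rejected machine accounts."""
    breaking = [e.when for e in entries if e.category in AUTH_BREAKING]
    accounts = set()
    for e in entries:
        m = USERNAME.search(e.message)
        if m:
            accounts.add(m.group(1))
    return {
        "counts": dict(Counter(e.category for e in entries)),
        "first_auth_break": min(breaking) if breaking else None,
        # AD computer accounts carry a trailing "$" in their account name.
        "machine_accounts": sorted(a for a in accounts if a.endswith("$")),
    }


if __name__ == "__main__":
    for key, value in triage(parse_entries(SAMPLE)).items():
        print(key, value)
```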
Ok, I will set that up tomorrow. I had it setup at one time, but thought that if I didn't have local users logging into the local system I didn't need it. I really appreciate your quick and informative responses to my questions Thomas and everyone else....I really appreciate it.

---------- Original Message ----------------------------------
From: "Thomas M. Skeren III" <tms3@fskklaw.com>
Date: Mon, 20 Dec 2004 20:12:05 -0800

Brian Kesting wrote:

>Even if I do not have users logging into this samba box locally, I still need to edit /etc/pam.d/login?
>

Yes

>
>---------- Original Message ----------------------------------
>From: "Thomas M. Skeren III" <tms3@fskklaw.com>
>Date: Mon, 20 Dec 2004 18:31:53 -0800
>
>Brian Kesting wrote:
>
>>When I made those changes to krb5.conf I got the following in my smb log
>>and I could not access my samba share...
>>
>>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>>  Failed to verify incoming ticket!
>>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>>  Failed to verify incoming ticket!
>>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>>  Failed to verify incoming ticket!
>>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>>  Failed to verify incoming ticket!
>>
>>Not sure what I am missing, I may just start this whole project over from scratch and see if I have better luck.
>>
>As I stated in my guide,
>
>Note: If you have a server and it isn't a production server, has
>nothing of value on it, and you have been stuffing programs on it to get
>Samba to work with ADS , but failed, put that 5.3 Release install cd
>into the cdrom drive, and reinstall FBSD 5.3 formatting the drives along
>the way. Don't bug me if you didn't start with a nice clean install.
>
>Make sure you have the pam.d/login stuff done. Without it pam can't
>authenticate non local users.
>
>>---------- Original Message ----------------------------------
>>From: "Thomas M. Skeren III" <tms3@fskklaw.com>
>>Date: Mon, 20 Dec 2004 17:50:47 -0800
>>
>>Brian Kesting wrote:
>>
>>>I am using Suse 9.2 and heimdal 0.6.2
>>>
>>In that case you need:
>>
>>    default_etypes = des-cbc-crc des-cbc-md5
>>    default_etypes_des = des-cbc-crc des-cbc-md5
>>
>>In libdefaults. Read my whole response as I made changes throughout
>>your krb5.conf file. You may also need a keytab file, but I doubt it.
>>
>>>---------- Original Message ----------------------------------
>>>From: "Thomas M. Skeren III" <tms3@fskklaw.com>
>>>Date: Mon, 20 Dec 2004 17:43:07 -0800
>>>
>>>Brian Kesting wrote:
>>>
>>>>My setup looks about identical to the setup you have listed in the link you provided.
>>>>
>>>>Since this line:
>>>>libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>
>>>>keeps appearing in my winbind log file, I am thinking it is a kerberos problem too. Do you see anything wrong with my /etc/krb5.conf file?
>>>>
>>>>[libdefaults]
>>>>    default_realm = WAYNE.LOCAL
>>>>    clockskew = 300
>>>>
>>>Try adding:
>>>
>>>dns_lookup_realm = false
>>>dns_lookup_kdc = false
>>>
>>>Also which OS are you using? What Kerberos? The default etypes lines
>>>are necessary for Heimdal, but I don't think they are necessary for MIT.
>>>
>>>>[realms]
>>>>WAYNE.LOCAL = {
>>>>    kdc = police.wayne.local
>>>>    default_domain = WAYNE.LOCAL
>>>>    kpasswd_server = police.wayne.local
>>>>}
>>>>
>>>Try:
>>>
>>>kdc = KERBEROS.WAYNE.LOCAL
>>>admin_server = police.wayne.local
>>>default_domain = wayne.local
>>>
>>>>[domain_realm]
>>>>    .WAYNE.LOCAL = WAYNE.LOCAL
>>>>
>>>Probably not enough info here. Try: (Remember caps must be in caps).
>>>
>>>.wayne.local = WAYNE.LOCAL
>>>wayne.local = WAYNE.LOCAL
>>>.WAYNE.LOCAL = WAYNE.LOCAL
>>>kerberos.server = KERBEROS.WAYNE.LOCAL
>>>
>>>>[appdefaults]
>>>>pam = {
>>>>    ticket_lifetime = 365d
>>>>    renew_lifetime = 365d
>>>>    forwardable = true
>>>>    proxiable = false
>>>>    retain_after_close = true
>>>>    minimum_uid = 0
>>>>
>>>Pam stuff is more OS dependent, so I have no suggestions here. MAKE
>>>SURE THAT YOUR SAMBA SERVER IS USING THE W2K ADS SERVER AS DNS----THIS IS
>>>ABSOLUTELY CRITICAL.
>>>
>>>>---------- Original Message ----------------------------------
>>>>From: "Thomas M. Skeren III" <tms3@fskklaw.com>
>>>>Date: Mon, 20 Dec 2004 17:16:38 -0800
>>>>
>>>>Brian Kesting wrote:
>>>>
>>>>>Someone told me once to try to remove the Samba server from the domain, rename it, and rejoin the domain......would that solve any problems in your opinion?
>>>>>
>>>>That is an odd solution, unless AD is mangled with respect to the samba
>>>>server name. Methinks you have a kerberos problem. My servers are
>>>>FreeBSD, but I do have a bare bones guide for setting up samba as an AD
>>>>member server in FreeBSD. If you use Linux it can only be a reference,
>>>>but it's an easy read.
>>>>
>>>><http://www.fsklaw.com/fbsdconfig.html>
>>>>
>>>>>---------- Original Message ----------------------------------
>>>>>From: "Brian Kesting" <bkesting@cityofwayne.org>
>>>>>Reply-To: bkesting@cityofwayne.org
>>>>>Date: Mon, 20 Dec 2004 18:05:47 -0600
>>>>>
>>>>>I read something about nscd causing problems before I even installed the system, so I never even installed that service.
>>>>>
>>>>>Here is an updated /var/log/samba/log.winbindd file.....btw, thanks for the quick help and tips so far, I appreciate it.
>>>>>
>>>>>[2004/12/20 17:33:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>>[2004/12/20 17:38:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:43:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:45:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>user 'root' does not exist
>>>>>[2004/12/20 17:49:01, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:52:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
>>>>>ads_search_retry: failed to reconnect (Invalid credentials)
>>>>>
>>>>>
>>>>>---------- Original Message ----------------------------------
>>>>>From: Brett Stevens <brett.stevens@hubbub.com.au>
>>>>>Date: Tue, 21 Dec 2004 10:33:30 +1100
>>>>>
>>>>>One thing I noticed when having similar problems is that for some reason
>>>>>nscd seems to be a problem stop this service and restart all samba services
>>>>>including smbd nmbd and winbind
>>>>>
>>>>>Let us know how it goes.
>>>>>
>>>>>Brett Stevens
>>>>>
>>>>>-----Original Message-----
>>>>>From: Brian Kesting [mailto:bkesting@cityofwayne.org]
>>>>>Sent: Tuesday, December 21, 2004 10:29 AM
>>>>>To: samba@lists.samba.org
>>>>>Subject: [Samba] winbind problems
>>>>>
>>>>>
>>>>>Hello,
>>>>>
>>>>>I am running a Samba server (3.0.7) on a Suse 9.2 box. I have connected
>>>>>this server successfully to a Windows 2000 Active Directory (mixed mode). I
>>>>>have nsswitch.conf, krb5.conf configured and winbind seems to be running
>>>>>properly for the most part. With wbinfo I can get all of my user and group
>>>>>information. Problem is, it seems that at random times, the samba server
>>>>>just stops authenticating the windows user names and accounts. If I restart
>>>>>the winbind or smb service, then all seems to be well again for a while.
>>>>>Right now the only way I can keep this running is to run a cron job that
>>>>>restarts the samba and winbind services every hour. This is really bugging
>>>>>me as I cannot figure out what is going on. Can anyone help me? I have
>>>>>included some of my configuration and log files below. Thanks in advance.
>>>>>
>>>>>---------/etc/samba/smb.conf----------
>>>>># Samba Configuration File
>>>>>
>>>>>[global]
>>>>>    workgroup = WAYNE
>>>>>    realm = WAYNE.LOCAL
>>>>>    server string = Samba Server
>>>>>    security = ADS
>>>>>    password server = adserver.wayne.local
>>>>>    encrypt passwords = yes
>>>>>    idmap uid = 10000-20000
>>>>>    idmap gid = 10000-20000
>>>>>    template shell = /bin/bash
>>>>>    winbind use default domain = no
>>>>>    winbind separator = /
>>>>>
>>>>>[users]
>>>>>    comment = Users on Linux
>>>>>    path = /home/WAYNE
>>>>>    read only = No
>>>>>    browseable = Yes
>>>>>
>>>>>---------/etc/nsswitch.conf-------
>>>>>passwd: files winbind
>>>>>group: files winbind
>>>>>hosts: files dns wins winbind
>>>>>networks: files dns
>>>>>
>>>>>---------/etc/krb5.conf-----------
>>>>>[libdefaults]
>>>>>    default_realm = WAYNE.LOCAL
>>>>>    clockskew = 300
>>>>>
>>>>>[realms]
>>>>>WAYNE.LOCAL = {
>>>>>    kdc = police.wayne.local
>>>>>    default_domain = WAYNE.LOCAL
>>>>>    kpasswd_server = adserver.wayne.local
>>>>>}
>>>>>[domain_realm]
>>>>>    .WAYNE.LOCAL = WAYNE.LOCAL
>>>>>[appdefaults]
>>>>>pam = {
>>>>>    ticket_lifetime = 365d
>>>>>    renew_lifetime = 365d
>>>>>    forwardable = true
>>>>>    proxiable = false
>>>>>    retain_after_close = true
>>>>>    minimum_uid = 0
>>>>>}
>>>>>
>>>>>----------/var/log/samba/log.smbd--------
>>>>>[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system [2004/12/20
>>>>>15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system [2004/12/20
>>>>>15:25:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system [2004/12/20
>>>>>15:25:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>>.
>>>>>.
>>>>>.
>>>>>[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system [2004/12/20
>>>>>16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system [2004/12/20
>>>>>16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>>
>>>>>----------/var/log/samba/log.winbindd-------------------
>>>>>[2004/12/20 16:51:07, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>>krb5_cc_get_principal failed (No such file or directory) [2004/12/20
>>>>>16:56:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 16:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>user 'root' does not exist
>>>>>[2004/12/20 17:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>user 'root' does not exist
>>>>>[2004/12/20 17:01:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:06:24, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:11:40, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>
>>>>>????
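
Added example, not part of the original thread and not Samba's own tooling: a small parser for the smbd/winbindd log format pasted above. It tolerates mail quote markers and timestamps wrapped across lines, then groups entries by call site so the first and last time of each failure can be compared with the moment authentication stopped. The sample input is constructed from the kinds of entries quoted in the thread, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the shapes seen in the thread: '>' quote markers, a
# timestamp wrapped across two lines, header and message on separate lines.
SAMPLE = """\
>>[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>  Username WAYNE/LIEUTENANT1$ is invalid on this system [2004/12/20
>>16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>  Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>  krb5_cc_get_principal failed (No such file or directory)
>>[2004/12/20 17:52:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
>>  ads_search_retry: failed to reconnect (Invalid credentials)
>>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>>  Failed to verify incoming ticket!
"""

NEXT = r"\[\d{4}/\d\d/\d\d\s+\d\d:\d\d:\d\d,"          # start of the next entry
ENTRY = re.compile(r"\[(\d{4}/\d\d/\d\d)\s+(\d\d:\d\d:\d\d),\s*(\d+)\]\s+"
                   r"(\S+:\w+\(\d+\))\s*(.*?)(?=" + NEXT + r"|\Z)", re.S)

def parse(text):
    """Return entries as dicts, tolerating '>' quoting and wrapped lines."""
    text = re.sub(r"(?m)^>+ ?", "", text)               # drop mail quote markers
    entries = []
    for date, clock, level, where, msg in ENTRY.findall(text):
        entries.append({"when": datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S"),
                        "level": int(level), "where": where,
                        "message": " ".join(msg.split())})
    return entries

def summarize(entries):
    """Group by call site and message, folding account names into <account>."""
    groups = {}
    for e in entries:
        acct = re.search(r"Username (\S+) is invalid", e["message"])
        text = re.sub(r"Username \S+ is", "Username <account> is", e["message"])
        g = groups.setdefault((e["where"], text), {"count": 0, "first": e["when"],
                                                   "last": e["when"], "accounts": set()})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], e["when"]), max(g["last"], e["when"])
        if acct:
            g["accounts"].add(acct.group(1))
    return groups

if __name__ == "__main__":
    for (where, text), g in sorted(summarize(parse(SAMPLE)).items(), key=lambda kv: kv[1]["first"]):
        machines = sorted(a for a in g["accounts"] if a.endswith("$"))  # AD computer accounts
        print(f'{g["first"]:%H:%M:%S}..{g["last"]:%H:%M:%S} x{g["count"]} {where} {text} {machines}')
```

Account names ending in `$` are Active Directory computer accounts, so the summary separates rejected workstation logons from rejected user logons.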