smc+samba@dogphilosophy.net
2005-Jul-21 19:36 UTC
[Samba] ADS mode - differences between W2K and 2003?
I'm having a bizarre problem doing authentication via winbind against a Windows 2003 server.

Aside from changing the hostname information, etc. as appropriate for krb5.conf and smb.conf, the configuration I'm using is one that I copied from another server that is successfully authenticating against ads.

The two systems I'm having trouble with are running Suse Linux Enterprise Server 9 and Suse Linux Professional 9.3, respectively. Both have the same odd problem:

As configured, everything seems like it should work. I kinit'd as administrator to the Windows 2003 server successfully. "net ads join" appears to have joined the computers to the domain successfully. "getent passwd" and "wbinfo -u" both give me listings of the "domain users" on the Windows 2003 server. "wbinfo -U (domain user UID)" does give me the SID of the domain user in question (domain users mapped as UID 15000-30000).

However, "getent passwd (domain user name)" doesn't work at all. It gives no response (no errors, just drops back to command line). 'strace getent passwd (user)' doesn't even show that libnss_winbind.so is being opened (even though "getent passwd" to get the list is.)

Is this a Windows 2003 issue? I've seen mention of winbind doing "funny things" like this before on the mailing list, but don't recall any firm resolutions. Any help would be appreciated. Thanks.

(These symptoms appear to happen with both 3.0.14a from Suse and the 3.0.20pre2 rpm's from the Samba server).
lists@feilner-it.net
2005-Jul-21 21:57 UTC
[Samba] ADS mode - differences between W2K and 2003?
On Thursday, 21 July 2005 21:36, smc+samba@dogphilosophy.net wrote:
> I'm having a bizarre problem doing authentication via winbind against a
> Windows 2003 server.
>
> Aside from changing the hostname information, etc. as appropriate for
> krb5.conf and smb.conf, the configuration I'm using is one that I copied
> from another server that is successfully authenticating against ads.
>
> The two systems I'm having trouble with are running Suse Linux Enterprise
> Server 9 and Suse Linux Professional 9.3, respectively. Both have the same
> odd problem:
>
> As configured, everything seems like it should work. I kinit'd as
> administrator to the Windows 2003 server successfully. "net ads join"
> appears to have joined the computers to the domain successfully. "getent
> passwd" and "wbinfo -u" both give me listings of the "domain users" on the
> Windows 2003 server. "wbinfo -U (domain user UID)" does give me the SID
> of the domain user in question (domain users mapped as UID 15000-30000).
>
> However, "getent passwd (domain user name)" doesn't work at all. It gives
> no response (no errors, just drops back to command line). 'strace getent
> passwd (user)' doesn't even show that libnss_winbind.so is being opened
> (even though "getent passwd" to get the list is.)
>
> Is this a Windows 2003 issue? I've seen mention of winbind doing "funny
> things" like this before on the mailing list, but don't recall any firm
> resolutions. Any help would be appreciated. Thanks.
>
> (These symptoms appear to happen with both 3.0.14a from Suse and the
> 3.0.20pre2 rpm's from the Samba server).

Hi,

I seem to have a similar, if not the same problem. On one system (debian 3.1) everything works fine. On the other (same config) ads integration does not work.

- getent does not work
- wbinfo -t fails

On the other hand, I can get kerberos tickets with kinit and the same auth data for Administrator, and net ads join works fine ...

This problem appears under samba 3.0.14a on debian.

Furthermore: I found that in the winbind logfile strange errors appear when an ads user tries to access a share:

log.winbindd:
  ads_krb5_mk_req: krb5_get_credentials failed for xxxx$@yyyy.DE (Server not found in Kerberos database)

with xxx being an old hostname, yyyy an old domainname. Both are not used anymore and are definitely not stored in any file on the linux system (grep -r ...) ???

Thanks!

--
With kind regards
Markus Feilner
--------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4
93047 Regensburg
fon +49 941 9465243
fax +49 941 9465244
mobil + +49 170 3027092
skype ID: mfeilner
mail: mfeilner@feilner-it.net
S Clark
2005-Jul-29 23:50 UTC
[Samba] ADS/Winbind - works for everything except actually authenticating Windows logins!
On Thursday 21 July 2005 12:36 pm, smc+samba@dogphilosophy.net wrote:
> I'm having a bizarre problem doing authentication via winbind against a
> Windows 2003 server.
[...etc...]

Following up, still having this strange problem.

More information - from the Samba box (now running the X86_64 SLES9 3.0.20rc1 rpm's, previously running the 3.0.14a ones) ALL of the wbinfo functions seem to work correctly: wbinfo -n (name) pulls up an SID. wbinfo -t says it's okay. wbinfo -a (user)%(password) succeeds. wbinfo -u gets the username list, etc.

"getent passwd" successfully shows all users (including domain users) and "getent group" shows the domain groups in the list.

"getent passwd (name of user that worked fine in 'wbinfo -n')" fails - no output at all, including no error messages. Same for "getent group (domain group name)" and "getent group (gid)".

/var/log/samba/log.winbind shows:

  [2005/07/29 18:33:53, 1] nsswitch/winbindd.c:main(977)
    winbindd version 3.0.20rc1-0.1-SUSE started.
    Copyright The Samba Team 2000-2004
  [2005/07/29 18:34:36, 0] nsswitch/winbindd.c:request_len_recv(573)
    process_loop: Invalid request size received: 1824
  [2005/07/29 18:40:54, 0] nsswitch/winbindd.c:request_len_recv(573)
    process_loop: Invalid request size received: 1824

And, of course, trying to connect to a share from a Windows box, logged into the domain with an authorized user account, it pops up with the "enter your name and password" box, and the name and password don't work. I'm assuming this is caused by the same problem that's causing "getent passwd (user)" to fail.

Any hints where to go from here? Thanks
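
Added example, not part of any post in this thread and not Samba project code: a small parser for the log.winbind excerpt quoted in the last message, which pairs each debug header with its message lines and counts repeated level-0 entries so recurring failures stand out. The function names are hypothetical, and the one-header-per-line layout of the sample is an assumption reconstructed from the flattened post.

```python
import re
from collections import Counter

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# Log text taken from the post above; the line layout (header, then indented
# message lines) is assumed, since the archive flattened it.
SAMPLE_LOG = """\
[2005/07/29 18:33:53, 1] nsswitch/winbindd.c:main(977)
  winbindd version 3.0.20rc1-0.1-SUSE started.
  Copyright The Samba Team 2000-2004
[2005/07/29 18:34:36, 0] nsswitch/winbindd.c:request_len_recv(573)
  process_loop: Invalid request size received: 1824
[2005/07/29 18:40:54, 0] nsswitch/winbindd.c:request_len_recv(573)
  process_loop: Invalid request size received: 1824
"""

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entry["message"] = []
            entries.append(entry)
        elif entries and raw.strip():
            # Continuation line: belongs to the most recent header.
            entries[-1]["message"].append(raw.strip())
    for e in entries:
        e["message"] = " ".join(e["message"])
    return entries

def recurring_errors(entries, max_level=0):
    """Count entries at or below max_level, keyed by (function, message)."""
    counts = Counter()
    for e in entries:
        if e["level"] <= max_level:
            counts[(e["func"], e["message"])] += 1
    return counts

if __name__ == "__main__":
    for (func, msg), n in recurring_errors(parse_entries(SAMPLE_LOG)).items():
        print(f"{n}x {func}: {msg}")
```
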