samba - Jul 2005 - ADS mode - differences between W2K and 2003?

I'm having a bizarre problem doing authentication via winbind against a 
Windows 2003 server.

Aside from changing the hostname information, etc. as appropriate for 
krb5.conf and smb.conf, the configuration I'm using is one that I copied
from
another server that is successfully authenticating against ads.

The two systems I'm having trouble with are running Suse Linux Enterprise 
Server 9 and Suse Linux Professional 9.3, respectively.  Both have the same 
odd problem:

As configured, everything seems like it should work.  I kinit'd as 
administrator to the Windows 2003 server successfully.  "net ads join"
appears to have joined the computers to the domain successfully.  "getent 
passwd" and "wbinfo -u" both give me listings of the "domain
users" on the
Windows 2003 server.  "wbinfo -U (domain user UID)" does give me the
SID
of the domain user in question (domain users mapped as UID 15000-30000).

However, "getent passwd (domain user name)" doesn't work at all. 
It gives no
response (no errors, just drops back to command line).  'strace getent
passwd
(user)' doesn't even show that libnss_winbind.so is being opened (even
though
"getent passwd" to get the list is.)

Is this a Windows 2003 issue?  I've seen mention of winbind doing
"funny
things" like this before on the mailing list, but don't recall any firm
resolutions.  Any help would be appreciated.  Thanks.

(These symptoms appear to happen with both 3.0.14a from Suse and the 
3.0.20pre2 rpm's from the Samba server).

Am Donnerstag, 21. Juli 2005 21:36 schrieb
smc+samba@dogphilosophy.net:
> I'm having a bizarre problem doing authentication via winbind against a
> Windows 2003 server.
>
> Aside from changing the hostname information, etc. as appropriate for
> krb5.conf and smb.conf, the configuration I'm using is one that I
copied
> from another server that is successfully authenticating against ads.
>
> The two systems I'm having trouble with are running Suse Linux
Enterprise
> Server 9 and Suse Linux Professional 9.3, respectively.  Both have the same
> odd problem:
>
> As configured, everything seems like it should work.  I kinit'd as
> administrator to the Windows 2003 server successfully.  "net ads
join"
> appears to have joined the computers to the domain successfully. 
"getent
> passwd" and "wbinfo -u" both give me listings of the
"domain users" on the
> Windows 2003 server.  "wbinfo -U (domain user UID)" does give me
the SID
> of the domain user in question (domain users mapped as UID 15000-30000).
>
> However, "getent passwd (domain user name)" doesn't work at
all.  It gives
> no response (no errors, just drops back to command line).  'strace
getent
> passwd (user)' doesn't even show that libnss_winbind.so is being
opened
> (even though "getent passwd" to get the list is.)
>
> Is this a Windows 2003 issue?  I've seen mention of winbind doing
"funny
> things" like this before on the mailing list, but don't recall any
firm
> resolutions.  Any help would be appreciated.  Thanks.
>
> (These symptoms appear to happen with both 3.0.14a from Suse and the
> 3.0.20pre2 rpm's from the Samba server).
Hi, I seem to have a similar, if not the same problem. 
On one system (debian 3.1) everything works fine.
On the other (same config) ads integration does not work.
- getent does not work
- wbinfo -t fails 
on the other hand, i can get kerberos tickets with kinit and the same auth 
data for Administrator and net ads join works fine ...
This problem appears under samba 3.0.14a on debian. 

Furthermore: I found that in the winbind logfile strange errors appear, when a 
ads user tries to acces a share:
log.winbindd:  ads_krb5_mk_req: krb5_get_credentials failed for xxxx$@yyyy.DE 
(Server not found in Kerberos database)

with xxx being an old hostname, yyyy an old domainname.
Botgh are not used anymore and are definitely not stored in any file on the 
linux system (grep -r ...)
???
Thanks!
-- 
Mit freundlichen Gr??en
Markus Feilner

--------------------------
Feilner IT Linux & GIS 
Linux Solutions, Training, Seminare und Workshops - auch Inhouse
Beraiterweg 4 93047 Regensburg
fon +49 941 9465243 fax +49 941 9465244 mobil + +49 170 3027092 
skype ID: mfeilner mail: mfeilner@feilner-it.net

On Thursday 21 July 2005 12:36 pm, smc+samba@dogphilosophy.net
wrote:
> I'm having a bizarre problem doing authentication via winbind against a
> Windows 2003 server.
[...etc...]

Following up, still having this strange problem.

More information - from the Samba box (now running the X86_64 SLES9 3.0.20rc1 
rpm's, previously running the 3.0.14a ones) ALL of the wbinfo functions seem
to work correctly:  wbinfo -n (name) pulls up an SID.  wbinfo -t says it's 
okay.  wbinfo -a (user)%(password) succeeds.  wbinfo -u gets the username 
list, etc.

"getent passwd" successfully shows all users (including domain users)
and
"getent group" shows the domain groups in the list.

"getent passwd (name of user that worked fine in 'wbinfo -n')"
fails - no
output at all, including no error messages.  Same for "getent group (domain
group name)" and "getent group (gid)".

/var/log/samba/log.winbind shows:
[2005/07/29 18:33:53, 1] nsswitch/winbindd.c:main(977)
  winbindd version 3.0.20rc1-0.1-SUSE started.
  Copyright The Samba Team 2000-2004
[2005/07/29 18:34:36, 0] nsswitch/winbindd.c:request_len_recv(573)
  process_loop: Invalid request size received: 1824
[2005/07/29 18:40:54, 0] nsswitch/winbindd.c:request_len_recv(573)
  process_loop: Invalid request size received: 1824

And, of course, trying to connect to a share from a Windows box, logged into 
the domain with an authorized user account, it pops up with the "enter your
name and password" box, and the name and password don't work.  I'm
assuming
this is caused by the same problem that's causing "getent passwd
(user)" to
fail.

Any hints where to go from here?

Thanks