samba - Nov 2006 - winbind: getent passwd displays the user, but SAMBA says Get_Pwnam_internals didn't find user

SAMBA 3.0.21c (domain is LINBOXTEXT)
Windows 2000 SP4 (domain is ADTEST)

Hello,

I've established an interdomain trust relationship between SAMBA and
Windows.

Samba domain users can log into the Windows domain, but Windows domain
users can't log to the SAMBA server.

For example, if I try to log as "ADTEST/dupond" from Windows to SAMBA,
SAMBA log says:

[2006/11/15 20:17:05, 5] lib/username.c:Get_Pwnam_alloc(290)
  Finding user ADTEST\dupond
[2006/11/15 20:17:05, 5] lib/username.c:Get_Pwnam_internals(234)
  Trying _Get_Pwnam(), username as lowercase is adtest\dupond
[2006/11/15 20:17:05, 5] lib/username.c:Get_Pwnam_internals(242)
  Trying _Get_Pwnam(), username as given is ADTEST\dupond
[2006/11/15 20:17:05, 5] lib/username.c:Get_Pwnam_internals(252)
  Trying _Get_Pwnam(), username as uppercase is ADTEST\DUPOND
[2006/11/15 20:17:05, 5] lib/username.c:Get_Pwnam_internals(261)
  Checking combinations of 0 uppercase letters in adtest\dupond
[2006/11/15 20:17:05, 5] lib/username.c:Get_Pwnam_internals(267)
  Get_Pwnam_internals didn't find user [ADTEST\dupond]!

And I have this message in /var/log/samba/log.wb-ADTEST

[2006/11/15 20:34:57, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(585)
  [ 8617]: pam auth crap domain: ADTEST user: dupond

But "getent passwd" works:

# getent passwd "ADTEST\dupond"
ADTEST\dupond:x:30001:30000::/home/ADTEST/dupond:/bin/false

Other interesting commands:

# wbinfo -a 'ADTEST\dupond%dupond'
plaintext password authentication succeeded
challenge/response password authentication succeeded

# wbinfo -n 'ADTEST\dupond'
S-1-5-21-1409082233-1844237615-1801674531-1104 User (1)

# wbinfo -m
ADTEST

# wbinfo -s S-1-5-21-1409082233-1844237615-1801674531-1104
ADTEST\dupond 1

Any idea ? I don't understand what is the remaining problem.

My smb.conf:

[global]
        ldap group suffix = ou=Groups
        ldap admin dn = cn=admin,dc=linbox,dc=com
        add machine script = /usr/lib/lmc/add_machine_script '%u'
        domain logons = yes
        logon path = \\%N\profiles\%u
        netbios name = PDC01
        print command         null passwords = Yes
        logon script = logon.bat
        lprm command         printcap name = cups
        passdb backend = ldapsam:ldap://127.0.0.1/
        workgroup = LINBOXTEST
        enable privileges = Yes
        ldap user suffix = ou=Users
        map acl inherit = Yes
        map to guest = Bad User
        #name resolve order = bcast
        lpq command = %p
        log level = 3
        ldap suffix = dc=linbox,dc=com
        printing = cups
        ldap machine suffix = ou=Computers

        idmap backend = ldap:ldap://127.0.0.1/
        ldap idmap suffix = ou=Idmap
        idmap uid = 30000-40000
        idmap gid = 30000-40000

        wins support = yes
        #auth methods = guest sam winbind

        log level = 10


Best regards,

-- 
Cedric Delfosse                             Linbox / Free&ALter Soft
152, rue de Grigy - Technopole Metz              57070 METZ - FRANCE
tel: +33 (0)3 87 50 87 98                          http://linbox.com

Le mercredi 15 novembre 2006 ? 20:38 +0100, C?dric Delfosse a ?crit
:
> SAMBA 3.0.21c (domain is LINBOXTEXT)
> Windows 2000 SP4 (domain is ADTEST)
> 
> Hello,
> 
> I've established an interdomain trust relationship between SAMBA and
> Windows.
> 
> Samba domain users can log into the Windows domain, but Windows domain
> users can't log to the SAMBA server.
Hello,

I upgraded to SAMBA 3.0.23c, and it still doesn't work.
Now "getent passwd" doesn't display the winbind entries (and I
added
winbind enum users/groups = * to smb.conf), but wbinfo -u/-g works

And after one restart of samba/winbind, it's worse. I know have this:

# wbinfo --sequence
ADTEST : DISCONNECTED
BUILTIN : 137325808
LINBOXTEST : 137323728

# wbinfo -u
Error looking up domain users

But:

# wbinfo -a "ADTEST\dupond%dupond"
plaintext password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user ADTEST\dupond%dupond with plaintext password
challenge/response password authentication succeeded

So at least users can be authenticated, but their account information
aren't successfully look up.

I'm now trying Samba 3.0.21d, as it looks like there is tons of winbind
improvements in this version ! )

Regards,

My smb.conf:

[global]
        ldap group suffix = ou=Groups
        ldap admin dn = cn=admin,dc=linbox,dc=com
        add machine script = /usr/lib/lmc/add_machine_script '%u'

        domain master = yes
        domain logons = yes
        preferred master = yes

        logon path = \\%N\profiles\%u
        netbios name = PDC01
        print command         null passwords = Yes
        logon script = logon.bat
        lprm command         printcap name = cups
        passdb backend = ldapsam:ldap://127.0.0.1/
        workgroup = LINBOXTEST
        enable privileges = Yes
        ldap user suffix = ou=Users
        map acl inherit = Yes
        map to guest = Bad User
        #name resolve order = bcast
        lpq command = %p
        log level = 3
        ldap suffix = dc=linbox,dc=com
        printing = cups
        ldap machine suffix = ou=Computers

        idmap backend = ldap:ldap://127.0.0.1/
        ldap idmap suffix = ou=Idmap
        idmap uid = 30000-40000
        idmap gid = 30000-40000
        # SAMBA 3.0.23c
        winbind enum users = yes
        winbind enum groups = yes

        winbind cache time = 1

        wins support = yes
        #auth methods = guest sam winbind

        log level = 10


-- 
Cedric Delfosse                             Linbox / Free&ALter Soft
152, rue de Grigy - Technopole Metz              57070 METZ - FRANCE
tel: +33 (0)3 87 50 87 98                          http://linbox.com