Hi all.
I have a problem with winbind authentication.
I have 2 samba domains, DOMA and DOMB, and these domains have trust in one another.

On both pdc winbind is installed.

I installed a proxy server using squid with ntlm authentication. I installed on the server:
squid
samba
winbind
I have modified the smb.conf on proxy:
[global]
  workgroup = DOMA
  server string = PROXY DOMA
  password server = xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy
  security = domain
  encrypt passwords = yes
  winbind separator = +
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = No
  log level = 2
  log file = /var/log/samba/%m.log
  max log size = 100000
  socket options = TCP_NODELAY
  wins server = xxx.xxx.xxx.xxx

I have run this command:
#net rpc join -S PDC1 -U Administrator
and the proxy server has joined the domain.
Now these commands executed successfully:
#wbinfo -t
checking the trust secret via RPC calls succeeded
#wbinfo -u
DOMA+user1
DOMA+user2
DOMA+user3
DOMA+user4
etc. etc.
#wbinfo -a DOMA+user1%pwduser1
plaintext password authentication succeeded
challenge/response password authentication succeeded
Until here everything is ok.
Every now and then, though, it seems that winbind loses the domain and users are no longer able to navigate.
This is the log of winbind:
[2009/05/27 12:54:21, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine SERVERA pipe \lsarpc fnum 0x74f0!
[2009/05/27 12:54:28, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine SERVERA pipe \lsarpc fnum 0x751a!
[2009/05/27 14:48:36, 0] libsmb/clientgen.c:cli_receive_smb(111)
  Receiving SMB: Server stopped responding
[2009/05/27 14:48:36, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine SERVERA pipe \NETLOGON fnum 0x751ereturned critical error. Error was Call timed out: server did not respond after 10000 milliseconds
[2009/05/27 14:48:36, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[gonzaga] returned NT_STATUS_IO_TIMEOUT (PAM: 4)
[2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
  cli_rpc_pipe_close: cli_close failed on pipe \samr, fnum 0x751b to machine SERVERA. Error was Call timed out: server did not respond after 1000 milliseconds
[2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
  cli_rpc_pipe_close: cli_close failed on pipe \lsarpc, fnum 0x751c to machine SERVERA. Error was Call timed out: server did not respond after 500 milliseconds
[2009/05/27 14:48:36, 1] libsmb/clientgen.c:cli_rpc_pipe_close(386)
  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x751e to machine SERVERA. Error was Call timed out: server did not respond after 500 milliseconds
[2009/05/27 14:48:46, 0] libsmb/clientgen.c:cli_receive_smb(111)
  Receiving SMB: Server stopped responding
[2009/05/27 14:48:57, 0] libsmb/clientgen.c:cli_receive_smb(111)
  Receiving SMB: Server stopped responding
[2009/05/27 14:49:07, 0] libsmb/clientgen.c:cli_receive_smb(111)
  Receiving SMB: Server stopped responding
[2009/05/27 14:49:07, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user1] returned NT_STATUS_IO_TIMEOUT (PAM: 4)
[2009/05/27 14:49:26, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user2] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:49:32, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user3] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:49:50, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user4] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:49:52, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user4] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:50:36, 4] nsswitch/winbindd_dual.c:fork_domain_child(1080)
  child daemon request 47
[2009/05/27 14:50:36, 8] nsswitch/winbindd_cm.c:connection_ok(1515)
  connection_ok: Connection to for domain DOMA has NULL cli!
[2009/05/27 14:50:36, 5] libsmb/namequery.c:saf_fetch(136)
  saf_fetch: Returning "SERVERA" for "DOMA" domain
[2009/05/27 14:50:36, 5] libads/dns.c:sitename_fetch(706)
  sitename_fetch: No stored sitename for
[2009/05/27 14:50:36, 5] libsmb/namecache.c:namecache_fetch(214)
  name SERVERA#20 found.
[2009/05/27 14:50:36, 6] libsmb/clientgen.c:write_socket(152)
  write_socket(18,72)
[2009/05/27 14:50:36, 6] libsmb/clientgen.c:write_socket(155)
  write_socket(18,72) wrote 72
[2009/05/27 14:50:36, 5] libsmb/cliconnect.c:cli_session_request(1407)
  Sent session request

If I restart winbind on the proxy server, browsing resumes without problems.

Can you help?

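When reading a winbindd log like the one in this post, it helps to separate "winbind cannot reach a domain controller" from ordinary per-user failures such as a wrong password. The following is an added example, not part of the original thread: the sample log lines, the function names and the thresholds are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the two-line winbindd log layout quoted in the post.
SAMPLE_LOG = r"""
[2009/05/27 14:40:02, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user9] returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
[2009/05/27 14:48:36, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user1] returned NT_STATUS_IO_TIMEOUT (PAM: 4)
[2009/05/27 14:49:26, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user2] returned
  NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
[2009/05/27 14:49:50, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [DOMA]\[user4] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] ")
AUTH = re.compile(r"user \[([^\]]*)\]\\\[([^\]]*)\] returned (NT_STATUS_\w+)")
DC_UNREACHABLE = {"NT_STATUS_IO_TIMEOUT", "NT_STATUS_NO_LOGON_SERVERS"}

def parse_auth_results(text):
    """Yield (time, domain, user, status) for each NTLM auth result entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a "[date, level] file:function(line)" header starts a new entry
            entries.append([datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), ""])
        elif entries:  # indented message body, possibly wrapped over several lines
            entries[-1][1] += " " + line.strip()
    for when, body in entries:
        m = AUTH.search(body)
        if m:
            yield when, m.group(1), m.group(2), m.group(3)

def dc_outages(text, min_failures=3, max_gap=timedelta(minutes=5)):
    """Group DC-unreachable auth failures into outage windows per domain."""
    open_windows, outages = {}, []
    for when, domain, user, status in parse_auth_results(text):
        if status == "NT_STATUS_OK":  # the DC answered again: close the window
            open_windows.pop(domain, None)
        if status not in DC_UNREACHABLE:
            continue  # wrong password and similar results are not an outage
        win = open_windows.get(domain)
        if win is None or when - win["end"] > max_gap:
            win = {"domain": domain, "start": when, "end": when, "failures": 0, "users": set()}
            open_windows[domain] = win
            outages.append(win)
        win["end"], win["failures"] = when, win["failures"] + 1
        win["users"].add(user)
    return [w for w in outages if w["failures"] >= min_failures]
```

A window that spans several distinct users within a few minutes points at the proxy's connection to the domain controller rather than at any one account.
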
On Wed, May 27, 2009 at 5:22 PM, Mailing pigna <lucapml@gmail.com> wrote:
> Hi all.
> I have a problem with winbind authentication.
> I have 2 samba domains, DOMA and DOMB, and these domains have trust in one
> another.

There was a post "samba two way trusts and winbind" a few days ago. That may be your case.

Liutauras

On Fri, May 29, 2009 at 10:28 AM, Mailing pigna <lucapml@gmail.com> wrote:
> I solved the problem.
> In the file smb.conf I put the parameter
> smb port = 139
> changing the parameter
> smb ports = 445 139
> Everything is back to work.
> But I do not understand 3 things:
> 1) before winbind is working quietly on the pdc that the proxy, but now if
> you do not rehabilitate the 445 I will have the problems I described.
> 2) In a remote site I have installed a BDC and a proxy, and it works without
> any problems leaving smb port = 139 ....
> 3) I do not remember why I put smb port = 139 :)

I put port 139 only when I want to have a multi-named samba server and to have some shares on one virtual samba and other shares on the other virtual samba.