Gaiseric Vandal
2009-Nov-17  19:16 UTC
[Samba] Samba trusts, mapping issue, and pam crap domain
I am running Samba ver 3.0.37 on Solaris 10 (sparc) as a PDC with LDAP for
the backend for both samba and unix accounts.  Assume the samba SMBPDC is
called "PDC."

I have also set up a trust with a Windows domain- let's call it
WINDOMAIN- (the PDC for the Windows domain is Win 2003 but is in mixed mode
for backwards compat.)  The SAMBA domain trusts the WINDOWS domain, not
vice versa.  Assume the Windows PDC is called "WINPDC."
I have winbind enabled. Idmap entries are stored in the backend.
On the Windows domain, I have a login script which maps R: to
\\PDC\dept\common.  The "dept" share does not explicitly set or deny any
users.  The "common" directory has unix perms of "rwxrwxr-t."
On the SMBPDC:

smbpdc# getent passwd | grep linus
WINDOMAIN\linus:*:30197:30037:Linus Van Pelt:/home/WINDOMAIN/linus:/bin/false
smbpdc#

smbpdc -3.00# id "WINDOMAIN\linus"
uid=30197(ADMINISTRATION\linus) gid=30037(WINDOMAIN\domain users)
bash-3.00# id linus
id: invalid user name: "linus"
smbpdc -3.00#
Smb.conf includes
-------------------------
ntlm auth = Yes
passdb backend = ldapsam:ldap://ldap1.mydomain.com 
ldap suffix=o=mydomain.com 
ldap user suffix=ou=people 
ldap group suffix=ou=smb_groups 
ldap machine suffix=ou=machines 
ldap admin dn="cn=Directory Manager"
ldap ssl = no
ldap passwd sync = no
ldap idmap suffix=ou=idmap
winbind enum users = Yes
winbind enum groups = no
winbind use default domain = no
winbind trusted domains only = no
#ldap time out default is 15 sec
ldap timeout=30
# idmap domains = WINDOMAIN, TESTDOMAIN
idmap domains = WINDOMAIN
idmap config WINDOMAIN:backend = ldap
idmap config WINDOMAIN:readonly = no
idmap config WINDOMAIN:default=no
idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
idmap config WINDOMAIN:ldap_user_dn = cn=Directory Manager
idmap config WINDOMAIN:ldap_url = ldap1.mydomain.com
idmap config WINDOMAIN:range = 30000-39999
#idmap config TESTDOMAIN:backend = ldap
#idmap config TESTDOMAIN:readonly = no
#idmap config TESTDOMAIN:default=no
#idmap config TESTDOMAIN:ldap_base_dn =ou=testdomain,ou=idmap,o=mydomain.com
#idmap config TESTDOMAIN:ldap_user_dn = cn=Directory Manager
#idmap config TESTDOMAIN:ldap_url = ldap1.mydomain.com
#idmap config TESTDOMAIN:range = 40000-49999
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com 
idmap alloc config:ldap_user_dn = cn=Directory Manager 
idmap alloc config:ldap_url = ldap1.mydomain.com 
idmap alloc config:range = 70000 - 79999
[dept]
        path = /zexport/Dept
        read only = No
        create mask = 0770
        force create mode = 0600
        directory mask = 0775
        force directory mode = 0600
        inherit permissions = Yes
        inherit acls = Yes
        hide special files = Yes
        vfs objects = zfsacl
        zfsacl:acesort = dontcare
        nfs4:mode = special
        nfs4:chown = yes
        nfs4:acedup = merge
--------------------
I have a test user "linus" on the WINDOMAIN domain.  If I log into a
WINDOMAIN account on WINPDC, I am prompted for credentials on the
SAMBA/SMBPDC share and am denied.  This used to work (sort of) -  I recently
added the Solaris patch to update from 3.0.35 to 3.0.37.
The /var/log/samba/WINPDC.log file shows
...
  check_ntlm_password:  Checking password for unmapped user [WINDOMAIN]\[linus]@[WINPDC] with the new password interface
[2009/11/17 11:54:25, 3] auth/auth.c:(224)
  check_ntlm_password:  mapped user is: [WINDOMAIN]\[linus]@[WINPDC]
[2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/11/17 11:54:25, 3] smbd/uid.c:(408)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/17 11:54:25, 2] auth/auth.c:(319)
  check_ntlm_password:  Authentication for user [linus] -> [linus] FAILED with error NT_STATUS_NO_SUCH_USER
[2009/11/17 11:54:25, 3] smbd/error.c:(106)
  error packet at smbd/sesssetup.c(107) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2009/11/17 11:54:35, 3] smbd/process.c:(1083)
...
The /var/samba/log/log.wb-WINDOMAIN shows
...
[2009/11/17 08:14:48, 3] nsswitch/winbindd_pam.c:(1755)
  [13932]: pam auth crap domain: WINDOMAIN user: lucy
...
  [13932]: pam auth crap domain: WINDOMAIN user: charlie
[2009/11/17 10:59:54, 3] nsswitch/winbindd_pam.c:(1755)
  [13932]: pam auth crap domain: WINDOMAIN user: Administrator
[2009/11/17 10:59:54, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:54, 3] nsswitch/winbindd_ads.c:(1062)
  ads: fetch sequence_number for WINDOMAIN
[2009/11/17 10:59:54, 3] libsmb/namequery.c:(1557)
  get_dc_list: preferred server list: ", *"
[2009/11/17 10:59:54, 3] libads/ldap.c:(443)
  Connected to LDAP server 192.168.0.71
[2009/11/17 10:59:54, 3] libsmb/namequery.c:(1557)
  get_dc_list: preferred server list: ", *"
[2009/11/17 10:59:54, 3] libads/ldap.c:(443)
  Connected to LDAP server 192.168.0.71
[2009/11/17 10:59:54, 3] libads/ldap.c:(443)
  Connected to LDAP server 192.168.0.71
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/11/17 10:59:54, 3] libads/sasl.c:(300)
  ads_sasl_spnego_bind: got server principal name = SMBPDC$@WINDOMAIN.DOMAIN.COM
[2009/11/17 10:59:54, 3] libsmb/clikrb5.c:(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2009/11/17 10:59:55, 3] libsmb/clikrb5.c:(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 17 Nov 2009 20:59:55 EST
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
  sid_to_name [rpc] S-1-5-xxxx for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-xxxx- 
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
  sid_to_name [rpc] S-1-5-21-xxxxx for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
  sid_to_name [rpc] S-1-5-21-xxxx for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
  sid_to_name [rpc] S-1-5-21-1935655697-920026266-725345543-512 for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
  sid_to_name [rpc] S-1-5-21-1935655697-920026266-725345543-519 for domain WINDOMAIN
[2009/11/17 11:00:01, 3] nsswitch/winbindd_pam.c:(1755)
  [13932]: pam auth crap domain: WINDOMAIN user: Administrator
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-xxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-xxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5xxxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-xxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-xxxx
[2009/11/17 11:28:15, 3] nsswitch/winbindd_ads.c:(1062)
  ads: fetch sequence_number for WINDOMAIN
[2009/11/17 11:28:15, 3] libads/ldap.c:(745)
  ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) -> Timelimit exceeded
[2009/11/17 11:28:15, 3] libads/ldap_utils.c:(76)
  Reopening ads connection to realm 'WINDOMAIN.DOMAIN.COM' after error Timelimit exceeded
[2009/11/17 11:28:15, 3] libsmb/namequery.c:(1557)
  get_dc_list: preferred server list: ", *"
[2009/11/17 11:28:15, 3] libads/ldap.c:(443)
  Connected to LDAP server 192.168.0.71
[2009/11/17 11:28:15, 3] libads/ldap.c:(443)
  Connected to LDAP server 192.168.0.71
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/11/17 11:28:15, 3] libads/sasl.c:(300)
  ads_sasl_spnego_bind: got server principal name = SMBPDC$@WINDOMAIN.DOMAIN.COM
[2009/11/17 11:28:15, 3] libsmb/clikrb5.c:(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 17 Nov 2009 20:59:55 EST
[2009/11/17 11:28:15, 3] nsswitch/winbindd_rpc.c:(342)
...
I am not using kerberos for anything.  As far as I know, this should be
an "NT4" type trust.  NTLM a  It seems to be some sort of mapping error?

It looks like it doesn't handle the domain component properly, so it strips
it off, and then tries to authenticate just the user name- which of course it
can't.
Thoughts?
Thanks
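An added example (not part of the original post): a small Python checker for the idmap layout quoted above. It parses the poster's idmap settings (SMB_CONF is constructed inline from the values in the message), skips commented-out lines the way smbd does, confirms every domain in "idmap domains" has a backend and a well-formed range, flags overlaps between per-domain ranges and the alloc range, and reports which range a uid from getent falls in.

```python
import re

# Constructed input: the idmap-related lines of the poster's smb.conf.
SMB_CONF = """
idmap domains = WINDOMAIN
idmap config WINDOMAIN:backend = ldap
idmap config WINDOMAIN:range = 30000-39999
#idmap config TESTDOMAIN:range = 40000-49999
idmap alloc config:range = 70000 - 79999
"""

def parse_idmap(text):
    """Return (domain list, per-domain options, alloc options) from smb.conf text."""
    domains, per_domain, alloc = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        # smbd ignores '#'/';' comment lines, so the commented TESTDOMAIN block drops out
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = re.sub(r"\s+", " ", key).lower()
        if key == "idmap domains":
            domains = [d.strip().upper() for d in value.split(",") if d.strip()]
        elif key.startswith("idmap config "):
            dom, _, opt = key[len("idmap config "):].partition(":")
            per_domain.setdefault(dom.upper(), {})[opt] = value
        elif key.startswith("idmap alloc config:"):
            alloc[key.split(":", 1)[1]] = value
    return domains, per_domain, alloc

def parse_range(value):
    """Parse 'lo-hi' (spaces allowed around the dash); None if malformed."""
    m = re.match(r"^\s*(\d+)\s*-\s*(\d+)\s*$", value or "")
    return (int(m[1]), int(m[2])) if m and int(m[1]) <= int(m[2]) else None

def check_idmap(text):
    """Return a list of problems; an empty list means the layout is consistent."""
    domains, per_domain, alloc = parse_idmap(text)
    problems, ranges = [], {}
    for dom in domains:
        cfg = per_domain.get(dom, {})
        if "backend" not in cfg:
            problems.append(f"{dom}: no idmap backend configured")
        rng = parse_range(cfg.get("range"))
        if rng is None:
            problems.append(f"{dom}: missing or malformed range")
        else:
            ranges[dom] = rng
    alloc_rng = parse_range(alloc.get("range"))
    if alloc_rng:
        ranges["ALLOC"] = alloc_rng  # new SIDs get ids from here; it must not collide
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"range overlap: {a} {ranges[a]} vs {b} {ranges[b]}")
    return problems

def domain_for_uid(text, uid):
    """Name the idmap domain (or 'ALLOC') whose range contains uid, else None."""
    domains, per_domain, alloc = parse_idmap(text)
    for dom in domains:
        rng = parse_range(per_domain.get(dom, {}).get("range"))
        if rng and rng[0] <= uid <= rng[1]:
            return dom
    rng = parse_range(alloc.get("range"))
    return "ALLOC" if rng and rng[0] <= uid <= rng[1] else None
```

For the configuration in the post, check_idmap(SMB_CONF) returns an empty list and domain_for_uid(SMB_CONF, 30197) returns "WINDOMAIN", i.e. the uid getent shows for WINDOMAIN\linus is inside that domain's range, which points the investigation at the authentication path rather than at the idmap layout.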
Gaiseric Vandal
2009-Nov-18  22:50 UTC
[Samba] Samba trusts, mapping issue, and pam crap domain
Before getting into too much detail-

     Is it possible that my samba PDC server is trying to treat the
Windows PDC as an active directory domain controller (which of course it
is) rather than a Windows NT4 server (which it should be emulating)?

     Would it be easier to set up a kerberos trust between my Samba
server and the Windows Active Directory?

Maybe this will help isolate what is going wrong:
If I type the following command from a solaris or linux workstation
-> smbclient -U "WINDOMAIN\linus" -L SMBPDC
Enter WINDOMAIN\linus's password:
session setup failed: NT_STATUS_LOGON_FAILURE
->
If I have restarted winbind, and this is the first smbclient attempt,  
/var/samba/log/wb-WINDOMAIN.log shows me the following:
[2009/11/18 17:28:22, 3] nsswitch/winbindd_cm.c:(504)
   cm_get_ipc_userpass: No auth-user defined
[2009/11/18 17:28:22, 3] rpc_client/cli_pipe.c:(2082)
   rpc_pipe_bind: Remote machine winpdc.windomain.domain.com pipe \lsarpc fnum 0xc000 bind request returned ok.
[2009/11/18 17:28:22, 3] rpc_client/cli_pipe.c:(2082)
   rpc_pipe_bind: Remote machine winpdc.windomain.domain.com pipe \lsarpc fnum 0xc004 bind request returned ok.
[2009/11/18 17:28:22, 3] rpc_parse/parse_lsa.c:(224)
   lsa_io_sec_qos: length c does not match size 8
[2009/11/18 17:28:22, 3] nsswitch/winbindd_pam.c:(1755)
   [17996]: pam auth crap domain: WINDOMAIN user: linus
[2009/11/18 17:28:22, 3] rpc_client/cli_pipe.c:(2082)
   rpc_pipe_bind: Remote machine winpdc.windomain.domain.com pipe \NETLOGON fnum 0xc002 bind request returned ok.
[2009/11/18 17:28:22, 3] rpc_client/cli_pipe.c:(2082)
   rpc_pipe_bind: Remote machine winpdc.windomain.domain.com pipe \NETLOGON fnum 0xc003 bind request returned ok.
...
Subsequent smbclient attempts just get logged as
[2009/11/18 17:35:31, 3] nsswitch/winbindd_pam.c:(1755)
   [17996]: pam auth crap domain: WINDOMAIN user: linus
But if I type the wrong password, I will get
[2009/11/18 17:37:56, 3] nsswitch/winbindd_pam.c:(1755)
   [17996]: pam auth crap domain: WINDOMAIN user: linus
[2009/11/18 17:37:56, 2] nsswitch/winbindd_pam.c:(1941)
   NTLM CRAP authentication for user [WINDOMAIN]\[linus] returned NT_STATUS_WRONG_PASSWORD (PAM: 9)
So it is definitely validating the password.
smbpdc # ntlm_auth --username=linus --domain=WINDOMAIN
password:
NT_STATUS_OK: Success (0x0)
smbpdc# wbinfo -a WINDOMAIN\\linus%Password
plaintext password authentication succeeded
challenge/response password authentication succeeded
asterix#
(Although I would have expected plaintext to fail.)
If I type
-> smbclient -U "WINDOMAIN\linus" -L SMBPDC
but then don't enter a password, I will still see a list of shares (I
guess anonymously?)

If I type
  -> smbclient -U "WINDOMAIN\Administrator" -L SMBPDC
I will get a list of shares.  This will happen with any account name
that exists in both domains, even if the password is different.  So it
all seems to point to a mapping issue of some sort.
Why does PAM even come into play?  Do I need to enable winbind in
pam.conf?  I don't want to enable ssh or other "unix" level logins for
the trusted users.

Thanks
On 11/17/09 14:16, Gaiseric Vandal wrote:
> ...