I have been (unsuccessfully) trying to get this up and running for the past few days. I have successfully set up samba itself NUMEROUS times but this winbind stuff has me stumped.

I have built a fresh box for this server using Turbo Linux server 6.5 and samba 2.2.2. I have followed all the docs and man pages that I could find.

1. I have samba compiled (using --with-winbind --with-pam) and running.
2. The samba box has been successfully added to my NT domain.
3. Winbind appears to be communicating to some extent with my PDC because I can get a list of users with "wbinfo -u".

The samba server shows up in the browse list on the Windows clients but when you click on the machine it is still prompting users for a name and password (none of which work).

My smb.conf file has the following related entries:

#winbind stuff
winbind separator = +
winbind cache = 10
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/false
template homedir = /home/$D/$U

security = domain
password server = *
encrypt passwords = yes

[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes

[share]
comment = none
path = /shares/test
valid users = TESTDOM+larry,TESTDOM+administrator
public = yes
writable = yes

I created a file called "samba" in the /etc/pam.d/ dir which contains the following lines:

auth required /lib/security/pam_securetty
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
account required /lib/security/pam_winbind.so

I am ONLY concerned with users being able to access the samba shares. I don't want them to be able to login or ftp to the samba box. If anyone here can help me out with this one I would really appreciate it. If any more info is required, please don't hesitate to ask.

Thanks,
VeKTeReX

Not positive, but I think your UID and GID ranges should not intersect like that.
Try
winbind gid = 20001-30000

Josh

  .~.
  /V\
 /( )\
 ^^-^^

-----Original Message-----
From: Kevin [mailto:kevin@mpcf.com]
Sent: Thursday, November 08, 2001 9:39 AM
To: samba@lists.samba.org
Subject: Please help with winbind setup

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba

Do 'getent passwd' and 'getent group' list your NT users? If not, check your /etc/nsswitch.conf file. Also, make sure you have /lib/libnss_winbind.so and /lib/libnss_winbind.so.2. (One should be an actual file, and the other one a link to that file. Run /sbin/ldconfig after changing these, if you need to change them.)

If the getent commands don't work, PAM authentication won't work either.

For your /etc/pam.d/samba file, try this:

auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass nullok shadow
account required /lib/security/pam_winbind.so

The pam_securetty and pam_nologin.so lines may be confusing things. The above is what's working on my RedHat 7.0 system.

-----Original Message-----
From: Kevin [mailto:kevin@mpcf.com]
Sent: Thursday, November 08, 2001 10:39 AM
To: samba@lists.samba.org
Subject: Please help with winbind setup

I created a file called "samba" in the /etc/pam.d/ dir which contains the following lines:

auth required /lib/security/pam_securetty
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
account required /lib/security/pam_winbind.so

I am ONLY concerned with users being able to access the samba shares. I don't want them to be able to login or ftp to the samba box. If anyone here can help me out with this one i would really appreciate it. If any more info is required, please don't hesitate to ask.

Did you setup your /etc/nsswitch.conf file ??

You need to fix the following lines

passwd: files nis winbind
shadow: files nis winbind
group: files nis winbind

Are you getting any errors in the log.winbindd or log.smbd ??

Josh

  .~.
  /V\
 /( )\
 ^^-^^

-----Original Message-----
From: Kevin [mailto:kevin@mpcf.com]
Sent: Thursday, November 08, 2001 10:22 AM
To: Konkol, Josh; samba@lists.samba.org
Subject: Re: Please help with winbind setup

No luck on that one.

Kevin wrote:
>
> I'll give that a shot but I have my doubts too. I got
> those numbers for both uid and gid directly from the
> docs.
>
> Thanks for the input.
>
> VeKTeReX
>
> "Konkol, Josh" wrote:
> >
> > Not positive, but I think your UID and GID ranges should not intersect like
> > that.
> > Try
> > winbind gid = 20001-30000
> >
> > Josh

Yes, my /etc/nsswitch.conf file is setup with those lines. No info at all in log.smbd or log.winbind. I am increasing the log level of smbd and trying again.

"Konkol, Josh" wrote:
>
> Did you setup your /etc/nsswitch.conf file ??
>
> You need to fix the following lines
>
> passwd: files nis winbind
> shadow: files nis winbind
> group: files nis winbind
>
> Are you getting any errors in the log.winbindd or log.smbd ??
>
> Josh
>
>   .~.
>   /V\
>  /( )\
>  ^^-^^

I have tried specifying the login name as TESTDOM+larry, and it still does not work. WinXP will not even let you try it with a "+" as a separator. It just keeps saying the correct syntax is "TESTDOM\larry" (what a PITA). I've tried it from Win2K and NT 4.0 boxes too with no success. When I type in just administrator or TESTDOM\administrator, it thinks for a moment then spits the username:password prompt back at me with no extra messages. When I try with TESTDOM+administrator from a Win2K, WinNT or WinXP box all three say that the specified username is invalid.

I checked the log.ntserver (my PDC and test client for now) since I bumped up the log level one notch and now I am getting some error messages. I have attached the log file to this message. It says something to the effect that it could not fetch trust account password for the MPCFDOMAIN (my real domain name). Then it appears to try the more traditional authentication methods.

Thanks for the help,
VeKTeReX

David Brodbeck wrote:
>
> Hmm...that's interesting. Are you seeing any error messages at all when you
> attempt to log in? You should be able to get something, though it may take
> increasing the logging level a bit to see it. Also, if you have separate
> logs for each machine, it may be turning up there instead of in the main
> logfile.
>
> Have you tried manually specifying the domain? You shouldn't have to, if
> both machines are joined to the same domain, but you might want to try it
> just to be sure. For example, if your domain separator is +, try
> "DOMAIN+joe" at the username prompt instead of just "joe".

-------------- next part --------------
[2001/11/08 09:28:47, 2] smbd/server.c:exit_server(458)
  Closing connections
[2001/11/08 09:28:59, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain MPCFDOMAIN
[2001/11/08 09:28:59, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:28:59, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:28:59, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:28:59, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'administrator'!
[2001/11/08 09:28:59, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for administrator
[2001/11/08 09:28:59, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:28:59, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:28:59, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:28:59, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:28:59, 2] smbd/server.c:exit_server(458)
  Closing connections
[2001/11/08 09:28:59, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain MPCFDOMAIN
[2001/11/08 09:28:59, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:28:59, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:28:59, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:28:59, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'administrator'!
[2001/11/08 09:28:59, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for administrator
[2001/11/08 09:28:59, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:28:59, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:28:59, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:28:59, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:28:59, 2] smbd/server.c:exit_server(458)
  Closing connections
[2001/11/08 09:29:08, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain MPCFDOMAIN
[2001/11/08 09:29:08, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:29:08, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:29:08, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:29:08, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'administrator'!
[2001/11/08 09:29:08, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for administrator
[2001/11/08 09:29:08, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:29:08, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:29:08, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:29:08, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:29:08, 2] smbd/server.c:exit_server(458)
  Closing connections
[2001/11/08 09:31:46, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain MPCFDOMAIN
[2001/11/08 09:31:46, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:31:46, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:31:46, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:31:46, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'administrator'!
[2001/11/08 09:31:46, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for administrator
[2001/11/08 09:31:46, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:31:46, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:31:46, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:31:46, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:31:46, 2] smbd/server.c:exit_server(458)
  Closing connections
[2001/11/08 09:31:46, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain MPCFDOMAIN
[2001/11/08 09:31:46, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:31:46, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:31:46, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:31:46, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'administrator'!
[2001/11/08 09:31:46, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for administrator
[2001/11/08 09:31:46, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:31:46, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:31:46, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:31:46, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:31:46, 2] smbd/server.c:exit_server(458)
  Closing connections
[2001/11/08 09:32:03, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain MPCFDOMAIN
[2001/11/08 09:32:03, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:32:03, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:32:03, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:32:03, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'administrator'!
[2001/11/08 09:32:03, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for administrator
[2001/11/08 09:32:03, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:32:03, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:32:03, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:32:03, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:32:03, 2] smbd/server.c:exit_server(458)
  Closing connections
[2001/11/08 09:32:03, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain MPCFDOMAIN
[2001/11/08 09:32:03, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:32:03, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:32:03, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:32:03, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'administrator'!
[2001/11/08 09:32:03, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for administrator
[2001/11/08 09:32:03, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:32:03, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:32:03, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:32:03, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:32:03, 2] smbd/server.c:exit_server(458)
  Closing connections
[2001/11/08 09:32:17, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain MPCFDOMAIN
[2001/11/08 09:32:17, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:32:17, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:32:17, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:32:17, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'administrator'!
[2001/11/08 09:32:17, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for administrator
[2001/11/08 09:32:17, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:32:17, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:32:17, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:32:17, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:32:17, 2] smbd/server.c:exit_server(458)
  Closing connections
[2001/11/08 09:35:53, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain MPCFDOMAIN
[2001/11/08 09:35:53, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:35:53, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:35:53, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:35:53, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'administrator'!
[2001/11/08 09:35:53, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for administrator
[2001/11/08 09:35:53, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:35:53, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:35:53, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:35:53, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:35:53, 2] smbd/server.c:exit_server(458)
  Closing connections
[2001/11/08 09:35:53, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain MPCFDOMAIN
[2001/11/08 09:35:53, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:35:53, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:35:53, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:35:53, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'administrator'!
[2001/11/08 09:35:53, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for administrator
[2001/11/08 09:35:53, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2001/11/08 09:35:53, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2001/11/08 09:35:53, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'administrator' in passdb.
[2001/11/08 09:35:53, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:35:53, 2] smbd/server.c:exit_server(458)
  Closing connections

I'm sorry, that's right...no matter what the "domain separator" is set to in winbind's configuration, you always use \ under Windows. I forgot about that. The + separator only applies on the UNIX side.

It looks to me like the Samba machine is not properly joined to the MPCFDOMAIN domain. What I can't figure out is that if that's true, it seems to me that 'getent passwd' shouldn't work either (or rather, should return only local users.) Maybe someone on the list has an idea.

Does 'wbinfo -t' return 'Secret is good'?

-----Original Message-----
From: Kevin [mailto:kevin@mpcf.com]
Sent: Friday, November 16, 2001 1:46 PM
To: David Brodbeck
Cc: samba@lists.samba.org
Subject: Re: Please help with winbind setup

That means you aren't properly joined to the domain. Try removing the Samba server's account on the PDC (with NT's server manager), re-creating it, then joining again. (See the -j option in the smbpasswd manpage.) Make sure that smbd and nmbd are *not* running when you do this, or it won't work.

-----Original Message-----
From: Kevin [mailto:kevin@mpcf.com]
Sent: Friday, November 16, 2001 2:12 PM
To: David Brodbeck
Cc: samba@lists.samba.org
Subject: Re: Please help with winbind setup

wbinfo -t states that:

"Secret is bad 0xc00000e5"

What does this mean? What is the secret used for? And of course, how do I make it good :)

Thanks a million,
VeKTeReX

David Brodbeck wrote:
>
> I'm sorry, that's right...no matter what the "domain separator" is set to in
> winbind's configuration, you always use \ under Windows. I forgot about
> that. The + separator only applies on the UNIX side.
>
> It looks to me like the Samba machine is not properly joined to the
> MPCFDOMAIN domain. What I can't figure out is that if that's true, it seems
> to me that 'getent passwd' shouldn't work either (or rather, should return
> only local users.) Maybe someone on the list has an idea.
>
> Does 'wbinfo -t' return 'Secret is good'?

You can use the regular UNIX permission commands; they'll happily treat winbind user and group names like any others, though you may have to quote them if they contain spaces. For example, if I'm sharing a folder called /export/stuff, and want only members of the domain administrators group to be able to write it, but anyone to read it, I can do something like this:

chmod 775 /export/stuff
chown :"DOMAIN+Domain Admins" /export/stuff

The only difficulty with this is that the column widths for the ls -l command are just too narrow to read the ownership information when using this notation. I haven't found a good way around that yet. (Though in my case I'm using ACLs, so I can always do a 'getfacl' on the file or directory and find out that way.)

-----Original Message-----
From: Kevin [mailto:kevin@mpcf.com]
Sent: Friday, November 16, 2001 3:32 PM
To: David Brodbeck
Cc: samba@lists.samba.org
Subject: Re: Please help with winbind setup

Done. I removed the samba server from the domain using Server manager (is there a way to remove the machine using smbpasswd?) and re-added it to the domain using smbpasswd. Now I can see all my shares and access the ones that have no particular permissions set!!! Thanks a million.

My only question left is how do I set permissions for the shares I create when using winbind? I used to use the valid users command and smbpasswd to create encrypted passwords. A fairly simple system but one that worked well for me. But that method doesn't appear to work when using winbind. How do I grant or deny access to my shares on a user or group basis now?

Thanks again,
VeKTeReX

David Brodbeck wrote:
>
> That means you aren't properly joined to the domain. Try removing the Samba
> server's account on the PDC (with NT's server manager), re-creating it, then
> joining again. (See the -j option in the smbpasswd manpage.) Make sure that
> smbd and nmbd are *not* running when you do this, or it won't work.
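
The checks suggested across this thread (winbind entries in /etc/nsswitch.conf, the trust-account error in the smbd log, and the result of 'wbinfo -t') gathered into one triage script. This is an added example, not part of any poster's message; the function names, the EXAMPLEDOM domain and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline triage of the symptoms discussed in this thread.
# Function names, EXAMPLEDOM and both sample files are constructed.

# nss_has_winbind FILE DB
# Exit 0 if DB ("passwd", "group", ...) lists winbind as a source in an
# nsswitch.conf-style FILE, exit 1 otherwise.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == (db ":") {
            for (i = 2; i <= NF; i++)
                if ($i == "winbind") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# trust_failures LOGFILE
# Print "<domain> <count>" for every domain whose trust account password
# smbd reported it could not fetch (the level-0 error in the attached log).
trust_failures() {
    sed -n 's/.*could not fetch trust account password for domain \([^ ]*\).*/\1/p' "$1" |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# classify_secret "TEXT PRINTED BY wbinfo -t"
# Print "joined" for "Secret is good", "rejoin" for "Secret is bad".
classify_secret() {
    case "$1" in
        *"Secret is good"*) echo joined ;;
        *"Secret is bad"*)  echo rejoin ;;
        *)                  echo unknown ;;
    esac
}

# diagnose NSSWITCH LOGFILE "WBINFO -t OUTPUT"
# Print the next step the thread arrives at: fix-nsswitch, rejoin-domain or ok.
diagnose() {
    for db in passwd group; do
        nss_has_winbind "$1" "$db" || { echo "fix-nsswitch"; return 0; }
    done
    if [ "$(classify_secret "$3")" = rejoin ] || [ -n "$(trust_failures "$2")" ]; then
        echo "rejoin-domain"
        return 0
    fi
    echo "ok"
}

# make_samples DIR: write constructed sample inputs so the script runs offline.
make_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
# constructed sample
passwd: files nis winbind
shadow: files nis winbind
group:  files nis winbind
hosts:  files dns
EOF
    cat > "$1/log.smbd" <<'EOF'
[2001/11/08 09:28:59, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain EXAMPLEDOM
[2001/11/08 09:28:59, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'administrator': authentication failed
[2001/11/08 09:29:08, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: could not fetch trust account password for domain EXAMPLEDOM
EOF
}

# Demo on the constructed samples. On a live server the call would be:
#   diagnose /etc/nsswitch.conf <path to your smbd log> "$(wbinfo -t 2>&1)"
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "trust failures: $(trust_failures "$demo_dir/log.smbd")"
echo "next step: $(diagnose "$demo_dir/nsswitch.conf" "$demo_dir/log.smbd" 'Secret is bad 0xc00000e5')"
rm -rf "$demo_dir"
```

A "rejoin-domain" result corresponds to the fix that worked in the thread: remove and re-create the machine account, then join again with smbd and nmbd stopped.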