Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine. I installed with the winbind option and everything went through just fine. I was able to join the NT domain and now I can do a "wbinfo -u" and get a domain user list as well as a "wbinfo -g" and get a group list.

For some reason though, the authentication isn't working. I tried to "wbinfo -a" and used a number of possible names. The samba server is on an NT domain called "jwad" and it has a trust relationship with "jhuapl". My user account is on jhuapl, and I want to get authenticated. When I try

    wbinfo -a jhuapl\thomadj1%PASSWORD

it returns fail signals on both clear text and challenge/response methods. From what I see though, it doesn't even appear to be trying to talk to the domain controller, because the responses are given way too quick for any real network activity to have taken place.

Please lend some advice if you have any. I can probably get sample output if needed.

-Dan

Daniel J. Thomas
Systems Administrator
Johns Hopkins University Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924

"Always avoid a bad file copy... You can never know when your replication proceeds you."
-Anonymous Author
MCCALL,DON (HP-USA,ex1)
2002-Feb-12 12:38 UTC
[Samba] Winbind - Why won't you authenticate???
Hi Daniel,

that should work - but I notice that you are using "\" for the winbindd separator - some Unixes will swallow this character as an 'escape' character; for instance on HPUX you can see:

    # ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
    Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext password
    Could not authenticate user atl-wtecatlwtec1%atlwtec1 with challenge/response

NOTE in the above that the response does NOT display the "\" in between the domain and the username. Is this happening to you?

Don

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Below is the beginning of the output which I just pasted into this e-mail. You'll find the error on the bottom. Also at the bottom is a copy of the smb.conf file. Is this all correct?

Thanks,
-Dan

    adams{root}5: ./wbinfo
    Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
            -u                      lists all domain users
            -g                      lists all domain groups
            -h name                 converts NetBIOS hostname to IP
            -i ip                   converts IP address to NetBIOS name
            -n name                 converts name to sid
            -s sid                  converts sid to name
            -U uid                  converts uid to sid
            -G gid                  converts gid to sid
            -S sid                  converts sid to uid
            -Y sid                  converts sid to gid
            -t                      check shared secret
            -m                      list trusted domains
            -r user                 get user groups
            -a user%password        authenticate user
            -A user%password        store session setup auth password
    adams{root}6: ./wbinfo -u
    adams{root}11: ./wbinfo
    Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
            -u                      lists all domain users
            -g                      lists all domain groups
            -h name                 converts NetBIOS hostname to IP
            -i ip                   converts IP address to NetBIOS name
            -n name                 converts name to sid
            -s sid                  converts sid to name
            -U uid                  converts uid to sid
            -G gid                  converts gid to sid
            -S sid                  converts sid to uid
            -Y sid                  converts sid to gid
            -t                      check shared secret
            -m                      list trusted domains
            -r user                 get user groups
            -a user%password        authenticate user
            -A user%password        store session setup auth password
    adams{root}12: ./wbinfo -u
    JWAD\Administrator
    JWAD\dantest
    JWAD\Guest
    JWAD\guestuser
    JWAD\Nelsojb1
    JWAD\repladmin
    JWAD\shaffjl1
    JWAD\SMS&_JWAD-DC1
    JWAD\SMSCliToknAcct&
    JWAD\SQLAgentCmdExec
    JWAD\SQLExecutiveCmdExec
    JWAD\SQLServerService
    JWAD\vashodp1
    JWAD\Volga
    JWAD\WestRL1
    adams{root}13: ./wbinfo -g
    JWAD\Domain Admins
    JWAD\Domain Guests
    JWAD\Domain Users
    JWAD\MTS Trusted Impersonators
    JWAD\SMSInternalCliGrp
    adams{root}14: ./wbinfo -m
    JHUAPL
    adams{root}15: ./wbinfo -a JWAD+dantest%password
    plaintext password authentication failed
    Could not authenticate user JWAD+dantest%password with plaintext password
    challenge/response password authentication failed
    Could not authenticate user JWAD+dantest%password with challenge/response

SMB Conf file:

    # Samba config file created using SWAT
    # from thomaDJ1.jhuapl.edu (128.244.11.37)
    # Date: 2002/02/12 16:11:14

    # Global parameters
    [global]
            workgroup = JWAD
            netbios name = ADAMS
            server string = adams samba
            security = DOMAIN
            encrypt passwords = Yes
            null passwords = Yes
            password server = *
            log file = /usr/local/samba/var/log.%m
            max log size = 50
            large readwrite = Yes
            load printers = No
            os level = 0
            preferred master = False
            local master = No
            domain master = False
            dns proxy = No
            valid chars = - _
            winbind uid = 10000-20000
            winbind gid = 10000-20000
            template homedir = /apps/users/%U
            winbind separator = +
            hosts allow = 128.244.11.
            strict locking = Yes

    [homes]
            comment = Home Directories
            read only = No
            browseable = No

    [printers]
            comment = All Printers
            path = /usr/spool/samba
            printable = Yes
            browseable = No

    [temp]
            path = /apps/temp
            write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator jwad+dantest
MCCALL,DON (HP-USA,ex1)
2002-Feb-12 14:29 UTC
[Samba] Winbind - Why won't you authenticate???
Hi Daniel,

I see a couple of things that are suspicious. Take a look at my output, from a winbindd system that is a member of the WT1 domain, and the WT1 domain has a trust to the atl-wtec domain. NOTE that my winbind separator is + (as yours appears to be in your smb.conf file):

    # ./wbinfo -u
    ATL-WTEC+Administrator
    ATL-WTEC+atlwtec1
    ATL-WTEC+ddmc
    ATL-WTEC+Guest
    ATL-WTEC+IUSR_ALBERTE
    WT1+Administrator
    WT1+ddmc
    WT1+Guest
    WT1+IUSR_CERES
    WT1+IWAM_CERES
    WT1+krbtgt
    WT1+test
    WT1+test1
    WT1+test2
    WT1+test3
    WT1+test4
    WT1+test5
    # ./wbinfo -m
    ATL-WTEC
    #

NOTE it shows the users in the ATL-WTEC domain as well as my home domain (this may be because I have a 2 way trust between the domains); but NOTE also, that the wbinfo output SHOWS my users with the "+" separator, which matches what I have in my smb.conf file - YOURS DOES NOT: it shows the separator being used as "\"...

You might try verifying your smb.conf file 'winbind separator' by running

    testparm|grep winbind

and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u again. Verify that it is using the "+", and if so, then try your wbinfo -a command again (with the + sign)...

That's all I have for now...

don
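As an added example (not part of the original thread), the two separator checks from the replies above can be reproduced offline in POSIX sh: how an unquoted "\" is removed by the shell before wbinfo sees it, and whether the separator shown by `wbinfo -u` matches `winbind separator` in smb.conf. The function names and the sample data are assumptions, constructed from values quoted in the posts.

```shell
#!/bin/sh
# Added example, not part of the thread. All sample data below is
# constructed from values quoted in the posts above.

# 1) Shell quoting: print the argument exactly as a program receives it.
as_received() { printf '%s\n' "$1"; }

# Return 0 if account NAME still contains separator SEP, 1 if the shell
# removed it before wbinfo saw it (the HP-UX case in the first reply).
name_has_separator() {
    case $1 in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# 2) Configured separator: read testparm/smb.conf text on stdin and print
# the value of 'winbind separator'. Samba's default is "\" when it is unset.
# Simplification: expects the lowercase spelling that testparm prints.
conf_separator() {
    sep=$(sed -n 's/^[[:space:]]*winbind separator[[:space:]]*=[[:space:]]*\(.\).*$/\1/p' | head -n 1)
    [ -n "$sep" ] || sep='\'
    printf '%s\n' "$sep"
}

# 3) Separator in use: read `wbinfo -u` output on stdin and print the first
# character on each line that cannot belong to the domain name (anything but
# letters, digits, '.', '_' and '-'); the most frequent one wins.
listing_separator() {
    sed -n 's/^[A-Za-z0-9._-]*\([^A-Za-z0-9._-]\).*$/\1/p' |
        sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# 4) The check from the second reply: 0 when the running winbindd agrees
# with smb.conf, 1 when it is still using an old separator and has to be
# stopped and started again.
separator_in_sync() {
    want=$(printf '%s\n' "$1" | conf_separator)
    have=$(printf '%s\n' "$2" | listing_separator)
    [ "$want" = "$have" ]
}

# Constructed sample input (subset of the smb.conf and listings in the thread).
SAMPLE_CONF='[global]
        workgroup = JWAD
        security = DOMAIN
        winbind separator = +'
SAMPLE_LISTING_BEFORE='JWAD\Administrator
JWAD\dantest
JWAD\Guest'
SAMPLE_LISTING_AFTER='JWAD+Administrator
JWAD+dantest
JWAD+Guest'

if separator_in_sync "$SAMPLE_CONF" "$SAMPLE_LISTING_BEFORE"; then
    printf 'smb.conf and winbindd agree on the separator\n'
else
    printf 'smb.conf and winbindd disagree: restart winbindd\n'
fi
printf 'unquoted argument: %s\n' "$(as_received JWAD\dantest%PASSWORD)"
printf 'quoted argument:   %s\n' "$(as_received 'JWAD\dantest%PASSWORD')"
```

Single-quoting the whole `DOMAIN\user%password` argument, or using a separator such as "+", avoids the first problem.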
Don,

I appreciate the insight. I hadn't tried restarting the winbindd daemon before wbinfo -u. Now the correct sign is used and I think I've gotten a bit further, however I still only get a list of users from the JWAD domain. I'll have to find out what type of trust is set up, but if it helps, my users all have user accounts on the JHUAPL domain (along with the other 1000+ accounts on that domain). My unix machine should be on the JWAD domain, which has a trust relationship with JHUAPL. My account is a JHUAPL account, but I have admin rights on the JWAD domain. The JWAD\dantest account I also created on the JWAD domain for testing purposes.

I am getting closer. JHUAPL user and JWAD users give the same result now, but not what I want:

    # ./wbinfo -a JWAD+dantest%password
    plaintext password authentication succeeded
    challenge/response password authentication failed
    Could not authenticate user JWAD+dantest%password with challenge/response

It still doesn't work at all on the windows side.

-Dan
Another thing I noticed. I looked at the log file in samba/var and found the log for my machine was filled with this:

    [2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367)
      unable to open passdb database.

Where is the pdb_smbpasswd.c file and why would there be a problem opening it?

-Dan
MCCALL,DON (HP-USA,ex1)
2002-Feb-13 10:07 UTC
[Samba] Winbind - Why won't you authenticate???
Hi Thomas, The message from pdb_smbpasswd.c is saying that it can't find the smbpasswd file; this is normal if you are doing domain level authentication, and have not created/populated an smbpasswd file - if the domain authentication doesn't work, samba trys to authenticate you locally to the smbpasswd file. So this isn't the issue, I believe. It looks to me as if your win2k dc has disabled support for NTLM v1 challenge response authentication. Check you domain controller security policy under security settings/local policies/ security options and see what the value of : Lan Manager Authentication Level says.... Also, If you would like, stop winbindd,remove the log.winbindd file, set your log level in smb.conf to 10, and start winbind, then do your wbinfo -a... command, and send me the log.winbindd; perhaps I can see what is happening from a full debug log. Thanks, Don -----Original Message----- From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu] Sent: Wednesday, February 13, 2002 12:29 PM To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail) Subject: RE: [Samba] Winbind - Why won't you authenticate??? Another thing I noticed. I looked at the log file in samba/var and found the log for my machine was filled with this: [2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367) unable to open passdb database. Where is the pdb_smbpassd.c file and why would there be a problem opening it? -Dan -----Original Message----- From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com] Sent: Tuesday, February 12, 2002 5:24 PM To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail) Subject: RE: [Samba] Winbind - Why won't you authenticate??? Hi Daniel, I see a couple of things that are suspicious. 
Take a look at my output, from a winbindd system that is a member of the WT1 domain, and the WT1 domain has a trust to the atl-wtec domain. NOTE that my winbind separator is + (as yours appears to be in your smb.conf file):

# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#

NOTE it shows the users in the ATL-WTEC domain as well as my home domain (this may be because I have a 2 way trust between the domains); but NOTE also, that the wbinfo output SHOWS my users with the "+" separator, which matches what I have in my smb.conf file - YOURS DOES NOT: it shows the separator being used as "\"...

You might try verifying your smb.conf file 'winbind separator' by running

testparm|grep winbind

and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u again. Verify that it is using the "+", and if so, then try your wbinfo -a command again (with the + sign)...

That's all I have for now...
don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Below is the beginning of the output which I just pasted into this e-mail. You'll find the error on the bottom. Also at the bottom is a copy of the smb.conf file. Is this all correct?
Thanks,
-Dan

adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
        -u                      lists all domain users
        -g                      lists all domain groups
        -h name                 converts NetBIOS hostname to IP
        -i ip                   converts IP address to NetBIOS name
        -n name                 converts name to sid
        -s sid                  converts sid to name
        -U uid                  converts uid to sid
        -G gid                  converts gid to sid
        -S sid                  converts sid to uid
        -Y sid                  converts sid to gid
        -t                      check shared secret
        -m                      list trusted domains
        -r user                 get user groups
        -a user%password        authenticate user
        -A user%password        store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
        -u                      lists all domain users
        -g                      lists all domain groups
        -h name                 converts NetBIOS hostname to IP
        -i ip                   converts IP address to NetBIOS name
        -n name                 converts name to sid
        -s sid                  converts sid to name
        -U uid                  converts uid to sid
        -G gid                  converts gid to sid
        -S sid                  converts sid to uid
        -Y sid                  converts sid to gid
        -t                      check shared secret
        -m                      list trusted domains
        -r user                 get user groups
        -a user%password        authenticate user
        -A user%password        store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response

SMB Conf file:

# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14

# Global parameters
[global]
        workgroup = JWAD
        netbios name = ADAMS
        server string = adams samba
        security = DOMAIN
        encrypt passwords = Yes
        null passwords = Yes
        password server = *
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        large readwrite = Yes
        load printers = No
        os level = 0
        preferred master = False
        local master = No
        domain master = False
        dns proxy = No
        valid chars = - _
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        template homedir = /apps/users/%U
        winbind separator = +
        hosts allow = 128.244.11.
        strict locking = Yes

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /usr/spool/samba
        printable = Yes
        browseable = No

[temp]
        path = /apps/temp
        write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator jwad+dantest

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

that should work - but I notice that you are using "\" for the winbindd separator - some unix'es will swallow this character as an 'escape' character; for instance on HPUX you can see:

# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with challenge/response

NOTE in the above that the response does NOT display the "\" in between the domain and the username. Is this happening to you?

Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???

Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine. I installed with the winbind option and everything went through just fine. I was able to join the NT domain and now I can do a "wbinfo -u" and get a domain user list as well as a "wbinfo -g" and get a group list. For some reason though, the authentication isn't working. I tried to "wbinfo -a" and used a number of possible names.

The samba server is on an NT domain called "jwad" and it has a trust relationship with "jhuapl". My user account is on jhuapl, and I want to get authenticated. When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on both clear text and challenge/response methods. From what I see though, it doesn't even appear to be trying to talk to the domain controller, because the responses are given way too quick for any real network activity to have taken place.

Please lend some advice if you have any. I can probably get sample output if needed.

-Dan

Daniel J. Thomas
Systems Administrator
Johns Hopkins University Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924

"Always avoid a bad file copy... You can never know when your replication proceeds you." -Anonymous Author
MCCALL,DON (HP-USA,ex1)
2002-Feb-13 13:48 UTC
[Samba] Winbind - Why won't you authenticate???
Hi Daniel,

Well, that nails it - take a look at the nm output from my winbindd:

# nm ../bin/winbindd|grep auth
authorise_login | 668456|extern|code |$CODE$
become_authenticated_pipe_user| 679768|extern|code |$CODE$
cli_net_auth2 | 687676|extern|code |$CODE$
init_q_auth_2 | 469520|extern|code |$CODE$
init_rpc_auth_ntlmssp_chal| 505008|extern|code |$CODE$
init_rpc_auth_ntlmssp_chk| 507856|extern|code |$CODE$
init_rpc_auth_ntlmssp_neg| 504188|extern|code |$CODE$
init_rpc_auth_ntlmssp_resp| 505372|extern|code |$CODE$
init_rpc_auth_verifier| 503964|extern|code |$CODE$
init_rpc_hdr_auth | 503592|extern|code |$CODE$
init_rpc_hdr_autha | 503208|extern|code |$CODE$
lp_lanman_auth | 102056|extern|code |$CODE$
net_io_q_auth | 469160|extern|code |$CODE$
net_io_q_auth_2 | 469772|extern|code |$CODE$
net_io_r_auth | 469352|extern|code |$CODE$
net_io_r_auth_2 | 470000|extern|code |$CODE$
new_cli_net_auth2 | 430004|extern|code |$CODE$
rpc_auth_ntlmssp_chk| 507596|extern|code |$CODE$
rpc_auth_pipe | 436536|static|entry |$CODE$
rpc_auth_verifier_chk| 503896|extern|code |$CODE$
rpc_hdr_auth_chk | 503560|extern|code |$CODE$
rpc_send_auth_reply | 444416|static|entry |$CODE$
smb_io_rpc_auth_ntlmssp_chal| 505084|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_chk| 507876|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_neg| 504328|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_resp| 506012|extern|code |$CODE$
smb_io_rpc_auth_verifier| 504012|extern|code |$CODE$
smb_io_rpc_hdr_auth | 503620|extern|code |$CODE$
smb_io_rpc_hdr_autha| 503256|extern|code |$CODE$
unbecome_authenticated_pipe_user| 679852|extern|code |$CODE$
winbindd_pam_auth | 56056|extern|entry |
winbindd_pam_auth | 56056|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|entry |
winbindd_pam_chauthtok| 56744|extern|entry |
winbindd_pam_chauthtok| 56744|extern|code |$CODE$
#
^^^^^^^^^^^^^^^^ specifically that I DO have entries not only for winbindd_pam_auth, but also for winbindd_pam_auth_crap - which you are missing, and therefore when wbinfo requests this function, winbindd fails when looking up the pointer to the function (null)...

I have NO immediate idea why this might be. As I said, I would recommend doing a make clean, removing config.cache, and re-running configure --with-winbind --with-pam and doing a make again. I don't have a sun system to try this on presently...

Let me know,
Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:33 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Don,

I've inserted my results inline below. Also, this isn't really pertinent to your previous message, but I thought you might want to know that our JWAD servers are all Windows NT 4.0 SP6a, and only the workstations are Windows 2K. The bigger domain, JHUAPL, is also a Windows NT domain, but will soon be migrated to a Windows 2000 domain. That may be something I need to keep in mind for the future, however this case we are working on is a test subject for me so I can apply this concept on our other private LAN which I have full control over and is currently Windows NT with no plans on going to Win2k domain at the present. This domain also has Win2k Pro workstations though.

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:16 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Thomas,

this would be your issue, I'm guessing:

[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(378) process_request: unknown request fn number 12
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(531) client_write: wrote 1300 bytes.
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(483) client_read: read 0 bytes. Need 1044 more for a full request.
[2002/02/13 14:21:05, 5] nsswitch/winbindd.c:(490) read failed on sock 12, pid 1623: EOF

WHAT SHOULD BE HAPPENING here is the following:

[2002/02/13 11:34:46, 10] nsswitch/winbindd.c:(369) process_request: request fn AUTH_CRAP
[2002/02/13 11:34:46, 3] nsswitch/winbindd_pam.c:(92) [25106]: pam auth crap wt1/administrator

(of course, with YOUR domain and username specified instead of mine (wt1/administrator)).

What is highly unusual is that process_request is reporting an unknown request for fn 12 (which is what AUTH_CRAP ie WINBINDD_PAM_AUTH_CRAP evaluates to). It SHOULD have found this function in the dispatch_table...

SOOOOO - what's going on? It LOOKS like the pointer to the winbindd_pam_auth_crap routine is null! If you have 'nm' on your system, do an

nm winbindd|grep auth

Results:
adams{root}19: nm winbindd|grep auth
[2940] | 815960| 2476|FUNC |GLOB |0 |11 |authorise_login
[2803] | 828500| 60|FUNC |GLOB |0 |11 |become_authenticated_pipe_user
[2517] | 836548| 728|FUNC |GLOB |0 |11 |cli_net_auth2
[1415] | 614724| 268|FUNC |GLOB |0 |11 |init_q_auth_2
[2753] | 650796| 52|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_chal
[1889] | 653716| 20|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_chk
[2667] | 649992| 100|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_neg
[1673] | 651128| 616|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_resp
[2697] | 649780| 32|FUNC |GLOB |0 |11 |init_rpc_auth_verifier
[1725] | 649412| 36|FUNC |GLOB |0 |11 |init_rpc_hdr_auth
[1386] | 648956| 84|FUNC |GLOB |0 |11 |init_rpc_hdr_autha
[1706] | 250824| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[3278] | 614372| 184|FUNC |GLOB |0 |11 |net_io_q_auth
[1154] | 614992| 216|FUNC |GLOB |0 |11 |net_io_q_auth_2
[1379] | 614556| 168|FUNC |GLOB |0 |11 |net_io_r_auth
[1352] | 615208| 200|FUNC |GLOB |0 |11 |net_io_r_auth_2
[1607] | 575180| 532|FUNC |GLOB |0 |11 |new_cli_net_auth2
[462] | 955456| 132|OBJT |LOCL |0 |22 |nt_authority_users
[3241] | 653440| 276|FUNC |GLOB |0 |11 |rpc_auth_ntlmssp_chk
[725] | 581132| 1448|FUNC |LOCL |0 |11 |rpc_auth_pipe
[2856] | 649720| 60|FUNC |GLOB |0 |11 |rpc_auth_verifier_chk
[1622] | 649360| 52|FUNC |GLOB |0 |11 |rpc_hdr_auth_chk
[733] | 590224| 1020|FUNC |LOCL |0 |11 |rpc_send_auth_reply
[1157] | 650848| 264|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_chal
[2669] | 653736| 236|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_chk
[1118] | 650108| 688|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_neg
[2401] | 651744| 1696|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_resp
[1244] | 649812| 164|FUNC |GLOB |0 |11 |smb_io_rpc_auth_verifier
[1591] | 649448| 272|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_auth
[2752] | 649040| 320|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_autha
[2933] | 828576| 12|FUNC |GLOB |0 |11 |unbecome_authenticated_pipe_user
[2635] | 203828| 208|FUNC |GLOB |0 |11 |winbindd_pam_auth
[940] | 204036| 172|FUNC |GLOB |0 |11 |winbindd_pam_chauthtok

and

nm wbinfo|grep auth

Results:
adams{root}20: nm wbinfo|grep auth
[864] | 126880| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[365] | 413492| 132|OBJT |LOCL |0 |22 |nt_authority_users
[56] | 113376| 244|FUNC |LOCL |0 |11 |wbinfo_auth
[57] | 113636| 304|FUNC |LOCL |0 |11 |wbinfo_auth_crap
[60] | 114276| 184|FUNC |LOCL |0 |11 |wbinfo_set_auth_user

and let me know the results, ok? Also if you can send the config.log and the exact command line you used to do a configure when you built samba, that would help as well; you might want to (while I look at this), do a make clean, rm config.cache, and run configure again -

configure --with-pam --with-winbindd

and see if it doesn't work better for you - maybe you didn't clean out your config.cache, and it screwed you up...

Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 2:32 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???

OK, Set up log level 10 and recreated the log files.
I just ran this:

adams{root}26: ./wbinfo -a JWAD+dantest%password
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response

Also, it looks like I'm getting a complete domain listing now from both domains with wbinfo -u. I think it might be because I added a wins server address. The command does keep winbind busy for a minute or two to list all the users =)

-Dan
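The two checks used in the exchange above (looking for the handler symbol in nm output, and looking for "unknown request fn number" in a level 10 log.winbindd), as an added example that is not part of the thread and not Samba code. The function names has_symbol and unknown_requests are assumptions made for this sketch; the sample rows are copied from the output quoted above except where marked as constructed.

```shell
#!/bin/sh
# Added example: not from the thread and not part of Samba.

# has_symbol NAME
# Reads `nm` output on stdin and succeeds only if NAME appears as a complete
# '|'-separated field. This covers both layouts quoted in the thread (name in
# the first column on HP-UX, in the last column on Solaris). An exact match is
# needed because winbindd_pam_auth is a prefix of winbindd_pam_auth_crap, so a
# plain `grep winbindd_pam_auth` cannot tell the two apart.
has_symbol() {
    awk -F'|' -v want="$1" '
        {
            for (i = 1; i <= NF; i++) {
                f = $i
                gsub(/^[ \t]+|[ \t]+$/, "", f)   # trim column padding
                if (f == want) found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# unknown_requests
# Reads a winbindd debug log on stdin and prints "<fn number> <count>" for
# every request number that process_request reported as unknown.
unknown_requests() {
    sed -n 's/.*process_request: unknown request fn number \([0-9][0-9]*\).*/\1/p' |
        sort -n | uniq -c | awk '{ print $2, $1 }'
}

# Sample rows from the Solaris nm output quoted in the thread.
solaris_nm() {
    cat <<'END_NM'
[2933] | 828576| 12|FUNC |GLOB |0 |11 |unbecome_authenticated_pipe_user
[2635] | 203828| 208|FUNC |GLOB |0 |11 |winbindd_pam_auth
[940] | 204036| 172|FUNC |GLOB |0 |11 |winbindd_pam_chauthtok
END_NM
}

# Sample rows from the HP-UX nm output quoted in the thread.
hpux_nm() {
    cat <<'END_NM'
winbindd_pam_auth | 56056|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|code |$CODE$
winbindd_pam_chauthtok| 56744|extern|code |$CODE$
END_NM
}

# Log lines from the thread; the last line is constructed to show counting.
sample_log() {
    cat <<'END_LOG'
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(378) process_request: unknown request fn number 12
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(531) client_write: wrote 1300 bytes.
[2002/02/13 14:21:05, 5] nsswitch/winbindd.c:(490) read failed on sock 12, pid 1623: EOF
[2002/02/13 14:21:09, 10] nsswitch/winbindd.c:(378) process_request: unknown request fn number 12
END_LOG
}

# Report which handlers each sample build contains, then summarise the log.
for build in solaris_nm hpux_nm; do
    for sym in winbindd_pam_auth winbindd_pam_auth_crap; do
        if "$build" | has_symbol "$sym"; then
            echo "$build: $sym present"
        else
            echo "$build: $sym MISSING"
        fi
    done
done
sample_log | unknown_requests
```

Against a real build the same functions take live input, for example `nm winbindd | has_symbol winbindd_pam_auth_crap`. A missing symbol only shows that the handler was not built in; as the next reply in this thread reports, it can be left out of a release on purpose.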
Oh! OK. I must have missed your other message. Now I thought that the smbclient only worked on Linux. Can I compile the smbclient on my sun box? (I think there is a --with option during the build for that?)

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Thursday, February 14, 2002 9:39 AM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

Did you see my message from last night - I talked to some of the folks on Samba-Technical, and this is a red herring; the version of Samba you are running has this functionality purposefully commented out. I was working on an older version (about 2 weeks old cvs), where it was still there. Bottom line is winbindd doesn't do pam_auth_crap anymore, so that wbinfo -a functionality won't work. To see whether winbindd is actually working for you, you have to go to a different testing method:

smbclient //servername/sharename -Udomain+user

then give your password. If this works, then you're getting there... But NO, you don't need pam_winbind.so to do what you are trying to do.

Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Thursday, February 14, 2002 9:35 AM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Found the file nsswitch/winbindd_pam.o and there was no instance of winbindd_pam_auth_crap there. Now do you think I need to install Pam on my UNIX machine and then recompile with pam support to make this work?

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:58 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

No, it SHOULDN'T be necessary. Can you send me your Makefile?
also do an nm on nsswitch/winbindd_pam.o and grep for auth; see if winbindd_pam_auth_crap shows up there - that's the module that actually contains the code..

Thanks,
Don

PS: Samba-Technical; does this ring any bells with anyone?

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:47 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???

I hadn't tried to use pam for winbind. It was my impression from the documentation on winbind that although it *can* use pam, it isn't required. Do you think this is the problem? Should I install PAM on my server and then recompile samba with --with-pam?

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 5:24 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1 domain, and the WT1 domain has a trust to the atl-wtec domain NOTE that my winbind separator is + (as your's appears to be in your smb.conf file): # ./wbinfo -u ATL-WTEC+Administrator ATL-WTEC+atlwtec1 ATL-WTEC+ddmc ATL-WTEC+Guest ATL-WTEC+IUSR_ALBERTE WT1+Administrator WT1+ddmc WT1+Guest WT1+IUSR_CERES WT1+IWAM_CERES WT1+krbtgt WT1+test WT1+test1 WT1+test2 WT1+test3 WT1+test4 WT1+test5 # ./wbinfo -m ATL-WTEC # NOTE it shows the users in the ATL-WTEC domain as well as my home domain (this may be because I have a 2 way trust between the domains); but NOTE also, that the wbinfo output SHOWS my users with the "+" separator, which matches what I have in my smb.conf file - YOURS DOES NOT: it shows the separator being used as "\"... You might try verifying your smb.conf file 'winbind separator' by running testparm|grep winbind and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u again. Verify that it is using the "+", and if so, then try your wbinfo -a command again (with the + sign)... That's all I have for now... don -----Original Message----- From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu] Sent: Tuesday, February 12, 2002 5:03 PM To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail) Subject: RE: [Samba] Winbind - Why won't you authenticate??? Below is the beginning of the output which I just pasted into this e-mail. You'll find the error on the bottom. Also at the bottom is a copy of the smb.conf file. It this all correct? 
Thanks, -Dan adams{root}5: ./wbinfo Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas -u lists all domain users -g lists all domain groups -h name converts NetBIOS hostname to IP -i ip converts IP address to NetBIOS name -n name converts name to sid -s sid converts sid to name -U uid converts uid to sid -G gid converts gid to sid -S sid converts sid to uid -Y sid converts sid to gid -t check shared secret -m list trusted domains -r user get user groups -a user%password authenticate user -A user%password store session setup auth password adams{root}6: ./wbinfo -u adams{root}11: ./wbinfo Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas -u lists all domain users -g lists all domain groups -h name converts NetBIOS hostname to IP -i ip converts IP address to NetBIOS name -n name converts name to sid -s sid converts sid to name -U uid converts uid to sid -G gid converts gid to sid -S sid converts sid to uid -Y sid converts sid to gid -t check shared secret -m list trusted domains -r user get user groups -a user%password authenticate user -A user%password store session setup auth password adams{root}12: ./wbinfo -u JWAD\Administrator JWAD\dantest JWAD\Guest JWAD\guestuser JWAD\Nelsojb1 JWAD\repladmin JWAD\shaffjl1 JWAD\SMS&_JWAD-DC1 JWAD\SMSCliToknAcct& JWAD\SQLAgentCmdExec JWAD\SQLExecutiveCmdExec JWAD\SQLServerService JWAD\vashodp1 JWAD\Volga JWAD\WestRL1 adams{root}13: ./wbinfo -g JWAD\Domain Admins JWAD\Domain Guests JWAD\Domain Users JWAD\MTS Trusted Impersonators JWAD\SMSInternalCliGrp adams{root}14: ./wbinfo -m JHUAPL adams{root}15: ./wbinfo -a JWAD+dantest%password plaintext password authentication failed Could not authenticate user JWAD+dantest%password with plaintext password challenge/response password authentication failed Could not authenticate user JWAD+dantest%password with challenge/response SMB Conf file: # Samba config file created using SWAT # from thomaDJ1.jhuapl.edu (128.244.11.37) # Date: 2002/02/12 
16:11:14 # Global parameters [global] workgroup = JWAD netbios name = ADAMS server string = adams samba security = DOMAIN encrypt passwords = Yes null passwords = Yes password server = * log file = /usr/local/samba/var/log.%m max log size = 50 large readwrite = Yes load printers = No os level = 0 preferred master = False local master = No domain master = False dns proxy = No valid chars = - _ winbind uid = 10000-20000 winbind gid = 10000-20000 template homedir = /apps/users/%U winbind separator = + hosts allow = 128.244.11. strict locking = Yes [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /usr/spool/samba printable = Yes browseable = No [temp] path = /apps/temp write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator jwad+dantest -----Original Message----- From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com] Sent: Tuesday, February 12, 2002 3:32 PM To: 'Thomas, Daniel J.'; Samba (E-mail) Subject: RE: [Samba] Winbind - Why won't you authenticate??? Hi Daniel, that should work - but I notice that you are using "\" for the winbindd separator - some unix'es will swallow this character as an 'escape' character; for instance on HPUX you can see: # ./wbinfo -a atl-wtec\atlwtec1%atlwtec1 Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext password Could not authenticate user atl-wtecatlwtec1%atlwtec1 with challenge/response NOTE in the above that the response does NOT display the "\" inbetween the domain and the username. Is this happening to you? Don -----Original Message----- From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu] Sent: Tuesday, February 12, 2002 3:09 PM To: Samba (E-mail) Subject: [Samba] Winbind - Why won't you authenticate??? Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine. I installed with the winbind option and everything went though just find. 
I was able to join the NT domain and now I can do a "wbinfo -u" and get a domain user list as well as a "wbinfo -g" and get a group list. For some reason though, the authentication isn't working. I tried to "wbinfo -a" and used a number of possible names. The samba server is on an NT domain called "jwad" and it has a trust relationship with "jhuapl". My user account is on jhuapl, and I want to get authenticated. When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on both clear text and challenge/response methods. From what I see though, it doesn't even appear to be trying to talk to the domain controller, because the responses are given way too quick for any real network activity to have taken place. Please lend some advice if you have any. I can probably get sample output if needed.

-Dan

Daniel J. Thomas
Systems Administrator
Johns Hopkins University Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924

"Always avoid a bad file copy... You can never know when your replication proceeds you." -Anonymous Author

-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
MCCALL,DON (HP-USA,ex1)
2002-Feb-14 06:53 UTC
[Samba] Winbind - Why won't you authenticate???
Smbclient works on all boxes that I know of - I think you are thinking about smbfs... smbclient is just another program in your samba bin directory...

Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Thursday, February 14, 2002 9:45 AM
To: 'MCCALL,DON (HP-USA,ex1)'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Oh! OK. I must have missed your other message. Now I thought that the smbclient only worked on Linux. Can I compile the smbclient on my sun box? (I think there is a --with option during the build for that?)

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Thursday, February 14, 2002 9:39 AM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

Did you see my message from last night - I talked to some of the folks on Samba-Technical, and this is a red herring; the version of Samba you are running has this functionality purposefully commented out. I was working on an older version (about 2 weeks old cvs), where it was still there. Bottom line is winbindd doesn't do pam_auth_crap anymore, so that wbinfo -a functionality won't work. To see whether winbindd is actually working for you, you have to go to a different testing method:

smbclient //servername/sharename -Udomain+user

then give your password. If this works, then you're getting there... But NO, you don't need pam_winbind.so to do what you are trying to do.

Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Thursday, February 14, 2002 9:35 AM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Found the file nsswitch/winbindd_pam.o and there was no instance of winbindd_pam_auth_crap there. Now do you think I need to install Pam on my UNIX machine and then recompile with pam support to make this work?
-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:58 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

No, it SHOULDN'T be necessary. Can you send me your Makefile? Also do an nm on nsswitch/winbindd_pam.o and grep for auth; see if winbindd_pam_auth_crap shows up there - that's the module that actually contains the code..

Thanks,
Don

PS: Samba-Technical; does this ring any bells with anyone?

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:47 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???

I hadn't tried to use pam for winbind. It was my impression from the documentation on winbind that although it *can* use pam, it isn't required. Do you think this is the problem? Should I install PAM on my server and then recompile samba with --with-pam?

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:43 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); 'samba@lists.samba.org'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel, Well, that nails it - take a look at the nm output from my winbindd: # nm ../bin/winbindd|grep auth authorise_login | 668456|extern|code |$CODE$ become_authenticated_pipe_user| 679768|extern|code |$CODE$ cli_net_auth2 | 687676|extern|code |$CODE$ init_q_auth_2 | 469520|extern|code |$CODE$ init_rpc_auth_ntlmssp_chal| 505008|extern|code |$CODE$ init_rpc_auth_ntlmssp_chk| 507856|extern|code |$CODE$ init_rpc_auth_ntlmssp_neg| 504188|extern|code |$CODE$ init_rpc_auth_ntlmssp_resp| 505372|extern|code |$CODE$ init_rpc_auth_verifier| 503964|extern|code |$CODE$ init_rpc_hdr_auth | 503592|extern|code |$CODE$ init_rpc_hdr_autha | 503208|extern|code |$CODE$ lp_lanman_auth | 102056|extern|code |$CODE$ net_io_q_auth | 469160|extern|code |$CODE$ net_io_q_auth_2 | 469772|extern|code |$CODE$ net_io_r_auth | 469352|extern|code |$CODE$ net_io_r_auth_2 | 470000|extern|code |$CODE$ new_cli_net_auth2 | 430004|extern|code |$CODE$ rpc_auth_ntlmssp_chk| 507596|extern|code |$CODE$ rpc_auth_pipe | 436536|static|entry |$CODE$ rpc_auth_verifier_chk| 503896|extern|code |$CODE$ rpc_hdr_auth_chk | 503560|extern|code |$CODE$ rpc_send_auth_reply | 444416|static|entry |$CODE$ smb_io_rpc_auth_ntlmssp_chal| 505084|extern|code |$CODE$ smb_io_rpc_auth_ntlmssp_chk| 507876|extern|code |$CODE$ smb_io_rpc_auth_ntlmssp_neg| 504328|extern|code |$CODE$ smb_io_rpc_auth_ntlmssp_resp| 506012|extern|code |$CODE$ smb_io_rpc_auth_verifier| 504012|extern|code |$CODE$ smb_io_rpc_hdr_auth | 503620|extern|code |$CODE$ smb_io_rpc_hdr_autha| 503256|extern|code |$CODE$ unbecome_authenticated_pipe_user| 679852|extern|code |$CODE$ winbindd_pam_auth | 56056|extern|entry | winbindd_pam_auth | 56056|extern|code |$CODE$ winbindd_pam_auth_crap| 56252|extern|code |$CODE$ winbindd_pam_auth_crap| 56252|extern|entry | winbindd_pam_chauthtok| 56744|extern|entry | winbindd_pam_chauthtok| 56744|extern|code |$CODE$ # ^^^^^^^^^^^^^^^^specifically that I DO have entries not only for winbindd_pam_auth, but also for 
winbindd_pam_auth_crap - which you are missing, and therefore when wbinfo requests this function, winbindd fails when looking up the pointer to the function (null)... I have NO immediate idea why this might be. As I said, I would recommend doing a make clean, removing config.cache, and re-running configure --with-winbind --with-pam and doing a make again. I don't have a sun system to try this on presently...

Let me know,
Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:33 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Don,

I've inserted my results inline below. Also, this isn't really pertinent to your previous message, but I thought you might want to know that our JWAD servers are all Windows NT 4.0 SP6a, and only the workstations are Windows 2K. The bigger domain, JHUAPL, is also a Windows NT domain, but will soon be migrated to a Windows 2000 domain. That may be something I need to keep in mind for the future, however this case we are working on is a test subject for me so I can apply this concept on our other private LAN which I have full control over and is currently Windows NT with no plans on going to Win2k domain at the present. This domain also has Win2k Pro workstations though.

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:16 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Thomas,

this would be your issue, I'm guessing:

[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(378) process_request: unknown request fn number 12
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(531) client_write: wrote 1300 bytes.
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(483) client_read: read 0 bytes. Need 1044 more for a full request.
[2002/02/13 14:21:05, 5] nsswitch/winbindd.c:(490) read failed on sock 12, pid 1623: EOF WHAT SHOULD BE HAPPENING here is the following: [2002/02/13 11:34:46, 10] nsswitch/winbindd.c:(369) process_request: request fn AUTH_CRAP [2002/02/13 11:34:46, 3] nsswitch/winbindd_pam.c:(92) [25106]: pam auth crap wt1/administrator (of course, with YOUR domain and username specified instead of mine (wt1/administrator). What is highly unusual is that process_request is reporting an unknown request for fn 12 (which is what AUTH_CRAP ie WINBINDD_PAM_AUTH_CRAP evaluates to). it SHOULD have found this function in the dispatch_table... SOOOOO - what's going on? It LOOKS like the pointer to the winbindd_pam_auth_crap routine is null! if you have 'nm' on your system, do and nm winbindd|grep auth Results: adams{root}19: nm winbindd|grep auth [2940] | 815960| 2476|FUNC |GLOB |0 |11 |authorise_login [2803] | 828500| 60|FUNC |GLOB |0 |11 |become_authenticated_pipe_user [2517] | 836548| 728|FUNC |GLOB |0 |11 |cli_net_auth2 [1415] | 614724| 268|FUNC |GLOB |0 |11 |init_q_auth_2 [2753] | 650796| 52|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_chal [1889] | 653716| 20|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_chk [2667] | 649992| 100|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_neg [1673] | 651128| 616|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_resp [2697] | 649780| 32|FUNC |GLOB |0 |11 |init_rpc_auth_verifier [1725] | 649412| 36|FUNC |GLOB |0 |11 |init_rpc_hdr_auth [1386] | 648956| 84|FUNC |GLOB |0 |11 |init_rpc_hdr_autha [1706] | 250824| 12|FUNC |GLOB |0 |11 |lp_lanman_auth [3278] | 614372| 184|FUNC |GLOB |0 |11 |net_io_q_auth [1154] | 614992| 216|FUNC |GLOB |0 |11 |net_io_q_auth_2 [1379] | 614556| 168|FUNC |GLOB |0 |11 |net_io_r_auth [1352] | 615208| 200|FUNC |GLOB |0 |11 |net_io_r_auth_2 [1607] | 575180| 532|FUNC |GLOB |0 |11 |new_cli_net_auth2 [462] | 955456| 132|OBJT |LOCL |0 |22 |nt_authority_users [3241] | 653440| 276|FUNC |GLOB |0 |11 |rpc_auth_ntlmssp_chk [725] | 581132| 1448|FUNC |LOCL |0 |11 
|rpc_auth_pipe [2856] | 649720| 60|FUNC |GLOB |0 |11 |rpc_auth_verifier_chk [1622] | 649360| 52|FUNC |GLOB |0 |11 |rpc_hdr_auth_chk [733] | 590224| 1020|FUNC |LOCL |0 |11 |rpc_send_auth_reply [1157] | 650848| 264|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_chal [2669] | 653736| 236|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_chk [1118] | 650108| 688|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_neg [2401] | 651744| 1696|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_resp [1244] | 649812| 164|FUNC |GLOB |0 |11 |smb_io_rpc_auth_verifier [1591] | 649448| 272|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_auth [2752] | 649040| 320|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_autha [2933] | 828576| 12|FUNC |GLOB |0 |11 |unbecome_authenticated_pipe_user [2635] | 203828| 208|FUNC |GLOB |0 |11 |winbindd_pam_auth [940] | 204036| 172|FUNC |GLOB |0 |11 |winbindd_pam_chauthtok and nm wbinfo|grep auth Results: adams{root}20: nm wbinfo|grep auth [864] | 126880| 12|FUNC |GLOB |0 |11 |lp_lanman_auth [365] | 413492| 132|OBJT |LOCL |0 |22 |nt_authority_users [56] | 113376| 244|FUNC |LOCL |0 |11 |wbinfo_auth [57] | 113636| 304|FUNC |LOCL |0 |11 |wbinfo_auth_crap [60] | 114276| 184|FUNC |LOCL |0 |11 |wbinfo_set_auth_user and let me know the results, ok? Also if you can send the config.log and the exact command line you used to do a configure when you built samba, that would help as well; you might want to (while I look at this), do a make clean rm config.cache, and run configure again - configure --with-pam --with-winbindd and see if it doesnt work better for you - maybe you didn't clean out your config.cache, and it screwed you up... Don Don -----Original Message----- From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu] Sent: Wednesday, February 13, 2002 2:32 PM To: 'MCCALL,DON (HP-USA,ex1)' Subject: RE: [Samba] Winbind - Why won't you authenticate??? OK, Set up log level 10 and recreated the log files. 
I just ran this: adams{root}26: ./wbinfo -a JWAD+dantest%password plaintext password authentication succeeded challenge/response password authentication failed Could not authenticate user JWAD+dantest%password with challenge/response Also, it looks like I'm getting a complete domain listing now from both domains with wbinfo -u. I think it might be because I added a wins server address. the command does keep winbind bussy for a minute of two to list all the users =) -Dan -----Original Message----- From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com] Sent: Wednesday, February 13, 2002 1:01 PM To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail) Subject: RE: [Samba] Winbind - Why won't you authenticate??? Hi Thomas, The message from pdb_smbpasswd.c is saying that it can't find the smbpasswd file; this is normal if you are doing domain level authentication, and have not created/populated an smbpasswd file - if the domain authentication doesn't work, samba trys to authenticate you locally to the smbpasswd file. So this isn't the issue, I believe. It looks to me as if your win2k dc has disabled support for NTLM v1 challenge response authentication. Check you domain controller security policy under security settings/local policies/ security options and see what the value of : Lan Manager Authentication Level says.... Also, If you would like, stop winbindd,remove the log.winbindd file, set your log level in smb.conf to 10, and start winbind, then do your wbinfo -a... command, and send me the log.winbindd; perhaps I can see what is happening from a full debug log. Thanks, Don -----Original Message----- From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu] Sent: Wednesday, February 13, 2002 12:29 PM To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail) Subject: RE: [Samba] Winbind - Why won't you authenticate??? Another thing I noticed. 
I looked at the log file in samba/var and found the log for my machine was filled with this: [2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367) unable to open passdb database. Where is the pdb_smbpassd.c file and why would there be a problem opening it? -Dan -----Original Message----- From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com] Sent: Tuesday, February 12, 2002 5:24 PM To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail) Subject: RE: [Samba] Winbind - Why won't you authenticate??? Hi Daniel, I see a couple of things that are suspicious. Take a look at my output, from a winbindd system that is a member of the WT1 domain, and the WT1 domain has a trust to the atl-wtec domain NOTE that my winbind separator is + (as your's appears to be in your smb.conf file): # ./wbinfo -u ATL-WTEC+Administrator ATL-WTEC+atlwtec1 ATL-WTEC+ddmc ATL-WTEC+Guest ATL-WTEC+IUSR_ALBERTE WT1+Administrator WT1+ddmc WT1+Guest WT1+IUSR_CERES WT1+IWAM_CERES WT1+krbtgt WT1+test WT1+test1 WT1+test2 WT1+test3 WT1+test4 WT1+test5 # ./wbinfo -m ATL-WTEC # NOTE it shows the users in the ATL-WTEC domain as well as my home domain (this may be because I have a 2 way trust between the domains); but NOTE also, that the wbinfo output SHOWS my users with the "+" separator, which matches what I have in my smb.conf file - YOURS DOES NOT: it shows the separator being used as "\"... You might try verifying your smb.conf file 'winbind separator' by running testparm|grep winbind and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u again. Verify that it is using the "+", and if so, then try your wbinfo -a command again (with the + sign)... That's all I have for now... don -----Original Message----- From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu] Sent: Tuesday, February 12, 2002 5:03 PM To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail) Subject: RE: [Samba] Winbind - Why won't you authenticate??? 
Below is the beginning of the output which I just pasted into this e-mail. You'll find the error on the bottom. Also at the bottom is a copy of the smb.conf file. It this all correct? Thanks, -Dan adams{root}5: ./wbinfo Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas -u lists all domain users -g lists all domain groups -h name converts NetBIOS hostname to IP -i ip converts IP address to NetBIOS name -n name converts name to sid -s sid converts sid to name -U uid converts uid to sid -G gid converts gid to sid -S sid converts sid to uid -Y sid converts sid to gid -t check shared secret -m list trusted domains -r user get user groups -a user%password authenticate user -A user%password store session setup auth password adams{root}6: ./wbinfo -u adams{root}11: ./wbinfo Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas -u lists all domain users -g lists all domain groups -h name converts NetBIOS hostname to IP -i ip converts IP address to NetBIOS name -n name converts name to sid -s sid converts sid to name -U uid converts uid to sid -G gid converts gid to sid -S sid converts sid to uid -Y sid converts sid to gid -t check shared secret -m list trusted domains -r user get user groups -a user%password authenticate user -A user%password store session setup auth password adams{root}12: ./wbinfo -u JWAD\Administrator JWAD\dantest JWAD\Guest JWAD\guestuser JWAD\Nelsojb1 JWAD\repladmin JWAD\shaffjl1 JWAD\SMS&_JWAD-DC1 JWAD\SMSCliToknAcct& JWAD\SQLAgentCmdExec JWAD\SQLExecutiveCmdExec JWAD\SQLServerService JWAD\vashodp1 JWAD\Volga JWAD\WestRL1 adams{root}13: ./wbinfo -g JWAD\Domain Admins JWAD\Domain Guests JWAD\Domain Users JWAD\MTS Trusted Impersonators JWAD\SMSInternalCliGrp adams{root}14: ./wbinfo -m JHUAPL adams{root}15: ./wbinfo -a JWAD+dantest%password plaintext password authentication failed Could not authenticate user JWAD+dantest%password with plaintext password challenge/response password authentication failed Could 
not authenticate user JWAD+dantest%password with challenge/response SMB Conf file: # Samba config file created using SWAT # from thomaDJ1.jhuapl.edu (128.244.11.37) # Date: 2002/02/12 16:11:14 # Global parameters [global] workgroup = JWAD netbios name = ADAMS server string = adams samba security = DOMAIN encrypt passwords = Yes null passwords = Yes password server = * log file = /usr/local/samba/var/log.%m max log size = 50 large readwrite = Yes load printers = No os level = 0 preferred master = False local master = No domain master = False dns proxy = No valid chars = - _ winbind uid = 10000-20000 winbind gid = 10000-20000 template homedir = /apps/users/%U winbind separator = + hosts allow = 128.244.11. strict locking = Yes [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /usr/spool/samba printable = Yes browseable = No [temp] path = /apps/temp write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator jwad+dantest -----Original Message----- From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com] Sent: Tuesday, February 12, 2002 3:32 PM To: 'Thomas, Daniel J.'; Samba (E-mail) Subject: RE: [Samba] Winbind - Why won't you authenticate??? Hi Daniel, that should work - but I notice that you are using "\" for the winbindd separator - some unix'es will swallow this character as an 'escape' character; for instance on HPUX you can see: # ./wbinfo -a atl-wtec\atlwtec1%atlwtec1 Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext password Could not authenticate user atl-wtecatlwtec1%atlwtec1 with challenge/response NOTE in the above that the response does NOT display the "\" inbetween the domain and the username. Is this happening to you? Don -----Original Message----- From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu] Sent: Tuesday, February 12, 2002 3:09 PM To: Samba (E-mail) Subject: [Samba] Winbind - Why won't you authenticate??? 
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine. I installed with the winbind option and everything went through just fine. I was able to join the NT domain and now I can do a "wbinfo -u" and get a domain user list as well as a "wbinfo -g" and get a group list. For some reason though, the authentication isn't working. I tried to "wbinfo -a" and used a number of possible names. The samba server is on an NT domain called "jwad" and it has a trust relationship with "jhuapl". My user account is on jhuapl, and I want to get authenticated. When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on both clear text and challenge/response methods. From what I see though, it doesn't even appear to be trying to talk to the domain controller, because the responses are given way too quick for any real network activity to have taken place. Please lend some advice if you have any. I can probably get sample output if needed.

-Dan

Daniel J. Thomas
Systems Administrator
Johns Hopkins University Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924

"Always avoid a bad file copy... You can never know when your replication proceeds you." -Anonymous Author
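The by-hand check used in this thread (find an "unknown request fn number" entry in log.winbindd, then run nm on the winbindd binary to see whether the handler symbol was built in), as an added shell example that is not part of the original messages or of Samba. The function names are hypothetical; the sample lines are copied from output quoted in the thread, and the only fn-to-handler mapping included is the one the thread states (12 is winbindd_pam_auth_crap).

```shell
#!/bin/sh
# Added example: cross-check winbindd "unknown request fn number" log entries
# against the symbols nm reports for the winbindd binary.
# Every function name below is a hypothetical helper, not Samba code.

# Sample lines copied from the Solaris nm output quoted in the thread.
sample_nm_solaris() {
cat <<'EOF'
[1706] | 250824| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[2635] | 203828| 208|FUNC |GLOB |0 |11 |winbindd_pam_auth
[940] | 204036| 172|FUNC |GLOB |0 |11 |winbindd_pam_chauthtok
EOF
}

# Sample lines copied from the HP-UX nm output quoted in the thread.
sample_nm_hpux() {
cat <<'EOF'
lp_lanman_auth | 102056|extern|code |$CODE$
winbindd_pam_auth | 56056|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|code |$CODE$
winbindd_pam_chauthtok| 56744|extern|code |$CODE$
EOF
}

# Sample log.winbindd lines copied from the thread (log level 10).
sample_log() {
cat <<'EOF'
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(378) process_request: unknown request fn number 12
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(531) client_write: wrote 1300 bytes.
[2002/02/13 14:21:05, 5] nsswitch/winbindd.c:(490) read failed on sock 12, pid 1623: EOF
EOF
}

# Normalise nm output on stdin to one symbol name per line.
# Solaris rows start with "[index]" and carry the name in the last field;
# HP-UX rows carry the name in the first field.
nm_symbols() {
    awk -F'|' '
        NF < 2 { next }
        {
            name = ($1 ~ /^[ \t]*\[/) ? $NF : $1
            gsub(/[ \t]/, "", name)
            if (name != "") print name
        }' | sort -u
}

# Print each required symbol (arguments) that is absent from the nm output
# on stdin. -x forces a whole-line match, so winbindd_pam_auth does not
# satisfy a request for winbindd_pam_auth_crap.
missing_symbols() {
    syms=$(nm_symbols)
    for want in "$@"; do
        printf '%s\n' "$syms" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

# Request numbers that winbindd logged as having no handler.
unknown_request_fns() {
    sed -n 's/.*process_request: unknown request fn number \([0-9][0-9]*\).*/\1/p' |
        sort -un
}

# Request number -> handler symbol. Only the pair stated in the thread is
# listed; the numbering belongs to that Samba build, so extend it from your
# own source tree rather than assuming it is stable.
handler_for_fn() {
    case "$1" in
        12) echo winbindd_pam_auth_crap ;;
        *)  echo "" ;;
    esac
}

# usage: diagnose LOGFILE NMFILE   (NMFILE holds saved "nm winbindd" output)
diagnose() {
    for fn in $(unknown_request_fns < "$1"); do
        handler=$(handler_for_fn "$fn")
        if [ -z "$handler" ]; then
            echo "fn $fn: no handler name known"
        elif [ -n "$(missing_symbols "$handler" < "$2")" ]; then
            echo "fn $fn: $handler absent from binary"
        else
            echo "fn $fn: $handler present in binary"
        fi
    done
}

# Run the check over the embedded samples from both machines in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_log > "$tmp/log.winbindd"
    sample_nm_solaris > "$tmp/nm.solaris"
    sample_nm_hpux > "$tmp/nm.hpux"
    echo "Solaris build: $(diagnose "$tmp/log.winbindd" "$tmp/nm.solaris")"
    echo "HP-UX build:   $(diagnose "$tmp/log.winbindd" "$tmp/nm.hpux")"
    rm -rf "$tmp"
}
demo
```

Against a real installation, save `nm winbindd` to a file and pass it to `diagnose` together with log.winbindd. An absent handler symbol means the client is requesting a function that build of winbindd does not implement, so the failure says nothing about the password or the domain controller.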
Found it. I ran the command on both my JHUAPL account and my JWAD test account and received the same results:

adams{root}19: ./smbclient //adams/temp -UJWAD+dantest
added interface ip=128.244.11.176 bcast=128.244.11.255 nmask=255.255.255.0
Password:
Domain=[JWAD] OS=[Unix] Server=[Samba 2.2.3]
tree connect failed: NT_STATUS_WRONG_PASSWORD

I did it a couple times to make sure I hadn't mis-entered the password and same result every time. Where do you think I should head from here?

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Thursday, February 14, 2002 9:47 AM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Smbclient works on all boxes that I know of - I think you are thinking about smbfs... smbclient is just another program in your samba bin directory...

Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Thursday, February 14, 2002 9:45 AM
To: 'MCCALL,DON (HP-USA,ex1)'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Oh! OK. I must have missed your other message. Now I thought that the smbclient only worked on Linux. Can I compile the smbclient on my sun box? (I think there is a --with option during the build for that?)

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Thursday, February 14, 2002 9:39 AM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

Did you see my message from last night - I talked to some of the folks on Samba-Technical, and this is a red herring; the version of Samba you are running has this functionality purposefully commented out. I was working on an older version (about 2 weeks old cvs), where it was still there. Bottom line is winbindd doesn't do pam_auth_crap anymore, so that wbinfo -a functionality won't work.
To see whether winbindd is actually working for you, you have to go to a different testing method:

smbclient //servername/sharename -Udomain+user

then give your password. If this works, then you're getting there... But NO, you don't need pam_winbind.so to do what you are trying to do.

Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Thursday, February 14, 2002 9:35 AM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Found the file nsswitch/winbindd_pam.o and there was no instance of winbindd_pam_auth_crap there. Now do you think I need to install Pam on my UNIX machine and then recompile with pam support to make this work?

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:58 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

No, it SHOULDN'T be necessary. Can you send me your Makefile? Also do an nm on nsswitch/winbindd_pam.o and grep for auth; see if winbindd_pam_auth_crap shows up there - that's the module that actually contains the code..

Thanks,
Don

PS: Samba-Technical; does this ring any bells with anyone?

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:47 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???

I hadn't tried to use pam for winbind. It was my impression from the documentation on winbind that although it *can* use pam, it isn't required. Do you think this is the problem? Should I install PAM on my server and then recompile samba with --with-pam?
-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:43 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); 'samba@lists.samba.org'
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

Well, that nails it - take a look at the nm output from my winbindd:

# nm ../bin/winbindd|grep auth
authorise_login | 668456|extern|code |$CODE$
become_authenticated_pipe_user| 679768|extern|code |$CODE$
cli_net_auth2 | 687676|extern|code |$CODE$
init_q_auth_2 | 469520|extern|code |$CODE$
init_rpc_auth_ntlmssp_chal| 505008|extern|code |$CODE$
init_rpc_auth_ntlmssp_chk| 507856|extern|code |$CODE$
init_rpc_auth_ntlmssp_neg| 504188|extern|code |$CODE$
init_rpc_auth_ntlmssp_resp| 505372|extern|code |$CODE$
init_rpc_auth_verifier| 503964|extern|code |$CODE$
init_rpc_hdr_auth | 503592|extern|code |$CODE$
init_rpc_hdr_autha | 503208|extern|code |$CODE$
lp_lanman_auth | 102056|extern|code |$CODE$
net_io_q_auth | 469160|extern|code |$CODE$
net_io_q_auth_2 | 469772|extern|code |$CODE$
net_io_r_auth | 469352|extern|code |$CODE$
net_io_r_auth_2 | 470000|extern|code |$CODE$
new_cli_net_auth2 | 430004|extern|code |$CODE$
rpc_auth_ntlmssp_chk| 507596|extern|code |$CODE$
rpc_auth_pipe | 436536|static|entry |$CODE$
rpc_auth_verifier_chk| 503896|extern|code |$CODE$
rpc_hdr_auth_chk | 503560|extern|code |$CODE$
rpc_send_auth_reply | 444416|static|entry |$CODE$
smb_io_rpc_auth_ntlmssp_chal| 505084|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_chk| 507876|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_neg| 504328|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_resp| 506012|extern|code |$CODE$
smb_io_rpc_auth_verifier| 504012|extern|code |$CODE$
smb_io_rpc_hdr_auth | 503620|extern|code |$CODE$
smb_io_rpc_hdr_autha| 503256|extern|code |$CODE$
unbecome_authenticated_pipe_user| 679852|extern|code |$CODE$
winbindd_pam_auth | 56056|extern|entry |
winbindd_pam_auth | 56056|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|entry |
winbindd_pam_chauthtok| 56744|extern|entry |
winbindd_pam_chauthtok| 56744|extern|code |$CODE$
#
^^^^^^^^^^^^^^^^specifically that I DO have entries not only for winbindd_pam_auth, but also for winbindd_pam_auth_crap - which you are missing, and therefore when wbinfo requests this function, winbindd fails when looking up the pointer to the function (null)...

I have NO immediate idea why this might be. As I said, I would recommend doing a make clean, removing config.cache, and re-running configure --with-winbind --with-pam and doing a make again. I don't have a sun system to try this on presently...

Let me know,
Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:33 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Don,

I've inserted my results inline below. Also, this isn't really pertinent to your previous message, but I thought you might want to know that our JWAD server are all Windows NT 4.0 SP6a, and only the workstations are Windows 2K. The bigger domain, JHUAPL, is also a Windows NT domain, but will soon be migrated to a Windows 2000 domain. That may be something I need to keep in mind for the future, however this case we are working on is a test subject for me so I can apply this concept on our other private LAN which I have full control over and is currently Windows NT with no plans on going to Win2k domain at the present. This domain also has Win2k Pro workstations though.

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:16 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Thomas,

this would be your issue, I'm guessing:

[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(378) process_request: unknown request fn number 12
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(531) client_write: wrote 1300 bytes.
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(483) client_read: read 0 bytes. Need 1044 more for a full request.
[2002/02/13 14:21:05, 5] nsswitch/winbindd.c:(490) read failed on sock 12, pid 1623: EOF

WHAT SHOULD BE HAPPENING here is the following:

[2002/02/13 11:34:46, 10] nsswitch/winbindd.c:(369) process_request: request fn AUTH_CRAP
[2002/02/13 11:34:46, 3] nsswitch/winbindd_pam.c:(92) [25106]: pam auth crap wt1/administrator

(of course, with YOUR domain and username specified instead of mine (wt1/administrator).

What is highly unusual is that process_request is reporting an unknown request for fn 12 (which is what AUTH_CRAP ie WINBINDD_PAM_AUTH_CRAP evaluates to). it SHOULD have found this function in the dispatch_table...

SOOOOO - what's going on? It LOOKS like the pointer to the winbindd_pam_auth_crap routine is null!
if you have 'nm' on your system, do an

nm winbindd|grep auth

Results:

adams{root}19: nm winbindd|grep auth
[2940] | 815960| 2476|FUNC |GLOB |0 |11 |authorise_login
[2803] | 828500| 60|FUNC |GLOB |0 |11 |become_authenticated_pipe_user
[2517] | 836548| 728|FUNC |GLOB |0 |11 |cli_net_auth2
[1415] | 614724| 268|FUNC |GLOB |0 |11 |init_q_auth_2
[2753] | 650796| 52|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_chal
[1889] | 653716| 20|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_chk
[2667] | 649992| 100|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_neg
[1673] | 651128| 616|FUNC |GLOB |0 |11 |init_rpc_auth_ntlmssp_resp
[2697] | 649780| 32|FUNC |GLOB |0 |11 |init_rpc_auth_verifier
[1725] | 649412| 36|FUNC |GLOB |0 |11 |init_rpc_hdr_auth
[1386] | 648956| 84|FUNC |GLOB |0 |11 |init_rpc_hdr_autha
[1706] | 250824| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[3278] | 614372| 184|FUNC |GLOB |0 |11 |net_io_q_auth
[1154] | 614992| 216|FUNC |GLOB |0 |11 |net_io_q_auth_2
[1379] | 614556| 168|FUNC |GLOB |0 |11 |net_io_r_auth
[1352] | 615208| 200|FUNC |GLOB |0 |11 |net_io_r_auth_2
[1607] | 575180| 532|FUNC |GLOB |0 |11 |new_cli_net_auth2
[462] | 955456| 132|OBJT |LOCL |0 |22 |nt_authority_users
[3241] | 653440| 276|FUNC |GLOB |0 |11 |rpc_auth_ntlmssp_chk
[725] | 581132| 1448|FUNC |LOCL |0 |11 |rpc_auth_pipe
[2856] | 649720| 60|FUNC |GLOB |0 |11 |rpc_auth_verifier_chk
[1622] | 649360| 52|FUNC |GLOB |0 |11 |rpc_hdr_auth_chk
[733] | 590224| 1020|FUNC |LOCL |0 |11 |rpc_send_auth_reply
[1157] | 650848| 264|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_chal
[2669] | 653736| 236|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_chk
[1118] | 650108| 688|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_neg
[2401] | 651744| 1696|FUNC |GLOB |0 |11 |smb_io_rpc_auth_ntlmssp_resp
[1244] | 649812| 164|FUNC |GLOB |0 |11 |smb_io_rpc_auth_verifier
[1591] | 649448| 272|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_auth
[2752] | 649040| 320|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_autha
[2933] | 828576| 12|FUNC |GLOB |0 |11 |unbecome_authenticated_pipe_user
[2635] | 203828| 208|FUNC |GLOB |0 |11 |winbindd_pam_auth
[940] | 204036| 172|FUNC |GLOB |0 |11 |winbindd_pam_chauthtok

and

nm wbinfo|grep auth

Results:

adams{root}20: nm wbinfo|grep auth
[864] | 126880| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[365] | 413492| 132|OBJT |LOCL |0 |22 |nt_authority_users
[56] | 113376| 244|FUNC |LOCL |0 |11 |wbinfo_auth
[57] | 113636| 304|FUNC |LOCL |0 |11 |wbinfo_auth_crap
[60] | 114276| 184|FUNC |LOCL |0 |11 |wbinfo_set_auth_user

and let me know the results, ok? Also if you can send the config.log and the exact command line you used to do a configure when you built samba, that would help as well; you might want to (while I look at this), do a make clean, rm config.cache, and run configure again -

configure --with-pam --with-winbindd

and see if it doesn't work better for you - maybe you didn't clean out your config.cache, and it screwed you up...

Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 2:32 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???

OK, Set up log level 10 and recreated the log files. I just ran this:

adams{root}26: ./wbinfo -a JWAD+dantest%password
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response

Also, it looks like I'm getting a complete domain listing now from both domains with wbinfo -u. I think it might be because I added a wins server address. The command does keep winbind busy for a minute or two to list all the users =)

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 1:01 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Thomas,

The message from pdb_smbpasswd.c is saying that it can't find the smbpasswd file; this is normal if you are doing domain level authentication, and have not created/populated an smbpasswd file - if the domain authentication doesn't work, samba tries to authenticate you locally to the smbpasswd file. So this isn't the issue, I believe.

It looks to me as if your win2k dc has disabled support for NTLM v1 challenge response authentication. Check your domain controller security policy under security settings/local policies/security options and see what the value of: Lan Manager Authentication Level says....

Also, if you would like, stop winbindd, remove the log.winbindd file, set your log level in smb.conf to 10, and start winbind, then do your wbinfo -a... command, and send me the log.winbindd; perhaps I can see what is happening from a full debug log.

Thanks,
Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 12:29 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Another thing I noticed. I looked at the log file in samba/var and found the log for my machine was filled with this:

[2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367) unable to open passdb database.

Where is the pdb_smbpasswd.c file and why would there be a problem opening it?

-Dan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 5:24 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1 domain, and the WT1 domain has a trust to the atl-wtec domain. NOTE that my winbind separator is + (as yours appears to be in your smb.conf file):

# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#

NOTE it shows the users in the ATL-WTEC domain as well as my home domain (this may be because I have a 2 way trust between the domains); but NOTE also, that the wbinfo output SHOWS my users with the "+" separator, which matches what I have in my smb.conf file - YOURS DOES NOT: it shows the separator being used as "\"...

You might try verifying your smb.conf file 'winbind separator' by running

testparm|grep winbind

and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u again. Verify that it is using the "+", and if so, then try your wbinfo -a command again (with the + sign)...

That's all I have for now...
don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Below is the beginning of the output which I just pasted into this e-mail. You'll find the error on the bottom. Also at the bottom is a copy of the smb.conf file. Is this all correct?
Thanks,
-Dan

adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
	-u lists all domain users
	-g lists all domain groups
	-h name converts NetBIOS hostname to IP
	-i ip converts IP address to NetBIOS name
	-n name converts name to sid
	-s sid converts sid to name
	-U uid converts uid to sid
	-G gid converts gid to sid
	-S sid converts sid to uid
	-Y sid converts sid to gid
	-t check shared secret
	-m list trusted domains
	-r user get user groups
	-a user%password authenticate user
	-A user%password store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
	-u lists all domain users
	-g lists all domain groups
	-h name converts NetBIOS hostname to IP
	-i ip converts IP address to NetBIOS name
	-n name converts name to sid
	-s sid converts sid to name
	-U uid converts uid to sid
	-G gid converts gid to sid
	-S sid converts sid to uid
	-Y sid converts sid to gid
	-t check shared secret
	-m list trusted domains
	-r user get user groups
	-a user%password authenticate user
	-A user%password store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response

SMB Conf file:

# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14

# Global parameters
[global]
	workgroup = JWAD
	netbios name = ADAMS
	server string = adams samba
	security = DOMAIN
	encrypt passwords = Yes
	null passwords = Yes
	password server = *
	log file = /usr/local/samba/var/log.%m
	max log size = 50
	large readwrite = Yes
	load printers = No
	os level = 0
	preferred master = False
	local master = No
	domain master = False
	dns proxy = No
	valid chars = - _
	winbind uid = 10000-20000
	winbind gid = 10000-20000
	template homedir = /apps/users/%U
	winbind separator = +
	hosts allow = 128.244.11.
	strict locking = Yes

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /usr/spool/samba
	printable = Yes
	browseable = No

[temp]
	path = /apps/temp
	write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator jwad+dantest

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???

Hi Daniel,

that should work - but I notice that you are using "\" for the winbindd separator - some unix'es will swallow this character as an 'escape' character; for instance on HPUX you can see:

# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with challenge/response

NOTE in the above that the response does NOT display the "\" in between the domain and the username. Is this happening to you?

Don

-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???

Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine. I installed with the winbind option and everything went through just fine. I was able to join the NT domain and now I can do a "wbinfo -u" and get a domain user list as well as a "wbinfo -g" and get a group list.

For some reason though, the authentication isn't working. I tried to "wbinfo -a" and used a number of possible names. The samba server is on an NT domain called "jwad" and it has a trust relationship with "jhuapl". My user account is on jhuapl, and I want to get authenticated. When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on both clear text and challenge/response methods. From what I see though, it doesn't even appear to be trying to talk to the domain controller, because the responses are given way too quick for any real network activity to have taken place.

Please lend some advice if you have any. I can probably get sample output if needed.

-Dan

Daniel J. Thomas
Systems Administrator
Johns Hopkins University Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924

"Always avoid a bad file copy... You can never know when your replication proceeds you."
-Anonymous Author
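
The checks worked through in the thread above, collected as an added shell example (not code from the thread or from Samba): what the shell does to an unquoted DOMAIN\user argument, which request numbers winbindd logged as unknown, and whether the matching handler symbol appears in an nm listing. The sample log and nm lines are constructed from lines quoted in the thread, the function names are hypothetical helpers, and only request number 12 is mapped because it is the only one the thread identifies.

```shell
#!/bin/sh
# Added example. Sample data is constructed from lines quoted in the thread;
# all function names here are hypothetical helpers, not Samba tools.

SAMPLE_LOG='[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(378) process_request: unknown request fn number 12
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(531) client_write: wrote 1300 bytes.'

# Solaris nm layout (symbol is the last field), as in Dan's listing.
SAMPLE_NM_SOLARIS='[2635] | 203828| 208|FUNC |GLOB |0 |11 |winbindd_pam_auth
[940] | 204036| 172|FUNC |GLOB |0 |11 |winbindd_pam_chauthtok'

# HP-UX nm layout (symbol is the first field), as in Don's listing.
SAMPLE_NM_HPUX='winbindd_pam_auth | 56056|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|code |$CODE$'

# Print what a program receives as its argument when the text in $1 is typed
# unquoted at a POSIX shell prompt. The text is re-parsed as shell input, so
# pass only constructed strings.
as_typed_unquoted() {
    sh -c "printf '%s\n' $1"
}

# Print each distinct request number that winbindd logged as unknown (log on stdin).
unknown_request_fns() {
    sed -n 's/.*process_request: unknown request fn number \([0-9][0-9]*\).*/\1/p' |
        sort -un
}

# Succeed only if $1 is exactly one "|"-separated field of the nm listing on
# stdin. A substring grep for winbindd_pam_auth would also hit
# winbindd_pam_auth_crap, so fields are trimmed and compared whole.
has_symbol() {
    awk -F'|' -v want="$1" '
        { for (i = 1; i <= NF; i++) {
              f = $i; gsub(/^[ \t]+|[ \t]+$/, "", f)
              if (f == want) found = 1 } }
        END { exit !found }'
}

# Handler name for a request number. The thread identifies only 12
# (AUTH_CRAP, handled by winbindd_pam_auth_crap).
handler_for_fn() {
    case "$1" in
        12) echo winbindd_pam_auth_crap ;;
        *)  return 1 ;;
    esac
}

# For every unknown request number in log text $1, report whether the nm
# listing text $2 contains the handler for it.
triage() {
    for fn in $(printf '%s\n' "$1" | unknown_request_fns); do
        sym=$(handler_for_fn "$fn") || { echo "fn $fn: handler not known"; continue; }
        if printf '%s\n' "$2" | has_symbol "$sym"; then
            echo "fn $fn: $sym present"
        else
            echo "fn $fn: $sym missing"
        fi
    done
}

as_typed_unquoted 'jhuapl\thomadj1%PASSWORD'   # backslash is consumed by the shell
as_typed_unquoted 'JWAD+dantest%password'      # "+" separator reaches the program intact
triage "$SAMPLE_LOG" "$SAMPLE_NM_SOLARIS"
```

In the thread the missing handler turned out to be deliberate in that Samba version, so a "missing" result there means wbinfo -a is not a usable test, not that the build is broken.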