Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
MCCALL,DON (HP-USA,ex1)
2002-Feb-12 12:38 UTC
[Samba] Winbind - Why won't you authenticate???
Hi Daniel,
that should work - but I notice that you are using "\" for the
winbindd
separator - some unix'es will swallow this character as an 'escape'
character; for instance on HPUX you can see:
# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext
password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with
challenge/response
NOTE in the above that the response does NOT display the "\" inbetween
the
domain
and the username.
Is this happening to you?
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Below is the beginning of the output which I just pasted into this e-mail.
You'll find the error on the bottom. Also at the bottom is a copy of the
smb.conf file. It this all correct?
Thanks,
-Dan
adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
SMB Conf file:
# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14
# Global parameters
[global]
workgroup = JWAD
netbios name = ADAMS
server string = adams samba
security = DOMAIN
encrypt passwords = Yes
null passwords = Yes
password server = *
log file = /usr/local/samba/var/log.%m
max log size = 50
large readwrite = Yes
load printers = No
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
valid chars = - _
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /apps/users/%U
winbind separator = +
hosts allow = 128.244.11.
strict locking = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[temp]
path = /apps/temp
write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator
jwad+dantest
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
that should work - but I notice that you are using "\" for the
winbindd
separator - some unix'es will swallow this character as an 'escape'
character; for instance on HPUX you can see:
# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext
password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with
challenge/response
NOTE in the above that the response does NOT display the "\" inbetween
the
domain
and the username.
Is this happening to you?
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
MCCALL,DON (HP-USA,ex1)
2002-Feb-12 14:29 UTC
[Samba] Winbind - Why won't you authenticate???
Hi Daniel,
I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1
domain, and the WT1 domain has a trust to the atl-wtec domain NOTE that my
winbind separator is + (as your's appears to be in your smb.conf file):
# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#
NOTE it shows the users in the ATL-WTEC domain as well as my home domain
(this may be because
I have a 2 way trust between the domains); but NOTE also, that the wbinfo
output SHOWS my
users with the "+" separator, which matches what I have in my smb.conf
file
- YOURS DOES NOT:
it shows the separator being used as "\"...
You might try verifying your smb.conf file 'winbind separator' by
running
testparm|grep winbind
and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u
again. Verify that
it is using the "+", and if so, then try your wbinfo -a command again
(with
the + sign)...
That's all I have for now...
don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Below is the beginning of the output which I just pasted into this e-mail.
You'll find the error on the bottom. Also at the bottom is a copy of the
smb.conf file. It this all correct?
Thanks,
-Dan
adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
SMB Conf file:
# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14
# Global parameters
[global]
workgroup = JWAD
netbios name = ADAMS
server string = adams samba
security = DOMAIN
encrypt passwords = Yes
null passwords = Yes
password server = *
log file = /usr/local/samba/var/log.%m
max log size = 50
large readwrite = Yes
load printers = No
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
valid chars = - _
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /apps/users/%U
winbind separator = +
hosts allow = 128.244.11.
strict locking = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[temp]
path = /apps/temp
write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator
jwad+dantest
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
that should work - but I notice that you are using "\" for the
winbindd
separator - some unix'es will swallow this character as an 'escape'
character; for instance on HPUX you can see:
# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext
password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with
challenge/response
NOTE in the above that the response does NOT display the "\" inbetween
the
domain
and the username.
Is this happening to you?
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Don,
I appreciate the insight. I hadn't tried restarting the winbindd deamon
before wbinfo -u. Now the correct sign is used and I think I've gotten a
bit further, however I still only get a list of uses from the JWAD domain.
I'll have to find out what type of trust is set up, but if it helps, my
users all have user accounts on the JHUAPL domain (along with the other
1000+ accounts on that domain) My unix machine should be on the JWAD
domain, which has a trust relationship with JHUAPL. My account is a JHUAPL
account, but I have admin rights on the JWAD domain. The JWAD\dantest
account I also created on the JWAD domain for testing purposes. I am
getting closer. JHUAPL user and JWAD users give the same result now, but
now what I want:
# ./wbinfo -a JWAD+dantest%password
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
It still doesn't work at all on the windows side.
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 5:24 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1
domain, and the WT1 domain has a trust to the atl-wtec domain NOTE that my
winbind separator is + (as your's appears to be in your smb.conf file):
# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#
NOTE it shows the users in the ATL-WTEC domain as well as my home domain
(this may be because
I have a 2 way trust between the domains); but NOTE also, that the wbinfo
output SHOWS my
users with the "+" separator, which matches what I have in my smb.conf
file
- YOURS DOES NOT:
it shows the separator being used as "\"...
You might try verifying your smb.conf file 'winbind separator' by
running
testparm|grep winbind
and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u
again. Verify that
it is using the "+", and if so, then try your wbinfo -a command again
(with
the + sign)...
That's all I have for now...
don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Below is the beginning of the output which I just pasted into this e-mail.
You'll find the error on the bottom. Also at the bottom is a copy of the
smb.conf file. It this all correct?
Thanks,
-Dan
adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
SMB Conf file:
# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14
# Global parameters
[global]
workgroup = JWAD
netbios name = ADAMS
server string = adams samba
security = DOMAIN
encrypt passwords = Yes
null passwords = Yes
password server = *
log file = /usr/local/samba/var/log.%m
max log size = 50
large readwrite = Yes
load printers = No
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
valid chars = - _
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /apps/users/%U
winbind separator = +
hosts allow = 128.244.11.
strict locking = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[temp]
path = /apps/temp
write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator
jwad+dantest
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
that should work - but I notice that you are using "\" for the
winbindd
separator - some unix'es will swallow this character as an 'escape'
character; for instance on HPUX you can see:
# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext
password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with
challenge/response
NOTE in the above that the response does NOT display the "\" inbetween
the
domain
and the username.
Is this happening to you?
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Another thing I noticed. I looked at the log file in samba/var and found
the log for my machine was filled with this:
[2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.
Where is the pdb_smbpassd.c file and why would there be a problem opening
it?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 5:24 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1
domain, and the WT1 domain has a trust to the atl-wtec domain NOTE that my
winbind separator is + (as your's appears to be in your smb.conf file):
# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#
NOTE it shows the users in the ATL-WTEC domain as well as my home domain
(this may be because
I have a 2 way trust between the domains); but NOTE also, that the wbinfo
output SHOWS my
users with the "+" separator, which matches what I have in my smb.conf
file
- YOURS DOES NOT:
it shows the separator being used as "\"...
You might try verifying your smb.conf file 'winbind separator' by
running
testparm|grep winbind
and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u
again. Verify that
it is using the "+", and if so, then try your wbinfo -a command again
(with
the + sign)...
That's all I have for now...
don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Below is the beginning of the output which I just pasted into this e-mail.
You'll find the error on the bottom. Also at the bottom is a copy of the
smb.conf file. It this all correct?
Thanks,
-Dan
adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
SMB Conf file:
# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14
# Global parameters
[global]
workgroup = JWAD
netbios name = ADAMS
server string = adams samba
security = DOMAIN
encrypt passwords = Yes
null passwords = Yes
password server = *
log file = /usr/local/samba/var/log.%m
max log size = 50
large readwrite = Yes
load printers = No
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
valid chars = - _
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /apps/users/%U
winbind separator = +
hosts allow = 128.244.11.
strict locking = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[temp]
path = /apps/temp
write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator
jwad+dantest
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
that should work - but I notice that you are using "\" for the
winbindd
separator - some unix'es will swallow this character as an 'escape'
character; for instance on HPUX you can see:
# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext
password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with
challenge/response
NOTE in the above that the response does NOT display the "\" inbetween
the
domain
and the username.
Is this happening to you?
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
MCCALL,DON (HP-USA,ex1)
2002-Feb-13 10:07 UTC
[Samba] Winbind - Why won't you authenticate???
Hi Thomas,
The message from pdb_smbpasswd.c is saying that it can't find the smbpasswd
file;
this is normal if you are doing domain level authentication, and have not
created/populated
an smbpasswd file - if the domain authentication doesn't work, samba trys to
authenticate
you locally to the smbpasswd file. So this isn't the issue, I believe.
It looks to me as if your win2k dc has disabled support for NTLM v1
challenge response authentication.
Check you domain controller security policy under security settings/local
policies/
security options and see what the value of :
Lan Manager Authentication Level
says....
Also, If you would like, stop winbindd,remove the log.winbindd file,
set your log level in smb.conf to 10, and
start winbind, then do your wbinfo -a... command, and send me the
log.winbindd; perhaps I
can see what is happening from a full debug log.
Thanks,
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 12:29 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Another thing I noticed. I looked at the log file in samba/var and found
the log for my machine was filled with this:
[2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.
Where is the pdb_smbpassd.c file and why would there be a problem opening
it?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 5:24 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1
domain, and the WT1 domain has a trust to the atl-wtec domain NOTE that my
winbind separator is + (as your's appears to be in your smb.conf file):
# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#
NOTE it shows the users in the ATL-WTEC domain as well as my home domain
(this may be because
I have a 2 way trust between the domains); but NOTE also, that the wbinfo
output SHOWS my
users with the "+" separator, which matches what I have in my smb.conf
file
- YOURS DOES NOT:
it shows the separator being used as "\"...
You might try verifying your smb.conf file 'winbind separator' by
running
testparm|grep winbind
and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u
again. Verify that
it is using the "+", and if so, then try your wbinfo -a command again
(with
the + sign)...
That's all I have for now...
don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Below is the beginning of the output which I just pasted into this e-mail.
You'll find the error on the bottom. Also at the bottom is a copy of the
smb.conf file. It this all correct?
Thanks,
-Dan
adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
SMB Conf file:
# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14
# Global parameters
[global]
workgroup = JWAD
netbios name = ADAMS
server string = adams samba
security = DOMAIN
encrypt passwords = Yes
null passwords = Yes
password server = *
log file = /usr/local/samba/var/log.%m
max log size = 50
large readwrite = Yes
load printers = No
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
valid chars = - _
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /apps/users/%U
winbind separator = +
hosts allow = 128.244.11.
strict locking = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[temp]
path = /apps/temp
write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator
jwad+dantest
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
that should work - but I notice that you are using "\" for the
winbindd
separator - some unix'es will swallow this character as an 'escape'
character; for instance on HPUX you can see:
# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext
password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with
challenge/response
NOTE in the above that the response does NOT display the "\" inbetween
the
domain
and the username.
Is this happening to you?
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
MCCALL,DON (HP-USA,ex1)
2002-Feb-13 13:48 UTC
[Samba] Winbind - Why won't you authenticate???
Hi Daniel,
Well, that nails it - take a look at the nm output from my winbindd:
# nm ../bin/winbindd|grep auth
authorise_login | 668456|extern|code |$CODE$
become_authenticated_pipe_user| 679768|extern|code |$CODE$
cli_net_auth2 | 687676|extern|code |$CODE$
init_q_auth_2 | 469520|extern|code |$CODE$
init_rpc_auth_ntlmssp_chal| 505008|extern|code |$CODE$
init_rpc_auth_ntlmssp_chk| 507856|extern|code |$CODE$
init_rpc_auth_ntlmssp_neg| 504188|extern|code |$CODE$
init_rpc_auth_ntlmssp_resp| 505372|extern|code |$CODE$
init_rpc_auth_verifier| 503964|extern|code |$CODE$
init_rpc_hdr_auth | 503592|extern|code |$CODE$
init_rpc_hdr_autha | 503208|extern|code |$CODE$
lp_lanman_auth | 102056|extern|code |$CODE$
net_io_q_auth | 469160|extern|code |$CODE$
net_io_q_auth_2 | 469772|extern|code |$CODE$
net_io_r_auth | 469352|extern|code |$CODE$
net_io_r_auth_2 | 470000|extern|code |$CODE$
new_cli_net_auth2 | 430004|extern|code |$CODE$
rpc_auth_ntlmssp_chk| 507596|extern|code |$CODE$
rpc_auth_pipe | 436536|static|entry |$CODE$
rpc_auth_verifier_chk| 503896|extern|code |$CODE$
rpc_hdr_auth_chk | 503560|extern|code |$CODE$
rpc_send_auth_reply | 444416|static|entry |$CODE$
smb_io_rpc_auth_ntlmssp_chal| 505084|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_chk| 507876|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_neg| 504328|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_resp| 506012|extern|code |$CODE$
smb_io_rpc_auth_verifier| 504012|extern|code |$CODE$
smb_io_rpc_hdr_auth | 503620|extern|code |$CODE$
smb_io_rpc_hdr_autha| 503256|extern|code |$CODE$
unbecome_authenticated_pipe_user| 679852|extern|code |$CODE$
winbindd_pam_auth | 56056|extern|entry |
winbindd_pam_auth | 56056|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|entry |
winbindd_pam_chauthtok| 56744|extern|entry |
winbindd_pam_chauthtok| 56744|extern|code |$CODE$
#
^^^^^^^^^^^^^^^^specifically that I DO have entries not only for
winbindd_pam_auth,
but also for winbindd_pam_auth_crap - which you are missing, and therefore
when
wbinfo requests this function, winbindd fails when looking up the pointer to
the
function (null)...
I have NO immediate idea why this might be. As I said, I would recommend
doing a make clean, removing config.cache, and re-running configure
--with-winbind --with-pam
and doing a make again.
I don't have a sun system to try this on presently...
Let me know,
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:33 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Don,
I've inserted my results inline below. Also, this isn't really
pertinent to
your previous message, but I thought you might want to know that our JWAD
server are all Windows NT 4.0 SP6a, and only the workstations are Windows
2K. The bigger domain, JHUAPL, is also a Windows NT domain, but will soon
be migrated to a Windows 2000 domain. That may be something I need to keep
in mind for the future, however this case we are working on is a test
subject for me so I can apply this concept on our other private LAN which I
have full control over and is currently Windows NT with no plans on going to
Win2k domain at the present. This domain also has Win2k Pro workstations
though.
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:16 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Thomas,
this would be your issue, I'm guessing:
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(378)
process_request: unknown request fn number 12
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(531)
client_write: wrote 1300 bytes.
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(483)
client_read: read 0 bytes. Need 1044 more for a full request.
[2002/02/13 14:21:05, 5] nsswitch/winbindd.c:(490)
read failed on sock 12, pid 1623: EOF
WHAT SHOULD BE HAPPENING here is the following:
[2002/02/13 11:34:46, 10] nsswitch/winbindd.c:(369)
process_request: request fn AUTH_CRAP
[2002/02/13 11:34:46, 3] nsswitch/winbindd_pam.c:(92)
[25106]: pam auth crap wt1/administrator
(of course, with YOUR domain and username specified instead
of mine (wt1/administrator).
What is highly unusual is that process_request is reporting an unknown
request for fn 12 (which is what AUTH_CRAP ie WINBINDD_PAM_AUTH_CRAP
evaluates to). it SHOULD have found this function in the dispatch_table...
SOOOOO - what's going on?
It LOOKS like the pointer to the winbindd_pam_auth_crap routine is null!
if you have 'nm' on your system,
do and
nm winbindd|grep auth
Results:
adams{root}19: nm winbindd|grep auth
[2940] | 815960| 2476|FUNC |GLOB |0 |11 |authorise_login
[2803] | 828500| 60|FUNC |GLOB |0 |11
|become_authenticated_pipe_user
[2517] | 836548| 728|FUNC |GLOB |0 |11 |cli_net_auth2
[1415] | 614724| 268|FUNC |GLOB |0 |11 |init_q_auth_2
[2753] | 650796| 52|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_chal
[1889] | 653716| 20|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_chk
[2667] | 649992| 100|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_neg
[1673] | 651128| 616|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_resp
[2697] | 649780| 32|FUNC |GLOB |0 |11
|init_rpc_auth_verifier
[1725] | 649412| 36|FUNC |GLOB |0 |11 |init_rpc_hdr_auth
[1386] | 648956| 84|FUNC |GLOB |0 |11 |init_rpc_hdr_autha
[1706] | 250824| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[3278] | 614372| 184|FUNC |GLOB |0 |11 |net_io_q_auth
[1154] | 614992| 216|FUNC |GLOB |0 |11 |net_io_q_auth_2
[1379] | 614556| 168|FUNC |GLOB |0 |11 |net_io_r_auth
[1352] | 615208| 200|FUNC |GLOB |0 |11 |net_io_r_auth_2
[1607] | 575180| 532|FUNC |GLOB |0 |11 |new_cli_net_auth2
[462] | 955456| 132|OBJT |LOCL |0 |22 |nt_authority_users
[3241] | 653440| 276|FUNC |GLOB |0 |11 |rpc_auth_ntlmssp_chk
[725] | 581132| 1448|FUNC |LOCL |0 |11 |rpc_auth_pipe
[2856] | 649720| 60|FUNC |GLOB |0 |11 |rpc_auth_verifier_chk
[1622] | 649360| 52|FUNC |GLOB |0 |11 |rpc_hdr_auth_chk
[733] | 590224| 1020|FUNC |LOCL |0 |11 |rpc_send_auth_reply
[1157] | 650848| 264|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_chal
[2669] | 653736| 236|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_chk
[1118] | 650108| 688|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_neg
[2401] | 651744| 1696|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_resp
[1244] | 649812| 164|FUNC |GLOB |0 |11
|smb_io_rpc_auth_verifier
[1591] | 649448| 272|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_auth
[2752] | 649040| 320|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_autha
[2933] | 828576| 12|FUNC |GLOB |0 |11
|unbecome_authenticated_pipe_user
[2635] | 203828| 208|FUNC |GLOB |0 |11 |winbindd_pam_auth
[940] | 204036| 172|FUNC |GLOB |0 |11
|winbindd_pam_chauthtok
and
nm wbinfo|grep auth
Results:
adams{root}20: nm wbinfo|grep auth
[864] | 126880| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[365] | 413492| 132|OBJT |LOCL |0 |22 |nt_authority_users
[56] | 113376| 244|FUNC |LOCL |0 |11 |wbinfo_auth
[57] | 113636| 304|FUNC |LOCL |0 |11 |wbinfo_auth_crap
[60] | 114276| 184|FUNC |LOCL |0 |11 |wbinfo_set_auth_user
and let me know the results, ok?
Also if you can send the config.log and the exact command line you used to
do a configure when
you built samba, that would help as well; you might want to (while I look
at this), do a make clean
rm config.cache, and run configure again - configure --with-pam
--with-winbindd
and see if it doesnt work better for you - maybe you didn't clean out your
config.cache, and it screwed
you up...
Don
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 2:32 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
OK,
Set up log level 10 and recreated the log files. I just ran this:
adams{root}26: ./wbinfo -a JWAD+dantest%password
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
Also, it looks like I'm getting a complete domain listing now from both
domains with wbinfo -u.
I think it might be because I added a wins server address. the command does
keep winbind bussy for a minute of two to list all the users =)
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 1:01 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Thomas,
The message from pdb_smbpasswd.c is saying that it can't find the smbpasswd
file;
this is normal if you are doing domain level authentication, and have not
created/populated
an smbpasswd file - if the domain authentication doesn't work, samba trys to
authenticate
you locally to the smbpasswd file. So this isn't the issue, I believe.
It looks to me as if your win2k dc has disabled support for NTLM v1
challenge response authentication.
Check you domain controller security policy under security settings/local
policies/
security options and see what the value of :
Lan Manager Authentication Level
says....
Also, If you would like, stop winbindd,remove the log.winbindd file,
set your log level in smb.conf to 10, and
start winbind, then do your wbinfo -a... command, and send me the
log.winbindd; perhaps I
can see what is happening from a full debug log.
Thanks,
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 12:29 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Another thing I noticed. I looked at the log file in samba/var and found
the log for my machine was filled with this:
[2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.
Where is the pdb_smbpassd.c file and why would there be a problem opening
it?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 5:24 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1
domain, and the WT1 domain has a trust to the atl-wtec domain NOTE that my
winbind separator is + (as your's appears to be in your smb.conf file):
# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#
NOTE it shows the users in the ATL-WTEC domain as well as my home domain
(this may be because
I have a 2 way trust between the domains); but NOTE also, that the wbinfo
output SHOWS my
users with the "+" separator, which matches what I have in my smb.conf
file
- YOURS DOES NOT:
it shows the separator being used as "\"...
You might try verifying your smb.conf file 'winbind separator' by
running
testparm|grep winbind
and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u
again. Verify that
it is using the "+", and if so, then try your wbinfo -a command again
(with
the + sign)...
That's all I have for now...
don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Below is the beginning of the output which I just pasted into this e-mail.
You'll find the error on the bottom. Also at the bottom is a copy of the
smb.conf file. It this all correct?
Thanks,
-Dan
adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
SMB Conf file:
# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14
# Global parameters
[global]
workgroup = JWAD
netbios name = ADAMS
server string = adams samba
security = DOMAIN
encrypt passwords = Yes
null passwords = Yes
password server = *
log file = /usr/local/samba/var/log.%m
max log size = 50
large readwrite = Yes
load printers = No
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
valid chars = - _
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /apps/users/%U
winbind separator = +
hosts allow = 128.244.11.
strict locking = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[temp]
path = /apps/temp
write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator
jwad+dantest
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
that should work - but I notice that you are using "\" for the
winbindd
separator - some unix'es will swallow this character as an 'escape'
character; for instance on HPUX you can see:
# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext
password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with
challenge/response
NOTE in the above that the response does NOT display the "\" inbetween
the
domain
and the username.
Is this happening to you?
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Oh! OK. I must have missed your other message. Now I thought that the
smbclient only worked on Linux. Can I compile the smbclient on my sun box?
(I think there is a --with option durring the build for that?)
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Thursday, February 14, 2002 9:39 AM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
Did you see my message from last night - I talked to some of the folks on
Samba-Technical, and this is a red herring; the version of SAmba you are
running has this functionality purposefully commented out. I was working on
an older version (about 2 weeks old cvs), where it was still there. Bottom
line is winbindd doesn't do pam_auth_crap anymore, so that wbinfo -a
functionality won't work. To see whether winbindd is actually working for
you, you have to go to a different testing method:
smbclient //servername/sharename -Udomain+user
then give your password. If this works, then youre getting there...
But NO, you don't need pam_winbind.so to do what you are trying to do.
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Thursday, February 14, 2002 9:35 AM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Found the file nsswitch/winbindd_pam.o and there was no instance of
winbindd_pam_auth_crap there. Now do you think I need to install Pam on my
UNIX machine and then recompile with pam support to make this work?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:58 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
No, it SHOULD'nt be necessary.
Can you send me your Makefile?
also do an nm on nsswitch/winbindd_pam.o and grep for auth;
see if winbindd_pam_auth_crap shows up there - thats the module
that actually contains the code..
Thanks,
Don
PS: Samba-Technical; does this ring any bells with anyone?
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:47 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???
I hadn't tried to use pam for winbind. It was my impression from the
documentation on winbind that although it *can* use pam, it isn't required.
Do you think this is the problem? Should I install PAM on my server and
then recompile samba with --with-pam?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:43 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1);
'samba@lists.samba.org'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
Well, that nails it - take a look at the nm output from my winbindd:
# nm ../bin/winbindd|grep auth
authorise_login | 668456|extern|code |$CODE$
become_authenticated_pipe_user| 679768|extern|code |$CODE$
cli_net_auth2 | 687676|extern|code |$CODE$
init_q_auth_2 | 469520|extern|code |$CODE$
init_rpc_auth_ntlmssp_chal| 505008|extern|code |$CODE$
init_rpc_auth_ntlmssp_chk| 507856|extern|code |$CODE$
init_rpc_auth_ntlmssp_neg| 504188|extern|code |$CODE$
init_rpc_auth_ntlmssp_resp| 505372|extern|code |$CODE$
init_rpc_auth_verifier| 503964|extern|code |$CODE$
init_rpc_hdr_auth | 503592|extern|code |$CODE$
init_rpc_hdr_autha | 503208|extern|code |$CODE$
lp_lanman_auth | 102056|extern|code |$CODE$
net_io_q_auth | 469160|extern|code |$CODE$
net_io_q_auth_2 | 469772|extern|code |$CODE$
net_io_r_auth | 469352|extern|code |$CODE$
net_io_r_auth_2 | 470000|extern|code |$CODE$
new_cli_net_auth2 | 430004|extern|code |$CODE$
rpc_auth_ntlmssp_chk| 507596|extern|code |$CODE$
rpc_auth_pipe | 436536|static|entry |$CODE$
rpc_auth_verifier_chk| 503896|extern|code |$CODE$
rpc_hdr_auth_chk | 503560|extern|code |$CODE$
rpc_send_auth_reply | 444416|static|entry |$CODE$
smb_io_rpc_auth_ntlmssp_chal| 505084|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_chk| 507876|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_neg| 504328|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_resp| 506012|extern|code |$CODE$
smb_io_rpc_auth_verifier| 504012|extern|code |$CODE$
smb_io_rpc_hdr_auth | 503620|extern|code |$CODE$
smb_io_rpc_hdr_autha| 503256|extern|code |$CODE$
unbecome_authenticated_pipe_user| 679852|extern|code |$CODE$
winbindd_pam_auth | 56056|extern|entry |
winbindd_pam_auth | 56056|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|entry |
winbindd_pam_chauthtok| 56744|extern|entry |
winbindd_pam_chauthtok| 56744|extern|code |$CODE$
#
^^^^^^^^^^^^^^^^specifically that I DO have entries not only for
winbindd_pam_auth,
but also for winbindd_pam_auth_crap - which you are missing, and therefore
when
wbinfo requests this function, winbindd fails when looking up the pointer to
the
function (null)...
I have NO immediate idea why this might be. As I said, I would recommend
doing a make clean, removing config.cache, and re-running configure
--with-winbind --with-pam
and doing a make again.
I don't have a sun system to try this on presently...
Let me know,
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:33 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Don,
I've inserted my results inline below. Also, this isn't really
pertinent to
your previous message, but I thought you might want to know that our JWAD
server are all Windows NT 4.0 SP6a, and only the workstations are Windows
2K. The bigger domain, JHUAPL, is also a Windows NT domain, but will soon
be migrated to a Windows 2000 domain. That may be something I need to keep
in mind for the future, however this case we are working on is a test
subject for me so I can apply this concept on our other private LAN which I
have full control over and is currently Windows NT with no plans on going to
Win2k domain at the present. This domain also has Win2k Pro workstations
though.
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:16 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Thomas,
this would be your issue, I'm guessing:
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(378)
process_request: unknown request fn number 12
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(531)
client_write: wrote 1300 bytes.
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(483)
client_read: read 0 bytes. Need 1044 more for a full request.
[2002/02/13 14:21:05, 5] nsswitch/winbindd.c:(490)
read failed on sock 12, pid 1623: EOF
WHAT SHOULD BE HAPPENING here is the following:
[2002/02/13 11:34:46, 10] nsswitch/winbindd.c:(369)
process_request: request fn AUTH_CRAP
[2002/02/13 11:34:46, 3] nsswitch/winbindd_pam.c:(92)
[25106]: pam auth crap wt1/administrator
(of course, with YOUR domain and username specified instead
of mine (wt1/administrator).
What is highly unusual is that process_request is reporting an unknown
request for fn 12 (which is what AUTH_CRAP ie WINBINDD_PAM_AUTH_CRAP
evaluates to). it SHOULD have found this function in the dispatch_table...
SOOOOO - what's going on?
It LOOKS like the pointer to the winbindd_pam_auth_crap routine is null!
if you have 'nm' on your system,
do and
nm winbindd|grep auth
Results:
adams{root}19: nm winbindd|grep auth
[2940] | 815960| 2476|FUNC |GLOB |0 |11 |authorise_login
[2803] | 828500| 60|FUNC |GLOB |0 |11
|become_authenticated_pipe_user
[2517] | 836548| 728|FUNC |GLOB |0 |11 |cli_net_auth2
[1415] | 614724| 268|FUNC |GLOB |0 |11 |init_q_auth_2
[2753] | 650796| 52|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_chal
[1889] | 653716| 20|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_chk
[2667] | 649992| 100|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_neg
[1673] | 651128| 616|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_resp
[2697] | 649780| 32|FUNC |GLOB |0 |11
|init_rpc_auth_verifier
[1725] | 649412| 36|FUNC |GLOB |0 |11 |init_rpc_hdr_auth
[1386] | 648956| 84|FUNC |GLOB |0 |11 |init_rpc_hdr_autha
[1706] | 250824| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[3278] | 614372| 184|FUNC |GLOB |0 |11 |net_io_q_auth
[1154] | 614992| 216|FUNC |GLOB |0 |11 |net_io_q_auth_2
[1379] | 614556| 168|FUNC |GLOB |0 |11 |net_io_r_auth
[1352] | 615208| 200|FUNC |GLOB |0 |11 |net_io_r_auth_2
[1607] | 575180| 532|FUNC |GLOB |0 |11 |new_cli_net_auth2
[462] | 955456| 132|OBJT |LOCL |0 |22 |nt_authority_users
[3241] | 653440| 276|FUNC |GLOB |0 |11 |rpc_auth_ntlmssp_chk
[725] | 581132| 1448|FUNC |LOCL |0 |11 |rpc_auth_pipe
[2856] | 649720| 60|FUNC |GLOB |0 |11 |rpc_auth_verifier_chk
[1622] | 649360| 52|FUNC |GLOB |0 |11 |rpc_hdr_auth_chk
[733] | 590224| 1020|FUNC |LOCL |0 |11 |rpc_send_auth_reply
[1157] | 650848| 264|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_chal
[2669] | 653736| 236|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_chk
[1118] | 650108| 688|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_neg
[2401] | 651744| 1696|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_resp
[1244] | 649812| 164|FUNC |GLOB |0 |11
|smb_io_rpc_auth_verifier
[1591] | 649448| 272|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_auth
[2752] | 649040| 320|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_autha
[2933] | 828576| 12|FUNC |GLOB |0 |11
|unbecome_authenticated_pipe_user
[2635] | 203828| 208|FUNC |GLOB |0 |11 |winbindd_pam_auth
[940] | 204036| 172|FUNC |GLOB |0 |11
|winbindd_pam_chauthtok
and
nm wbinfo|grep auth
Results:
adams{root}20: nm wbinfo|grep auth
[864] | 126880| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[365] | 413492| 132|OBJT |LOCL |0 |22 |nt_authority_users
[56] | 113376| 244|FUNC |LOCL |0 |11 |wbinfo_auth
[57] | 113636| 304|FUNC |LOCL |0 |11 |wbinfo_auth_crap
[60] | 114276| 184|FUNC |LOCL |0 |11 |wbinfo_set_auth_user
and let me know the results, ok?
Also if you can send the config.log and the exact command line you used to
do a configure when
you built samba, that would help as well; you might want to (while I look
at this), do a make clean
rm config.cache, and run configure again - configure --with-pam
--with-winbindd
and see if it doesnt work better for you - maybe you didn't clean out your
config.cache, and it screwed
you up...
Don
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 2:32 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
OK,
Set up log level 10 and recreated the log files. I just ran this:
adams{root}26: ./wbinfo -a JWAD+dantest%password
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
Also, it looks like I'm getting a complete domain listing now from both
domains with wbinfo -u.
I think it might be because I added a wins server address. the command does
keep winbind bussy for a minute of two to list all the users =)
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 1:01 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Thomas,
The message from pdb_smbpasswd.c is saying that it can't find the smbpasswd
file;
this is normal if you are doing domain level authentication, and have not
created/populated
an smbpasswd file - if the domain authentication doesn't work, samba trys to
authenticate
you locally to the smbpasswd file. So this isn't the issue, I believe.
It looks to me as if your win2k dc has disabled support for NTLM v1
challenge response authentication.
Check you domain controller security policy under security settings/local
policies/
security options and see what the value of :
Lan Manager Authentication Level
says....
Also, If you would like, stop winbindd,remove the log.winbindd file,
set your log level in smb.conf to 10, and
start winbind, then do your wbinfo -a... command, and send me the
log.winbindd; perhaps I
can see what is happening from a full debug log.
Thanks,
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 12:29 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Another thing I noticed. I looked at the log file in samba/var and found
the log for my machine was filled with this:
[2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.
Where is the pdb_smbpassd.c file and why would there be a problem opening
it?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 5:24 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1
domain, and the WT1 domain has a trust to the atl-wtec domain NOTE that my
winbind separator is + (as your's appears to be in your smb.conf file):
# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#
NOTE it shows the users in the ATL-WTEC domain as well as my home domain
(this may be because
I have a 2 way trust between the domains); but NOTE also, that the wbinfo
output SHOWS my
users with the "+" separator, which matches what I have in my smb.conf
file
- YOURS DOES NOT:
it shows the separator being used as "\"...
You might try verifying your smb.conf file 'winbind separator' by
running
testparm|grep winbind
and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u
again. Verify that
it is using the "+", and if so, then try your wbinfo -a command again
(with
the + sign)...
That's all I have for now...
don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Below is the beginning of the output which I just pasted into this e-mail.
You'll find the error on the bottom. Also at the bottom is a copy of the
smb.conf file. It this all correct?
Thanks,
-Dan
adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
SMB Conf file:
# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14
# Global parameters
[global]
workgroup = JWAD
netbios name = ADAMS
server string = adams samba
security = DOMAIN
encrypt passwords = Yes
null passwords = Yes
password server = *
log file = /usr/local/samba/var/log.%m
max log size = 50
large readwrite = Yes
load printers = No
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
valid chars = - _
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /apps/users/%U
winbind separator = +
hosts allow = 128.244.11.
strict locking = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[temp]
path = /apps/temp
write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator
jwad+dantest
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
that should work - but I notice that you are using "\" for the
winbindd
separator - some unix'es will swallow this character as an 'escape'
character; for instance on HPUX you can see:
# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext
password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with
challenge/response
NOTE in the above that the response does NOT display the "\" inbetween
the
domain
and the username.
Is this happening to you?
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
MCCALL,DON (HP-USA,ex1)
2002-Feb-14 06:53 UTC
[Samba] Winbind - Why won't you authenticate???
Smbclient works on all boxes that I know of - I think you are thinking about
smbfs...
smbclient is just another program in your samba bin directory...
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Thursday, February 14, 2002 9:45 AM
To: 'MCCALL,DON (HP-USA,ex1)'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Oh! OK. I must have missed your other message. Now I thought that the
smbclient only worked on Linux. Can I compile the smbclient on my sun box?
(I think there is a --with option durring the build for that?)
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Thursday, February 14, 2002 9:39 AM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
Did you see my message from last night - I talked to some of the folks on
Samba-Technical, and this is a red herring; the version of SAmba you are
running has this functionality purposefully commented out. I was working on
an older version (about 2 weeks old cvs), where it was still there. Bottom
line is winbindd doesn't do pam_auth_crap anymore, so that wbinfo -a
functionality won't work. To see whether winbindd is actually working for
you, you have to go to a different testing method:
smbclient //servername/sharename -Udomain+user
then give your password. If this works, then youre getting there...
But NO, you don't need pam_winbind.so to do what you are trying to do.
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Thursday, February 14, 2002 9:35 AM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Found the file nsswitch/winbindd_pam.o and there was no instance of
winbindd_pam_auth_crap there. Now do you think I need to install Pam on my
UNIX machine and then recompile with pam support to make this work?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:58 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
No, it SHOULD'nt be necessary.
Can you send me your Makefile?
also do an nm on nsswitch/winbindd_pam.o and grep for auth;
see if winbindd_pam_auth_crap shows up there - thats the module
that actually contains the code..
Thanks,
Don
PS: Samba-Technical; does this ring any bells with anyone?
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:47 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???
I hadn't tried to use pam for winbind. It was my impression from the
documentation on winbind that although it *can* use pam, it isn't required.
Do you think this is the problem? Should I install PAM on my server and
then recompile samba with --with-pam?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:43 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1);
'samba@lists.samba.org'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
Well, that nails it - take a look at the nm output from my winbindd:
# nm ../bin/winbindd|grep auth
authorise_login | 668456|extern|code |$CODE$
become_authenticated_pipe_user| 679768|extern|code |$CODE$
cli_net_auth2 | 687676|extern|code |$CODE$
init_q_auth_2 | 469520|extern|code |$CODE$
init_rpc_auth_ntlmssp_chal| 505008|extern|code |$CODE$
init_rpc_auth_ntlmssp_chk| 507856|extern|code |$CODE$
init_rpc_auth_ntlmssp_neg| 504188|extern|code |$CODE$
init_rpc_auth_ntlmssp_resp| 505372|extern|code |$CODE$
init_rpc_auth_verifier| 503964|extern|code |$CODE$
init_rpc_hdr_auth | 503592|extern|code |$CODE$
init_rpc_hdr_autha | 503208|extern|code |$CODE$
lp_lanman_auth | 102056|extern|code |$CODE$
net_io_q_auth | 469160|extern|code |$CODE$
net_io_q_auth_2 | 469772|extern|code |$CODE$
net_io_r_auth | 469352|extern|code |$CODE$
net_io_r_auth_2 | 470000|extern|code |$CODE$
new_cli_net_auth2 | 430004|extern|code |$CODE$
rpc_auth_ntlmssp_chk| 507596|extern|code |$CODE$
rpc_auth_pipe | 436536|static|entry |$CODE$
rpc_auth_verifier_chk| 503896|extern|code |$CODE$
rpc_hdr_auth_chk | 503560|extern|code |$CODE$
rpc_send_auth_reply | 444416|static|entry |$CODE$
smb_io_rpc_auth_ntlmssp_chal| 505084|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_chk| 507876|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_neg| 504328|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_resp| 506012|extern|code |$CODE$
smb_io_rpc_auth_verifier| 504012|extern|code |$CODE$
smb_io_rpc_hdr_auth | 503620|extern|code |$CODE$
smb_io_rpc_hdr_autha| 503256|extern|code |$CODE$
unbecome_authenticated_pipe_user| 679852|extern|code |$CODE$
winbindd_pam_auth | 56056|extern|entry |
winbindd_pam_auth | 56056|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|entry |
winbindd_pam_chauthtok| 56744|extern|entry |
winbindd_pam_chauthtok| 56744|extern|code |$CODE$
#
^^^^^^^^^^^^^^^^specifically that I DO have entries not only for
winbindd_pam_auth,
but also for winbindd_pam_auth_crap - which you are missing, and therefore
when
wbinfo requests this function, winbindd fails when looking up the pointer to
the
function (null)...
I have NO immediate idea why this might be. As I said, I would recommend
doing a make clean, removing config.cache, and re-running configure
--with-winbind --with-pam
and doing a make again.
I don't have a sun system to try this on presently...
Let me know,
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:33 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Don,
I've inserted my results inline below. Also, this isn't really
pertinent to
your previous message, but I thought you might want to know that our JWAD
server are all Windows NT 4.0 SP6a, and only the workstations are Windows
2K. The bigger domain, JHUAPL, is also a Windows NT domain, but will soon
be migrated to a Windows 2000 domain. That may be something I need to keep
in mind for the future, however this case we are working on is a test
subject for me so I can apply this concept on our other private LAN which I
have full control over and is currently Windows NT with no plans on going to
Win2k domain at the present. This domain also has Win2k Pro workstations
though.
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:16 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Thomas,
this would be your issue, I'm guessing:
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(378)
process_request: unknown request fn number 12
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(531)
client_write: wrote 1300 bytes.
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(483)
client_read: read 0 bytes. Need 1044 more for a full request.
[2002/02/13 14:21:05, 5] nsswitch/winbindd.c:(490)
read failed on sock 12, pid 1623: EOF
WHAT SHOULD BE HAPPENING here is the following:
[2002/02/13 11:34:46, 10] nsswitch/winbindd.c:(369)
process_request: request fn AUTH_CRAP
[2002/02/13 11:34:46, 3] nsswitch/winbindd_pam.c:(92)
[25106]: pam auth crap wt1/administrator
(of course, with YOUR domain and username specified instead
of mine (wt1/administrator).
What is highly unusual is that process_request is reporting an unknown
request for fn 12 (which is what AUTH_CRAP ie WINBINDD_PAM_AUTH_CRAP
evaluates to). it SHOULD have found this function in the dispatch_table...
SOOOOO - what's going on?
It LOOKS like the pointer to the winbindd_pam_auth_crap routine is null!
if you have 'nm' on your system,
do and
nm winbindd|grep auth
Results:
adams{root}19: nm winbindd|grep auth
[2940] | 815960| 2476|FUNC |GLOB |0 |11 |authorise_login
[2803] | 828500| 60|FUNC |GLOB |0 |11
|become_authenticated_pipe_user
[2517] | 836548| 728|FUNC |GLOB |0 |11 |cli_net_auth2
[1415] | 614724| 268|FUNC |GLOB |0 |11 |init_q_auth_2
[2753] | 650796| 52|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_chal
[1889] | 653716| 20|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_chk
[2667] | 649992| 100|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_neg
[1673] | 651128| 616|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_resp
[2697] | 649780| 32|FUNC |GLOB |0 |11
|init_rpc_auth_verifier
[1725] | 649412| 36|FUNC |GLOB |0 |11 |init_rpc_hdr_auth
[1386] | 648956| 84|FUNC |GLOB |0 |11 |init_rpc_hdr_autha
[1706] | 250824| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[3278] | 614372| 184|FUNC |GLOB |0 |11 |net_io_q_auth
[1154] | 614992| 216|FUNC |GLOB |0 |11 |net_io_q_auth_2
[1379] | 614556| 168|FUNC |GLOB |0 |11 |net_io_r_auth
[1352] | 615208| 200|FUNC |GLOB |0 |11 |net_io_r_auth_2
[1607] | 575180| 532|FUNC |GLOB |0 |11 |new_cli_net_auth2
[462] | 955456| 132|OBJT |LOCL |0 |22 |nt_authority_users
[3241] | 653440| 276|FUNC |GLOB |0 |11 |rpc_auth_ntlmssp_chk
[725] | 581132| 1448|FUNC |LOCL |0 |11 |rpc_auth_pipe
[2856] | 649720| 60|FUNC |GLOB |0 |11 |rpc_auth_verifier_chk
[1622] | 649360| 52|FUNC |GLOB |0 |11 |rpc_hdr_auth_chk
[733] | 590224| 1020|FUNC |LOCL |0 |11 |rpc_send_auth_reply
[1157] | 650848| 264|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_chal
[2669] | 653736| 236|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_chk
[1118] | 650108| 688|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_neg
[2401] | 651744| 1696|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_resp
[1244] | 649812| 164|FUNC |GLOB |0 |11
|smb_io_rpc_auth_verifier
[1591] | 649448| 272|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_auth
[2752] | 649040| 320|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_autha
[2933] | 828576| 12|FUNC |GLOB |0 |11
|unbecome_authenticated_pipe_user
[2635] | 203828| 208|FUNC |GLOB |0 |11 |winbindd_pam_auth
[940] | 204036| 172|FUNC |GLOB |0 |11
|winbindd_pam_chauthtok
and
nm wbinfo|grep auth
Results:
adams{root}20: nm wbinfo|grep auth
[864] | 126880| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[365] | 413492| 132|OBJT |LOCL |0 |22 |nt_authority_users
[56] | 113376| 244|FUNC |LOCL |0 |11 |wbinfo_auth
[57] | 113636| 304|FUNC |LOCL |0 |11 |wbinfo_auth_crap
[60] | 114276| 184|FUNC |LOCL |0 |11 |wbinfo_set_auth_user
and let me know the results, ok?
Also if you can send the config.log and the exact command line you used to
do a configure when
you built samba, that would help as well; you might want to (while I look
at this), do a make clean
rm config.cache, and run configure again - configure --with-pam
--with-winbindd
and see if it doesnt work better for you - maybe you didn't clean out your
config.cache, and it screwed
you up...
Don
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 2:32 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
OK,
Set up log level 10 and recreated the log files. I just ran this:
adams{root}26: ./wbinfo -a JWAD+dantest%password
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
Also, it looks like I'm getting a complete domain listing now from both
domains with wbinfo -u.
I think it might be because I added a wins server address. the command does
keep winbind bussy for a minute of two to list all the users =)
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 1:01 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Thomas,
The message from pdb_smbpasswd.c is saying that it can't find the smbpasswd
file;
this is normal if you are doing domain level authentication, and have not
created/populated
an smbpasswd file - if the domain authentication doesn't work, samba trys to
authenticate
you locally to the smbpasswd file. So this isn't the issue, I believe.
It looks to me as if your win2k dc has disabled support for NTLM v1
challenge response authentication.
Check you domain controller security policy under security settings/local
policies/
security options and see what the value of :
Lan Manager Authentication Level
says....
Also, If you would like, stop winbindd,remove the log.winbindd file,
set your log level in smb.conf to 10, and
start winbind, then do your wbinfo -a... command, and send me the
log.winbindd; perhaps I
can see what is happening from a full debug log.
Thanks,
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 12:29 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Another thing I noticed. I looked at the log file in samba/var and found
the log for my machine was filled with this:
[2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.
Where is the pdb_smbpassd.c file and why would there be a problem opening
it?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 5:24 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1
domain, and the WT1 domain has a trust to the atl-wtec domain NOTE that my
winbind separator is + (as your's appears to be in your smb.conf file):
# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#
NOTE it shows the users in the ATL-WTEC domain as well as my home domain
(this may be because
I have a 2 way trust between the domains); but NOTE also, that the wbinfo
output SHOWS my
users with the "+" separator, which matches what I have in my smb.conf
file
- YOURS DOES NOT:
it shows the separator being used as "\"...
You might try verifying your smb.conf file 'winbind separator' by
running
testparm|grep winbind
and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u
again. Verify that
it is using the "+", and if so, then try your wbinfo -a command again
(with
the + sign)...
That's all I have for now...
don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Below is the beginning of the output which I just pasted into this e-mail.
You'll find the error on the bottom. Also at the bottom is a copy of the
smb.conf file. It this all correct?
Thanks,
-Dan
adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
SMB Conf file:
# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14
# Global parameters
[global]
workgroup = JWAD
netbios name = ADAMS
server string = adams samba
security = DOMAIN
encrypt passwords = Yes
null passwords = Yes
password server = *
log file = /usr/local/samba/var/log.%m
max log size = 50
large readwrite = Yes
load printers = No
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
valid chars = - _
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /apps/users/%U
winbind separator = +
hosts allow = 128.244.11.
strict locking = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[temp]
path = /apps/temp
write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator
jwad+dantest
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
that should work - but I notice that you are using "\" for the
winbindd
separator - some unix'es will swallow this character as an 'escape'
character; for instance on HPUX you can see:
# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext
password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with
challenge/response
NOTE in the above that the response does NOT display the "\" inbetween
the
domain
and the username.
Is this happening to you?
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Found it. I ran the command on both my JHUAPL account and my JWAD test
account and received the same results:
adams{root}19: ./smbclient //adams/temp -UJWAD+dantest
added interface ip=128.244.11.176 bcast=128.244.11.255 nmask=255.255.255.0
Password:
Domain=[JWAD] OS=[Unix] Server=[Samba 2.2.3]
tree connect failed: NT_STATUS_WRONG_PASSWORD
I did it a couple times to make sure I hadn't miss-entered the password and
same result every time. Where do you think I should head from here?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Thursday, February 14, 2002 9:47 AM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Smbclient works on all boxes that I know of - I think you are thinking about
smbfs...
smbclient is just another program in your samba bin directory...
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Thursday, February 14, 2002 9:45 AM
To: 'MCCALL,DON (HP-USA,ex1)'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Oh! OK. I must have missed your other message. Now I thought that the
smbclient only worked on Linux. Can I compile the smbclient on my sun box?
(I think there is a --with option durring the build for that?)
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Thursday, February 14, 2002 9:39 AM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
Did you see my message from last night - I talked to some of the folks on
Samba-Technical, and this is a red herring; the version of SAmba you are
running has this functionality purposefully commented out. I was working on
an older version (about 2 weeks old cvs), where it was still there. Bottom
line is winbindd doesn't do pam_auth_crap anymore, so that wbinfo -a
functionality won't work. To see whether winbindd is actually working for
you, you have to go to a different testing method:
smbclient //servername/sharename -Udomain+user
then give your password. If this works, then youre getting there...
But NO, you don't need pam_winbind.so to do what you are trying to do.
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Thursday, February 14, 2002 9:35 AM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Found the file nsswitch/winbindd_pam.o and there was no instance of
winbindd_pam_auth_crap there. Now do you think I need to install Pam on my
UNIX machine and then recompile with pam support to make this work?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:58 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
No, it SHOULD'nt be necessary.
Can you send me your Makefile?
also do an nm on nsswitch/winbindd_pam.o and grep for auth;
see if winbindd_pam_auth_crap shows up there - thats the module
that actually contains the code..
Thanks,
Don
PS: Samba-Technical; does this ring any bells with anyone?
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:47 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Cc: Wieprecht, Karen M.
Subject: RE: [Samba] Winbind - Why won't you authenticate???
I hadn't tried to use pam for winbind. It was my impression from the
documentation on winbind that although it *can* use pam, it isn't required.
Do you think this is the problem? Should I install PAM on my server and
then recompile samba with --with-pam?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:43 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1);
'samba@lists.samba.org'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
Well, that nails it - take a look at the nm output from my winbindd:
# nm ../bin/winbindd|grep auth
authorise_login | 668456|extern|code |$CODE$
become_authenticated_pipe_user| 679768|extern|code |$CODE$
cli_net_auth2 | 687676|extern|code |$CODE$
init_q_auth_2 | 469520|extern|code |$CODE$
init_rpc_auth_ntlmssp_chal| 505008|extern|code |$CODE$
init_rpc_auth_ntlmssp_chk| 507856|extern|code |$CODE$
init_rpc_auth_ntlmssp_neg| 504188|extern|code |$CODE$
init_rpc_auth_ntlmssp_resp| 505372|extern|code |$CODE$
init_rpc_auth_verifier| 503964|extern|code |$CODE$
init_rpc_hdr_auth | 503592|extern|code |$CODE$
init_rpc_hdr_autha | 503208|extern|code |$CODE$
lp_lanman_auth | 102056|extern|code |$CODE$
net_io_q_auth | 469160|extern|code |$CODE$
net_io_q_auth_2 | 469772|extern|code |$CODE$
net_io_r_auth | 469352|extern|code |$CODE$
net_io_r_auth_2 | 470000|extern|code |$CODE$
new_cli_net_auth2 | 430004|extern|code |$CODE$
rpc_auth_ntlmssp_chk| 507596|extern|code |$CODE$
rpc_auth_pipe | 436536|static|entry |$CODE$
rpc_auth_verifier_chk| 503896|extern|code |$CODE$
rpc_hdr_auth_chk | 503560|extern|code |$CODE$
rpc_send_auth_reply | 444416|static|entry |$CODE$
smb_io_rpc_auth_ntlmssp_chal| 505084|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_chk| 507876|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_neg| 504328|extern|code |$CODE$
smb_io_rpc_auth_ntlmssp_resp| 506012|extern|code |$CODE$
smb_io_rpc_auth_verifier| 504012|extern|code |$CODE$
smb_io_rpc_hdr_auth | 503620|extern|code |$CODE$
smb_io_rpc_hdr_autha| 503256|extern|code |$CODE$
unbecome_authenticated_pipe_user| 679852|extern|code |$CODE$
winbindd_pam_auth | 56056|extern|entry |
winbindd_pam_auth | 56056|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|code |$CODE$
winbindd_pam_auth_crap| 56252|extern|entry |
winbindd_pam_chauthtok| 56744|extern|entry |
winbindd_pam_chauthtok| 56744|extern|code |$CODE$
#
^^^^^^^^^^^^^^^^specifically that I DO have entries not only for
winbindd_pam_auth,
but also for winbindd_pam_auth_crap - which you are missing, and therefore
when
wbinfo requests this function, winbindd fails when looking up the pointer to
the
function (null)...
I have NO immediate idea why this might be. As I said, I would recommend
doing a make clean, removing config.cache, and re-running configure
--with-winbind --with-pam
and doing a make again.
I don't have a sun system to try this on presently...
Let me know,
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 4:33 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Don,
I've inserted my results inline below. Also, this isn't really
pertinent to
your previous message, but I thought you might want to know that our JWAD
server are all Windows NT 4.0 SP6a, and only the workstations are Windows
2K. The bigger domain, JHUAPL, is also a Windows NT domain, but will soon
be migrated to a Windows 2000 domain. That may be something I need to keep
in mind for the future, however this case we are working on is a test
subject for me so I can apply this concept on our other private LAN which I
have full control over and is currently Windows NT with no plans on going to
Win2k domain at the present. This domain also has Win2k Pro workstations
though.
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 4:16 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Thomas,
this would be your issue, I'm guessing:
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(378)
process_request: unknown request fn number 12
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(531)
client_write: wrote 1300 bytes.
[2002/02/13 14:21:05, 10] nsswitch/winbindd.c:(483)
client_read: read 0 bytes. Need 1044 more for a full request.
[2002/02/13 14:21:05, 5] nsswitch/winbindd.c:(490)
read failed on sock 12, pid 1623: EOF
WHAT SHOULD BE HAPPENING here is the following:
[2002/02/13 11:34:46, 10] nsswitch/winbindd.c:(369)
process_request: request fn AUTH_CRAP
[2002/02/13 11:34:46, 3] nsswitch/winbindd_pam.c:(92)
[25106]: pam auth crap wt1/administrator
(of course, with YOUR domain and username specified instead
of mine (wt1/administrator).
What is highly unusual is that process_request is reporting an unknown
request for fn 12 (which is what AUTH_CRAP ie WINBINDD_PAM_AUTH_CRAP
evaluates to). it SHOULD have found this function in the dispatch_table...
SOOOOO - what's going on?
It LOOKS like the pointer to the winbindd_pam_auth_crap routine is null!
if you have 'nm' on your system,
do and
nm winbindd|grep auth
Results:
adams{root}19: nm winbindd|grep auth
[2940] | 815960| 2476|FUNC |GLOB |0 |11 |authorise_login
[2803] | 828500| 60|FUNC |GLOB |0 |11
|become_authenticated_pipe_user
[2517] | 836548| 728|FUNC |GLOB |0 |11 |cli_net_auth2
[1415] | 614724| 268|FUNC |GLOB |0 |11 |init_q_auth_2
[2753] | 650796| 52|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_chal
[1889] | 653716| 20|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_chk
[2667] | 649992| 100|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_neg
[1673] | 651128| 616|FUNC |GLOB |0 |11
|init_rpc_auth_ntlmssp_resp
[2697] | 649780| 32|FUNC |GLOB |0 |11
|init_rpc_auth_verifier
[1725] | 649412| 36|FUNC |GLOB |0 |11 |init_rpc_hdr_auth
[1386] | 648956| 84|FUNC |GLOB |0 |11 |init_rpc_hdr_autha
[1706] | 250824| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[3278] | 614372| 184|FUNC |GLOB |0 |11 |net_io_q_auth
[1154] | 614992| 216|FUNC |GLOB |0 |11 |net_io_q_auth_2
[1379] | 614556| 168|FUNC |GLOB |0 |11 |net_io_r_auth
[1352] | 615208| 200|FUNC |GLOB |0 |11 |net_io_r_auth_2
[1607] | 575180| 532|FUNC |GLOB |0 |11 |new_cli_net_auth2
[462] | 955456| 132|OBJT |LOCL |0 |22 |nt_authority_users
[3241] | 653440| 276|FUNC |GLOB |0 |11 |rpc_auth_ntlmssp_chk
[725] | 581132| 1448|FUNC |LOCL |0 |11 |rpc_auth_pipe
[2856] | 649720| 60|FUNC |GLOB |0 |11 |rpc_auth_verifier_chk
[1622] | 649360| 52|FUNC |GLOB |0 |11 |rpc_hdr_auth_chk
[733] | 590224| 1020|FUNC |LOCL |0 |11 |rpc_send_auth_reply
[1157] | 650848| 264|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_chal
[2669] | 653736| 236|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_chk
[1118] | 650108| 688|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_neg
[2401] | 651744| 1696|FUNC |GLOB |0 |11
|smb_io_rpc_auth_ntlmssp_resp
[1244] | 649812| 164|FUNC |GLOB |0 |11
|smb_io_rpc_auth_verifier
[1591] | 649448| 272|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_auth
[2752] | 649040| 320|FUNC |GLOB |0 |11 |smb_io_rpc_hdr_autha
[2933] | 828576| 12|FUNC |GLOB |0 |11
|unbecome_authenticated_pipe_user
[2635] | 203828| 208|FUNC |GLOB |0 |11 |winbindd_pam_auth
[940] | 204036| 172|FUNC |GLOB |0 |11
|winbindd_pam_chauthtok
and
nm wbinfo|grep auth
Results:
adams{root}20: nm wbinfo|grep auth
[864] | 126880| 12|FUNC |GLOB |0 |11 |lp_lanman_auth
[365] | 413492| 132|OBJT |LOCL |0 |22 |nt_authority_users
[56] | 113376| 244|FUNC |LOCL |0 |11 |wbinfo_auth
[57] | 113636| 304|FUNC |LOCL |0 |11 |wbinfo_auth_crap
[60] | 114276| 184|FUNC |LOCL |0 |11 |wbinfo_set_auth_user
and let me know the results, ok?
Also if you can send the config.log and the exact command line you used to
do a configure when
you built samba, that would help as well; you might want to (while I look
at this), do a make clean
rm config.cache, and run configure again - configure --with-pam
--with-winbindd
and see if it doesnt work better for you - maybe you didn't clean out your
config.cache, and it screwed
you up...
Don
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 2:32 PM
To: 'MCCALL,DON (HP-USA,ex1)'
Subject: RE: [Samba] Winbind - Why won't you authenticate???
OK,
Set up log level 10 and recreated the log files. I just ran this:
adams{root}26: ./wbinfo -a JWAD+dantest%password
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
Also, it looks like I'm getting a complete domain listing now from both
domains with wbinfo -u.
I think it might be because I added a wins server address. the command does
keep winbind bussy for a minute of two to list all the users =)
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, February 13, 2002 1:01 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Thomas,
The message from pdb_smbpasswd.c is saying that it can't find the smbpasswd
file;
this is normal if you are doing domain level authentication, and have not
created/populated
an smbpasswd file - if the domain authentication doesn't work, samba trys to
authenticate
you locally to the smbpasswd file. So this isn't the issue, I believe.
It looks to me as if your win2k dc has disabled support for NTLM v1
challenge response authentication.
Check you domain controller security policy under security settings/local
policies/
security options and see what the value of :
Lan Manager Authentication Level
says....
Also, If you would like, stop winbindd,remove the log.winbindd file,
set your log level in smb.conf to 10, and
start winbind, then do your wbinfo -a... command, and send me the
log.winbindd; perhaps I
can see what is happening from a full debug log.
Thanks,
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Wednesday, February 13, 2002 12:29 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Another thing I noticed. I looked at the log file in samba/var and found
the log for my machine was filled with this:
[2002/02/13 12:23:19, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.
Where is the pdb_smbpassd.c file and why would there be a problem opening
it?
-Dan
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 5:24 PM
To: 'Thomas, Daniel J.'; MCCALL,DON (HP-USA,ex1); Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
I see a couple of things that are suspicious.
Take a look at my output, from a winbindd system that is a member of the WT1
domain, and the WT1 domain has a trust to the atl-wtec domain NOTE that my
winbind separator is + (as your's appears to be in your smb.conf file):
# ./wbinfo -u
ATL-WTEC+Administrator
ATL-WTEC+atlwtec1
ATL-WTEC+ddmc
ATL-WTEC+Guest
ATL-WTEC+IUSR_ALBERTE
WT1+Administrator
WT1+ddmc
WT1+Guest
WT1+IUSR_CERES
WT1+IWAM_CERES
WT1+krbtgt
WT1+test
WT1+test1
WT1+test2
WT1+test3
WT1+test4
WT1+test5
# ./wbinfo -m
ATL-WTEC
#
NOTE it shows the users in the ATL-WTEC domain as well as my home domain
(this may be because
I have a 2 way trust between the domains); but NOTE also, that the wbinfo
output SHOWS my
users with the "+" separator, which matches what I have in my smb.conf
file
- YOURS DOES NOT:
it shows the separator being used as "\"...
You might try verifying your smb.conf file 'winbind separator' by
running
testparm|grep winbind
and if it DOES say +, then stop winbindd, restart it, and do your wbinfo -u
again. Verify that
it is using the "+", and if so, then try your wbinfo -a command again
(with
the + sign)...
That's all I have for now...
don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 5:03 PM
To: 'MCCALL,DON (HP-USA,ex1)'; Thomas, Daniel J.; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Below is the beginning of the output which I just pasted into this e-mail.
You'll find the error on the bottom. Also at the bottom is a copy of the
smb.conf file. It this all correct?
Thanks,
-Dan
adams{root}5: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}6: ./wbinfo -u
adams{root}11: ./wbinfo
Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm | -aA user%pas
-u lists all domain users
-g lists all domain groups
-h name converts NetBIOS hostname to IP
-i ip converts IP address to NetBIOS name
-n name converts name to sid
-s sid converts sid to name
-U uid converts uid to sid
-G gid converts gid to sid
-S sid converts sid to uid
-Y sid converts sid to gid
-t check shared secret
-m list trusted domains
-r user get user groups
-a user%password authenticate user
-A user%password store session setup auth password
adams{root}12: ./wbinfo -u
JWAD\Administrator
JWAD\dantest
JWAD\Guest
JWAD\guestuser
JWAD\Nelsojb1
JWAD\repladmin
JWAD\shaffjl1
JWAD\SMS&_JWAD-DC1
JWAD\SMSCliToknAcct&
JWAD\SQLAgentCmdExec
JWAD\SQLExecutiveCmdExec
JWAD\SQLServerService
JWAD\vashodp1
JWAD\Volga
JWAD\WestRL1
adams{root}13: ./wbinfo -g
JWAD\Domain Admins
JWAD\Domain Guests
JWAD\Domain Users
JWAD\MTS Trusted Impersonators
JWAD\SMSInternalCliGrp
adams{root}14: ./wbinfo -m
JHUAPL
adams{root}15: ./wbinfo -a JWAD+dantest%password
plaintext password authentication failed
Could not authenticate user JWAD+dantest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user JWAD+dantest%password with challenge/response
SMB Conf file:
# Samba config file created using SWAT
# from thomaDJ1.jhuapl.edu (128.244.11.37)
# Date: 2002/02/12 16:11:14
# Global parameters
[global]
workgroup = JWAD
netbios name = ADAMS
server string = adams samba
security = DOMAIN
encrypt passwords = Yes
null passwords = Yes
password server = *
log file = /usr/local/samba/var/log.%m
max log size = 50
large readwrite = Yes
load printers = No
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
valid chars = - _
winbind uid = 10000-20000
winbind gid = 10000-20000
template homedir = /apps/users/%U
winbind separator = +
hosts allow = 128.244.11.
strict locking = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[temp]
path = /apps/temp
write list = jhuapl+wieprkm1 jhuapl+thomadj1 jwad+administrator
jwad+dantest
-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Tuesday, February 12, 2002 3:32 PM
To: 'Thomas, Daniel J.'; Samba (E-mail)
Subject: RE: [Samba] Winbind - Why won't you authenticate???
Hi Daniel,
that should work - but I notice that you are using "\" for the
winbindd
separator - some unix'es will swallow this character as an 'escape'
character; for instance on HPUX you can see:
# ./wbinfo -a atl-wtec\atlwtec1%atlwtec1
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with plaintext
password
Could not authenticate user atl-wtecatlwtec1%atlwtec1 with
challenge/response
NOTE in the above that the response does NOT display the "\" inbetween
the
domain
and the username.
Is this happening to you?
Don
-----Original Message-----
From: Thomas, Daniel J. [mailto:Daniel.Thomas@jhuapl.edu]
Sent: Tuesday, February 12, 2002 3:09 PM
To: Samba (E-mail)
Subject: [Samba] Winbind - Why won't you authenticate???
Well, I managed to get Samba 2.2.3 up and running on our Solaris 8 machine.
I installed with the winbind option and everything went though just find.
I was able to join the NT domain and now I can do a wbinfo -u "and get a
domain user list as well as a "wbinfo -g and get a group list. For some
reason though, the authentication isn't working.
I tried to "wbinfo -a" and used a number of possible names. The samba
server is on an NT domain called "jwad" and it has a trust
relationship with
"jhuapl". My user account is on jhuapl, and I want to get
authenticated.
When I try the wbinfo -a jhuapl\thomadj1%PASSWORD it returns fail signals on
both clear text and challange/reponse methods. From what I see though, it
doesn't even appear to be trying to talk to the domain controller, because
the Reponses are given way to quick for any real network activity to have
taken place.
Please lend some advice if you have any. I can probably get sample output
if needed.
-Dan
Daniel J. Thomas
Systems Administrator
Johns Hopkins University
Applied Physics Laboratory
Laurel, MD
Balt: (443) 778-7924
Wash: (240) 228-7924
"Always avoid a bad file copy...
You can never know when your replication proceeds you."
-Anonymous Author
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Maybe Matching Threads
- Sharing to domain users?
- Memory leak in winbindd
- Samba Team? - "ld.so.1: ls: fatal: relocation error: file /usr/lib/nss_winbind.so.1: symbol socket: referenced symbol not fou n d"
- Samba Team? - "ld.so.1: ls: fatal: relocation error: file /usr/lib/nss_winbind.so.1: symbol socket: referenced symbol not foun d"
- Winbind on HPUX 11, some small progress