I have been unable to configure a Samba server I am testing to enumerate
the users and groups in our local NT domain, but I have been able to
configure it to enumerate the users and groups in our W2K domain. I am
hoping someone has some suggestions for what to try next.
The Samba server is running Linux installed with the XFS RedHat 7.2
installer CD. I get the same results running Samba 2.2.3a and Samba 3.0
alpha 15. I built both versions from source downloaded from samba.org and
configured both with the --with-quotas, --with-acl-support, and
--with-msdfs flags.
The Samba server seems to have joined the domain OK according to "wbinfo
-t":
[root@linafs2 bin]# ./wbinfo -t
Secret is good
[root@linafs2 bin]#
I next set the username and password for lookups and that looks like it
completed OK:
[root@linafs2 bin]# ./wbinfo -a jpjanosi%XXXXXXXX
plaintext password authentication failed
error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
Could not authenticate user jpjanosi%XXXXXXXX with plaintext password
challenge/response password authentication succeeded
error code was NT_STATUS_OK (0x0)
[root@linafs2 bin]#
Now I try to enumerate the users or groups and it fails:
[root@linafs2 bin]# ./wbinfo -u
Error looking up domain users
[root@linafs2 bin]#
Here is the output from winbindd -i -d 3 while running these commands:
[root@linafs2 bin]# ./winbindd -i -d3
INFO: Debug class all level = 10 (pid 17271 from pid 17271)
all: 10/1
tdb: 0/0
printdrivers: 0/0
lanman: 0/0
smb: 0/0
rpc: 0/0
rpc_hdr: 0/0
bdc: 0/0
doing parameter max log size = 0
doing parameter security = domain
doing parameter password server = rchn10dc
doing parameter encrypt passwords = yes
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter wins server = 9.10.244.40
wins_srv_load_list(): Building WINS server list:
9.10.244.40,
1 WINS server listed.
doing parameter dns proxy = no
Processing section "[homes]"
doing parameter comment = Home Directories
doing parameter browseable = no
doing parameter writable = yes
doing parameter nt acl support = yes
Processing section "[dfs]"
doing parameter path = /home/dfsroot
doing parameter msdfs root = yes
pm_process() returned Yes
adding IPC service
adding IPC service
added interface ip=9.10.227.115 bcast=9.10.227.127 nmask=255.255.255.128
fcntl_lock 4 13 0 1 1
fcntl_lock: Lock call successful
added interface ip=9.10.227.115 bcast=9.10.227.127 nmask=255.255.255.128
resolve_lmhosts: Attempting lmhosts lookup for name rchn10dc<0x20>
resolve_wins: Attempting wins lookup for name rchn10dc<0x20>
resolve_wins: WINS server == <9.10.244.40>
bind succeeded on port 0
Got a positive name query response from 9.10.244.40 ( 9.10.227.49 )
bind succeeded on port 0
Returning DC RCHN10DC (9.10.227.49) for domain RCHDNT
resolve_lmhosts: Attempting lmhosts lookup for name RCHN10DC<0x20>
resolve_wins: Attempting wins lookup for name RCHN10DC<0x20>
resolve_wins: WINS server == <9.10.244.40>
bind succeeded on port 0
Got a positive name query response from 9.10.244.40 ( 9.10.227.49 )
IPC$ connections done anonymously
Connecting to 9.10.227.49 at port 445
error connecting to 9.10.227.49:445 (Connection refused)
Connecting to 9.10.227.49 at port 139
Added domain RCHDNT (S-1-5-21-212947539-1368211815-1555891258)
getting trusted domain list
[17272]: check machine account
resolve_lmhosts: Attempting lmhosts lookup for name RCHN10DC<0x20>
resolve_wins: Attempting wins lookup for name RCHN10DC<0x20>
resolve_wins: WINS server == <9.10.244.40>
bind succeeded on port 0
Got a positive name query response from 9.10.244.40 ( 9.10.227.49 )
IPC$ connections done anonymously
Connecting to 9.10.227.49 at port 445
error connecting to 9.10.227.49:445 (Connection refused)
Connecting to 9.10.227.49 at port 139
secret is good
[17273]: pam auth jpjanosi
Plain-text authenticaion for user jpjanosi returned
NT_STATUS_INVALID_PARAMETER (PAM: 4)
[17273]: request misc info
[17273]: request domain name
[17273]: pam auth crap domain: RCHDNT user: jpjanosi
resolve_lmhosts: Attempting lmhosts lookup for name RCHN10DC<0x20>
resolve_wins: Attempting wins lookup for name RCHN10DC<0x20>
resolve_wins: WINS server == <9.10.244.40>
bind succeeded on port 0
Got a positive name query response from 9.10.244.40 ( 9.10.227.49 )
IPC$ connections done anonymously
Connecting to 9.10.227.49 at port 445
error connecting to 9.10.227.49:445 (Connection refused)
Connecting to 9.10.227.49 at port 139
NTLM CRAP authenticaion for user [RCHDNT]\[jpjanosi] returned NT_STATUS_OK
(PAM: 0)
[17274]: list users
resolve_lmhosts: Attempting lmhosts lookup for name rchn10dc<0x20>
resolve_wins: Attempting wins lookup for name rchn10dc<0x20>
resolve_wins: WINS server == <9.10.244.40>
bind succeeded on port 0
Got a positive name query response from 9.10.244.40 ( 9.10.227.49 )
bind succeeded on port 0
Returning DC RCHN10DC (9.10.227.49) for domain RCHDNT
resolve_lmhosts: Attempting lmhosts lookup for name RCHN10DC<0x20>
resolve_wins: Attempting wins lookup for name RCHN10DC<0x20>
resolve_wins: WINS server == <9.10.244.40>
bind succeeded on port 0
Got a positive name query response from 9.10.244.40 ( 9.10.227.49 )
IPC$ connections done anonymously
Connecting to 9.10.227.49 at port 445
error connecting to 9.10.227.49:445 (Connection refused)
Connecting to 9.10.227.49 at port 139
I have a level 10 log and a tcpdump of the traffic between the Samba server
and domain controller, but I don't see anything obviously wrong. I can
provide these if anyone is interested. I do not have access to the domain
controllers for either domain, the only differences I know of between the
domains besides the Windows version is that the NT domain is much larger,
~6000 accounts, compared to the W2k domain, only a few accounts.
Thanks for any suggestions,
John Janosik
IBM Global Services SDC Northeast
Rochester Server Support, AFS/DFS Team
(507)253-6790 t/l: 553-6790
jpjanosi@us.ibm.com
