Ingmar Koecher
2002-Jun-03 15:54 UTC
[Samba] Winbind + machine account + non-anonymous access (RestrictAnonymous)
Hi everybody,

my (our) goal here is to set up a samba server in a NT domain (and eventually in a Win2k domain - but for now I just want to test it on NT) and have it act like a member server - meaning that I don't use the local user database but instead assign permissions of shares to domain users and groups.

To avoid having to administer both users in the NT domain and on the samba server(s) I have to use winbindd - I guess I am correct on this one. The samba processes are up and running but there is not much configured yet except for the most basic info like domain name and such.

Now the problem is that "wbinfo -t" tells me that the machine account is bad and I also can't query the domain controller when "RestrictAnonymous" is in place.

This is what I did:

The contents of smb.conf:

    workgroup = OURDOMAIN
    server string
    security = DOMAIN
    encrypt passwords = Yes
    password server = thepdc
    log level = 4
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind separator = +
    winbind use default domain = Yes

Created a server/workstation account in the NT domain

Joined the NT domain with "smbpasswd -j OURDOMAIN -r thepdc" - OK.

Then I start "winbindd -d 10 -i" in a terminal window

Then I issue "wbinfo -u" and voila, all the users are being listed.

Then I issue "wbinfo -t" and it says:

--
Secret is bad
0xc00000e5
--

The output of winbindd says:

--
accepted socket 13
client_read: read 1304 bytes. Need 0 more for a full request.
process_request: request fn CHECK_MACHACC
[ 3114]: check machine account
client_write: wrote 1300 bytes.
read failed on sock 13, pid 3114: EOF
--

I really don't understand that since it joined the domain successfully and since it shows up ok in server manager.

Well, then I set "RestrictAnonymous" to "1" (before it was set to 0) and reboot the NT PDC. From that point on I can't query the users anymore with "wbinfo -u".

The output of winbindd is:

--
[ 3165]: list users
IPC$ connections done anonymously
Connecting to host=THEPDC share=IPC$
resolve_lmhosts: Attempting lmhosts lookup for name THEPDC<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/lib/lmhosts. Error was No such file or directory
resolve_hosts: Attempting host lookup for name THEPDC<0x20>
Connecting to 10.8.220.133 at port 445
error connecting to 10.8.220.133:445 (Connection refused)
Connecting to 10.8.220.133 at port 139
--

(I added the lmhosts file in the meantime but it doesn't improve the situation)

Now does winbindd even support non-anonymous connections? I recall somebody telling me that this can be done ...? How can I configure it to do so?

Why is the secret bad? :(

Thanks for any help,

Ingmar.