kenneth.westelinck@pandora.be
2003-May-08 08:54 UTC
[Samba] wbinfo -u is returning 0xc0000022
Hi all,

I have a samba 2.2.8a install running on a debian woody. The samba is working fine and I am able to map shared drives. I want to use a Primary Domain Controller to authenticate users. I have included the necessary options in smb.conf,

# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# use uids from 10000 to 20000 for domain users
winbind uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
winbind gid = 10000-20000
# allow enumeration of winbind users and groups
# might need to disable these next two for performance
# reasons on the winbindd host
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet/sshd/etc... access)
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
# don't trust other domains that are trusted
# by the PDC
allow trusted domains = no

added the necessary stuff to /etc/pam.d/ssh,

#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_winbind.so debug
auth required pam_unix.so use_first_pass shadow
auth required pam_env.so # [1]

account sufficient pam_winbind.so debug
account required pam_unix.so use_first_pass

session required pam_unix.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so

password required pam_unix.so

joined the domain and started smbd, nmbd and winbindd. When I execute wbinfo -u I get 0xc0000022. I googled around for this error, but didn't find a decent explanation. When I execute wbinfo -t, it claims the secret is good. If you want the debug info returned by winbindd I can provide this as well.

Many thanks in advance.

regards,

Kenneth
I've never used debian before but with RH 9.0 your config looks OK. I have a couple linux servers running pretty well. I tried your config with RH7.3 and got the same errors. I know there are some libraries that the later versions of samba depend on to make all that stuff work integrating with a domain. I think one of the libraries is 'libacl'. I'll let you know if I find anything...

If you configure pam_smb_auth.so you should be able to authenticate this way.
In my system-auth file I have added:

auth sufficient pam_winbind.so use_first_pass
auth sufficient pam_smb_auth.so use_first_pass
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

in my smb.conf (important to the subject here)

security = DOMAIN
add user script = /usr/sbin/adduser -d /home/%D/%U %u

nsswitch.conf (need this for winbind)

passwd: files winbind
shadow: files winbind
group: files winbind

This will get samba to automatically create a user in your passwd file. I have the winbind stuff too but doesn't work for RH73. However with RH9 users can connect remotely or log in locally it will auto create their home dir with skel profile.

Hope this helps a little :-)

Craig Herring
kenneth.westelinck@pandora.be
2003-May-09 06:00 UTC
[Samba] wbinfo -u is returning 0xc0000022
Thanks for your reply. Someone suggested me to do wbinfo -A administrator%<password> which solved the problem. I found the same solution when googling for "wbinfo --sequence" + DISCONNECTED, which brought me to this page:
http://www.faqchest.com/linux/samba-l/smb-03/smb-0302/smb-030220/smb03021902_03106.html
I think this username and password need to be set to access the IPC$ share.

Now the user is never created in the local passwd file (it's taken from the PDC), but is able to login and receive a home directory (with pam_mkhomedir), which is what I wanted.

Thanks for your help.
Cool! ... That helps...

I tried installing libacl and libattr from RH9 < works - no failed deps. Then I did the whole wbinfo --sequence thing and finally it worked after I cleaned out the winbind stuff.

Thanks for the link! Now on to dfs to integrate with a win2k domain for eventual migration :-)

Craig Herring
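Added example, not part of the thread: a small Python reader for the /etc/pam.d/ssh stack posted in the first message. For each stack where pam_winbind.so is `sufficient`, it reports which modules still run before it and which are skipped once it succeeds. The function names are hypothetical, and only simple control keywords (not bracketed `[...]` controls) are handled.

```python
# Added example: not code from the thread. Function names are hypothetical.

# Constructed sample: the /etc/pam.d/ssh stack quoted in the first message.
SSH_STACK = """\
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_winbind.so debug
auth required pam_unix.so use_first_pass shadow
auth required pam_env.so # [1]
account sufficient pam_winbind.so debug
account required pam_unix.so use_first_pass
session required pam_unix.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
password required pam_unix.so
"""

def parse_stack(text):
    """Return {type: [(control, module, [args])]} in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 3:
            continue
        mtype, control, module, *args = fields
        stacks.setdefault(mtype, []).append((control, module, args))
    return stacks

def domain_user_path(stacks, module="pam_winbind.so"):
    """For each stack where `module` is 'sufficient', list what runs before it
    (still enforced) and what is skipped when it succeeds. A successful
    'sufficient' module ends the stack if no earlier 'required' one failed."""
    report = {}
    for mtype, entries in stacks.items():
        for i, (control, name, _args) in enumerate(entries):
            if name == module and control == "sufficient":
                report[mtype] = {
                    "enforced_before": [m for _c, m, _a in entries[:i]],
                    "skipped_on_success": [m for _c, m, _a in entries[i + 1:]],
                }
                break
    return report

if __name__ == "__main__":
    for mtype, info in domain_user_path(parse_stack(SSH_STACK)).items():
        print(mtype, info)
```

For this stack, pam_nologin.so is still enforced for domain users, while pam_unix.so and pam_env.so in the auth stack do not run for them once pam_winbind.so succeeds.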