Hi!

I'm trying to use Winbind to authenticate users through a NT 4.0 Terminal Server (EINFANTIL) acting as the PDC of the domain RED_EINFANTIL.

That's my smb.conf

[global]
    winbind separator = +
    winbind cache time = 10
    template shell = /bin/bash
    template homedir = /home/%U
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    workgroup = RED_EINFANTIL
    security = domain
    winbind used default domain = yes
    password server = *
    log level = 0
    encrypt passwords = yes

I join my linux box to the Domain with:

nc0:~# net join -S EINFANTIL -U Administrator
[2003/08/14 11:17:11, 1] param/loadparm.c:lp_do_parameter(3114)
  WARNING: The "winbind uid" option is deprecated
[2003/08/14 11:17:11, 1] param/loadparm.c:lp_do_parameter(3114)
  WARNING: The "winbind gid" option is deprecated
[2003/08/14 11:17:11, 0] param/loadparm.c:map_parameter(2388)
  Unknown parameter encountered: "winbind used default domain"
[2003/08/14 11:17:11, 0] param/loadparm.c:lp_do_parameter(3108)
  Ignoring unknown parameter "winbind used default domain"
Administrator password:
Joined domain RED_EINFANTIL.

Winbind sees users and groups:

nc0:~# wbinfo -u
RED_EINFANTIL+Administrator
RED_EINFANTIL+Guest
RED_EINFANTIL+IUSR_EINFANTIL
RED_EINFANTIL+IWAM_EINFANTIL
RED_EINFANTIL+NSM_NFSROOT
RED_EINFANTIL+NSMNFS_User
RED_EINFANTIL+usuario

nc0:~# wbinfo -g
RED_EINFANTIL+Domain Admins
RED_EINFANTIL+Domain Guests
RED_EINFANTIL+Domain Users

but...

nc0:~# wbinfo -t
Secret is bad
0xc00000e5

I see my linux box added in the Server Manager tool from the NT 4, but when I try to log in (I use pam_winbind.so) with the existent Domain user RED_EINFANTIL+usuario...

nc0:~# winbindd -i
Unknown parameter encountered: "winbind used default domain"
Ignoring unknown parameter "winbind used default domain"
load_client_codepage: filename /usr/share/samba/codepages/codepage.850 does not exist.
load_unicode_map: filename /usr/share/samba/codepages/unicode_map.850 does not exist.
load_unicode_map: filename /usr/share/samba/codepages/unicode_map.ISO8859-1 does not exist.
domain_client_validate: could not fetch trust account password for domain RED_EINFANTIL

I have deleted so many times the workstation from the Server Manager and the file secrets.tdb I don't remember.

If I debug SAMBA ->

nc0:~# net join -S EINFANTIL -U Administrator
[2003/08/14 11:35:05, 1] param/loadparm.c:lp_do_parameter(3114)
  WARNING: The "winbind uid" option is deprecated
[2003/08/14 11:35:05, 1] param/loadparm.c:lp_do_parameter(3114)
  WARNING: The "winbind gid" option is deprecated
[2003/08/14 11:35:05, 0] param/loadparm.c:map_parameter(2388)
  Unknown parameter encountered: "winbind used default domain"
[2003/08/14 11:35:05, 0] param/loadparm.c:lp_do_parameter(3108)
  Ignoring unknown parameter "winbind used default domain"
[2003/08/14 11:35:06, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.1.69 bcast=192.168.1.255 nmask=255.255.255.0
Administrator password:
[2003/08/14 11:35:11, 1] utils/net_ads.c:ads_startup(176)
  ads_connect: El otro extremo de la conexión no está conectado
[2003/08/14 11:35:11, 3] libsmb/cliconnect.c:cli_full_connection(1265)
  Connecting to host=EINFANTIL share=IPC$
[2003/08/14 11:35:11, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 445
[2003/08/14 11:35:12, 2] lib/util_sock.c:open_socket_out(705)
  error connecting to 192.168.1.100:445 (Conexión rehusada)
[2003/08/14 11:35:12, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 139
[2003/08/14 11:35:12, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(283)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2003/08/14 11:35:12, 3] libsmb/trusts_util.c:just_change_the_password(44)
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2003/08/14 11:35:12, 1] utils/net_rpc.c:run_rpc_command(154)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2003/08/14 11:35:12, 3] libsmb/cliconnect.c:cli_full_connection(1265)
  Connecting to host=EINFANTIL share=IPC$
[2003/08/14 11:35:12, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 445
[2003/08/14 11:35:12, 2] lib/util_sock.c:open_socket_out(705)
  error connecting to 192.168.1.100:445 (Conexión rehusada)
[2003/08/14 11:35:12, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 139
[2003/08/14 11:35:13, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(186)
  lsa_io_sec_qos: length c does not match size 8
[2003/08/14 11:35:13, 3] libsmb/cliconnect.c:cli_full_connection(1265)
  Connecting to host=EINFANTIL share=IPC$
[2003/08/14 11:35:13, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 445
[2003/08/14 11:35:13, 2] lib/util_sock.c:open_socket_out(705)
  error connecting to 192.168.1.100:445 (Conexión rehusada)
[2003/08/14 11:35:13, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 139
Joined domain RED_EINFANTIL.
[2003/08/14 11:35:13, 2] utils/net.c:main(668)
  return code = 0

And....

[ 380]: getpwnam RED_EINFANTIL+usuario
CACHESEQ RED_EINFANTIL/USR/usuario is 4294967295
resolve_lmhosts: Attempting lmhosts lookup for name RED_EINFANTIL<0x1c>
resolve_wins: Attempting wins lookup for name RED_EINFANTIL<0x1c>
resolve_wins: WINS server resolution selected and no WINS servers listed.
name_resolve_bcast: Attempting broadcast lookup for name RED_EINFANTIL<0x1c>
bind succeeded on port 0
Got a positive name query response from 192.168.1.100 ( 192.168.1.100 )
bind succeeded on port 0
resolve_lmhosts: Attempting lmhosts lookup for name EINFANTIL<0x20>
resolve_hosts: Attempting host lookup for name EINFANTIL<0x20>
resolve_wins: Attempting wins lookup for name EINFANTIL<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
name_resolve_bcast: Attempting broadcast lookup for name EINFANTIL<0x20>
bind succeeded on port 0
Got a positive name query response from 192.168.1.100 ( 192.168.1.100 )
IPC$ connections done anonymously
Connecting to 192.168.1.100 at port 445
error connecting to 192.168.1.100:445 (Connection refused)
Connecting to 192.168.1.100 at port 139
seq 4294967295 for RED_EINFANTIL has expired (not == 147)
CACHESEQ RED_EINFANTIL/SID/RED_EINFANTIL\usuario is 4294967295
cached sequence number for RED_EINFANTIL is 147
seq 4294967295 for RED_EINFANTIL has expired (not == 147)
cached sequence number for RED_EINFANTIL is 147
cached sequence number for RED_EINFANTIL is 147
cached sequence number for RED_EINFANTIL is 147
[ 380]: pam auth RED_EINFANTIL+usuario
domain_client_validate: User passwords not in encrypted format.
domain_client_validate: could not fetch trust account password for domain RED_EINFANTIL
[ 380]: getpwnam RED_EINFANTIL+usuario
CACHESEQ RED_EINFANTIL/USR/usuario is 147
cached sequence number for RED_EINFANTIL is 147
[ 380]: getpwnam RED_EINFANTIL+usuario
CACHESEQ RED_EINFANTIL/USR/usuario is 147
cached sequence number for RED_EINFANTIL is 147
[ 380]: getpwnam RED_EINFANTIL+usuario
CACHESEQ RED_EINFANTIL/USR/usuario is 147
cached sequence number for RED_EINFANTIL is 147

I think my linux box doesn't save the password from the negotiation? I don't know, but it regenerates secrets.tdb every time I join to the domain.

In the event viewer from the NT, every time I try to join the domain appears the 5723 event and every time I try to rejoin appears the 5722 event.

Help, please!

--
Andrés Gómez García
Ingeniero en Informática
Telf: +34 981 91 39 91
Fax: +34 981 91 39 49
mailto:agomez@igalia.com
IGALIA, S.L.
http://www.igalia.com
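
Added example, not part of the original post: a small Python triage pass over Samba debug output like the logs quoted above. It groups each bracketed header with its message and pulls out unknown or deprecated smb.conf parameters and NT_STATUS codes. The KNOWN_PARAMS list is a hand-picked subset assumed here only to suggest a near match for a misspelled parameter name; the sample lines are excerpted from the post.

```python
import difflib
import re

# Header of a Samba debug entry: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+)$")
UNKNOWN = re.compile(r'Unknown parameter encountered: "([^"]+)"')
DEPRECATED = re.compile(r'The "([^"]+)" option is deprecated')
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")

# Assumption: a small hand-picked subset of smb.conf names, used only for typo hints.
KNOWN_PARAMS = ["winbind use default domain", "winbind separator",
                "winbind cache time", "winbind enum users", "winbind enum groups"]

# Excerpt of the log lines quoted in the post, one message per header.
SAMPLE = """\
[2003/08/14 11:35:05, 1] param/loadparm.c:lp_do_parameter(3114)
  WARNING: The "winbind uid" option is deprecated
[2003/08/14 11:35:05, 0] param/loadparm.c:map_parameter(2388)
  Unknown parameter encountered: "winbind used default domain"
[2003/08/14 11:35:12, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(283)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2003/08/14 11:35:12, 1] utils/net_rpc.c:run_rpc_command(154)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
"""

def parse_entries(text):
    """Group continuation lines under the header that precedes them."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({"time": m[1], "level": int(m[2]), "src": m[3], "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def triage(entries):
    """Collect config problems and NT status codes, with where each was logged."""
    report = {"unknown": {}, "deprecated": set(), "nt_status": {}}
    for e in entries:
        for name in UNKNOWN.findall(e["msg"]):
            hint = difflib.get_close_matches(name, KNOWN_PARAMS, n=1, cutoff=0.8)
            report["unknown"][name] = hint[0] if hint else None
        report["deprecated"].update(DEPRECATED.findall(e["msg"]))
        for code in NT_STATUS.findall(e["msg"]):
            report["nt_status"].setdefault(code, []).append(e["src"])
    return report

if __name__ == "__main__":
    print(triage(parse_entries(SAMPLE)))
```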