I have my Mandrake 9.2 box running as a domain member for a W2K AD
domain. This is a new problem or I'm missing something really obvious.
Possible bug?
Setup:
Samba Server 3.0.1 = ANC-GENTOO
Windows Domain = LABOR
windows xp client = ANC-07-14927xp
tim = Windows Active Directory Domain Acccount
Getting this "check_winbind_security" error when trying to connect to
Samba vai windows client (xp):
**************************************************************
[2003/12/19 21:43:24, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[ANC-GENTOO]\[tim]@[ANC-07-14927XP] with the new password interface
[2003/12/19 21:43:24, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is:
[ANC-GENTOO]\[tim]@[ANC-07-14927XP]
[2003/12/19 21:43:24, 3] auth/auth_winbind.c:check_winbind_security(79)
check_winbind_security: Not using winbind, requested domain was for
this SAM.
[2003/12/19 21:43:24, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [tim] -> [tim] FAILED
with error NT_STATUS_NO_SUCH_US ER
[2003/12/19 21:43:25, 3] smbd/process.c:timeout_processing(1104)
timeout_processing: End of file from client (client has disconnected).
**************************************************************
1. winbind is working:
# wbinfo -u | grep tim
tim
# getent group | grep "Domain Admins"
Domain Admins:x:10003:tim, Administrator, etc..., ....,....,...,..
2. I noticed that when trying to connect to my Samba shares the username
and password comes back as:
username: ANC-Gentoo\tim
It should read:
username: LABOR\tim
3. I took it out of the domain and then rejoined the domain:
net ads join -U tim%password
Using short domain name -- LABOR
Joined 'ANC-GENTOO' to realm 'LABOR.AK'
4. klist -e
12/19/03 22:45:54 12/20/03 03:58:16 anc-07-14927xp$@LABOR.AK
Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with
RSA-MD5
Now when trying to connect to Samba from XP workstation:
****************************************************************
[2003/12/19 22:47:44, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[LABOR]\[tim]@[ANC-07-14927XP] with the new password interface
[2003/12/19 22:47:44, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [LABOR]\[tim]@[ANC-07-14927XP]
[2003/12/19 22:47:44, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/19 22:47:44, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/19 22:47:44, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/19 22:47:44, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/19 22:47:44, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [tim] -> [tim] FAILED
with error NT_STATUS_NO_SUCH_USER
[2003/12/19 22:47:44, 3] smbd/process.c:timeout_processing(1104)
timeout_processing: End of file from client (client has disconnected).
******************************************************************
I noticed the domain field changed to properly read LABOR\tim. Problem
is Samba still cant find my domain account!
My brain is melting so I'm taking a break...here are my .config files
Tim
smb.conf:
[global]
workgroup = LABOR
realm = LABOR.AK
server string = Samba Server %v
printcap name = cups
load printers = yes
printing = cups
printer admin = @"Domain Admins"
log file = /usr/local/samba/var/log.%m
max log size = 100
log level = 10
security = ads
password server = ipaddress of pdc
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
#winbind use default domain = yes
allow trusted domains = no
auth methods = winbind
template homedir = /home/%D/%U
obey pam restrictions = yes
template shell = /bin/bash
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
os level = 0
domain master = no
preferred master = no
domain logons = no
add user script = /usr/sbin/useradd -s /bin/false '%u'
idmap uid = 10000-20000
idmap gid = 10000-20000
name resolve order = wins lmhosts bcast
wins server = ipaddress of winsserver
dns proxy = no
