samba - May 2004 - Domain security, users still asked for login

Hello

I have been having problems with authentication on a suse 9 box with 
samba 3.0.3 installed from rpms.
I have googled till my fingers bled, there is just the question, no 
answer, someone must have been able to solve it out of all the people 
who had the problem?

I joined the domain with net join, this was successful
I can list users/groups, authenticate and check the secret with wbinfo
testparm gives no errors:
Load smb config files from /etc/samba/smb.conf
Processing section "[general]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = MYDOMAIN
        server string = DATASERVER
        security = DOMAIN
        password server = 2k3domaincontroller
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        os level = 33
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = /
        winbind cache time = 10
        admin users = MYDOMAIN/Administrator, domadm
        printer admin = domadm

[general]
        comment = General
        path = /share
        read only = No
        guest ok = Yes


When a user attempts to connect to the server, they are asked for 
authentication, this should not be because it is set to security=domain,
log.winbindd contains lines of
winbindd_create_user: Refusing to create user that already exists 
(%username%) for whichever user tries to connect.
log.smbd has lines of
make_server_info_info3: pdb_init_sam failed!

So it seems that winbind is working ok, im lost about how to fix this 
authentication problem though... please help!
Thank you,

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hamish wrote:

| I have been having problems with authentication on a suse 9 box with
| samba 3.0.3 installed from rpms.
| I have googled till my fingers bled, there is just the question, no
| answer, someone must have been able to solve it out of all the people
| who had the problem?
|
| I joined the domain with net join, this was successful
| I can list users/groups, authenticate and check the secret with wbinfo
| testparm gives no errors:
| Load smb config files from /etc/samba/smb.conf
| Processing section "[general]"
| Loaded services file OK.
| Server role: ROLE_DOMAIN_MEMBER
| Press enter to see a dump of your service definitions
|
| # Global parameters
| [global]
|        workgroup = MYDOMAIN
|        server string = DATASERVER
|        security = DOMAIN
|        password server = 2k3domaincontroller
|        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
|        load printers = No
|        os level = 33
|        preferred master = No
|        local master = No
|        domain master = No
|        dns proxy = No
|        idmap uid = 10000-20000
|        idmap gid = 10000-20000
|        winbind separator = /
|        winbind cache time = 10
|        admin users = MYDOMAIN/Administrator, domadm
|        printer admin = domadm
|
| [general]
|        comment = General
|        path = /share
|        read only = No
|        guest ok = Yes
|
|
| When a user attempts to connect to the server, they are asked for
| authentication, this should not be because it is set to security=domain,
| log.winbindd contains lines of
| winbindd_create_user: Refusing to create user that already exists
| (%username%) for whichever user tries to connect.
| log.smbd has lines of
| make_server_info_info3: pdb_init_sam failed!

Set "winbind enable local accounts = no" and make sure thet
'getent passwd DOMAIN\user' returns information (replacing the
DOMAIN\user with some valid name).





cheers, jerry
- ----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home." ----------- Sting
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAmOwAIR7qMdg1EfYRAiEhAKC+fva3gSxk+RKHJjAmEcFy2rfwoACfe6zt
8MCPuoDKuTvcLYNOwEvnMgE=nmmA
-----END PGP SIGNATURE-----

I just used the rpms from suse, one of them was samba-winbind, so would 
this update the file you are talking of?

Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hamish wrote:
> | Thanks Jerry
> | I have reverted to 3.0.2a and it seems to work fine.
>
> ok, but I would really like to find out why upgrading
> to 3.0.3 broke your configuration?  Did you update
> /lib/*nss_winbind* ?
>
>
>
>
>
> cheers, jerry
> - ----------------------------------------------------------------------
> Hewlett-Packard            ------------------------- http://www.hp.com
> SAMBA Team                 ---------------------- http://www.samba.org
> GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
> "...a hundred billion castaways looking for a home." -----------
Sting
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFAmPphIR7qMdg1EfYRAs5mAJ91ceEOZRovzIDrtRVWrpw5T304YACZAYyK
> ZPnKgAzr7SEnQOKSNrt+UOk> =bBln
> -----END PGP SIGNATURE-----
>
>

Hi Jerry
Thanks for your patience, I have tried installing 3.0.3 again and it has 
once again started to ask for logins. I restarted all the services 
(nmb,smb,winbind) and it continued. After another 5 minutes, i restarted 
the services again, it started accepting connections - I am really sorry 
for the hassle, still trying to figure out what I did wrong!
Some things have been added to smb.conf: here is the working one:

[global]
        unix charset = LOCALE
        workgroup = MYDOMAIN
        realm = MYDOMAIN.MYDOMAIN.MY
        server string = dataserver
        interfaces = 127.0.0.1, eth0
        bind interfaces only = Yes
        security = DOMAIN
        password server = MYPWDSERVER
        local master = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000

[share defs...]

My next step is to move some multi-user (around 15 max users) approach 
database files to the samba server.
Thanks again, and sorry for being a pain!


Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hamish wrote:
> | Thanks Jerry
> | I have reverted to 3.0.2a and it seems to work fine.
>
> ok, but I would really like to find out why upgrading
> to 3.0.3 broke your configuration?  Did you update
> /lib/*nss_winbind* ?
>
>
>
>
>
> cheers, jerry
> - ----------------------------------------------------------------------
> Hewlett-Packard            ------------------------- http://www.hp.com
> SAMBA Team                 ---------------------- http://www.samba.org
> GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
> "...a hundred billion castaways looking for a home." -----------
Sting
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFAmPphIR7qMdg1EfYRAs5mAJ91ceEOZRovzIDrtRVWrpw5T304YACZAYyK
> ZPnKgAzr7SEnQOKSNrt+UOk> =bBln
> -----END PGP SIGNATURE-----
>
>

After installing 3.0.4 on suse, I had the same problem again, I figured 
it out this time! nscd was still running... stop nscd (on suse 
/etc/init.d/nscd stop) and it works fine!
Sorry for the hassle!

Hamish wrote:
> Hi Jerry
> Thanks for your patience, I have tried installing 3.0.3 again and it 
> has once again started to ask for logins. I restarted all the services 
> (nmb,smb,winbind) and it continued. After another 5 minutes, i 
> restarted the services again, it started accepting connections - I am 
> really sorry for the hassle, still trying to figure out what I did wrong!
> Some things have been added to smb.conf: here is the working one:
>
> [global]
>        unix charset = LOCALE
>        workgroup = MYDOMAIN
>        realm = MYDOMAIN.MYDOMAIN.MY
>        server string = dataserver
>        interfaces = 127.0.0.1, eth0
>        bind interfaces only = Yes
>        security = DOMAIN
>        password server = MYPWDSERVER
>        local master = No
>        idmap uid = 10000-20000
>        idmap gid = 10000-20000
>
> [share defs...]
>
> My next step is to move some multi-user (around 15 max users) approach 
> database files to the samba server.
> Thanks again, and sorry for being a pain!
>
>
> Gerald (Jerry) Carter wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hamish wrote:
>> | Thanks Jerry
>> | I have reverted to 3.0.2a and it seems to work fine.
>>
>> ok, but I would really like to find out why upgrading
>> to 3.0.3 broke your configuration?  Did you update
>> /lib/*nss_winbind* ?
>>
>>
>>
>>
>>
>> cheers, jerry
>> -
----------------------------------------------------------------------
>> Hewlett-Packard            ------------------------- http://www.hp.com
>> SAMBA Team                 ---------------------- http://www.samba.org
>> GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
>> "...a hundred billion castaways looking for a home."
----------- Sting
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.4 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQFAmPphIR7qMdg1EfYRAs5mAJ91ceEOZRovzIDrtRVWrpw5T304YACZAYyK
>> ZPnKgAzr7SEnQOKSNrt+UOk>> =bBln
>> -----END PGP SIGNATURE-----
>>
>>