Malte Woelky
2004-May-31 19:23 UTC
[Samba] prerequisites for winbind (Samba-3.0.4-SuSE-9.0)
Hi there,
I'm not able to get winbind to work, although I searched Google and studied and tried nearly every howto and forum entry on the net in the last week.... it simply doesn't work and I don't understand why....
My Samba3 domain SUPZ (Samba & LDAP Linux PDC, Windows clients) works perfectly with all LDAP users, groups (Linux and from Windows) and computer accounts (Win2000 WS).
I'm using samba3-3.0.4-1.i586.rpm (etc.) for SuSE 9.0 and smbldap-tools 0.8.4 from www.idealx.org.
But I cannot get the winbind stuff to work. I'm trying to integrate winbind for ntlm_auth and Squid.
What prerequisites do I need for winbind?
My smb.conf (only winbind, logon & LDAP related stuff):
--------------
[...]
logon script = \\supzli02pdc\netlogon\logon.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
add user script = /usr/local/sbin/smbldap-useradd -m
add group script = /usr/local/sbin/smbldap-groupadd -p
add user to group script = /usr/local/sbin/smbldap-groupmod -m
delete user from group script = /usr/local/sbin/smbldap-groupmod -x
set primary group script = /usr/local/sbin/smbldap-usermod -g
add machine script = /usr/local/sbin/smbldap-useradd -w
passdb backend = ldapsam:ldap://192.168.10.50/
passwd program = /usr/local/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
username map = /etc/samba/smbusers
ldap suffix = dc=supz,dc=schulenge,dc=de
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=schulenge,dc=de
ldap ssl = no
ldap passwd sync = Yes
ldap delete dn = Yes
winbind use default domain = yes
winbind trusted domains only = yes
#winbind separator = +
#winbind nested groups = no
idmap uid = 50000-60000
idmap gid = 50000-60000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
winbind enable local accounts = yes
winbind cache time = 10
[...]
--------------
I always get the following errors:
----------
supzli02pdc:/ # wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret
supzli02pdc:/etc/samba # wbinfo -u
Error looking up domain users
supzli02pdc:/ # wbinfo -a SUPZ\\Hans.Meiserestme
plaintext password authentication failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Could not authenticate user SUPZ\Hans.Meiserestme with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Could not authenticate user SUPZ\Hans.Meiserestme with challenge/response
-------------
=> tried setting a user for wbinfo, but this doesn't help:
supzli02pdc:/ # wbinfo --set-auth-user=administrator
Password:
Press any key to continue...
supzli02pdc:/ # wbinfo --get-auth-user
SUPZ\administrator%[...]
=> password replaced in posting and verified:
supzli02pdc:/etc/samba # smbclient -UAdministrator -L supzli02pdc
Password:
Domain=[SUPZ] OS=[Unix] Server=[Samba 3.0.4-SerNet-SuSE]
Sharename Type Comment
--------- ---- -------
netlogon Disk Netlogon administrator
print$ Disk
public Disk fuer alle
Meine Kurse Disk
Meine Stufen Disk
Willkommen Disk
IPC$ IPC IPC Service (SUPZ Master Samba Server 3.0.4-SerNet-SuSE)
ADMIN$ IPC IPC Service (SUPZ Master Samba Server 3.0.4-SerNet-SuSE)
Domain=[SUPZ] OS=[Unix] Server=[Samba 3.0.4-SerNet-SuSE]
Server Comment
--------- -------
SUPZLI02PDC SUPZ Master Samba Server 3.0.4-SerNet-SuSE
Workgroup Master
--------- -------
[...]
=> this works, so the account 'Administrator' and its password work.
Is self-joining to domain SUPZ required for my PDC SUPZLI02PDC to make winbind work? This doesn't work either...
---------
supzli02pdc:/ # net rpc join -U administrator
Password:
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain SUPZ.
---------
LDAP entries for the administrator account:
supzli02pdc:/etc/smbldap-tools # smbldap-usershow Administrator
dn: uid=Administrator,ou=Users,dc=supz,dc=schulenge,dc=de
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomePath: \\SUPZLI02PDC\homes
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-1040516133-489134623-588480087-512
sambaSID: S-1-5-21-1040516133-489134623-588480087-2996
loginShell: /bin/false
sambaAcctFlags: [U]
sambaLMPassword: [...]
sambaNTPassword: [...]
gecos: Netbios Domain Administrator
sambaPwdCanChange: 1083754399
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1083754399
employeeType: PROXYACCESS
userPassword: {CRYPT} [...]
The passwords are set correctly and verified; I replaced them in the post with [...]
Question: Is it required for winbindd to use winbind in nsswitch.conf???? I only need winbind for squid & ntlm_auth.
my /etc/nsswitch.conf:
passwd: compat ldap
group: compat ldap
I get my accounts from LDAP and the posixAccount class:
supzli02pdc:/etc # getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
supz0100$:x:1000:553:supz0100$:/dev/null:/bin/false
testmw1:x:1001:513:System User:/home/testmw1:/bin/bash
Martin.Monster:x:1005:513:Monster, Martin:/home/Martin.Monster:/bin/bash
Karl.King:x:1006:513:King, Karl:/home/Karl.King:/bin/bash
Holger.Mertens:x:1011:513:Mertens, Holger:/home/Holger.Mertens:/bin/bash
Lieschen.Mueller:x:1018:513:Mueller, Lieschen:/home/Lieschen.Mueller:/bin/bash
Franz.Meier:x:1027:513:Meier, Franz:/home/Franz.Meier:/bin/bash
[...]
This works perfectly and shows all local and LDAP users.
Any ideas what I did wrong or what I missed ??
Thanks in advance for reading the detailed info.
I'm using SuSE 9.0 pro and the samba3-rpm from
http://us3.samba.org/samba/ftp/Binary_Packages/SuSE/3.0/i386/9.0/
(tried http://ftp.sernet.de/pub/samba/suse90/ - with no different effect on my winbind problem)
--
Best regards,
Malte mailto:malte.woelky@gmx.de
_________________
Malte Woelky -=[SkyNet]=-
Unix/DBs/Networks/LDAP/Active Directory
Cert : MCSA 2000+2003, MCSA:msg, MCSE 2000+2003
voice : 0209/977 37 03 : 0174/95 32 105
eMail : Malte.Woelky@gmx.de
WWW : http://www.woelky.net/
_________ ICQ# 12 767 43 99 _________
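As an added example (not code from the thread or from Samba): a POSIX shell lint over the winbind/LDAP settings posted above, with the smb.conf fragment and a few passwd lines embedded as constructed samples. It flags the two things a reviewer would note in this post, `ldap ssl = no` with a plain ldap:// backend, and a second account (Administrator) carrying uidNumber 0; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: lint the winbind/LDAP part of an
# smb.conf like the one posted. SMB_CONF_SAMPLE and PASSWD_SAMPLE are
# constructed samples shaped like the posted smb.conf and getent output.
SMB_CONF_SAMPLE='
   passdb backend = ldapsam:ldap://192.168.10.50/
   ldap admin dn = cn=admin,dc=schulenge,dc=de
   ldap ssl = no
   idmap uid = 50000-60000
   idmap gid = 50000-60000
'
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
supz0100$:x:1000:553:supz0100$:/dev/null:/bin/false
Franz.Meier:x:1027:513:Meier, Franz:/home/Franz.Meier:/bin/bash'
# smb_get KEY: value of KEY (case-insensitive, whitespace trimmed, last wins).
smb_get() {
    printf '%s\n' "$SMB_CONF_SAMPLE" | awk -F'=' -v key="$1" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
          if (tolower(k) == tolower(key)) {
              val = substr($0, index($0, "=") + 1)
              gsub(/^[ \t]+|[ \t]+$/, "", val) } }
        END { print val }'
}
# 0 when the admin bind and the sambaNT/LMPassword attributes would cross the
# wire unencrypted: plain ldap:// backend and no "ldap ssl = start tls".
ldap_is_cleartext() {
    backend=$(smb_get 'passdb backend')
    ssl=$(smb_get 'ldap ssl' | tr 'A-Z' 'a-z' | tr -d ' _')
    case "$backend" in *ldaps://*) return 1 ;; *ldap://*) ;; *) return 1 ;; esac
    case "$ssl" in starttls|on|yes) return 1 ;; *) return 0 ;; esac
}
# Number of accounts that resolve to uid 0: each of them is root on the PDC.
uid_zero_count() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 { n++ } END { print n + 0 }'
}
# idmap_overlaps KEY: 0 if an existing uid/gid already lies inside the idmap
# range, so ids winbind allocates could collide with real accounts.
idmap_overlaps() {
    range=$(smb_get "$1"); lo=${range%-*}; hi=${range#*-}
    field=3; [ "$1" = 'idmap gid' ] && field=4
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v f="$field" -v lo="$lo" -v hi="$hi" \
        '$f + 0 >= lo + 0 && $f + 0 <= hi + 0 { found = 1 } END { exit !found }'
}
if ldap_is_cleartext; then echo "WARN: ldapsam over ldap:// without TLS"; fi
echo "accounts with uid 0: $(uid_zero_count)"
if idmap_overlaps 'idmap uid'; then echo "WARN: idmap uid range overlaps local uids"; fi
```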
Malte Woelky
2004-Jun-01 18:21 UTC
FIX: Re: [Samba] prerequisites for winbind (Samba-3.0.4-SuSE-9.0)
Hello,
Cool, figured it out this night, or better this morning (6 o'clock ;-) ), too.
Maybe wbinfo -a / -u seems not to work because of our missing/incomplete PAM or nsswitch configuration, but we don't need it for squid auth... my accounts/groups come from pam_ldap & nss_ldap & Co.
My biggest mistake was running this from within mc (Midnight Commander), e.g. wbinfo -a User.xy%3xyz, which expands to something like wbinfo -a User.xyxyz and never works.
But from the pure command line it succeeds ;-)
At the time of writing my post last evening, I additionally mixed up my Administrator/uid=0 account, so I couldn't join from the Win2k workstation, which days ago was already working for nearly four months... shit happens ;-)
(I'm writing my diploma thesis)
Yours
Malte
Tuesday, June 1, 2004, 11:06:31 AM, you wrote:
FD> hello, I've the same problem with wbinfo -{u,g} but winbind works
FD> when used with squid, also wbinfo -a Administrator%XXXXXX
FD> works.
FD> [root@pdc root]# wbinfo -a Administrator%XXXXX
FD> plaintext password authentication succeeded
FD> challenge/response password authentication succeeded
FD> but
FD> [root@va2 root]# wbinfo -u
FD> Error looking up domain users
FD> [root@va2 root]# wbinfo -g
FD> Error looking up domain groups
FD> francesco.
--
Best regards,
Malte mailto:malte.woelky@gmx.de