Okay. I got it. I am posting it for posterity.
Yes, it was something stupid, as I suspected. I am stunned no one has run
into this yet.
Since we are dealing with ADS, I thought it would be safe to refer to things
in ads nomenclature. Apparently not the case with the password server. The
error output was likewise misleading:
[2004/07/15 11:55:43, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
ads_connect for domain NEWDOMAIN failed: No such file or directory
I was looking all around both machines' filesystems, LDAP and ADS for a file
or directory that was missing. Turns out that had nothing to do with it.
The problem was this line in my smb.conf:
password server = stan.newdomain.int
It should have been
password server = STAN
i.e. in netbios nomenclature -- not ADS(DNS) nomenclature.
I am amazed that no one caught that, but there it is! So much grief for such
a stupid gaffe.
I thank those who took the time to read my post, and hope that this will help
someone in the future.
Chris
On Friday 16 July 2004 07:51 am, Chris wrote:
> Posted: Thu Jul 15, 2004 11:34 am Post subject: Samba/winbind and ADS
> problem
> I almost have this.
>
> I have read the docs, I have read this, I have purchased both books from
> the samba team, and I cannot find any help from any of these.
>
> We are trying to migrate from OLDDOMAIN (an NT4 Domain) to NEWDOMAIN (our
> Win2k3 Domain). I have a two way trust right now between the domains. I
> have everything configured as per the docs as far as smb.conf, krb5.conf
> and nsswitch. I do:
> Code:
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> so everything looks good there, but the weird thing is when I do this:
> Code:
> # wbinfo -g
> or
> # wbinfo -u
>
>
> I get a list of all the users and groups from OLDDOMAIN, and none of the
> groups from NEWDOMAIN! Same thing is true when I use getent. Which makes
> about zero sense to me... I had absolutely no error output when joining the
> ADS Domain (NEWDOMAIN), from wbinfo, kinit, smbclient or smbmount.
>
> So, I went to the log file:
> Quote:
> [2004/07/15 11:55:39, 1] nsswitch/winbindd.c:main(843)
> winbindd version 3.0.4 started.
> Copyright The Samba Team 2000-2004
> [2004/07/15 11:55:39, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> Added domain NEWDOMAIN NEWDOMAIN.INT S-0-0
> [2004/07/15 11:55:43, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> ads_connect for domain NEWDOMAIN failed: No such file or directory
> [2004/07/15 11:55:44, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> Added domain OLDDOMAIN S-1-5-21-1898674339-994652211-837300805
> [2004/07/15 11:55:44, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> Added domain BUILTIN S-1-5-32
> [2004/07/15 11:55:44, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> Added domain CASPER S-1-5-21-789378082-241503064-2986860805
> [2004/07/15 12:04:59, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> ads_connect for domain NEWDOMAIN failed: No such file or directory
>
>
> I have been trying this since samba 3.0.0, and I still have problems. I am
> now using 3.0.4.
>
> my smb.conf:
>
> Code:
>
> # Global parameters
> [global]
> netbios name = JOE
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> dns proxy = no
> realm = NEWDOMAIN.INT
> workgroup = NEWDOMAIN
> netbios aliases = JOE
> server string = JOE server
> security = ADS
> wins proxy = no
> map to guest = Bad User
> password server = stan.newdomain.int
> name resolve order = lmhosts wins bcast
> time server = Yes
> os level = 0
> preferred master = No
> local master = No
> domain master = No
> wins server = 208.226.104.3
> hosts allow = 127.0.0.1, 208.226.104.
> oplocks = No
> follow symlinks = No
> printing = cups
> printcap name = cups
> load printers = yes
> idmap uid = 10000-20000
> winbind enum users = yes
> winbind gid = 10000-20000
> winbind enum groups = yes
> winbind separator = +
> os level = 20
>
> [images]
> valid users = chrisd,kristynp,administrator
> public = no
> path = /images
> writable = yes
> write list = kristynp,chrisd,administrator
> admin users = kristynp,chrisd,administrator
> force user = root
>
>
> my krb5.conf:
> Code:
> [libdefaults]
> default_realm = NEWDOMAIN.INT
>
> [realms]
> NEWDOMAIN.INT = {
> kdc = stan.naic.int
> }
>
> [domain_realms]
> .newdomain.int = NEWDOMAIN.INT
>
>
> my nsswitch.conf:
> Code:
>
> # /etc/nsswitch.conf:
> # $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $
>
> passwd: compat winbind
> shadow: compat
> group: compat winbind
>
> # passwd: db files nis
> # shadow: db files nis
> # group: db files nis
>
> hosts: files dns
> networks: files dns
>
> services: db files
> protocols: db files
> rpc: db files
> ethers: db files
> netmasks: files
> netgroup: files
> bootparams: files
>
> automount: files
> aliases: files
>
>
> I am at my wit's end here... I would really appreciate any help.
>
> Thank you!
>
> chris
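
Added example, not part of the original thread: a short Python triage of the winbindd log format quoted above. It groups the `Added domain` and `ads_connect ... failed` records per domain, so the one domain winbindd registered but never connected to stands out. The function names are hypothetical, and the sample log is constructed from lines in the post with message indentation assumed.

```python
import re
from collections import defaultdict

# Constructed sample: log lines copied from the post; the two-space
# indentation of the message lines is an assumption of this example.
SAMPLE_LOG = """\
[2004/07/15 11:55:39, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain NEWDOMAIN NEWDOMAIN.INT S-0-0
[2004/07/15 11:55:43, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain NEWDOMAIN failed: No such file or directory
[2004/07/15 11:55:44, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain OLDDOMAIN S-1-5-21-1898674339-994652211-837300805
[2004/07/15 12:04:59, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain NEWDOMAIN failed: No such file or directory
"""

# Header line: "[timestamp, level] source.c:function(line)"
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+\]\s+\S+:\w+\(\d+\)")
# "Added domain NAME [DNSNAME] SID" (the DNS name is only present for ADS domains)
ADDED = re.compile(r"Added domain (?P<name>\S+)(?: \S+)? (?P<sid>S-[\d-]+)$")
FAILED = re.compile(r"ads_connect for domain (?P<name>\S+) failed: (?P<err>.+)$")


def triage(log_text):
    """Return {domain: {"sid": str or None, "failures": [(timestamp, error)]}}."""
    domains = defaultdict(lambda: {"sid": None, "failures": []})
    ts = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            ts = header.group("ts")  # applies to the message lines that follow
            continue
        if (m := ADDED.search(line)):
            domains[m.group("name")]["sid"] = m.group("sid")
        elif (m := FAILED.search(line)):
            domains[m.group("name")]["failures"].append((ts, m.group("err")))
    return dict(domains)


def unreachable(report):
    """Domains that logged at least one ads_connect failure."""
    return sorted(name for name, info in report.items() if info["failures"])


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        state = f"{len(info['failures'])} ads_connect failure(s)" if info["failures"] else "ok"
        print(f"{name:10} sid={str(info['sid']):45} {state}")
```
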