Jason.McGlamary@Medstar.net
2004-Aug-25 19:30 UTC
[Samba] Samba as NT Domain Member via Winbind - After Upgrade users prompted for password for any shares
Hello,
Apparently, I did a stupid thing today. I used apt-get on my
Debian Woody system to upgrade my Samba packages from 3.0.2 to 3.0.6.
Since doing so, all my users are prompted for a password when trying to
access shares. Even just listing the IPC$, Windows XP systems prompt for
user name and password. Windows 98 machines prompt for password. None
are successful. I believe winbind is working OK. When I run wbinfo -u
all the users in my domain are listed as expected. Does anyone have any
idea as to what the problem could be, or what information could help me
solve the problem? I've been googling all day, but most issues have to do
with making sure SECURITY=DOMAIN, which mine is. I've included my
smb.conf and nsswitch.conf files below. I'd appreciate any insight you
can offer.
Thanks,
Jason McGlamary
PC/LAN Specialist
Washington Hospital Center
********smb.conf
# Samba config file created using SWAT
# from 172.25.5.105 (172.25.5.105)
# Date: 2004/08/25 14:46:03
# Global parameters
[global]
workgroup = MHG
netbios aliases = MERCURY
server string = DON App Server
security = DOMAIN
allow trusted domains = No
passdb backend = tdbsam
pam password change = Yes
preferred master = No
local master = No
domain master = No
wins server = a:192.168.121.9, a:198.50.86.251, a:198.50.78.20
ldap ssl = no
idmap uid = 10000-40000
idmap gid = 10000-40000
template homedir =
winbind use default domain = Yes
admin users = mhg\jxmm
[MRAudit]
path = /usr/local/MRAudit/
admin users = mhg\jxmm, mhg\skb5
force group = UsrMRAudit
read only = No
create mask = 0740
directory mask = 02740
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
hide unreadable = Yes
level2 oplocks = No
strict locking = No
[EStaff]
path = /usr/local/EStaff
admin users = mhg\jxmm, mhg\skb5
force group = UsrEStaff
read only = No
create mask = 0740
directory mask = 02740
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
hide unreadable = Yes
level2 oplocks = No
strict locking = No
[StfEffect]
path = /usr/local/StfEffect
valid users = mhg\jxmm, mhg\ekr1
admin users = mhg\jxmm, mhg\ekr1
read only = No
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
[Wound]
path = /usr/local/Wound
valid users = mhg\jxmm, mhg\ekr1
admin users = mhg\jxmm, mhg\ekr1
read only = No
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
[NsgMgt]
path = /usr/local/NsgMgt
valid users = mhg\jxmm, mhg\ekr1, mhg\amp1, mhg\bxs5, mhg\crr2, mhg\dmh3, mhg\jmm5, mhg\lah5, mhg\lxf1, mhg\lxv3, mhg\mah7, mhg\pxg4, mhg\sbm1, mhg\sxe1, mhg\tso1, mhg\txbi, mhg\cao7, mhg\alv1, mhg\rxb8, mhg\ixd1
admin users = mhg\jxmm, mhg\ekr1
force group = UsrNsgMgmnt
read only = No
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
[ORS DataFiles]
path = /usr/local/ORS Data Files
valid users = mhg\jxmm, mhg\ekr1, mhg\ddm5, mhg\bsg2, mhg\bas6
admin users = mhg\jxmm, mhg\ekr1
force group = UsrORSData
read only = No
create mask = 0760
directory mask = 02770
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
[ORS Staff Chg]
path = /usr/local/ORS Staffing Changes
valid users = mhg\jxmm, mhg\ekr1, mhg\dqb1, mhg\amba, mhg\exb5, mhg\vlc4, mhg\blc3, mhg\ame3, mhg\yxf1, mhg\exf4, mhg\bsg2, mhg\ncg2, mhg\pxg4, mhg\exh6, mhg\sth3, mhg\lgk1, mhg\esm2, mhg\mxm8, mhg\amn1, mhg\exr4, mhg\bas6, mhg\cvs2, mhg\daw7, mhg\mxp6
admin users = mhg\jxmm, mhg\ekr1
force group = UsrORSStaffing
read only = No
create mask = 0760
directory mask = 02770
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
[ORS OT]
path = /usr/local/ORS OT Utilization
valid users = mhg\jxmm, mhg\ekr1, mhg\exb5, mhg\exf4, mhg\bsg2, mhg\pxg4, mhg\exh6, mhg\mxm8, mhg\bas6, mhg\cvs2, mhg\daw7, mhg\sxw7
admin users = mhg\jxmm, mhg\ekr1
read list = mhg\pxg4, mhg\bas6
force group = UsrORSUtil
read only = No
create mask = 0760
directory mask = 02770
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
[ORS Outcomes]
path = /usr/local/ORS Volume Outcomes
valid users = mhg\jxmm, mhg\ekr1, mhg\bsg2, mhg\ddm5, mhg\jme1, mhg\psb3
admin users = mhg\jxmm, mhg\ekr1
read list = mhg\jme1, mhg\psb3
force group = UsrORSOutcomes
read only = No
create mask = 0760
directory mask = 02770
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
[TravelOffice]
path = /usr/local/TravelOffice
valid users = mhg\jxmm, mhg\ary2, mhg\bvg1, mhg\cam3, mhg\kmi1, mhg\llh3, mhg\mmm6, mhg\nls2
force group = UsrTravelOffice
read only = No
create mask = 0760
directory mask = 02770
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
[TEST]
path = /usr/local/test
username = mhg\jxmm
read only = No
create mask = 0740
directory mask = 02740
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
hide unreadable = Yes
level2 oplocks = No
strict locking = No
*******nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat files winbind
group: compat files winbind
shadow: compat files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Gerald (Jerry) Carter
2004-Aug-25 19:54 UTC
[Samba] Samba as NT Domain Member via Winbind - After Upgrade users prompted for password for any shares
Jason.McGlamary@Medstar.net wrote:
| Debian Woody system to upgrade my Samba packages from
| 3.0.2 to 3.0.6. Since doing so, all my users are prompted
| for a password when trying to access shares.
Would you mind setting 'winbind use default domain = no'
and see if that helps.
cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
Thomas Pomroy
2004-Aug-27 00:18 UTC
[Samba] Samba as NT Domain Member via Winbind - After Upgrade users prompted for password for any shares
(Trying to pick up this thread though I can't reply to the original message)
I'm having similar problems with Samba 3.0.6...
Jason, try this for scientific purposes:
1. Stop Samba
2. Delete /%samba/var/locks/netsamlogon_cache.tdb
3. Start Samba
4. run 'getent passwd <username>' (where <username> includes the domain
name and domain separator if necessary)
If the account shows up, my guess is that your shares will work for that
user for the moment. If you try to access a share before that (even
anonymous "\\server"), you'll be locked out and won't be able to access
anything until you delete netsamlogon_cache.tdb and start over.
Jerry, why does this happen? ;)
Here's my best definition of the situation and the problem:
Existing Infrastructure
- Windows NT 4.0 Domain
- PDC, BDC
- Two-way Domain Trust with external domain
- SP6a
Desired Samba server
- Samba 3.0.6
- Red Hat Linux 7.2
- Domain member server
- Winbind
Successes
- configure, make, make install run normally
- net rpc join -U Admin joins server to domain
- starting samba allows getent passwd, group
- wbinfo -t, -p work fine
Problems
- Users can only connect to shares after doing a 'getent passwd
<username>' *before* attempting a connection to \\servername
- Trying to "Run..." \\servername before doing that locks out the user
until the service is stopped, netsamlogon_cache.tdb is deleted, and the
service is restarted.
Diagnostics
- setting "winbind use default domain = yes" or "no" has no effect.
- setting "passdb backend = tdbsam" or "smbpasswd" or commenting out the
line has no effect.
- this line occurs repeatedly in the visiting workstation's log:
[2004/08/26 15:04:48, 0] auth/auth_util.c:make_server_info_info3(1122)
make_server_info_info3: pdb_init_sam failed!
smb.conf Global Settings
#======================= Global Settings ====================
[global]
workgroup = MY_DOMAIN
netbios name = SERVERNAME
server string = Server
security = DOMAIN
hosts allow = [my.ip.subnet]. 127.
log level = 2
log file = /usr/local/samba/var/%m.log
max log size = 500
password server = *
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind separator = +
winbind use default domain = Yes
use sendfile = Yes
local master = no
os level = 33
wins server = [my.wins.server.address]
winbind enable local accounts = no
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
passdb backend = tdbsam
; passdb backend = smbpasswd
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
>Jerry,
>
>Thanks for your response. I tried tuning 'winbind use default domain
>no' but still have the problem. When trying to browse the server for
>shares, users are prompted for an IPC$ password. If they try to access
>a specific share, they get a message saying the share cannot be found.
>Any other ideas? I've included below my smb.conf file, modified w/
>suggested change as well as my logs for smbd, nmbd, and winbindd after
>all services are restarted and a connection attempt was made.
>
>Thanks,
>
>Jason McGlamary
>PC/LAN Specialist
>Washington Hospital Center
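A log check for the failure Thomas reports above, as an added example that is not part of the original thread: it parses Samba log records in the two-line form he quotes and reports, per client log, how often the pdb_init_sam failure occurs and when it first appears. The client names and the level-2 record in the sample input are constructed.

```python
import re

# Record header as quoted in the thread: [date time, level] file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
FAILURE = "make_server_info_info3: pdb_init_sam failed!"  # message from the thread

def parse_records(text):
    """Yield one dict per record: header fields plus the joined message lines."""
    current = None
    for raw in text.splitlines():
        match = HEADER.match(raw)
        if match:
            if current:
                yield current
            current = dict(match.groupdict(), msg="")
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    if current:
        yield current

def failures_by_client(logs):
    """Map client (the %m of 'log file') -> (failure count, first timestamp)."""
    result = {}
    for client, text in logs.items():
        hits = [r["ts"] for r in parse_records(text)
                if r["func"] == "make_server_info_info3" and FAILURE in r["msg"]]
        if hits:
            result[client] = (len(hits), min(hits))
    return result

# Constructed sample input: client names and the level-2 record are made up;
# only the pdb_init_sam record text comes from the thread.
SAMPLE_LOGS = {
    "ws-a": "[2004/08/26 15:04:47, 2] lib/example.c:example_func(10)\n"
            "  constructed informational message\n"
            "[2004/08/26 15:04:48, 0] auth/auth_util.c:make_server_info_info3(1122)\n"
            "  make_server_info_info3: pdb_init_sam failed!\n"
            "[2004/08/26 15:05:02, 0] auth/auth_util.c:make_server_info_info3(1122)\n"
            "  make_server_info_info3: pdb_init_sam failed!\n",
    "ws-b": "[2004/08/26 15:06:00, 2] lib/example.c:example_func(10)\n"
            "  constructed informational message\n",
}

if __name__ == "__main__":
    print(failures_by_client(SAMPLE_LOGS))
```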
Jason.McGlamary@Medstar.net
2004-Aug-27 01:25 UTC
[Samba] Re: Re: Samba as NT Domain Member via Winbind - After Upgrade users prompted for password for any shares
Thomas,
I followed your instructions, and your theory proved correct. The
user I performed 'getent passwd <username>' for was able to access the
shares.
It's something at least, and believe me I was getting ready to swear off
technology forever. Now, how can I manage this task for 20000 users? Is
this a problem only happening w/ 3.0.6? It didn't happen to me until I
upgraded yesterday. Does anyone know how I can roll back to a previous
version on Debian? I've really just started using the Distro recently.
Thanks,
Jason
>-----------------------------------------------------------------------
>I'm having similar problems with Samba 3.0.6...
Jason, try this for scientific purposes:
1. Stop Samba
2. Delete /%samba/var/locks/netsamlogon_cache.tdb
3. Start Samba
4. run 'getent passwd <username>' (where <username> includes the domain
name and domain separator if necessary)
If the account shows up, my guess is that your shares will work for that
user for the moment. If you try to access a share before that (even
anonymous "\\server"), you'll be locked out and won't be able to access
anything until you delete netsamlogon_cache.tdb and start over.
Jerry, why does this happen? ;)
Here's my best definition of the situation and the problem:
Existing Infrastructure
- Windows NT 4.0 Domain
- PDC, BDC
- Two-way Domain Trust with external domain
- SP6a
Desired Samba server
- Samba 3.0.6
- Red Hat Linux 7.2
- Domain member server
- Winbind
Successes
- configure, make, make install run normally
- net rpc join -U Admin joins server to domain
- starting samba allows getent passwd, group
- wbinfo -t, -p work fine
Problems
- Users can only connect to shares after doing a 'getent passwd
<username>' *before* attempting a connection to \\servername
- Trying to "Run..." \\servername before doing that locks out the user
until the service is stopped, netsamlogon_cache.tdb is deleted, and the
service is restarted.
Diagnostics
- setting "winbind use default domain = yes" or "no" has no effect.
- setting "passdb backend = tdbsam" or "smbpasswd" or commenting out the
line has no effect.
- this line occurs repeatedly in the visiting workstation's log:
[2004/08/26 15:04:48, 0] auth/auth_util.c:make_server_info_info3(1122)
make_server_info_info3: pdb_init_sam failed!