Jason.McGlamary@Medstar.net
2004-Aug-25 19:30 UTC
[Samba] Samba as NT Domain Member via Winbind - After Upgrade users prompted for password for any shares
Hello, Apparently, I did a stupid thing today. I used apt-get on my Debian Woody system to upgrade my Samba packages from 3.0.2 to 3.0.6. Since doing so, all my users are prompted for a password when trying to access shares. Even just listing the IPC$, Windows XP systems prompt for user name and password. Windows 98 machines prompt for password. None are successful. I believe winbind is working OK. When I run wbinfo -u all the users in my domain are listed as expected. Does anyone have any idea as to what the problem could be, or what information could help me solve the problem? I've been googling all day, but most issues have to do with making sure SECURITY=DOMAIN, which mine is. I've included my smb.conf and nsswitch.conf files below. I'd appreciate any insight you can offer. Thanks, Jason McGlamary PC/LAN Specialist Washington Hospital Center ********smb.conf # Samba config file created using SWAT # from 172.25.5.105 (172.25.5.105) # Date: 2004/08/25 14:46:03 # Global parameters [global] workgroup = MHG netbios aliases = MERCURY server string = DON App Server security = DOMAIN allow trusted domains = No passdb backend = tdbsam pam password change = Yes preferred master = No local master = No domain master = No wins server = a:192.168.121.9, a:198.50.86.251, a:198.50.78.20 ldap ssl = no idmap uid = 10000-40000 idmap gid = 10000-40000 template homedir = winbind use default domain = Yes admin users = mhg\jxmm [MRAudit] path = /usr/local/MRAudit/ admin users = mhg\jxmm, mhg\skb5 force group = UsrMRAudit read only = No create mask = 0740 directory mask = 02740 inherit permissions = Yes inherit acls = Yes map acl inherit = Yes hide unreadable = Yes level2 oplocks = No strict locking = No [EStaff] path = /usr/local/EStaff admin users = mhg\jxmm, mhg\skb5 force group = UsrEStaff read only = No create mask = 0740 directory mask = 02740 inherit permissions = Yes inherit acls = Yes map acl inherit = Yes hide unreadable = Yes level2 oplocks = No strict locking = No [StfEffect] path = /usr/local/StfEffect valid users = mhg\jxmm, mhg\ekr1 admin users = mhg\jxmm, mhg\ekr1 read only = No inherit permissions = Yes inherit acls = Yes map acl inherit = Yes [Wound] path = /usr/local/Wound valid users = mhg\jxmm, mhg\ekr1 admin users = mhg\jxmm, mhg\ekr1 read only = No inherit permissions = Yes inherit acls = Yes map acl inherit = Yes [NsgMgt] path = /usr/local/NsgMgt valid users = mhg\jxmm, mhg\ekr1, mhg\amp1, mhg\bxs5, mhg\crr2, mhg\dmh3, mhg\jmm5, mhg\lah5, mhg\lxf1, mhg\lxv3, mhg\mah7, mhg\pxg4, mhg\sbm1, mhg\sxe1, mhg\tso1, mhg\txbi, mhg\cao7, mhg\alv1, mhg\rxb8, mhg\ixd1 admin users = mhg\jxmm, mhg\ekr1 force group = UsrNsgMgmnt read only = No inherit permissions = Yes inherit acls = Yes map acl inherit = Yes [ORS DataFiles] path = /usr/local/ORS Data Files valid users = mhg\jxmm, mhg\ekr1, mhg\ddm5, mhg\bsg2, mhg\bas6 admin users = mhg\jxmm, mhg\ekr1 force group = UsrORSData read only = No create mask = 0760 directory mask = 02770 inherit permissions = Yes inherit acls = Yes map acl inherit = Yes [ORS Staff Chg] path = /usr/local/ORS Staffing Changes valid users = mhg\jxmm, mhg\ekr1, mhg\dqb1, mhg\amba, mhg\exb5, mhg\vlc4, mhg\blc3, mhg\ame3, mhg\yxf1, mhg\exf4, mhg\bsg2, mhg\ncg2, mhg\pxg4, mhg\exh6, mhg\sth3, mhg\lgk1, mhg\esm2, mhg\mxm8, mhg\amn1, mhg\exr4, mhg\bas6, mhg\cvs2, mhg\daw7, mhg\mxp6 admin users = mhg\jxmm, mhg\ekr1 force group = UsrORSStaffing read only = No create mask = 0760 directory mask = 02770 inherit permissions = Yes inherit acls = Yes map acl inherit = Yes [ORS OT] path = /usr/local/ORS OT Utilization valid users = mhg\jxmm, mhg\ekr1, mhg\exb5, mhg\exf4, mhg\bsg2, mhg\pxg4, mhg\exh6, mhg\mxm8, mhg\bas6, mhg\cvs2, mhg\daw7, mhg\sxw7 admin users = mhg\jxmm, mhg\ekr1 read list = mhg\pxg4, mhg\bas6 force group = UsrORSUtil read only = No create mask = 0760 directory mask = 02770 inherit permissions = Yes inherit acls = Yes map acl inherit = Yes [ORS Outcomes] path = /usr/local/ORS Volume Outcomes valid users = mhg\jxmm, mhg\ekr1, mhg\bsg2, mhg\ddm5, mhg\jme1, mhg\psb3 admin users = mhg\jxmm, mhg\ekr1 read list = mhg\jme1, mhg\psb3 force group = UsrORSOutcomes read only = No create mask = 0760 directory mask = 02770 inherit permissions = Yes inherit acls = Yes map acl inherit = Yes [TravelOffice] path = /usr/local/TravelOffice valid users = mhg\jxmm, mhg\ary2, mhg\bvg1, mhg\cam3, mhg\kmi1, mhg\llh3, mhg\mmm6, mhg\nls2 force group = UsrTravelOffice read only = No create mask = 0760 directory mask = 02770 inherit permissions = Yes inherit acls = Yes map acl inherit = Yes [TEST] path = /usr/local/test username = mhg\jxmm read only = No create mask = 0740 directory mask = 02740 inherit permissions = Yes inherit acls = Yes map acl inherit = Yes hide unreadable = Yes level2 oplocks = No strict locking = No *******nsswitch.conf # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat files winbind group: compat files winbind shadow: compat files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
Gerald (Jerry) Carter
2004-Aug-25 19:54 UTC
[Samba] Samba as NT Domain Member via Winbind - After Upgrade users prompted for password for any shares
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jason.McGlamary@Medstar.net wrote: | Debian Woody system to upgrade my Samba packages from | 3.0.2 to 3.0.6. Since doing so, all my users are prompted | for a password when trying to access shares. Would you mind setting 'winbind use default domain = no' and see if that helps. cheers, jerry - --------------------------------------------------------------------- Alleviating the pain of Windows(tm) ------- http://www.samba.org GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc "If we're adding to the noise, turn off this song"--Switchfoot (2003) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBLO5MIR7qMdg1EfYRAu9RAKCJC9fEvHO0WOUOYgw+fY7IeEfNmgCeJ2Y4 s9NjATMaeZ/1vVnES1NIH2U=f85R -----END PGP SIGNATURE-----
Thomas Pomroy
2004-Aug-27 00:18 UTC
[Samba] Samba as NT Domain Member via Winbind - After Upgrade users prompted for password for any shares
(Trying to pick up this thread though I can't reply to the original message) I'm having similar problems with Samba 3.0.6... Jason, try this for scientific purposes: 1. Stop Samba 2. Delete /%samba/var/locks/netsamlogon_cache.tdb 3. Start Samba 4. run 'getent passwd <username>' (where <username> includes the domain name and domain separator if necessary) If the account shows up, my guess is that your shares will work for that user for the moment. If you try to access a share before that (even anonymous "\\server"), you'll be locked out and won't be able to access anything until you delete netsamlogon_cache.tdb and start over. Jerry, why does this happen? ;) Here's my best definition of the situation and the problem: Existing Infrastructure - Windows NT 4.0 Domain - PDC, BDC - Two-way Domain Trust with external domain - SP6a Desired Samba server - Samba 3.0.6 - Red Hat Linux 7.2 - Domain member server - Winbind Successes - configure, make, make install run normally - net rpc join -U Admin joins server to domain - starting samba allows getent passwd, group - wbinfo -t, -p work fine Problems - Users can only connect to shares after doing a 'getent passwd <username>' *before* attempting a connection to \\servername - Trying to "Run..." \\servername before doing that locks out the user until the service is stopped, netsamlogon_cache.tdb is deleted, and the service is restarted. Diagnostics - setting "winbind use default domain = yes" or "no" has no effect. - setting "passdb backend = tdbsam" or "smbpasswd" or commenting out the line has no effect. - this line occurs repeatedly in the visiting workstation's log: [2004/08/26 15:04:48, 0] auth/auth_util.c:make_server_info_info3(1122) make_server_info_info3: pdb_init_sam failed! smb.conf Global Settings #======================= Global Settings ====================[global] workgroup = MY_DOMAIN netbios name = SERVERNAME server string = Server security = DOMAIN hosts allow = [my.ip.subnet]. 127. log level = 2 log file = /usr/local/samba/var/%m.log max log size = 500 password server = * idmap uid = 15000-20000 idmap gid = 15000-20000 winbind separator = + winbind use default domain = Yes use sendfile = Yes local master = no os level = 33 wins server = [my.wins.server.address] winbind enable local accounts = no # Backend to store user information in. New installations should # use either tdbsam or ldapsam. smbpasswd is available for backwards # compatibility. tdbsam requires no further configuration. passdb backend = tdbsam ; passdb backend = smbpasswd # You may want to add the following on a Linux system: # SO_RCVBUF=8192 SO_SNDBUF=8192 socket options = TCP_NODELAY # Configure Samba to use multiple interfaces # If you have multiple network interfaces then you must list them # here. See the man page for details. ; interfaces = 192.168.12.2/24 192.168.13.2/24 >Jerry, > >Thanks for your response. I tried tuning 'winbind use default domain >no' but still have the problem. When trying to browse the server for >shares, users are prompted for an IPC$ password. If they try to access >a specific share, they get a message saying the share cannot be found. >Any other ideas? I've included below my smb.conf file, modified w/ >suggested change as well as my logs for smbd, nmbd, and winbindd after >all services are restarted and a connection attempt was made. > >Thanks, > >Jason McGlamary >PC/LAN Specialist >Washington Hospital Center
Jason.McGlamary@Medstar.net
2004-Aug-27 01:25 UTC
[Samba] Re: Re: Samba as NT Domain Member via Winbind - After Upgrade users prompted for password for any shares
Thomas, I followed your instructions, and your theory proved correct. The user I performed 'getent passwd <username> was able to access the shares. It's something at least, and believe me I was getting ready to swear off technology forever. Now, how can I manage this task for 20000 users? Is this a problem only happeningn w/ 3.0.6? It didn't happen to me until I upgraded yesterday. Does anyone know how I can roll back to a previous version on Debian? I've really just started using the Distro recently. Thanks, Jason>----------------------------------------------------------------------- >I'm having similar problems with Samba 3.0.6...Jason, try this for scientific purposes: 1. Stop Samba 2. Delete /%samba/var/locks/netsamlogon_cache.tdb 3. Start Samba 4. run 'getent passwd <username>' (where <username> includes the domain name and domain separator if necessary) If the account shows up, my guess is that your shares will work for that user for the moment. If you try to access a share before that (even anonymous "\\server"), you'll be locked out and won't be able to access anything until you delete netsamlogon_cache.tdb and start over. Jerry, why does this happen? ;) Here's my best definition of the situation and the problem: Existing Infrastructure - Windows NT 4.0 Domain - PDC, BDC - Two-way Domain Trust with external domain - SP6a Desired Samba server - Samba 3.0.6 - Red Hat Linux 7.2 - Domain member server - Winbind Successes - configure, make, make install run normally - net rpc join -U Admin joins server to domain - starting samba allows getent passwd, group - wbinfo -t, -p work fine Problems - Users can only connect to shares after doing a 'getent passwd <username>' *before* attempting a connection to \\servername - Trying to "Run..." \\servername before doing that locks out the user until the service is stopped, netsamlogon_cache.tdb is deleted, and the service is restarted. Diagnostics - setting "winbind use default domain = yes" or "no" has no effect. - setting "passdb backend = tdbsam" or "smbpasswd" or commenting out the line has no effect. - this line occurs repeatedly in the visiting workstation's log: [2004/08/26 15:04:48, 0] auth/auth_util.c:make_server_info_info3(1122) make_server_info_info3: pdb_init_sam failed!