I looked into the docs and searched thru the Net. Googling for "NT_STATUS_PIPE_NOT_AVAILABLE" yields rather large list of questions about this situatins, but no working hints so far. I believe my samba installation is done very carefully (entirely unlike "grab rpm and be happy" style) and I can try to find out what's going on. Let me describe what do I have so far: My samba is built from sources and is laid out as follows: /usr/app/samba-4.0.7/{bin,include,lib,man,sbin,swat} these files never change in normal samba operations and on reconfiguration/experiments /usr/app/samba-4.0.7/var/{etc,lock,log,pid,private} this is the "dynamic" data, configs, etc /lib/security/pam_winbind.so -> /app/samba-3.0.7/lib/pam_winbind.so /lib/libnss_winbind.so -> /app/samba-3.0.7/lib/libnss_winbind.so /lib/libnss_winbind.so.2 -> /app/samba-3.0.7/lib/libnss_winbind.so.2 /lib/libnss_wins.so -> /app/samba-3.0.7/lib/libnss_wins.so /lib/libnss_wins.so.2 -> /app/samba-3.0.7/lib/libnss_wins.so.2 symlinks to needed DSOs /var/service/{smb_n,smb_s,smb_w} daemontools-controlled 'services' which start nmbd, smbd and winbindd, respectively. Like this (all three daemons are started with these options): #!/bin/sh exec 2>&1 exec </dev/null echo "* Starting" exec env - winbindd --stdout --foreground --interactive /etc/nsswitch: ... passwd: compat winbind group: compat winbind hosts: files wins dns ... I plan to use sshd as one of ways to test NT auth, so: /etc/pam.d/sshd: auth required pam_unix_auth.so auth sufficient pam_winbind.so use_first_pass use_authtok account sufficient pam_winbind.so user_first_pass use_authtok password required pam_unix_passwd.so password sufficient pam_winbind.so use_first_pass use_authtok session required pam_unix_session.so session required pam_mkhomedir.so session sufficient pam_winbind.so use_first_pass use_authtok smb.conf - see below. I need to run this server as NT4 domain member. I start from completely clean state (var/lock and var/private are empty). I start the daemons: # cd /var/service; svc -u smb* (this is daemontools way of starting 'services') nmbd and smbd are working fine and I will not go into details like their log contents. Let's concentrate on winbindd. Apparently it tries to connect to PDC: * Starting winbindd version 3.0.7 started. Copyright The Samba Team 2000-2004 Processing section "[pub]" Processing section "[homes]" WARNING: The "only user" option is deprecated adding IPC service adding IPC service added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0 added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0 Registered MSG_REQ_POOL_USAGE Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED add_trusted_domain: PORT is an NT4 domain Added domain PORT S-0-0 resolve_wins: Attempting wins lookup for name PORT<0x1c> resolve_wins: using WINS server 172.16.42.102 and tag '*' Got a positive name query response from 172.16.42.102 ( 172.16.42.102 172.16.42.102 ) rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT IPC$ connections done anonymously Connecting to host=PORT_PDC Connecting to 172.16.42.102 at port 445 error connecting to 172.16.42.102:445 (Connection refused) Connecting to 172.16.42.102 at port 139 bind_rpc_pipe: transfer syntax differs rpc_pipe_bind: check_bind_response failed. cli_nt_session_open: rpc bind to \PIPE\lsarpc failed Could not fetch sid for our domain PORT rpc: trusted_domains rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT IPC$ connections done anonymously Connecting to host=PORT_PDC Connecting to 172.16.42.102 at port 445 error connecting to 172.16.42.102:445 (Connection refused) Connecting to 172.16.42.102 at port 139 schannel refused - continuing without schannel (NT_STATUS_UNSUCCESSFUL) At this point, NT Server Manager shows HUNTER is the list of computers as: Computer Type Description ---------- ---------------------- ------------ HUNTER Windows NT 4.9 Server Samba 3.0.7 Which is a bit strange because I did not join domain yet. (It isn't listed if I uncheck View->Show Domain Members only) According to swat/help/Samba-Guide/unixclients.html#ch9-nsswbnd, I shall join the domain: net rpc join -U user%pass. Shall I do it while daemons are running or not? Shall I do "Computer->Add to Domain" in NT Server Manager before this? Docs does not answer these. Oh, well. Will try to do it with running daemons and without doing that thing to NT Server Manager. # net rpc join -U vda%XXXXXXXXXXXXXXX Joined domain PORT. Looks good? Not so. wbinfo -u fails with this in winbindd log: 2004-09-22 16:45:33.558053500 rpc: trusted_domains 2004-09-22 16:46:27.860356500 [ 6853]: request interface version 2004-09-22 16:46:27.862685500 [ 6853]: request location of privileged pipe 2004-09-22 16:46:27.866979500 [ 6853]: list users Let's see what will happen if I restart daemons: # svc -d smb*; sleep 5; svc -u smb* Winbindd log: * Starting winbindd version 3.0.7 started. Copyright The Samba Team 2000-2004 Processing section "[pub]" Processing section "[homes]" WARNING: The "only user" option is deprecated adding IPC service adding IPC service added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0 added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0 Registered MSG_REQ_POOL_USAGE Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED add_trusted_domain: PORT is an NT4 domain Added domain PORT S-0-0 rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT IPC$ connections done anonymously Connecting to host=PORT_PDC Connecting to 172.16.42.102 at port 445 error connecting to 172.16.42.102:445 (Connection refused) Connecting to 172.16.42.102 at port 139 bind_rpc_pipe: transfer syntax differs rpc_pipe_bind: check_bind_response failed. cli_nt_session_open: rpc bind to \PIPE\lsarpc failed rpc: trusted_domains rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT IPC$ connections done anonymously Connecting to host=PORT_PDC Connecting to 172.16.42.102 at port 445 error connecting to 172.16.42.102:445 (Connection refused) Connecting to 172.16.42.102 at port 139 Bind NACK received on pipe 1802! cli_nt_session_open: rpc bind to \PIPE\lsarpc failed Could not open a connection to PORT for \PIPE\lsarpc (NT_STATUS_PIPE_NOT_AVAILABLE) add_trusted_domain: BUILTIN is an NT4 domain Added domain BUILTIN S-1-5-32 add_trusted_domain: HUNTER is an NT4 domain Added domain HUNTER S-1-5-21-4117605173-658000377-4279512090 rpc: trusted_domains Could not open a connection to PORT for \PIPE\lsarpc (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) Not good. Okay. Let's try to pre-join HUNTER in NT ServMan first. Stopping daemos. (Daemons forget to remove their pidfiles from var/pid/*. Oh well.) Purging everything in var/{lock,private}, deleting HUNTER from domain via ServMan. (HUNTER remains for 15 mins. Oh well #2. hostname hunter2 will hopefully work around that :) Pre-joining HUNTER2 in NT ServMan. Starting daemons. # net rpc join -U vda%XXXXXXXXXXXXXXX Joined domain PORT. # wbinfo -u Error looking up domain users Basically same info in all logs. Looks like my samba is unable to convince PDC that it is indeed a member of the domain. Any helpful hints? -- vda smb.conf =======# %U session username (the username that the client # wanted, not necessarily the same as the one they # got). # %G primary group name of %U. # %h the Internet hostname that Samba is running on. # %m the NetBIOS name of the client machine (very use- # ful). # %L the NetBIOS name of the server. This allows you to # change your config based on what the client calls # you. Your server can have a ``dual personality''. # %M the Internet name of the client machine. # %R the selected protocol level after protocol negotia- # tion. It can be one of CORE, COREPLUS, LANMAN1, # LANMAN2 or NT1. # %d The process id of the current server process. # %a the architecture of the remote machine. Only some # are recognized, and those may not be 100% reliable. # It currently recognizes Samba, Windows for Work- # groups, Windows 95, Windows NT and Windows 2000. # Anything else will be known as ``UNKNOWN''. If it # gets it wrong sending a level 3 log to # samba@samba.org should allow it to be fixed. # %I The IP address of the client machine. # %T the current date and time. # %D Name of the domain or workgroup of the current # user. # %$(envvar) # The value of the environment variable envar. # # The following substitutes apply only to some configuration # options (only those that are used when a connection has # been established): # # %S the name of the current service, if any. # %P the root directory of the current service, if any. # %u username of the current service, if any. # %g primary group name of %u. # %H the home directory of the user given by %u. # %N the name of your NIS home directory server. This is # obtained from your NIS auto.map entry. If you have # not compiled Samba with the --with-automount # option, this value will be the same as %L. # %p the path of the service's home directory, obtained # from your NIS auto.map entry. The NIS auto.map # entry is split up as ``%N:%p''. # Global parameters [global] ;;;;;;; Machine type (standalone/domain member/etc) ;;;;;;; Pick one type of config below ;# Authenticate users using given WinNT box ;# - VDA: ok ; workgroup = PORT ; encrypt passwords = yes ; security = server ; password server = PORT_PDC ; domain master = no # Authenticate users using given WinNT domain # - VDA: ok, but you'll need to create UNIX users for each connecting Win one # (same username as found on PDC) # Update: [2001/12/07] can't make it accept domain users # when winbindd is running even if local user exists in /etc/passwd workgroup = PORT encrypt passwords = yes security = domain password server = * domain master = no # domain logons = yes: provides the NETLOGON service # which only PDC and BDC shall provide. # This is a NO-GO for domain member machine. Set to NO. domain logons = no ;# Authenticate users using local Samba ;# (we are part of a workgroup) ;# - VDA: ok. ;# Set passwords for users via smbpasswd! ; workgroup = LINUX ; os level = 33 ; security = share ; domain logons = no ;# We are PDC for our domain (domain name set by 'workgroup') ;# Have to have [netlogon] ;# TODO: check:maybe we need [profiles] too? ; workgroup = PORT2 ; os level = 34 ; security = user ; domain logons = yes ; domain master = yes # affects browser elections ; ;# To be executed each time user logs in. Stored in [netlogon] ; ;logon script = %u.bat ; # Home dir and drive to map it to ; # (%L: our server netbios name, %u: final user name) ; logon home = \\%L\%u\home\%u ; logon drive = w: ; # Profiles dir for roaming profiles ; logon path = \\%L\%u\home\%u\profiles ;;;;;;; Browsing # force reelection on nmbd startup # use with caution, because if there are several such hosts... ouch... preferred master = No ;;;;;;; Connections # connection timeout, minutes deadtime = 15 ;;;;;;; File management # create mode = (((user_specified) AND cr_mode) OR force_mode) create mode = 0644 force create mode = 0400 # 0's disallow chmodding of corresponding bits security mask = 0777 # same for dirs directory mode = 755 force directory mode = 0111 directory security mask = 0777 # unix charset = koi8r display charset = koi8r dos charset = cp866 ;;;;;;; User management map to guest = Bad User guest account = guest guest ok = Yes null passwords = Yes template homedir = /home/%D+%U template shell = /bin/bash name resolve order = wins wins server = 172.16.42.102 winbind separator = + idmap uid = 10000-20000 idmap gid = 10000-20000 ;;;;;;; Logging # Higher numbers = more logging # Example: debuglevel = 3 passdb:5 auth:10 winbind:2 # (all tdb printdrivers lanman smb rpc_parse rpc_srv rpc_cli passdb sam auth winbind vfs idmap) debuglevel = 3 #log file = /usr/app/samba-3.0.7/var/log/samba.%m log file = /usr/app/samba-3.0.7/var/log/samba.all # in kb. Will rename to *.old when exceeded max log size = 128 debug hires timestamp = yes debug pid = yes debug timestamp = yes #debug uid = yes # Do not log to syslog if message's level is greater than... syslog = 0 # Do not log into files, syslog only? syslog only = no ;;;;;;; Shares ;default service = user ;[user] ; path = / ; username = %S ; read only = No ; guest ok = No ; only user = Yes ; browseable = Yes [pub] path = /pub guest only = Yes ;[in] ; path = /pub/in ; read only = No ; guest only = Yes [homes] path = / ;*;username = %S read only = No guest ok = No only user = Yes # we don't actually want users to see //me/homes ;) browseable = No ;[netlogon] ; path = /usr/app/samba-3.0.7/var/netlogon ; guest ok = No ; browseable = No ;[profiles] ; path = /usr/app/samba-3.0.7/var/profiles ; browseable = No