Michael Wray
2005-Apr-25 20:25 UTC
[Samba] wbinfo -t fails but other wbinfo and getent items work.
Problem: wbinfo -t fails. As long as it fails, I am unable to map sids to Group Names. I need this functionality for my application. I can use just about everyother function of wbinfo at least partially... Distro: Debian woody. Packages: ii samba 3.0.11-0woody1 a LanManager-like file and printer server fo ii samba-common 3.0.11-0woody1 Samba common files used by both the server a ii samba-doc 3.0.11-0woody1 Samba documentation ii libpam-smbpass 3.0.11-0woody1 pluggable authentication module for SMB pass ii libsmbclient 3.0.11-0woody1 shared library that allows applications to t ii smbclient 3.0.11-0woody1 a LanManager-like simple client for Unix ii winbind 3.0.11-0woody1 service to resolve user and group informatio ii krb5-config 1.4 Configuration files for Kerberos Version 5 ii krb5-doc 1.2.4-5woody8 Documentation for krb5 ii libkrb-1-kerbe 1.2.2-8.dirk.1 Kerberos Libraries for Kerberos4 From KTH ii libkrb5-17-hei 0.6.3-0.dirk.1 Libraries for Heimdal Kerberos ii libkrb53 1.2.4-5woody8 MIT Kerberos runtime libraries ii heimdal-client 0.6.3-0.dirk.1 Clients for Heimdal Kerberos ii heimdal-kdc 0.6.3-0.dirk.1 KDC for Heimdal Kerberos rc heimdal-server 0.6.3-0.dirk.1 Servers for Heimdal Kerberos rc heimdal-server 0.6.3-0.dirk.1 X11 files for Heimdal Kerberos Caveat, I'm stuck with using "stable" backports for samba...due to the development environment I'm in..policy dictates I wait for the package to be backported before I can upgrade to it. log.winbindd,log.nmbd, and log.samba only show the services starting and stopping. If the answer is upgrading to yet a newer version of samba..then great..the solution will have to wait. Problem started out w/ version 3.0.7, and hasn't been working since..even with subsequent upgrades. Note: now I am on 3.0.11 (got that about the time everyone started talking about 3.0.14.) Here is the error from my log.%m (Of and relating to winbindd) test:/var/log/samba# tail -f log.ntlm [2005/04/25 14:38:40, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [26801]: request interface version [2005/04/25 14:38:40, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [26801]: request location of privileged pipe [2005/04/25 14:38:40, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(41) [26801]: check machine account [2005/04/25 14:38:40, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109) IPC$ connections done anonymously [2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708) Doing spnego session setup (blob length=113) [2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) got OID=1 2 840 48018 1 2 2 [2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) got OID=1 2 840 113554 1 2 2 [2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) got OID=1 2 840 113554 1 2 2 3 [2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) got OID=1 3 6 1 4 1 311 2 2 10 [2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740) got principal=server03test$@TEST.COM [2005/04/25 14:38:40, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533) Doing kerberos session setup [2005/04/25 14:38:40, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318) Ticket in ccache[MEMORY:cliconnect] expiration Tue, 26 Apr 2005 00:38:40 GMT [2005/04/25 14:38:40, 0] libsmb/smb_signing.c:signing_good(240) signing_good: BAD SIG: seq 1 [2005/04/25 14:38:40, 0] libsmb/clientgen.c:cli_receive_smb(121) SMB Signature verification failed on incoming packet! [2005/04/25 14:38:40, 3] nsswitch/winbindd_cm.c:new_cm_connection(755) Could not open a connection to TEST for \PIPE\NETLOGON (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) [2005/04/25 14:38:40, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68) could not open handle to NETLOGON pipe [2005/04/25 14:38:40, 2] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98) Checking the trust account password returned NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND [2005/04/25 14:40:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27086]: request interface version [2005/04/25 14:40:01, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27086]: request location of privileged pipe [2005/04/25 14:40:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27086]: getgroups root [2005/04/25 14:40:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27087]: request interface version [2005/04/25 14:40:01, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27087]: request location of privileged pipe [2005/04/25 14:40:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27087]: getgroups root [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27090]: request interface version [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27090]: request location of privileged pipe [2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27090]: getgroups amavis [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27091]: request interface version [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27091]: request location of privileged pipe [2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27091]: getgroups root [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27097]: request interface version [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27097]: request location of privileged pipe [2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27097]: getgroups root [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27099]: request interface version [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27099]: request location of privileged pipe [2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27099]: getgroups root [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27100]: request interface version [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27100]: request location of privileged pipe [2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27100]: getgroups amavis [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27111]: request interface version [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27111]: request location of privileged pipe [2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27111]: getgroups postfix [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27112]: request interface version [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27112]: request location of privileged pipe [2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27112]: getgroups postfix [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27114]: request interface version [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27114]: request location of privileged pipe [2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27114]: getgroups postfix [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27118]: request interface version [2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27118]: request location of privileged pipe [2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27118]: getgroups root [2005/04/25 14:40:03, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27126]: request interface version [2005/04/25 14:40:03, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27126]: request location of privileged pipe [2005/04/25 14:40:03, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27126]: getgroups postfix [2005/04/25 14:40:03, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261) [27133]: request interface version [2005/04/25 14:40:03, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) [27133]: request location of privileged pipe [2005/04/25 14:40:03, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004) [27133]: getgroups postfix The top shows NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, and an error on signing on an incoming packet. Is this where my problems lie? I can use wbinfo -g, -u, -r, -Y,-G,-n, and -S. wbinfo -s only works on "Builtin" groups and users. smb.conf: =====[global] server string = Filtering Server log file = /var/log/samba/log.ntlm max log size = 50 security = ads socket options = TCP_NODELAY dns proxy = no encrypt passwords = yes winbind enum users = yes winbind enum groups = yes winbind uid = 10000-20000 winbind gid = 10000-20000 workgroup = TEST passdb backend = tdbsam guest obey pam restrictions = yes password server = server03test.test.com realm = test.com use spnego = yes ==================krb5.conf ============[libdefaults] default_realm = TEST.COM # The following krb5.conf variables are only for MIT Kerberos. # default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 # default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 default_etypes = des-cbc-crc des-cbc-md5 default_etypes_des = des-cbc-crc des-cbc-md5 # permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true krb4_get_tickets=no # The following libdefaults parameters are only for Heimdal Kerberos. # v4_instance_resolve = false ## v4_name_convert = { # host = { # rcmd = host # ftp = ftp # } # plain = { # something = something-else # } # } [realms] TEST.COM = { kdc = server03test.test.com admin_server = server03test.test.com default_domain = test.com } [domain_realm] .test.com = TEST.COM -- Michael Wray AimConnect, an S4F Inc. Company 918.524.1010 ext 106 mwray@aimconnect.com http://www.aimconnect.com
Doug VanLeuven
2005-Apr-26 01:41 UTC
[Samba] wbinfo -t fails but other wbinfo and getent items work.
Michael Wray wrote:>Problem: wbinfo -t fails. As long as it fails, I am unable to map sids to >Group Names. I need this functionality for my application. I can use just >about everyother function of wbinfo at least partially... > >Distro: Debian woody. >Packages: >ii samba 3.0.11-0woody1 a LanManager-like file and printer server fo >ii samba-common 3.0.11-0woody1 Samba common files used by both the server a >ii samba-doc 3.0.11-0woody1 Samba documentation >ii libpam-smbpass 3.0.11-0woody1 pluggable authentication module for SMB pass >ii libsmbclient 3.0.11-0woody1 shared library that allows applications to t >ii smbclient 3.0.11-0woody1 a LanManager-like simple client for Unix >ii winbind 3.0.11-0woody1 service to resolve user and group informatio >ii krb5-config 1.4 Configuration files for Kerberos Version 5 >ii krb5-doc 1.2.4-5woody8 Documentation for krb5 >ii libkrb-1-kerbe 1.2.2-8.dirk.1 Kerberos Libraries for Kerberos4 From KTH >ii libkrb5-17-hei 0.6.3-0.dirk.1 Libraries for Heimdal Kerberos >ii libkrb53 1.2.4-5woody8 MIT Kerberos runtime libraries >ii heimdal-client 0.6.3-0.dirk.1 Clients for Heimdal Kerberos >ii heimdal-kdc 0.6.3-0.dirk.1 KDC for Heimdal Kerberos >rc heimdal-server 0.6.3-0.dirk.1 Servers for Heimdal Kerberos >rc heimdal-server 0.6.3-0.dirk.1 X11 files for Heimdal Kerberos > >Hard to believe MIT & Heimdal can coexist in the standard library paths. Anyone else ever done this? Anyway, looks like libkrb53 is version 1.2.4. I never got it to work reliably, across the boards, with less than MIT krb5 V1.3. When I googled "BAD SIG" I got this from samba lists http://lists.samba.org/archive/samba/2005-January/098500.html>Caveat, I'm stuck with using "stable" backports for samba...due to the >development environment I'm in..policy dictates I wait for the package to be >backported before I can upgrade to it. >log.winbindd,log.nmbd, and log.samba only show the services starting and >stopping. If the answer is upgrading to yet a newer version of samba..then >great..the solution will have to wait. Problem started out w/ version 3.0.7, >and hasn't been working since..even with subsequent upgrades. Note: now I am >on 3.0.11 (got that about the time everyone started talking about 3.0.14.) > > > >Here is the error from my log.%m (Of and relating to winbindd) > > > >test:/var/log/samba# tail -f log.ntlm >[2005/04/25 14:38:40, 3] >nsswitch/winbindd_misc.c:winbindd_interface_version(261) > [26801]: request interface version >[2005/04/25 14:38:40, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) > [26801]: request location of privileged pipe >[2005/04/25 14:38:40, 3] >nsswitch/winbindd_misc.c:winbindd_check_machine_acct(41) > [26801]: check machine account >[2005/04/25 14:38:40, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109) > IPC$ connections done anonymously >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708) > Doing spnego session setup (blob length=113) >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) > got OID=1 2 840 48018 1 2 2 >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) > got OID=1 2 840 113554 1 2 2 >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) > got OID=1 2 840 113554 1 2 2 3 >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) > got OID=1 3 6 1 4 1 311 2 2 10 >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740) > got principal=server03test$@TEST.COM >[2005/04/25 14:38:40, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533) > Doing kerberos session setup >[2005/04/25 14:38:40, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318) > Ticket in ccache[MEMORY:cliconnect] expiration Tue, 26 Apr 2005 00:38:40 GMT >[2005/04/25 14:38:40, 0] libsmb/smb_signing.c:signing_good(240) > signing_good: BAD SIG: seq 1 >Regards, Doug