Michael Wray
2005-Apr-25 20:25 UTC
[Samba] wbinfo -t fails but other wbinfo and getent items work.
Problem: wbinfo -t fails. As long as it fails, I am unable to map sids to
Group Names. I need this functionality for my application. I can use just
about everyother function of wbinfo at least partially...
Distro: Debian woody.
Packages:
ii samba 3.0.11-0woody1 a LanManager-like file and printer server fo
ii samba-common 3.0.11-0woody1 Samba common files used by both the server a
ii samba-doc 3.0.11-0woody1 Samba documentation
ii libpam-smbpass 3.0.11-0woody1 pluggable authentication module for SMB pass
ii libsmbclient 3.0.11-0woody1 shared library that allows applications to t
ii smbclient 3.0.11-0woody1 a LanManager-like simple client for Unix
ii winbind 3.0.11-0woody1 service to resolve user and group informatio
ii krb5-config 1.4 Configuration files for Kerberos Version 5
ii krb5-doc 1.2.4-5woody8 Documentation for krb5
ii libkrb-1-kerbe 1.2.2-8.dirk.1 Kerberos Libraries for Kerberos4 From KTH
ii libkrb5-17-hei 0.6.3-0.dirk.1 Libraries for Heimdal Kerberos
ii libkrb53 1.2.4-5woody8 MIT Kerberos runtime libraries
ii heimdal-client 0.6.3-0.dirk.1 Clients for Heimdal Kerberos
ii heimdal-kdc 0.6.3-0.dirk.1 KDC for Heimdal Kerberos
rc heimdal-server 0.6.3-0.dirk.1 Servers for Heimdal Kerberos
rc heimdal-server 0.6.3-0.dirk.1 X11 files for Heimdal Kerberos
Caveat, I'm stuck with using "stable" backports for samba...due to
the
development environment I'm in..policy dictates I wait for the package to be
backported before I can upgrade to it.
log.winbindd,log.nmbd, and log.samba only show the services starting and
stopping. If the answer is upgrading to yet a newer version of samba..then
great..the solution will have to wait. Problem started out w/ version 3.0.7,
and hasn't been working since..even with subsequent upgrades. Note: now I
am
on 3.0.11 (got that about the time everyone started talking about 3.0.14.)
Here is the error from my log.%m (Of and relating to winbindd)
test:/var/log/samba# tail -f log.ntlm
[2005/04/25 14:38:40, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[26801]: request interface version
[2005/04/25 14:38:40, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[26801]: request location of privileged pipe
[2005/04/25 14:38:40, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(41)
[26801]: check machine account
[2005/04/25 14:38:40, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
IPC$ connections done anonymously
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
Doing spnego session setup (blob length=113)
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 48018 1 2 2
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2 3
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 3 6 1 4 1 311 2 2 10
[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
got principal=server03test$@TEST.COM
[2005/04/25 14:38:40, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533)
Doing kerberos session setup
[2005/04/25 14:38:40, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
Ticket in ccache[MEMORY:cliconnect] expiration Tue, 26 Apr 2005 00:38:40 GMT
[2005/04/25 14:38:40, 0] libsmb/smb_signing.c:signing_good(240)
signing_good: BAD SIG: seq 1
[2005/04/25 14:38:40, 0] libsmb/clientgen.c:cli_receive_smb(121)
SMB Signature verification failed on incoming packet!
[2005/04/25 14:38:40, 3] nsswitch/winbindd_cm.c:new_cm_connection(755)
Could not open a connection to TEST for \PIPE\NETLOGON
(NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2005/04/25 14:38:40, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68)
could not open handle to NETLOGON pipe
[2005/04/25 14:38:40, 2]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
Checking the trust account password returned
NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2005/04/25 14:40:01, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27086]: request interface version
[2005/04/25 14:40:01, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27086]: request location of privileged pipe
[2005/04/25 14:40:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27086]: getgroups root
[2005/04/25 14:40:01, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27087]: request interface version
[2005/04/25 14:40:01, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27087]: request location of privileged pipe
[2005/04/25 14:40:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27087]: getgroups root
[2005/04/25 14:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27090]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27090]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27090]: getgroups amavis
[2005/04/25 14:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27091]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27091]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27091]: getgroups root
[2005/04/25 14:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27097]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27097]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27097]: getgroups root
[2005/04/25 14:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27099]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27099]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27099]: getgroups root
[2005/04/25 14:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27100]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27100]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27100]: getgroups amavis
[2005/04/25 14:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27111]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27111]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27111]: getgroups postfix
[2005/04/25 14:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27112]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27112]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27112]: getgroups postfix
[2005/04/25 14:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27114]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27114]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27114]: getgroups postfix
[2005/04/25 14:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27118]: request interface version
[2005/04/25 14:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27118]: request location of privileged pipe
[2005/04/25 14:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27118]: getgroups root
[2005/04/25 14:40:03, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27126]: request interface version
[2005/04/25 14:40:03, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27126]: request location of privileged pipe
[2005/04/25 14:40:03, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27126]: getgroups postfix
[2005/04/25 14:40:03, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[27133]: request interface version
[2005/04/25 14:40:03, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[27133]: request location of privileged pipe
[2005/04/25 14:40:03, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[27133]: getgroups postfix
The top shows NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, and an error on signing
on an incoming packet. Is this where my problems lie? I can use wbinfo -g,
-u, -r, -Y,-G,-n, and -S. wbinfo -s only works on "Builtin" groups and
users.
smb.conf:
=====[global]
server string = Filtering Server
log file = /var/log/samba/log.ntlm
max log size = 50
security = ads
socket options = TCP_NODELAY
dns proxy = no
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = TEST
passdb backend = tdbsam guest
obey pam restrictions = yes
password server = server03test.test.com
realm = test.com
use spnego = yes
==================krb5.conf
============[libdefaults]
default_realm = TEST.COM
# The following krb5.conf variables are only for MIT Kerberos.
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
# permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
krb4_get_tickets=no
# The following libdefaults parameters are only for Heimdal Kerberos.
# v4_instance_resolve = false
## v4_name_convert = {
# host = {
# rcmd = host
# ftp = ftp
# }
# plain = {
# something = something-else
# }
# }
[realms]
TEST.COM = {
kdc = server03test.test.com
admin_server = server03test.test.com
default_domain = test.com
}
[domain_realm]
.test.com = TEST.COM
--
Michael Wray
AimConnect, an S4F Inc. Company
918.524.1010 ext 106
mwray@aimconnect.com
http://www.aimconnect.com
Doug VanLeuven
2005-Apr-26 01:41 UTC
[Samba] wbinfo -t fails but other wbinfo and getent items work.
Michael Wray wrote:>Problem: wbinfo -t fails. As long as it fails, I am unable to map sids to >Group Names. I need this functionality for my application. I can use just >about everyother function of wbinfo at least partially... > >Distro: Debian woody. >Packages: >ii samba 3.0.11-0woody1 a LanManager-like file and printer server fo >ii samba-common 3.0.11-0woody1 Samba common files used by both the server a >ii samba-doc 3.0.11-0woody1 Samba documentation >ii libpam-smbpass 3.0.11-0woody1 pluggable authentication module for SMB pass >ii libsmbclient 3.0.11-0woody1 shared library that allows applications to t >ii smbclient 3.0.11-0woody1 a LanManager-like simple client for Unix >ii winbind 3.0.11-0woody1 service to resolve user and group informatio >ii krb5-config 1.4 Configuration files for Kerberos Version 5 >ii krb5-doc 1.2.4-5woody8 Documentation for krb5 >ii libkrb-1-kerbe 1.2.2-8.dirk.1 Kerberos Libraries for Kerberos4 From KTH >ii libkrb5-17-hei 0.6.3-0.dirk.1 Libraries for Heimdal Kerberos >ii libkrb53 1.2.4-5woody8 MIT Kerberos runtime libraries >ii heimdal-client 0.6.3-0.dirk.1 Clients for Heimdal Kerberos >ii heimdal-kdc 0.6.3-0.dirk.1 KDC for Heimdal Kerberos >rc heimdal-server 0.6.3-0.dirk.1 Servers for Heimdal Kerberos >rc heimdal-server 0.6.3-0.dirk.1 X11 files for Heimdal Kerberos > >Hard to believe MIT & Heimdal can coexist in the standard library paths. Anyone else ever done this? Anyway, looks like libkrb53 is version 1.2.4. I never got it to work reliably, across the boards, with less than MIT krb5 V1.3. When I googled "BAD SIG" I got this from samba lists http://lists.samba.org/archive/samba/2005-January/098500.html>Caveat, I'm stuck with using "stable" backports for samba...due to the >development environment I'm in..policy dictates I wait for the package to be >backported before I can upgrade to it. >log.winbindd,log.nmbd, and log.samba only show the services starting and >stopping. If the answer is upgrading to yet a newer version of samba..then >great..the solution will have to wait. Problem started out w/ version 3.0.7, >and hasn't been working since..even with subsequent upgrades. Note: now I am >on 3.0.11 (got that about the time everyone started talking about 3.0.14.) > > > >Here is the error from my log.%m (Of and relating to winbindd) > > > >test:/var/log/samba# tail -f log.ntlm >[2005/04/25 14:38:40, 3] >nsswitch/winbindd_misc.c:winbindd_interface_version(261) > [26801]: request interface version >[2005/04/25 14:38:40, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297) > [26801]: request location of privileged pipe >[2005/04/25 14:38:40, 3] >nsswitch/winbindd_misc.c:winbindd_check_machine_acct(41) > [26801]: check machine account >[2005/04/25 14:38:40, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109) > IPC$ connections done anonymously >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708) > Doing spnego session setup (blob length=113) >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) > got OID=1 2 840 48018 1 2 2 >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) > got OID=1 2 840 113554 1 2 2 >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) > got OID=1 2 840 113554 1 2 2 3 >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733) > got OID=1 3 6 1 4 1 311 2 2 10 >[2005/04/25 14:38:40, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740) > got principal=server03test$@TEST.COM >[2005/04/25 14:38:40, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533) > Doing kerberos session setup >[2005/04/25 14:38:40, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318) > Ticket in ccache[MEMORY:cliconnect] expiration Tue, 26 Apr 2005 00:38:40 GMT >[2005/04/25 14:38:40, 0] libsmb/smb_signing.c:signing_good(240) > signing_good: BAD SIG: seq 1 >Regards, Doug