Sean Kennedy
2005-May-23 17:24 UTC
[Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
Hi all,

Thus far, I have managed to get wbinfo -[u|g] to display users/groups correctly, and getent passwd/group works. However, wbinfo -t fails to work, giving me this error:

[root@billing samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret

Further, this seems to be related to a problem with wbinfo -a:

[root@billing samba]# wbinfo -a user%pass
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user user%pass with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user user with challenge/response

I was able to join the domain successfully:

[root@billing samba]# net ads join
[2005/05/23 10:09:35, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for billing already exists - modifying old account
Using short domain name -- DOMAIN
Joined 'BILLING' to realm 'DOMAIN.PRI'

At this point, I am at a loss as to what to do further. I don't understand ADS well enough to know why I can get a list of usernames but I can't auth with them. That seems to be a big clue to me what's going on, but I don't understand it well enough to take it. :)

Here is my krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdr = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.PRI
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 DOMAIN.PRI = {
  kdc = dc-1.domain.pri:88
  admin_server = dc-1.domain.pri:749
  default_domain = domain.PRI
 }

[domain_realm]
 .domain.pri = DOMAIN.PRI
 domain.pri = DOMAIN.PRI

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

And here are the relevant bits of my smb.conf file:

[global]
 workgroup = DOMAIN
 realm = DOMAIN.PRI
 netbios name = BILLING
 password server = 192.168.1.3

 #domain logons = yes
 security = ads
 server string = Billing Office File Server
 interfaces = 192.168.1.0/24 127.0.0.0/8
 bind interfaces only = yes
 encrypt passwords = yes
 log level = 3
 log file = /var/log/samba/%U.log
 guest account = nobody
 guest ok = no

 use spnego = yes
 use kerberos keytab = yes

 wins server = 192.168.1.3
 # Browsing Election options
 local master = yes
 preferred master = yes
 domain master = no
 os level = 55

 wins support = no
 name resolve order = wins hosts bcast
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

 #domain admin group = @Domain Admins

 winbind uid = 1000-5000
 winbind gid = 1000-5000
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /home/%U
 template shell = /bin/bash
 winbind use default domain = yes
 winbind separator = +

Any help is greatly appreciated!

Sean

ps: Sorry for the html folks, I'll send this as text too. The html really helps with the formatting, which is why I use it.
John H Terpstra
2005-May-23 17:32 UTC
[Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
On Monday 23 May 2005 11:23, Sean Kennedy wrote:
> Hi all,
>
> Thus far, I have managed to get wbinfo -[u|g] to display users/group
> correctly, and getent passwd/group works. However, wbinfo -t fails to
> work, giving me this error:
>
> [root@billing samba]# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret

Check the security settings on the ADS domain controllers. It looks like it may have been locked down to prevent remote access.

- John T.

> Further, this seems to be related to a problem with wbinfo -a:
>
> [root@billing samba]# wbinfo -a user%pass
> plaintext password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user user%pass with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user user with challenge/response
>
> I was able to join the domain successfully:
>
> [root@billing samba]# net ads join
> [2005/05/23 10:09:35, 0] libads/ldap.c:ads_add_machine_acct(1368)
> ads_add_machine_acct: Host account for billing already exists -
> modifying old account
> Using short domain name -- DOMAIN
> Joined 'BILLING' to realm 'DOMAIN.PRI'
>
> At this point, I am at a loss as to what to do further. I don't
> understand ADS well enough to know why I can get a list of usernames but
> I can't auth with them. That seems to be a big clue to me what's going
> on, but I don't understand it well enough to take it. :)
>
> Here is my krb5.conf file:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdr = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DOMAIN.PRI
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
> default_tgs_enctypes = des-cbc-crc
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> [realms]
> DOMAIN.PRI = {
> kdc = dc-1.domain.pri:88
> admin_server = dc-1.domain.pri:749
> default_domain = domain.PRI
> }
>
> [domain_realm]
> .domain.pri = DOMAIN.PRI
> domain.pri = DOMAIN.PRI
>
> [pam]
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
>
> And here are the relevant bits of my smb.conf file:
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.PRI
> netbios name = BILLING
> password server = 192.168.1.3
>
> #domain logons = yes
> security = ads
> server string = Billing Office File Server
> interfaces = 192.168.1.0/24 127.0.0.0/8
> bind interfaces only = yes
> encrypt passwords = yes
> log level = 3
> log file = /var/log/samba/%U.log
> guest account = nobody
> guest ok = no
>
> use spnego = yes
> use kerberos keytab = yes
>
> wins server = 192.168.1.3
> # Browsing Election options
> local master = yes
> preferred master = yes
> domain master = no
> os level = 55
>
> wins support = no
> name resolve order = wins hosts bcast
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> #domain admin group = @Domain Admins
>
> winbind uid = 1000-5000
> winbind gid = 1000-5000
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%U
> template shell = /bin/bash
> winbind use default domain = yes
> winbind separator = +
>
> Any help is greatly appreciated!
>
> Sean
>
> ps: Sorry for the html folks, I'll send this as text too. The html
> really helps with the formatting, which is why I use it.

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.