samba - Jul 2005 - wbinfo can't list users

Hi,

I'm running debian sarge with kernel 2.6.8-2-sparc64. I'm trying
to use winbind to connect to a Windows 2000 server. I can use
"net rpc join" to join the domain, but "wbinfo -u" returns
an
error. The trusted domains listed doesn't include the domain.
Please see below:

cladms003:~# net rpc join -U Administrator
Password:
Joined domain CYBERLAB.

cladms003:~# wbinfo -u
Error looking up domain users

cladms003:~# wbinfo -g
BUILTIN+system operators
BUILTIN+replicators
BUILTIN+guests
BUILTIN+power users
BUILTIN+print operators
BUILTIN+administrators
BUILTIN+account operators
BUILTIN+backup operators
BUILTIN+users

cladms003:~# wbinfo -m
CLADMS003
BUILTIN

Debug level 3 gives the following info when I try wbinfo after starting
winbindd:

cladms003:~# winbindd -d 3 -i
winbindd version 3.0.14a-Debian started.
Copyright The Samba Team 2000-2004
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[Share]"
adding IPC service
adding IPC service
added interface ip=172.18.17.2 bcast=172.18.17.255 nmask=255.255.255.0
added interface ip=172.18.17.2 bcast=172.18.17.255 nmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Added domain CYBERLAB  S-0-0
cm_get_ipc_userpass: No auth-user defined
lsa_io_sec_qos: length c does not match size 8
add_trusted_domain: CYBERLAB is an ADS mixed mode domain
rpc: trusted_domains
cm_get_ipc_userpass: No auth-user defined
Added domain BUILTIN  S-1-5-32
Added domain CLADMS003  S-1-5-21-3711304764-3117404737-3876783093
rpc: trusted_domains
[ 5044]: request interface version
[ 5044]: request location of privileged pipe
[ 5044]: list users
cm_get_ipc_userpass: No auth-user defined

The debug level 5 output shows an error of NT_STATUS_INSUFFICIENT_RESOURCES 
near the end (I can provide the full log on request):

...skipped...
rpc_api_pipe: len left: 0 smbtrans read: 96
rpc_auth_pipe: pkt_type: 2 len: 96 auth_len: 32 NTLMSSP No schannel Yes sign Yes
seal No 
000000 smb_io_rpc_hdr_auth auth_hdr
    0000 auth_type    : 44
    0001 auth_level   : 05
    0002 padding      : 08
    0003 reserved     : 00
    0004 auth_context : 00000001
000008 smb_io_rpc_auth_netsec_chk schannel_auth_sign
    0008 sig  : 77 00 ff ff ff ff 00 00 
    0010 seq_num: 76 68 2a 4b f3 e0 bc ff 
    0018 packet_digest: 6c ff 52 eb 48 5c 57 50 
    0020 confounder: 00 00 00 00 00 00 00 00 
000018 samr_io_r_connect 
        0018 data1: 00000000
        001c data2: 00000000
        0020 data3: 0000
        0022 data4: 0000
        0024 data5: 00 00 00 00 00 00 00 00 
    002c status: NT_STATUS_INSUFFICIENT_RESOURCES

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kent Tong wrote:
| Hi,
|
| I'm running debian sarge with kernel 2.6.8-2-sparc64.
| I'm trying to use winbind to connect to a Windows
| 2000 server. I can use "net rpc join" to join
| the domain, but "wbinfo -u" returns an  error.
| The trusted domains listed doesn't include the domain.
| Please see below:
...
| rpc_api_pipe: len left: 0 smbtrans read: 96
| rpc_auth_pipe: pkt_type: 2 len: 96 auth_len: 32 NTLMSSP No schannel
Yes sign Yes
| seal No
| 000000 smb_io_rpc_hdr_auth auth_hdr
|     0000 auth_type    : 44
|     0001 auth_level   : 05
|     0002 padding      : 08
|     0003 reserved     : 00
|     0004 auth_context : 00000001
| 000008 smb_io_rpc_auth_netsec_chk schannel_auth_sign
|     0008 sig  : 77 00 ff ff ff ff 00 00
|     0010 seq_num: 76 68 2a 4b f3 e0 bc ff
|     0018 packet_digest: 6c ff 52 eb 48 5c 57 50
|     0020 confounder: 00 00 00 00 00 00 00 00
| 000018 samr_io_r_connect
|         0018 data1: 00000000
|         001c data2: 00000000
|         0020 data3: 0000
|         0022 data4: 0000
|         0024 data5: 00 00 00 00 00 00 00 00
|     002c status: NT_STATUS_INSUFFICIENT_RESOURCES

You've got Windows 2000 SP4 SR1 installed don't you?
The only current fix is to either set 'client schannel = no'
in smb.conf or to just disable schannel connections
oln the SAMR pipe in nsswitch/winbindd_cm.c.




cheers, jerry
====================================================================Alleviating
the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC594MIR7qMdg1EfYRAtzFAJ4vcRgve+k5H/hCIZ3Z+IoZSL6DcACdFZqO
FaH1fAO/4xuq1+4GeX7+8FE=v07y
-----END PGP SIGNATURE-----

Gerald Carter wrote:
> You've got Windows 2000 SP4 SR1 installed don't you?
> The only current fix is to either set 'client schannel = no'
> in smb.conf or to just disable schannel connections
> oln the SAMR pipe in nsswitch/winbindd_cm.c.
Is it possible, that with 3.0.20rc1 it is necessarily to set 'client 
schannel = no' in smb.conf to properly join an mixed mode W2K SP4 (not 
SR1) AD domain with

net rpc join

even if winbind is not used?


A user of 3.0.20rc1 wrote:


eisfair # /usr/bin/net rpc join -d 3 -U
"Administrator"%"***" -S "***"
-w
  "***"
[2005/08/02 16:27:48, 3] param/loadparm.c:lp_load(4082)
   lp_load: refreshing parameters
[2005/08/02 16:27:48, 3] param/loadparm.c:init_globals(1366)
   Initialising global parameters
[2005/08/02 16:27:48, 3] param/params.c:pm_process(574)
   params.c:pm_process() - Processing configuration file
"/etc/smb.conf"
[2005/08/02 16:27:48, 3] param/loadparm.c:do_section(3542)
   Processing section "[global]"
[2005/08/02 16:27:48, 2] lib/interface.c:add_interface(81)
   added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
[2005/08/02 16:27:48, 2] lib/interface.c:add_interface(81)
   added interface ip=192.168.100.253 bcast=192.168.100.255
nmask=255.255.255.0
[2005/08/02 16:27:48, 3] libsmb/namequery.c:resolve_wins(752)
   resolve_wins: Attempting wins lookup for name Serv01<0x20>
[2005/08/02 16:27:48, 3] libsmb/namequery.c:resolve_wins(791)
   resolve_wins: using WINS server 192.168.100.1 and tag '*'
[2005/08/02 16:27:48, 2] libsmb/namequery.c:name_query(492)
   Got a positive name query response from 192.168.100.1 (
192.168.100.111 )
[2005/08/02 16:27:48, 3]
libsmb/cliconnect.c:cli_start_connection(1407)
   Connecting to host=Serv01
[2005/08/02 16:27:48, 3] lib/util_sock.c:open_socket_out(867)
   Connecting to 192.168.100.111 at port 445
[2005/08/02 16:27:49, 3]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(394)
   cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2005/08/02 16:27:49, 3]
libsmb/trusts_util.c:just_change_the_password(43)
   just_change_the_password: unable to setup creds
(NT_STATUS_ACCESS_DENIED)!
[2005/08/02 16:27:49, 1] utils/net_rpc.c:run_rpc_command(140)
   rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2005/08/02 16:27:49, 3]
libsmb/cliconnect.c:cli_start_connection(1407)
   Connecting to host=Serv01
[2005/08/02 16:27:49, 3] lib/util_sock.c:open_socket_out(867)
   Connecting to 192.168.100.111 at port 445
[2005/08/02 16:27:49, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(709)
   Doing spnego session setup (blob length=109)
[2005/08/02 16:27:49, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(734)
   got OID=1 2 840 48018 1 2 2
[2005/08/02 16:27:49, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(734)
   got OID=1 2 840 113554 1 2 2
[2005/08/02 16:27:49, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(734)
   got OID=1 2 840 113554 1 2 2 3
[2005/08/02 16:27:49, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(734)
   got OID=1 3 6 1 4 1 311 2 2 10
[2005/08/02 16:27:49, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(743)
   got principal=serv01$@***
[2005/08/02 16:27:49, 3]
libsmb/ntlmssp.c:ntlmssp_client_challenge(869)
   Got challenge flags:
[2005/08/02 16:27:49, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
   Got NTLMSSP neg_flags=0x60890215
[2005/08/02 16:27:49, 3]
libsmb/ntlmssp.c:ntlmssp_client_challenge(891)
   NTLMSSP: Set final flags:
[2005/08/02 16:27:49, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
   Got NTLMSSP neg_flags=0x60080215
[2005/08/02 16:27:49, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
   NTLMSSP Sign/Seal - Initialising with flags:
[2005/08/02 16:27:49, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
   Got NTLMSSP neg_flags=0x60080215
[2005/08/02 16:27:49, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
   lsa_io_sec_qos: length c does not match size 8
[2005/08/02 16:27:49, 3] rpc_client/cli_pipe.c:rpc_api_pipe(476)
   Bind NACK received on pipe 4010!
[2005/08/02 16:27:49, 2]
rpc_client/cli_pipe.c:cli_nt_session_open(1507)
   cli_nt_session_open: rpc bind to \PIPE\NETLOGON failed
[2005/08/02 16:27:49, 0]
utils/net_rpc_join.c:net_rpc_join_newstyle(318)
   Error domain join verification (reused connection):
NT_STATUS_UNSUCCESSFUL

Unable to join domain ***.
[2005/08/02 16:27:49, 2] utils/net.c:main(873)
   return code = 1



der tom