All;

I'm getting closer to tracking down my problem (I hope).

Since I want samba to verify the windows users from the Windows domain, I did the usual net join. But it still doesn't get the users from there, I still need an smbpasswd file.

So... now the question (for the real samba gurus):
Is there a substantial difference between:

net ads join -w <domain/workgroup>

and

net rpc join -w <domain/workgroup> ?

I did the "net rpc ...." because I don't have ads compiled in (owing to the problems with IBM's implementation of Kerberos not being compatible with Samba..).

BTW: The join was successful, but Samba isn't pulling user IDs from there. To do what I need to, do I HAVE to have ads compiled in?

Thanks again!

-ric
On Fri, Sep 30, 2005 at 10:01:45AM -0600, Ric Tibbetts wrote:
> All;
> I'm getting closer to tracking down my problem (I hope).
>
> Since I want samba to verify the windows users from the Windows
> domain, I did the usual net join. But it still doesn't get the users
> from there, I still need an smbpasswd file.
>
> So... now the question (for the real samba gurus):
> Is there a substantial difference between:
>
> net ads join -w <domain/workgroup>
>
> and
>
> net rpc join -w <domain/workgroup> ?
>
> I did the "net rpc ...." because I don't have ads compiled in (owing
> to the problems with IBM's implementation of Kerberos not being
> compatible with Samba..).
>
> BTW: The join was successful, but Samba isn't pulling user IDs from
> there. To do what I need to, do I HAVE to have ads compiled in?

No, you shouldn't. What is the Domain controller running ? Is it W2K3 SP1 ?

Can you post an smbd log level 10 showing a user trying to connect to your system, this should show us what is going on when smbd is trying to connect to the DC.

Jeremy.
On Fri, Sep 30, 2005 at 11:10:14AM -0600, Ric Tibbetts wrote:
> At
> >In your IP address log you have :
> >
> >[2005/09/30 10:32:41, 5] auth/auth.c:make_auth_context_subsystem(480)
> >  Making default auth method list for standalone security=user, encrypt passwords = yes
> >
> >
> >You need to have "security = domain" for this to work.
> >
> >Jeremy.
>
> Ooops. I had flipped that to test, and not put it back. Even with it
> on "security = domain" it doesn't work.
> Current logs attached.

Interesting things with your logs :

Firstly your DC *is* W2K3 SP1. Reading logs can be very interesting :-)

[000] 41 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20  AW.i.n.d .o.w.s.
[010] 00 53 00 65 00 72 00 76 00 65 00 72 00 20 00 32  .S.e.r.v .e.r. .2
[020] 00 30 00 30 00 33 00 20 00 33 00 37 00 39 00 30  .0.0.3. .3.7.9.0
[030] 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65  . .S.e.r .v.i.c.e
[040] 00 20 00 50 00 61 00 63 00 6B 00 20 00 31 00 00  . .P.a.c .k. .1..
[050] 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20  .W.i.n.d .o.w.s.
[060] 00 53 00 65 00 72 00 76 00 65 00 72 00 20 00 32  .S.e.r.v .e.r. .2
[070] 00 30 00 30 00 33 00 20 00 35 00 2E 00 32 00 00  .0.0.3. .5...2..
[080] 00 57 00 49 00 4E 00 00                          .W.I.N..

Secondly, the user logging in has the Windows name "212442". The logon to the DC succeeds, this user is then mapped to user u212442 via a username map file. The problem is this user cannot be found on the local unix box - look at the log where it says :

User u212442 does not exist, trying to add it

So, your underlying problem is that the users who are logging in and being successfully authenticated against the W2K3 SP1 DC don't exist locally. You'll either need to add them to /etc/passwd, or use winbindd.

I'm CC:ing to the list so people can see the resolution of this issue.

Jeremy.
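An added example, not part of this thread or of Samba itself, showing how the two diagnoses above can be pulled out of a log mechanically. The dump Jeremy reads is NUL-terminated UTF-16LE text that starts one byte into the buffer (hence the "AW.i.n.d" in the ASCII column). The script parses a dump_data()-style hex dump, tries both byte alignments and keeps the one that decodes to readable text, splits out the strings, and separately collects the usernames from "User ... does not exist, trying to add it" lines, since those are the accounts that still need a local entry or winbindd. Assumptions: the dump and log lines are constructed copies modelled on this message (the "jdoe" line is made up), and the field names native_os / native_lanman / primary_domain follow the SMB1 Session Setup response layout, which the thread itself does not state.

```python
import re
import string

# Constructed input: the dump lines from Jeremy's message above, in the
# dump_data()-style layout smbd uses (offset, up to 16 hex bytes, ASCII column).
SMBD_DUMP = """\
[000] 41 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 AW.i.n.d .o.w.s.
[010] 00 53 00 65 00 72 00 76 00 65 00 72 00 20 00 32 .S.e.r.v .e.r. .2
[020] 00 30 00 30 00 33 00 20 00 33 00 37 00 39 00 30 .0.0.3. .3.7.9.0
[030] 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 . .S.e.r .v.i.c.e
[040] 00 20 00 50 00 61 00 63 00 6B 00 20 00 31 00 00 . .P.a.c .k. .1..
[050] 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 .W.i.n.d .o.w.s.
[060] 00 53 00 65 00 72 00 76 00 65 00 72 00 20 00 32 .S.e.r.v .e.r. .2
[070] 00 30 00 30 00 33 00 20 00 35 00 2E 00 32 00 00 .0.0.3. .5...2..
[080] 00 57 00 49 00 4E 00 00 .W.I.N..
"""

# Constructed smbd log lines modelled on the ones quoted in the thread
# (the "jdoe" entry is invented to show more than one match).
SMBD_LOG = """\
  User u212442 does not exist, trying to add it
  Making default auth method list for standalone security=user, encrypt passwords = yes
  User jdoe does not exist, trying to add it
"""

HEX_LINE = re.compile(r"^\[([0-9A-Fa-f]+)\]\s+(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
BYTES_PER_LINE = 16  # dump_data() prints at most 16 bytes per line
MISSING_USER = re.compile(r"User (\S+) does not exist, trying to add it")


def parse_smbd_dump(text):
    """Recover the raw bytes from a dump_data()-style hex dump.

    Hex tokens are consumed until the ASCII column begins (first token that is
    not a two-digit hex pair) or 16 bytes have been read, and each line's
    offset is checked against the byte count so far to catch a mangled dump.
    """
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#05x} does not follow {len(out):#05x}")
        for tok in m.group(2).split():
            if len(out) - offset >= BYTES_PER_LINE or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def utf16le_strings(data):
    """Split NUL-terminated UTF-16LE strings out of a buffer.

    The buffer may start part-way through a 2-byte code unit (the dump above
    begins with a stray 0x41), so both alignments are tried and the one that
    yields the most printable ASCII wins. A dangling odd byte at the end is
    dropped instead of raising a decode error.
    """
    best = None
    for skip in (0, 1):
        chunk = data[skip:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        text = chunk.decode("utf-16-le", errors="replace")
        score = sum(ch in string.printable for ch in text)
        if best is None or score > best[0]:
            best = (score, skip, [s for s in text.split("\0") if s])
    return best[1], best[2]


def identify_dc(dump_text):
    """Label the strings the DC sent. Field names are an assumption based on
    the SMB1 Session Setup response order (NativeOS, NativeLanMan,
    PrimaryDomain); the thread only says the first string names the OS."""
    skip, strings = utf16le_strings(parse_smbd_dump(dump_text))
    names = ("native_os", "native_lanman", "primary_domain")
    info = dict(zip(names, strings + [None] * (len(names) - len(strings))))
    info["alignment"] = skip
    return info


def missing_local_users(log_text):
    """Usernames smbd could not resolve locally after a successful DC logon;
    each needs a local account or winbindd before the mapping can work."""
    return sorted({m.group(1) for m in MISSING_USER.finditer(log_text)})


if __name__ == "__main__":
    print(identify_dc(SMBD_DUMP))
    print(missing_local_users(SMBD_LOG))
```

Run against the dump from this message it yields the OS string "Windows Server 2003 3790 Service Pack 1", which is exactly how W2K3 SP1 was read off the log, and the missing-user list shows which accounts to add locally or hand to winbindd.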
On Fri, Sep 30, 2005 at 01:24:30PM -0600, Ric Tibbetts wrote:
> At 01:13 PM 9/30/2005, you wrote:
> >On Fri, Sep 30, 2005 at 12:38:28PM -0600, Ric Tibbetts wrote:
> >>
> >> So the user does exist. But for some strange reason (which I still
> >> don't understand), it doesn't report that to Samba at login time.
> >>
> >> >I'm CC:ing to the list so people can see the resolution of this issue.
> >>
> >> Sorry to say, that it's not resolved yet. I think we've found the
> >> symptom, but not the cause.
> >> If the user exists, why doesn't samba see it?
> >>
> >> All of the assistance on this is greatly appreciated!
> >
> >Oops, sorry - I deleted the email with the logs. You'll have to
> >send me another copy and I'll look further...
> >
> >Jeremy.
>
> No problem. Fresh logs attached.
> Again, the assist is greatly appreciated!

Ok - it looks like you're trying to use winbindd on this box. If you already have a unix uid that you've mapped the numeric windows user to you don't need to use winbindd. Can you confirm if you are running winbindd or not ? If you are, kill it and retry.

This is related to Jerry's code here in auth/auth_util.c so I might ask him to look at the log:

	/* try to fill the SAM account..  If getpwnam() fails, then try the
	   add user script (2.2.x behavior).

	   We use the _unmapped_ username here in an attempt to provide
	   consistent username mapping behavior between kerberos and NTLM[SSP]
	   authentication in domain mode security.  I.E. Username mapping
	   should be applied to the fully qualified username
	   (e.g. DOMAIN\user) and not just the login name.  Yes this means we
	   called map_username() unnecessarily in make_user_info_map() but
	   that is how the current code is designed.  Making the change here
	   is the least disruptive place.  -- jerry */

	nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
				     &found_username, &uid, &gid, &sam_account);

	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
		DEBUG(3,("User %s does not exist, trying to add it\n",
			 internal_username));
		smb_create_user(nt_domain, sent_nt_username, NULL);
		nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
					     &found_username, &uid, &gid, &sam_account);
	}

Jeremy.