Doug Sampson
2006-Sep-06 04:59 UTC
[Samba] authenticating using winbindd against NT4 domain fails
Since version 3.0.23b, I have been having trouble getting Windows & OSX users to access an NT domain member server running FreeBSD 5.4. It is now at 3.0.23c (installed this morning the 5th). root@aries:/usr/local/lib# net rpc user Password: Could not connect to server 127.0.0.1 Connection failed: NT_STATUS_NO_LOGON_SERVERS root@aries:/usr/local/lib# net rpc user Password: Could not connect to server 127.0.0.1 Connection failed: NT_STATUS_NO_LOGON_SERVERS root@aries:/usr/local/lib# net rpc testjoin -U root Join to 'DSP' is OK root@aries:/usr/local/lib# net rpc info Password: Domain Name: DSP Domain SID: S-1-5-21-2008768363-1786319642-1659389152 Sequence number: 16744 Num users: 116 Num domain groups: 16 Num local groups: 1 root@aries:/usr/local/lib# net rpc testjoin Join to 'DSP' is OK root@aries:/usr/local/lib# wbinfo -u >>> works OK root@aries:/usr/local/lib# wbinfo -g >>> works OK root@aries:/usr/local/lib# tail -n 25 /var/log/samba/log.wb-DSP cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL [2006/09/05 20:07:07, 0] nsswitch/winbindd_dual.c:child_read_request(49) Got invalid request length: 0 [2006/09/05 20:08:22, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265) cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL [2006/09/05 20:23:42, 0] nsswitch/winbindd_dual.c:child_read_request(49) Got invalid request length: 0 [2006/09/05 20:25:00, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265) cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL [2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:child_read_request(49) Got invalid request length: 0 [2006/09/05 21:00:06, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265) cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL [2006/09/05 21:00:06, 0] lib/util_sock.c:write_data(564) write_data: write failure. Error = Broken pipe [2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:fork_domain_child(825) Could not write result [2006/09/05 21:00:06, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265) cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL [2006/09/05 21:00:06, 0] lib/util_sock.c:write_data(564) write_data: write failure. Error = Broken pipe [2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:fork_domain_child(825) Could not write result [2006/09/05 21:00:06, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265) cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL root@aries:/usr/local/lib# tail -n 25 /var/log/messages Sep 5 20:25:00 aries winbindd[640]: [2006/09/05 20:25:00, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265) Sep 5 20:25:00 aries winbindd[640]: cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL Sep 5 20:25:11 aries apcupsd[557]: apcupsd 3.12.3 (26 April 2006) freebsd startup succeeded Sep 5 21:00:06 aries nmbd[627]: [2006/09/05 21:00:06, 0] nmbd/nmbd.c:terminate(58) Sep 5 21:00:06 aries nmbd[627]: Got SIGTERM: going down... Sep 5 21:00:06 aries winbindd[640]: [2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:child_read_request(49) Sep 5 21:00:06 aries winbindd[640]: Got invalid request length: 0 Sep 5 21:00:06 aries winbindd[862]: [2006/09/05 21:00:06, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265) Sep 5 21:00:06 aries winbindd[862]: cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL Sep 5 21:00:06 aries nmbd[847]: [2006/09/05 21:00:06, 0] nmbd/nmbd.c:terminate(58) Sep 5 21:00:06 aries nmbd[847]: Got SIGTERM: going down... Sep 5 21:00:06 aries winbindd[862]: [2006/09/05 21:00:06, 0] lib/util_sock.c:write_data(564) Sep 5 21:00:06 aries winbindd[862]: write_data: write failure. Error Broken pipe Sep 5 21:00:06 aries winbindd[862]: [2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:fork_domain_child(825) Sep 5 21:00:06 aries winbindd[862]: Could not write result Sep 5 21:00:06 aries winbindd[921]: [2006/09/05 21:00:06, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265) Sep 5 21:00:06 aries winbindd[921]: cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL Sep 5 21:00:06 aries nmbd[906]: [2006/09/05 21:00:06, 0] nmbd/nmbd.c:terminate(58) Sep 5 21:00:06 aries nmbd[906]: Got SIGTERM: going down... Sep 5 21:00:06 aries winbindd[921]: [2006/09/05 21:00:06, 0] lib/util_sock.c:write_data(564) Sep 5 21:00:06 aries winbindd[921]: write_data: write failure. Error Broken pipe Sep 5 21:00:06 aries winbindd[921]: [2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:fork_domain_child(825) Sep 5 21:00:06 aries winbindd[921]: Could not write result Sep 5 21:00:06 aries winbindd[979]: [2006/09/05 21:00:06, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265) Sep 5 21:00:06 aries winbindd[979]: cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL root@aries:/usr/local/lib# vi /etc/nsswitch.conf passwd: files winbind passwd_compat: nis group: files winbind group_compat: nis hosts: files dns winbind networks: files shells: files root@aries:/usr/local/lib# ll *win* lrwxr-xr-x 1 root wheel 18 Sep 5 09:28 libnss_winbind.so -> ./nss_winbind.so.1 lrwxr-xr-x 1 root wheel 18 Sep 5 09:28 libnss_winbind.so.1 -> ./nss_winbind.so.1 lrwxr-xr-x 1 root wheel 18 Sep 5 09:28 libnss_winbind.so.2 -> ./nss_winbind.so.1 lrwxr-xr-x 1 root wheel 15 Sep 5 09:25 libnss_wins.so -> ./nss_wins.so.1 lrwxr-xr-x 1 root wheel 15 Sep 5 09:26 libnss_wins.so.1 -> ./nss_wins.so.1 lrwxr-xr-x 1 root wheel 15 Sep 5 09:26 libnss_wins.so.2 -> ./nss_wins.so.1 -r-xr-xr-x 1 root wheel 16696 Jul 14 14:29 nss_winbind.ol1 lrwxr-xr-x 1 root wheel 18 Sep 5 09:30 nss_winbind.so -> ./nss_winbind.so.1 -r-xr-xr-x 1 root wheel 18232 Sep 5 09:13 nss_winbind.so.1 lrwxr-xr-x 1 root wheel 18 Sep 5 09:30 nss_winbind.so.2 -> ./nss_winbind.so.1 -r-xr-xr-x 1 root wheel 18232 Aug 28 18:23 nss_winbind.so.ol2 -rwxr-xr-x 1 root wheel 23057 Sep 15 2005 nss_winbind.so.old lrwxr-xr-x 1 root wheel 15 Sep 5 09:31 nss_wins.so -> ./nss_wins.so.1 -r-xr-xr-x 1 root wheel 745440 Sep 5 09:13 nss_wins.so.1 lrwxr-xr-x 1 root wheel 15 Sep 5 09:31 nss_wins.so.2 -> ./nss_wins.so.1 -r-xr-xr-x 1 root wheel 745184 Aug 28 20:26 nss_wins.so.bkup -r-xr-xr-x 1 root wheel 744448 Jul 14 14:31 nss_wins.so.ol1 -rwxr-xr-x 1 root wheel 813451 Sep 15 2005 nss_wins.so.old -r-xr-xr-x 1 root wheel 33416 Sep 5 09:13 pam_winbind.so When a Windows attempts to connect to Aries using Windows Explorer and browsing through the Network Neighborhood, the user receives the following message: \\ARIES is not accessible. There are currently no logon servers available to service the logon request. root@aries:/usr/local/lib# testparm -s Load smb config files from /usr/local/etc/smb.conf Processing section "[homes]" Processing section "[macdata]" Processing section "[backup]" Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER [global] workgroup = DSP server string = Samba %v security = DOMAIN password server = altair gemini log file = /var/log/samba/log.%m max log size = 50 smb ports = 139 max xmit = 65535 deadtime = 15 socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=4096 SO_SNDBUF=4096 os level = 33 local master = No dns proxy = No wins server = 192.168.1.1 idmap uid = 15000-20000 idmap gid = 15000-20000 template homedir = /usr/home/%D/%U template shell = /bin/bash winbind separator = - winbind enum users = Yes winbind enum groups = Yes hosts allow = 192.168.1., 192.168.2., 127., 10.8.0. [homes] comment = Home Directories read only = No create mask = 0700 directory mask = 0700 browseable = No [macdata] comment = Production Data path = /data valid users = DSP-alfredo, DSP-matte, DSP-michaelm, DSP-becky, DSP-marlah, DSP-doug, @production force group = @DSP-production read only = No create mask = 0770 force create mode = 0660 directory mask = 0770 force directory mode = 02770 guest ok = Yes hide files /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/.DS_Store/ vfs objects = netatalk [backup] comment = backup volume path = /backup valid users = "@DSP-domain admins", DSP-doug read only = No create mask = 0774 directory mask = 0774 force directory mode = 0774 I understand that the winbind behavior has changed in 3.0.23x (or 3.0.22?) but it was my impression that nothing had changed in the way a Samba member server authenticates against a NT4 PDC using winbindd. What might I be doing wrong here? ~Doug