Ashley Moran
2006-Oct-23 15:22 UTC
[Samba] Getting users and groups through winbind on FreeBSD
Hi

We have a few Linux Samba servers that authenticate against our Active Directory domain (Small Business Server 2000). I've added a couple of disks to a FreeBSD 6.1 server in our office and I'm trying to achieve the same, but not having much luck. I'm new to all this... I'm not our network admin, but he is BSD-phobic so I thought it was safer to do it myself.

I've installed these relevant ports:

cyrus-sasl-2.1.22            RFC 2222 SASL (Simple Authentication and Security Layer)
openldap-sasl-client-2.3.27  Open source LDAP client implementation with SASL2 support
samba-3.0.23c_2,1            A free SMB and CIFS client and server for UNIX

Here is how the server is configured:

# cat /etc/nsswitch.conf
group: files winbind
hosts: files dns
networks: files
passwd: files winbind
shells: files

# sed -nE '/^[^#;]/p' /usr/local/etc/smb.conf
[global]
workgroup = JIGSAWHQ
server string = dim samba server
security = ADS
hosts allow = 192.168.0. 127.
log file = /var/log/samba3/log.%m
log level = 4
max log size = 50
password server = jigsaw-sbs02.jigsawhq.com
realm = JIGSAWHQ.COM
socket options = TCP_NODELAY
local master = no
dns proxy = no
map hidden = no
map system = no
map archive = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
allow trusted domains = no
idmap backend = rid:JIGSAWHQ=10000-20000
winbind nested groups = yes
ldap ssl = no
template shell = /bin/tcsh
template homedir = /usr/home/%U

[Share]
comment = codeweavers share
path = /var/share
writeable = yes
public = yes
create mask = 0777
directory mask = 0777

Here are some diagnostics:

# net ads testjoin
Join is OK

# wbinfo -D JIGSAWHQ
Name              : JIGSAWHQ
Alt_Name          : jigsawhq.com
SID               : S-1-5-21-1085031214-1957994488-1343024091
Active Directory  : Yes
Native            : No
Primary           : Yes
Sequence          : 1172959

# wbinfo -u
...list of usernames... (not prepended by the domain, but it isn't on our Linux servers either)

# wbinfo -g
...list of groups...
However this command *should* now work, but doesn't:

# pw usershow PaulBarrett
pw: no such user `PaulBarrett'

The output in log.wb-JIGSAWHQ (winbindd -d4) is this:

[2006/10/23 12:35:44, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 12:35:44, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\PaulBarrett
[2006/10/23 12:35:44, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(257) rpc: name_to_sid name=JIGSAWHQ\PaulBarrett
[2006/10/23 12:35:44, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(265) name_to_sid [rpc] JIGSAWHQ\PaulBarrett for domain JIGSAWHQ
[2006/10/23 12:35:44, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine JIGSAW-SBS02 pipe \lsarpc fnum 0x4004 bind request returned ok.
[2006/10/23 12:35:44, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(941) Got challenge flags:
[2006/10/23 12:35:44, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63) Got NTLMSSP neg_flags=0x62890235
    NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_SEAL NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_CHAL_TARGET_INFO NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/10/23 12:35:44, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(963) NTLMSSP: Set final flags:
[2006/10/23 12:35:44, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63) Got NTLMSSP neg_flags=0x60080235
    NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_SEAL NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/10/23 12:35:44, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338) NTLMSSP Sign/Seal - Initialising with flags:
[2006/10/23 12:35:44, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63) Got NTLMSSP neg_flags=0x60080235
    NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_SEAL NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/10/23 12:35:44, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224) lsa_io_sec_qos: length c does not match size 8
[2006/10/23 12:35:44, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 12:35:44, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1171
[2006/10/23 12:35:44, 3] nsswitch/winbindd_ads.c:query_user(478) ads: query_user
[2006/10/23 12:35:44, 3] nsswitch/winbindd_ads.c:query_user(535) ads query_user gave PaulBarrett

When I try to log into the server from my Mac, I get to choose share "Share", and enter my credentials, but it says "Could not connect to the server because the name or password is not correct". The same log file spews out the following:

[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 13
[2006/10/23 13:04:34, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1460) [ 6457]: pam auth crap domain: JIGSAWHQ user: ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(257) rpc: name_to_sid name=JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(265) name_to_sid [rpc] JIGSAWHQ\ashleymoran for domain JIGSAWHQ
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 3] nsswitch/winbindd_ads.c:query_user(478) ads: query_user
[2006/10/23 13:04:34, 3] nsswitch/winbindd_ads.c:query_user(535) ads query_user gave ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 13
[2006/10/23 13:04:34, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1460) [ 6457]: pam auth crap domain: JIGSAWHQ user: ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 13
[2006/10/23 13:04:34, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1460) [ 6457]: pam auth crap domain: JIGSAWHQ user: ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ashleymoran
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 20
[2006/10/23 13:04:34, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(709) [ 6457]: lookupname JIGSAWHQ\ASHLEYMORAN
[2006/10/23 13:04:34, 4] nsswitch/winbindd_dual.c:fork_domain_child(806) child daemon request 49
[2006/10/23 13:04:34, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146) [ 6457]: lookupsid S-1-5-21-1085031214-1957994488-1343024091-1123

One thing I've noticed is that I've (apparently) not used LDAP anywhere. One guide I've found (and based most of my setup on - http://www.kurai.org/~gdunn/samba3-ad/fbsd_samba.html) uses LDAP explicitly, but my current setup is similar to what we've got on our Gentoo systems, and I can't see any explicit LDAP references anywhere there either.

Can anyone offer any pointers? I tried the FreeBSD list but got directed here.

Ashley
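The post above shows the two pieces of configuration that decide whether a domain account becomes a Unix account on the box: the `idmap uid`/`idmap gid` range with the `rid` backend, and the `winbind` entries in nsswitch.conf. The script below is an added example, not something from the thread or from the Samba project: it reads those settings out of constructed copies of the poster's files and predicts which of the SIDs seen in the log can be mapped at all. It assumes the Samba 3 `rid` backend's mapping rule, uid = low_id + RID (with no base RID offset), and it assumes the file paths only for the purpose of the demonstration; it does not talk to the domain controller, so it checks configuration consistency, not whether the lookups actually succeed.

```shell
#!/bin/sh
# Added example (not from the thread): offline consistency checks for a
# Samba 3 + winbind setup of the kind shown in the post above.
# Assumptions (not facts from the post):
#  - the 'rid' idmap backend assigns uid = low_id + RID (base RID 0), so a
#    domain RID is only resolvable if low_id + RID lies within 'idmap uid';
#  - nsswitch.conf must name winbind for both passwd and group.
# The smb.conf / nsswitch.conf bodies and SIDs below are constructed copies
# of what the poster showed; the third SID is made up to show a miss.

# rid_to_uid SID LOW HIGH: print the uid the rid backend would assign to this
# SID, or "out-of-range" (and return 1) if it falls outside LOW..HIGH.
rid_to_uid() {
    rid=${1##*-}                       # RID is the last dash-separated field
    uid=$(( $2 + rid ))
    if [ "$uid" -ge "$2" ] && [ "$uid" -le "$3" ]; then
        printf '%s\n' "$uid"
    else
        printf 'out-of-range\n'
        return 1
    fi
}

# idmap_range FILE: print "low high" from the first 'idmap uid = low-high'.
idmap_range() {
    sed -nE 's/^[[:space:]]*idmap uid[[:space:]]*=[[:space:]]*([0-9]+)-([0-9]+).*$/\1 \2/p' "$1" | head -n 1
}

# nss_uses_winbind FILE DB: succeed if the DB line (passwd, group) lists winbind.
nss_uses_winbind() {
    grep -Eq "^[[:space:]]*$2:([[:space:]]+[a-z]+)*[[:space:]]+winbind([[:space:]]|$)" "$1"
}

# ---- constructed sample inputs, standing in for the real files ----
tmp=$(mktemp -d) || exit 1
cat > "$tmp/smb.conf" <<'EOF'
[global]
   workgroup = JIGSAWHQ
   security = ADS
   realm = JIGSAWHQ.COM
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap backend = rid:JIGSAWHQ=10000-20000
   winbind use default domain = yes
EOF
cat > "$tmp/nsswitch.conf" <<'EOF'
group: files winbind
hosts: files dns
passwd: files winbind
EOF

set -- $(idmap_range "$tmp/smb.conf")
low=$1; high=$2
echo "idmap uid range: $low-$high (RIDs 0-$(( high - low )) fit in it)"

# Two SIDs from the poster's log plus one constructed high RID that cannot fit.
for sid in S-1-5-21-1085031214-1957994488-1343024091-1171 \
           S-1-5-21-1085031214-1957994488-1343024091-1123 \
           S-1-5-21-1085031214-1957994488-1343024091-12000; do
    echo "$sid -> $(rid_to_uid "$sid" "$low" "$high")"
done

for db in passwd group; do
    if nss_uses_winbind "$tmp/nsswitch.conf" "$db"; then
        echo "nsswitch: $db consults winbind"
    else
        echo "nsswitch: $db does NOT consult winbind"
    fi
done
rm -rf "$tmp"
```

To run it against a live box, point `idmap_range` and `nss_uses_winbind` at the real /usr/local/etc/smb.conf and /etc/nsswitch.conf and feed `rid_to_uid` the SIDs from `wbinfo -n USER`; a user whose RID maps outside the range will never appear in `getent passwd` or `pw usershow` no matter how healthy the domain join is.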
Dominic Marks
2006-Oct-23 16:29 UTC
[Samba] Getting users and groups through winbind on FreeBSD
Ashley,

No time today to look at your problem, but keep working on it as it is usually something silly. We have lots of AD-joined FreeBSD boxes. A few things I didn't notice from a brief scan of your info:

You've done a kinit? I assume you must have. What does klist return?

Is the system in good time sync? Again, this is probably implied from your other results but it is good to check.

What does your /etc/krb5.conf look like?

Cheers,
Dom