[Samba] Winbind errors result in no logins!
Everyone,

We are currently seeing a very strange problem on our server. Everything will be running along smoothly and then all of a sudden, nobody will be able to login. Looking through the logs reveals the following messages...

Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): pam_winbind_request: read from socket failed!
Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): internal module error (retval = 3, user = 'NA\nda')
Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): [pamh: 0xa0c91c0] LEAVE: pam_sm_authenticate returning 3
Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): pam_winbind_request: read from socket failed!
Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): internal module error (retval = 3, user = 'na\sja')
Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): [pamh: 0x9c58c68] LEAVE: pam_sm_authenticate returning 3
Apr 24 10:55:31 LINUX-1 httpd2-prefork: pam_winbind(httpd): [pamh: 0x9c58630] ENTER: pam_sm_authenticate (flags: 0x0001)

Also, once the problem begins, the CPU goes to 95%+ for winbind! The apache2_error log shows errors like this...

[Fri Apr 24 16:08:08 2009] [error] [client 192.xxx.xxx.xxx] PAM: user 'na\\naj' - not authenticated: Error in service module
[Fri Apr 24 16:08:15 2009] [error] [client 172.xxx.xxx.xxx] PAM: user 'na\\sja' - not authenticated: Error in service module
[Fri Apr 24 16:08:29 2009] [error] [client 192.xxx.xxx.xxx] PAM: user 'na\\nda' - not authenticated: Error in service module
[Fri Apr 24 16:09:48 2009] [error] [client 192.xxx.xxx.xxx] PAM: user 'na\\nda' - not authenticated: Error in service module

Restarting the winbind and smb services clears up the problem immediately, but we can't seem to figure out what is going on. Does anyone have any suggestions of things to try? Have any of you seen this before?

Thanks,
Ron

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Problem with alternate domains and winbind
My apologies for sending this again, but I sent it late last night and was hoping someone from the morning crowd may be able to help.

I am seeing a strange problem with my domain controllers as they relate to winbind. From time to time, I lose my connection to the alternate domains. I really need some help figuring this out as I have gone as far as I can. I would be very appreciative of any ideas anyone may have.

Our primary domain is NA. I need to also be able to authenticate users in other domains such as EU, LAC, and AP. They are all trusted domains and this has worked in the past. No changes, that I am aware of, have been made to the domains.

For background, I am running samba-3.2.7-0.1.135.

When I issue the wbinfo --online-status command, I get the following: (truncated to show the relevant portions)

USTR-LINUX-1:~ # wbinfo --online-status
BUILTIN : online
USTR-LINUX-1 : online
NA : online
AP : online
EU : online
LAC : online

To further investigate those domains, I run the --domain-info switch against the domain and get the following:

USTR-LINUX-1:~ # wbinfo --domain-info=NA
Name : NA
Alt_Name : na.uis.unisys.com
SID : S-1-5-21-725345543-2052111302-527237240
Active Directory : Yes
Native: Yes
Primary : Yes

USTR-LINUX-1:~ # wbinfo --domain-info=EU
Name : EU
Alt_Name : eu.uis.unisys.com
SID : S-1-5-21-606747145-879983540-1177238915
Active Directory : Yes
Native: No
Primary : No

USTR-LINUX-1:~ # wbinfo --domain-info=AP
Name : AP
Alt_Name : ap.uis.unisys.com
SID : S-1-5-21-57989841-507921405-527237240
Active Directory : Yes
Native: No
Primary : No

USTR-LINUX-1:~ # wbinfo --domain-info=LAC
Name : LAC
Alt_Name : lac.uis.unisys.com
SID : S-1-5-21-1085031214-1454471165-1644491937
Active Directory : Yes
Native: No
Primary : No

However, when I try to retrieve the DC names, only the NA domain returns anything:

USTR-LINUX-1:~ # wbinfo --getdcname=NA
USEA-NADC3
USTR-LINUX-1:~ # wbinfo --getdcname=EU
Could not get dc name for EU

The log.wb-EU shows the following:

[2009/01/15 22:11:11, 5] winbindd/winbindd_cache.c:get_cache(178) get_cache: Setting ADS methods for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:fetch_cache_seqnum(405) fetch_cache_seqnum: invalid data size key [SEQNUM/EU]
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3863) wcache_tdc_fetch_domain: Searching for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3878) wcache_tdc_fetch_domain: Found domain EU
[2009/01/15 22:11:11, 3] winbindd/winbindd_ads.c:sequence_number(1215) ads: fetch sequence_number for EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3863) wcache_tdc_fetch_domain: Searching for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3878) wcache_tdc_fetch_domain: Found domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_ads.c:ads_cached_connection(45) ads_cached_connection
[2009/01/15 22:11:11, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680) ads_krb5_mk_req: krb5_get_credentials failed for usea-eud...@eu.uis.unisys.com (Cannot contact any KDC for requested realm)
[2009/01/15 22:11:11, 0] libads/sasl.c:ads_sasl_spnego_bind(819) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
[2009/01/15 22:11:11, 1] winbindd/winbindd_ads.c:ads_cached_connection(127) ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(526) refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:store_cache_seqnum(456) store_cache_seqnum: success [EU][4294967295 @ 1232075471]
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538) refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:11:11, 1] winbindd/winbindd_user.c:winbindd_dual_userinfo(150) error getting user info for sid S-1-5-21-606747145-879983540-1177238915-173280
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:cache_store_response(2423) Storing response for pid 30838, len 3496
[2009/01/15 22:14:45, 4] winbindd/winbindd_dual.c:fork_domain_child(1238) child daemon request 46
[2009/01/15 22:14:45, 10] winbindd/winbindd_dual.c:child_process_request(453) child_process_request: request fn GETUSERDOMGROUPS
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(490) refresh_sequence_number: EU time ok
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538) refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:cache_store_response(2423) Stor
[Samba] Problem with alternate domains and winbind
I am seeing a strange problem with my domain controllers as they relate to winbind. From time to time, I lose my connection to the alternate domains. I really need some help figuring this out as I have gone as far as I can. I would be very appreciative of any ideas anyone may have.

Our primary domain is NA. I need to also be able to authenticate users in other domains such as EU, LAC, and AP. They are all trusted domains and this has worked in the past. No changes, that I am aware of, have been made to the domains.

For background, I am running samba-3.2.7-0.1.135.

When I issue the wbinfo --online-status command, I get the following: (truncated to show the relevant portions)

USTR-LINUX-1:~ # wbinfo --online-status
BUILTIN : online
USTR-LINUX-1 : online
NA : online
AP : online
EU : online
LAC : online

To further investigate those domains, I run the --domain-info switch against the domain and get the following:

USTR-LINUX-1:~ # wbinfo --domain-info=NA
Name : NA
Alt_Name : na.uis.unisys.com
SID : S-1-5-21-725345543-2052111302-527237240
Active Directory : Yes
Native: Yes
Primary : Yes

USTR-LINUX-1:~ # wbinfo --domain-info=EU
Name : EU
Alt_Name : eu.uis.unisys.com
SID : S-1-5-21-606747145-879983540-1177238915
Active Directory : Yes
Native: No
Primary : No

USTR-LINUX-1:~ # wbinfo --domain-info=AP
Name : AP
Alt_Name : ap.uis.unisys.com
SID : S-1-5-21-57989841-507921405-527237240
Active Directory : Yes
Native: No
Primary : No

USTR-LINUX-1:~ # wbinfo --domain-info=LAC
Name : LAC
Alt_Name : lac.uis.unisys.com
SID : S-1-5-21-1085031214-1454471165-1644491937
Active Directory : Yes
Native: No
Primary : No

However, when I try to retrieve the DC names, only the NA domain returns anything:

USTR-LINUX-1:~ # wbinfo --getdcname=NA
USEA-NADC3
USTR-LINUX-1:~ # wbinfo --getdcname=EU
Could not get dc name for EU

The log.wb-EU shows the following:

[2009/01/15 22:11:11, 5] winbindd/winbindd_cache.c:get_cache(178) get_cache: Setting ADS methods for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:fetch_cache_seqnum(405) fetch_cache_seqnum: invalid data size key [SEQNUM/EU]
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3863) wcache_tdc_fetch_domain: Searching for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3878) wcache_tdc_fetch_domain: Found domain EU
[2009/01/15 22:11:11, 3] winbindd/winbindd_ads.c:sequence_number(1215) ads: fetch sequence_number for EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3863) wcache_tdc_fetch_domain: Searching for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3878) wcache_tdc_fetch_domain: Found domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_ads.c:ads_cached_connection(45) ads_cached_connection
[2009/01/15 22:11:11, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680) ads_krb5_mk_req: krb5_get_credentials failed for usea-eud...@eu.uis.unisys.com (Cannot contact any KDC for requested realm)
[2009/01/15 22:11:11, 0] libads/sasl.c:ads_sasl_spnego_bind(819) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
[2009/01/15 22:11:11, 1] winbindd/winbindd_ads.c:ads_cached_connection(127) ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(526) refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:store_cache_seqnum(456) store_cache_seqnum: success [EU][4294967295 @ 1232075471]
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538) refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:11:11, 1] winbindd/winbindd_user.c:winbindd_dual_userinfo(150) error getting user info for sid S-1-5-21-606747145-879983540-1177238915-173280
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:cache_store_response(2423) Storing response for pid 30838, len 3496
[2009/01/15 22:14:45, 4] winbindd/winbindd_dual.c:fork_domain_child(1238) child daemon request 46
[2009/01/15 22:14:45, 10] winbindd/winbindd_dual.c:child_process_request(453) child_process_request: request fn GETUSERDOMGROUPS
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(490) refresh_sequence_number: EU time ok
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538) refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:cache_store_response(2423) Storing response for pid 30838, len 3496

The logs are similar for the other domains. What can I do to get this working? The linux server
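Added example (not part of the original posts and not Samba code): a small triage script for per-domain winbind logs such as the log.wb-EU excerpt above, reporting which trusted domains have failed ADS connections and a sequence number stuck at -1 even though `wbinfo --online-status` still lists them as online. The sample text reuses four entries quoted in the post plus one constructed NA entry; the function names are hypothetical.

```python
import re

# Every entry starts with "[date time, level] source.c:function(line)".
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)"
)
# Logged at level 1 in the excerpt, so visible without full debug logging.
ADS_FAIL = re.compile(r"ads_connect for domain (?P<dom>\S+) failed: (?P<why>.+)")
# Logged at level 10 in the excerpt: the cached sequence number could not be refreshed.
SEQ_STALE = re.compile(
    r"refresh_sequence_number: (?P<dom>\S+) seq number is now -1(?!\d)"
)

# First four entries are taken from the post; the last one is constructed
# and written with the message on its own line to show both layouts parse.
SAMPLE_LOG = """\
[2009/01/15 22:11:11, 3] winbindd/winbindd_ads.c:sequence_number(1215) ads: fetch sequence_number for EU
[2009/01/15 22:11:11, 1] winbindd/winbindd_ads.c:ads_cached_connection(127) ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538) refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538) refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:14:46, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538)
  refresh_sequence_number: NA seq number is now 48213
"""


def parse_entries(text):
    """Split raw log text into entries, independent of where line breaks fall."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({
            "ts": head["ts"],
            "level": int(head["level"]),
            "func": head["func"],
            "msg": " ".join(text[head.end():end].split()),
        })
    return entries


def summarize(entries):
    """Per-domain counts of ADS connect failures and stale sequence numbers."""
    report = {}
    for entry in entries:
        fail = ADS_FAIL.search(entry["msg"])
        stale = SEQ_STALE.search(entry["msg"])
        hit = fail or stale
        if not hit:
            continue
        dom = report.setdefault(hit["dom"], {
            "ads_connect_failures": 0,
            "reasons": set(),
            "stale_seqnum": 0,
            "first": entry["ts"],
            "last": entry["ts"],
        })
        dom["last"] = entry["ts"]  # entries are read in file order
        if fail:
            dom["ads_connect_failures"] += 1
            dom["reasons"].add(fail["why"])
        if stale:
            dom["stale_seqnum"] += 1
    return report


def domains_needing_attention(report):
    """Domains with at least one failed ADS connection, sorted by name."""
    return sorted(d for d, r in report.items() if r["ads_connect_failures"])


if __name__ == "__main__":
    result = summarize(parse_entries(SAMPLE_LOG))
    for name in domains_needing_attention(result):
        info = result[name]
        print(name, info["ads_connect_failures"], info["stale_seqnum"],
              sorted(info["reasons"]), info["first"], info["last"])
```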
RE: [Samba] Server crash - Is it a Kernel or Samba problem?
Do you have any suggestions on how I may track this down? Obviously, the logs are sparse. Has anyone else reported a similar problem?

-----Original Message-----
From: Volker Lendecke [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2008 3:19 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Server crash - Is it a Kernel or Samba problem?

On Fri, Oct 10, 2008 at 11:22:58AM -0500, Trimble, Ronald D wrote:
> Oct 9 20:17:26 USTR-LINUX-1 kernel: Call Trace:
> Oct 9 20:17:26 USTR-LINUX-1 kernel: [] __dequeue_signal+0x184/0x1a0
> Oct 9 20:17:26 USTR-LINUX-1 kernel: [] dequeue_signal+0x62/0xa0
> Oct 9 20:17:26 USTR-LINUX-1 kernel: [] get_signal_to_deliver+0x7a/0x3d0
> Oct 9 20:17:26 USTR-LINUX-1 kernel: [] do_signal+0x8a/0x640
> Oct 9 20:17:26 USTR-LINUX-1 kernel: [] ckrm_invoke_event_cb_chain+0x24/0x30
> Oct 9 20:17:26 USTR-LINUX-1 kernel: [] sys_setresuid+0x1dc/0x240
> Oct 9 20:17:26 USTR-LINUX-1 kernel: [] do_notify_resume+0x37/0x40
> Oct 9 20:17:26 USTR-LINUX-1 kernel: [] work_notifysig+0x13/0x15
> Oct 9 20:17:26 USTR-LINUX-1 kernel:
> Oct 9 20:17:26 USTR-LINUX-1 kernel: Code: 89 50 04 89 02 89 da c7 43 14 00 01 10 00 c7 41 04 00 02 20
> Oct 10 00:24:53 USTR-LINUX-1 syslogd 1.4.1: restart.
>
>
> My question is: is this a kernel or a samba problem? Has anyone
> experienced this before? I do know that the server was under
> considerable SMB load (a build was being generated on another computer
> and written to this server) when the oops occurred. I am running SUSE
> SLES 9 SP4.
> Kernel is 2.6.5-7.286-bigsmp.

Kernel crashes are a kernel problem, or maybe flaky hardware. Samba might put a load on the kernel that only few other applications do, but it is a kernel problem.

Volker
[Samba] Server crash - Is it a Kernel or Samba problem?
Yesterday I had an unexpected server crash. Here is what appeared in the logs:

Oct 9 20:16:21 USTR-LINUX-1 [powersaved][11654]: resmgr: server response code 200
Oct 9 20:16:53 USTR-LINUX-1 last message repeated 19 times
Oct 9 20:17:26 USTR-LINUX-1 last message repeated 13 times
Oct 9 20:17:26 USTR-LINUX-1 kernel: Unable to handle kernel paging request at virtual address 00100104
Oct 9 20:17:26 USTR-LINUX-1 kernel: printing eip:
Oct 9 20:17:26 USTR-LINUX-1 kernel: c0134d50
Oct 9 20:17:26 USTR-LINUX-1 kernel: *pde = 09044001
Oct 9 20:17:26 USTR-LINUX-1 kernel: Oops: 0002 [#1]
Oct 9 20:17:26 USTR-LINUX-1 kernel: SMP
Oct 9 20:17:26 USTR-LINUX-1 kernel: CPU:2
Oct 9 20:17:26 USTR-LINUX-1 kernel: EIP:0060:[]Tainted: G U
Oct 9 20:17:26 USTR-LINUX-1 kernel: EFLAGS: 00010002 (2.6.5-7.286-bigsmp SLES9_SP3_BRANCH-20070531101258)
Oct 9 20:17:26 USTR-LINUX-1 kernel: EIP is at free_uid+0x20/0x50
Oct 9 20:17:26 USTR-LINUX-1 kernel: eax: 00100100 ebx: ecd84500 ecx: ecd84514 edx: 00200200
Oct 9 20:17:26 USTR-LINUX-1 kernel: esi: c9460af8 edi: 0009 ebp: 000a esp: cf66beb0
Oct 9 20:17:26 USTR-LINUX-1 kernel: ds: 007b es: 007b ss: 0068
Oct 9 20:17:26 USTR-LINUX-1 kernel: Process smbd (pid: 29272, threadinfo=cf66a000 task=ec3c4010)
Oct 9 20:17:26 USTR-LINUX-1 kernel: Stack: c677d708 c0135f64 cf66bf28 cf66bf28 ec3c4010 ec3c4554
Oct 9 20:17:26 USTR-LINUX-1 kernel: c0137c22 cf66a000 083d7520 cf66bfc4 e000 c0137ffa 2411f3bd cf66a000
Oct 9 20:17:26 USTR-LINUX-1 kernel: ec3c4554 cf66bfc4 cf66bf28 cf66a000 083d7520 cf66bfc4 ec3c4554 c010847a
Oct 9 20:17:26 USTR-LINUX-1 kernel: Call Trace:
Oct 9 20:17:26 USTR-LINUX-1 kernel: [] __dequeue_signal+0x184/0x1a0
Oct 9 20:17:26 USTR-LINUX-1 kernel: [] dequeue_signal+0x62/0xa0
Oct 9 20:17:26 USTR-LINUX-1 kernel: [] get_signal_to_deliver+0x7a/0x3d0
Oct 9 20:17:26 USTR-LINUX-1 kernel: [] do_signal+0x8a/0x640
Oct 9 20:17:26 USTR-LINUX-1 kernel: [] ckrm_invoke_event_cb_chain+0x24/0x30
Oct 9 20:17:26 USTR-LINUX-1 kernel: [] sys_setresuid+0x1dc/0x240
Oct 9 20:17:26 USTR-LINUX-1 kernel: [] do_notify_resume+0x37/0x40
Oct 9 20:17:26 USTR-LINUX-1 kernel: [] work_notifysig+0x13/0x15
Oct 9 20:17:26 USTR-LINUX-1 kernel:
Oct 9 20:17:26 USTR-LINUX-1 kernel: Code: 89 50 04 89 02 89 da c7 43 14 00 01 10 00 c7 41 04 00 02 20
Oct 10 00:24:53 USTR-LINUX-1 syslogd 1.4.1: restart.

My question is: is this a kernel or a samba problem? Has anyone experienced this before? I do know that the server was under considerable SMB load (a build was being generated on another computer and written to this server) when the oops occurred. I am running SUSE SLES 9 SP4. Kernel is 2.6.5-7.286-bigsmp.

Any help would be appreciated.

Thanks!
RE: [Samba] Winbind problem with more details.
Thanks for all of the helpful advice Ross. I will certainly make some of these changes in the future in a controlled manner. As it turns out, one of our in-house developers has found the problem and submitted a bug against winbind for it.

https://bugzilla.samba.org/show_bug.cgi?id=5264

His current patch is against the mod_auth_pam module, which is fine for us. It took the better part of an entire week and many different debugging builds to figure out exactly what was going on.

-----Original Message-----
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 2:26 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:
>
> Ross, do you have any links to document what you are saying
> about the "password server" being set to a domain? I have
> found several examples of it listing multiple DCs, but not a
> domain name.

Well you could read this mind numbing white paper,

http://technet2.microsoft.com/windowsserver/en/library/19a63021-cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true

or just look at your DNS zone,

You will notice for each forward zone for each domain that the DCs in those domains acting as DNS servers register their IP addresses under the zone name, like such:

IN A X.X.X.X
IN A X.X.X.X
IN A X.X.X.X

This by nature will force a round-robin lookup for all A queries of the domain name.

Windows 2000/2003 goes a step further by ordering the results based on the originating IP and the site networks you configured in sites and services, making sure it delivers IP addresses in your subnet first, filtering out any DC that is reported as down.

Try it out with nslookup.

Now if you have Unix DNS servers this will of course not happen, you will get round-robin without the filtering or ordering.

-Ross

> -----Original Message-----
> From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 15, 2008 12:06 PM
> To: Trimble, Ronald D; Herb Lewis
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Winbind problem with more details.
>
> Trimble, Ronald D wrote:
> >
> > Here you go...
>
> I forgot to ask which version of samba you're now running, but
> assuming it is something around '3.0.25', then here is my
> suggestion config. If it is an earlier version let me know.
>
> > [global]
> > workgroup = NA
> > realm = NA.UIS.UNISYS.COM
> > netbios name = ustr-linux-1
> > server string = USTR-LINUX-1 Samba Server
> > encrypt passwords = yes
> > security = ADS
> > password server = 192.xx.xxx.xxx
>
> I believe for an AD domain, if you set the password server
> equal to the local domain name it will round-robin query
> the closest domain controller. Test it out, it will eliminate
> the single point of failure if it works in your environment.
>
> > passdb backend = smbpasswd
>
> I tend to use tdb for my passwd backend, especially if the number
> of users is large, tdb can speed lookups tremendously.
>
> > log level = 2 winbind:10 ads:10 auth:10
> > syslog = 0
> > log file = /var/log/samba/%m.log
> > # debug level = 10
> > max log size = 5000
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> I see no idmap entries here, and don't understand how winbind
> is working at all without them, maybe some old compatibility
> feature...
>
> I suggest, and of course I don't know your full topology, so it
> will most definitely need adjusting:
>
> idmap domains = default NA
> idmap config default:default = yes
> idmap config NA:backend = rid
> idmap config NA:range = 16777216 - 33554431
>
> Is that id range valid? I have never used anything over 99, it
> seems very oddly arbitrary, but I suppose you have a reason...
>
> Normally I allocate a 10 id range per domain, so NA would have
> range 10 - 19, domain NA2 would have 20 - 29 and
> so on, makes it easier to determine the RID if the base of the
> range is on a power of ten and if you have multiple domains.
>
> idmap alloc backend = tdb
> idmap uid = 9 - 9
> idmap gid = 9 - 9
>
> This section here is for local mappings, BUILTINs and such, I
> set it as the default, but I'm sure other people will have
> their preferences or recommendations.
>
> > winbind use default domain = no
> > winbind enum users = no
> > winbind enum groups = no
> > template homedir = /home/%D/%U
> > template sh
RE: [Samba] Winbind problem with more details.
Yes, I will probably give this a try, but I will have to wait until the weekend to do so. Having to rebuild permissions during production hours would be far too stressful.

-----Original Message-----
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 2:29 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:
>
> You are 100% correct. I did have a situation several weeks
> ago where I was forced to delete the cache and as a result I
> had to go through the entire file structure to reset all the
> ACLs. It was a mess, but thankfully I have a very simple
> security model.

I would seriously think about using idmap_rid as it will make sure if you need to re-create your maps your UIDs and GIDs will be identical each time and on each server.

Of course doing so will force you to have to reset ACLs in your file structure again... :-(

-Ross

> -----Original Message-----
> From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 15, 2008 12:30 PM
> To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Winbind problem with more details.
>
> Ross S. W. Walker wrote:
> >
> > Trimble, Ronald D wrote:
> > >
> > > Here you go...
> >
> > I forgot to ask which version of samba you're now running, but
> > assuming it is something around '3.0.25', then here is my
> > suggestion config. If it is an earlier version let me know.
>
> I just realized that your config is pre-RID mapping so your
> uid/gid base is in a single tdb file that if lost or broken
> will seriously mess up your user base!
>
> If that is the case then I suggest this:
> idmap domains = default
> idmap config default:default = yes
> idmap alloc backend = tdb
> idmap uid = 16777216 - 33554431
> idmap gid = 16777216 - 33554431
>
> Forget this:
> idmap config NA:backend = rid
> idmap config NA:range = 16777216 - 33554431
>
> But remove these:
> winbind uid = 16777216-33554431
> winbind gid = 16777216-33554431
>
> Backup your tdb cache directory and smb.conf first though to
> be on the safe side.
>
> -Ross
>
> > > [global]
> > > workgroup = NA
> > > realm = NA.UIS.UNISYS.COM
> > > netbios name = ustr-linux-1
> > > server string = USTR-LINUX-1 Samba Server
> > > encrypt passwords = yes
> > > security = ADS
> > > password server = 192.xx.xxx.xxx
> >
> > I believe for an AD domain, if you set the password server
> > equal to the local domain name it will round-robin query
> > the closest domain controller. Test it out, it will eliminate
> > the single point of failure if it works in your environment.
> >
> > > passdb backend = smbpasswd
> >
> > I tend to use tdb for my passwd backend, especially if the number
> > of users is large, tdb can speed lookups tremendously.
> >
> > > log level = 2 winbind:10 ads:10 auth:10
> > > syslog = 0
> > > log file = /var/log/samba/%m.log
> > > # debug level = 10
> > > max log size = 5000
> > > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >
> > I see no idmap entries here, and don't understand how winbind
> > is working at all without them, maybe some old compatibility
> > feature...
> >
> > I suggest, and of course I don't know your full topology, so it
> > will most definitely need adjusting:
> >
> > idmap domains = default NA
> > idmap config default:default = yes
> > idmap config NA:backend = rid
> > idmap config NA:range = 16777216 - 33554431
> >
> > Is that id range valid? I have never used anything over 99, it
> > seems very oddly arbitrary, but I suppose you have a reason...
> >
> > Normally I allocate a 10 id range per domain, so NA would have
> > range 10 - 19, domain NA2 would have 20 - 29 and
> > so on, makes it easier to determine the RID if the base of the
> > range is on a power of ten and if you have multiple domains.
> >
> > idmap alloc backend = tdb
> > idmap uid = 9 - 9
> > idmap gid = 9 - 9
> >
> > This section here is for local mappings, BUILTINs and such, I
> > set it as the default, but I'm sure other people will have
> > their preferences or
RE: [Samba] Winbind problem with more details.
Ross, do you have any links to document what you are saying about the "password server" being set to a domain? I have found several examples of it listing multiple DCs, but not a domain name.

-----Original Message-----
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 12:06 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:
>
> Here you go...

I forgot to ask which version of samba you're now running, but assuming it is something around '3.0.25', then here is my suggestion config. If it is an earlier version let me know.

> [global]
> workgroup = NA
> realm = NA.UIS.UNISYS.COM
> netbios name = ustr-linux-1
> server string = USTR-LINUX-1 Samba Server
> encrypt passwords = yes
> security = ADS
> password server = 192.xx.xxx.xxx

I believe for an AD domain, if you set the password server equal to the local domain name it will round-robin query the closest domain controller. Test it out, it will eliminate the single point of failure if it works in your environment.

> passdb backend = smbpasswd

I tend to use tdb for my passwd backend, especially if the number of users is large, tdb can speed lookups tremendously.

> log level = 2 winbind:10 ads:10 auth:10
> syslog = 0
> log file = /var/log/samba/%m.log
> # debug level = 10
> max log size = 5000
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

I see no idmap entries here, and don't understand how winbind is working at all without them, maybe some old compatibility feature...

I suggest, and of course I don't know your full topology, so it will most definitely need adjusting:

idmap domains = default NA
idmap config default:default = yes
idmap config NA:backend = rid
idmap config NA:range = 16777216 - 33554431

Is that id range valid? I have never used anything over 99, it seems very oddly arbitrary, but I suppose you have a reason...

Normally I allocate a 10 id range per domain, so NA would have range 10 - 19, domain NA2 would have 20 - 29 and so on, makes it easier to determine the RID if the base of the range is on a power of ten and if you have multiple domains.

idmap alloc backend = tdb
idmap uid = 9 - 9
idmap gid = 9 - 9

This section here is for local mappings, BUILTINs and such, I set it as the default, but I'm sure other people will have their preferences or recommendations.

> winbind use default domain = no
> winbind enum users = no
> winbind enum groups = no
> template homedir = /home/%D/%U
> template shell = /bin/bash
> admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
> nt acl support = yes
> map acl inherit = yes

Notice I removed these lines:

> winbind uid = 16777216-33554431
> winbind gid = 16777216-33554431

This is old deprecated syntax, the syntax is now 'idmap uid', and it applies to id domains not explicitly configured with the 'id config' directive.

Let me know if that helps.

-Ross

__
This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
RE: [Samba] Winbind problem with more details.
Just an FYI, we are currently on 3.0.28. This server was built when 3.0 was just coming around.

-----Original Message-----
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 12:30 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Ross S. W. Walker wrote:
>
> Trimble, Ronald D wrote:
> >
> > Here you go...
>
> I forgot to ask which version of samba you're now running, but
> assuming it is something around '3.0.25', then here is my
> suggestion config. If it is an earlier version let me know.

I just realized that your config is pre-RID mapping so your uid/gid base is in a single tdb file that if lost or broken will seriously mess up your user base!

If that is the case then I suggest this:

idmap domains = default
idmap config default:default = yes
idmap alloc backend = tdb
idmap uid = 16777216 - 33554431
idmap gid = 16777216 - 33554431

Forget this:

idmap config NA:backend = rid
idmap config NA:range = 16777216 - 33554431

But remove these:

winbind uid = 16777216-33554431
winbind gid = 16777216-33554431

Backup your tdb cache directory and smb.conf first though to be on the safe side.

-Ross

> > [global]
> > workgroup = NA
> > realm = NA.UIS.UNISYS.COM
> > netbios name = ustr-linux-1
> > server string = USTR-LINUX-1 Samba Server
> > encrypt passwords = yes
> > security = ADS
> > password server = 192.xx.xxx.xxx
>
> I believe for an AD domain, if you set the password server
> equal to the local domain name it will round-robin query
> the closest domain controller. Test it out, it will eliminate
> the single point of failure if it works in your environment.
>
> > passdb backend = smbpasswd
>
> I tend to use tdb for my passwd backend, especially if the number
> of users is large, tdb can speed lookups tremendously.
>
> > log level = 2 winbind:10 ads:10 auth:10
> > syslog = 0
> > log file = /var/log/samba/%m.log
> > # debug level = 10
> > max log size = 5000
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> I see no idmap entries here, and don't understand how winbind
> is working at all without them, maybe some old compatibility
> feature...
>
> I suggest, and of course I don't know your full topology, so it
> will most definitely need adjusting:
>
> idmap domains = default NA
> idmap config default:default = yes
> idmap config NA:backend = rid
> idmap config NA:range = 16777216 - 33554431
>
> Is that id range valid? I have never used anything over 99, it
> seems very oddly arbitrary, but I suppose you have a reason...
>
> Normally I allocate a 10 id range per domain, so NA would have
> range 10 - 19, domain NA2 would have 20 - 29 and
> so on, makes it easier to determine the RID if the base of the
> range is on a power of ten and if you have multiple domains.
>
> idmap alloc backend = tdb
> idmap uid = 9 - 9
> idmap gid = 9 - 9
>
> This section here is for local mappings, BUILTINs and such, I
> set it as the default, but I'm sure other people will have
> their preferences or recommendations.
>
> > winbind use default domain = no
> > winbind enum users = no
> > winbind enum groups = no
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
> > nt acl support = yes
> > map acl inherit = yes
>
> Notice I removed these lines:
> > winbind uid = 16777216-33554431
> > winbind gid = 16777216-33554431
>
> This is old deprecated syntax, the syntax is now 'idmap uid',
> and it applies to id domains not explicitly configured with
> the 'id config' directive.
>
> Let me know if that helps.
>
> -Ross
RE: [Samba] Winbind problem with more details.
That is a lot of good information... let me give it a shot on a test system to see what happens.

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 12:06 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:
>
> Here you go...

I forgot to ask which version of samba you're now running, but assuming it is something around '3.0.25', then here is my suggestion config. If it is an earlier version let me know.

> [global]
> workgroup = NA
> realm = NA.UIS.UNISYS.COM
> netbios name = ustr-linux-1
> server string = USTR-LINUX-1 Samba Server
> encrypt passwords = yes
> security = ADS
> password server = 192.xx.xxx.xxx

I believe for an AD domain, if you set the password server equal to the local domain name it will round-robin query the closest domain controller. Test it out, it will eliminate the single point of failure if it works in your environment.

> passdb backend = smbpasswd

I tend to use tdb for my passwd backend, especially if the number of users is large, tdb can speed lookups tremendously.

> log level = 2 winbind:10 ads:10 auth:10
> syslog = 0
> log file = /var/log/samba/%m.log
> # debug level = 10
> max log size = 5000
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

I see no idmap entries here, and don't understand how winbind is working at all without them, maybe some old compatibility feature...

I suggest, and of course I don't know your full topology, so it will most definitely need adjusting:

idmap domains = default NA
idmap config default:default = yes
idmap config NA:backend = rid
idmap config NA:range = 16777216 - 33554431

Is that id range valid? I have never used anything over 99, it seems very oddly arbitrary, but I suppose you have a reason...
Normally I allocate a 10 id range per domain, so NA would have range 10 - 19, domain NA2 would have 20 - 29 and so on, makes it easier to determine the RID if the base of the range is on a power of ten and if you have multiple domains.

idmap alloc backend = tdb
idmap uid = 9 - 9
idmap gid = 9 - 9

This section here is for local mappings, BUILTINs and such, I set it as the default, but I'm sure other people will have their preferences or recommendations.

> winbind use default domain = no
> winbind enum users = no
> winbind enum groups = no
> template homedir = /home/%D/%U
> template shell = /bin/bash
> admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
> nt acl support = yes
> map acl inherit = yes

Notice I removed these lines:
> winbind uid = 16777216-33554431
> winbind gid = 16777216-33554431

This is old deprecated syntax, the syntax is now 'idmap uid', and it applies to id domains not explicitly configured with the 'id config' directive.

Let me know if that helps.

-Ross

__
This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Winbind problem with more details.
You are 100% correct. I did have a situation several weeks ago where I was forced to delete the cache and as a result I had to go through the entire file structure to reset all the ACLs. It was a mess, but thankfully I have a very simple security model.

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 12:30 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.
RE: [Samba] Winbind problem with more details.
Here you go...

[global]
workgroup = NA
realm = NA.UIS.UNISYS.COM
netbios name = ustr-linux-1
server string = USTR-LINUX-1 Samba Server
encrypt passwords = yes
security = ADS
password server = 192.xx.xxx.xxx
passdb backend = smbpasswd
log level = 2 winbind:10 ads:10 auth:10
syslog = 0
log file = /var/log/samba/%m.log
# debug level = 10
max log size = 5000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = no
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
winbind enum users = no
winbind enum groups = no
template homedir = /home/%D/%U
template shell = /bin/bash
admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
nt acl support = yes
map acl inherit = yes

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 11:09 AM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:
>
> The users who are failing are all in the same domain. What
> are you referring to in terms of the idmap?

Are you using the old 'idmap backend = rid...' or the newer 'idmap domains = ...' and the 'idmap config : backend = ...' setup?

Maybe if you can post the [global] section of your smb.conf substituting any proprietary information first of course.

-Ross

> -Original Message-
> From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 14, 2008 4:26 PM
> To: Trimble, Ronald D; Herb Lewis
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Winbind problem with more details.
>
> Trimble, Ronald D wrote:
> >
> > Just an FYI... this is not a local group but an AD Domain
> > Local group. We are using Domain Local groups since they can
> > contain users from other domains.
>
> Are all these users members of the same domain?
>
> If not, do you have the 'allow trusted domains = yes' option set?
>
> What does your idmap setup look like?
RE: [Samba] Winbind problem with more details.
-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 4:37 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Ross S. W. Walker wrote:
> Trimble, Ronald D wrote:
> >
> > Just an FYI... this is not a local group but an AD Domain
> > Local group. We are using Domain Local groups since they can
> > contain users from other domains.
>
> Are all these users members of the same domain?
>
> If not, do you have the 'allow trusted domains = yes' option set?
>
> What does your idmap setup look like?

After reading more carefully I have more questions below...

> > -Original Message-
> > From: Herb Lewis [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, February 14, 2008 3:08 PM
> > To: Trimble, Ronald D
> > Cc: samba@lists.samba.org
> > Subject: Re: [Samba] Winbind problem with more details.
> >
> > you will notice that the SID type for the requested group is 4 which we
> > see from smb.h is SID_NAME_ALIAS /* local group */
> >
> > Trimble, Ronald D wrote:
> > > Everyone,
> > > One of our developers was kind enough to insert some bug checking
> > > into the mod_auth_pam and mod_auth_sys_group so that we could see a
> > > little more of what was going on with our authentication failures.
> > > Here is what we just saw. Two of our users NA\connelmp and
> > > NA\guminssa both started getting messages that they were not part of
> > > the required group. Here is the log for you all to see...

These users started getting messages, this means it was working correctly for a while?

Yes, it was working for quite some time. And throughout any given day it will work and then stop and then begin working again... all without intervention.

When did it stop working?

We had a system crash several weeks ago. At that point we upgraded to the latest levels of samba as recommended by Novell. It has not been consistent in performance since.
Did anything change around that time that could impact this?

Yes, we upgraded samba.

> > > From /var/log/apache2/error_log

Maybe /var/log/messages, or /var/log/samba/... may have more detail as to why things aren't working.

> > > Can anyone shed some light on what is going on here? This
> > > problem has been driving me crazy for several weeks now and I
> > > could use all the help I could get. I have a full complement
> > > of logs to go along with all the above information if anyone
> > > would be so kind as to take a look. I can make it worth your
> > > while... I have a code for two free movie tickets on
> > > fandango.com if you can help me solve this. Not much, but
> > > better than an email saying thanks. :)

Try running your SID output with nscd shut down and see if that is affecting it, otherwise I would start looking at what changed in your environment that might have caused this.

I will look into disabling NSCD as you suggested.

Maybe permissions on the AD object?

Permissions have not changed.

The computer object representing this box has adequate rights to query all group objects in AD?

The server is a member of the domain and thus has all the rights it needs to query the domain.

Just throwing out some ideas here.

-Ross
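The on-and-off group denials described in this message can be measured from the CHKAUTH lines of /var/log/apache2/error_log quoted in this thread. The following is an added example, not code from the posters or from Samba; the log excerpt is constructed (invented users, group and client addresses) and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the CHKAUTH format quoted in this thread. Users, group
# and client addresses are invented; Apache writes "\" as "\\" in its error log.
SAMPLE_LOG = r"""
[Thu Feb 14 13:22:24 2008] [error] [client 192.0.2.40] CHKAUTH: is na\\alice a member of NA\\EXAMPLE-GROUP?
[Thu Feb 14 13:22:24 2008] [error] [client 192.0.2.40] CHKAUTH: YES, na\\alice is listed amongst the NA\\EXAMPLE-GROUP group members
[Thu Feb 14 13:22:25 2008] [error] [client 192.0.2.40] CHKAUTH: YES, na\\alice is listed amongst the NA\\EXAMPLE-GROUP group members
[Thu Feb 14 13:23:33 2008] [error] [client 192.0.2.40] CHKAUTH: NO, NA\\alice is NOT a member of NA\\EXAMPLE-GROUP group (with 58 members)
[Thu Feb 14 13:23:33 2008] [error] [client 192.0.2.40] CHKAUTH: GROUP: NA\\alice not in required group(s).
[Thu Feb 14 13:26:29 2008] [error] [client 192.0.2.139] CHKAUTH: NO, na\\bob is NOT a member of NA\\EXAMPLE-GROUP group (with 58 members)
[Thu Feb 14 13:27:00 2008] [error] [client 192.0.2.139] CHKAUTH: NO, NA\\bob is NOT a member of NA\\EXAMPLE-GROUP group (with 58 members), referer: https://intranet.example/ticket/1
[Thu Feb 14 13:40:00 2008] [error] [client 192.0.2.40] CHKAUTH: YES, na\\alice is listed amongst the NA\\EXAMPLE-GROUP group members
"""

# Only the YES/NO verdict lines are matched. Names are matched non-greedily so
# that account or group names containing spaces still parse.
VERDICT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] CHKAUTH: "
    r"(?P<verdict>YES|NO), (?P<user>.+?) is (?:listed amongst the|NOT a member of) "
    r"(?P<group>.+?) group(?: members| \(with (?P<count>\d+) members\))"
)


def normalize(name):
    """Undo the log's backslash escaping and fold case, so that
    'na\\\\alice' and 'NA\\\\alice' in the log count as one account."""
    return name.replace("\\\\", "\\").lower()


def parse(log_text):
    """Yield (timestamp, user, group, allowed, member_count) per verdict line."""
    for line in log_text.splitlines():
        m = VERDICT_RE.match(line.strip())
        if not m:
            continue  # "is X a member of Y?" and "GROUP:" lines carry no verdict
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        count = int(m["count"]) if m["count"] else None
        yield ts, normalize(m["user"]), normalize(m["group"]), m["verdict"] == "YES", count


def summarize(log_text):
    """Return per-(user, group) statistics over all verdict lines."""
    events = defaultdict(list)
    for ts, user, group, allowed, count in parse(log_text):
        events[(user, group)].append((ts, allowed, count))
    summary = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e[0])  # chronological; stable for equal timestamps
        verdicts = [allowed for _, allowed, _ in evs]
        summary[key] = {
            "allowed": verdicts.count(True),
            "denied": verdicts.count(False),
            # number of allowed<->denied changes between consecutive checks
            "transitions": sum(a != b for a, b in zip(verdicts, verdicts[1:])),
            "first_denied": next((ts for ts, ok, _ in evs if not ok), None),
            # distinct group sizes reported on denial lines
            "member_counts": sorted({c for _, _, c in evs if c is not None}),
        }
    return summary


def intermittent(summary):
    """Pairs whose verdict changed at least once within the log."""
    return sorted(k for k, s in summary.items() if s["transitions"] > 0)


if __name__ == "__main__":
    for (user, group), s in sorted(summarize(SAMPLE_LOG).items()):
        flag = "INTERMITTENT" if s["transitions"] else ("DENIED" if s["denied"] else "ok")
        print(f"{user} -> {group}: {s['allowed']} allowed, {s['denied']} denied, "
              f"{s['transitions']} transitions, first denied {s['first_denied']}, "
              f"member counts {s['member_counts']} [{flag}]")
```

The first_denied timestamps give a starting point for reading the winbind logs under /var/log/samba/ that Ross points to.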
RE: [Samba] Winbind problem with more details.
The users who are failing are all in the same domain. What are you referring to in terms of the idmap?

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 4:26 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:
>
> Just an FYI... this is not a local group but an AD Domain
> Local group. We are using Domain Local groups since they can
> contain users from other domains.

Are all these users members of the same domain?

If not, do you have the 'allow trusted domains = yes' option set?

What does your idmap setup look like?

-Ross

> -Original Message-
> From: Herb Lewis [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 14, 2008 3:08 PM
> To: Trimble, Ronald D
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Winbind problem with more details.
>
> you will notice that the SID type for the requested group is 4 which we
> see from smb.h is SID_NAME_ALIAS /* local group */
RE: [Samba] Winbind problem with more details.
Just an FYI... this is not a local group but an AD Domain Local group. We are using Domain Local groups since they can contain users from other domains.

-Original Message-
From: Herb Lewis [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 3:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind problem with more details.

you will notice that the SID type for the requested group is 4 which we see from smb.h is SID_NAME_ALIAS /* local group */
RE: [Samba] Winbind problem with more details.
So what does that tell me?

-Original Message-
From: Herb Lewis [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 3:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind problem with more details.

you will notice that the SID type for the requested group is 4 which we see from smb.h is SID_NAME_ALIAS /* local group */
[Samba] Winbind problem with more details.
Everyone,

One of our developers was kind enough to insert some bug checking into the mod_auth_pam and mod_auth_sys_group so that we could see a little more of what was going on with our authentication failures. Here is what we just saw. Two of our users NA\connelmp and NA\guminssa both started getting messages that they were not part of the required group. Here is the log for you all to see...

From /var/log/apache2/error_log

[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO, NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: NA\\connelmp not in required group(s).
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: NO, NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: NA\\connelmp not in required group(s).
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: NO, NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: NA\\connelmp not in required group(s).
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: is na\\guminssa a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: NO, na\\guminssa is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: GROUP: na\\guminssa not in required group(s).
[Thu Feb
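An added example, not part of the original post: one way to reduce an error_log full of CHKAUTH lines like the ones above to per-user verdict counts and to the moments where the verdict for the same user and group changes. The sample log is constructed (users, group and addresses are made up), and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in the CHKAUTH format quoted in the post; the users,
# group, client addresses and referer are made up.
SAMPLE_LOG = r"""
[Thu Feb 14 13:22:24 2008] [error] [client 192.0.2.40] CHKAUTH: is na\\usera a member of NA\\EXAMPLE-GROUP?
[Thu Feb 14 13:22:24 2008] [error] [client 192.0.2.40] CHKAUTH: YES, na\\usera is listed amongst the NA\\EXAMPLE-GROUP group members
[Thu Feb 14 13:22:31 2008] [error] [client 192.0.2.40] CHKAUTH: NO, NA\\usera is NOT a member of NA\\EXAMPLE-GROUP group (with 58 members)
[Thu Feb 14 13:22:31 2008] [error] [client 192.0.2.40] CHKAUTH: GROUP: NA\\usera not in required group(s).
[Thu Feb 14 13:22:40 2008] [error] [client 192.0.2.40] CHKAUTH: YES, na\\usera is listed amongst the NA\\EXAMPLE-GROUP group members
[Thu Feb 14 13:23:33 2008] [error] [client 192.0.2.63] CHKAUTH: NO, na\\userb is NOT a member of NA\\EXAMPLE-GROUP group (with 58 members), referer: https://example.invalid/trac/ticket/1
[Thu Feb 14 13:23:46 2008] [error] [client 192.0.2.63] CHKAUTH: NO, NA\\userb is NOT a member of NA\\EXAMPLE-GROUP group (with 58 members)
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Only the YES/NO verdict lines carry a decision; the "is X a member of Y?"
# and "GROUP: ..." lines are ignored.
VERDICT = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] CHKAUTH: "
    r"(?P<verdict>YES|NO), (?P<user>\S+) is "
    r"(?:listed amongst the|NOT a member of) (?P<group>\S+) group"
    r"(?: \(with (?P<members>\d+) members\))?"
)


def normalize(name):
    # Apache logs the domain separator as two backslashes, and the same account
    # shows up as both "na\..." and "NA\..."; fold both so they compare equal.
    return name.replace("\\\\", "\\").lower()


def parse(log_text):
    """Yield (timestamp, user, group, allowed, member_count) per verdict line."""
    for line in log_text.splitlines():
        m = VERDICT.search(line)
        if not m:
            continue
        yield (
            datetime.strptime(m["ts"], TS_FORMAT),
            normalize(m["user"]),
            normalize(m["group"]),
            m["verdict"] == "YES",
            int(m["members"]) if m["members"] else None,
        )


def tally(log_text):
    """Return {user: {"yes": n, "no": n, "denied_with_members": {counts}}}."""
    result = {}
    for _, user, _, allowed, members in parse(log_text):
        entry = result.setdefault(
            user, {"yes": 0, "no": 0, "denied_with_members": set()}
        )
        entry["yes" if allowed else "no"] += 1
        if not allowed and members is not None:
            entry["denied_with_members"].add(members)
    return result


def verdict_flips(log_text):
    """Return (user, group, before, after, seconds_between) for every change
    of verdict for the same user and group, in time order."""
    last = {}
    flips = []
    # sorted() is stable, so entries sharing a timestamp keep their file order.
    for ts, user, group, allowed, _ in sorted(parse(log_text), key=lambda e: e[0]):
        key = (user, group)
        if key in last and last[key][1] != allowed:
            gap = int((ts - last[key][0]).total_seconds())
            flips.append((user, group, last[key][1], allowed, gap))
        last[key] = (ts, allowed)
    return flips


if __name__ == "__main__":
    for user, counts in sorted(tally(SAMPLE_LOG).items()):
        print(user, counts)
    for flip in verdict_flips(SAMPLE_LOG):
        print("verdict changed:", flip)
```

A user who appears in `verdict_flips` was both allowed and denied without any change on the directory side, and the gap in seconds can be lined up against the winbind log for the same interval.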
RE: [Samba] Problem with winbind not seeing a user as part of a group
That may be possible, but like I said, sometimes it works and sometimes it doesn't. Sometimes the span between the two is only a few seconds. From: Scott Lovenberg [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 12, 2008 10:05 PM To: Trimble, Ronald D Cc: samba@lists.samba.org Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group Trimble, Ronald D wrote: I have never explored those options. We have auth fall through turned off. If the authentication fails, they get a 401 message indicating they don't have permissions. Here is an example from our vhosts.conf... DAV svn SVNPATH /scm/spar/svn SVNPathAuthz off AuthPAM_Enabled on AuthPAM_FallThrough off AuthType Basic AuthName "SPAR Subversion" require group "NA\USTR-LINUX-1-SPAR" require group "NA\USTR-LINUX-1-SPAR" SetHandler mod_python PythonHandler trac.web.modpython_frontend PythonOption TracEnv /scm/spar/trac PythonOption TracUriRoot /scm/spar/trac AuthPAM_Enabled on AuthPAM_FallThrough off AuthType Basic AuthName "SPAR Trac" require group "NA\USTR-LINUX-1-SPAR" From: Scott Lovenberg [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 12, 2008 9:27 PM To: Trimble, Ronald D Cc: samba@lists.samba.org<mailto:samba@lists.samba.org> Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group Trimble, Ronald D wrote: It looks like it is only happening when apache2 is involved. Although, other login methods are far less common. I have a suspicion it may be related to the mod_auth_pam module but what I don't understand is why it is happening. Mod_auth_pam makes dozens of requests to winbind for each session. Why do some work and others don't? Could it be that winbind is overwhelmed and thus doesn't return anything? 
-Original Message- From: Scott Lovenberg [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 12, 2008 9:09 PM To: Trimble, Ronald D Cc: samba@lists.samba.org<mailto:samba@lists.samba.org> Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group Trimble, Ronald D wrote: Everyone, Here is a challenge for all of you samba experts! Lately I have been seeing a problem where winbind is not correctly identifying a user as a member of a group he most certainly belong to. This is with a Domain Local group so I know samba should support it. Users access a HTTPS (SSL) webpage that is secured by a Domain Local group. Sometimes they get in, others they don't. Here are some examples from the logs. /var/log/apache2/error_log [Tue Feb 12 18:54:52 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe ls [Tue Feb 12 18:55:00 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe ls [Tue Feb 12 18:56:12 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe ls However a little later it is mysteriously working again... /var/log/apache2/access_log 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET /scm/spar/trac/chrome/common/css/trac.css HTTP/1.1" 304 - 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET /scm/spar/trac/chrome/common/css/browser.css HTTP/1.1" 304 - 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET /scm/spar/trac/chrome/common/css/diff.css HTTP/1.1" 304 - Now obviously my example doesn't have the user accessing the same link, but it doesn't matter. Winbind went from identifying the user as not in the group to then identifying him as in the group and nothing changed! 
This is happening several times a day and is driving us insane. What can I do to figure this out? Has anyone else seen this? Here is what is going on in the /var/log/samba/log.wb-NA (our domain) log at that time for that user. [2008/02/12 18:54:52, 10] nsswitch/winbindd_dual.c:child_process_request(479) process_request: request fn PAM_AUTH [2008/02/12 18:54:52, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341) [10824]: dual pam auth NA\selltc [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1364) winbindd_dual_pam_auth: domain: NA last was online [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_a
RE: [Samba] Problem with winbind not seeing a user as part of a group
I have never explored those options. We have auth fall through turned off. If the authentication fails, they get a 401 message indicating they don't have permissions. Here is an example from our vhosts.conf... DAV svn SVNPATH /scm/spar/svn SVNPathAuthz off AuthPAM_Enabled on AuthPAM_FallThrough off AuthType Basic AuthName "SPAR Subversion" require group "NA\USTR-LINUX-1-SPAR" require group "NA\USTR-LINUX-1-SPAR" SetHandler mod_python PythonHandler trac.web.modpython_frontend PythonOption TracEnv /scm/spar/trac PythonOption TracUriRoot /scm/spar/trac AuthPAM_Enabled on AuthPAM_FallThrough off AuthType Basic AuthName "SPAR Trac" require group "NA\USTR-LINUX-1-SPAR" From: Scott Lovenberg [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 12, 2008 9:27 PM To: Trimble, Ronald D Cc: samba@lists.samba.org Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group Trimble, Ronald D wrote: It looks like it is only happening when apache2 is involved. Although, other login methods are far less common. I have a suspicion it may be related to the mod_auth_pam module but what I don't understand is why it is happening. Mod_auth_pam makes dozens of requests to winbind for each session. Why do some work and others don't? Could it be that winbind is overwhelmed and thus doesn't return anything? -Original Message- From: Scott Lovenberg [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 12, 2008 9:09 PM To: Trimble, Ronald D Cc: samba@lists.samba.org<mailto:samba@lists.samba.org> Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group Trimble, Ronald D wrote: Everyone, Here is a challenge for all of you samba experts! Lately I have been seeing a problem where winbind is not correctly identifying a user as a member of a group he most certainly belong to. This is with a Domain Local group so I know samba should support it. Users access a HTTPS (SSL) webpage that is secured by a Domain Local group. Sometimes they get in, others they don't. 
Here are some examples from the logs. /var/log/apache2/error_log [Tue Feb 12 18:54:52 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe ls [Tue Feb 12 18:55:00 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe ls [Tue Feb 12 18:56:12 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe ls However a little later it is mysteriously working again... /var/log/apache2/access_log 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET /scm/spar/trac/chrome/common/css/trac.css HTTP/1.1" 304 - 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET /scm/spar/trac/chrome/common/css/browser.css HTTP/1.1" 304 - 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET /scm/spar/trac/chrome/common/css/diff.css HTTP/1.1" 304 - Now obviously my example doesn't have the user accessing the same link, but it doesn't matter. Winbind went from identifying the user as not in the group to then identifying him as in the group and nothing changed! This is happening several times a day and is driving us insane. What can I do to figure this out? Has anyone else seen this? Here is what is going on in the /var/log/samba/log.wb-NA (our domain) log at that time for that user. 
[2008/02/12 18:54:52, 10] nsswitch/winbindd_dual.c:child_process_request(479) process_request: request fn PAM_AUTH [2008/02/12 18:54:52, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341) [10824]: dual pam auth NA\selltc [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1364) winbindd_dual_pam_auth: domain: NA last was online [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_samlogon(1127) winbindd_dual_pam_auth_samlogon [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1416) winbindd_dual_pam_auth_samlogon succeeded [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(472) refresh_sequence_number: NA time ok [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506) refresh_sequence_number: NA seq number is n
RE: [Samba] Problem with winbind not seeing a user as part of a group
It looks like it is only happening when apache2 is involved. Although, other login methods are far less common. I have a suspicion it may be related to the mod_auth_pam module but what I don't understand is why it is happening. Mod_auth_pam makes dozens of requests to winbind for each session. Why do some work and others don't? Could it be that winbind is overwhelmed and thus doesn't return anything? -Original Message- From: Scott Lovenberg [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 12, 2008 9:09 PM To: Trimble, Ronald D Cc: samba@lists.samba.org Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group Trimble, Ronald D wrote: > Everyone, > Here is a challenge for all of you samba experts! Lately I > have been seeing a problem where winbind is not correctly identifying a user > as a member of a group he most certainly belong to. This is with a Domain > Local group so I know samba should support it. > Users access a HTTPS (SSL) webpage that is secured by a > Domain Local group. Sometimes they get in, others they don't. Here are some > examples from the logs. > > /var/log/apache2/error_log > > [Tue Feb 12 18:54:52 2008] [error] [client 172.xx.xxx.xxx] GROUP: > NA\\selltc not in required group(s)., referer: > https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe > ls [Tue Feb 12 18:55:00 2008] [error] [client 172.xx.xxx.xxx] GROUP: > NA\\selltc not in required group(s)., referer: > https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe > ls [Tue Feb 12 18:56:12 2008] [error] [client 172.xx.xxx.xxx] GROUP: > NA\\selltc not in required group(s)., referer: > https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe > ls > > However a little later it is mysteriously working again... 
> > /var/log/apache2/access_log > > 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET > /scm/spar/trac/chrome/common/css/trac.css HTTP/1.1" 304 - > 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET > /scm/spar/trac/chrome/common/css/browser.css HTTP/1.1" 304 - > 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET > /scm/spar/trac/chrome/common/css/diff.css HTTP/1.1" 304 - > > Now obviously my example doesn't have the user accessing the same link, but > it doesn't matter. Winbind went from identifying the user as not in the > group to then identifying him as in the group and nothing changed! This is > happening several times a day and is driving us insane. What can I do to > figure this out? Has anyone else seen this? > > Here is what is going on in the /var/log/samba/log.wb-NA (our domain) log at > that time for that user. > > [2008/02/12 18:54:52, 10] nsswitch/winbindd_dual.c:child_process_request(479) > process_request: request fn PAM_AUTH > [2008/02/12 18:54:52, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341) > [10824]: dual pam auth NA\selltc > [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1364) > winbindd_dual_pam_auth: domain: NA last was online > [2008/02/12 18:54:52, 10] > nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_samlogon(1127) > winbindd_dual_pam_auth_samlogon > [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1416) > winbindd_dual_pam_auth_samlogon succeeded > [2008/02/12 18:54:52, 10] > nsswitch/winbindd_cache.c:refresh_sequence_number(472) > refresh_sequence_number: NA time ok > [2008/02/12 18:54:52, 10] > nsswitch/winbindd_cache.c:refresh_sequence_number(506) > refresh_sequence_number: NA seq number is now 271835101 > [2008/02/12 18:54:52, 10] > nsswitch/winbindd_cache.c:wcache_save_name_to_sid(823) > wcache_save_name_to_sid: NA\SELLTC -> > S-1-5-21-725345543-2052111302-527237240-26405 (NT_STATUS_OK) > [2008/02/12 18:54:52, 10] > 
nsswitch/winbindd_cache.c:refresh_sequence_number(472) > refresh_sequence_number: NA time ok > [2008/02/12 18:54:52, 10] > nsswitch/winbindd_cache.c:refresh_sequence_number(506) > refresh_sequence_number: NA seq number is now 271835101 > [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:centry_expired(546) > centry_expired: Key PWD_POL/NA for domain NA is good. > [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:wcache_fetch(630) > wcache_fetch: returning entry PWD_POL/NA for domain NA > [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:password_policy(2108) > lockout_policy: [Cached] - cached info for domain NA status: > NT_STATUS_OK > [2008/02/12 18:54:52, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1546) > Setting unix username to [NA\selltc] > [2008/02/12 18:54:52, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_
[Samba] Problem with winbind not seeing a user as part of a group
Everyone,

Here is a challenge for all of you samba experts! Lately I have been seeing a problem where winbind is not correctly identifying a user as a member of a group he most certainly belongs to. This is with a Domain Local group so I know samba should support it.

Users access an HTTPS (SSL) webpage that is secured by a Domain Local group. Sometimes they get in, others they don't. Here are some examples from the logs.

/var/log/apache2/error_log

[Tue Feb 12 18:54:52 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels
[Tue Feb 12 18:55:00 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels
[Tue Feb 12 18:56:12 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels

However a little later it is mysteriously working again...

/var/log/apache2/access_log

172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET /scm/spar/trac/chrome/common/css/trac.css HTTP/1.1" 304 -
172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET /scm/spar/trac/chrome/common/css/browser.css HTTP/1.1" 304 -
172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] "GET /scm/spar/trac/chrome/common/css/diff.css HTTP/1.1" 304 -

Now obviously my example doesn't have the user accessing the same link, but it doesn't matter. Winbind went from identifying the user as not in the group to then identifying him as in the group and nothing changed! This is happening several times a day and is driving us insane. What can I do to figure this out? Has anyone else seen this?

Here is what is going on in the /var/log/samba/log.wb-NA (our domain) log at that time for that user.

[2008/02/12 18:54:52, 10] nsswitch/winbindd_dual.c:child_process_request(479)
  process_request: request fn PAM_AUTH
[2008/02/12 18:54:52, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
  [10824]: dual pam auth NA\selltc
[2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1364)
  winbindd_dual_pam_auth: domain: NA last was online
[2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_samlogon(1127)
  winbindd_dual_pam_auth_samlogon
[2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1416)
  winbindd_dual_pam_auth_samlogon succeeded
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(472)
  refresh_sequence_number: NA time ok
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
  refresh_sequence_number: NA seq number is now 271835101
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(823)
  wcache_save_name_to_sid: NA\SELLTC -> S-1-5-21-725345543-2052111302-527237240-26405 (NT_STATUS_OK)
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(472)
  refresh_sequence_number: NA time ok
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
  refresh_sequence_number: NA seq number is now 271835101
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:centry_expired(546)
  centry_expired: Key PWD_POL/NA for domain NA is good.
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:wcache_fetch(630)
  wcache_fetch: returning entry PWD_POL/NA for domain NA
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:password_policy(2108)
  lockout_policy: [Cached] - cached info for domain NA status: NT_STATUS_OK
[2008/02/12 18:54:52, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1546)
  Setting unix username to [NA\selltc]
[2008/02/12 18:54:52, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1578)
  Plain-text authentication for user NA\selltc returned NT_STATUS_OK (PAM: 0)

Please let me know if you can help me figure this out.

Thanks,
Ron

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] KRB KDC problem
Can someone help me figure out what is going on here? For quite some time now, our implementation of Samba has been humming along without problems. Now all of a sudden I am unable to get valid sequence numbers for one of our domains. Here are the details...

From /var/log/samba/log.wb-EU

[2008/02/06 10:41:41, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm)
[2008/02/06 10:41:41, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm)
[2008/02/06 10:41:41, 1] nsswitch/winbindd_ads.c:ads_cached_connection(128)
  ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(494)
  refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(438)
  store_cache_seqnum: success [EU][4294967295 @ 1202312501]
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
  refresh_sequence_number: EU seq number is now -1
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:cache_store_response(2268)
  Storing response for pid 29455, len 3240

From /etc/hosts

192.61.58.35USEA-EUDC2 USEA-EUDC2.eu.uis.unisys.com

From /etc/krb5.conf

[libdefaults]
    default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_realm = NA.UIS.UNISYS.COM
    dns_lookup_kdc = true

[realms]
    NA.UIS.UNISYS.COM = {
        kdc = 192.63.225.68:88
        admin_server = 192.63.225.68:749
    }
    EU.UIS.UNISYS.COM = {
        kdc = 192.61.58.35:88
        admin_server =192.61.58.35:749
    }
    AP.UIS.UNISYS.COM = {
        kdc = 192.61.58.61:88
        admin_server = 192.61.58.61:749
    }
    LAC.UIS.UNISYS.COM = {
        kdc = 192.61.146.131:88
        admin_server = 192.61.146.131:749
    }

[domain_realm]
    .na.uis.unisys.com = NA.UIS.UNISYS.COM
    na.uis.unisys.com = NA.UIS.UNISYS.COM
    .eu.uis.unisys.com = EU.UIS.UNISYS.COM
    eu.uis.unisys.com = EU.UIS.UNISYS.COM
    .ap.uis.unisys.com = AP.UIS.UNISYS.COM
    ap.uis.unisys.com = AP.UIS.UNISYS.COM
    .lac.uis.unisys.com = LAC.UIS.UNISYS.COM
    lac.uis.unisys.com = LAC.UIS.UNISYS.COM

Here is a sample of running the sequence wbinfo command...

LINUX-1:/etc/samba # wbinfo --sequence
LAC : 2115985
EU : DISCONNECTED
AP : DISCONNECTED
UIS : 74810628
BUILTIN : 1202313222
USTR-LINUX-1 : 1202313222
NA : 271239463

Any help would be much appreciated. Thanks!
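An added example, not part of the original post: the excerpts above store 4294967295 for a domain, report "seq number is now -1", and `wbinfo --sequence` then prints DISCONNECTED for it. The sketch below ties those three views together and attaches the last connection error the log gave for each disconnected domain. The sample inputs are constructed in the formats quoted in these posts (domain names DOMA, DOMB, DOMC are made up), and the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# 4294967295 is what the log shows being stored; read as a signed 32-bit
# value it is the -1 that the next log line reports.
SEQ_NONE = 0xFFFFFFFF

# Constructed samples (formats copied from the posts, domain names made up).
WBINFO_SEQUENCE = """\
DOMA : 271239463
DOMB : DISCONNECTED
DOMC : DISCONNECTED
BUILTIN : 1202313222
"""

WINBIND_LOG = """\
[2008/02/06 10:41:41, 1] nsswitch/winbindd_ads.c:ads_cached_connection(128)
  ads_connect for domain DOMB failed: Cannot contact any KDC for requested realm
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(438)
  store_cache_seqnum: success [DOMB][4294967295 @ 1202312501]
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(438)
  store_cache_seqnum: success [DOMA][271239463 @ 1202312501]
"""

WBINFO_LINE = re.compile(
    r"^[ \t]*(?P<dom>\S+)[ \t]*:[ \t]*(?P<val>DISCONNECTED|\d+)[ \t]*$",
    re.MULTILINE,
)

# The two failure messages that appear in the posts, plus the cache store line.
# Matching on message text (not on line breaks) also works on flattened logs.
EVENT = re.compile(
    r"ads_connect for domain (?P<ads_dom>\S+) failed: (?P<ads_why>[^\[\n]+)"
    r"|Could not open a connection to (?P<cm_dom>[^\s:]+): \((?P<cm_why>NT_STATUS_\w+)\)"
    r"|store_cache_seqnum: success \[(?P<st_dom>[^\]]+)\]\[(?P<seq>\d+) @ (?P<ts>\d+)\]"
)


def to_signed32(value):
    """Interpret an unsigned 32-bit sequence number the way the log prints it."""
    return value - (1 << 32) if value & 0x80000000 else value


def parse_wbinfo_sequence(text):
    """Return {domain: sequence number, or None when DISCONNECTED}."""
    return {
        m["dom"]: None if m["val"] == "DISCONNECTED" else int(m["val"])
        for m in WBINFO_LINE.finditer(text)
    }


def last_cache_state(log_text):
    """Walk the log in order and return {domain: (seq, stored_at_utc, reason)},
    where reason is the most recent connection error seen for that domain
    before a SEQ_NONE store, else None."""
    reason, state = {}, {}
    for m in EVENT.finditer(log_text):
        if m["ads_dom"]:
            reason[m["ads_dom"]] = m["ads_why"].strip()
        elif m["cm_dom"]:
            reason[m["cm_dom"]] = m["cm_why"]
        else:
            seq = int(m["seq"])
            when = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
            dom = m["st_dom"]
            state[dom] = (seq, when, reason.get(dom) if seq == SEQ_NONE else None)
    return state


def explain_disconnected(wbinfo_text, log_text):
    """For each DISCONNECTED domain, report when -1 was cached and why."""
    state = last_cache_state(log_text)
    report = {}
    for dom, seq in parse_wbinfo_sequence(wbinfo_text).items():
        if seq is not None:
            continue
        cached = state.get(dom)
        if cached and cached[0] == SEQ_NONE:
            report[dom] = {"since": cached[1].isoformat(), "reason": cached[2]}
        else:
            report[dom] = {"since": None, "reason": None}  # nothing in this log
    return report


if __name__ == "__main__":
    for dom, info in explain_disconnected(WBINFO_SEQUENCE, WINBIND_LOG).items():
        print(dom, info)
```

A domain reported with `reason: None` has no matching failure in the supplied log, which usually means the per-domain log file (log.wb-&lt;DOMAIN&gt; in these posts) for that domain still needs to be collected.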
[Samba] Problem with SMBFS vs CIFS
Hello,

I have the following Samba RPMs installed...

samba-client-3.0.26a-0.5
samba-3.0.26a-0.5
samba-pdb-3.0.26a-0.5
yast2-samba-server-2.9.33-0.3
kdebase3-samba-3.2.1-68.62
samba-winbind-3.0.26a-0.5
yast2-samba-client-2.9.18-0.3
samba-python-3.0.26a-0.5

I used to be able to do a mount with -t smbfs, but now I get this message whenever I try it.

Version 3.0.26a-0.5-1590-SUSE-SLES9
Please be aware that smbfs is deprecated in favor of cifs

How do I get this back to using SMBFS?

Thanks,
Ron
[Samba] How do I force other domains to work?
I am trying to get the other domains in my tree to work with my samba implementation. I have copied all the necessary config files from another samba server that does work. On this server however, I get strange results from the wbinfo -sequence command.

linux:/ # wbinfo --sequence
LAC : DISCONNECTED
EU : DISCONNECTED
AP : DISCONNECTED
UIS : DISCONNECTED
M1016 : 1
BUILTIN : 1
NA : 51137274

All the other domains are Disconnected (-1) if you look in the logs. I desperately need these to get connected so I can authenticate their users. What could be wrong?

Thanks,
Ron
[Samba] Cannot connect to other domains...
Everyone,

I am trying to connect my server to another AD domain, but it will not make the connection. I have successfully joined it to one domain in AD and I want it to authenticate users from another domain in the same tree. When I run the command wbinfo -sequence, I get disconnected messages for all the domains except my home domain. I have my krb5.conf file configured exactly as I do on another server that works perfectly. Can anyone point me to my problem?

Here is a small piece of the log.wb-EU file...

[2006/09/27 08:47:37, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(870)
  set_dc_type_and_flags: Could not open a connection to EU: (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2006/09/27 08:47:37, 10] nsswitch/winbindd_cache.c:cache_store_response(1493)
  Storing response for pid 7561, len 1300
[2006/09/27 08:47:37, 10] nsswitch/winbindd_dual.c:dual_client_read(53)
  client_read: read 1828 bytes. Need 0 more for a full request.
[2006/09/27 08:47:37, 4] nsswitch/winbindd_dual.c:fork_domain_child(479)
  child daemon request 32
[2006/09/27 08:47:37, 10] nsswitch/winbindd_dual.c:child_process_request(352)
  process_request: request fn SHOW_SEQUENCE
[2006/09/27 08:47:37, 3] nsswitch/winbindd_misc.c:winbindd_dual_show_sequence(331)
  [ 7556]: show sequence
[2006/09/27 08:47:37, 5] nsswitch/winbindd_cache.c:get_cache(137)
  get_cache: Setting MS-RPC methods for domain EU
[2006/09/27 08:47:37, 10] nsswitch/winbindd_cache.c:fetch_cache_seqnum(276)
  fetch_cache_seqnum: invalid data size key [SEQNUM/EU]
[2006/09/27 08:47:37, 10] nsswitch/winbindd_rpc.c:sequence_number(749)
  rpc: fetch sequence_number for EU
[2006/09/27 08:47:37, 8] nsswitch/winbindd_cm.c:connection_ok(806)
  Connection to for domain EU has NULL cli!
[2006/09/27 08:47:39, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(329)
  store_cache_seqnum: success [EU][4294967295 @ 1159372059]
[2006/09/27 08:47:39, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: EU seq number is now -1
[2006/09/27 08:47:39, 10] nsswitch/winbindd_cache.c:cache_store_response(1493)
  Storing response for pid 7561, len 1300
[2006/09/27 08:49:52, 10] nsswitch/winbindd_dual.c:dual_client_read(53)
  client_read: read 1828 bytes. Need 0 more for a full request.
[2006/09/27 08:49:52, 4] nsswitch/winbindd_dual.c:fork_domain_child(479)
  child daemon request 32
[2006/09/27 08:49:52, 10] nsswitch/winbindd_dual.c:child_process_request(352)
  process_request: request fn SHOW_SEQUENCE
[2006/09/27 08:49:52, 3] nsswitch/winbindd_misc.c:winbindd_dual_show_sequence(331)
  [ 7556]: show sequence
[2006/09/27 08:49:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(359)
  refresh_sequence_number: EU time ok
[2006/09/27 08:49:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: EU seq number is now -1
[2006/09/27 08:49:52, 10] nsswitch/winbindd_cache.c:cache_store_response(1493)
  Storing response for pid 7561, len 1300

Thanks,
Ron
[Samba] Other domain sequence numbers are -1
I posted this yesterday, but didn't get any responses. Can anyone help me out?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Trimble, Ronald D
Sent: Thursday, September 21, 2006 9:39 AM
To: samba@lists.samba.org
Subject: [Samba] Other domain sequence numbers are -1

Everyone,

I have configured a new SLES 10 server exactly the same as I had previously configured a SLES 9 server. The only difference is the version of samba. On the SLES 10 server, I am running the 3.0.23c level, the SLES 9 server is behind a little.

My problem is with connecting to other AD domains. Only my default domain has a valid sequence number. All the other domains are showing up as a -1. This information was retrieved from the logs since the wbinfo -sequence command times out.

Here are the relevant pieces of information. Can someone suggest what I may be doing wrong? This is very confusing to me since it works perfectly on my SLES 9 server and I copied the configuration from there.

Thanks,
Ron

From krb5.conf:

[libdefaults]
    default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_realm = NA.UIS.UNISYS.COM
    dns_lookup_kdc = true

[realms]
    NA.UIS.UNISYS.COM = {
        kdc = 192.63.225.67:88
        admin_server = 192.63.225.67:749
    }
    EU.UIS.UNISYS.COM = {
        kdc = 192.61.146.133:88
        admin_server = 192.61.146.133:749
    }
    AP.UIS.UNISYS.COM = {
        kdc = 192.61.146.132:88
        admin_server = 192.61.146.132:749
    }
    LAC.UIS.UNISYS.COM = {
        kdc = 192.61.146.131:88
        admin_server = 192.61.146.131:749
    }

[domain_realm]
    .na.uis.unisys.com = NA.UIS.UNISYS.COM
    na.uis.unisys.com = NA.UIS.UNISYS.COM
    .eu.uis.unisys.com = EU.UIS.UNISYS.COM
    eu.uis.unisys.com = EU.UIS.UNISYS.COM
    .ap.uis.unisys.com = AP.UIS.UNISYS.COM
    ap.uis.unisys.com = AP.UIS.UNISYS.COM
    .lac.uis.unisys.com = LAC.UIS.UNISYS.COM
    lac.uis.unisys.com = LAC.UIS.UNISYS.COM

From smb.conf:

[global]
    workgroup = NA
    realm = NA.UIS.UNISYS.COM
    netbios name = M1016
    encrypt passwords = yes
    security = ADS
    password server = 192.63.225.67 192.63.225.68
    passdb backend = smbpasswd
    log level = 2 winbind:10 ads:10 auth:10
    syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 5000
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    winbind use default domain = no
    winbind uid = 16777216-33554431
    winbind gid = 16777216-33554431
    winbind enum users = no
    winbind enum groups = no
[Samba] Other domain sequence numbers are -1
Everyone,

I have configured a new SLES 10 server exactly the same as I had previously configured a SLES 9 server. The only difference is the version of samba. On the SLES 10 server, I am running the 3.0.23c level, the SLES 9 server is behind a little.

My problem is with connecting to other AD domains. Only my default domain has a valid sequence number. All the other domains are showing up as a -1. This information was retrieved from the logs since the wbinfo -sequence command times out.

Here are the relevant pieces of information. Can someone suggest what I may be doing wrong? This is very confusing to me since it works perfectly on my SLES 9 server and I copied the configuration from there.

Thanks,
Ron

From krb5.conf:

[libdefaults]
    default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_realm = NA.UIS.UNISYS.COM
    dns_lookup_kdc = true

[realms]
    NA.UIS.UNISYS.COM = {
        kdc = 192.63.225.67:88
        admin_server = 192.63.225.67:749
    }
    EU.UIS.UNISYS.COM = {
        kdc = 192.61.146.133:88
        admin_server = 192.61.146.133:749
    }
    AP.UIS.UNISYS.COM = {
        kdc = 192.61.146.132:88
        admin_server = 192.61.146.132:749
    }
    LAC.UIS.UNISYS.COM = {
        kdc = 192.61.146.131:88
        admin_server = 192.61.146.131:749
    }

[domain_realm]
    .na.uis.unisys.com = NA.UIS.UNISYS.COM
    na.uis.unisys.com = NA.UIS.UNISYS.COM
    .eu.uis.unisys.com = EU.UIS.UNISYS.COM
    eu.uis.unisys.com = EU.UIS.UNISYS.COM
    .ap.uis.unisys.com = AP.UIS.UNISYS.COM
    ap.uis.unisys.com = AP.UIS.UNISYS.COM
    .lac.uis.unisys.com = LAC.UIS.UNISYS.COM
    lac.uis.unisys.com = LAC.UIS.UNISYS.COM

From smb.conf:

[global]
    workgroup = NA
    realm = NA.UIS.UNISYS.COM
    netbios name = M1016
    encrypt passwords = yes
    security = ADS
    password server = 192.63.225.67 192.63.225.68
    passdb backend = smbpasswd
    log level = 2 winbind:10 ads:10 auth:10
    syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 5000
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    winbind use default domain = no
    winbind uid = 16777216-33554431
    winbind gid = 16777216-33554431
    winbind enum users = no
    winbind enum groups = no
RE: [Samba] NET ADS JOIN error
I get the same error either way.

-----Original Message-----
From: Howard Wilkinson [mailto:[EMAIL PROTECTED]
Sent: Friday, July 14, 2006 11:16 AM
To: Trimble, Ronald D; samba@lists.samba.org
Subject: RE: [Samba] NET ADS JOIN error

Check that the backslashes are not being interpolated by the shell; you may want to try:

net ads join "United States\\Tredyffrin\\Resource\\Servers" -U trimblrd

Howard.

Coherent Technology Limited, 23 Northampton Square, Finsbury, London EC1V 0HL, United Kingdom
Telephone: +44 20 76907075 Fax: +44 20 79230110 Mobile: +44 7980 639379
Company Email: [EMAIL PROTECTED] Website: http://www.cohtech.com <http://www.cohtech.com/>

From: [EMAIL PROTECTED] on behalf of Trimble, Ronald D
Sent: Fri 2006-07-14 16:06
To: samba@lists.samba.org
Subject: [Samba] NET ADS JOIN error

Can anyone shed some light on this error? I can't seem to find any information as to why it is failing. Thanks.

USTR-MINT-A-1:~ # net ads join "United States\Tredyffrin\Resources\Servers" -U trimblrd
trimblrd's password:
Failed to pre-create the machine object in OU United States\Tredyffrin\Resources\Servers.

I have tried two different domain admin accounts and I get the same error each time. It's strange since the object already exists in AD.
[Samba] NET ADS JOIN error
Can anyone shed some light on this error? I can't seem to find any information as to why it is failing. Thanks.

USTR-MINT-A-1:~ # net ads join "United States\Tredyffrin\Resources\Servers" -U trimblrd
trimblrd's password:
Failed to pre-create the machine object in OU United States\Tredyffrin\Resources\Servers.

I have tried two different domain admin accounts and I get the same error each time. It's strange since the object already exists in AD.
RE: [Samba] How do I troubleshoot this panic?
It looks like the latest release does work. Thanks for the help guys!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Trimble, Ronald D
Sent: Tuesday, July 11, 2006 3:49 PM
To: Gerald (Jerry) Carter
Cc: samba@lists.samba.org; [EMAIL PROTECTED]
Subject: RE: [Samba] How do I troubleshoot this panic?

We most certainly have users with more than 20 to 25 AD groups. I will give the latest release a try.

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 11, 2006 3:49 PM
To: Trimble, Ronald D
Cc: [EMAIL PROTECTED]; samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

Trimble, Ronald D wrote:
> I tried ext3 on another server... a fresh install of
> SUSE Linux 10.1. Another panic. Here are the details...

This has got to be the static group list bug. Do you have users in more than say 20 - 25 groups in AD? Could you try the 3.0.23 SuSE rpms on samba.org? Thanks.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
RE: [Samba] How do I troubleshoot this panic?
We most certainly have users with more than 20 to 25 AD groups. I will give the latest release a try.

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 11, 2006 3:49 PM
To: Trimble, Ronald D
Cc: [EMAIL PROTECTED]; samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

Trimble, Ronald D wrote:
> I tried ext3 on another server... a fresh install of
> SUSE Linux 10.1. Another panic. Here are the details...

This has got to be the static group list bug. Do you have users in more than say 20 - 25 groups in AD? Could you try the 3.0.23 SuSE rpms on samba.org? Thanks.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
RE: [Samba] How do I troubleshoot this panic?
I tried ext3 on another server... a fresh install of SUSE Linux 10.1. Another panic. Here are the details...

===
[2006/07/11 15:33:03, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 6 in pid 3586 (3.0.22-11-SUSE-CODE10)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/07/11 15:33:03, 0] lib/fault.c:fault_report(39)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/07/11 15:33:03, 0] lib/fault.c:fault_report(40)
  ===
[2006/07/11 15:33:03, 0] lib/util.c:smb_panic2(1554)
  PANIC: internal error
[2006/07/11 15:33:03, 0] lib/util.c:smb_panic2(1562)
  BACKTRACE: 26 stack frames:
   #0 /usr/sbin/winbindd(smb_panic2+0x8a) [0x800b699a]
   #1 /usr/sbin/winbindd(smb_panic+0x19) [0x800b6bf9]
   #2 /usr/sbin/winbindd [0x800a0f52]
   #3 [0xe420]
   #4 /lib/libc.so.6(abort+0x103) [0xb7ca2ea3]
   #5 /lib/libc.so.6 [0xb7cd6f8b]
   #6 /lib/libc.so.6(__chk_fail+0x41) [0xb7d48b31]
   #7 /lib/libc.so.6 [0xb7d48533]
   #8 /lib/libc.so.6(__snprintf_chk+0x37) [0xb7d48417]
   #9 /usr/sbin/winbindd [0x8004163a]
   #10 /usr/sbin/winbindd(tdb_traverse+0xf0) [0x800cdc90]
   #11 /usr/sbin/winbindd(wcache_flush_cache+0xc0) [0x8003e220]
   #12 /usr/sbin/winbindd [0x8003e43b]
   #13 /usr/sbin/winbindd [0x80042eff]
   #14 /usr/sbin/winbindd [0x80058dc5]
   #15 /usr/sbin/winbindd(run_events+0x6d) [0x800d15fd]
   #16 /usr/sbin/winbindd [0x80057f90]
   #17 /usr/sbin/winbindd(async_domain_request+0x58) [0x80059788]
   #18 /usr/sbin/winbindd(do_async_domain+0xb0) [0x8005cfe0]
   #19 /usr/sbin/winbindd(winbindd_lookupname_async+0xe6) [0x8005de76]
   #20 /usr/sbin/winbindd(winbindd_getpwnam+0x2ad) [0x80035d7d]
   #21 /usr/sbin/winbindd [0x80032327]
   #22 /usr/sbin/winbindd [0x80033ab8]
   #23 /usr/sbin/winbindd(main+0x830) [0x80032dc0]
   #24 /lib/libc.so.6(__libc_start_main+0xdc) [0xb7c8e87c]
   #25 /usr/sbin/winbindd [0x80031541]

-----Original Message-----
From: Volker Lendecke [mailto:[EMAIL PROTECTED] On Behalf Of Volker Lendecke
Sent: Friday, July 07, 2006 10:22 AM
To: Trimble, Ronald D
Cc: Gerald (Jerry) Carter; samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

On Fri, Jul 07, 2006 at 10:17:13AM -0400, Trimble, Ronald D wrote:
> ReiserFS is a problem? It's the default. I would imagine you would be
> seeing tons of complaints if it was due to the fs, don't you agree?

Just try ext3.

Volker
RE: [Samba] How do I troubleshoot this panic?
Sure. I will download it and give it a try. I will let you know what I find out.

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, July 07, 2006 10:27 AM
To: Trimble, Ronald D
Cc: [EMAIL PROTECTED]; samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

Volker Lendecke wrote:
> On Fri, Jul 07, 2006 at 10:17:13AM -0400, Trimble, Ronald D wrote:
>
>> ReiserFS is a problem? It's the default. I
>> would imagine you would be seeing tons of complaints
>> if it was due to the fs, don't you agree?
>
> Just try ext3.

Although I am not a fan of reiserfs either, this may be a problem related to the number of groups. It depends on what patches SuSE included in their 10.1 samba rpms. Would you mind trying the 3.0.23rc3 release first?

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
RE: [Samba] How do I troubleshoot this panic?
ReiserFS is a problem? It's the default. I would imagine you would be seeing tons of complaints if it was due to the fs, don't you agree?

-----Original Message-----
From: Volker Lendecke [mailto:[EMAIL PROTECTED] On Behalf Of Volker Lendecke
Sent: Friday, July 07, 2006 10:15 AM
To: Trimble, Ronald D
Cc: Gerald (Jerry) Carter; samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

On Fri, Jul 07, 2006 at 10:08:24AM -0400, Trimble, Ronald D wrote:
> Maybe I jumped the gun a little too soon Jerry. After successfully
> logging into the server a few times, it has stopped working again. That
> file has been recreated.
>
> I am using the default SUSE Linux 10.1 install. Any other ideas?

This sounds a lot like reiserfs. Try to put all the .tdb files on ext3.

Volker
RE: [Samba] How do I troubleshoot this panic?
Maybe I jumped the gun a little too soon Jerry. After successfully logging into the server a few times, it has stopped working again. That file has been recreated. I am using the default SUSE Linux 10.1 install. Any other ideas?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Trimble, Ronald D
Sent: Friday, July 07, 2006 9:58 AM
To: Gerald (Jerry) Carter
Cc: samba@lists.samba.org
Subject: RE: [Samba] How do I troubleshoot this panic?

Deleting that file seemed to have done the trick. What does that file do? What made you suspect this?

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, July 07, 2006 7:47 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

Trimble, Ronald D wrote:
> I have a server that has a smb_panic every time
> I start/restart the winbind service. How do I go about
> fixing this? Here is the output from the winbind log file.
>
> ===
> INTERNAL ERROR: Signal 6 in pid 3835 (3.0.22-11-SUSE-CODE10)
> Please read the Trouble-Shooting section of the Samba3-HOWTO
> From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> ===
>
> PANIC: internal error
> BACKTRACE: 23 stack frames:
>  #0 /usr/sbin/winbindd(smb_panic2+0x8a) [0x800b699a]
>  #1 /usr/sbin/winbindd(smb_panic+0x19) [0x800b6bf9]
>  #2 /usr/sbin/winbindd [0x800a0f52]
>  #3 [0xe420]
>  #4 /lib/libc.so.6(abort+0x103) [0xb7d7dea3]
>  #5 /lib/libc.so.6 [0xb7db1f8b]
>  #6 /lib/libc.so.6(__chk_fail+0x41) [0xb7e23b31]
>  #7 /lib/libc.so.6 [0xb7e23533]
>  #8 /lib/libc.so.6(__snprintf_chk+0x37) [0xb7e23417]
>  #9 /usr/sbin/winbindd [0x8004163a]
>  #10 /usr/sbin/winbindd(tdb_traverse+0xf0) [0x800cdc90]
>  #11 /usr/sbin/winbindd(wcache_flush_cache+0xc0) [0x8003e220]

You can recompile with --enable-debug and run "winbindd -d 10 -i" under gdb. Looking at the backtrace, I think if you delete winbindd_cache.tdb, you might be ok.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
RE: [Samba] How do I troubleshoot this panic?
Deleting that file seemed to have done the trick. What does that file do? What made you suspect this?

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, July 07, 2006 7:47 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

Trimble, Ronald D wrote:
> I have a server that has a smb_panic every time
> I start/restart the winbind service. How do I go about
> fixing this? Here is the output from the winbind log file.
>
> ===
> INTERNAL ERROR: Signal 6 in pid 3835 (3.0.22-11-SUSE-CODE10)
> Please read the Trouble-Shooting section of the Samba3-HOWTO
> From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> ===
>
> PANIC: internal error
> BACKTRACE: 23 stack frames:
>  #0 /usr/sbin/winbindd(smb_panic2+0x8a) [0x800b699a]
>  #1 /usr/sbin/winbindd(smb_panic+0x19) [0x800b6bf9]
>  #2 /usr/sbin/winbindd [0x800a0f52]
>  #3 [0xe420]
>  #4 /lib/libc.so.6(abort+0x103) [0xb7d7dea3]
>  #5 /lib/libc.so.6 [0xb7db1f8b]
>  #6 /lib/libc.so.6(__chk_fail+0x41) [0xb7e23b31]
>  #7 /lib/libc.so.6 [0xb7e23533]
>  #8 /lib/libc.so.6(__snprintf_chk+0x37) [0xb7e23417]
>  #9 /usr/sbin/winbindd [0x8004163a]
>  #10 /usr/sbin/winbindd(tdb_traverse+0xf0) [0x800cdc90]
>  #11 /usr/sbin/winbindd(wcache_flush_cache+0xc0) [0x8003e220]

You can recompile with --enable-debug and run "winbindd -d 10 -i" under gdb. Looking at the backtrace, I think if you delete winbindd_cache.tdb, you might be ok.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
[Samba] How do I troubleshoot this panic?
I have a server that has a smb_panic every time I start/restart the winbind service. How do I go about fixing this? Here is the output from the winbind log file.

===
[2006/07/06 14:04:26, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 6 in pid 3835 (3.0.22-11-SUSE-CODE10)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/07/06 14:04:26, 0] lib/fault.c:fault_report(39)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/07/06 14:04:26, 0] lib/fault.c:fault_report(40)
  ===
[2006/07/06 14:04:26, 0] lib/util.c:smb_panic2(1554)
  PANIC: internal error
[2006/07/06 14:04:26, 0] lib/util.c:smb_panic2(1562)
  BACKTRACE: 23 stack frames:
   #0 /usr/sbin/winbindd(smb_panic2+0x8a) [0x800b699a]
   #1 /usr/sbin/winbindd(smb_panic+0x19) [0x800b6bf9]
   #2 /usr/sbin/winbindd [0x800a0f52]
   #3 [0xe420]
   #4 /lib/libc.so.6(abort+0x103) [0xb7d7dea3]
   #5 /lib/libc.so.6 [0xb7db1f8b]
   #6 /lib/libc.so.6(__chk_fail+0x41) [0xb7e23b31]
   #7 /lib/libc.so.6 [0xb7e23533]
   #8 /lib/libc.so.6(__snprintf_chk+0x37) [0xb7e23417]
   #9 /usr/sbin/winbindd [0x8004163a]
   #10 /usr/sbin/winbindd(tdb_traverse+0xf0) [0x800cdc90]
   #11 /usr/sbin/winbindd(wcache_flush_cache+0xc0) [0x8003e220]
   #12 /usr/sbin/winbindd [0x8003e43b]
   #13 /usr/sbin/winbindd [0x80042eff]
   #14 /usr/sbin/winbindd [0x80058dc5]
   #15 /usr/sbin/winbindd(run_events+0x6d) [0x800d15fd]
   #16 /usr/sbin/winbindd [0x80057f90]
   #17 /usr/sbin/winbindd(init_child_connection+0x2a3) [0x8003c463]
   #18 /usr/sbin/winbindd(async_domain_request+0xb6) [0x800597e6]
   #19 /usr/sbin/winbindd(rescan_trusted_domains+0x110) [0x8003cc60]
   #20 /usr/sbin/winbindd(main+0x66d) [0x80032bfd]
   #21 /lib/libc.so.6(__libc_start_main+0xdc) [0xb7d6987c]
   #22 /usr/sbin/winbindd [0x80031541]
RE: [Samba] AD users from different AD domains - update
Volker, I know you and I have been over this in the past, but I have a few questions based on this thread. If winbind does correctly list the groups, why does it not correctly tell you that the user is indeed a member of that group? Are you saying that if you were an admin in all domains it would work? What if the server was not merely a member server? Would it work then? I am not trying to be a pain, I am just looking for solutions to a problem that lots of other Windows admins like myself see as a huge issue. Sincerely, Ron

-----Original Message-----
From: Volker Lendecke [mailto:[EMAIL PROTECTED] On Behalf Of Volker Lendecke
Sent: Wednesday, May 10, 2006 11:17 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] AD users from different AD domains - update

On Wed, May 10, 2006 at 11:00:44AM -0400, Trimble, Ronald D wrote:
> In other words, i would like to know if it is possible to
> check the membership of a user in a group of another AD
> domain ?

No, it is not. The only operation regarding group membership that is doable reliably is getting the list of groups a user is member of directly while this user is logging in. Anything beyond that like asking the same question without having logged in, getting a list of members of a group, getting lists of users and groups and so on will sooner or later fail if you are not administrator of all domains in question. Winbind is not made for being admin in all domains, and this is nothing that you _want_ winbind on a member server to be.

Please look at the explanations in bug #3530. Don't wait for this to be fixed.

Volker
RE: [Samba] AD users from different AD domains - update
I am also waiting for this to be "fixed."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lionel Déruaz
Sent: Wednesday, May 10, 2006 9:16 AM
To: samba@lists.samba.org
Subject: [Samba] AD users from different AD domains - update

hello

in a previous post, i was describing the behaviour with samba 3.0.21rc1 (winbind in particular) :
- We have a single AD forest, with different domains, A & B.
- The group, in domain A, we use for our authentication process contains user from the 2 domains A & B.

While using wbinfo, i cannot succeed to get a positive answer when i ask if a user from domain B belongs or not to the group. (but the user belongs to this group)

In other words, i would like to know if it is possible to check the membership of a user in a group of another AD domain ?

This was supposed to be linked to the bug#3530. Does anyone know if this issue is solved on new version , or if a patch exists ?

Thanks in advance
RE: [Samba] Excessive traffic causing slow logons
In any event thanks for your help!

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, May 05, 2006 10:54 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

Trimble, Ronald D wrote:
> Your crystal ball must be pretty good because changing
> the winbind enum user and group entries to "no" did
> the trick.

I thought that might help. Which is why we are changing the default in 3.0.23 :-)

> The man page isn't very specific about this change.
> Are they any downsides to this setting?

It disables support for setpwent()/getpwent()/endpwent() functionality. So apps that try to enumerate all users or groups will break. Running 'id user' will fail. But running 'id' as the user will work. Most apps just use getpwnam() or getgrnam() anyways. The NSS interface is a little too narrow for real searching.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
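The enumeration-versus-lookup distinction in the reply quoted above, as an added example that is not part of the thread or of Samba: Python's pwd.getpwall() and grp.getgrall() walk the setpwent()/getpwent()/endpwent() style enumeration calls, while getpwnam()/getgrnam() are direct lookups, so comparing the two shows which accounts an application can still resolve but no longer list. The function names and the default account name `root` are assumptions made for illustration.

```python
import grp
import pwd
import sys


def classify(names, lookup, enumerate_all, name_attr):
    """Return {name: 'enumerable' | 'lookup-only' | 'unresolvable'}.

    'lookup-only' is the state an enumeration-disabled NSS backend
    produces: the direct lookup answers, the full listing omits the entry.
    """
    # One pass over the enumeration interface (setXXent/getXXent/endXXent).
    listed = {getattr(entry, name_attr) for entry in enumerate_all()}
    result = {}
    for name in names:
        try:
            entry = lookup(name)            # direct getXXnam() style lookup
        except KeyError:
            result[name] = "unresolvable"
            continue
        # Compare on the canonical name the backend returned, since a
        # directory backend may normalise case or add a domain prefix.
        canonical = getattr(entry, name_attr)
        result[name] = "enumerable" if canonical in listed else "lookup-only"
    return result


def classify_users(names, lookup=pwd.getpwnam, enumerate_all=pwd.getpwall):
    """Classify user names; the defaults query the host's NSS configuration."""
    return classify(names, lookup, enumerate_all, "pw_name")


def classify_groups(names, lookup=grp.getgrnam, enumerate_all=grp.getgrall):
    """Classify group names; the defaults query the host's NSS configuration."""
    return classify(names, lookup, enumerate_all, "gr_name")


if __name__ == "__main__":
    # Pass the accounts your applications depend on as arguments.
    for name, state in classify_users(sys.argv[1:] or ["root"]).items():
        print(f"{name}: {state}")
```

Any account reported as lookup-only is invisible to software that builds its user or group list by enumeration, which is the breakage the reply warns about.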
RE: [Samba] Excessive traffic causing slow logons
Your crystal ball must be pretty good because changing the winbind enum user and group entries to "no" did the trick. The man page isn't very specific about this change. Are there any downsides to this setting?

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 04, 2006 2:05 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers. All are
> configured exactly the same. When I attempt to log on, I can enter my
> domain (AD) account without any problems. I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop. In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller. They all look similar to
> this...
> As you can imagine, we see millions of these over the 4 to 5 minutes it
> takes to log on. On the Windows side, the domain controller does not
> report any errors in the logs.
>

You mention LDAP traffic but you say nothing about what the traffic is actually doing nor do you give any details of how your server is configured. You could be using nss_ldap for all I know.

Just gazing into my crystal ball, I would ask whether or not you have set 'winbind enum users = no' and 'winbind enum groups = no'? If not, then do this first. Then it would be helpful to know more about your server.

> ... Can anyone help me with this issue? This
> issue is very quickly making us think twice about continuing
> to use Samba.

That's your call.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
RE: [Samba] Excessive traffic causing slow logons
I have already gone this route. Our DC is also a DNS server and the entries are all there. What's really interesting is that through all of the requests, the DC acks every single one.

-----Original Message-----
From: Gerald Drouillard [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 04, 2006 12:53 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers. All are
> configured exactly the same. When I attempt to log on, I can enter my
> domain (AD) account without any problems. I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop. In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller. They all look similar to
> this...
>

You may want to look at the DNS/DHCP server. If there is a 2003 DC and it is not the DNS/DHCP server then things can slow down. I believe it is a reverse DNS issue.

--
Regards
--
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.ca
RE: [Samba] Excessive traffic causing slow logons
USTR-MINT-A-2:~ # rpm -qa |grep samba
samba-client-3.0.20b-3.4
yast2-samba-server-2.9.33-0.3
samba-3.0.20b-3.4
samba-pdb-3.0.20b-3.4
yast2-samba-client-2.9.17-1.3
samba-winbind-3.0.20b-3.4
kdebase3-samba-3.2.1-68.46

We do have some SuSE support, but I am not sure how far that will get me since they will just point me back to samba. How would you suggest I proceed?

-----Original Message-----
From: Jeremy Allison [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 04, 2006 10:28 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

On Thu, May 04, 2006 at 10:21:18AM -0400, Trimble, Ronald D wrote:
> I am seeing some extremely slow logons to my SUSE servers. All are
> configured exactly the same. When I attempt to log on, I can enter my
> domain (AD) account without any problems. I then enter my password and
> sit and wait for several minutes until it eventually takes me to my
> desktop. In attempting to debug the problem, we have been able to see
> millions of calls to the domain controller. They all look similar to
> this...

What version of Samba ? Do you have SuSE support ? This is the sort of thing we track down for customers

Jeremy.
[Samba] Excessive traffic causing slow logons
I am seeing some extremely slow logons to my SUSE servers. All are configured exactly the same. When I attempt to log on, I can enter my domain (AD) account without any problems. I then enter my password and sit and wait for several minutes until it eventually takes me to my desktop. In attempting to debug the problem, we have been able to see millions of calls to the domain controller. They all look similar to this...

16:19:31.943556 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6096:6369(273) ack 7014 win 16080
16:19:31.944886 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7014:7391(377) ack 6369 win 64170
16:19:31.945122 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6369:6647(278) ack 7391 win 16080
16:19:31.946500 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7391:7778(387) ack 6647 win 65535
16:19:31.946733 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6647:6919(272) ack 7778 win 16080
16:19:31.948064 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7778:8152(374) ack 6919 win 65263
16:19:31.948298 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6919:7194(275) ack 8152 win 16080
16:19:31.949678 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8152:8532(380) ack 7194 win 64988
16:19:31.949913 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 7194:7466(272) ack 8532 win 16080
16:19:31.951244 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8532:8905(373) ack 7466 win 64716
16:19:31.951478 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 7466:7729(263) ack 8905 win 16080
16:19:31.953003 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8905:9186(281) ack 7729 win 64453
16:19:31.953098 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 7729:7736(7) ack 9186 win 16080
16:19:31.953117 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: F 7736:7736(0) ack 9186 win 16080
16:19:31.953252 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 > ustr-nadc1.na.uis.unisys.com.ldap: S 1051543388:1051543388(0) win 5840
16:19:31.953592 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: . ack 7737 win 64446
16:19:31.954376 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: F 9186:9186(0) ack 7737 win 64446
16:19:31.954391 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: . ack 9187 win 16080
16:19:31.954817 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696: S 702706062:702706062(0) ack 1051543389 win 16384
16:19:31.954830 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 > ustr-nadc1.na.uis.unisys.com.ldap: . ack 1 win 5840
16:19:31.954959 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 > ustr-nadc1.na.uis.unisys.com.ldap: P 1:91(90) ack 1 win 5840

As you can imagine, we see millions of these over the 4 to 5 minutes it takes to log on. On the Windows side, the domain controller does not report any errors in the logs. I have turned the debug level of winbind up to 10 and have some very extensive logs showing what is going on. Unfortunately, I cannot interpret all of this myself. Can anyone help me with this issue? This issue is very quickly making us think twice about continuing to use Samba. Thanks, Ron
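An added example, not part of the original post: a parser for tcpdump text in the format pasted above that totals LDAP payload per client connection and measures how quickly a new connection follows each client-side close (in the capture above, port 40695 sends its FIN and port 40696 sends a SYN right after). The host names and the sample capture are constructed for illustration; the function and field names are assumptions.

```python
import re

LDAP_PORTS = {"ldap", "389"}

# Old-style tcpdump text, e.g.
# 16:19:31.943556 IP a.40695 > b.ldap: P 6096:6369(273) ack 7014 win 16080
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFPRWE.]+)"
    r"(?: \d+:\d+\((?P<len>\d+)\))?"
)


def _to_us(ts):
    """Convert HH:MM:SS.frac to integer microseconds since midnight."""
    hms, frac = ts.split(".")
    h, m, s = (int(part) for part in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1_000_000 + int(frac.ljust(6, "0")[:6])


def summarize(text):
    """Group packets by (client, client_port, server) for LDAP traffic."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        to_dc = m["dport"] in LDAP_PORTS
        if not to_dc and m["sport"] not in LDAP_PORTS:
            continue                      # not LDAP in either direction
        key = ((m["src"], m["sport"], m["dst"]) if to_dc
               else (m["dst"], m["dport"], m["src"]))
        c = conns.setdefault(key, {"packets": 0, "bytes_to_dc": 0,
                                   "bytes_from_dc": 0,
                                   "syn_us": None, "fin_us": None})
        c["packets"] += 1
        size = int(m["len"] or 0)         # bare ACKs carry no length field
        if to_dc:
            c["bytes_to_dc"] += size
            if "S" in m["flags"] and c["syn_us"] is None:
                c["syn_us"] = _to_us(m["ts"])   # client opened the connection
            if "F" in m["flags"]:
                c["fin_us"] = _to_us(m["ts"])   # client closed the connection
        else:
            c["bytes_from_dc"] += size
    return conns


def churn_report(conns):
    """Totals plus the gap from each client close to the next client open."""
    opened = sorted(c["syn_us"] for c in conns.values() if c["syn_us"] is not None)
    closed = sorted(c["fin_us"] for c in conns.values() if c["fin_us"] is not None)
    gaps = []
    for fin in closed:
        nxt = next((syn for syn in opened if syn > fin), None)
        if nxt is not None:
            gaps.append(nxt - fin)
    return {
        "connections": len(conns),
        "opened": len(opened),
        "closed_by_client": len(closed),
        "bytes_to_dc": sum(c["bytes_to_dc"] for c in conns.values()),
        "bytes_from_dc": sum(c["bytes_from_dc"] for c in conns.values()),
        "reconnect_gaps_us": gaps,
    }


# Constructed sample in the same format (hypothetical hosts, not the post's data).
SAMPLE_CAPTURE = """
10:00:00.000100 IP client.example.com.40001 > dc.example.com.ldap: S 100:100(0) win 5840
10:00:00.000900 IP dc.example.com.ldap > client.example.com.40001: S 500:500(0) ack 101 win 16384
10:00:00.001000 IP client.example.com.40001 > dc.example.com.ldap: . ack 1 win 5840
10:00:00.001200 IP client.example.com.40001 > dc.example.com.ldap: P 1:91(90) ack 1 win 5840
10:00:00.002500 IP dc.example.com.ldap > client.example.com.40001: P 1:378(377) ack 91 win 65535
10:00:00.002700 IP client.example.com.40001 > dc.example.com.ldap: P 91:369(278) ack 378 win 16080
10:00:00.004000 IP dc.example.com.ldap > client.example.com.40001: P 378:765(387) ack 369 win 65535
10:00:00.004100 IP client.example.com.40001 > dc.example.com.ldap: F 369:369(0) ack 765 win 16080
10:00:00.004250 IP client.example.com.40002 > dc.example.com.ldap: S 900:900(0) win 5840
10:00:00.005000 IP dc.example.com.ldap > client.example.com.40001: F 765:765(0) ack 370 win 64446
10:00:00.005400 IP dc.example.com.ldap > client.example.com.40002: S 700:700(0) ack 901 win 16384
10:00:00.005600 IP client.example.com.40002 > dc.example.com.ldap: P 1:91(90) ack 1 win 5840
"""

if __name__ == "__main__":
    for field, value in churn_report(summarize(SAMPLE_CAPTURE)).items():
        print(f"{field}: {value}")
```

Timestamps carry no date, so a capture that crosses midnight needs to be split before the gaps are meaningful.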
[Samba] Slow logon
I have several servers that take an exceptionally long time to sign onto our Windows domain. It is not unheard of for it to take upwards of 3 or 4 minutes. The server is a member of the domain and the users are using an AD account to sign onto the server locally. Where could I begin to look to resolve this issue? Thanks, Ron
[Samba] Bad Password
Everyone,

I am going nuts trying to figure this problem out. I have successfully joined a SUSE 10 server to our domain and configured samba for ADS authentication. This exact setup works on all my other servers. On this one, I keep getting access denied when entering my domain password despite the fact that I have tried it literally dozens of times. I am 100% confident I am entering the password correctly. It appears winbind is not sending the password to the domain in the proper manner. Can anyone help me?

Thanks,
Ron

Here is what is in the log.wb-NA file after I enter my password...

[2006/04/26 11:09:15, 10] nsswitch/winbindd_dual.c:child_process_request(359)
  process_request: request fn LOOKUPNAME
[2006/04/26 11:09:15, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(695)
  [ 8465]: lookupname NA\trimblrd
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(359)
  refresh_sequence_number: NA time ok
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: NA seq number is now 24046271
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:centry_expired(416)
  centry_expired: Key NS/NA/TRIMBLRD for domain NA expired
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:wcache_fetch(473)
  wcache_fetch: entry NS/NA/TRIMBLRD expired for domain NA
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:name_to_sid(975)
  name_to_sid: [Cached] - doing backend query for name for domain NA
[2006/04/26 11:09:15, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(257)
  rpc: name_to_sid name=NA\trimblrd
[2006/04/26 11:09:15, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(265)
  name_to_sid [rpc] trimblrd for domain NA
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(614)
  wcache_save_name_to_sid: TRIMBLRD -> S-1-5-21-725345543-2052111302-527237240-26634
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:cache_store_response(1493)
  Storing response for pid 8466, len 1304
[2006/04/26 11:09:15, 10] nsswitch/winbindd_dual.c:dual_client_read(53)
  client_read: read 1828 bytes. Need 0 more for a full request.
[2006/04/26 11:09:15, 4] nsswitch/winbindd_dual.c:fork_domain_child(486)
  child daemon request 48
[2006/04/26 11:09:15, 10] nsswitch/winbindd_dual.c:child_process_request(359)
  process_request: request fn DUAL_USERINFO
[2006/04/26 11:09:15, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
  [ 8465]: lookupsid S-1-5-21-725345543-2052111302-527237240-26634
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(359)
  refresh_sequence_number: NA time ok
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: NA seq number is now 24046271
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:centry_expired(416)
  centry_expired: Key U/S-1-5-21-725345543-2052111302-527237240-26634 for domain NA expired
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:wcache_fetch(473)
  wcache_fetch: entry U/S-1-5-21-725345543-2052111302-527237240-26634 expired for domain NA
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:query_user(1105)
  sid_to_name: [Cached] - doing backend query for info for domain NA
[2006/04/26 11:09:15, 3] nsswitch/winbindd_ads.c:query_user(396)
  ads: query_user
[2006/04/26 11:09:15, 7] nsswitch/winbindd_ads.c:ads_cached_connection(48)
  Current tickets expire at 1146099562, time is now 1146064155
[2006/04/26 11:09:15, 3] nsswitch/winbindd_ads.c:query_user(442)
  ads query_user gave TRIMBLRD
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(359)
  refresh_sequence_number: NA time ok
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: NA seq number is now 24046271
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:wcache_save_user(653)
  wcache_save_user: S-1-5-21-725345543-2052111302-527237240-26634 (acct_name TRIMBLRD)
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:cache_store_response(1493)
  Storing response for pid 8466, len 1304
[2006/04/26 11:09:15, 10] nsswitch/winbindd_dual.c:dual_client_read(53)
  client_read: read 1828 bytes. Need 0 more for a full request.
[2006/04/26 11:09:15, 4] nsswitch/winbindd_dual.c:fork_domain_child(486)
  child daemon request 18
[2006/04/26 11:09:15, 10] nsswitch/winbindd_dual.c:child_process_request(359)
  process_request: request fn LOOKUPSID
[2006/04/26 11:09:15, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupsid(589)
  [ 8465]: lookupsid S-1-5-21-725345543-2052111302-527237240-26634
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(359)
  refresh_sequence_number: NA time ok
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: NA seq number is now 24046271
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:centry_expired(416)
[Samba] Bad password when attempting login to SSH with AD account
Everyone,

I have several servers set up, all running the same levels of samba and winbind. I am able to see the domain and authenticate users without any trouble. I am attempting to get integrated logins to work with SSH. I have it working on one server, but two others (with the exact same config) do not work. On the box that works, I get the following message in /var/log/messages when I log in with my domain account.

Apr 12 15:28:21 ustr-MINT-A-5 sshd[8643]: Accepted keyboard-interactive/pam for root from 192.63.xxx.xxx port 4102 ssh2
Apr 12 15:28:49 ustr-MINT-A-5 pam_winbind[8668]: user 'NA\trimblrd' granted access
Apr 12 15:28:49 ustr-MINT-A-5 pam_winbind[8668]: user 'NA\trimblrd' granted access
Apr 12 15:28:49 ustr-MINT-A-5 sshd[8666]: Accepted keyboard-interactive/pam for NA\\trimblrd from 192.63.xxx.xxx port 4104 ssh2

Using the same ID, I get the following messages on the two servers that don't work.

Apr 12 15:26:27 ustr-MINT-A-2 sshd[9329]: Invalid user NA\\trimblrd from 192.63.xxx.xxx
Apr 12 15:26:29 ustr-MINT-A-2 pam_winbind[9331]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Apr 12 15:26:29 ustr-MINT-A-2 pam_winbind[9331]: user `NA\trimblrd' denied access (incorrect password)
Apr 12 15:26:29 ustr-MINT-A-2 sshd[9329]: error: PAM: User not known to the underlying authentication module for illegal user NA\\trimblrd from ustr-trimblrd.na.uis.unisys.com
Apr 12 15:26:29 ustr-MINT-A-2 sshd[9329]: Failed keyboard-interactive/pam for invalid user NA\\trimblrd from 192.63.xxx.xxx port 4096 ssh2

Of course your first thought will be that I am entering the wrong password, but I have ruled that out by repeating this process dozens of times with multiple accounts. The strange thing is that AD thinks I really am sending an incorrect password, as my account shows an invalid password attempt in AD. Has anyone seen this problem? Do you know what I may be missing?

Thanks in advance,
Ron

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
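Added example (not part of the original post, and not code from the Samba or OpenSSH projects): in the failing excerpt above, sshd logs "Invalid user" before pam_winbind runs, which means sshd's own account lookup through NSS did not resolve the name; OpenSSH then hands PAM a placeholder instead of the typed password, so the NT_STATUS_WRONG_PASSWORD that follows says nothing about what was typed. The Python script below separates that case from a genuine bad password. The function names, verdict labels, 30-second window, the year 2006 and the two NA\jdoe log lines are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Entries for ustr-MINT-A-2 and ustr-MINT-A-5 are taken from the post above.
# The two ustr-MINT-A-9 / NA\jdoe entries are constructed for this example.
SAMPLE_LOG = r"""
Apr 12 15:26:27 ustr-MINT-A-2 sshd[9329]: Invalid user NA\\trimblrd from 192.63.xxx.xxx
Apr 12 15:26:29 ustr-MINT-A-2 pam_winbind[9331]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Apr 12 15:26:29 ustr-MINT-A-2 pam_winbind[9331]: user `NA\trimblrd' denied access (incorrect password)
Apr 12 15:26:29 ustr-MINT-A-2 sshd[9329]: error: PAM: User not known to the underlying authentication module for illegal user NA\\trimblrd from ustr-trimblrd.na.uis.unisys.com
Apr 12 15:26:29 ustr-MINT-A-2 sshd[9329]: Failed keyboard-interactive/pam for invalid user NA\\trimblrd from 192.63.xxx.xxx port 4096 ssh2
Apr 12 15:28:49 ustr-MINT-A-5 pam_winbind[8668]: user 'NA\trimblrd' granted access
Apr 12 15:28:49 ustr-MINT-A-5 sshd[8666]: Accepted keyboard-interactive/pam for NA\\trimblrd from 192.63.xxx.xxx port 4104 ssh2
Apr 12 15:31:02 ustr-MINT-A-9 pam_winbind[9410]: user `NA\jdoe' denied access (incorrect password)
Apr 12 15:31:02 ustr-MINT-A-9 sshd[9408]: Failed keyboard-interactive/pam for NA\\jdoe from 192.63.xxx.xxx port 4100 ssh2
"""

# "<Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w-]+)\[(\d+)\]: (.*)$")
INVALID_RE = re.compile(r"^Invalid user (\S+) from ")
DENIED_RE = re.compile(r"^user [`'](.+?)' denied access")
GRANTED_RE = re.compile(r"^user [`'](.+?)' granted access")

ADVICE = {
    "account-not-resolved": "sshd could not look the account up through NSS; "
                            "the password failure is a side effect",
    "wrong-password": "account resolved; the credential itself was rejected",
    "ok": "login succeeded",
}


def norm_user(name):
    # sshd escapes the separator (NA\\user); pam_winbind logs it once (NA\user).
    return name.replace("\\\\", "\\").lower()


def triage(log_text, year=2006, window=timedelta(seconds=30)):
    """Return {(host, user): verdict} for pam_winbind results in a syslog excerpt.

    Syslog timestamps carry no year, so `year` is supplied by the caller.
    """
    invalid_seen = {}  # (host, user) -> time sshd last logged "Invalid user"
    verdicts = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp, host, prog, _pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if prog == "sshd" and (hit := INVALID_RE.match(msg)):
            invalid_seen[(host, norm_user(hit.group(1)))] = when
        elif prog == "pam_winbind" and (hit := DENIED_RE.match(msg)):
            key = (host, norm_user(hit.group(1)))
            seen = invalid_seen.get(key)
            # A denial shortly after "Invalid user" on the same host means the
            # account lookup failed first; the password was never really tested.
            if seen is not None and timedelta(0) <= when - seen <= window:
                verdicts[key] = "account-not-resolved"
            else:
                verdicts[key] = "wrong-password"
        elif prog == "pam_winbind" and (hit := GRANTED_RE.match(msg)):
            verdicts[(host, norm_user(hit.group(1)))] = "ok"
    return verdicts


if __name__ == "__main__":
    for (host, user), verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host:15} {user:14} {verdict}: {ADVICE[verdict]}")
```

On a host flagged account-not-resolved, the next comparison against the working server is the output of `getent passwd` for the domain account and the passwd and group lines of /etc/nsswitch.conf.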
RE: [Samba] Owner changes when modifying Excel & Word files
Those settings would definitely work, but not unless you had a share defined for each group. If that is the case, then it would work just fine. Another potential option is to use default ACLs. My original comments were merely to point out that this is exactly the way Samba was supposed to work.

-----Original Message-----
From: marcos rocha [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 30, 2006 5:18 PM
To: Trimble, Ronald D; Ivan Tadic; samba@lists.samba.org
Subject: RE: [Samba] Owner changes when modifying Excel & Word files

what about the following settings:
- force user
- force group

[]s
Marcos

--- "Trimble, Ronald D" <[EMAIL PROTECTED]> wrote:

> There is no solution and it is by design. You can read all about it on
> the samba.org page. They have covered it extensively.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Tadic
> Sent: Tuesday, March 28, 2006 1:46 PM
> To: samba@lists.samba.org
> Subject: [Samba] Owner changes when modifying Excel & Word files
>
> Dear all,
>
> I am using Samba 3.0.20-4 SUSE.
> When a user (under Windows) modifies an Excel or Word file, he/she
> becomes the owner of that file !!!
> I have read that this is because Excel & Word delete the original file
> and recreate a new one with the modifications.
> But I didn't find a solution to prevent this.
>
> Thank you in advance for your reply.
>
> Ivan Tadic
> Brussels, Belgium
RE: [Samba] Owner changes when modifying Excel & Word files
There is no solution and it is by design. You can read all about it on the samba.org page. They have covered it extensively.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Tadic
Sent: Tuesday, March 28, 2006 1:46 PM
To: samba@lists.samba.org
Subject: [Samba] Owner changes when modifying Excel & Word files

Dear all,

I am using Samba 3.0.20-4 SUSE.
When a user (under Windows) modifies an Excel or Word file, he/she becomes the owner of that file !!!
I have read that this is because Excel & Word delete the original file and recreate a new one with the modifications.
But I didn't find a solution to prevent this.

Thank you in advance for your reply.

Ivan Tadic
Brussels, Belgium
RE: [Samba] ACL on groups working half
Is this an AD group? If so, what type?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tjaco Mast
Sent: Tuesday, March 28, 2006 10:57 AM
To: samba@lists.samba.org
Subject: [Samba] ACL on groups working half

Hi all Samba users,

For some I've got a Samba server running with the following config:

Debian Sarge 2.6.8 kernel
Samba 3.0.21 with winbind and LDAP as ADS member server
A W2K003 PDC
Samba's data partition is ext3 + ACL

I've migrated my users homedirs and profiledirs from W2K003 to Samba. These each user owns his own homedir and has rwx-- permissions. This seems to be working excellent.

Then I made a groupshare open for everyone. The directory it points to is closed for all domain users. No one can access this share.

As I add domain-user tjaco with rwx by ACL (using share-properties-security in windows or setfacl on linux) tjaco has instant access to the share.

Now I add tjaco to group mygroup using MMC (tjaco shows up as a groupmember of mygroup doing: getent group). I remove tjaco from the ACL and add mygroup with rwx to ACL. Tjaco has NO access anymore.

As I add group 'domain users' (which tjaco is a member of) with rwx to ACL, tjaco has access again.

This keeps me baffled for some weeks now. Furthermore I recall having read something about the importance of the SYSTEM group that should be added to the ACL but I don't understand how. SYSTEM is not a normal or builtin ADS group.

Who can help?

Thanks in advance,
Tjaco
RE: [Samba] Trouble with Homes
So that every person who uses the server can have a home directory without me having to create it by hand.

-----Original Message-----
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, March 27, 2006 12:54 PM
To: Trimble, Ronald D
Cc: Guillermo Gutierrez; Daniel Northam; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

get rid of the homes definition...why do you need it on a member server?

Craig

On Mon, 2006-03-27 at 12:44 -0500, Trimble, Ronald D wrote:
> Domain member.
>
> -----Original Message-----
> From: Guillermo Gutierrez [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 27, 2006 12:44 PM
> To: Trimble, Ronald D; Daniel Northam; Craig White; samba@lists.samba.org
> Subject: RE: [Samba] Trouble with Homes
>
> do you have this samba server as a domain member or is it a standalone?
>
> -----Original Message-----
> From: Trimble, Ronald D [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 27, 2006 9:39 AM
> To: Daniel Northam; Guillermo Gutierrez; Craig White; samba@lists.samba.org
> Subject: RE: [Samba] Trouble with Homes
>
> I am not using LDAP, so the SIDs shouldn't be an issue.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Northam
> Sent: Monday, March 27, 2006 11:49 AM
> To: Guillermo Gutierrez; Craig White; samba@lists.samba.org
> Subject: RE: [Samba] Trouble with Homes
>
> Check your SID's. I had that same problem and samba was advising Auth
> succeeded but it still wouldn't let me in. Checked my SID's and
> somewhere down the line I had changed one of my SID's. I corrected that
> in LDAP and then I was able to login.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guillermo Gutierrez
> Sent: Monday, March 27, 2006 8:45 AM
> To: Craig White; samba@lists.samba.org
> Subject: RE: [Samba] Trouble with Homes
>
> If you are integrating the samba server into a windows domain, you might
> want to try setting the valid users line like this: "valid users = %D\%S"
>
> that was my problem until I did that.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Craig White
> Sent: Monday, March 27, 2006 8:34 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] Trouble with Homes
>
> On Mon, 2006-03-27 at 11:23 -0500, Trimble, Ronald D wrote:
> > I am having trouble with getting my Homes section to work properly.
> > When I browse to the server from a Windows client, I can see my home
> > directory. However, when I try to access it, it challenges me for a
> > userID and password. No matter what I enter, it will not allow me
> > access. Can someone point me in the right direction to solve this?
> >
> > Here are the errors...
> >
> > [2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)
> >   192.63.212.176 (192.63.212.176) couldn't find service .
> > [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
> >   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> > [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
> >   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> > [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
> >   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> > [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
> >   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> > [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
> >   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> > [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
> >   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> > [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
> >   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> > [2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318)
> >   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
RE: [Samba] Trouble with Homes
Domain member.

-----Original Message-----
From: Guillermo Gutierrez [mailto:[EMAIL PROTECTED]
Sent: Monday, March 27, 2006 12:44 PM
To: Trimble, Ronald D; Daniel Northam; Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

do you have this samba server as a domain member or is it a standalone?

-----Original Message-----
From: Trimble, Ronald D [mailto:[EMAIL PROTECTED]
Sent: Monday, March 27, 2006 9:39 AM
To: Daniel Northam; Guillermo Gutierrez; Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

I am not using LDAP, so the SIDs shouldn't be an issue.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Northam
Sent: Monday, March 27, 2006 11:49 AM
To: Guillermo Gutierrez; Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

Check your SID's. I had that same problem and samba was advising Auth succeeded but it still wouldn't let me in. Checked my SID's and somewhere down the line I had changed one of my SID's. I corrected that in LDAP and then I was able to login.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guillermo Gutierrez
Sent: Monday, March 27, 2006 8:45 AM
To: Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

If you are integrating the samba server into a windows domain, you might want to try setting the valid users line like this: "valid users = %D\%S"

that was my problem until I did that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Craig White
Sent: Monday, March 27, 2006 8:34 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Trouble with Homes

On Mon, 2006-03-27 at 11:23 -0500, Trimble, Ronald D wrote:
> I am having trouble with getting my Homes section to work properly.
> When I browse to the server from a Windows client, I can see my home
> directory. However, when I try to access it, it challenges me for a
> userID and password. No matter what I enter, it will not allow me
> access. Can someone point me in the right direction to solve this?
>
> Here are the errors...
>
> [2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)
>   192.63.212.176 (192.63.212.176) couldn't find service .
> [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
>
> And here is the relevant section of the smb.conf...
>
> [homes]
> comment = Home Directories
> valid users = %S
> browseable = No
> read only = No
> create mask = 0660
> directory mask = 0770

try putting a valid path that the users have write access to their home...

[homes]
comment = Home Directories
path = /home/samba/homes
browseable = no
writable = yes
valid users = %S
create mask = 600
directory mask = 700

# ls -ld /home/samba/homes
drwxrwx--- 2 root dom_users 4096 Jun 23 2003 /home/samba/homes

maybe even get crazy enough to create directories in /home/samba/homes for each user...

Craig
RE: [Samba] Trouble with Homes
I am not using LDAP, so the SIDs shouldn't be an issue.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Northam
Sent: Monday, March 27, 2006 11:49 AM
To: Guillermo Gutierrez; Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

Check your SID's. I had that same problem and samba was advising Auth succeeded but it still wouldn't let me in. Checked my SID's and somewhere down the line I had changed one of my SID's. I corrected that in LDAP and then I was able to login.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guillermo Gutierrez
Sent: Monday, March 27, 2006 8:45 AM
To: Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

If you are integrating the samba server into a windows domain, you might want to try setting the valid users line like this: "valid users = %D\%S"

that was my problem until I did that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Craig White
Sent: Monday, March 27, 2006 8:34 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Trouble with Homes

On Mon, 2006-03-27 at 11:23 -0500, Trimble, Ronald D wrote:
> I am having trouble with getting my Homes section to work properly.
> When I browse to the server from a Windows client, I can see my home
> directory. However, when I try to access it, it challenges me for a
> userID and password. No matter what I enter, it will not allow me
> access. Can someone point me in the right direction to solve this?
>
> Here are the errors...
>
> [2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)
>   192.63.212.176 (192.63.212.176) couldn't find service .
> [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
>
> And here is the relevant section of the smb.conf...
>
> [homes]
> comment = Home Directories
> valid users = %S
> browseable = No
> read only = No
> create mask = 0660
> directory mask = 0770

try putting a valid path that the users have write access to their home...

[homes]
comment = Home Directories
path = /home/samba/homes
browseable = no
writable = yes
valid users = %S
create mask = 600
directory mask = 700

# ls -ld /home/samba/homes
drwxrwx--- 2 root dom_users 4096 Jun 23 2003 /home/samba/homes

maybe even get crazy enough to create directories in /home/samba/homes for each user...

Craig
RE: [Samba] Trouble with Homes
I made the changes to my configuration so that it is now

[homes]
comment = Home Directories
valid users = %D\%S
browseable = No
read only = No
create mask = 0660
directory mask = 0770

However, after a forced reload of smb, I still get the same errors.

[2006/03/27 11:52:32, 2] param/loadparm.c:do_section(3681)
  Processing section "[homes]"
[2006/03/27 11:52:32, 2] param/loadparm.c:do_section(3681)
  Processing section "[samba]"
[2006/03/27 11:52:32, 2] param/loadparm.c:do_section(3681)
  Processing section "[ISOs]"
[2006/03/27 11:52:32, 2] param/loadparm.c:do_section(3681)
  Processing section "[shared]"
[2006/03/27 11:52:32, 2] param/loadparm.c:do_section(3681)
  Processing section "[images]"
[2006/03/27 11:52:32, 2] lib/interface.c:add_interface(81)
  added interface ip=192.63.225.216 bcast=192.63.225.223 nmask=255.255.255.224
[2006/03/27 11:53:07, 0] smbd/service.c:make_connection(798)
  192.63.212.176 (192.63.212.176) couldn't find service .
[2006/03/27 11:53:09, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:53:09, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:53:10, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:53:10, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:53:10, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:53:10, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:53:10, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:53:14, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guillermo Gutierrez
Sent: Monday, March 27, 2006 11:45 AM
To: Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

If you are integrating the samba server into a windows domain, you might want to try setting the valid users line like this: "valid users = %D\%S"

that was my problem until I did that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Craig White
Sent: Monday, March 27, 2006 8:34 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Trouble with Homes

On Mon, 2006-03-27 at 11:23 -0500, Trimble, Ronald D wrote:
> I am having trouble with getting my Homes section to work properly.
> When I browse to the server from a Windows client, I can see my home
> directory. However, when I try to access it, it challenges me for a
> userID and password. No matter what I enter, it will not allow me
> access. Can someone point me in the right direction to solve this?
>
> Here are the errors...
>
> [2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)
>   192.63.212.176 (192.63.212.176) couldn't find service .
> [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
> [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
>   user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[Samba] Trouble with Homes
I am having trouble with getting my Homes section to work properly. When I browse to the server from a Windows client, I can see my home directory. However, when I try to access it, it challenges me for a userID and password. No matter what I enter, it will not allow me access. Can someone point me in the right direction to solve this?

Here are the errors...

[2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)
  192.63.212.176 (192.63.212.176) couldn't find service .
[2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)

And here is the relevant section of the smb.conf...

[homes]
   comment = Home Directories
   valid users = %S
   browseable = No
   read only = No
   create mask = 0660
   directory mask = 0770

Thanks for the help!!!
RE: [Samba] Domain Authentication Problem
Thanks. I did find a solution.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 16, 2006 12:04 PM
To: samba@lists.samba.org
Subject: RE: [Samba] Domain Authentication Problem

Have a look at this, hopefully will explain ur prob cheers Andy.
http://lists.samba.org/archive/samba/2004-July/089483.html
RE: [Samba] AD users from different AD domains
I second what Don is saying, you most certainly are seeing the same thing we are. I am in the process of building a new test server to try out a patched version of samba to see if it fixes the problem. Stay tuned to the bug Don mentioned.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Meyer
Sent: Thursday, March 09, 2006 6:50 PM
To: Lionel Déruaz; samba@lists.samba.org
Subject: Re: [Samba] AD users from different AD domains

At 04:29 PM 3/9/2006, Lionel Déruaz wrote:
>i am using samba 3.0.21rc1 (winbind in particular) on RHES server for a
>squid project : to authenticate users or check if they are member of some
>groups on AD W2K servers.
>
>We have a single AD forest, with different domains, A & B.
>
>The group, in domain A, we use for our authentication process contains
>user from the 2 domains A & B.
>
>While using wbinfo, i cannot succeed to get a positive answer when i
>ask if a user from domain B belongs or not to the group. (but the user
>belongs to this group)
>
>i would like to know if it is possible to check the membership of a
>user in a group of another AD domain ?
>
>I hope it is clear enough :)

This sounds like the same situation that has been discussed here a bit in the past week or so. You probably want to follow bug#3530 on https://bugzilla.samba.org.

Cheers,
-D

Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
RE: [Samba] getting samba to authenticate with kerberos/PAM
No problem. Glad I could point you in the right direction.

-----Original Message-----
From: Guillermo Gutierrez [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 08, 2006 10:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

well... after some playing around with the example you provided to me, I finally got it to work. I did have to do things a little different, but I finally got it to work. thank you sooo much for your help, here is how my /etc/pam.d/sshd looks:

#%PAM-1.0
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
auth required /lib/security/pam_shells.so
auth required /lib/security/pam_deny.so
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_nologin.so
#password required /lib/security/pam_pwcheck.so
password required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_unix.so use_first_pass use_authtok
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077

I realize that some of these lines might not be needed, I just have to figure out which ones and remove them for clean up.

thanks again,
Guillermo Gutierrez

-----Original Message-----
From: Trimble, Ronald D [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 08, 2006 4:25 PM
To: Guillermo Gutierrez
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

Setting up SSH to use AD accounts

Follow the directions in the Samba section of this wiki before continuing with these steps since SSH logins will require the use of winbind. Make a backup of all files before editing anything since a mistake in a PAM module could render your machine unusable.

Edit the /etc/pam.d/sshd file. Ours looks like this:

#%PAM-1.0
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix2.so none # trace or debug
session required pam_limits.so

Next, edit /etc/security/pam_unix2.conf. Ours looks like this:

auth: call_modules=winbind
account: call_modules=winbind
password: blowfish
session: none

Finally, create the top level home directory and assign the proper permissions. Your default home directories will be created in /home/domain/username.

mkdir /home/domain
chmod 755 /home/domain

When you login via SSH, use your AD account. Remember in Samba we configured the winbind separator to be a '+'. I, for example, would log in as NA+trimblrd and then specify my NA password. Once I do this, a home directory will be created for me. If everything works, your login will look like this.

login as: NA+trimblrd
Using keyboard-interactive authentication.
Password:
Last login: Tue Dec 20 12:29:08 2005 from ustr-trimblrd.na.uis.unisys.com
[EMAIL PROTECTED]:~>

Logging into the server with an AD account

If you want to take this example a step further, you can also configure your server so that you can use your AD account to logon locally or through VNC. To enable this requires modifying only one more file.

Edit /etc/pam.d/login. (Remember to make a backup.) Ours looks like this:

#%PAM-1.0
auth requisite pam_unix2.so nullok #set_secrpc
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_resmgr.so

Now you will be able to log onto the server without the use of a local account.

Retrieved from "http://ustr-linux-1/wiki/index.php/SSH"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guillermo Gutierrez
Sent: Wednesday, March 08, 2006 6:14 PM
To: samba@lists.samba.org
Subject: FW: [Samba] getting samba to authenticate with kerberos/PAM

ummm is there certain info that I need to be including the first time through? I have been fighting with this problem fo
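The first /etc/pam.d/sshd in the thread above places "sufficient" pam_winbind.so ahead of several "required" modules, and Linux-PAM stops processing a stack as soon as a sufficient module succeeds (provided no earlier required module has failed). The Python sketch below is an added example, not code from the thread; it lists the rules that ordering skips on a successful winbind login. The function names and the REORDERED stack are constructed for illustration.

```python
"""List PAM rules that never run once an earlier `sufficient` module succeeds."""
import os

# /etc/pam.d/sshd as posted in the thread (column whitespace restored).
POSTED_SSHD = """\
#%PAM-1.0
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
auth required /lib/security/pam_shells.so
auth required /lib/security/pam_deny.so
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_nologin.so
#password required /lib/security/pam_pwcheck.so
password required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_unix.so use_first_pass use_authtok
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077
"""

# Constructed variant (an assumption, not from the thread): the same auth and
# account modules with the gate checks placed before the sufficient module.
REORDERED = """\
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_unix.so use_first_pass
account required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
"""

TYPES = {"auth", "account", "password", "session"}


def parse_pam(text):
    """Return a list of (type, control, module_basename), one per rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        mtype = fields[0].lstrip("-")            # '-auth': missing module is not logged
        if mtype not in TYPES or len(fields) < 3:
            continue                             # e.g. @include lines
        if fields[1].startswith("["):            # [value=action ...] control
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
            if end is None or end + 1 >= len(fields):
                continue
            control, module = " ".join(fields[1:end + 1]), fields[end + 1]
        else:
            control, module = fields[1], fields[2]
        rules.append((mtype, control, os.path.basename(module)))
    return rules


def skipped_after_sufficient(rules):
    """Return (type, module, shadowing_module) for every required/requisite
    rule that follows the first `sufficient` rule of the same type.

    A fallback such as pam_deny.so is meant to be skipped on success; a gate
    such as pam_nologin.so in this list is not evaluated for users the
    sufficient module accepts.
    """
    first_sufficient = {}
    skipped = []
    for mtype, control, module in rules:
        if control == "sufficient":
            first_sufficient.setdefault(mtype, module)
        elif control in ("required", "requisite") and mtype in first_sufficient:
            skipped.append((mtype, module, first_sufficient[mtype]))
    return skipped


if __name__ == "__main__":
    for label, text in (("posted", POSTED_SSHD), ("reordered", REORDERED)):
        print(label)
        for mtype, module, by in skipped_after_sufficient(parse_pam(text)):
            print(f"  {mtype:8} {module:16} skipped when {by} succeeds")
```

In the reordered stack only the pam_unix.so fallback remains in the list, which is the intended behaviour.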
RE: [Samba] Problem with Universal Groups
This is exactly what I am seeing. I think this should be reopened as a bug. I could easily provide all of the diagnostics since I have it set up like this right now. The strange thing is, I can get it to work with Domain Global groups, but not Universal groups which shows the SID properly. Domain Local doesn't work at all unless the user is in the same domain as the group. How do we get this escalated?

-----Original Message-----
From: Don Meyer [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 02, 2006 6:06 PM
To: Trimble, Ronald D; samba@lists.samba.org
Subject: Re: [Samba] Problem with Universal Groups

Check your winbind group memberships -- I'm willing to bet that your winbind will only show group membership for users in the same domain as the group.

We are seeing the same mis-behavior here. Group members from other domains are simply not being enumerated by winbind as a group member (getent group), even though the other-domain user itself is properly listed (getent passwd).

I tried to report this as a bug, but it was closed/reopened as a feature request. Discussion was left that I had to prove that the other-domain user can successfully connect to a resource with permissions mapped directly to that other-domain user, but fails to connect to the same resource when permissions are mapped to a domain local group in the local server's domain that contains the other-domain user. (I have yet to create this test-case because of unrelated time-constraints...)

Cheers,
-D

At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
>Everyone,
> With many thanks to Jerry, my cross domain authentication is now
>working. This leads to a new problem. I cannot get samba to
>authenticate a remote domain user in a Universal group to authenticate
>properly.
> Here are the details:
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
>S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
>S-1-5-21-606747145-879983540-1177238915-173280 User (1)
>
>USTR-LINUX-1:~ # wbinfo --user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
>S-1-5-21-606747145-879983540-1177238915-513
>.
>.
>.
>S-1-5-21-606747145-879983540-1177238915-79634
>S-1-5-21-606747145-879983540-1177238915-79966
>S-1-5-21-725345543-2052111302-527237240-349134 **Here is the group!!**
>S-1-5-21-725345543-2052111302-527237240-177738
>S-1-5-21-725345543-2052111302-527237240-349185
>S-1-5-21-725345543-2052111302-527237240-307510
>S-1-5-21-725345543-2052111302-527237240-177742
>S-1-5-21-606747145-879983540-1177238915-90389
>S-1-5-21-606747145-879983540-1177238915-72164
>S-1-5-21-606747145-879983540-1177238915-91149
>S-1-5-21-606747145-879983540-1177238915-70785
>S-1-5-21-606747145-879983540-1177238915-91412
>
>However, when I try to set up a test web page to
> require group "NA\USTR-LINUX-1-REDHAT-READ"
>
>And then attempt to access the page, I get the following error:
>error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
>group(s).
>
>Does anyone else have something like this working? What am I doing
>wrong?
>
>Thanks,
>Ron

Don Meyer <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
RE: [Samba] problem with "winbind separator = \"
When I set it up, if you don't use the winbind separator line, it should work with the \. My smb.conf does not have a winbind separator declaration and it works just fine.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guillermo Gutierrez
Sent: Friday, March 03, 2006 9:25 AM
To: David Shapiro; samba@lists.samba.org; Thomas Limoncelli
Subject: RE: [Samba] problem with "winbind separator = \"

well, I am trying it without the line, I will let you all know how it worked.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Shapiro
Sent: Friday, March 03, 2006 6:22 AM
To: samba@lists.samba.org; Thomas Limoncelli
Subject: Re: [Samba] problem with "winbind separator = \"

I had no luck with \ too. I ended up going back to using +

David

David Shapiro
Unix Team Lead
919-765-2011

>>> Thomas Limoncelli <[EMAIL PROTECTED]> 3/3/2006 9:10 AM >>>
Guillermo Gutierrez wrote:
> I just rebuilt the samba server that I was working on and when I try to add the line "winbind separator = \", testparm tells me that its value must be 1 character and then displays its value as the proceeding line.

This is the default value, so you may just omit the line altogether.

-TL
[Samba] Problem with Universal Groups
Everyone,

With many thanks to Jerry, my cross domain authentication is now working. This leads to a new problem. I cannot get samba to authenticate a remote domain user in a Universal group to authenticate properly. Here are the details:

USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)

USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
S-1-5-21-606747145-879983540-1177238915-173280 User (1)

USTR-LINUX-1:~ # wbinfo --user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
S-1-5-21-606747145-879983540-1177238915-513
.
.
.
S-1-5-21-606747145-879983540-1177238915-79634
S-1-5-21-606747145-879983540-1177238915-79966
S-1-5-21-725345543-2052111302-527237240-349134 **Here is the group!!**
S-1-5-21-725345543-2052111302-527237240-177738
S-1-5-21-725345543-2052111302-527237240-349185
S-1-5-21-725345543-2052111302-527237240-307510
S-1-5-21-725345543-2052111302-527237240-177742
S-1-5-21-606747145-879983540-1177238915-90389
S-1-5-21-606747145-879983540-1177238915-72164
S-1-5-21-606747145-879983540-1177238915-91149
S-1-5-21-606747145-879983540-1177238915-70785
S-1-5-21-606747145-879983540-1177238915-91412

However, when I try to set up a test web page to
 require group "NA\USTR-LINUX-1-REDHAT-READ"

And then attempt to access the page, I get the following error:
error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required group(s).

Does anyone else have something like this working? What am I doing wrong?

Thanks,
Ron
[Samba] Kerberos errors...
I am having issues getting my other domains working on our samba server. They always show up as disconnected when doing a wbinfo -sequence command. If I set up the default realm in krb5.conf to be NA (short for North America), I can authenticate users in NA. If I set it to be EU (Europe) I can authenticate users from Europe. The strange thing is that in either case, I get the following error for the non-default domain: (Cannot contact any KDC for requested realm). This makes no sense to me as I can get it to work as the default realm with the exact same settings. There are no firewalls or anything like that on our domain controllers.

Can anyone point me to what I may be doing wrong? This error is absolutely driving me nuts and I would be forever grateful for any assistance.

Thanks,
Ron
[Samba] Is anyone using Samba in a forest to authenticate multiple domains?
I am struggling to get my samba server in ADS mode to authenticate users from other domains in our forest. Is anyone currently doing this and willing to help me out or perhaps share your config so that I can figure out what I am doing wrong?

Thanks,
Ron
[Samba] Problem authenticating another domain
I am trying to authenticate a user in a domain (EU) other than my default domain (NA). I am at a loss as to what may be wrong at this point. When I run a wbinfo -sequence, I see the following: linux:~ # wbinfo --sequence LAC : DISCONNECTED EU : DISCONNECTED AP : DISCONNECTED UIS : 19895750 TRIMBLRDLINUX : 1 BUILTIN : 1 NA : 15410431 If I try a kinit, here is the output: linux:~ # kinit [EMAIL PROTECTED] [EMAIL PROTECTED]'s Password: kinit: krb5_get_init_creds: unable to reach any KDC in realm eu.uis.unisys.com When I look at the logs for this domain, I see the following. Notice that it is correctly identifying a domain controller in that domain, but starts failing after that. [2006/02/22 15:12:51, 10] libsmb/namequery.c:internal_resolve_name(1145) internal_resolve_name: returning 26 addresses: 129.221.252.21:389 129.221.133.22:389 192.39.63.13:389 129.227.66.176:389 129.227.167.210:389 192.39.98.13:389 129.227.145.14:389 129.227.59.14:389 192.39.48.14:389 192.39.178.4:389 129.227.37.30:389 129.227.207.13:389 192.39.193.60:389 192.39.7.11:389 129.221.130.16:389 192.61.146.133:389 129.227.208.15:389 192.39.239.60:389 129.227.196.10:389 192.39.187.7:389 129.227.28.11:389 192.39.248.10:389 129.227.143.60:389 129.221.130.10:389 192.39.239.30:389 192.39.186.45:389 [2006/02/22 15:12:51, 5] libads/ldap.c:ads_try_connect(123) ads_try_connect: trying ldap server '192.61.146.133' port 389 [2006/02/22 15:12:51, 3] libads/ldap.c:ads_connect(285) Connected to LDAP server 192.61.146.133 [2006/02/22 15:12:51, 3] libads/ldap.c:ads_server_info(2514) got ldap server name [EMAIL PROTECTED], using bind path: dc=EU,dc=UIS,dc=UNISYS,dc=COM [2006/02/22 15:12:51, 4] libads/ldap.c:ads_server_info(2520) time offset is 70 seconds [2006/02/22 15:12:52, 4] libads/sasl.c:ads_sasl_bind(451) Found SASL mechanism GSS-SPNEGO [2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206) ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 [2006/02/22 15:12:52, 3] 
libads/sasl.c:ads_sasl_spnego_bind(206) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 [2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 [2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206) ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 [2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(215) ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED] [2006/02/22 15:13:04, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394) ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm) [2006/02/22 15:13:14, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394) ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm) [2006/02/22 15:13:14, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81) ads_connect for domain EU failed: Cannot contact any KDC for requested realm [2006/02/22 15:13:14, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(329) store_cache_seqnum: success [EU][4294967295 @ 1140639194] [2006/02/22 15:13:14, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387) refresh_sequence_number: EU seq number is now -1 Does anyone see what may be wrong? This problem is driving me nuts. Thanks in advance, Ron -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
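To relate the wbinfo --sequence output to the winbind log entries in the message above, the Python sketch below parses both and reports, for each DISCONNECTED domain, the ads_connect failure reasons logged for it. It is an added example, not part of the thread; the sample inputs are copied from the message with Samba's header-plus-indented-body log layout restored, and the function names are constructed.

```python
"""Correlate `wbinfo --sequence` output with winbindd log failures."""
import re

# Output and log excerpts from the message above; line breaks restored.
SEQUENCE = """\
LAC : DISCONNECTED
EU : DISCONNECTED
AP : DISCONNECTED
UIS : 19895750
TRIMBLRDLINUX : 1
BUILTIN : 1
NA : 15410431
"""

WINBIND_LOG = """\
[2006/02/22 15:12:51, 3] libads/ldap.c:ads_connect(285)
  Connected to LDAP server 192.61.146.133
[2006/02/22 15:12:51, 4] libads/ldap.c:ads_server_info(2520)
  time offset is 70 seconds
[2006/02/22 15:13:14, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2006/02/22 15:13:14, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: EU seq number is now -1
"""

# "[date time, level] source_file:function(line)" starts each log entry.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+)\s*$")
ADS_FAIL = re.compile(r"ads_connect for domain (\S+) failed: (.+)")


def parse_sequence(text):
    """Map domain -> sequence number, or None when the value is not numeric
    (winbind prints DISCONNECTED for domains it cannot reach)."""
    domains = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        domains[name.strip()] = int(value) if value.isdigit() else None
    return domains


def parse_log(text):
    """Return a list of entries; body lines are joined onto their header."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "message": ""})
        elif entries and line.strip():
            sep = " " if entries[-1]["message"] else ""
            entries[-1]["message"] += sep + line.strip()
    return entries


def triage(sequence_text, log_text):
    """Return {domain: [distinct ads_connect failure reasons]} for every
    DISCONNECTED domain; an empty list means the log excerpt holds no
    failure entry for that domain."""
    report = {d: [] for d, seq in parse_sequence(sequence_text).items()
              if seq is None}
    for entry in parse_log(log_text):
        m = ADS_FAIL.search(entry["message"])
        if m and m.group(1) in report and m.group(2) not in report[m.group(1)]:
            report[m.group(1)].append(m.group(2))
    return report


if __name__ == "__main__":
    for domain, reasons in triage(SEQUENCE, WINBIND_LOG).items():
        print(domain, "->", "; ".join(reasons) or "no failure logged in excerpt")
```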
RE: [Samba] Authenticating another domain
on this system [2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612) Closing connections [2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263) Username EU\inblr-auth1 is invalid on this system [2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2006/02/16 14:14:58, 10] auth/auth_util.c:get_user_groups(681) get_user_groups: winbind_getgroups(NA\ustr-netiq$): result = SUCCESS [2006/02/16 14:14:58, 5] auth/auth_util.c:debug_unix_user_token(473) UNIX token of user 16783538 Primary group is 16777671 and contains 1 supplementary groups Group[ 0]: 16777671 [2006/02/16 14:14:58, 10] auth/auth_util.c:debug_nt_user_token(457) NT user token of user S-1-5-21-3294472140-2299987452-2298777348-33568076 contains 6 SIDs SID[ 0]: S-1-5-21-3294472140-2299987452-2298777348-33568076 SID[ 1]: S-1-5-21-3294472140-2299987452-2298777348-33556343 SID[ 2]: S-1-1-0 SID[ 3]: S-1-5-2 SID[ 4]: S-1-5-11 SID[ 5]: S-1-5-21-725345543-2052111302-527237240-515 SE_PRIV 0x0 0x0 0x0 0x0 [2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263) Username EU\inblr-auth1 is invalid on this system [2006/02/16 14:14:58, 5] auth/auth_util.c:free_server_info(1387) attempting to free (and zero) a server_info structure [2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612) Closing connections [2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. 
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263) Username EU\inblr-auth1 is invalid on this system [2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612) Closing connections [2006/02/16 14:15:00, 2] smbd/server.c:exit_server(612) Closing connections My wbinfo --sequence still shows the EU domain as being disconnected. I just found this error in the log.wb-EU file: [2006/02/16 14:51:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394) ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm) [2006/02/16 14:51:29, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394) ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm) [2006/02/16 14:51:29, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81) ads_connect for domain EU failed: Cannot contact any KDC for requested realm -Original Message- From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] Sent: Thursday, February 16, 2006 11:05 AM To: Trimble, Ronald D Cc: samba@lists.samba.org Subject: Re: [Samba] Authenticating another domain -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Trimble, Ronald D wrote: > Username EU\inblr-auth1 is invalid on this system figure this out. That is the key. Does "getent passwd 'EU\inblr-auth1'" return anything? What does wbinfo --sequence show? cheers, jerry -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD9KKUIR7qMdg1EfYRApFRAKC2rqZZ3cFZMV5jLfVtON/uD9P5rgCfR5tG fAQ7r9ZXNxRfB1nYcF1qnW0= =oH5D -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Authenticating another domain
Running " getent passwd EU\\inblr-auth1 " doesn't return anything. Although it does work successfully with my NA domain account. The wbinfo --sequence command does reveal a little more information. Here is the output.

wbinfo --sequence
LAC : DISCONNECTED
EU : DISCONNECTED
AP : DISCONNECTED
UIS : DISCONNECTED
USTR-LINUX-1 : 1
BUILTIN : 1
NA : 14462477

How can I get it to connect?

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 11:05 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Authenticating another domain

Trimble, Ronald D wrote:
> Username EU\inblr-auth1 is invalid on this system

figure this out. That is the key. Does "getent passwd 'EU\inblr-auth1'" return anything? What does wbinfo --sequence show?

cheers, jerry
[Samba] Authenticating another domain
When I attempt to authenticate a user from another domain, I am seeing some strange issues. My winbindd.log shows that I am indeed already trusting the other domain. (I am a member of the na.uis.unisys.com domain.) However, when I try to gain access to a share where the username EU\INBLR-AUTH1 has access, I get prompted for a username and password over and over. Obviously, it can't authenticate the user. I have included the errors from the appropriate log below. Can anyone point me towards a working solution?

From the winbindd.log

[2006/02/16 10:18:02, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain EU eu.uis.unisys.com S-1-5-21-606747145-879983540-1177238915

From the samba log for the machine I am trying to connect from...

[2006/02/16 10:26:38, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/02/16 10:26:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 10:26:38, 2] smbd/server.c:exit_server(612)
  Closing connections

My smb.conf

[global]
   workgroup = NA
   realm = NA.UIS.UNISYS.COM
   netbios name = ustr-linux-1
   encrypt passwords = yes
   security = ADS
   password server = 192.63.225.67
   passdb backend = smbpasswd
   log level = 2
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 5000
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   # winbind separator = +
   winbind use default domain = no
   winbind uid = 16777216-33554431
   winbind gid = 16777216-33554431
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   admin users = root, NA\username, +"NA\groupname"
   nt acl support = yes
   map acl inherit = yes
   # printer setup
   load printers = yes
   use client driver = no
   printing = cups
   printcap name = cups
   printer admin = root, NA\TRIMBLRD, +"NA\EPS Admin"
   server string = USTR-LINUX-1 Samba Server
RE: [Samba] authenticate a share access to win2k3 server
I don't understand why you would want to have the user authenticate again. If they are already signed into your domain and they try to access a resource they have permission to, it should just let them in. If they don't have access, it should prompt them for a valid username and password.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martijn Hazenberg
Sent: Thursday, February 16, 2006 6:41 AM
To: samba@lists.samba.org
Subject: [Samba] authenticate a share access to win2k3 server

Hi,

I have a samba server sharing some stuff. Now i want to enable access to some share only to SOME users on the domain. this is the smb.conf :

[global]
   netbios name = DATASVR
   server string = DATASVR
   socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum users = yes
   winbind gid = 1-2
   workgroup = LOKAAL
   os level = 20
   winbind enum groups = yes
   socket address = 10.0.0.200
   password server = *
   preferred master = no
   winbind separator = +
   max log size = 50
   log file = /var/log/samba3/log.%m
   encrypt passwords = yes
   dns proxy = yes
   realm = .LOKAAL
   security = ADS
   wins server = 10.0.0.201
   wins proxy = no

[share]
   comment = stuff
   path = /raid/stuff
   writable = yes
   read only = no
   valid users = user1 user2

I was hoping that when a user selects the above share, they would get a passwd screen, where they would have to fill in the same passwd as they use for logging in to their xp machines. What would i need to do to accomplish this ?

best regards,
Martijn
RE: [Samba] How to Make SMB server authenticate against multiple ADserver
This is from Using Samba... http://www.oreilly.com/catalog/samba/chapter/book/ch06_03.html

You can configure Samba to use a separate password server under server-level security with the use of the password server global configuration option, as follows:

[global]
   security = server
   password server = PHOENIX120 HYDRA134

Note that you can specify more than one machine as the target of the password server; Samba will move down the list of servers in the event that its first choice is unreachable. The servers identified by the password server option are given as NetBIOS names, not their DNS names or equivalent IP addresses. Also, if any of the servers reject the given password, the connection will automatically fail - Samba will not attempt another server.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parker, Michael
Sent: Wednesday, February 15, 2006 9:35 AM
To: samba@lists.samba.org
Subject: [Samba] How to Make SMB server authenticate against multiple ADserver

I'm new to samba and I'm still trying to figure out the workings. I currently have a few servers setup to authenticate with AD (2003 domain) with winbind. Right now, I have a line in my smb.conf file that states password server = alg-conyers-ad1. I assume this tells it to authenticate against this server only. How do I make it choose a server from DNS or at the least tell it to use other AD servers if this one is offline? My fear is that we'll rely on these servers more, AD1 will fail, and then I'll have to scramble to point my smb servers to use other AD servers.

Thanks in advance for your help.

Michael
RE: [Samba] ADS and RPC
I have the same exact problem as Mike, so if anyone has a solution, I too could use the help.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Collins, Mike
Sent: Wednesday, February 15, 2006 12:31 PM
To: samba@lists.samba.org
Subject: [Samba] ADS and RPC

I have a problem that recently appeared with ADS authentication. I have a samba server that is an AD member on our domain, ourdomain.edu. We are under a domain that is an empty root, call it 'theirdomain.net'. Also under this root is another domain, call it 'theirdomain.edu'. I have found that RPC access has been disabled on the DC's in theirdomain.edu and my samba server can no longer authenticate users on theirdomain.edu. Is there some workaround for this?

Samba version 3.0.14a

--
Mike Collins
Sr. Programmer/Analyst
TTUHSC Information Technology
806-743-2870 ext. 271
[Samba] Autocreate user home directories.
I am trying to set up our samba server to automatically create a user's home directory when they browse to it from a Windows computer. Is there a way to do this? I was looking at the root preexec option to try and do this, but I am not sure how to go about it. Has anybody done this? Can someone please help me out?

Thanks,
Ron
RE: [Samba] SAMBA netbois lookup issues
Not if they are all in the DNS server and the new samba server is not.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Taylor
Sent: Monday, February 06, 2006 2:06 PM
To: samba@lists.samba.org
Subject: RE: [Samba] SAMBA netbois lookup issues

My VPN Address is in a Virtual Pool on the Firewall I am using. I am able to connect to any other server other than a Samba server. If it was a network related issue would it not be having a problem on all the servers?

James

-----Original Message-----
From: Trimble, Ronald D [mailto:[EMAIL PROTECTED]
Sent: Friday, February 03, 2006 5:11 PM
To: James Taylor
Subject: RE: [Samba] SAMBA netbois lookup issues

Is your VPN server on the same segment? I only ask because in our company, our VPN segment is isolated with its own DNS servers. My guess is that when you come in via VPN, you are using a different DNS server and you are not registered. Instead, you are using NetBIOS for name resolution. Try putting an A host record on the DNS server used by your VPN server.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Taylor
Sent: Friday, February 03, 2006 6:43 PM
To: samba@lists.samba.org
Subject: [Samba] SAMBA netbois lookup issues

Hi all!

I am from the Windows world and am trying to migrate to Linux and have done a fairly good job so far. My recent challenge is that I have built a Samba file/print server that works very well on my internal network but when I VPN into the network remotely I am unable to access the server via its server name. What is driving me crazy is the fact that the last of my Windows servers is a file/print server as well and I am able to access it without issues. Is this a simple NetBios Port change or is this something else that I am missing? If anyone has some pointers as to what I can do to resolve this issue I would be grateful.

Thank you
James Taylor
RE: [Samba] Cross domain and user home questions.
I am desperate here guys... can anyone offer me any advice?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Trimble, Ronald D
Sent: Friday, February 03, 2006 10:01 AM
To: samba@lists.samba.org
Subject: [Samba] Cross domain and user home questions.

Thank you in advance for any help anyone may be able to provide with the following issues I am experiencing.

The first is authenticating users across domains. I have successfully configured Samba to use an AD domain, but when I try to authenticate another user from another domain in the same tree, I get various errors. Can anyone shed some light on what I may be doing wrong or help me configure this? Here are the important settings from my smb.conf.

[global]
    workgroup = NA
    realm = NA.UIS.UNISYS.COM
    netbios name = servername
    encrypt passwords = yes
    security = ADS
    password server = IPaddress
    passdb backend = smbpasswd
    log level = 0
    syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # winbind separator = +
    winbind use default domain = no
    winbind uid = 16777216-33554431
    winbind gid = 16777216-33554431
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    admin users = root, IDs
    nt acl support = yes
    map acl inherit = yes

As you can see from the config, I am a member of the NA domain. I have no issues with users in this domain and everything works as it should. The problem comes when I try to authenticate users of our other domains... for example EU. Our tree looks like this:

UIS.UNISYS.COM
 |_> NA.UIS.UNISYS.COM
 |_> EU.UIS.UNISYS.COM
 |_> etc..

The second issue I have is related to user home directories. I have it set up so that when a user views the SMB shares on the server, they can see their home directory. The problem is that if the directory is not created ahead of time, what they are seeing is not real. The directory is not being created automatically. How can I set this up? Here is the [homes] section of my smb.conf.

[homes]
    comment = Home Directories (RW)
    valid users = %D\%S
    browseable = No
    read only = No
    create mask = 0660
    directory mask = 0770

Thanks again for any help you may provide.
[Samba] Cross domain and user home questions.
Thank you in advance for any help anyone may be able to provide with the following issues I am experiencing.

The first is authenticating users across domains. I have successfully configured Samba to use an AD domain, but when I try to authenticate another user from another domain in the same tree, I get various errors. Can anyone shed some light on what I may be doing wrong or help me configure this? Here are the important settings from my smb.conf.

[global]
    workgroup = NA
    realm = NA.UIS.UNISYS.COM
    netbios name = servername
    encrypt passwords = yes
    security = ADS
    password server = IPaddress
    passdb backend = smbpasswd
    log level = 0
    syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # winbind separator = +
    winbind use default domain = no
    winbind uid = 16777216-33554431
    winbind gid = 16777216-33554431
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    admin users = root, IDs
    nt acl support = yes
    map acl inherit = yes

As you can see from the config, I am a member of the NA domain. I have no issues with users in this domain and everything works as it should. The problem comes when I try to authenticate users of our other domains... for example EU. Our tree looks like this:

UIS.UNISYS.COM
 |_> NA.UIS.UNISYS.COM
 |_> EU.UIS.UNISYS.COM
 |_> etc..

The second issue I have is related to user home directories. I have it set up so that when a user views the SMB shares on the server, they can see their home directory. The problem is that if the directory is not created ahead of time, what they are seeing is not real. The directory is not being created automatically. How can I set this up? Here is the [homes] section of my smb.conf.

[homes]
    comment = Home Directories (RW)
    valid users = %D\%S
    browseable = No
    read only = No
    create mask = 0660
    directory mask = 0770

Thanks again for any help you may provide.