Hi John,

Thanks for your reply.

# net ads testjoin
[2010/11/15 06:40:27, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
[2010/11/15 06:40:29, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

but,

# net rpc testjoin
Join to 'SQUID' is OK

# net ads info -U Administrator
Enter Administrator's password:
LDAP server: 172.16.1.33
LDAP server name: EIS.squid.biz
Realm: SQUID.BIZ
Bind Path: dc=SQUID,dc=BIZ
LDAP port: 389
Server time: Mon, 15 Nov 2010 06:45:33 IST
KDC server: 172.16.1.33
Server time offset: 43

# net rpc info -U Administrator
Enter Administrator's password:
Domain Name: SQUID
Domain SID: S-1-5-21-419217316-27721265-2755569738
Sequence number: 548
Num users: 29
Num domain groups: 10
Num local groups: 39

# wbinfo -a 'vivek%vivek'
plaintext password authentication succeeded
challenge/response password authentication succeeded

# wbinfo -K 'vivek%vivek'
plaintext kerberos password authentication for [vivek%vivek] failed (requesting cctype: FILE)
Could not authenticate user [vivek%vivek] with Kerberos (ccache: FILE)

# kinit vivek
Password for [email protected]:
#

Does anything need to be modified on the Windows side? As the next step I will remove the system from the domain and try everything...

Thanks in advance.

Regards,
Vivek

On Mon, Nov 15, 2010 at 8:25 AM, John Stile <[email protected]> wrote:
> "Invalid credentials" points to a problem, though I'm guessing, with
> the domain membership.
>
> I'm really not sure what it means.
>
> Does 'ads testjoin' show anything?
>
> Would it be too much trouble to remove the system from the domain and
> add it back, assuming that was the problem?
>
> 1. remove the machine from the domain (on the AD server),
> 2. stop smbd, nmbd, and winbindd.
> 3. find and remove "*.tdb" files.
> 4. Check 'date' vs. 'net date'
> 5. net ads join -U 'SQUID.BIZ+username'%'passwd'
> 6. check 'net ads testjoin'
> 7. check 'net ads info'
> 8. start daemon: 'winbindd -d 3 -i'
> 9. wbinfo -a 'SQUID.BIZ+username'%'password'
> 10. wbinfo -K 'SQUID.BIZ+username'%'password'
> 11. kinit username
>
> On Mon, 2010-11-15 at 00:32 +0530, Vivekanandan Nataraj wrote:
> > Hi John,
> >
> > Thanks for your reply.
> >
> > This is the result :-
> >
> > #wbinfo -u
> >
> > Connected to LDAP server EIS.squid.biz
> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > ads_sasl_spnego_bind: got server principal name = [email protected]
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:22:14 IST
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:22:26 IST
> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> > ads_connect for domain SQUID failed: Invalid credentials
> > final write to client failed: Broken pipe
> >
> > #wbinfo -g
> >
> > Connected to LDAP server EIS.squid.biz
> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > ads_sasl_spnego_bind: got server principal name = [email protected]
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:27:10 IST
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:27:12 IST
> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> > ads_connect for domain SQUID failed: Invalid credentials
> > final write to client failed: Broken pipe
> >
> > Any problem with krb configuration ???
> >
> > Regards,
> > Vivek
> >
> > On Sun, Nov 14, 2010 at 11:59 PM, John Stile <[email protected]> wrote:
> >         You could try to run winbindd manually (winbindd -d 3 -i), and from
> >         another console run 'wbinfo -u', and see if any errors present
> >         themselves in the console where you ran winbindd. First make sure
> >         no other winbind daemon is running, by testing, as root, with:
> >         lsof -i tcp -nP | grep winbind
> >
> >         On Sun, 2010-11-14 at 23:41 +0530, Vivekanandan Nataraj wrote:
> > > Hi John,
> > >
> > > Thanks for your reply.
> > >
> > > I have modified the nsswitch.conf file and smb.conf as per your
> > > suggestions.
> > >
> > > Still wbinfo does not list the users... I have rebooted the server
> > > after modification.
> > >
> > > and #rm -rf /var/lib/samba/* and restart the services and joined the
> > > domain again. but no luck..
> > >
> > > nsswitch.conf
> > > [
> > > shadow: files
> > > passwd: compat winbind
> > > group: compat winbind
> > >
> > > hosts: files dns wins
> > > networks: files dns
> > >
> > > services: files
> > > protocols: files
> > > rpc: files
> > > ethers: files
> > > netmasks: files
> > > netgroup: files nis
> > > publickey: files
> > >
> > > bootparams: files
> > > automount: files nis
> > > aliases: files
> > > ]
> > >
> > > samba
> > > [
> > > workgroup = SQUID
> > > realm = SQUID.BIZ
> > > security = ADS
> > > password server = EIS.SQUID.BIZ
> > > printcap name = cups
> > > idmap uid = 1000-20000000
> > > idmap gid = 1000-20000000
> > > winbind separator = +
> > > winbind enum users = Yes
> > > winbind enum groups = Yes
> > > winbind use default domain = Yes
> > > winbind nss info = rfc2307
> > > cups options = raw
> > > ]
> > >
> > > Anything I missed?
> > >
> > > Thanks in advance..
> > >
> > > Regards,
> > > Vivek
> > >
> > > On Sun, Nov 14, 2010 at 10:33 PM, John Stile <[email protected]> wrote:
> > >         Does /etc/nsswitch.conf hold winbind?
> > >         Something like this:
> > >         passwd: compat winbind
> > >         group: compat winbind
> > >
> > >         Also,
> > >         your config doesn't show:
> > >         winbind separator = +
> > >
> > >         your config doesn't have a fully qualified "password server"
> > >         hostname.
> > >
> > >         On Sun, 2010-11-14 at 11:09 +0530, Vivekanandan Nataraj wrote:
> > > > Hi Guys,
> > > >
> > > > I have configured SAMBA with Windows 2003 AD. But "#wbinfo -u" and
> > > > "#wbinfo -g" do not list the users
> > > >
> > > > 1. Domain joined successfully.
> > > >
> > > > # net rpc testjoin -U Administrator
> > > > Join to 'DOMAIN' is OK
> > > >
> > > > 2. wbinfo -a works ( User authentication )
> > > >
> > > > # wbinfo -a 'DOMAIN\user'
> > > > Enter DOMAIN\user's password:
> > > > plaintext password authentication succeeded
> > > > Enter DOMAIN\user's password:
> > > > challenge/response password authentication succeeded
> > > >
> > > > 3. wbinfo -u and wbinfo -g list nothing
> > > >
> > > > # wbinfo -u
> > > > # wbinfo -g
> > > >
> > > > # wbinfo -r 'DOMAIN\user'
> > > > Could not get groups for user DOMAIN\user
> > > >
> > > > SAMBA config : -
> > > >
> > > > [global]
> > > > workgroup = DOMAIN
> > > > realm = DOMAIN.BIZ
> > > > security = ADS
> > > > password server = EIS
> > > > printcap name = cups
> > > > idmap uid = 1000-20000000
> > > > idmap gid = 1000-20000000
> > > > winbind enum users = Yes
> > > > winbind enum groups = Yes
> > > > winbind use default domain = Yes
> > > > winbind nss info = rfc2307
> > > > cups options = raw
> > > >
> > > > Versions :-
> > > >
> > > > # smbd -V
> > > > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
> > > >
> > > > # winbindd -V
> > > > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
> > > >
> > > > Share your ideas...
> > > >
> > > > Regards,
> > > > Vivek
