The doc is here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html
The short answer:
1. not reading this doc will "cause pain, agony, and desperation."
2. 'net' maps domain-to-unix IDs and interacts with domain security.

net rpc = for Windows Group Management operations.
net ads = for ADS operations.
net rap = for RAP (IBM OS/2 and samba <3) operations.
net will automatically fall back via the ads, rpc, and rap modes.

On Fri, 2010-11-19 at 16:58 +0530, Vivekanandan Nataraj wrote:
> Hi John,
>
> The same smb and winbind configuration ( same SUSE box ) works good
> with other Windows AD servers.
>
> "#wbinfo -u" and "#wbinfo -g" returns the users and groups
> respectively.
>
> Thanks for your great help !!!
>
> what is the difference between "#net rpc" and "#net ads" ?..if you
> have time, give some explanation..
>
> Regards,
> Vivek
>
> On Mon, Nov 15, 2010 at 6:56 PM, Vivekanandan Nataraj
> <[email protected]> wrote:
> Hi John,
>
> Thanks for your reply.
>
> # net ads testjoin
> [2010/11/15 06:40:27, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> [2010/11/15 06:40:29, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> Join to domain is not valid: Invalid credentials
>
> but,
>
> # net rpc testjoin
> Join to 'SQUID' is OK
>
> # net ads info -U Administrator
> Enter Administrator's password:
> LDAP server: 172.16.1.33
> LDAP server name: EIS.squid.biz
> Realm: SQUID.BIZ
> Bind Path: dc=SQUID,dc=BIZ
> LDAP port: 389
> Server time: Mon, 15 Nov 2010 06:45:33 IST
> KDC server: 172.16.1.33
> Server time offset: 43
>
> # net rpc info -U Administrator
> Enter Administrator's password:
> Domain Name: SQUID
> Domain SID: S-1-5-21-419217316-27721265-2755569738
> Sequence number: 548
> Num users: 29
> Num domain groups: 10
> Num local groups: 39
>
> # wbinfo -a 'vivek%vivek'
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> # wbinfo -K 'vivek%vivek'
> plaintext kerberos password authentication for [vivek%vivek] failed (requesting cctype: FILE)
> Could not authenticate user [vivek%vivek] with Kerberos (ccache: FILE)
>
> # kinit vivek
> Password for [email protected]:
> #
>
> Does anything need to be modified on the Windows side ??..next step I
> will remove the system from the domain and try everything...
>
> Thanks in advance.
>
> Regards,
> Vivek
>
> On Mon, Nov 15, 2010 at 8:25 AM, John Stile <[email protected]> wrote:
> "Invalid credentials" points to a problem, though I'm guessing, with
> the domain membership.
>
> I'm really not sure what it means.
>
> Does 'ads testjoin' show anything?
>
> Would it be too much trouble to remove the system from the domain and
> add it back, assuming that was the problem?
>
> 1. remove the machine from the domain (on the AD server),
> 2. stop smbd, nmbd, and winbindd.
> 3. find and remove "*.tdb" files.
> 4. Check 'date' vs. 'net date'
> 5. net ads join -U 'SQUID.BIZ+username'%'passwd'
> 6. check 'net ads testjoin'
> 7. check 'net ads info'
> 8. start daemon: 'winbindd -d 3 -i'
> 9. wbinfo -a 'SQUID.BIZ+username'%'password'
> 10. wbinfo -K 'SQUID.BIZ+username'%'password'
> 11. kinit username
>
> On Mon, 2010-11-15 at 00:32 +0530, Vivekanandan Nataraj wrote:
> > Hi John,
> >
> > Thanks for your reply.
> >
> > This is the result :-
> >
> > #wbinfo -u
> >
> > Connected to LDAP server EIS.squid.biz
> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > ads_sasl_spnego_bind: got server principal name = [email protected]
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:22:14 IST
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:22:26 IST
> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> > ads_connect for domain SQUID failed: Invalid credentials
> > final write to client failed: Broken pipe
> >
> > #wbinfo -g
> >
> > Connected to LDAP server EIS.squid.biz
> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > ads_sasl_spnego_bind: got server principal name = [email protected]
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:27:10 IST
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 14 Nov 2010 22:27:12 IST
> > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> > ads_connect for domain SQUID failed: Invalid credentials
> > final write to client failed: Broken pipe
> >
> > any problem with krb configuration ???
> >
> > Regards,
> > Vivek
> >
> > On Sun, Nov 14, 2010 at 11:59 PM, John Stile <[email protected]> wrote:
> > You could try to run winbindd manually (winbindd -d 3 -i), and from
> > another console run 'wbinfo -u', and see if any errors present
> > themselves in the console where you ran winbindd. First make sure no
> > other winbind daemon is running, by testing, as root, with:
> > lsof -i tcp -nP | grep winbind
> >
> > On Sun, 2010-11-14 at 23:41 +0530, Vivekanandan Nataraj wrote:
> > > Hi John,
> > >
> > > Thanks for your reply.
> > >
> > > I have modified the nsswitch.conf file and smb.conf as per your
> > > suggestions.
> > >
> > > Still wbinfo does not list the users... I have rebooted the server
> > > after modification.
> > >
> > > and #rm -rf /var/lib/samba/* and restart the services and joined the
> > > domain again. but no luck..
> > >
> > > nsswitch.conf
> > > [
> > > shadow: files
> > > passwd: compat winbind
> > > group: compat winbind
> > >
> > > hosts: files dns wins
> > > networks: files dns
> > >
> > > services: files
> > > protocols: files
> > > rpc: files
> > > ethers: files
> > > netmasks: files
> > > netgroup: files nis
> > > publickey: files
> > >
> > > bootparams: files
> > > automount: files nis
> > > aliases: files
> > > ]
> > >
> > > samba
> > > [
> > > workgroup = SQUID
> > > realm = SQUID.BIZ
> > > security = ADS
> > > password server = EIS.SQUID.BIZ
> > > printcap name = cups
> > > idmap uid = 1000-20000000
> > > idmap gid = 1000-20000000
> > > winbind separator = +
> > > winbind enum users = Yes
> > > winbind enum groups = Yes
> > > winbind use default domain = Yes
> > > winbind nss info = rfc2307
> > > cups options = raw
> > > ]
> > >
> > > Any thing i missed ?
> > >
> > > Thanks in advance..
> > >
> > > Regards,
> > > Vivek
> > >
> > > On Sun, Nov 14, 2010 at 10:33 PM, John Stile <[email protected]> wrote:
> > > Does /etc/nsswitch.conf hold winbind?
> > > Something like this:
> > > passwd: compat winbind
> > > group: compat winbind
> > >
> > > Also,
> > > your config doesn't show:
> > > winbind separator = +
> > >
> > > your config doesn't have a fully qualified "password server"
> > > hostname.
> > >
> > > On Sun, 2010-11-14 at 11:09 +0530, Vivekanandan Nataraj wrote:
> > > > Hi Guys,
> > > >
> > > > I have configured SAMBA with Windows 2003 AD. But "#wbinfo -u" and
> > > > "#wbinfo -g" does not list the users
> > > >
> > > > 1. Domain joined successfully.
> > > >
> > > > # net rpc testjoin -U Administrator
> > > > Join to 'DOMAIN' is OK
> > > >
> > > > 2. wbinfo -a works ( User authentication )
> > > >
> > > > # wbinfo -a 'DOMAIN\user'
> > > > Enter DOMAIN\user's password:
> > > > plaintext password authentication succeeded
> > > > Enter DOMAIN\user's password:
> > > > challenge/response password authentication succeeded
> > > >
> > > > 3. wbinfo -u and wbinfo -g does list nothing
> > > >
> > > > # wbinfo -u
> > > > # wbinfo -g
> > > >
> > > > # wbinfo -r 'DOMAIN\user'
> > > > Could not get groups for user DOMAIN\user
> > > >
> > > > SAMBA config : -
> > > >
> > > > [global]
> > > > workgroup = DOMAIN
> > > > realm = DOMAIN.BIZ
> > > > security = ADS
> > > > password server = EIS
> > > > printcap name = cups
> > > > idmap uid = 1000-20000000
> > > > idmap gid = 1000-20000000
> > > > winbind enum users = Yes
> > > > winbind enum groups = Yes
> > > > winbind use default domain = Yes
> > > > winbind nss info = rfc2307
> > > > cups options = raw
> > > >
> > > > Versions :-
> > > >
> > > > # smbd -V
> > > > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
> > > >
> > > > # winbindd -V
> > > > Version 3.4.2-1.1.3.1-2229-SUSE-SL11.2
> > > >
> > > > Share your ideas...
> > > >
> > > > Regards,
> > > > Vivek
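
The join checks used in this thread ('net ads testjoin', 'net rpc testjoin', 'net ads info') turned into a triage function, as an added example that is not part of the original messages. It works on captured command output; the function names, the 300-second skew limit (the usual Kerberos default) and the ADS success string "Join is OK" are assumptions, and the sample input is constructed from the output pasted in the thread.

```shell
#!/usr/bin/env bash
# Added example: classify the domain-join state from captured command output.
# MAX_SKEW is an assumption: 300 s is the usual default Kerberos tolerance.
MAX_SKEW=${MAX_SKEW:-300}

# Print the "Server time offset" value (seconds) from `net ads info` output.
ads_time_offset() {
    printf '%s\n' "$1" |
        sed -n 's/^Server time offset:[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Return 0 when testjoin output reports a valid join. "Join to '...' is OK" is
# the RPC form shown in the thread; "Join is OK" (ADS form) is an assumption.
join_ok() {
    printf '%s\n' "$1" | grep -Eq "^Join (to '.*' )?is OK"
}

# triage_join ADS_TESTJOIN_OUT RPC_TESTJOIN_OUT ADS_INFO_OUT -> one verdict line
triage_join() {
    local ads_out=$1 rpc_out=$2 info_out=$3 offset abs
    offset=$(ads_time_offset "$info_out")
    if [ -n "$offset" ]; then
        abs=${offset#-}                      # absolute value of the offset
        if [ "$abs" -gt "$MAX_SKEW" ]; then  # Kerberos fails before anything else
            echo "clock-skew: offset ${offset}s exceeds ${MAX_SKEW}s, fix time sync first"
            return
        fi
    fi
    if join_ok "$ads_out" && join_ok "$rpc_out"; then
        echo "ok: both join checks pass (offset ${offset:-unknown}s)"
    elif join_ok "$rpc_out"; then
        echo "ads-only-failure: RPC join valid, Kerberos/LDAP bind rejected (offset ${offset:-unknown}s)"
    elif join_ok "$ads_out"; then
        echo "rpc-only-failure: ADS join valid, RPC check failed"
    else
        echo "not-joined: neither check passes, rejoin the domain"
    fi
}

# Constructed sample input, taken from the output pasted in the thread.
SAMPLE_ADS="kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials"
SAMPLE_RPC="Join to 'SQUID' is OK"
SAMPLE_INFO="LDAP server: 172.16.1.33
Realm: SQUID.BIZ
Server time offset: 43"

triage_join "$SAMPLE_ADS" "$SAMPLE_RPC" "$SAMPLE_INFO"
```

On a live host the three arguments would be the captured output of the corresponding commands, with stderr included for the testjoin calls.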
