something that has worked for me on occasion with the later samba verisons is to change:
*idmap uid*, and *idmap gid* to *winbind uid*, and *winbind gid* I dont understand why, because the man page says that winbind uid/gid is a wrapper for idmap uid/gid. But maybe that is why. I hope it helps. - Guillermo Gutierrez On Fri, Feb 22, 2008 at 11:43 AM, Walter Huf <[EMAIL PROTECTED]> wrote: > I am using Ubuntu Gutsy, which comes with Winbind 3.0.26a. I am using the > same configuration that worked on Ubuntu Feisty, which uses Winbind 3.0.24 > . > Something changed with Winbind, apparently, to break the configuration > that > was working perfectly. How can I fix my configuration to work with the new > version? > > The symptoms are as follows: > wbinfo -t works > wbinfo can retrieve a list of users > wbinfo can look up a user's SID by it's username > wbinfo can look up a user's username by it's SID > ntlm_auth can authenticate a user. I can not use wbinfo to verify this > because my password has a ! in it. Windows Event Viewer does not show an > event for this. > Logging in fails, generating a Windows Event with error code 0xC000006A. > su username does not work, failing with "Unknown id: username" > > The relevant section of smb.conf: > workgroup = WORKGROUP > realm = WORKGROUP.TLD > security = ADS > winbind enum groups = yes > winbind enum users = yes > winbind cache time = 600 > winbind nested groups = yes > winbind nss info = sfu > winbind separator = + > winbind use default domain = yes > > idmap gid = 500-45000 > idmap uid = 500-45000 > idmap backend = ad > > nsswitch.conf has the following: > passwd: files winbind > group: files winbind > > Pam configuration: > auth requisite pam_nologin.so debug > auth [success=1 default=ignore] pam_localuser.so debug > auth [success=done auth_err=bad] pam_winbind.so debug > auth required pam_unix.so nullok_secure debug > > account sufficient pam_winbind.so debug > account required pam_unix_acct.so debug > > Relevent part of auth.log: > Feb 22 11:25:49 client sshd[4620]: Invalid user username from X.X.X.X > Feb 22 11:25:49 client sshd[4620]: Failed none for invalid user username > from X.X.X.X port 2086 ssh2 > Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: > 0x8006e940] > ENTER: pam_sm_authenticate (flags: 0x0001) > Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): getting password > (0x00000001) > Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): Verify user > 'username' > Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): request failed: > Wrong Password, PAM error was Authentication failure (7), NT error was > NT_STATUS_WRONG_PASSWORD > Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): user 'username' > denied access (incorrect password or invalid membership) > Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: > 0x8006e940] > LEAVE: pam_sm_authenticate returning 7 > Feb 22 11:25:49 client sshd[4620]: pam_unix(ssh:auth): check pass; user > unknown > Feb 22 11:25:50 client sshd[4620]: pam_unix(ssh:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X > Feb 22 11:25:51 client sshd[4620]: Failed password for invalid user > username > from X.X.X.X port 2086 ssh2 > > klist output: > Default principal: [EMAIL PROTECTED] > > Valid starting Expires Service principal > 02/22/08 10:51:58 02/22/08 20:51:43 krbtgt/[EMAIL PROTECTED] > renew until 02/23/08 10:51:58 > 02/22/08 11:20:58 02/22/08 20:51:43 [EMAIL PROTECTED] > renew until 02/23/08 10:51:58 > > > Kerberos 4 ticket cache: /tmp/tkt0 > klist: You have no tickets cached > > > Does anyone have any ways to fix this serious problem? > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- Guillermo Gutierrez [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
