[Samba] Issue with joining to ADS2003 domain
I have set up LDAP/KRB5 access to my active directory network. If I do a getent passwd, I see the users with a unix UID/GID. If I use kinit, I can get a token. If I su to a user, it creates a home folder, and shows correct IDs etc.

However the machine will not log in via ssh or the GUI. In secure I see:

Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: ccache dir: /tmp
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: keytab: FILE:/etc/krb5.keytab
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: called to authenticate 'ipillion', realm 'MYDOMAIN.COM'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipill...@mydomain.com'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: trying previously-entered password for 'ipillion', allowing libkrb5 to prompt for more
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipill...@mydomain.com' to 'krbtgt/mydomain@mydomain.com'
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: krb5_get_init_creds_password(krbtgt/mydomain@mydomain.com) returned 0 (Success)
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: validating credentials
Oct 27 11:15:16 rhelads sshd[4190]: pam_krb5[4190]: error guessing name of local host principal
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: TGT failed verification using keytab: Hostname cannot be canonicalized
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: got result 0 (Success)
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: authentication fails for 'ipillion' (ipill...@mydomain.com): Authentication failure (Success)
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: pam_authenticate returning 7 (Authentication failure)
Oct 27 11:15:38 rhelads sshd[4190]: Failed password for ipillion from 172.16.165.122 port 57518 ssh2
Oct 27 11:15:40 rhelads sshd[4193]: Connection closed by 172.16.165.122

So I try to join the machine to the domain:

libads/sasl.c:ads_sasl_spengo_bind(819) kinit suceeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

My smb.conf is here:

[global]
workgroup = ITD2
realm = mydomain.com
security = ads
user kerberos keytab = true
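Added example, not part of the original post: a small Python triage of the pam_krb5 lines quoted in the message above, showing that the KDC accepted the password and that the login was refused afterwards, when pam_krb5 verified the TGT against the host keytab. The function names, the 10-second stall threshold and the year parameter are assumptions of this example; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Lines copied from the /var/log/secure excerpt in the post (a subset of them).
SAMPLE = """\
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: called to authenticate 'ipillion', realm 'MYDOMAIN.COM'
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: krb5_get_init_creds_password(krbtgt/mydomain@mydomain.com) returned 0 (Success)
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: validating credentials
Oct 27 11:15:16 rhelads sshd[4190]: pam_krb5[4190]: error guessing name of local host principal
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: TGT failed verification using keytab: Hostname cannot be canonicalized
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: pam_authenticate returning 7 (Authentication failure)
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \w+\[(\d+)\]: pam_krb5\[\d+\]: (.*)$")
USER = re.compile(r"called to authenticate '([^']+)'")
INIT = re.compile(r"krb5_get_init_creds_password\([^)]*\) returned (-?\d+)")
VERIFY = re.compile(r"TGT failed verification using keytab: (.+)")
PAMRC = re.compile(r"pam_authenticate returning (\d+)")
FIELDS = (("user", USER, str), ("kdc_rc", INIT, int),
          ("verify_error", VERIFY, str), ("pam_rc", PAMRC, int))


def classify(session):
    """Name the stage at which the login attempt was decided."""
    if session["kdc_rc"] not in (None, 0):
        return "kdc-rejected"                 # wrong password, locked account, ...
    if session["kdc_rc"] == 0 and session["verify_error"]:
        # The KDC issued a TGT, but pam_krb5 could not confirm it against the
        # host key in the keytab. That check protects against a spoofed KDC,
        # so failing closed here is the intended behaviour.
        return "local-keytab-verification"
    if session["pam_rc"] == 0:
        return "ok"
    return "unknown"


def triage(lines, stall_secs=10, year=2011):
    """Group pam_krb5 messages by sshd PID and locate the failing stage.

    stall_secs and year are assumptions of this example: syslog timestamps
    carry no year, and only the differences between them are used.
    """
    sessions, last_seen = {}, {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                          # not a pam_krb5 debug line
        stamp, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(pid, {"user": None, "kdc_rc": None,
                                      "verify_error": None, "pam_rc": None,
                                      "stalls": []})
        # A long silence before a message means the step it reports blocked,
        # typically on a name lookup that timed out.
        if pid in last_seen:
            gap = int((ts - last_seen[pid]).total_seconds())
            if gap >= stall_secs:
                s["stalls"].append((gap, msg))
        last_seen[pid] = ts
        for key, rx, conv in FIELDS:
            hit = rx.search(msg)
            if hit:
                s[key] = conv(hit.group(1))
    for s in sessions.values():
        s["verdict"] = classify(s)
    return sessions


if __name__ == "__main__":
    for pid, s in triage(SAMPLE).items():
        print(pid, s["user"], s["verdict"], "-", s["verify_error"])
        for gap, msg in s["stalls"]:
            print(f"  {gap}s stall before: {msg}")
```

On the sample it reports two 20-second stalls in front of the host-principal messages, which points at name resolution of the machine's own host name rather than at the user's password. The usual follow-up checks are `hostname -f`, forward and reverse DNS for that name, and `klist -k /etc/krb5.keytab` to see whether a matching host principal exists.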
Re: [Samba] Issue with joining to ADS2003 domain
I forgot to mention I am using RHEL 5.6.

I was using Samba3.0 (installed by default) but I removed this and installed Samba 3.3 from the DVD.

Regards
B

From: Brian O'Mahony
Sent: 27 October 2011 16:16
To: samba@lists.samba.org
Subject: Issue with joining to ADS2003 domain

I have set up LDAP/KRB5 access to my active directory network. If I do a getent passwd, I see the users with a unix UID/GID. If I use kinit, I can get a token. If I su to a user, it creates a home folder, and shows correct IDs etc.

However the machine will not log in via ssh or the GUI. In secure I see:

Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: ccache dir: /tmp
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: keytab: FILE:/etc/krb5.keytab
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: called to authenticate 'ipillion', realm 'MYDOMAIN.COM'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipill...@mydomain.com'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: trying previously-entered password for 'ipillion', allowing libkrb5 to prompt for more
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipill...@mydomain.com' to 'krbtgt/mydomain@mydomain.com'
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: krb5_get_init_creds_password(krbtgt/mydomain@mydomain.com) returned 0 (Success)
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: validating credentials
Oct 27 11:15:16 rhelads sshd[4190]: pam_krb5[4190]: error guessing name of local host principal
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: TGT failed verification using keytab: Hostname cannot be canonicalized
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: got result 0 (Success)
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: authentication fails for 'ipillion' (ipill...@mydomain.com): Authentication failure (Success)
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: pam_authenticate returning 7 (Authentication failure)
Oct 27 11:15:38 rhelads sshd[4190]: Failed password for ipillion from 172.16.165.122 port 57518 ssh2
Oct 27 11:15:40 rhelads sshd[4193]: Connection closed by 172.16.165.122

So I try to join the machine to the domain:

libads/sasl.c:ads_sasl_spengo_bind(819) kinit suceeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

My smb.conf is here:

[global]
workgroup = ITD2
realm = mydomain.com
security = ads
user kerberos keytab = true
Re: [Samba] Samba Authentication wrecking my head [ADS]
There is no /var/cache/samba folder. Any idea what files I'm looking for?

-----Original Message-----
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Wednesday, March 30, 2011 7:50 PM
To: Brian O'Mahony
Cc: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

Also check /var/cache/samba

Dale

On 03/30/2011 11:48 AM, Brian O'Mahony wrote:

samba3-3.4.11-42.el5

However I have moved to using idmap_rid, as I will have cold standbys of machines that I want to be able to access SAN data, with the same IDs.

So how does one go about clearing the samba user cache? I had it set up with users starting at 1. With RID I have now brought this down to 500 (so I can easily see the difference). I deleted the winbindd_* files folder in /var/lib/samba, but when I use a getent passwd brian.omahony it's showing the id as 10

Thanks
B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
Sent: Wednesday, March 30, 2011 4:28 PM
To: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

What version of samba?

I found that samba 3.0.x (as bundled with solaris) had problems with idmap. This was with LDAP backend, a Samba DC with trusts to Windows 2003 domain (in NT domain compatibility mode.) Samba would allocate idmap entries in ldap, and would populate the TDB cache files. But when the cache timeout expired, the cache files were not repopulated.

Long and short- I don't think Samba 3.0.x plays nice with Windows 2003. It doesn't work with Windows 2008 domains (2003 mode.)

On 03/30/2011 10:07 AM, Brian O'Mahony wrote:

After a bit of googling, I found that the idmap has been corrupted. Why would/could this happen?

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Wednesday, March 30, 2011 2:37 PM
To: samba@lists.samba.org
Subject: [Samba] Samba Authentication wrecking my head [ADS]

I've recently installed three servers with RHEL5u5. After some messing on the original, I got samba working with ADS authentication. I then went and got it working so that users could log in using their domain name password to the box. I got this working with both no restriction, and ADS group restriction. I have left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) to the second machine. Everything works. Rebooted, everything is fine. System running as expected.

I copied to the third machine. Everything worked fine. I was able to log in using two users (mine and a colleague's). Set up some other machine stuff, rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was something wrong. Those two accounts worked from both a samba perspective, and a login perspective. However a third account that was supposed to work, failed with su: user ccadm does not exist.

Now samba doesn't work for any user other than the original too, and the same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have rejoined the domain as both that system name, and a new one, with no issues:

[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:
1. Where the hell are these accounts being cached, that work.
2. What the hell has happened to make this no longer work.
3. Why if I can see all the users groups can I not log in, or get samba working.

This is really starting to get on my nerves. I just cannot understand why if it can see the users using wbinfo, why it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B

[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group: files winbind

log.winbind:
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:05, 3] winbindd/winbindd_pam.c:829(winbindd_pam_auth
Re: [Samba] Samba Authentication wrecking my head [ADS]
I deleted *everything* in /var/lib/samba and it worked.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Thursday, March 31, 2011 10:03 AM
To: 'Dale Schroeder'
Cc: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

There is no /var/cache/samba folder. Any idea what files I'm looking for?

-----Original Message-----
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Wednesday, March 30, 2011 7:50 PM
To: Brian O'Mahony
Cc: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

Also check /var/cache/samba

Dale

On 03/30/2011 11:48 AM, Brian O'Mahony wrote:

samba3-3.4.11-42.el5

However I have moved to using idmap_rid, as I will have cold standbys of machines that I want to be able to access SAN data, with the same IDs.

So how does one go about clearing the samba user cache? I had it set up with users starting at 1. With RID I have now brought this down to 500 (so I can easily see the difference). I deleted the winbindd_* files folder in /var/lib/samba, but when I use a getent passwd brian.omahony it's showing the id as 10

Thanks
B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
Sent: Wednesday, March 30, 2011 4:28 PM
To: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

What version of samba?

I found that samba 3.0.x (as bundled with solaris) had problems with idmap. This was with LDAP backend, a Samba DC with trusts to Windows 2003 domain (in NT domain compatibility mode.) Samba would allocate idmap entries in ldap, and would populate the TDB cache files. But when the cache timeout expired, the cache files were not repopulated.

Long and short- I don't think Samba 3.0.x plays nice with Windows 2003. It doesn't work with Windows 2008 domains (2003 mode.)

On 03/30/2011 10:07 AM, Brian O'Mahony wrote:

After a bit of googling, I found that the idmap has been corrupted. Why would/could this happen?

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Wednesday, March 30, 2011 2:37 PM
To: samba@lists.samba.org
Subject: [Samba] Samba Authentication wrecking my head [ADS]

I've recently installed three servers with RHEL5u5. After some messing on the original, I got samba working with ADS authentication. I then went and got it working so that users could log in using their domain name password to the box. I got this working with both no restriction, and ADS group restriction. I have left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) to the second machine. Everything works. Rebooted, everything is fine. System running as expected.

I copied to the third machine. Everything worked fine. I was able to log in using two users (mine and a colleague's). Set up some other machine stuff, rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was something wrong. Those two accounts worked from both a samba perspective, and a login perspective. However a third account that was supposed to work, failed with su: user ccadm does not exist.

Now samba doesn't work for any user other than the original too, and the same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have rejoined the domain as both that system name, and a new one, with no issues:

[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:
1. Where the hell are these accounts being cached, that work.
2. What the hell has happened to make this no longer work.
3. Why if I can see all the users groups can I not log in, or get samba working.

This is really starting to get on my nerves. I just cannot understand why if it can see the users using wbinfo, why it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B

[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group: files winbind

log.winbind:
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14
[Samba] Samba Authentication wrecking my head [ADS]
I've recently installed three servers with RHEL5u5. After some messing on the original, I got samba working with ADS authentication. I then went and got it working so that users could log in using their domain name password to the box. I got this working with both no restriction, and ADS group restriction. I have left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) to the second machine. Everything works. Rebooted, everything is fine. System running as expected.

I copied to the third machine. Everything worked fine. I was able to log in using two users (mine and a colleague's). Set up some other machine stuff, rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was something wrong. Those two accounts worked from both a samba perspective, and a login perspective. However a third account that was supposed to work, failed with su: user ccadm does not exist.

Now samba doesn't work for any user other than the original too, and the same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have rejoined the domain as both that system name, and a new one, with no issues:

[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:
1. Where the hell are these accounts being cached, that work.
2. What the hell has happened to make this no longer work.
3. Why if I can see all the users groups can I not log in, or get samba working.

This is really starting to get on my nerves. I just cannot understand why if it can see the users using wbinfo, why it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B

[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group: files winbind

log.winbind:
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:05, 3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
  [ 7381]: pam auth ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm

Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password (0x0010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password [I know the pass is right here. It works elsewhere]
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm' denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm from 172.16.165.248 port 39699 ssh2

# Global parameters
[global]
workgroup = GROUP
realm = MYDOMAIN.COM
security = ads
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = Yes
winbind separator = /
encrypt passwords = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
preferred master = No
dns proxy = No
wins server = 172.16.164.100
template homedir = /home/%U
template shell = /bin/bash

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_succeed_if.so uid = 500 quiet
Re: [Samba] Samba Authentication wrecking my head [ADS]
After a bit of googling, I found that the idmap has been corrupted. Why would/could this happen?

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Wednesday, March 30, 2011 2:37 PM
To: samba@lists.samba.org
Subject: [Samba] Samba Authentication wrecking my head [ADS]

I've recently installed three servers with RHEL5u5. After some messing on the original, I got samba working with ADS authentication. I then went and got it working so that users could log in using their domain name password to the box. I got this working with both no restriction, and ADS group restriction. I have left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) to the second machine. Everything works. Rebooted, everything is fine. System running as expected.

I copied to the third machine. Everything worked fine. I was able to log in using two users (mine and a colleague's). Set up some other machine stuff, rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was something wrong. Those two accounts worked from both a samba perspective, and a login perspective. However a third account that was supposed to work, failed with su: user ccadm does not exist.

Now samba doesn't work for any user other than the original too, and the same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have rejoined the domain as both that system name, and a new one, with no issues:

[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:
1. Where the hell are these accounts being cached, that work.
2. What the hell has happened to make this no longer work.
3. Why if I can see all the users groups can I not log in, or get samba working.

This is really starting to get on my nerves. I just cannot understand why if it can see the users using wbinfo, why it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B

[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group: files winbind

log.winbind:
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:05, 3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
  [ 7381]: pam auth ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm

Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password (0x0010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password [I know the pass is right here. It works elsewhere]
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm' denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm from 172.16.165.248 port 39699 ssh2

# Global parameters
[global]
workgroup = GROUP
realm = MYDOMAIN.COM
security = ads
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = Yes
winbind separator = /
encrypt passwords = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
Re: [Samba] Samba Authentication wrecking my head [ADS]
samba3-3.4.11-42.el5

However I have moved to using idmap_rid, as I will have cold standbys of machines that I want to be able to access SAN data, with the same IDs.

So how does one go about clearing the samba user cache? I had it set up with users starting at 1. With RID I have now brought this down to 500 (so I can easily see the difference). I deleted the winbindd_* files folder in /var/lib/samba, but when I use a getent passwd brian.omahony it's showing the id as 10

Thanks
B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
Sent: Wednesday, March 30, 2011 4:28 PM
To: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

What version of samba?

I found that samba 3.0.x (as bundled with solaris) had problems with idmap. This was with LDAP backend, a Samba DC with trusts to Windows 2003 domain (in NT domain compatibility mode.) Samba would allocate idmap entries in ldap, and would populate the TDB cache files. But when the cache timeout expired, the cache files were not repopulated.

Long and short- I don't think Samba 3.0.x plays nice with Windows 2003. It doesn't work with Windows 2008 domains (2003 mode.)

On 03/30/2011 10:07 AM, Brian O'Mahony wrote:

After a bit of googling, I found that the idmap has been corrupted. Why would/could this happen?

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Wednesday, March 30, 2011 2:37 PM
To: samba@lists.samba.org
Subject: [Samba] Samba Authentication wrecking my head [ADS]

I've recently installed three servers with RHEL5u5. After some messing on the original, I got samba working with ADS authentication. I then went and got it working so that users could log in using their domain name password to the box. I got this working with both no restriction, and ADS group restriction. I have left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) to the second machine. Everything works. Rebooted, everything is fine. System running as expected.

I copied to the third machine. Everything worked fine. I was able to log in using two users (mine and a colleague's). Set up some other machine stuff, rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was something wrong. Those two accounts worked from both a samba perspective, and a login perspective. However a third account that was supposed to work, failed with su: user ccadm does not exist.

Now samba doesn't work for any user other than the original too, and the same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have rejoined the domain as both that system name, and a new one, with no issues:

[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:
1. Where the hell are these accounts being cached, that work.
2. What the hell has happened to make this no longer work.
3. Why if I can see all the users groups can I not log in, or get samba working.

This is really starting to get on my nerves. I just cannot understand why if it can see the users using wbinfo, why it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B

[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group: files winbind

log.winbind:
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:05, 3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
  [ 7381]: pam auth ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm

Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap
Re: [Samba] Help with ADS authentication and Samba
So can anyone help me find where this cache is stored? I can log in from any machine with a username that previously worked, and is therefore cached somewhere on the samba server. However every other account does not work.

Thanks
B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Friday, March 11, 2011 5:26 PM
To: samba
Subject: Re: [Samba] Help with ADS authentication and Samba

After a bit more investigation it seems my issue on the working server is a bit more complex. If I use any of the three usernames that had previously worked, they work in the login prompt. However if I use any other user, it fails to log in.

There is obviously a cache of users somewhere, but I cannot find it. Has anyone an idea where this cache is?

Regards
B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Friday, March 11, 2011 5:05 PM
To: 'Geoff Winkless'; samba
Subject: Re: [Samba] Help with ADS authentication and Samba

Geoff, did you do the steps below? Was there anything else required?

B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Geoff Winkless
Sent: Friday, March 11, 2011 4:59 PM
To: samba
Subject: Re: [Samba] Help with ADS authentication and Samba

Well I changed the server name and it resolved my problem, so I'm guessing something was left over from the old install. No idea where though, anyone any clue?

On 11 March 2011 16:47, Brian O'Mahony brian.omah...@curamsoftware.com wrote:

I only installed this server with Base RHEL5.5 last week, got samba working on Monday with ADS. By today (probably yesterday or wed) it was now popping up the login box.

When you change the name, what is entailed?
Change the name in RHEL.
Change the name in DNS (windows server)
Rejoin the ads network using net ads join -U

Sounds about it. I ran net ads leave first, then changed samba and /etc/hosts and reran kinit too before rejoining, I dunno if that's required.

Thanks for the help so far.

Not sure how much help I'm being, it's nice to know I'm not the only one. Did you try the testparm thing?

Geoff
[Samba] Help with ADS authentication and Samba
Hi there,

just recently joined this list as I seem to be having a little trouble that I am hoping someone can help with.

I recently installed a RHEL5.5 server and updated samba to samba3-3.4.11-42.el5.x86_64.rpm. I had never set up samba to authenticate with ADS so I read a little bit and dove right in.

The server now works fine, so when I browse to \\machinename no login box pops up, and I see the shares, and every user in the domain can write to them. So far so good.

I then try to replicate this on another server and then the problems started. Here is the procedure I followed:

I copied smb.conf, krb5.conf over to the new server from the working copy.
Edited nsswitch.conf to add winbind to the end of passwd, group and shadow.
I then ran kinit admin. This worked. I then ran kdestroy to destroy the token.

[root@rhel5u5live ~]# net ads join -U ictadmin
Enter ictadmin's password:
Using short domain name -- XXX
Joined 'RHEL5U5LIVE' to realm 'xxx.com'
[root@rhel5u5live ~]# net ads testjoin
Join is OK
[root@rhel5u5live ~]# wbinfo -u | grep brian.om
XXX/brian.omahony

So it seems to be able to look up users etc on the Domain controller. However when I browse to \\machinename a login box pops up.

I *know* I must have forgotten something, but can't figure out what. Could someone please help?

Thanx
b
Re: [Samba] Help with ADS authentication and Samba
It is XP. When I ran

net use \\rhel5u5\tmp /USER:DOMAIN\brian.omahony

I get:

The password or user name is invalid for \\rhel5u5live\tmp.
Enter the password for 'ITDESIGN2\brian.omahony' to connect to 'rhel5u5live':
System error 1326 has occurred.
Logon failure: unknown user name or bad password.

Obviously I entered my windows password when I was prompted.

The working server does NOT have entries in the hosts file, and this server DOES. However both can dig the DC successfully.

Here is the machine log:

[root@rhel5u5live samba]# cat log.soundwave
[2011/03/11 13:25:31, 6] param/loadparm.c:7028(lp_file_list_changed)
  lp_file_list_changed() file /etc/samba/smb.conf - /etc/samba/smb.conf last mod_time: Fri Mar 11 13:21:32 2011
[2011/03/11 13:25:31, 5] smbd/reply.c:503(reply_special)
  init msg_type=0x81 msg_flags=0x0
[2011/03/11 13:25:31, 5] lib/util_sock.c:528(read_fd_with_timeout)
  read_fd_with_timeout: blocking read. EOF from client.
[2011/03/11 13:25:31, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/03/11 13:25:31, 5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2011/03/11 13:25:31, 5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2011/03/11 13:25:31, 5] smbd/uid.c:368(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2011/03/11 13:25:31, 3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2011/03/11 13:25:31, 3] smbd/connection.c:42(yield_connection)
  deleting connection record returned NT_STATUS_NOT_FOUND
[2011/03/11 13:25:31, 3] smbd/server.c:845(exit_server_common)
  Server exit (failed to receive smb request)

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Geoff Winkless
Sent: Friday, March 11, 2011 11:49 AM
To: samba
Subject: Re: [Samba] Help with ADS authentication and Samba

2011/3/11 Brian O'Mahony brian.omah...@curamsoftware.com:
> Hi there,
>
> just recently joined this list as I seem to be having a little trouble that I am hoping someone can help with.
>
> I recently installed a RHEL5.5 server and updated samba to samba3-3.4.11-42.el5.x86_64.rpm. I had never set up samba to authenticate with ADS so I read a little bit and dove right in.
>
> The server now works fine, so when I browse to \\machinename no login box pops up, and I see the shares, and every user in the domain can write to them. So far so good.
>
> I then try to replicate this on another server and then the problems started. Here is the procedure I followed:
>
> I copied smb.conf, krb5.conf over to the new server from the working copy.
> Edited nsswitch.conf to add winbind to the end of passwd, group and shadow.
> I then ran kinit admin. This worked. I then ran kdestroy to destroy the token.
>
> [root@rhel5u5live ~]# net ads join -U ictadmin
> Enter ictadmin's password:
> Using short domain name -- XXX
> Joined 'RHEL5U5LIVE' to realm 'xxx.com'
> [root@rhel5u5live ~]# net ads testjoin
> Join is OK
> [root@rhel5u5live ~]# wbinfo -u | grep brian.om
> XXX/brian.omahony
>
> So it seems to be able to look up users etc on the Domain controller. However when I browse to \\machinename a login box pops up.
>
> I *know* I must have forgotten something, but can't figure out what.

Welcome to my world. I have exactly the same issue - one server works fine, the other doesn't, even though all the wb tests seem to be fine.

Is it an XP client, by any chance?

I've narrowed it down to a kerberos issue, I believe. If you run

net use \\servername\share /user:XXX/brian.omahony

does it work correctly without asking for a password? This seems to be NTLM vs Kerberos auth, but I can't get any further than that.

One thing to check, make sure that you have FQDN entries in the server's /etc/hosts (or as reverse entries in DNS) for your dc and the server itself.

ie when you do

dig -x 192.168.6.10

(the ip address of the server, obviously) from the server, do you get the full domain name or just the hostname? Various pages suggest that might be the cause of the problem, although it doesn't help me.

Geoff
Re: [Samba] Help with ADS authentication and Samba
When I dig the RHEL server, it actually returns the DC:

160.16.172.in-addr.arpa. 3600 IN SOA animal.XXX.com. hostmaster.XXX.com. 77337 900 600 86400 3600

The system that is working returns its correct name (ccdubrep.XXX.com).

I added the server to the windows DNS table, and the dig now shows correctly. However it is still popping up a login box.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Geoff Winkless
Sent: Friday, March 11, 2011 3:34 PM
To: samba
Subject: Re: [Samba] Help with ADS authentication and Samba

On 11 March 2011 13:27, Brian O'Mahony brian.omah...@curamsoftware.com wrote:
> When I ran net use \\rhel5u5\tmp /USER:DOMAIN\brian.omahony I get:
> The password or user name is invalid for \\rhel5u5live\tmp.

Not the same problem I have then. Shame. I can force the domain and it works.

> The working server does NOT have entries in the hosts file, and this server DOES. However both can dig the DC successfully.

Apologies, I meant dig -x rhel5u5's IP, not that of the DC. dig should return the FQDN, not just rhel5u5.

Geoff
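The reverse-lookup check discussed in this thread (`dig -x` on the server's own IP should come back with its FQDN, not a bare hostname or only the zone's SOA), as an added example that is not part of any poster's message. The function names, the example.com host names and the 172.16.160.25 address are assumptions, and the sample dig records are constructed.

```shell
#!/bin/sh
# Added example: classify what `dig -x <server-ip>` returned for a member server.
# All records below are constructed; example.com and 172.16.160.25 are placeholders.

# classify_ptr EXPECTED_FQDN   (full dig output on stdin)
#   ok          a PTR record names the expected FQDN
#   short-name  a PTR record exists but holds a bare hostname
#   mismatch    PTR records exist but name some other host
#   no-ptr      no PTR record came back (e.g. only the zone's SOA)
classify_ptr() (
    expected=$(printf '%s' "${1%.}" | tr '[:upper:]' '[:lower:]')
    # Record lines are: owner TTL class type rdata. Lines starting with ';'
    # are dig comments, including the echoed question.
    ptrs=$(awk '!/^;/ && $3 == "IN" && $4 == "PTR" {
        sub(/\.$/, "", $5); print tolower($5) }')
    verdict=no-ptr
    for name in $ptrs; do
        if [ "$name" = "$expected" ]; then
            verdict=ok
            break
        fi
        case $name in
            *.*) [ "$verdict" = short-name ] || verdict=mismatch ;;
            *)   verdict=short-name ;;   # bare hostname, no domain part
        esac
    done
    echo "$verdict"
)

# check_reverse IP FQDN: run the real lookup (needs dig and network access).
check_reverse() {
    dig -x "$1" | classify_ptr "$2"
}

# Constructed: the reverse zone has no entry for the host, so the answer is
# empty and the authority section carries the zone's SOA.
SAMPLE_NO_PTR=';; QUESTION SECTION:
;25.160.16.172.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
160.16.172.in-addr.arpa. 3600 IN SOA animal.example.com. hostmaster.example.com. 77337 900 600 86400 3600'

# Constructed: PTR present and fully qualified.
SAMPLE_OK=';; ANSWER SECTION:
25.160.16.172.in-addr.arpa. 3600 IN PTR rhel5u5live.example.com.'

# Constructed: PTR present but only the short hostname.
SAMPLE_SHORT=';; ANSWER SECTION:
25.160.16.172.in-addr.arpa. 3600 IN PTR rhel5u5live.'

# Constructed: PTR points at a different machine.
SAMPLE_OTHER=';; ANSWER SECTION:
25.160.16.172.in-addr.arpa. 3600 IN PTR animal.example.com.'

for sample in "$SAMPLE_NO_PTR" "$SAMPLE_OK" "$SAMPLE_SHORT" "$SAMPLE_OTHER"; do
    printf '%s\n' "$sample" | classify_ptr rhel5u5live.example.com
done
```

On a live host, `check_reverse <server-ip> "$(hostname -f)"` runs the same classification against the real resolver.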
Re: [Samba] Help with ADS authentication and Samba
Turns out something else has gone wrong on me.

The system that previously worked without a login box, now requires it. I didn't notice this as my machine obviously is cached. If I put my credentials in (DOMAIN\user and password), it logs in. Still need to fix that.

The system that has the same configuration, pops the login box, but I cannot log in using the same credentials.

This is starting to boggle me. I don't know why all of a sudden, the first machine is throwing up a login box, and secondly why the second one won't authenticate.

B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Friday, March 11, 2011 4:02 PM
To: samba
Subject: Re: [Samba] Help with ADS authentication and Samba

When I dig the RHEL server, it actually returns the DC:

160.16.172.in-addr.arpa. 3600 IN SOA animal.XXX.com. hostmaster.XXX.com. 77337 900 600 86400 3600

The system that is working returns its correct name (ccdubrep.XXX.com).

I added the server to the windows DNS table, and the dig now shows correctly. However it is still popping up a login box.
Re: [Samba] Help with ADS authentication and Samba
Restarted services. Restarted servers. Recopied smb and krb5 conf files to the server that is not working.

I have increased log level to 9 to see what is going on.

Black art is right. The fact that one system was working without the login prompt and now doesn't is starting to fry my brains. Especially on a Friday

B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Geoff Winkless
Sent: Friday, March 11, 2011 4:22 PM
To: samba
Subject: Re: [Samba] Help with ADS authentication and Samba

On 11 March 2011 16:02, Brian O'Mahony brian.omah...@curamsoftware.com wrote:
> When I dig the RHEL server, it actually returns the DC:
>
> 160.16.172.in-addr.arpa. 3600 IN SOA animal.XXX.com. hostmaster.XXX.com. 77337 900 600 86400 3600
>
> The system that is working returns its correct name (ccdubrep.XXX.com)
>
> I added the server to the windows DNS table, and the dig now shows correctly. However it is still popping up a login box.

Even after restarting both smb and winbind?

Then I dunno. I'm beginning to feel like the ADS stuff is a bit like a black art - did you remember to sacrifice a goat and turn three times widdershins before you started?

Geoff
Re: [Samba] Help with ADS authentication and Samba
Yep that works. Looks like I have the same issue as you on one server, and the other is just hosed.

Did yours ever work? Mine worked on Wednesday before I tried to figure out why the second one didn't work, and broke the original in the process.

Arg.

B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Geoff Winkless
Sent: Friday, March 11, 2011 4:28 PM
To: samba
Subject: Re: [Samba] Help with ADS authentication and Samba

On 11 March 2011 16:06, Brian O'Mahony brian.omah...@curamsoftware.com wrote:
> Turns out something else has gone wrong on me.
>
> The system that previously worked without a login box, now requires it. I didn't notice this as my machine obviously is cached. If I put my credentials in (DOMAIN\user and password), it logs in. Still need to fix that

That sounds more like my problem. If you do the net use command specifying the domain\user does it still ask for password or does it go with it from there?

> The system that has the same configuration, pops the login box, but I cannot log in using the same credentials.

Are they running the same samba version? Have you run a diff on the output from testparm -v on both boxes?

What does

wbinfo -k DOMAIN\\brian.omahoney

return? (or DOMAIN+brian.omahoney if you're using + as a winbind separator)

G
Re: [Samba] Help with ADS authentication and Samba
I only installed this server with Base RHEL5.5 last week, got samba working on Monday with ADS. By today (probably yesterday or wed) it was now popping up the login box.

When you change the name, what is entailed?

Change the name in RHEL.
Change the name in DNS (windows server)
Rejoin the ads network using net ads join -U

Anything else?

Thanks for the help so far.

B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Geoff Winkless
Sent: Friday, March 11, 2011 4:40 PM
To: samba
Subject: Re: [Samba] Help with ADS authentication and Samba

On 11 March 2011 16:33, Brian O'Mahony brian.omah...@curamsoftware.com wrote:
> Yep that works. Looks like I have the same issue as you on one server, and the other is just hosed.
>
> Did yours ever work? Mine worked on Wednesday before I tried to figure out why the second one didn't work, and broke the original in the process.

Mine used to work with identical config before I upgraded it from Redhat 9. I have a feeling it's related to that - perhaps there's a cache of some sort somewhere that remembers the IP/domain name and doesn't like the fact that something about the server (the SID?) has changed. I reset the netbios cache on the XP client but it made no difference.

I might try changing the server name and see if it helps.

I have no idea where to start looking, unfortunately, so it makes it a bit like looking for a needle in a haystack at midnight.

Geoff
Re: [Samba] Help with ADS authentication and Samba
Geoff, did you do the steps below? Was there anything else required?

B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Geoff Winkless
Sent: Friday, March 11, 2011 4:59 PM
To: samba
Subject: Re: [Samba] Help with ADS authentication and Samba

Well I changed the server name and it resolved my problem, so I'm guessing something was left over from the old install. No idea where though, anyone any clue?

On 11 March 2011 16:47, Brian O'Mahony brian.omah...@curamsoftware.com wrote:
> I only installed this server with Base RHEL5.5 last week, got samba working on Monday with ADS. By today (probably yesterday or wed) it was now popping up the login box.
>
> When you change the name, what is entailed?
>
> Change the name in RHEL.
> Change the name in DNS (windows server)
> Rejoin the ads network using net ads join -U

Sounds about it. I ran net ads leave first, then changed samba and /etc/hosts and reran kinit too before rejoining, I dunno if that's required.

> Thanks for the help so far.

Not sure how much help I'm being, it's nice to know I'm not the only one.

Did you try the testparm thing?

Geoff
Re: [Samba] Help with ADS authentication and Samba
After a bit more investigation it seems my issue on the working server is a bit more complex. If I use any of the three usernames that had previously worked, they work in the login prompt. However if I use any other user, it fails to log in.

There is obviously a cache of users somewhere, but I cannot find it. Has anyone an idea where this cache is?

Regards
B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Friday, March 11, 2011 5:05 PM
To: 'Geoff Winkless'; samba
Subject: Re: [Samba] Help with ADS authentication and Samba

Geoff, did you do the steps below? Was there anything else required?

B