Re: [Samba] Re : Problem with Winbind
Hi Robert;

Exactly, my Suse Linux server syncs with a time server (221.128.17.234):

    # /etc/init.d/ntp restart
    Shutting down network time protocol daemon (NTPD) done
    Try to get initial date and time via NTP from 221.128.17.234 done
    Starting network time protocol daemon (NTPD)

When I execute date, the date/time are correct:

    # date
    Fri Nov 18 09:59:07 CET 2011

My Windows 2008 R2 server is also synced with the same time server (221.128.17.234):

    #w32tm /query /configuration
    EventLogFlags: 1 (Locale)
    LargeSampleSkew: 3 (Locale)
    SpecialPollInterval: 3600 (Locale)
    Type: NTP (Locale)
    NtpServer: 221.128.17.234 (Locale)

Is the time shown by net the time on the Windows server?

    # net ads info - U administrateur
    ..
    Server time: Thu, 01 Jan 1970 01:00:00 CET

How can I resolve this time problem?

Regards

--- On Thu 17.11.11, Robert Freeman-Day pres...@gmail.com wrote:

From: Robert Freeman-Day pres...@gmail.com
Subject: Re: [Samba] Re : Problem with Winbind
To: samba@lists.samba.org
Date: Thursday 17 November 2011, 17:46

On 11/17/2011 06:09 AM, djamel boussebha wrote:

Hi;

I would like to set the file /etc/krb5.keytab for apache:

    # net ads keytab add HTTP -U compte_admin_dom1
    Processing principals to add...
    Enter administrateur's password:
    # ktutil
    ktutil: l
    slot KVNO Principal
    -
    ktutil:

The file is empty?

Maybe this problem is linked to the command net ads? Because when I try to join the AD:

    # net ads join -U administrat...@p9bis.neoplus.laposte.poc
    Enter administrat...@p9bis.neoplus.laposte.poc's password:
    Failed to join domain: failed to find DC for domain P9BIS.NEOPLUS.LAPOSTE.POC

But with rpc it works:

    # net rpc join -U administrat...@p9bis.neoplus.laposte.poc
    Enter administrat...@p9bis.neoplus.laposte.poc's password:
    Joined domain P9BIS.

When I execute:

    # net ads info - U administrateur
    Failed to get server's current time!
    LDAP server: 187.0.17.104
    LDAP server name: CINVW067.p9bis.neoplus.laposte.poc
    Realm: P9BIS.NEOPLUS.LAPOSTE.POC
    Bind Path: dc=P9BIS,dc=NEOPLUS,dc=LAPOSTE,dc=POC
    LDAP port: 389
    Server time: Thu, 01 Jan 1970 01:00:00 CET
    KDC server: 187.0.17.104

And:

    # net rpc info -U administrateur
    Enter administrateur's password:
    Domain Name: P9BIS
    Domain SID: S-1-5-21-254703050-2859693384-3493432365
    Sequence number: 1
    Num users: 50
    Num domain groups: 0
    Num local groups: 12

The 2 commands wbinfo -u and wbinfo -g do not return any values for users/groups?

The kinit works fine:

    # kinit administrat...@p9bis.neoplus.laposte.poc
    Password for administrat...@p9bis.neoplus.laposte.poc:
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrat...@p9bis.neoplus.laposte.poc
    Valid starting Expires Service principal
    11/17/11 12:05:00 11/17/11 22:05:03 krbtgt/p9bis.neoplus.laposte@p9bis.neoplus.laposte.poc
    renew until 11/18/11 12:05:00
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

Impossible to join the AD server with ads:

    # net ads testjoin
    Join to domain is not valid: Operations error
    # net rpc testjoin
    Join to 'P9BIS' is OK

How can I make ads work correctly and how can I get the list of users of the AD domain?

Any help would be very appreciated.

Regards

--- On Wed 16.11.11, djamel boussebha dbousse...@yahoo.fr wrote:

From: djamel boussebha dbousse...@yahoo.fr
Subject: Problem with Winbind
To: samba@lists.samba.org samba@lists.samba.org, foedi...@eva.mpg.de foedi...@eva.mpg.de, AndrewPhilipoff aphilip...@medicine.ucsf.edu
Date: Wednesday 16 November 2011, 17:24

Hi;

wbinfo cannot get the user names and group names of my AD domain (Windows 2008 SP2).

The result for wbinfo -t is ok:

    checking the trust secret for domain P9BIS via RPC calls succeeded

But when I try to get wbinfo -n USER1 or wbinfo -r USER1 it shows this error message:

    Could not lookup name USER1

I use Samba version: 3.5.12.

Any help would be very appreciated... thanks to anyone!

I noticed the server time has the year 1970. The ads methods use kerberos and that is time sensitive. Get the accurate date/time and things should start working for you. Perhaps have it sync with a time server.

Robert

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman
Re: [Samba] Re : Problem with Winbind
Hi;

I have modified my /etc/hosts by adding an entry and ads works fine, but when I try to join AD, I have the following error message:

    # net ads join -S 221.221.17.104 -U administrateur
    Enter administrateur's password:
    [2011/11/18 11:06:09.010144, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
      kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
    Failed to join domain: failed to connect to AD: Server not found in Kerberos database

Maybe I use an old Kerberos version?

Any idea?

Regards;

--- On Fri 18.11.11, djamel boussebha dbousse...@yahoo.fr wrote:

From: djamel boussebha dbousse...@yahoo.fr
Subject: Re: [Samba] Re : Problem with Winbind
To: samba@lists.samba.org, Robert Freeman-Day pres...@gmail.com
Date: Friday 18 November 2011, 10:02

Hi Robert;

Exactly, my Suse Linux server syncs with a time server (221.128.17.234):

    # /etc/init.d/ntp restart
    Shutting down network time protocol daemon (NTPD) done
    Try to get initial date and time via NTP from 221.128.17.234 done
    Starting network time protocol daemon (NTPD)

When I execute date, the date/time are correct:

    # date
    Fri Nov 18 09:59:07 CET 2011

My Windows 2008 R2 server is also synced with the same time server (221.128.17.234):

    #w32tm /query /configuration
    EventLogFlags: 1 (Locale)
    LargeSampleSkew: 3 (Locale)
    SpecialPollInterval: 3600 (Locale)
    Type: NTP (Locale)
    NtpServer: 221.128.17.234 (Locale)

Is the time shown by net the time on the Windows server?

    # net ads info - U administrateur
    ..
    Server time: Thu, 01 Jan 1970 01:00:00 CET

How can I resolve this time problem?
Re: [Samba] Re : Problem with Winbind
    ) ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
    [2011/11/18 16:38:45.708475, 3] libads/sasl.c:784(ads_sasl_spnego_bind)
      ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
    [2011/11/18 16:38:45.708488, 3] libads/sasl.c:784(ads_sasl_spnego_bind)
      ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
    [2011/11/18 16:38:45.708501, 3] libads/sasl.c:784(ads_sasl_spnego_bind)
      ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
    [2011/11/18 16:38:45.708514, 3] libads/sasl.c:793(ads_sasl_spnego_bind)
      ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
    [2011/11/18 16:38:45.709568, 3] libsmb/clikrb5.c:777(ads_krb5_mk_req)
      ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
    [2011/11/18 16:38:45.741849, 3] libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
      ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 18 Nov 2011 23:18:45 CET
    [2011/11/18 16:38:45.741987, 3] libsmb/clikrb5.c:830(ads_krb5_mk_req)
      ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
    [2011/11/18 16:38:45.748606, 3] libads/ldap.c:2910(ads_domain_func_level)
      ads_domain_func_level: 4
    [2011/11/18 16:38:45.748700, 3] libads/kerberos.c:445(kerberos_secrets_store_des_salt)
      kerberos_secrets_store_des_salt: Storing salt host/cilvs049.p9bis.neoplus.laposte@p9bis.neoplus.laposte.poc
    [2011/11/18 16:38:45.751892, 3] libads/kerberos_keytab.c:64(smb_krb5_kt_add_entry_ext)
      smb_krb5_kt_add_entry_ext: Will try to delete old keytab entries
    Segmentation fault

With RPC protocol it works but I have the error: NT_STATUS_ACCESS_DENIED?

    # net rpc join -S CINVW067 -U administrateur%XXX -d3
    [2011/11/18 16:36:08, 3] param/loadparm.c:9180(lp_load_ex)
      lp_load_ex: refreshing parameters
    [2011/11/18 16:36:08, 3] param/loadparm.c:4948(init_globals)
      Initialising global parameters
    [2011/11/18 16:36:08, 2] param/loadparm.c:4807(max_open_files)
      rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    [2011/11/18 16:36:08.913273, 3] ../lib/util/params.c:550(pm_process)
      params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
    [2011/11/18 16:36:08.913340, 3] param/loadparm.c:7864(do_section)
      Processing section [global]
    [2011/11/18 16:36:08.915286, 2] lib/interface.c:340(add_interface)
      added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
    [2011/11/18 16:36:08.915361, 2] lib/interface.c:340(add_interface)
      added interface eth0 ip=fe80::250:56ff:fea4:39b6%eth0 bcast=fe80:::::%eth0 netmask=:::::
    [2011/11/18 16:36:08.915421, 2] lib/interface.c:340(add_interface)
      added interface eth0 ip=187.0.22.177 bcast=187.0.23.255 netmask=255.255.248.0
    lp_load_ex: refreshing parameters
    params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
    Processing section [global]
    added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
    added interface eth0 ip=fe80::250:56ff:fea4:39b6%eth0 bcast=fe80:::::%eth0 netmask=:::::
    added interface eth0 ip=187.0.22.177 bcast=187.0.23.255 netmask=255.255.248.0
    Connecting to host=CINVW067
    Connecting to 187.0.17.104 at port 445
    rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
    rpc command function failed! (NT_STATUS_ACCESS_DENIED)
    Connecting to host=CINVW067
    Connecting to 187.0.17.104 at port 445
    Doing spnego session setup (blob length=136)
    got OID=1.3.6.1.4.1.311.2.2.30
    got OID=1.2.840.48018.1.2.2
    got OID=1.2.840.113554.1.2.2
    got OID=1.2.840.113554.1.2.2.3
    got OID=1.3.6.1.4.1.311.2.2.10
    got principal=not_defined_in_RFC4178@please_ignore
    Got challenge flags:
    Got NTLMSSP neg_flags=0x62898215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
    Connecting to host=CINVW067
    Connecting to 187.0.17.104 at port 445
    Doing spnego session setup (blob length=136)
    got OID=1.3.6.1.4.1.311.2.2.30
    got OID=1.2.840.48018.1.2.2
    got OID=1.2.840.113554.1.2.2
    got OID=1.2.840.113554.1.2.2.3
    got OID=1.3.6.1.4.1.311.2.2.10
    got principal=not_defined_in_RFC4178@please_ignore
    Got challenge flags:
    Got NTLMSSP neg_flags=0x62898215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
    Joined domain P9BIS.
    return code = 0

I don't know if it's OK or not?

Regards

--- On Fri 18.11.11, djamel boussebha dbousse...@yahoo.fr wrote:

From: djamel boussebha dbousse...@yahoo.fr
Subject: Re: [Samba] Re : Problem with Winbind
To: samba@lists.samba.org, Robert Freeman-Day pres...@gmail.com
Date: Friday 18 November 2011, 11:20

Hi;

I have modified my /etc/hosts by adding an entry and ads works fine, but when I try to join AD, I have the following error message:

    # net ads join -S 221.221.17.104 -U administrateur
    Enter administrateur's password:
    [2011/11/18 11:06:09.010144, 0] libads/sasl.c:823
Re: [Samba] Re : Problem with Winbind
My hosts file is as follows on the linux server:

    # cat /etc/hosts
    127.0.0.1 local.localdomain localhost CILVS049
    187.0.22.177 CILVS049.p9bis.neoplus.laposte.poc CILVS049
    187.0.17.104 CINVW067.p9bis.neoplus.laposte.poc CINVW067

Windows server with AD LDAP is: 187.0.17.104 (CINVW067)
Linux server with Samba/Winbind: 187.0.22.177 (CILVS049)

--- On Fri 18.11.11, djamel boussebha dbousse...@yahoo.fr wrote:

From: djamel boussebha dbousse...@yahoo.fr
Subject: Re: [Samba] Re : Problem with Winbind
To: samba@lists.samba.org, Robert Freeman-Day pres...@gmail.com
Date: Friday 18 November 2011, 16:53

Hi Robert;

It's OK, I have resolved the time problem between linux and Windows servers.

But I have strange behavior when I join the AD server with ADS protocol: a Segmentation fault:

    # net ads join -S CINVW067 -U administrateur%XXX -d3
    [2011/11/18 16:38:45, 3] param/loadparm.c:9180(lp_load_ex)
      lp_load_ex: refreshing parameters
    [2011/11/18 16:38:45, 3] param/loadparm.c:4948(init_globals)
      Initialising global parameters
    [2011/11/18 16:38:45, 2] param/loadparm.c:4807(max_open_files)
      rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    [2011/11/18 16:38:45.611969, 3] ../lib/util/params.c:550(pm_process)
      params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
    [2011/11/18 16:38:45.612040, 3] param/loadparm.c:7864(do_section)
      Processing section [global]
    [2011/11/18 16:38:45.613778, 2] lib/interface.c:340(add_interface)
      added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
    [2011/11/18 16:38:45.613832, 2] lib/interface.c:340(add_interface)
      added interface eth0 ip=fe80::250:56ff:fea4:39b6%eth0 bcast=fe80:::::%eth0 netmask=:::::
    [2011/11/18 16:38:45.613891, 2] lib/interface.c:340(add_interface)
      added interface eth0 ip=187.0.22.177 bcast=187.0.23.255 netmask=255.255.248.0
    [2011/11/18 16:38:45.614224, 1] libnet/libnet_join.c:1924(libnet_Join)
      libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
          dc_name : 'CINVW067'
          machine_name : 'CILVS049'
          domain_name : *
            domain_name : 'P9BIS.NEOPLUS.LAPOSTE.POC'
          account_ou : NULL
          admin_account : 'administrateur'
          admin_password : *
          machine_password : NULL
          join_flags : 0x0023 (35)
            0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
            0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
            0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
            0: WKSSVC_JOIN_FLAGS_DEFER_SPN
            0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
            0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
            1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
            0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
            0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
            1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
            1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
          os_version : NULL
          os_name : NULL
          create_upn : 0x00 (0)
          upn : NULL
          modify_config : 0x00 (0)
          ads : NULL
          debug : 0x01 (1)
          use_kerberos : 0x00 (0)
          secure_channel_type : SEC_CHAN_WKSTA (2)
    [2011/11/18 16:38:45.614849, 3] libsmb/cliconnect.c:2212(cli_start_connection)
      Connecting to host=CINVW067
    [2011/11/18 16:38:45.615392, 3] lib/util_sock.c:979(open_socket_out_send)
      Connecting to 187.0.17.104 at port 445
    [2011/11/18 16:38:45.619155, 3] lib/util_sock.c:979(open_socket_out_send)
      Connecting to 187.0.17.104 at port 139
    [2011/11/18 16:38:45.620528, 3] libsmb/cliconnect.c:991(cli_session_setup_spnego)
      Doing spnego session setup (blob length=136)
    [2011/11/18 16:38:45.620675, 3] libsmb/cliconnect.c:1020(cli_session_setup_spnego)
      got OID=1.3.6.1.4.1.311.2.2.30
      got OID=1.2.840.48018.1.2.2
      got OID=1.2.840.113554.1.2.2
      got OID=1.2.840.113554.1.2.2.3
      got OID=1.3.6.1.4.1.311.2.2.10
    [2011/11/18 16:38:45.620725, 3] libsmb/cliconnect.c:1030(cli_session_setup_spnego)
      got principal=not_defined_in_RFC4178@please_ignore
    [2011/11/18 16:38:45.621464, 3] libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
      Got challenge flags:
    [2011/11/18 16:38:45.621508, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
      Got NTLMSSP neg_flags=0x62898215
    [2011/11/18 16:38:45.621526, 3] libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
      NTLMSSP: Set final flags:
    [2011/11/18 16:38:45.621537, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
      Got NTLMSSP neg_flags=0x60088215
    [2011/11/18 16:38:45.621668, 3] libsmb/ntlmssp_sign.c
[Samba] Re : Problem with Winbind
Hi;

I would like to set the file /etc/krb5.keytab for apache:

    # net ads keytab add HTTP -U compte_admin_dom1
    Processing principals to add...
    Enter administrateur's password:
    # ktutil
    ktutil: l
    slot KVNO Principal
    -
    ktutil:

The file is empty?

Maybe this problem is linked to the command net ads? Because when I try to join the AD:

    # net ads join -U administrat...@p9bis.neoplus.laposte.poc
    Enter administrat...@p9bis.neoplus.laposte.poc's password:
    Failed to join domain: failed to find DC for domain P9BIS.NEOPLUS.LAPOSTE.POC

But with rpc it works:

    # net rpc join -U administrat...@p9bis.neoplus.laposte.poc
    Enter administrat...@p9bis.neoplus.laposte.poc's password:
    Joined domain P9BIS.

When I execute:

    # net ads info - U administrateur
    Failed to get server's current time!
    LDAP server: 187.0.17.104
    LDAP server name: CINVW067.p9bis.neoplus.laposte.poc
    Realm: P9BIS.NEOPLUS.LAPOSTE.POC
    Bind Path: dc=P9BIS,dc=NEOPLUS,dc=LAPOSTE,dc=POC
    LDAP port: 389
    Server time: Thu, 01 Jan 1970 01:00:00 CET
    KDC server: 187.0.17.104

And:

    # net rpc info -U administrateur
    Enter administrateur's password:
    Domain Name: P9BIS
    Domain SID: S-1-5-21-254703050-2859693384-3493432365
    Sequence number: 1
    Num users: 50
    Num domain groups: 0
    Num local groups: 12

The 2 commands wbinfo -u and wbinfo -g do not return any values for users/groups?

The kinit works fine:

    # kinit administrat...@p9bis.neoplus.laposte.poc
    Password for administrat...@p9bis.neoplus.laposte.poc:
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrat...@p9bis.neoplus.laposte.poc
    Valid starting Expires Service principal
    11/17/11 12:05:00 11/17/11 22:05:03 krbtgt/p9bis.neoplus.laposte@p9bis.neoplus.laposte.poc
    renew until 11/18/11 12:05:00
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

Impossible to join the AD server with ads:

    # net ads testjoin
    Join to domain is not valid: Operations error
    # net rpc testjoin
    Join to 'P9BIS' is OK

How can I make ads work correctly and how can I get the list of users of the AD domain?

Any help would be very appreciated.

Regards

--- On Wed 16.11.11, djamel boussebha dbousse...@yahoo.fr wrote:

From: djamel boussebha dbousse...@yahoo.fr
Subject: Problem with Winbind
To: samba@lists.samba.org samba@lists.samba.org, foedi...@eva.mpg.de foedi...@eva.mpg.de, AndrewPhilipoff aphilip...@medicine.ucsf.edu
Date: Wednesday 16 November 2011, 17:24

Hi;

wbinfo cannot get the user names and group names of my AD domain (Windows 2008 SP2).

The result for wbinfo -t is ok:

    checking the trust secret for domain P9BIS via RPC calls succeeded

But when I try to get wbinfo -n USER1 or wbinfo -r USER1 it shows this error message:

    Could not lookup name USER1

I use Samba version: 3.5.12.

Any help would be very appreciated... thanks to anyone!
Re: [Samba] Re : Problem with Winbind
On 11/17/2011 06:09 AM, djamel boussebha wrote:

Hi;

I would like to set the file /etc/krb5.keytab for apache:

    # net ads keytab add HTTP -U compte_admin_dom1
    Processing principals to add...
    Enter administrateur's password:
    # ktutil
    ktutil: l
    slot KVNO Principal
    -
    ktutil:

The file is empty?

Maybe this problem is linked to the command net ads? Because when I try to join the AD:

    # net ads join -U administrat...@p9bis.neoplus.laposte.poc
    Enter administrat...@p9bis.neoplus.laposte.poc's password:
    Failed to join domain: failed to find DC for domain P9BIS.NEOPLUS.LAPOSTE.POC

But with rpc it works:

    # net rpc join -U administrat...@p9bis.neoplus.laposte.poc
    Enter administrat...@p9bis.neoplus.laposte.poc's password:
    Joined domain P9BIS.

When I execute:

    # net ads info - U administrateur
    Failed to get server's current time!
    LDAP server: 187.0.17.104
    LDAP server name: CINVW067.p9bis.neoplus.laposte.poc
    Realm: P9BIS.NEOPLUS.LAPOSTE.POC
    Bind Path: dc=P9BIS,dc=NEOPLUS,dc=LAPOSTE,dc=POC
    LDAP port: 389
    Server time: Thu, 01 Jan 1970 01:00:00 CET
    KDC server: 187.0.17.104

And:

    # net rpc info -U administrateur
    Enter administrateur's password:
    Domain Name: P9BIS
    Domain SID: S-1-5-21-254703050-2859693384-3493432365
    Sequence number: 1
    Num users: 50
    Num domain groups: 0
    Num local groups: 12

The 2 commands wbinfo -u and wbinfo -g do not return any values for users/groups?

The kinit works fine:

    # kinit administrat...@p9bis.neoplus.laposte.poc
    Password for administrat...@p9bis.neoplus.laposte.poc:
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrat...@p9bis.neoplus.laposte.poc
    Valid starting Expires Service principal
    11/17/11 12:05:00 11/17/11 22:05:03 krbtgt/p9bis.neoplus.laposte@p9bis.neoplus.laposte.poc
    renew until 11/18/11 12:05:00
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

Impossible to join the AD server with ads:

    # net ads testjoin
    Join to domain is not valid: Operations error
    # net rpc testjoin
    Join to 'P9BIS' is OK

How can I make ads work correctly and how can I get the list of users of the AD domain?

Any help would be very appreciated.

Regards

--- On Wed 16.11.11, djamel boussebha dbousse...@yahoo.fr wrote:

From: djamel boussebha dbousse...@yahoo.fr
Subject: Problem with Winbind
To: samba@lists.samba.org samba@lists.samba.org, foedi...@eva.mpg.de foedi...@eva.mpg.de, AndrewPhilipoff aphilip...@medicine.ucsf.edu
Date: Wednesday 16 November 2011, 17:24

Hi;

wbinfo cannot get the user names and group names of my AD domain (Windows 2008 SP2).

The result for wbinfo -t is ok:

    checking the trust secret for domain P9BIS via RPC calls succeeded

But when I try to get wbinfo -n USER1 or wbinfo -r USER1 it shows this error message:

    Could not lookup name USER1

I use Samba version: 3.5.12.

Any help would be very appreciated... thanks to anyone!

I noticed the server time has the year 1970. The ads methods use kerberos and that is time sensitive. Get the accurate date/time and things should start working for you. Perhaps have it sync with a time server.

Robert

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
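
A check for the symptom Robert points at, as an added example that is not part of the original thread or of Samba: it parses the "Server time" field of net ads info output and compares it with the local clock against the 5-minute default Kerberos clock-skew tolerance. The value shown in the thread, 01:00:00 CET on 1 Jan 1970, is Unix time 0, which the script reports separately from a real skew; the function names, the small time-zone table and the two constructed sample outputs are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Default clock-skew tolerance of Kerberos (MIT krb5 "clockskew", AD policy).
MAX_SKEW = timedelta(minutes=5)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumption: only the zone abbreviations needed here; extend for other sites.
TZ_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "CET": 1, "CEST": 2}
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

SERVER_TIME_RE = re.compile(
    r"^\s*Server time:\s+\w{3},\s+(\d{1,2})\s+(\w{3})\s+(\d{4})\s+"
    r"(\d{2}):(\d{2}):(\d{2})\s+([A-Z]+)\s*$", re.MULTILINE)

FAILED_MARKER = "Failed to get server's current time!"


def parse_server_time(output):
    """Return the 'Server time' field as an aware UTC datetime, or None."""
    m = SERVER_TIME_RE.search(output)
    if not m:
        return None
    day, mon, year, hh, mm, ss, zone = m.groups()
    if mon not in MONTHS or zone not in TZ_OFFSET_HOURS:
        return None
    tz = timezone(timedelta(hours=TZ_OFFSET_HOURS[zone]))
    local = datetime(int(year), MONTHS[mon], int(day),
                     int(hh), int(mm), int(ss), tzinfo=tz)
    return local.astimezone(timezone.utc)


def check_time(output, now):
    """Classify 'net ads info' output; returns (status, skew or None).

    no-server-time : the tool printed the failure marker or Unix time 0,
                     so no time was obtained and no skew can be computed
    unparsed       : no usable 'Server time' line
    skew-too-large : difference exceeds the Kerberos tolerance
    ok             : within tolerance
    """
    server = parse_server_time(output)
    if FAILED_MARKER in output or server == EPOCH:
        return "no-server-time", None
    if server is None:
        return "unparsed", None
    skew = abs(now - server)
    return ("skew-too-large" if skew > MAX_SKEW else "ok"), skew


# Output quoted in the thread (the "net ads info" run).
THREAD_OUTPUT = """\
Failed to get server's current time!
LDAP server: 187.0.17.104
LDAP server name: CINVW067.p9bis.neoplus.laposte.poc
Realm: P9BIS.NEOPLUS.LAPOSTE.POC
Bind Path: dc=P9BIS,dc=NEOPLUS,dc=LAPOSTE,dc=POC
LDAP port: 389
Server time: Thu, 01 Jan 1970 01:00:00 CET
KDC server: 187.0.17.104
"""

# Constructed samples: the same output with a server time filled in.
SKEWED_OUTPUT = THREAD_OUTPUT.replace(FAILED_MARKER + "\n", "").replace(
    "Thu, 01 Jan 1970 01:00:00 CET", "Fri, 18 Nov 2011 10:07:30 CET")
IN_SYNC_OUTPUT = SKEWED_OUTPUT.replace("10:07:30", "10:00:07")

# Local clock from the thread's `date` output: 09:59:07 CET = 08:59:07 UTC.
LOCAL_NOW = datetime(2011, 11, 18, 8, 59, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, text in (("thread", THREAD_OUTPUT),
                        ("skewed (constructed)", SKEWED_OUTPUT),
                        ("in sync (constructed)", IN_SYNC_OUTPUT)):
        status, skew = check_time(text, LOCAL_NOW)
        print(f"{label}: {status}" + (f", skew {skew}" if skew else ""))
```

On a live host, pass the captured output of net ads info and datetime.now(timezone.utc) to check_time.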
[Samba] Re: Problem with winbind not seeing a user as part of a group
Trimble, Ronald D wrote:

That may be possible, but like I said, sometimes it works and sometimes it doesn't. Sometimes the span between the two is only a few seconds.

From: Scott Lovenberg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 12, 2008 10:05 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group

Trimble, Ronald D wrote:

I have never explored those options. We have auth fall through turned off. If the authentication fails, they get a 401 message indicating they don't have permissions. Here is an example from our vhosts.conf...

    <Location /scm/spar/svn>
        DAV svn
        SVNPATH /scm/spar/svn
        SVNPathAuthz off
        AuthPAM_Enabled on
        AuthPAM_FallThrough off
        AuthType Basic
        AuthName "SPAR Subversion"
        require group NA\USTR-LINUX-1-SPAR
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            require group NA\USTR-LINUX-1-SPAR
        </LimitExcept>
    </Location>

    <Location /scm/spar/trac>
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnv /scm/spar/trac
        PythonOption TracUriRoot /scm/spar/trac
        AuthPAM_Enabled on
        AuthPAM_FallThrough off
        AuthType Basic
        AuthName "SPAR Trac"
        require group NA\USTR-LINUX-1-SPAR
    </Location>

From: Scott Lovenberg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 12, 2008 9:27 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group

Trimble, Ronald D wrote:

It looks like it is only happening when apache2 is involved. Although, other login methods are far less common. I have a suspicion it may be related to the mod_auth_pam module but what I don't understand is why it is happening. Mod_auth_pam makes dozens of requests to winbind for each session. Why do some work and others don't? Could it be that winbind is overwhelmed and thus doesn't return anything?

-----Original Message-----
From: Scott Lovenberg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 12, 2008 9:09 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group

Trimble, Ronald D wrote:

Everyone,

Here is a challenge for all of you samba experts! Lately I have been seeing a problem where winbind is not correctly identifying a user as a member of a group he most certainly belongs to. This is with a Domain Local group so I know samba should support it. Users access a HTTPS (SSL) webpage that is secured by a Domain Local group. Sometimes they get in, others they don't. Here are some examples from the logs.

/var/log/apache2/error_log

    [Tue Feb 12 18:54:52 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels
    [Tue Feb 12 18:55:00 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels
    [Tue Feb 12 18:56:12 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels

However a little later it is mysteriously working again...

/var/log/apache2/access_log

    172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET /scm/spar/trac/chrome/common/css/trac.css HTTP/1.1 304 -
    172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET /scm/spar/trac/chrome/common/css/browser.css HTTP/1.1 304 -
    172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET /scm/spar/trac/chrome/common/css/diff.css HTTP/1.1 304 -

Now obviously my example doesn't have the user accessing the same link, but it doesn't matter. Winbind went from identifying the user as not in the group to then identifying him as in the group and nothing changed! This is happening several times a day and is driving us insane. What can I do to figure this out? Has anyone else seen this?

Here is what is going on in the /var/log/samba/log.wb-NA (our domain) log at that time for that user.

    [2008/02/12 18:54:52, 10] nsswitch/winbindd_dual.c:child_process_request(479)
      process_request: request fn PAM_AUTH
    [2008/02/12 18:54:52, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
      [10824]: dual pam auth NA\selltc
    [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1364)
      winbindd_dual_pam_auth: domain: NA last was online
    [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_samlogon
RE: [Samba] RE: problem with winbind
Upgrading krb5 seems to solve the problem. No more errors and wbinfo does not seg fault winbind.

krb-1.5.1

Toan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ngo, Toan
Sent: Wednesday, July 12, 2006 1:58 PM
To: samba@lists.samba.org
Subject: RE: [Samba] RE: problem with winbind

I increased the log level and got this from winbindd.log

    [2006/07/12 13:54:00, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
      rpc_pipe_bind: Remote machine MYDOMAIN-DC1 pipe \NETLOGON fnum 0x800e bind request returned ok.
    [2006/07/12 13:54:00, 5] rpc_parse/parse_prs.c:prs_debug(84)
      00 smb_io_rpc_hdr hdr
    [2006/07/12 13:54:00, 5] rpc_parse/parse_prs.c:prs_uint8(615)
    winbindd.log 605L, 25945C
      smb_vwv[12]=59479 (0xE857)
      smb_vwv[13]=62763 (0xF52B)
      smb_vwv[14]=50853 (0xC6A5)
      smb_vwv[15]=11265 (0x2C01)
      smb_vwv[16]=1 (0x1)
      smb_bcc=119
    [2006/07/12 13:54:04, 5] nsswitch/winbindd_cm.c:cm_prepare_connection(272)
      connecting to MY_OTHER_DOMAIN-DC1 from TEST-SERVER with kerberos principal [EMAIL PROTECTED]
    [2006/07/12 13:54:04, 3] libsmb/cliconnect.c:cli_session_setup_spnego(723)
      Doing spnego session setup (blob length=119)
    [2006/07/12 13:54:04, 3] libsmb/cliconnect.c:cli_session_setup_spnego(748)
      got OID=1 2 840 48018 1 2 2
    [2006/07/12 13:54:04, 3] libsmb/cliconnect.c:cli_session_setup_spnego(748)
      got OID=1 2 840 113554 1 2 2
    [2006/07/12 13:54:04, 3] libsmb/cliconnect.c:cli_session_setup_spnego(748)
      got OID=1 2 840 113554 1 2 2 3
    [2006/07/12 13:54:04, 3] libsmb/cliconnect.c:cli_session_setup_spnego(748)
      got OID=1 3 6 1 4 1 311 2 2 10
    [2006/07/12 13:54:04, 3] libsmb/cliconnect.c:cli_session_setup_spnego(757)
      got [EMAIL PROTECTED]
    [2006/07/12 13:54:04, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(546)
      Doing kerberos session setup
    [2006/07/12 13:54:04, 0] lib/fault.c:fault_report(41)
      ===
    [2006/07/12 13:54:04, 0] lib/fault.c:fault_report(42)
      INTERNAL ERROR: Signal 11 in pid 1963 (3.0.23)
      Please read the Trouble-Shooting section of the Samba3-HOWTO
    [2006/07/12 13:54:04, 0] lib/fault.c:fault_report(44)
      From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
    [2006/07/12 13:54:04, 0] lib/fault.c:fault_report(45)

I have several different domains so it's trying to query them to get a list of users and faults.

Any ideas?

Toan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ngo, Toan
Sent: Wednesday, July 12, 2006 11:33 AM
To: samba@lists.samba.org
Subject: [Samba] RE: problem with winbind

I am having the exact same problem this morning. I have the latest krb5 libs according to yum

    krb5-libs-1.4.3-4.1
    krb5-workstation-1.4.3-4.1
    krb5-devel-1.4.3-4.1

Running FC5 with samba 3.0.23 rpms off samba.org

Same panic:

    [2006/07/12 11:04:17, 1] nsswitch/winbindd_ads.c:query_user_list(218)
      Not a user account? atype=0x3000
    [2006/07/12 11:04:17, 1] nsswitch/winbindd_ads.c:query_user_list(218)
      Not a user account? atype=0x3000
    [2006/07/12 11:04:17, 1] nsswitch/winbindd_ads.c:query_user_list(218)
      Not a user account? atype=0x3000
    [2006/07/12 11:04:21, 0] lib/fault.c:fault_report(41)
      ===
    [2006/07/12 11:04:21, 0] lib/fault.c:fault_report(42)
      INTERNAL ERROR: Signal 11 in pid 1898 (3.0.23)
      Please read the Trouble-Shooting section of the Samba3-HOWTO
    [2006/07/12 11:04:21, 0] lib/fault.c:fault_report(44)
      From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
    [2006/07/12 11:04:21, 0] lib/fault.c:fault_report(45)
      ===
    [2006/07/12 11:04:21, 0] lib/util.c:smb_panic(1592)
      PANIC (pid 1898): internal error
    [2006/07/12 11:04:21, 0] lib/util.c:log_stack_trace(1699)
      BACKTRACE: 22 stack frames:
       #0 winbindd(log_stack_trace+0x2d) [0x9de81d]
       #1 winbindd(smb_panic+0x5d) [0x9de94d]
       #2 winbindd [0x9ca30a]
       #3 [0x110420]
       #4 /lib/libc.so.6(__libc_free+0x3e) [0x2023b5]
       #5 /usr/lib/libkrb5.so.3(krb5_free_principal+0x76) [0x3f8906]
       #6 /usr/lib/libkrb5.so.3(krb5_free_cred_contents+0x2d) [0x3f9c1d]
       #7 /usr/lib/libkrb5.so.3(krb5_free_creds+0x29) [0x3f9d09]
       #8 /usr/lib/libkrb5.so.3(krb5_free_tgt_creds+0x2e) [0x3f9d4e]
       #9 /usr/lib/libkrb5.so.3(krb5_get_credentials+0x1dc) [0x3f447c]
       #10 winbindd(cli_krb5_get_ticket+0x4b9) [0xa07ed9]
       #11 winbindd(spnego_gen_negTokenTarg+0x62) [0xa08ef2]
       #12 winbindd(cli_session_setup_spnego+0x6b6) [0xa000b6]
       #13 winbindd [0x970d1d]
       #14 winbindd(set_dc_type_and_flags+0x9c) [0x97225c]
       #15 winbindd(find_domain_from_name+0x48) [0x95d498]
       #16 winbindd(winbindd_getpwent+0x397) [0x9559a7]
       #17 winbindd [0x9535d7]
       #18 winbindd [0x954ca8]
       #19 winbindd(main+0x8e9) [0x954129]
       #20 /lib/libc.so.6(__libc_start_main+0xdc) [0x1b0724]
       #21 winbindd [0x9527b1]
    [2006/07/12 11:04:22, 0] lib/fault.c:dump_core(173)
      dumping core in /var/log/samba/cores/winbindd

Toan

Gerald (Jerry
[Samba] RE: problem with winbind
I am having the exact same problem this morning.

I have the latest krb5 libs according to yum

krb5-libs-1.4.3-4.1
krb5-workstation-1.4.3-4.1
krb5-devel-1.4.3-4.1

Running FC5 with samba 3.0.23 rpms off samba.org

Same panic:

[2006/07/12 11:04:17, 1] nsswitch/winbindd_ads.c:query_user_list(218) Not a user account? atype=0x3000
[2006/07/12 11:04:17, 1] nsswitch/winbindd_ads.c:query_user_list(218) Not a user account? atype=0x3000
[2006/07/12 11:04:17, 1] nsswitch/winbindd_ads.c:query_user_list(218) Not a user account? atype=0x3000
[2006/07/12 11:04:21, 0] lib/fault.c:fault_report(41) ===
[2006/07/12 11:04:21, 0] lib/fault.c:fault_report(42) INTERNAL ERROR: Signal 11 in pid 1898 (3.0.23) Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/07/12 11:04:21, 0] lib/fault.c:fault_report(44) From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/07/12 11:04:21, 0] lib/fault.c:fault_report(45) ===
[2006/07/12 11:04:21, 0] lib/util.c:smb_panic(1592) PANIC (pid 1898): internal error
[2006/07/12 11:04:21, 0] lib/util.c:log_stack_trace(1699) BACKTRACE: 22 stack frames:
 #0 winbindd(log_stack_trace+0x2d) [0x9de81d]
 #1 winbindd(smb_panic+0x5d) [0x9de94d]
 #2 winbindd [0x9ca30a]
 #3 [0x110420]
 #4 /lib/libc.so.6(__libc_free+0x3e) [0x2023b5]
 #5 /usr/lib/libkrb5.so.3(krb5_free_principal+0x76) [0x3f8906]
 #6 /usr/lib/libkrb5.so.3(krb5_free_cred_contents+0x2d) [0x3f9c1d]
 #7 /usr/lib/libkrb5.so.3(krb5_free_creds+0x29) [0x3f9d09]
 #8 /usr/lib/libkrb5.so.3(krb5_free_tgt_creds+0x2e) [0x3f9d4e]
 #9 /usr/lib/libkrb5.so.3(krb5_get_credentials+0x1dc) [0x3f447c]
 #10 winbindd(cli_krb5_get_ticket+0x4b9) [0xa07ed9]
 #11 winbindd(spnego_gen_negTokenTarg+0x62) [0xa08ef2]
 #12 winbindd(cli_session_setup_spnego+0x6b6) [0xa000b6]
 #13 winbindd [0x970d1d]
 #14 winbindd(set_dc_type_and_flags+0x9c) [0x97225c]
 #15 winbindd(find_domain_from_name+0x48) [0x95d498]
 #16 winbindd(winbindd_getpwent+0x397) [0x9559a7]
 #17 winbindd [0x9535d7]
 #18 winbindd [0x954ca8]
 #19 winbindd(main+0x8e9) [0x954129]
 #20 /lib/libc.so.6(__libc_start_main+0xdc) [0x1b0724]
 #21 winbindd [0x9527b1]
[2006/07/12 11:04:22, 0] lib/fault.c:dump_core(173) dumping core in /var/log/samba/cores/winbindd

Toan

Gerald (Jerry) Carter wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Heyrendt, Jean-Marc wrote:

Since 1 month, I tried without any success to configure Samba. My problem is that winbind crashes when I list users and groups. And I think that it is linked to my trusted domains (wbinfo -domain=myADdomain -u works well).

BACKTRACE: 23 stack frames:
 #0 winbindd(log_stack_trace+0x2d) [0x50081d]
 #1 winbindd(smb_panic+0x5d) [0x50094d]
 #2 winbindd [0x4ec30a]
 #3 [0x297420]
 #4 /lib/libc.so.6(memcpy+0x1c) [0x18464c]
 #5 /usr/lib/libkrb5.so.3(krb5_copy_principal+0x115) [0xb90ea5]
 #6 /usr/lib/libkrb5.so.3(krb5_copy_creds+0x64) [0xb90a04]
 #7 /usr/lib/libkrb5.so.3 [0xb86feb]
 #8 /usr/lib/libkrb5.so.3(krb5_cc_store_cred+0x20) [0xb87b90]
 #9 /usr/lib/libkrb5.so.3(krb5_get_credentials+0x1c3) [0xb94463]
 #10 winbindd(cli_krb5_get_ticket+0x4b9) [0x529ed9]
 #11 winbindd(spnego_gen_negTokenTarg+0x62) [0x52aef2]

I run samba 3.023 on a Fedora Core 5 server. My AD domain is in a large forest. My AD domain controller is running Windows 2003 sp1. Other trusted domains are not in the same subnet.

I've not seen that particular backtrace but it's pretty apparent there's a bug in your krb5 libs. Make sure to get the latest krb5-libs rpm via yum.

Several questions. Is winbind needed in my configuration ?

There's no hard and fast rule but in your case I would recommend it.

How to limit the usage of Samba to my domain (how to remove trusted domains scans)?

Read smb.conf(5). You must set 'allow trusted domains = no'.

cheers, jerry

=
Samba--- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better?
--Balian

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
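The two backtraces quoted in this thread fault in different libc functions (`__libc_free` and `memcpy`), yet both are reached through the same libkrb5 call. The following Python script is an added example, not part of the original posts and not Samba code: it parses winbindd backtrace frames, including the flattened one-line form shown in this archive, and reports the crash site, the library entry point and the winbindd caller. The function names `parse_frames`, `is_lib` and `triage` are assumptions of this example, and it expects one backtrace per input.

```python
import re

# One frame: "#N module(symbol+0xOFF) [0xADDR]"; module and symbol may be missing.
FRAME = re.compile(
    r"#(\d+) (?:([^\s(\[]+)(?:\(([^)+]+)\+0x[0-9a-fA-F]+\))? )?\[0x[0-9a-fA-F]+\]")

def parse_frames(text):
    """Return [(index, module, symbol)] in order; works on flattened log text."""
    return [(int(m[1]), m[2], m[3]) for m in FRAME.finditer(text)]

def is_lib(frame):
    return bool(frame[1]) and frame[1].startswith("/")  # shared object by path

def triage(text):
    """Locate the crash site, the library entry point and the daemon caller."""
    frames = parse_frames(text)
    start = next((i for i, f in enumerate(frames) if is_lib(f)), None)
    if start is None:
        return None                      # no library frame: fault is in the daemon
    end = start
    while end + 1 < len(frames) and is_lib(frames[end + 1]):
        end += 1                         # contiguous run of shared-object frames
    caller = next((f for f in frames[end + 1:] if f[2]), None)
    return {"fault": frames[start][1:], "entry": frames[end][1:],
            "caller": caller[2] if caller else None}

# Frames #0-#10 of the two backtraces quoted in the thread, run together as the archive shows them.
TRACE_FREE = (
    "#0 winbindd(log_stack_trace+0x2d) [0x9de81d] #1 winbindd(smb_panic+0x5d) [0x9de94d] "
    "#2 winbindd [0x9ca30a] #3 [0x110420] #4 /lib/libc.so.6(__libc_free+0x3e) [0x2023b5] "
    "#5 /usr/lib/libkrb5.so.3(krb5_free_principal+0x76) [0x3f8906] "
    "#6 /usr/lib/libkrb5.so.3(krb5_free_cred_contents+0x2d) [0x3f9c1d] "
    "#7 /usr/lib/libkrb5.so.3(krb5_free_creds+0x29) [0x3f9d09] "
    "#8 /usr/lib/libkrb5.so.3(krb5_free_tgt_creds+0x2e) [0x3f9d4e] "
    "#9 /usr/lib/libkrb5.so.3(krb5_get_credentials+0x1dc) [0x3f447c] "
    "#10 winbindd(cli_krb5_get_ticket+0x4b9) [0xa07ed9]")
TRACE_MEMCPY = (
    "#0 winbindd(log_stack_trace+0x2d) [0x50081d] #1 winbindd(smb_panic+0x5d) [0x50094d] "
    "#2 winbindd [0x4ec30a] #3 [0x297420] #4 /lib/libc.so.6(memcpy+0x1c) [0x18464c] "
    "#5 /usr/lib/libkrb5.so.3(krb5_copy_principal+0x115) [0xb90ea5] "
    "#6 /usr/lib/libkrb5.so.3(krb5_copy_creds+0x64) [0xb90a04] #7 /usr/lib/libkrb5.so.3 [0xb86feb] "
    "#8 /usr/lib/libkrb5.so.3(krb5_cc_store_cred+0x20) [0xb87b90] "
    "#9 /usr/lib/libkrb5.so.3(krb5_get_credentials+0x1c3) [0xb94463] "
    "#10 winbindd(cli_krb5_get_ticket+0x4b9) [0x529ed9]")

if __name__ == "__main__":
    for name, trace in (("free", TRACE_FREE), ("memcpy", TRACE_MEMCPY)):
        print(name, triage(trace))
```

Both traces resolve to the same entry point, `krb5_get_credentials` in `/usr/lib/libkrb5.so.3`, called from `cli_krb5_get_ticket`, which is consistent with the krb5 upgrade reported elsewhere in the thread.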
[Samba] Re: Problem with winbind an samba Domain
Hello,

Jun 24 16:02:23 bagheera winbindd[28278]: BAD auth level 6 (should be 5)

The Domaincontroller is a Samba 3.0.2 on a Redhat 7.3 machine. winbind from samba 3.0.2 works. Is there any problem known between samba 3.0.2 and higher versions? Will it help to upgrade the domain controller also to 3.0.4?

An upgrade of the domain controller to 3.0.4 solved the problem.

Sincerely,
Klaus

--
Klaus Steinberger
Maier-Leibnitz Labor
Phone: (+49 89)289 14287
Am Coulombwall 6, D-85748 Garching, Germany
FAX: (+49 89)289 14280
EMail: [EMAIL PROTECTED]
URL: http://www.physik.uni-muenchen.de/~k2/
In a world without Walls and Fences, who needs Windows and Gates