Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-31 Thread Brian O'Mahony
There is no /var/cache/samba folder.

Any idea what files I'm looking for?


Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-31 Thread Brian O'Mahony
I deleted *everything* in /var/lib/samba and it worked.


[Samba] Samba Authentication wrecking my head [ADS]

2011-03-30 Thread Brian O'Mahony
I've recently installed three servers with RHEL5u5. After some messing on the 
original, I got samba working with ADS authentication. I then went and got it 
working so that users could log in using their domain name & password to the 
box. I got this working with both no restriction, and ADS group restriction. I 
have left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) 
to the second machine. Everything works.  Rebooted, everything is fine. System 
running as expected.

I copied to the third machine. Everything worked fine. I was able to log in 
using two users (mine and a colleague's). Set up some other machine stuff, 
rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was 
something wrong. Those two accounts worked from both a samba perspective, and a 
login perspective. However a third account that was supposed to work, failed 
with su: user ccadm does not exist. Now samba doesn't work for any user other 
than the original too, and the same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have 
rejoined the domain as both that system name, and a new one, with no issues:
[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:


1.   Where the hell are these accounts being cached, that work.

2.   What the hell has happened to make this no longer work.

3.   Why if I can see all the users & groups can I not log in, or get samba 
working.

This is really starting to get on my nerves. I just cannot understand why if it 
can see the users using wbinfo, why it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B



[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group:  files winbind

log.winbind:
[2011/03/30 14:29:03,  3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:03,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:05,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:05,  3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
  [ 7381]: pam auth ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm

Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password (0x0010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password [I know the pass is right here. It works elsewhere]
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm' denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm from 172.16.165.248 port 39699 ssh2


# Global parameters
[global]
workgroup = GROUP
realm = MYDOMAIN.COM
security = ads
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = Yes
winbind separator = /
encrypt passwords = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
preferred master = No
dns proxy = No
wins server = 172.16.164.100
template homedir = /home/%U
template shell = /bin/bash

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        requisite     pam_succeed_if.so uid = 500 quiet
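
The secure log in the message above mixes two different failures: sshd cannot resolve the account through NSS (getpwnam), and pam_winbind then reports a password rejection. The following Python triage is an added example, not part of the original thread; the function and class names are hypothetical, the ccadm lines are the post's own log with mail wrapping and the poster's inline note removed, and the jdoe lines are constructed for contrast.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# From the post's "Secure log" (mail line-wrapping undone, inline note dropped).
SECURE_LOG = """\
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password (0x0010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm' denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm from 172.16.165.248 port 39699 ssh2
"""

# Constructed contrast case: the account resolves, only the password is rejected.
CONSTRUCTED_LOG = """\
Mar 30 14:31:10 akbartrap sshd[7402]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Mar 30 14:31:12 akbartrap sshd[7402]: Failed password for jdoe from 172.16.165.248 port 39702 ssh2
"""

SSHD = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# (event kind, pattern matched against the message part of the line)
RULES = [
    ("nss_miss", re.compile(r"Invalid user (?P<user>\S+) from ")),
    ("nss_miss", re.compile(r"input_userauth_request: invalid user (?P<user>\S+)")),
    ("nss_miss", re.compile(r"pam_unix\(sshd:auth\): check pass; user unknown")),
    ("nss_miss", re.compile(
        r"pam_succeed_if\(sshd:auth\): error retrieving information about user (?P<user>\S+)")),
    ("backend_reject", re.compile(
        r"pam_winbind\(sshd:auth\): request wbcLogonUser failed: .*NTSTATUS: (?P<status>NT_STATUS_\w+)")),
    ("failed", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from ")),
]


@dataclass
class Finding:
    nss_signals: int = 0                      # lines showing getpwnam() failed
    statuses: list = field(default_factory=list)  # NTSTATUS values from pam_winbind

    @property
    def verdict(self):
        # Once sshd has marked the user invalid it does not hand the typed
        # password to PAM, so a WRONG_PASSWORD status from winbind says nothing
        # about the real credentials. Name resolution has to be fixed first.
        if self.nss_signals:
            return "name-resolution"
        if self.statuses:
            return "credentials"
        return "other"


def triage(log_text):
    """Return {username: Finding} for every sshd login attempt in log_text."""
    events, pid_user = [], {}
    for line in log_text.splitlines():
        m = SSHD.search(line)
        if not m:
            continue
        for kind, rx in RULES:
            hit = rx.match(m["msg"])
            if hit:
                groups = hit.groupdict()
                if groups.get("user"):
                    pid_user.setdefault(m["pid"], groups["user"])
                events.append((m["pid"], kind, groups.get("status")))
                break
    findings = defaultdict(Finding)
    # Second pass: lines that carry no user name are attributed through the PID.
    for pid, kind, status in events:
        user = pid_user.get(pid)
        if user is None:
            continue
        finding = findings[user]
        if kind == "nss_miss":
            finding.nss_signals += 1
        elif kind == "backend_reject":
            finding.statuses.append(status)
    return dict(findings)


if __name__ == "__main__":
    for user, f in triage(SECURE_LOG + CONSTRUCTED_LOG).items():
        print(f"{user}: {f.verdict} (nss misses={f.nss_signals}, ntstatus={f.statuses})")
```

A "name-resolution" verdict points at NSS and idmap (compare `getent passwd` with `wbinfo -u`) rather than at the password.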

Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-30 Thread Brian O'Mahony
After a bit of googling, I found that the idmap has been corrupted. Why 
would/could this happen?


Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-30 Thread Gaiseric Vandal
What version of samba?  I found that samba 3.0.x (as bundled with 
Solaris) had problems with idmap.  This was with LDAP backend, a Samba 
DC with trusts to Windows 2003 domain (in NT domain compatibility 
mode.)  Samba would allocate idmap entries in LDAP, and would populate 
the TDB cache files, but when the cache timeout expired, the cache 
files were not repopulated.


Long and short- I don't think Samba 3.0.x plays nice with Windows 
2003.   It doesn't work with Windows 2008 domains (2003 mode.)






Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-30 Thread Brian O'Mahony
samba3-3.4.11-42.el5

However I have moved to using idmap_rid, as I will have cold standbys of 
machines that I want to be able to access SAN data, with the same IDs.

So how does one go about clearing the samba user cache? I had it set up with 
users starting at 1. With RID I have now brought this down to 500 (so I can 
easily see the difference). I deleted the winbindd_* files & folder in 
/var/lib/samba, but when I use a getent passwd brian.omahony it's showing the 
id as 10

Thanks

B


Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-30 Thread Dale Schroeder

Also check /var/cache/samba

Dale

