Re: [Samba] wbinfo can't list users
Gerald (Jerry) Carter wrote: Connecting to 192.168.100.111 at port 445 cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)! No. Would have to be something different. Can you give me some more information? An ethereal trace perhaps? Sorry, I don't have access to this network. If the user is setting client schannel = no in smb.conf, the log looks like this: [2005/08/03 09:51:59, 3] lib/util_sock.c:open_socket_out(867) Connecting to 192.168.100.111 at port 445 [2005/08/03 09:51:59, 3] libsmb/trusts_util.c:trust_pw_change_and_store_it(83) 2005/08/03 09:51:59 : trust_pw_change_and_store_it: Changed password. Joined domain ***. [2005/08/03 09:51:59, 2] utils/net.c:main(873) return code = 0 But in event viewer of the DC: Die Einrichtung einer Sitzung von Computer EISFAIR ist an der Authentifizierung gescheitert. Der Kontoname in der Sicherheitsdatenbank ist EISFAIR$. Folgender Fehler ist aufgetreten: Zugriff verweigert (authentification failed, access denied) Would joining with debug level of 10 or 'net rpc testjoin' with -d 10 help to track this down? der tom -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] wbinfo can't list users
Thomas Bork wrote: Connecting to 192.168.100.111 at port 445 cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)! No. Would have to be something different. Can you give me some more information? An ethereal trace perhaps? Sorry, I don't have access to this network. The user made a ethereal trace (hope in the right format...). Should I send it per mail to you? der tom -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] wbinfo can't list users
Gerald Carter wrote: You've got Windows 2000 SP4 SR1 installed don't you? The only current fix is to either set 'client schannel = no' in smb.conf or to just disable schannel connections oln the SAMR pipe in nsswitch/winbindd_cm.c. Is it possible, that with 3.0.20rc1 it is necessarily to set 'client schannel = no' in smb.conf to properly join an mixed mode W2K SP4 (not SR1) AD domain with net rpc join even if winbind is not used? A user of 3.0.20rc1 wrote: eisfair # /usr/bin/net rpc join -d 3 -U Administrator%*** -S *** -w *** [2005/08/02 16:27:48, 3] param/loadparm.c:lp_load(4082) lp_load: refreshing parameters [2005/08/02 16:27:48, 3] param/loadparm.c:init_globals(1366) Initialising global parameters [2005/08/02 16:27:48, 3] param/params.c:pm_process(574) params.c:pm_process() - Processing configuration file /etc/smb.conf [2005/08/02 16:27:48, 3] param/loadparm.c:do_section(3542) Processing section [global] [2005/08/02 16:27:48, 2] lib/interface.c:add_interface(81) added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0 [2005/08/02 16:27:48, 2] lib/interface.c:add_interface(81) added interface ip=192.168.100.253 bcast=192.168.100.255 nmask=255.255.255.0 [2005/08/02 16:27:48, 3] libsmb/namequery.c:resolve_wins(752) resolve_wins: Attempting wins lookup for name Serv010x20 [2005/08/02 16:27:48, 3] libsmb/namequery.c:resolve_wins(791) resolve_wins: using WINS server 192.168.100.1 and tag '*' [2005/08/02 16:27:48, 2] libsmb/namequery.c:name_query(492) Got a positive name query response from 192.168.100.1 ( 192.168.100.111 ) [2005/08/02 16:27:48, 3] libsmb/cliconnect.c:cli_start_connection(1407) Connecting to host=Serv01 [2005/08/02 16:27:48, 3] lib/util_sock.c:open_socket_out(867) Connecting to 192.168.100.111 at port 445 [2005/08/02 16:27:49, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(394) cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED [2005/08/02 16:27:49, 3] libsmb/trusts_util.c:just_change_the_password(43) just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)! [2005/08/02 16:27:49, 1] utils/net_rpc.c:run_rpc_command(140) rpc command function failed! (NT_STATUS_ACCESS_DENIED) [2005/08/02 16:27:49, 3] libsmb/cliconnect.c:cli_start_connection(1407) Connecting to host=Serv01 [2005/08/02 16:27:49, 3] lib/util_sock.c:open_socket_out(867) Connecting to 192.168.100.111 at port 445 [2005/08/02 16:27:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(709) Doing spnego session setup (blob length=109) [2005/08/02 16:27:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(734) got OID=1 2 840 48018 1 2 2 [2005/08/02 16:27:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(734) got OID=1 2 840 113554 1 2 2 [2005/08/02 16:27:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(734) got OID=1 2 840 113554 1 2 2 3 [2005/08/02 16:27:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(734) got OID=1 3 6 1 4 1 311 2 2 10 [2005/08/02 16:27:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(743) got [EMAIL PROTECTED] [2005/08/02 16:27:49, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(869) Got challenge flags: [2005/08/02 16:27:49, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60890215 [2005/08/02 16:27:49, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(891) NTLMSSP: Set final flags: [2005/08/02 16:27:49, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60080215 [2005/08/02 16:27:49, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319) NTLMSSP Sign/Seal - Initialising with flags: [2005/08/02 16:27:49, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60080215 [2005/08/02 16:27:49, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181) lsa_io_sec_qos: length c does not match size 8 [2005/08/02 16:27:49, 3] rpc_client/cli_pipe.c:rpc_api_pipe(476) Bind NACK received on pipe 4010! [2005/08/02 16:27:49, 2] rpc_client/cli_pipe.c:cli_nt_session_open(1507) cli_nt_session_open: rpc bind to \PIPE\NETLOGON failed [2005/08/02 16:27:49, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(318) Error domain join verification (reused connection): NT_STATUS_UNSUCCESSFUL Unable to join domain ***. [2005/08/02 16:27:49, 2] utils/net.c:main(873) return code = 1 der tom -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] wbinfo can't list users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Thomas Bork wrote: Is it possible, that with 3.0.20rc1 it is necessarily to set 'clien schannel = no' in smb.conf to properly join an mixed mode W2K SP4 (not SR1) AD domain with net rpc join even if winbind is not used? A user of 3.0.20rc1 wrote: eisfair # /usr/bin/net rpc join -d 3 -U Administrator%*** -S *** -w *** Connecting to 192.168.100.111 at port 445 cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)! No. Would have to be something different. Can you give me some more information? An ethereal trace perhaps? cheers, jerry = Alleviating the pain of Windows(tm) --- http://www.samba.org GnuPG Key- http://www.plainjoe.org/gpg_public.asc I never saved anything for the swim back. Ethan Hawk in Gattaca -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFC77BRIR7qMdg1EfYRAjYCAJ43bzONvmUMyeYeSX9Dw42b6vynqQCg0Pck +rTElTa2VYXotWcKbDRPacY= =2nw6 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] wbinfo can't list users
Hi, I'm running debian sarge with kernel 2.6.8-2-sparc64. I'm trying to use winbind to connect to a Windows 2000 server. I can use net rpc join to join the domain, but wbinfo -u returns an error. The trusted domains listed doesn't include the domain. Please see below: cladms003:~# net rpc join -U Administrator Password: Joined domain CYBERLAB. cladms003:~# wbinfo -u Error looking up domain users cladms003:~# wbinfo -g BUILTIN+system operators BUILTIN+replicators BUILTIN+guests BUILTIN+power users BUILTIN+print operators BUILTIN+administrators BUILTIN+account operators BUILTIN+backup operators BUILTIN+users cladms003:~# wbinfo -m CLADMS003 BUILTIN Debug level 3 gives the following info when I try wbinfo after starting winbindd: cladms003:~# winbindd -d 3 -i winbindd version 3.0.14a-Debian started. Copyright The Samba Team 2000-2004 lp_load: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file /etc/samba/smb.conf Processing section [global] Processing section [homes] Processing section [printers] Processing section [print$] Processing section [Share] adding IPC service adding IPC service added interface ip=172.18.17.2 bcast=172.18.17.255 nmask=255.255.255.0 added interface ip=172.18.17.2 bcast=172.18.17.255 nmask=255.255.255.0 Registered MSG_REQ_POOL_USAGE Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED Added domain CYBERLAB S-0-0 cm_get_ipc_userpass: No auth-user defined lsa_io_sec_qos: length c does not match size 8 add_trusted_domain: CYBERLAB is an ADS mixed mode domain rpc: trusted_domains cm_get_ipc_userpass: No auth-user defined Added domain BUILTIN S-1-5-32 Added domain CLADMS003 S-1-5-21-3711304764-3117404737-3876783093 rpc: trusted_domains [ 5044]: request interface version [ 5044]: request location of privileged pipe [ 5044]: list users cm_get_ipc_userpass: No auth-user defined The debug level 5 output shows an error of NT_STATUS_INSUFFICIENT_RESOURCES near the end (I can provide the full log on request): ...skipped... rpc_api_pipe: len left: 0 smbtrans read: 96 rpc_auth_pipe: pkt_type: 2 len: 96 auth_len: 32 NTLMSSP No schannel Yes sign Yes seal No 00 smb_io_rpc_hdr_auth auth_hdr auth_type: 44 0001 auth_level : 05 0002 padding : 08 0003 reserved : 00 0004 auth_context : 0001 08 smb_io_rpc_auth_netsec_chk schannel_auth_sign 0008 sig : 77 00 ff ff ff ff 00 00 0010 seq_num: 76 68 2a 4b f3 e0 bc ff 0018 packet_digest: 6c ff 52 eb 48 5c 57 50 0020 confounder: 00 00 00 00 00 00 00 00 18 samr_io_r_connect 0018 data1: 001c data2: 0020 data3: 0022 data4: 0024 data5: 00 00 00 00 00 00 00 00 002c status: NT_STATUS_INSUFFICIENT_RESOURCES -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] wbinfo can't list users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kent Tong wrote: | Hi, | | I'm running debian sarge with kernel 2.6.8-2-sparc64. | I'm trying to use winbind to connect to a Windows | 2000 server. I can use net rpc join to join | the domain, but wbinfo -u returns an error. | The trusted domains listed doesn't include the domain. | Please see below: ... | rpc_api_pipe: len left: 0 smbtrans read: 96 | rpc_auth_pipe: pkt_type: 2 len: 96 auth_len: 32 NTLMSSP No schannel Yes sign Yes | seal No | 00 smb_io_rpc_hdr_auth auth_hdr | auth_type: 44 | 0001 auth_level : 05 | 0002 padding : 08 | 0003 reserved : 00 | 0004 auth_context : 0001 | 08 smb_io_rpc_auth_netsec_chk schannel_auth_sign | 0008 sig : 77 00 ff ff ff ff 00 00 | 0010 seq_num: 76 68 2a 4b f3 e0 bc ff | 0018 packet_digest: 6c ff 52 eb 48 5c 57 50 | 0020 confounder: 00 00 00 00 00 00 00 00 | 18 samr_io_r_connect | 0018 data1: | 001c data2: | 0020 data3: | 0022 data4: | 0024 data5: 00 00 00 00 00 00 00 00 | 002c status: NT_STATUS_INSUFFICIENT_RESOURCES You've got Windows 2000 SP4 SR1 installed don't you? The only current fix is to either set 'client schannel = no' in smb.conf or to just disable schannel connections oln the SAMR pipe in nsswitch/winbindd_cm.c. cheers, jerry = Alleviating the pain of Windows(tm) --- http://www.samba.org GnuPG Key- http://www.plainjoe.org/gpg_public.asc I never saved anything for the swim back. Ethan Hawk in Gattaca -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFC594MIR7qMdg1EfYRAtzFAJ4vcRgve+k5H/hCIZ3Z+IoZSL6DcACdFZqO FaH1fAO/4xuq1+4GeX7+8FE= =v07y -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
