[Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
Hi all,

Thus far, I have managed to get wbinfo -[u|g] to display users/group correctly, and getent passwd/group works. However, wbinfo -t fails to work, giving me this error:

[EMAIL PROTECTED] samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
Could not check secret

Further, this seems to be related to a problem with wbinfo -a:

[EMAIL PROTECTED] samba]# wbinfo -a user%pass
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: Access denied
Could not authenticate user user%pass with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: Access denied
Could not authenticate user user with challenge/response

I was able to join the domain successfully:

[EMAIL PROTECTED] samba]# net ads join
[2005/05/23 10:09:35, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for billing already exists - modifying old account
Using short domain name -- DOMAIN
Joined 'BILLING' to realm 'DOMAIN.PRI'

At this point, I am at a loss as to what to do further. I don't understand ADS well enough to know why I can get a list of usernames but I can't auth with them. That seems to be a big clue to me what's going on, but I don't understand it well enough to take it. :)

Here is my krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.PRI
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 DOMAIN.PRI = {
  kdc = dc-1.domain.pri:88
  admin_server = dc-1.domain.pri:749
  default_domain = domain.PRI
 }

[domain_realm]
 .domain.pri = DOMAIN.PRI
 domain.pri = DOMAIN.PRI

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

And here are the relevant bits of my smb.conf file:

[global]
 workgroup = DOMAIN
 realm = DOMAIN.PRI
 netbios name = BILLING
 password server = 192.168.1.3
 #domain logons = yes
 security = ads
 server string = Billing Office File Server
 interfaces = 192.168.1.0/24 127.0.0.0/8
 bind interfaces only = yes
 encrypt passwords = yes
 log level = 3
 log file = /var/log/samba/%U.log
 guest account = nobody
 guest ok = no
 use spnego = yes
 use kerberos keytab = yes
 wins server = 192.168.1.3

 # Browsing Election options
 local master = yes
 preferred master = yes
 domain master = no
 os level = 55
 wins support = no
 name resolve order = wins hosts bcast
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

 #domain admin group = @Domain Admins
 winbind uid = 1000-5000
 winbind gid = 1000-5000
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /home/%U
 template shell = /bin/bash
 winbind use default domain = yes
 winbind separator = +

Any help is greatly appreciated!

Sean

PS: Sorry for the html folks, I'll send this as text too. The html really helps with the formatting, which is why I use it.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
On Monday 23 May 2005 11:23, Sean Kennedy wrote:
> Hi all,
>
> Thus far, I have managed to get wbinfo -[u|g] to display users/group correctly, and getent passwd/group works. However, wbinfo -t fails to work, giving me this error:
>
> [EMAIL PROTECTED] samba]# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc022)
> Could not check secret

Check the security settings on the ADS domain controllers. It looks like it may have been locked down to prevent remote access.

- John T.

> [...]

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
John H Terpstra wrote:
> On Monday 23 May 2005 11:23, Sean Kennedy wrote:
>> Hi all,
>>
>> Thus far, I have managed to get wbinfo -[u|g] to display users/group correctly, and getent passwd/group works. However, wbinfo -t fails to work, giving me this error:
>>
>> [EMAIL PROTECTED] samba]# wbinfo -t
>> checking the trust secret via RPC calls failed
>> error code was NT_STATUS_ACCESS_DENIED (0xc022)
>> Could not check secret
>
> Check the security settings on the ADS domain controllers. It looks like it may have been locked down to prevent remote access.
>
> - John T.

I checked, I didn't see that it was. Further, two other Linux servers are configured in the same way (although neither are CentOS. One is RH8, the other is Fedora Core 1).

Would any other info help with debugging?

Sean
Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
John H Terpstra wrote:
> On Monday 23 May 2005 11:23, Sean Kennedy wrote:
>> Hi all,
>>
>> Thus far, I have managed to get wbinfo -[u|g] to display users/group correctly, and getent passwd/group works. However, wbinfo -t fails to work, giving me this error:
>>
>> [EMAIL PROTECTED] samba]# wbinfo -t
>> checking the trust secret via RPC calls failed
>> error code was NT_STATUS_ACCESS_DENIED (0xc022)
>> Could not check secret
>
> Check the security settings on the ADS domain controllers. It looks like it may have been locked down to prevent remote access.
>
> - John T.

I don't know if it helps, but when I run winbindd -i -d3 and I do `wbinfo -t`, this is the feedback I get from winbind:

[ 1990]: request interface version
[ 1990]: request location of privileged pipe
[ 1990]: check machine account
Connected to LDAP server 192.168.1.3
got ldap server name [EMAIL PROTECTED], using bind path: dc=BOCA,dc=PRI
IPC$ connections done anonymously
Connecting to host=DC-1
Connecting to 192.168.1.3 at port 445
Doing spnego session setup (blob length=102)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
Connecting to host=DC-1
Connecting to 192.168.1.3 at port 445
Doing spnego session setup (blob length=102)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
Connecting to host=DC-1
Connecting to 192.168.1.3 at port 445
Doing spnego session setup (blob length=102)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
Could not open a connection to BOCA for \PIPE\NETLOGON (NT_STATUS_ACCESS_DENIED)
could not open handle to NETLOGON pipe
Checking the trust account password returned NT_STATUS_ACCESS_DENIED

Don't know if this helps or not, but if it does, here you go. (Names were not changed to protect the innocent :) )

Sean
Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
On Monday 23 May 2005 12:59, Sean Kennedy wrote:
> John H Terpstra wrote:
>> On Monday 23 May 2005 11:23, Sean Kennedy wrote:
>>> Hi all,
>>>
>>> Thus far, I have managed to get wbinfo -[u|g] to display users/group correctly, and getent passwd/group works. However, wbinfo -t fails to work, giving me this error:
>>>
>>> [EMAIL PROTECTED] samba]# wbinfo -t
>>> checking the trust secret via RPC calls failed
>>> error code was NT_STATUS_ACCESS_DENIED (0xc022)
>>> Could not check secret
>>
>> Check the security settings on the ADS domain controllers. It looks like it may have been locked down to prevent remote access.
>>
>> - John T.
>
> I don't know if it helps, but when I run winbindd -i -d3 and I do `wbinfo -t`, this is the feedback I get from winbind:

DC-1 is refusing the connection. The security settings on it need to be opened up.

- John T.

> [...]
> Could not open a connection to BOCA for \PIPE\NETLOGON (NT_STATUS_ACCESS_DENIED)
> could not open handle to NETLOGON pipe
> Checking the trust account password returned NT_STATUS_ACCESS_DENIED
>
> Don't know if this helps or not, but if it does, here you go. (Names were not changed to protect the innocent :) )
>
> Sean
Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
John H Terpstra wrote:
> On Monday 23 May 2005 12:59, Sean Kennedy wrote:
>> John H Terpstra wrote:
>>> On Monday 23 May 2005 11:23, Sean Kennedy wrote:
>>>> Hi all,
>>>>
>>>> Thus far, I have managed to get wbinfo -[u|g] to display users/group correctly, and getent passwd/group works. However, wbinfo -t fails to work, giving me this error:
>>>>
>>>> [EMAIL PROTECTED] samba]# wbinfo -t
>>>> checking the trust secret via RPC calls failed
>>>> error code was NT_STATUS_ACCESS_DENIED (0xc022)
>>>> Could not check secret
>>>
>>> Check the security settings on the ADS domain controllers. It looks like it may have been locked down to prevent remote access.
>>>
>>> - John T.
>>
>> I don't know if it helps, but when I run winbindd -i -d3 and I do `wbinfo -t`, this is the feedback I get from winbind:
>
> DC-1 is refusing the connection. The security settings on it need to be opened up.
>
> - John T.

Hi John,

I'm sorry John, I'm not seeing the setting you are referring to. Would this setting affect one machine while 2 others are able to communicate fine?

After reading through my output, this almost sounds like a signing error on the communications, which leads me to suspect that samba/kerberos doesn't have the required encryption somewhere along the way. The reason I think that is because I see stuff like this in my logs:

client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] 65 83 B8 05 F9 ED C7 08   e...
client_check_incoming_message: BAD SIG: got SMB signature of
[000] DA 3C 6A 63 E5 B9 1F 82   .jc

And then, further down, this:

srv_check_incoming_message: signing negotiated but not required and peer isn't sending correct signatures. Turning off.

Could this be caused by what you were mentioning earlier? I'm looking under the GP/Windows Settings/Security Settings/Local Policies/Security Options and User Rights. Is that the right place to find what you are referring to?

Thanks again for your help.

Sean
Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems
On Monday 23 May 2005 14:03, Sean Kennedy wrote:
>>> I don't know if it helps, but when I run winbindd -i -d3 and I do `wbinfo -t`, this is the feedback I get from winbind:
>>
>> DC-1 is refusing the connection. The security settings on it need to be opened up.
>>
>> - John T.
>
> Hi John,
>
> I'm sorry John, I'm not seeing the setting you are referring to. Would this setting affect one machine while 2 others are able to communicate fine?
>
> After reading through my output, this almost sounds like a signing error on the communications, which leads me to suspect that samba/kerberos doesn't have the required encryption somewhere along the way. The reason I think that is because I see stuff like this in my logs:
>
> client_check_incoming_message: BAD SIG: wanted SMB signature of
> [000] 65 83 B8 05 F9 ED C7 08   e...
> client_check_incoming_message: BAD SIG: got SMB signature of
> [000] DA 3C 6A 63 E5 B9 1F 82   .jc
>
> And then, further down, this:
>
> srv_check_incoming_message: signing negotiated but not required and peer isn't sending correct signatures. Turning off.
>
> Could this be caused by what you were mentioning earlier? I'm looking under the GP/Windows Settings/Security Settings/Local Policies/Security Options and User Rights. Is that the right place to find what you are referring to?

Use the Administrator tools. I do not have access to my ADS server right now, so am going from memory. There is a tool called Active Directory Security or something similar. Suggest you check what the policy settings are regarding external access.

I may be off beam, but it looks like the ADS server is refusing access for the TCON_X call. That may be due to the Samba client not being able to support the encryption type, but could also be caused by policies in effect that do not permit access.

Later today I may be able to access my ADS server. At that time I will check what the admin tool is called.

- John T.
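As an added example (not from this thread and not Samba's own code), a small Python triage script that runs over the kind of winbindd -d3 and smbd log lines quoted above and reports which phase of the DC handshake failed, which is the question John and Sean are circling: the Kerberos session setup succeeds (a ticket is in the ccache) and the denial comes at the IPC$ tree connect, while the BAD SIG lines point separately at an SMB signing mismatch. The sample log is constructed from lines in the thread; the pattern names, the `triage` function and its decision rules are mine.

```python
import re
from collections import Counter

# Constructed sample, assembled from the winbindd/smbd lines quoted in the
# thread (one connection attempt only); not a real capture.
SAMPLE_LOG = """\
[ 1990]: check machine account
Connecting to host=DC-1
Connecting to 192.168.1.3 at port 445
Doing spnego session setup (blob length=102)
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
client_check_incoming_message: BAD SIG: wanted SMB signature of
client_check_incoming_message: BAD SIG: got SMB signature of
srv_check_incoming_message: signing negotiated but not required and peer isn't sending correct signatures. Turning off.
Could not open a connection to BOCA for \\PIPE\\NETLOGON (NT_STATUS_ACCESS_DENIED)
Checking the trust account password returned NT_STATUS_ACCESS_DENIED
"""

# Each pattern marks one step (or failure) in the client -> DC handshake.
PATTERNS = {
    "kerberos_setup": re.compile(r"^Doing kerberos session setup"),
    "ticket_ok": re.compile(r"^Ticket in ccache\["),
    "tcon_denied": re.compile(r"^failed tcon_X with NT_STATUS_ACCESS_DENIED"),
    "bad_sig": re.compile(r"BAD SIG: (wanted|got) SMB signature"),
    "signing_off": re.compile(r"signing negotiated but not required.*Turning off"),
    "netlogon_denied": re.compile(r"\\PIPE\\NETLOGON \(NT_STATUS_ACCESS_DENIED\)"),
}

def triage(log_text):
    """Count the events that matter and name the phase that failed:
    Kerberos session setup, or the tree connect that follows a good ticket."""
    counts = Counter()
    for line in log_text.splitlines():
        for name, pat in PATTERNS.items():
            if pat.search(line):
                counts[name] += 1
    auth_ok = counts["kerberos_setup"] > 0 and counts["ticket_ok"] > 0
    if counts["tcon_denied"] and auth_ok:
        # Authentication worked; the DC refused the IPC$ tree connect,
        # so look at DC-side policy / signing, not at the user's credentials.
        phase = "tree_connect_after_successful_kerberos_auth"
    elif counts["kerberos_setup"] and not counts["ticket_ok"]:
        phase = "kerberos_session_setup"
    else:
        phase = "unknown"
    return {
        "failed_phase": phase,
        "tcon_denied": counts["tcon_denied"],
        "netlogon_denied": counts["netlogon_denied"] > 0,
        "signing_mismatch": counts["bad_sig"] > 0 or counts["signing_off"] > 0,
        "bad_sig_events": counts["bad_sig"],
    }
```

Run `triage(open("/var/log/samba/winbindd.log").read())` (path assumed) to get the same summary for a real capture.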