[Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems

2005-05-23 Thread Sean Kennedy

Hi all,

Thus far, I have managed to get wbinfo -[u|g] to display users/group 
correctly, and getent passwd/group works.  However, wbinfo -t fails to 
work, giving me this error:


[EMAIL PROTECTED] samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
Could not check secret



Further, this seems to be related to a problem with wbinfo -a:

[EMAIL PROTECTED] samba]# wbinfo -a user%pass
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: Access denied
Could not authenticate user user%pass with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: Access denied
Could not authenticate user user with challenge/response


I was able to join the domain successfully:

[EMAIL PROTECTED] samba]# net ads join
[2005/05/23 10:09:35, 0] libads/ldap.c:ads_add_machine_acct(1368)
 ads_add_machine_acct: Host account for billing already exists - 
modifying old account

Using short domain name -- DOMAIN
Joined 'BILLING' to realm 'DOMAIN.PRI'



At this point, I am at a loss as to what to do further.  I don't 
understand ADS well enough to know why I can get a list of usernames but 
I can't auth with them.  That seems to be a big clue to me what's going 
on, but I don't understand it well enough to take it.  :)


Here is my krb5.conf file:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.PRI
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
DOMAIN.PRI = {
kdc = dc-1.domain.pri:88
admin_server = dc-1.domain.pri:749
default_domain = domain.PRI
}

[domain_realm]
.domain.pri = DOMAIN.PRI
domain.pri = DOMAIN.PRI

[pam]
debug   = false
ticket_lifetime = 36000
renew_lifetime  = 36000
forwardable = true
krb4_convert= false


And here are the relevant bits of my smb.conf file:

[global]
   workgroup = DOMAIN
   realm = DOMAIN.PRI
   netbios name = BILLING
   password server = 192.168.1.3

   #domain logons = yes
   security = ads
   server string = Billing Office File Server
   interfaces = 192.168.1.0/24 127.0.0.0/8
   bind interfaces only = yes
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%U.log
   guest account = nobody
   guest ok = no

   use spnego = yes
   use kerberos keytab = yes

   wins server = 192.168.1.3
   # Browsing Election options
   local master = yes
   preferred master = yes
   domain master = no
   os level = 55

   wins support = no
   name resolve order = wins hosts bcast
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   #domain admin group = @Domain Admins

   winbind uid = 1000-5000
   winbind gid = 1000-5000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = yes
   winbind separator = +


Any help is greatly appreciated!

Sean

ps: Sorry for the html folks, I'll send this as text too.  The html 
really helps with the formatting, which is why I use it.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems

2005-05-23 Thread John H Terpstra
On Monday 23 May 2005 11:23, Sean Kennedy wrote:
 Hi all,

 Thus far, I have managed to get wbinfo -[u|g] to display users/group
 correctly, and getent passwd/group works.  However, wbinfo -t fails to
 work, giving me this error:

 [EMAIL PROTECTED] samba]# wbinfo -t
 checking the trust secret via RPC calls failed
 error code was NT_STATUS_ACCESS_DENIED (0xc022)
 Could not check secret

Check the security settings on the ADS domain controllers. It looks like it may 
have been locked down to prevent remote access.

- John T.

 Further, this seems to be related to a problem with wbinfo -a:

 [EMAIL PROTECTED] samba]# wbinfo -a user%pass
 plaintext password authentication failed
 error code was NT_STATUS_ACCESS_DENIED (0xc022)
 error messsage was: Access denied
 Could not authenticate user user%pass with plaintext password
 challenge/response password authentication failed
 error code was NT_STATUS_ACCESS_DENIED (0xc022)
 error messsage was: Access denied
 Could not authenticate user user with challenge/response


 I was able to join the domain successfully:

 [EMAIL PROTECTED] samba]# net ads join
 [2005/05/23 10:09:35, 0] libads/ldap.c:ads_add_machine_acct(1368)
   ads_add_machine_acct: Host account for billing already exists -
 modifying old account
 Using short domain name -- DOMAIN
 Joined 'BILLING' to realm 'DOMAIN.PRI'



 At this point, I am at a loss as to what to do further.  I don't
 understand ADS well enough to know why I can get a list of usernames but
 I can't auth with them.  That seems to be a big clue to me what's going
 on, but I don't understand it well enough to take it.  :)

 Here is my krb5.conf file:

 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
 default_realm = DOMAIN.PRI
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true

 [realms]
 DOMAIN.PRI = {
 kdc = dc-1.domain.pri:88
 admin_server = dc-1.domain.pri:749
 default_domain = domain.PRI
 }

 [domain_realm]
 .domain.pri = DOMAIN.PRI
 domain.pri = DOMAIN.PRI

 [pam]
 debug   = false
 ticket_lifetime = 36000
 renew_lifetime  = 36000
 forwardable = true
 krb4_convert= false


 And here are the relevant bits of my smb.conf file:

 [global]
 workgroup = DOMAIN
 realm = DOMAIN.PRI
 netbios name = BILLING
 password server = 192.168.1.3

 #domain logons = yes
 security = ads
 server string = Billing Office File Server
 interfaces = 192.168.1.0/24 127.0.0.0/8
 bind interfaces only = yes
 encrypt passwords = yes
 log level = 3
 log file = /var/log/samba/%U.log
 guest account = nobody
 guest ok = no

 use spnego = yes
 use kerberos keytab = yes

 wins server = 192.168.1.3
 # Browsing Election options
 local master = yes
 preferred master = yes
 domain master = no
 os level = 55

 wins support = no
 name resolve order = wins hosts bcast
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

 #domain admin group = @Domain Admins

 winbind uid = 1000-5000
 winbind gid = 1000-5000
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /home/%U
 template shell = /bin/bash
 winbind use default domain = yes
 winbind separator = +


 Any help is greatly appreciated!

 Sean

 ps: Sorry for the html folks, I'll send this as text too.  The html
 really helps with the formatting, which is why I use it.

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO  Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.


Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems

2005-05-23 Thread Sean Kennedy

John H Terpstra wrote:


On Monday 23 May 2005 11:23, Sean Kennedy wrote:

Hi all,

Thus far, I have managed to get wbinfo -[u|g] to display users/group
correctly, and getent passwd/group works.  However, wbinfo -t fails to
work, giving me this error:

[EMAIL PROTECTED] samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
Could not check secret

Check the security settings on the ADS domain controllers. It looks like it may 
have been locked down to prevent remote access.


- John T.

I checked, I didn't see that it was.  Further, two other linux servers
are configured in the same way ( although neither are centOS.  One is
RH8, the other is Fedora Core 1 ).

Would any other info help with debugging?

Sean



Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems

2005-05-23 Thread Sean Kennedy

John H Terpstra wrote:


On Monday 23 May 2005 11:23, Sean Kennedy wrote:

Hi all,

Thus far, I have managed to get wbinfo -[u|g] to display users/group
correctly, and getent passwd/group works.  However, wbinfo -t fails to
work, giving me this error:

[EMAIL PROTECTED] samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
Could not check secret

Check the security settings on the ADS domain controllers. It looks like it may 
have been locked down to prevent remote access.


- John T.

I don't know if it helps, but when I run winbindd -i -d3 and I do 
`wbinfo -t`, this is the feedback I get from winbind:


[ 1990]: request interface version
[ 1990]: request location of privileged pipe
[ 1990]: check machine account
Connected to LDAP server 192.168.1.3
got ldap server name [EMAIL PROTECTED], using bind path: dc=BOCA,dc=PRI
IPC$ connections done anonymously
Connecting to host=DC-1
Connecting to 192.168.1.3 at port 445
Doing spnego session setup (blob length=102)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
Connecting to host=DC-1
Connecting to 192.168.1.3 at port 445
Doing spnego session setup (blob length=102)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
Connecting to host=DC-1
Connecting to 192.168.1.3 at port 445
Doing spnego session setup (blob length=102)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
Could not open a connection to BOCA for \PIPE\NETLOGON 
(NT_STATUS_ACCESS_DENIED)

could not open handle to NETLOGON pipe
Checking the trust account password returned NT_STATUS_ACCESS_DENIED



Don't know if this helps or not, but if it does, here you go.  ( Names 
were not changed to protect the innocent :) )


Sean


Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems

2005-05-23 Thread John H Terpstra
On Monday 23 May 2005 12:59, Sean Kennedy wrote:
 John H Terpstra wrote:
 On Monday 23 May 2005 11:23, Sean Kennedy wrote:
 Hi all,
 
 Thus far, I have managed to get wbinfo -[u|g] to display users/group
 correctly, and getent passwd/group works.  However, wbinfo -t fails to
 work, giving me this error:
 
 [EMAIL PROTECTED] samba]# wbinfo -t
 checking the trust secret via RPC calls failed
 error code was NT_STATUS_ACCESS_DENIED (0xc022)
 Could not check secret
 
 Check the security settings on the ADS domain controllers. It looks like it
  may have been locked down to prevent remote access.
 
 - John T.

 I don't know if it helps, but when I run winbindd -i -d3 and I do
 `wbinfo -t`, this is the feedback I get from winbind:

DC-1 is refusing the connection. The security settings on it need to be opened 
up. 

- John T.


 [ 1990]: request interface version
 [ 1990]: request location of privileged pipe
 [ 1990]: check machine account
 Connected to LDAP server 192.168.1.3
 got ldap server name [EMAIL PROTECTED], using bind path: dc=BOCA,dc=PRI
 IPC$ connections done anonymously
 Connecting to host=DC-1
 Connecting to 192.168.1.3 at port 445
 Doing spnego session setup (blob length=102)
 got OID=1 2 840 48018 1 2 2
 got OID=1 2 840 113554 1 2 2
 got OID=1 2 840 113554 1 2 2 3
 got OID=1 3 6 1 4 1 311 2 2 10
 got [EMAIL PROTECTED]
 Doing kerberos session setup
 Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08
 GMT failed tcon_X with NT_STATUS_ACCESS_DENIED
 Connecting to host=DC-1
 Connecting to 192.168.1.3 at port 445
 Doing spnego session setup (blob length=102)
 got OID=1 2 840 48018 1 2 2
 got OID=1 2 840 113554 1 2 2
 got OID=1 2 840 113554 1 2 2 3
 got OID=1 3 6 1 4 1 311 2 2 10
 got [EMAIL PROTECTED]
 Doing kerberos session setup
 Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08
 GMT failed tcon_X with NT_STATUS_ACCESS_DENIED
 Connecting to host=DC-1
 Connecting to 192.168.1.3 at port 445
 Doing spnego session setup (blob length=102)
 got OID=1 2 840 48018 1 2 2
 got OID=1 2 840 113554 1 2 2
 got OID=1 2 840 113554 1 2 2 3
 got OID=1 3 6 1 4 1 311 2 2 10
 got [EMAIL PROTECTED]
 Doing kerberos session setup
 Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08
 GMT failed tcon_X with NT_STATUS_ACCESS_DENIED
 Could not open a connection to BOCA for \PIPE\NETLOGON
 (NT_STATUS_ACCESS_DENIED)
 could not open handle to NETLOGON pipe
 Checking the trust account password returned NT_STATUS_ACCESS_DENIED



 Don't know if this helps or not, but if it does, here you go.  ( Names
 were not changed to protect the innocent :) )

 Sean



Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems

2005-05-23 Thread Sean Kennedy

John H Terpstra wrote:


On Monday 23 May 2005 12:59, Sean Kennedy wrote:

John H Terpstra wrote:

On Monday 23 May 2005 11:23, Sean Kennedy wrote:

Hi all,

Thus far, I have managed to get wbinfo -[u|g] to display users/group
correctly, and getent passwd/group works.  However, wbinfo -t fails to
work, giving me this error:

[EMAIL PROTECTED] samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
Could not check secret

Check the security settings on the ADS domain controllers. It looks like it
may have been locked down to prevent remote access.

- John T.

I don't know if it helps, but when I run winbindd -i -d3 and I do
`wbinfo -t`, this is the feedback I get from winbind:

DC-1 is refusing the connection. The security settings on it need to be opened 
up. 


- John T.

Hi John,

I'm sorry John, I'm not seeing the setting you are referring to.  Would 
this setting affect one machine while 2 others are able to communicate 
fine? 

After reading through my output, this almost sounds like a signing error 
on the communications, which leads me to suspect that samba/kerberos 
doesn't have the required encryption somewhere along the way.  The reason 
I think that is because I see stuff like this in my logs: 
client_check_incoming_message: BAD SIG: wanted SMB signature of

[000] 65 83 B8 05 F9 ED C7 08   e...
client_check_incoming_message: BAD SIG: got SMB signature of
[000] DA 3C 6A 63 E5 B9 1F 82   .jc


And then, further down, this:

srv_check_incoming_message: signing negotiated but not required and peer
isn't sending correct signatures. Turning off.


Could this be caused by what you were mentioning earlier?  I'm looking 
under the GP/Windows Settings/Security Settings/Local Policies/Security 
Options and User Rights.  Is that the right place to find what you are 
referring to?


Thanks again for your help

Sean
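As an added example (my own code, not from this thread or from the Samba project), the following Python script triages a log in the shape of the `winbindd -i -d3` output and the `BAD SIG` lines Sean quoted: it counts the events that matter for this failure (Kerberos session setup, refused `tcon_X`, unreachable NETLOGON pipe, signing being switched off) and pairs each "wanted" signature with the "got" one so that a mismatch is reported explicitly rather than left for the reader to spot. The sample log is constructed from the lines in this thread, and the line formats it matches are assumed to be those of Samba 3.0.x debug output.

```python
import re

# Constructed sample input: lines modelled on the winbindd -i -d3 output and the
# smbd "BAD SIG" lines quoted in this thread (not a real capture).
SAMPLE_LOG = r"""
[ 1990]: check machine account
Connected to LDAP server 192.168.1.3
Connecting to host=DC-1
Connecting to 192.168.1.3 at port 445
Doing spnego session setup (blob length=102)
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 23 May 2005 21:57:08 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
Connecting to host=DC-1
Doing kerberos session setup
failed tcon_X with NT_STATUS_ACCESS_DENIED
Could not open a connection to BOCA for \PIPE\NETLOGON (NT_STATUS_ACCESS_DENIED)
could not open handle to NETLOGON pipe
Checking the trust account password returned NT_STATUS_ACCESS_DENIED
client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] 65 83 B8 05 F9 ED C7 08   e...
client_check_incoming_message: BAD SIG: got SMB signature of
[000] DA 3C 6A 63 E5 B9 1F 82   .jc
srv_check_incoming_message: signing negotiated but not required and peer isn't sending correct signatures. Turning off.
"""

# Events worth counting when triaging a winbindd/smbd debug log (assumed line formats).
EVENTS = {
    "kerberos_session_setup": re.compile(r"^Doing kerberos session setup"),
    "tcon_x_denied": re.compile(r"^failed tcon_X with NT_STATUS_ACCESS_DENIED"),
    "netlogon_pipe_denied": re.compile(r"PIPE\\NETLOGON.*NT_STATUS_ACCESS_DENIED"),
    "trust_check_denied": re.compile(r"trust account password returned NT_STATUS_ACCESS_DENIED"),
    "signing_turned_off": re.compile(r"signing negotiated but not required.*Turning off"),
}
BAD_SIG_WANTED = re.compile(r"BAD SIG: wanted SMB signature")
BAD_SIG_GOT = re.compile(r"BAD SIG: got SMB signature")
# Samba hex dump line: "[000] 65 83 B8 05 F9 ED C7 08   e..." (offset, bytes, ASCII column).
HEX_DUMP = re.compile(r"^\[[0-9A-Fa-f]{3}\]\s+((?:[0-9A-Fa-f]{2}(?:\s+|$))+)")


def signature_after(lines, i):
    """Return the 8-byte SMB signature from the hex-dump line following lines[i], or None."""
    if i + 1 >= len(lines):
        return None
    m = HEX_DUMP.match(lines[i + 1])
    if not m:
        return None
    return bytes.fromhex("".join(m.group(1).split()[:8]))


def triage(text):
    """Count the interesting events and derive findings from a debug log."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    counts = {name: 0 for name in EVENTS}
    wanted, got = [], []
    for i, line in enumerate(lines):
        for name, pattern in EVENTS.items():
            if pattern.search(line):
                counts[name] += 1
        if BAD_SIG_WANTED.search(line):
            sig = signature_after(lines, i)
            if sig is not None:
                wanted.append(sig)
        elif BAD_SIG_GOT.search(line):
            sig = signature_after(lines, i)
            if sig is not None:
                got.append(sig)

    pairs = list(zip(wanted, got))          # (expected, received) per BAD SIG report
    mismatches = sum(1 for w, g in pairs if w != g)
    findings = []
    if counts["kerberos_session_setup"] and counts["tcon_x_denied"]:
        findings.append(
            "Kerberos session setup completed but the tree connect (tcon_X) to the DC "
            "was refused with NT_STATUS_ACCESS_DENIED: credentials are accepted, the "
            "IPC$ connection is not.")
    if counts["netlogon_pipe_denied"] or counts["trust_check_denied"]:
        findings.append(
            "NETLOGON pipe could not be opened, so the machine trust account cannot be "
            "verified; wbinfo -t and wbinfo -a fail for the same reason.")
    if mismatches:
        findings.append(
            "SMB signature mismatch: client and server computed different signatures for "
            "the same message; compare signing settings on both sides.")
    if counts["signing_turned_off"]:
        findings.append(
            "Signing was negotiated but not required and has been switched off; if "
            "integrity protection is mandatory, require signing on both sides instead.")
    return {"counts": counts, "signature_pairs": pairs,
            "mismatches": mismatches, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, n in report["counts"].items():
        print(f"{name:24s} {n}")
    for w, g in report["signature_pairs"]:
        print(f"wanted {w.hex()}  got {g.hex()}")
    for f in report["findings"]:
        print("-", f)
```

Run it against a real capture by reading the winbindd or smbd log file into `triage()` instead of `SAMPLE_LOG`; the interesting property for this thread is that the signature pair is reported even when the DC's refusal is logged separately from the signing complaint, which is what makes the two symptoms easy to connect.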


Re: [Samba] CentOS 3.4 + Samba 3.0.9-1.3E.2, winbind problems

2005-05-23 Thread John H Terpstra
On Monday 23 May 2005 14:03, Sean Kennedy wrote:
 I don't know if it helps, but when I run winbindd -i -d3 and I do
 `wbinfo -t`, this is the feedback I get from winbind:
 
 DC-1 is refusing the connection. The security settings on it need to be
  opened up.
 
 - John T.

 Hi John,

 I'm sorry John, I'm not seeing the setting you are referring to.  Would
 this setting affect one machine while 2 others are able to communicate
 fine?

 After reading through my output, this almost sounds like a signing error
 on the communications, which leads me to suspect that samba/kerberos
 doesn't have the required encryption somewhere along the way.  The reason
 I think that is because I see stuff like this in my logs:
 client_check_incoming_message: BAD SIG: wanted SMB signature of
 [000] 65 83 B8 05 F9 ED C7 08   e...
 client_check_incoming_message: BAD SIG: got SMB signature of
 [000] DA 3C 6A 63 E5 B9 1F 82   .jc


 And then, further down, this:

 srv_check_incoming_message: signing negotiated but not required and peer
 isn't sending correct signatures. Turning off.


 Could this be caused by what you were mentioning earlier?  I'm looking
 under the GP/Windows Settings/Security Settings/Local Policies/Security
 Options and User Rights.  Is that the right place to find what you are
 referring to?

Use the Administrator tools. I do not have access to my ADS server right now, 
so am going from memory. There is a tool called Active Directory Security 
or something similar. Suggest you check what are the policy settings 
regarding external access.

I may be off beam, but it looks like the ADS server is refusing access for the 
TCON_X call. That may be due to the Samba client not being able to support 
the encryption type, but could also be caused by policies in effect that do 
not permit access.

Later today I may be able to access my ADS server. At that time I will check 
what the admin tool is called.

- John T.