[Samba] authenticating using winbindd against NT4 domain fails

Doug Sampson dougs at dawnsign.com
Wed Sep 6 10:12:37 PDT 2006


Since version 3.0.23b, I have been having trouble getting Windows & OSX
users to access an NT domain member server running FreeBSD 5.4. It is now at
3.0.23c (installed this morning the 5th).

root at aries:/usr/local/lib# net rpc user
Password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_NO_LOGON_SERVERS

root at aries:/usr/local/lib# net rpc user
Password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_NO_LOGON_SERVERS

root at aries:/usr/local/lib# net rpc testjoin -U root
Join to 'DSP' is OK

root at aries:/usr/local/lib# net rpc info
Password:
Domain Name: DSP
Domain SID: S-1-5-21-2008768363-1786319642-1659389152
Sequence number: 16744
Num users: 116
Num domain groups: 16
Num local groups: 1

root at aries:/usr/local/lib# net rpc testjoin
Join to 'DSP' is OK

root at aries:/usr/local/lib# wbinfo -u   >>> works OK
root at aries:/usr/local/lib# wbinfo -g   >>> works OK


root at aries:/usr/local/lib# tail -n 25 /var/log/samba/log.wb-DSP
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL
[2006/09/05 20:07:07, 0] nsswitch/winbindd_dual.c:child_read_request(49)
  Got invalid request length: 0
[2006/09/05 20:08:22, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL
[2006/09/05 20:23:42, 0] nsswitch/winbindd_dual.c:child_read_request(49)
  Got invalid request length: 0
[2006/09/05 20:25:00, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL
[2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:child_read_request(49)
  Got invalid request length: 0
[2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL
[2006/09/05 21:00:06, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Broken pipe
[2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:fork_domain_child(825)
  Could not write result
[2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL
[2006/09/05 21:00:06, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Broken pipe
[2006/09/05 21:00:06, 0] nsswitch/winbindd_dual.c:fork_domain_child(825)
  Could not write result
[2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error
NT_STATUS_BUFFER_TOO_SMALL

root at aries:/usr/local/lib# tail -n 25 /var/log/messages
Sep  5 20:25:00 aries winbindd[640]: [2006/09/05 20:25:00, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
Sep  5 20:25:00 aries winbindd[640]:   cli_rpc_pipe_open_noauth:
rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL
Sep  5 20:25:11 aries apcupsd[557]: apcupsd 3.12.3 (26 April 2006) freebsd
startup succeeded
Sep  5 21:00:06 aries nmbd[627]: [2006/09/05 21:00:06, 0]
nmbd/nmbd.c:terminate(58)
Sep  5 21:00:06 aries nmbd[627]:   Got SIGTERM: going down...
Sep  5 21:00:06 aries winbindd[640]: [2006/09/05 21:00:06, 0]
nsswitch/winbindd_dual.c:child_read_request(49)
Sep  5 21:00:06 aries winbindd[640]:   Got invalid request length: 0
Sep  5 21:00:06 aries winbindd[862]: [2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
Sep  5 21:00:06 aries winbindd[862]:   cli_rpc_pipe_open_noauth:
rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL
Sep  5 21:00:06 aries nmbd[847]: [2006/09/05 21:00:06, 0]
nmbd/nmbd.c:terminate(58)
Sep  5 21:00:06 aries nmbd[847]:   Got SIGTERM: going down...
Sep  5 21:00:06 aries winbindd[862]: [2006/09/05 21:00:06, 0]
lib/util_sock.c:write_data(564)
Sep  5 21:00:06 aries winbindd[862]:   write_data: write failure. Error =
Broken pipe
Sep  5 21:00:06 aries winbindd[862]: [2006/09/05 21:00:06, 0]
nsswitch/winbindd_dual.c:fork_domain_child(825)
Sep  5 21:00:06 aries winbindd[862]:   Could not write result
Sep  5 21:00:06 aries winbindd[921]: [2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
Sep  5 21:00:06 aries winbindd[921]:   cli_rpc_pipe_open_noauth:
rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL
Sep  5 21:00:06 aries nmbd[906]: [2006/09/05 21:00:06, 0]
nmbd/nmbd.c:terminate(58)
Sep  5 21:00:06 aries nmbd[906]:   Got SIGTERM: going down...
Sep  5 21:00:06 aries winbindd[921]: [2006/09/05 21:00:06, 0]
lib/util_sock.c:write_data(564)
Sep  5 21:00:06 aries winbindd[921]:   write_data: write failure. Error =
Broken pipe
Sep  5 21:00:06 aries winbindd[921]: [2006/09/05 21:00:06, 0]
nsswitch/winbindd_dual.c:fork_domain_child(825)
Sep  5 21:00:06 aries winbindd[921]:   Could not write result
Sep  5 21:00:06 aries winbindd[979]: [2006/09/05 21:00:06, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
Sep  5 21:00:06 aries winbindd[979]:   cli_rpc_pipe_open_noauth:
rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL

root at aries:/usr/local/lib# vi /etc/nsswitch.conf
passwd: files winbind
passwd_compat: nis
group: files winbind
group_compat: nis
hosts: files dns winbind
networks: files
shells: files

root at aries:/usr/local/lib# ll *win*
lrwxr-xr-x  1 root  wheel      18 Sep  5 09:28 libnss_winbind.so ->
./nss_winbind.so.1
lrwxr-xr-x  1 root  wheel      18 Sep  5 09:28 libnss_winbind.so.1 ->
./nss_winbind.so.1
lrwxr-xr-x  1 root  wheel      18 Sep  5 09:28 libnss_winbind.so.2 ->
./nss_winbind.so.1
lrwxr-xr-x  1 root  wheel      15 Sep  5 09:25 libnss_wins.so ->
./nss_wins.so.1
lrwxr-xr-x  1 root  wheel      15 Sep  5 09:26 libnss_wins.so.1 ->
./nss_wins.so.1
lrwxr-xr-x  1 root  wheel      15 Sep  5 09:26 libnss_wins.so.2 ->
./nss_wins.so.1
-r-xr-xr-x  1 root  wheel   16696 Jul 14 14:29 nss_winbind.ol1
lrwxr-xr-x  1 root  wheel      18 Sep  5 09:30 nss_winbind.so ->
./nss_winbind.so.1
-r-xr-xr-x  1 root  wheel   18232 Sep  5 09:13 nss_winbind.so.1
lrwxr-xr-x  1 root  wheel      18 Sep  5 09:30 nss_winbind.so.2 ->
./nss_winbind.so.1
-r-xr-xr-x  1 root  wheel   18232 Aug 28 18:23 nss_winbind.so.ol2
-rwxr-xr-x  1 root  wheel   23057 Sep 15  2005 nss_winbind.so.old
lrwxr-xr-x  1 root  wheel      15 Sep  5 09:31 nss_wins.so ->
./nss_wins.so.1
-r-xr-xr-x  1 root  wheel  745440 Sep  5 09:13 nss_wins.so.1
lrwxr-xr-x  1 root  wheel      15 Sep  5 09:31 nss_wins.so.2 ->
./nss_wins.so.1
-r-xr-xr-x  1 root  wheel  745184 Aug 28 20:26 nss_wins.so.bkup
-r-xr-xr-x  1 root  wheel  744448 Jul 14 14:31 nss_wins.so.ol1
-rwxr-xr-x  1 root  wheel  813451 Sep 15  2005 nss_wins.so.old
-r-xr-xr-x  1 root  wheel   33416 Sep  5 09:13 pam_winbind.so

When a Windows attempts to connect to Aries using Windows Explorer and
browsing through the Network Neighborhood, the user receives the following
message:

\\ARIES is not accessible.
There are currently no logon servers available to service the logon request.

root at aries:/usr/local/lib# testparm -s
Load smb config files from /usr/local/etc/smb.conf
Processing section "[homes]"
Processing section "[macdata]"
Processing section "[backup]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = DSP
        server string = Samba %v
        security = DOMAIN
        password server = altair gemini
        log file = /var/log/samba/log.%m
        max log size = 50
        smb ports = 139
        max xmit = 65535
        deadtime = 15
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
SO_RCVBUF=4096 SO_SNDBUF=4096
        os level = 33
        local master = No
        dns proxy = No
        wins server = 192.168.1.1
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template homedir = /usr/home/%D/%U
        template shell = /bin/bash
        winbind separator = -
        winbind enum users = Yes
        winbind enum groups = Yes
        hosts allow = 192.168.1., 192.168.2., 127., 10.8.0.

[homes]
        comment = Home Directories
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

[macdata]
        comment = Production Data
        path = /data
        valid users = DSP-alfredo, DSP-matte, DSP-michaelm, DSP-becky,
DSP-marlah, DSP-doug, @production
        force group = @DSP-production
        read only = No
        create mask = 0770
        force create mode = 0660
        directory mask = 0770
        force directory mode = 02770
        guest ok = Yes
        hide files =
/_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Network Trash
Folder/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary
Items/.DS_Store/
        vfs objects = netatalk

[backup]
        comment = backup volume
        path = /backup
        valid users = "@DSP-domain admins", DSP-doug
        read only = No
        create mask = 0774
        directory mask = 0774
        force directory mode = 0774


I understand that the winbind behavior has changed in 3.0.23x (or 3.0.22?)
but it was my impression that nothing had changed in the way a Samba member
server authenticates against a NT4 PDC using winbindd. What might I be doing
wrong here?

~Doug
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


More information about the freebsd-ports mailing list