Winbind problem

bkesting

Hello,

I am running Suse 9.2 and winbind (Samba 3.0.7-5.2) and am experiencing a strange problem. I am connecting this server to an Active Directory network and everything seems to be working fine for the most part. I can see and resolve Windows user accounts, group accounts and machine accounts. However, after a period of time......when trying to access a samba share from a Windows desktop, my users are prompted with "The password or user name is invalid for \\linux\samba share.....please enter password for \\linux\samba share"

It won't take any password that I can think of. The strange thing is....if I restart the winbind service, everything works fine, for a while. Users are able to access the samba share for a few hours or so, then the problem creeps back up. Again, if I simply restart the winbind service, everything seems to revert back to normal. I have included some of my setup files and log files below, can anyone tell me what is happening...Thanks.

----------/etc/nsswitch.conf--------------
passwd: combat winbind
group: combat winbind
hosts: files host winbind

---------/etc/krb5.conf-------------------
[libdefaults]
default_realm = MYDOMAIN.LOCAL

[realms]
MYDOMAIN.LOCAL = {
kdc = ads-server.mydomain.local
}

------/etc/samba/smb.conf----------------
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = Samba Server
security = ADS
password server = ads-server.mydomain.local
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +

[users]
comment = Users on Linux
path = /home/MYDOMAIN
read only = No
browseable = Yes

-------/var/log/samba/log.smbd (end of file)-------
Username MYDOMAIN+HOST$ is invalid on this system
[2004/12/17 14:01:03, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username MYDOMAIN+user is invalid on this system
[2004/12/17 14:01:04, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username MYDOMAIN+HOST$ is invalid on this system
[2004/12/17 14:01:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username MYDOMAIN+HOST$ is invalid on this system
[2004/12/17 14:01:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username MYDOMAIN+user is invalid on this system

-------------/var/log/samba/log.winbindd--------
[2004/12/17 14:01:03, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'HOST$' does not exist
[2004/12/17 14:01:03, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'USER' does not exist
[2004/12/17 14:01:03, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'USER' does not exist
[2004/12/17 14:01:03, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'USER' does not exist
[2004/12/17 14:01:04, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'host' does not exist
[2004/12/17 14:01:04, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'HOST$' does not exist
[2004/12/17 14:01:42, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'host' does not exist
[2004/12/17 14:01:42, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'HOST' does not exist
[2004/12/17 14:01:42, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'user' does not exist
[2004/12/17 14:01:42, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'user' does not exist
[2004/12/17 14:01:42, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'USER' does not exist
[2004/12/17 14:25:03, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
krb5_cc_get_principal failed (No such file or directory)



I would appreciate any help.....if you need any more info or files, please let me know. Thanks.
 
I'm no expert in winbind (other than knowing without a doubt that it sucks ;-) but it looks to me from the logs that the client is sending the wrong username. Unless, somehow, the daemons start unpacking the packets from the wrong offset, but that seems unlikely.
 
I have no idea what is going on with it......like I said before, it works great for a while, and seems to be fixed with a restart of the winbind service.
 
Can you turn up the logging and capture a good login to compare with the failures?
 
My entire log.winbindd file is filled with entries identical to above.
 
Even when it's working? You don't have any success log messages? I *think* you can turn up the log level on the daemons, but you'd have to break out the man page for smb.conf to be sure.
 
I will look into it........

One of my friends suggested removing the winbind entry from the hosts line in nsswitch.conf, saying nsswitch is not used for host resolution....I will try that and see what happens.
 
Everything seems to be working fine, all Windows user accounts and groups are resolving correctly. However, I am still getting this one message in my winbind logs that confuses me. I don't know if this is something I should ignore or if it is a sign of a problem to come:

------/var/log/samba/winbind.log----------
[2004/12/26 17:20:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
user 'root' does not exist
[2004/12/26 17:20:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
user 'root' does not exist
[2004/12/26 17:25:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
user 'root' does not exist

Any thoughts?
 
I'm not 100% on this but I think that's because pam is checking pam_winbind.so before the pam_unix.so. It's only a warning though. See if the error msgs line up to root logins, that would help narrow it down.

hope that helps,

--ned
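
One way to act on the two suggestions in this thread (compare the failures against a known-good period, and check whether the 'root' messages line up with root logins), as an added example that is not from any poster: a Python parser for the two-line Samba log entries quoted above. The log lines are copied from the thread; the login time and the 60-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Header of a Samba log entry: [date time, level] file.c:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] \S+?:(\w+)\(\d+\)$")

def parse_entries(text):
    """Yield (timestamp, function, message) for each header + message pair."""
    current = None  # stays None until a header is seen, so a cut-off first line is skipped
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = (ts, m.group(2))
        elif current and line:
            yield current[0], current[1], line
            current = None

def summarize(text):
    """Per (function, lower-cased message): (count, first seen, last seen)."""
    groups = defaultdict(list)
    for ts, func, msg in parse_entries(text):
        groups[(func, msg.lower())].append(ts)
    return {k: (len(v), min(v), max(v)) for k, v in groups.items()}

def split_by_logins(text, login_times, window_s=60):
    """Separate entries within window_s seconds of a login from the rest."""
    near, far = [], []
    for entry in parse_entries(text):
        hit = any(abs((entry[0] - t).total_seconds()) <= window_s
                  for t in login_times)
        (near if hit else far).append(entry)
    return near, far

# Log lines copied from the excerpts in this thread.
SAMPLE = """\
Username MYDOMAIN+HOST$ is invalid on this system
[2004/12/17 14:01:42, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'user' does not exist
[2004/12/17 14:01:42, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
user 'USER' does not exist
[2004/12/26 17:20:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
user 'root' does not exist
[2004/12/26 17:25:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
user 'root' does not exist
"""
ROOT_LOGINS = [datetime(2004, 12, 26, 17, 19, 40)]  # constructed, not from the thread
```

Lower-casing the message groups the case variants that winbindd tries for the same name, and the first-seen time per group can be compared with the time winbind was last restarted.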
 