Re: ntlm_auth NT_STATUS_INVALID_HANDLE with windbind

Thank you very much for your answer; a very detailed answer!
I hope you will find a few more minutes to clarify the things I didn't understand... particularly Fumiya's law :-)


wbinfo should show three domains:
# wbinfo -m
BUILTIN
YOUR_DOMAIN
YOUR_SERVER
In my case "MY_SERVER" is missing.

# net getdomainsid
SID for local machine YOUR_SERVER is: LOCAL-SID
SID for domain YOUR_DOMAIN is: DOMAIN-SID
Ok.
In my case local and domain SIDs are the same.


# ldapsearch -xLLL "(&(objectclass=sambaDomain)(sambaDomainName=*))"
I don't use ldap, but the simple tdbsam.
I'm trying to switch to openldap, but I'm in trouble since I can't find a working guide. As you can confirm later, for example, smbldaptools has some "bugs" but I have never read about them.



and finally
# wbinfo --ping-dc
MUST succeed
Ok, it succeeds.


As SATOH Fumiyas tells us, one SHOULD join without a running winbindd daemon.
# net rpc join -S localhost -U administrator

One is NOT joining "localhost"! One joins $HOSTNAME!!
Sorry, I don't understand...


Verify with
# net rpc testjoin
Join to 'YOUR_DOMAIN' is OK
...but this works :-)


and
# pdbedit -v $HOSTNAME$
Account Flags:        [S          ]
User SID:             "DOMAIN-SID"-"SERVER-RID"
Primary Group SID:    "DOMAIN-SID"-515
Ok, but I have a problem: the PG-SID ends with 3007
Primary Group SID:    "DOMAIN-SID"-3007

All our machines have this issue... because
#> net groupmap list|grep 3007
Domain Computers ("DOMAIN-SID"-3007) -> msmachines

I don't know why... I remember it was 515... I'm confused; it's very strange. How can I have changed it? Many other SIDs end in 30xx.

I don't know if this can cause the following problem.


# wbinfo -a user%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded

and this fails



It works for me with Samba 3.5.6 and also with 3.5.11 from backports :-)
Perfect, so I'm sure I can make it work :-)
Are you using the windbind.conf workaround?



Step-by-step guide

You should verify these three groups:
# net sam list builtin
administrators
guests
users
For me "guest" is missing

# net sam show administrators
BUILTIN\administrators is a Local Group with SID S-1-5-32-544
# net sam show guests
BUILTIN\guests is a Local Group with SID S-1-5-32-546
# net sam show users
BUILTIN\users is a Local Group with SID S-1-5-32-545
Finally a perfect result! :-)


and verify that these groups have their default members:
# net rpc group members Administrators
YOUR_DOMAIN\Domain Admins
# net rpc group members guests
YOUR_DOMAIN\Domain Guests
# net rpc group members users
YOUR_DOMAIN\Domain Users
Strange, it asks me for root's password, but:

Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE


You must have a valid "idmap alloc setup"
and have stored the secret in secrets.tdb
smb.conf:
I hope "idmap secret" refers to an ldap password.


will store user and password in secrets.tdb, so that winbindd has enough
rights to work. If your administrator account has uidnumber=0, you may
use this account.


stop samba, start winbind, start samba;
wait some seconds, winbindd will now create the third domain, which has
the name of your PDC's hostname.

I'm lost... because I can't distinguish the ldap from the tdbsam operations.
In my case, with tdbsam, does winbind need to find a password in secrets.tdb?


HINT
when I checked winbindd.conf with testparm, I got some errors,
until I put an empty or comment line before the line with the include
statement :-) .
Here it doesn't need it :-)


I will try to find out how it is possible to have SIDs ending in 3007, but I'm sure I have some problem in the tdbsam database, since I can't delete some machine accounts. It would probably be better to solve this problem before all the others ("tdbbackup -s" should be enough...).

Alessandro
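The thread above turns on two SID checks that are easy to get wrong by eye: whether the machine account's primary group RID is the well-known 515 (Domain Computers), and whether `net groupmap list` maps the well-known domain groups to their standard RIDs (512 Domain Admins, 513 Domain Users, 514 Domain Guests, 515 Domain Computers, 516 Domain Controllers; these are Microsoft-defined constants, not values from this thread). The following script is an added example, not code from the Samba project or from anyone in this thread. It parses the text output of `pdbedit -v` and `net groupmap list` in the formats shown in the mails and reports inconsistencies. The domain SID and the sample output embedded below are constructed for illustration; the `check_account` function and its argument names are this example's own, not a Samba API.

```python
import re

# Well-known domain-relative RIDs (Microsoft-defined; independent of this thread).
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}
NAME_TO_RID = {name: rid for rid, name in WELL_KNOWN_RIDS.items()}

# Expected primary group RID per account kind: machine accounts belong to
# Domain Computers (515), ordinary users to Domain Users (513).
EXPECTED_PRIMARY_RID = {"machine": 515, "user": 513}

# Domain SID 'S-1-5-21-a-b-c' followed by a RID.
SID_RE = re.compile(r"(S-1-5-21(?:-\d+){3})-(\d+)")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_sid, rid); None if not a domain SID."""
    m = SID_RE.fullmatch(sid.strip().strip('"'))
    return (m.group(1), int(m.group(2))) if m else None


def parse_pdbedit(text):
    """Turn the 'Key: value' lines of `pdbedit -v` output into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_groupmap(text):
    """Parse `net groupmap list` lines of the form 'Name (SID) -> unixgroup'."""
    mappings = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(.+?) \((S-[\d-]+)\) -> (\S+)", line.strip())
        if m:
            mappings[m.group(1)] = (m.group(2), m.group(3))
    return mappings


def check_account(pdbedit_text, groupmap_text, domain_sid, kind="machine"):
    """Return a list of findings; an empty list means the SIDs look consistent."""
    findings = []
    fields = parse_pdbedit(pdbedit_text)

    # The account itself must live in our domain.
    user = split_sid(fields.get("User SID", ""))
    if user is None:
        findings.append("User SID is missing or not a domain SID")
    elif user[0] != domain_sid:
        findings.append(f"User SID belongs to {user[0]}, not to domain {domain_sid}")

    # The primary group must be the well-known group for this account kind.
    want = EXPECTED_PRIMARY_RID[kind]
    pg = split_sid(fields.get("Primary Group SID", ""))
    if pg is None:
        findings.append("Primary Group SID is missing or not a domain SID")
    elif pg[0] != domain_sid:
        findings.append(f"Primary Group SID belongs to {pg[0]}, not to domain {domain_sid}")
    elif pg[1] != want:
        seen = WELL_KNOWN_RIDS.get(pg[1], "a non-well-known RID")
        findings.append(
            f"Primary Group RID is {pg[1]} ({seen}); expected {want} ({WELL_KNOWN_RIDS[want]})"
        )

    # A well-known group mapped to a non-standard RID breaks the default memberships.
    for name, (sid, unix_group) in parse_groupmap(groupmap_text).items():
        parsed = split_sid(sid)
        if name in NAME_TO_RID and (parsed is None or parsed[1] != NAME_TO_RID[name]):
            findings.append(
                f"groupmap '{name}' -> {unix_group} uses {sid}; expected RID {NAME_TO_RID[name]}"
            )
    return findings


# Constructed sample data (not real output from any host in this thread).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"

BAD_PDBEDIT = """\
Account Flags:        [S          ]
User SID:             S-1-5-21-1111-2222-3333-1006
Primary Group SID:    S-1-5-21-1111-2222-3333-3007
"""
BAD_GROUPMAP = "Domain Computers (S-1-5-21-1111-2222-3333-3007) -> msmachines\n"

GOOD_PDBEDIT = BAD_PDBEDIT.replace("-3007", "-515")
GOOD_GROUPMAP = "Domain Computers (S-1-5-21-1111-2222-3333-515) -> msmachines\n"

if __name__ == "__main__":
    for finding in check_account(BAD_PDBEDIT, BAD_GROUPMAP, DOMAIN_SID):
        print(finding)
```

On a real PDC you would feed the script the captured output of `pdbedit -v '<hostname>$'`, `net groupmap list` and `net getdomainsid` instead of the constructed strings; the parsers only depend on the line formats shown in the thread.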

