Samba: smbpasswd is set to NO PASSWORD

linlu · 06-10-2005, 12:12 PM

I had problems joining the domain when I first setup samba - I didn't realize it at the time. So somehow the domain users were read but they were all setup in smbpasswd with entries like this:
STARWARS\aka-linlu:16777229:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[UN ]:LCT-42A09132:

If I access my shares from a XP machine, I am able to access the share and read/write. If I try to access the machine from NT, I am prompted for the name and password over an over again despite using correct name/password combos (NT domain & unix). Note: My samba server (C3PO) appears in network neighborhood on both XP & the troublesome NT box.

How can I get the correct passwords read from the domain into smbpasswd?
I am running Winbind, and security is set to domain. CentOS 4.0. Samba version 3.0.10-1.4E. Domain is NT 4.0 SP6a.

I have executed this command:
wbinfo --set-auth-user=svc-samba%jediknight

Verified it:
wbinfo --get-auth-user
STARWARS\svc-samba%jediknight

I was able to successfully join the domain using this command.
/usr/bin/net join --user=svc-samba%jediknight --workgroup=STARWARS --long
[2005/06/10 11:37:28, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Transport endpoint is not connected
Joined domain STARWARS.

Here is my smb.conf (trimmed)
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2005/06/10 10:34:22

# Global parameters
[global]
workgroup = STARWARS
netbios name = C3PO
netbios aliases = c3po
server string = C3PO (192.168.2.205) CS Data Repository II
bind interfaces only = No
security = DOMAIN
encrypt passwords = Yes
allow trusted domains = Yes
min password length = 5
null passwords = Yes
obey pam restrictions = No
password server = 10.0.1.201 10.0.1.206 WATTO3 SHMI
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = smbpasswd
algorithmic rid base = 1000
pam password change = No
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
password level = 0
username level = 0
unix password sync = Yes
restrict anonymous = 0
lanman auth = Yes
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = No
client plaintext auth = No
smb ports = 445 139
max protocol = NT1
min protocol = CORE
disable netbios = No
nt pipe support = Yes
nt status support = Yes
name resolve order = wins host lmhosts bcast
use spnego = Yes
client signing = auto
server signing = auto
client use spnego = Yes
paranoid server security = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
domain logons = No
preferred master = Auto
local master = Yes
domain master = Auto
browse list = Yes
enhanced browsing = Yes
dns proxy = No
wins server = 10.0.1.201, 10.0.1.111, 10.0.1.207
wins support = No
default service = files
enable rid algorithm = Yes
idmap backend =
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = \
winbind cache time = 300
winbind enable local accounts = No
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind trusted domains only = Yes
winbind nested groups = No
admin users = aka-linlu, aka-jim, aka-pat
read only = Yes
guest ok = No
browseable = Yes

[homes]
comment = Home Directories
read only = No
browseable = No
available = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
available = No

[files]
comment = Files on C3PO
path = /shares/files
write list = @share-files
read only = No

[CSDATA]
comment = CSDATA Repository II on C3PO
path = /shares/CSdata
write list = @share-CS
read only = No

Thanks for any assistance.

linlu · 06-10-2005, 12:26 PM

Additional info, here is what I get when I execute this command:
wbinfo --trusted-domains
C3PO
BUILTIN

Shouldn't this list include STARWARS?

How do I add STARWARS domain to this list - am I missing something in wbinfo, or smb.conf?

linlu · 06-10-2005, 03:14 PM

I ran a getent passwd and the only thing listed were my unix accounts, according to the winbind advanced config, I should see my domain accounts after the Unix accounts. I don't. I am not running NSCD which is what that doc states could be the problem.

Is there a way to regen all this stuff? How can I get winbind to reread all the accounts and make them available to samba in the Samba users & passwords (webmin). I also noticed that when I run a wbinfo -u, the domain name is not listed just the username.

E.g, I see for wbinfo -u:
aka-linlu

According to the winbindd doc, I should see this instead:
STARWARS\aka-linlu

But the doc doesn't say what to fix if this is not the case.

** I found this doc referenced in another post here **
I am using this to try to regen the passwords:
http://www.justlinux.com/forum/showt...hreadid=118920

linlu · 06-14-2005, 12:52 PM

I have been going through the winbind chapter in the how to on the samba site. It talks about nsswitch.conf being used for determining how to authenticate various types of requests.

Shouldn't RPC also include winbind as an authenticator service?

Here is my nsswithc.conf:

Code:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind

netgroup:   files winbind

publickey:  nisplus

automount:  files winbind
aliases:    files nisplus

How to is at:
http://us3.samba.org/samba/docs/man/...n/winbind.html

linlu · 06-14-2005, 02:32 PM

How to fix a bad join to an NT domain where winbind is used (along with SWAT and webmin).
OS: CentOS 4.0
Domain: NT4

1. I went into webmin and deselected all synch options:

Quote:

Configure automatic Unix and Samba user synchronisation
Configure automatic Unix and Samba group synchronisation

2. I stopped the samba and winbind services via webmin/other/command shell:

Code:

pkill -HUP smbd
pkill -HUP winbindd

3. I followed the instructions in this post to delete the secrets.tdb & smbpasswd from /etc/samba

http://www.justlinux.com/forum/show...threadid=118920

A. I went to /etc/samba and deleted secrets.tdb.

Quote:

Step B. below was missing from the thread above

B. Go to /var/cache/samba and rename or delete the winbindd_idmap.tdb. I actually renamed everything and so far I haven't observed any issues by doing that.

C. I went to server manager on my Windows box (or Hyena) and deleted the account for this linux server.

4. I changed my smb.conf lines:

Code:

winbind trusted domains only = no

Rest of smb.conf is at bottom.

5. I then followed the instructions in the Webmin "How To" to rejoin the domain:
http://us3.samba.org/samba/docs/man/...n/winbind.html

A. Join domain, this is samba 3.x so I used this command:

Code:

net rpc join -S WATTO -Usvc-samba%password

B. Started winbind daemon:

Code:

service winbind start

or

Code:

/usr/sbin/winbindd

C. Followed authors instructions to ensure winbindd was running:

Code:

pgrep winbindd

D. Tested to see if domain users were read.

Code:

wbinfo -u

Ok so far. As I saw all my users in this form scrolled on the screen:

Quote:

STARWARS\User1 ... STARWARS\UserN

E. Tested to see if group from domain were read.

Code:

wbinfo -g

Ok so far. Again I saw my groups in the proper format:

Quote:

STARWARS\Group1 ... STARWARS\GroupN

F. Setup unified passwords & groups so that I could use my NT domain users and groups when assigning share permissions in webmin/swat (samba).

Code:

getent passwd
getent group

When I executed those commands I could clearly see that the descriptions I had listed for my users were scrolled in the output. For the group version, I saw that my group name and the members within them were read. This is looking promising at this point.
Sample from group command.

Quote:

STARWARS\AdminDocAccess:x:16777217:STARWARS\Pam,STARWARS\Jane,STARWARS\Charlena...

6. Next I started the samba service.

Code:

service smb start

7. Then I tested it from the NT box that was giving me problems before.
It worked!

I was not prompted for a password over and over again. Nor did I even have to supply a password, it just displayed the shares I had setup.

Short smb.conf

Code:

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2005/06/14 15:22:22

# Global parameters
[global]
	workgroup = STARWARS
	netbios aliases = C3PO
	server string = C3PO (10.10.1.205)
	security = DOMAIN
	password server = 10.10.1.201, 10.10.1.106
	client lanman auth = No
	client plaintext auth = No
	log file = /var/log/samba/%m.log
	max log size = 50
	smb ports = 139 445
	name resolve order = wins host lmhosts bcast
	server signing = auto
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	preferred master = No
	local master = No
	domain master = No
	dns proxy = No
	wins server = 10.10.1.201, 10.10.1.207, 10.10.1.111
	ldap ssl = no
	default service = files
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template shell = /bin/bash
	admin users = aka-linlu, aka-pam, aka-jane
	cups options = raw

[homes]
	comment = Home Directories
	read only = No
	browseable = No
	available = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No
	available = No

[files]
	comment = Admin transfer
	path = /shares/files
	read only = No

Unfortunately this is not yet finished, as I can read all I want I just can't write to my files share with an account that is not listed as an admin users in my smb.conf.
I'm getting closer!

See below for fixes.

linlu · 06-14-2005, 03:02 PM

In my last post I stated I could read the share I had all day long, I just couldn't write to it. I figured it out. I had to first change the shared directory's group to the NT domain group I wanted to read/write to it. Then I had to change the permissions to allow the NT domain group to read/write.

Change the group:

Code:

cd /shares
chgrp -R "STARWARS\Share-Files" files
ls -l

The trick is that you have to double quote NT domain groups and prefix them with the domain and the backslash.

The result was this:

Quote:

total 16
drwxrwsr-x 2 root 16777238 4096 Jun 10 11:07 files
drwxr-xr-x 2 root root 4096 Jun 10 09:34 csdata

As you'll notice the Unix GID is listed and not the NT domain group name. I believe this is because Linux only really speaks in IDs and cannot handle spaces.

I don't know why my ID range of 10000-20000 is not being used - as I specified in my smb.conf, instead the old 16777nnn range is being used. I figure this must be left over from my previous attempts at setting this up. I am pretty sure this disconnect between my smb.conf IDs and what is being assigned for IDs will come back to bite me later, but for now it works!

Quote:

It came back and bit me when I added a group to my domain and wanted to use that for my share. In the winbindd log I was getting this error message:
idmap Fatal Error: GID range full!! (max: 20000)
Deleting or renaming winbindd_idmap.tdb in /var/cache/samba solved that problem

Next step would be to assign the read/write permissions for the group and read/execute for all outside the group:

Code:

chmod 775 csdata

BTW: Here is an excellent post with more detail. I found this after I figured it out from the how to:
http://www.justlinux.com/forum/show...threadid=118512

linlu · 06-16-2005, 01:44 PM

I edited the HowTo in post #5. That fix answers the question I asked about old IDs being used vice my new ones....