Old 01-25-2006, 08:22 AM   #1
euro2004
LQ Newbie
 
Registered: Jan 2006
Posts: 6

Rep: Reputation: 0
wbinfo -u Error looking up domain users


Hello everyone,

I have basic knowledge of Linux and I have a very important problem with assigning privileges of the users to the folders. The problem is with the Windows binding. More specifically, when I type the command "wbinfo -u" in order to list the users, it displays the following error:
"Error looking up domain users".

The strange thing is that the "wbinfo -g" command works, as it displays the groups. Moreover, the command "wbinfo -m" gave the following output:
"Ping to winbindd succeeded on fd 4".

I have searched the whole internet and I can't find any solution, so could you please provide a solution?


Thank you in advance!
 
Old 01-26-2006, 05:33 PM   #2
paul_mat
Member
 
Registered: Nov 2004
Location: Townsville, Australia
Distribution: Fedora Core 5, CentOS 4, RHEL 4
Posts: 855

Rep: Reputation: 30
best bet would be to post your /etc/krb5.conf here and your /etc/samba/smb.conf here along with your /var/log/samba/winbind log file.

also on my website below i have a how-to written for joining a *nix machine to a domain and there is a script that will join it for you. you can look at both of them and see if they help you out.
 
Old 01-27-2006, 04:00 AM   #3
euro2004
LQ Newbie
 
Registered: Jan 2006
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by paul_mat
best bet would be to post your /etc/krb5.conf here and your /etc/samba/smb.conf here along with your /var/log/samba/winbind log file.

also on my website below i have a how-to written for joining a *nix machine to a domain and there is a script that will join it for you. you can look at both of them and see if they help you out.
Hi paul_mat, thank you for your reply to my question. I have posted the files that you asked for and you can find them below. I would also like to ask you which is better: a Domain Member Server where security=domain, or a Samba ADS Domain where security=ADS? Could you please tell me your opinion? Moreover, if I use Domain Server I will have to use winbind, and if I use ADS I will have to use the realm. Or doesn't it matter?

krb5.conf

[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = mydomain
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true

[realms]

MYDOMAIN.LOCAL = {
kdc = 192.168.1.1:88
default_domain = mydomain.local
admin_server = server.mydomain.local:749
}

[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL

[kdc]
profile = /etc/kerberos/krb5kdc/kdc.conf

[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

[login]
krb4_convert = false
krb4_get_tickets = false


smb.conf file
[global]
idmap gid = 10000-20000
write list = exleys,@AllUsers
force group = exleys
user = @AllUsers
allow hosts = 192.168.1. 82.110.225.130
dns proxy = no
netbios name = Server
writeable = yes
printing = cups
idmap uid = 10000-20000
default = Publicdrive
workgroup = mydomain
os level = 20
printcap name = cups
security = domain
max log size = 50
winbind separator = \
log file = /var/server/logs/samba/log.%m
guest account = exleys
load printers = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = no
map to guest = bad user
encrypt passwords = yes
winbind trusted domains only = yes
realm = mydomain.local
public = yes
printer admin = @adm
template shell = /bin/bash
server string = Linux Server
template homedir = /home/winnt/%D/%U
force user = exleys
comment = Public Drive
valid users = @AllUsers
winbind cache time = 10
ldap idmap suffix=ou=ldmap,dc=quenya,dc=org
[Website]
comment = Website
user = @ITAdmin,@AllUsers
path = /var/www/html
write list = @AllUsers
allow hosts = 192.168.1. 82.110.225.132

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# to allow user 'guest account' to print.
guest ok = yes
writable = no
printable = yes
create mode = 0700

[print$]
path = /var/lib/samba/printers
browseable = yes
write list = @adm root
guest ok = yes
inherit permissions = yes
# Settings suitable for Winbind:
# write list = @"Domain Admins" root
# force group = +@"Domain Admins"

[pdf-gen]
lpq command = /bin/true
comment = PDF Generator (only valid users)
print command = /usr/share/samba/scripts/print-pdf "%s" "%H" "//%L/%u" "%m" "%I" "%J" &
printing = bsd
printable = Yes
path = /var/tmp

[Cumbria and S Lakes Public]
comment = LakesPublic
valid users = @Lakes
user = @Lakes
write list = @Lakes
path = /var/Lakes/Public
only user = yes

[Clearlydata]
public = yes
path = /home/Shares/Finance

[Publicdrive]
revalidate = yes
valid users = exleys,@AllUsers
user = exleys,@AllUsers
path = /var/Publicdrive
only user = yes
force group = AllUsers

[Lancaster Public]
comment = Lancaster drive
path = /var/Lancaster/publicdrive

[software]
read list = guest
path = /var/software
write list =
comment = software
public = yes
guest only = yes
user =

[C and E Lancs Public]
comment = Preston Public Drive
valid users = @Preston
user = @Preston
path = /var/preston/Public
write list = @Preston

[GM Private]
comment = private drive
valid users = @BoltonAdmin
user = @BoltonAdmin
write list = @BoltonAdmin
only user = yes
path = /var/Bolton/privatedrive

[GM Public]
write list = @Bolton
path = /var/Bolton/publicdrive
force group = Bolton
valid users = @Bolton
user = @Bolton
create mode = 775
directory mode = 775

[C and E Lancs Private]
comment = Central and East Lancs Public Drive
valid users = @PrestonAdmin
user = @PrestonAdmin
path = /var/preston/private
write list = @PrestonAdmin

[Cumbria and S Lakes Private]
comment = LakesPrivate
valid users = @LakesAdmin
user = @LakesAdmin
path = /var/Lakes/Private
write list = @LakesAdmin


[Lancaster Private]
path = /var/Lancaster/privatedrive

[Users]
path = /var/Users


Regarding the file that you asked for, "/var/log/samba/winbind log file", I am not sure if this is what you asked for, as this path does not exist. I found the winbind log file in the path "/var/server/logs/samba" and its content was:

[2006/01/26 11:18:05, 0] lib/pidfile.c:pidfile_create(91)
ERROR: winbindd is already running. File /var/run/winbindd.pid exists and process id 17486 is running.
[2006/01/26 12:30:04, 0] lib/pidfile.c:pidfile_create(91)
ERROR: winbindd is already running. File /var/run/winbindd.pid exists and process id 17486 is running.

Sorry for the long code.
Thank you very much,
Xenia
 
Old 01-27-2006, 05:36 AM   #4
paul_mat
Member
 
Registered: Nov 2004
Location: Townsville, Australia
Distribution: Fedora Core 5, CentOS 4, RHEL 4
Posts: 855

Rep: Reputation: 30
under [libdefaults] in krb5.conf change 'default_realm = mydomain' to 'default_realm = MYDOMAIN'

under [global] in smb.conf change 'realm = mydomain.local' to 'realm = MYDOMAIN.LOCAL'

check the status of your winbind service

/etc/init.d/winbind status

/etc/init.d/winbind restart

a method you also might want to undertake is to just take it back to basics: back up your smb.conf and krb5.conf files and then try to use the following information to fill in your files and test it out. then if that works, keep adding in more of your information and restarting the servers every time until you get the same error again, then you'll know what caused it.

2. edit Kerberos files to have the right configuration

/etc/krb5.conf

[libdefaults]
default_realm = WINDOWS.SERVER.INT

[realms]
WINDOWS.SERVER.INT = {
kdc = mc1.windows.server.int
default_domain = WINDOWS.SERVER.INT
kpasswd_server = mc1.windows.server.int
admin_server = mc1.windows.server.int
}

[domain_realm]
.windows.server.int = WINDOWS.SERVER.INT

3. edit Samba files to have the right configuration

/etc/samba/smb.conf

workgroup = server
security = ads
realm = WINDOWS.SERVER.INT
encrypt passwords = yes

username map = /etc/samba/smbusers

winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

4. now it's time to join the domain

'net ads join -U administrator -S mc1'
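
The realm settings that post #4 asks to align can be checked mechanically before attempting a join. The following is an added example, not part of the original thread: the function names (parse_sections, check_realms) are illustrative, the sample input is constructed from the realm-related lines posted above, and it assumes KDC lookup through DNS is disabled (dns_lookup_kdc = false, as in the posted krb5.conf), so a realm has to be defined under [realms] to be usable.

```python
import re

def parse_sections(text):
    """Parse an INI-like file (krb5.conf or smb.conf) into {section: [(key, value)]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def setting(pairs, name):
    # Setting names compare case-insensitively; the last occurrence wins.
    hits = [v for k, v in pairs if k.lower() == name]
    return hits[-1] if hits else None

def realm_problem(value, realms):
    """Kerberos realm names are case-sensitive, so only an exact match is accepted."""
    if value is None:
        return "unset"
    if value in realms:
        return None
    if any(r.lower() == value.lower() for r in realms):
        return "wrong-case"
    return "undefined"

def check_realms(krb5_text, smb_text):
    krb5, smb = parse_sections(krb5_text), parse_sections(smb_text)
    # Under [realms], a realm is a key whose value opens a block: "NAME = {"
    realms = [k for k, v in krb5.get("realms", []) if v.startswith("{")]
    checks = [("krb5.conf default_realm", setting(krb5.get("libdefaults", []), "default_realm"))]
    smb_realm = setting(smb.get("global", []), "realm")
    if smb_realm is not None:  # only checked when smb.conf sets it
        checks.append(("smb.conf realm", smb_realm))
    return [(w, realm_problem(v, realms), v) for w, v in checks if realm_problem(v, realms)]

# Constructed sample: the realm-related lines from the files posted in this thread.
POSTED_KRB5 = ("[libdefaults]\ndefault_realm = mydomain\ndns_lookup_kdc = false\n"
               "[realms]\nMYDOMAIN.LOCAL = {\nkdc = 192.168.1.1:88\n}\n")
POSTED_SMB = "[global]\nsecurity = domain\nrealm = mydomain.local\n"

if __name__ == "__main__":
    print(check_realms(POSTED_KRB5, POSTED_SMB))
```

An empty list means both files name a realm that krb5.conf actually defines, spelled with the same case.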
 
Old 01-27-2006, 06:57 AM   #5
euro2004
LQ Newbie
 
Registered: Jan 2006
Posts: 6

Original Poster
Rep: Reputation: 0
This is the status of my winbind service, do you think it is correct?

/etc/init.d/winbind status
/etc/init.d/winbind restart


if [ -f /etc/init.d/functions ] ; then
    . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
    . /etc/rc.d/init.d/functions
else
    exit 0
fi

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# Check that smb.conf exists.
[ -f /etc/samba/smb.conf ] || exit 0

RETVAL=0

start() {
    gprintf "Starting Winbind services: "
    RETVAL=1
    if [ "`grep -i -E '(idmap|winbind) uid' /etc/samba/smb.conf | egrep -v [\#\;]`" -a "`grep -i -E '(idmap|winbind) gid' /etc/samba/smb.conf | egrep -v [\#\;]`" ]; then
        daemon winbindd
        RETVAL=$?
    else
        gprintf "Winbind is not configured in /etc/samba/smb.conf, not starting\n"
    fi
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/winbind || \
        RETVAL=1
    return $RETVAL
}

stop() {
    gprintf "Shutting down Winbind services: "
    RETVAL=1
    if [ "`grep -i -E '(idmap|winbind) uid' /etc/samba/smb.conf | egrep -v [\#\;]`" -a "`grep -i -E '(idmap|winbind) gid' /etc/samba/smb.conf | egrep -v [\#\;]`" ]; then
        killproc winbindd
        RETVAL=$?
    fi
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/winbind
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    export TMPDIR="/var/tmp"
    gprintf "Checking domain trusts: "
    killproc winbindd -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

mdkstatus() {
    status winbindd
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    status)
        mdkstatus
        ;;
    condrestart)
        [ -f /var/lock/subsys/winbindd ] && restart || :
        ;;
    *)
        gprintf "Usage: %s {start|stop|restart|status|condrestart}\n" "$0"
        exit 1
esac

exit $?


I made all the changes you suggested and then I executed the command to join the domain, and it gave this output:

[root@mydomain samba]# net ads join -U Administrator%LNL4941455LNL
[2006/01/27 12:20:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for server1 already exists - modifying old account
Using short domain name -- MYDOMAIN
Joined 'SERVER1' to realm 'MYDOMAIN.LOCAL'

I used "getent passwd" to list the users and it gave me the list, but I didn't see the domain anywhere, for example:

simon:x:517:517:Simon Exley:/home/simon:/bin/bash
As you see, the domain is missing. How can I add it?
I think it had to display
simon:x:517:517:Simon Exley:/home/mydomain/simon:/bin/bash
What do you think?

I tried the command "wbinfo -u" again and it gave the same error, "error looking up domain users". Also, the "wbinfo -g" command gave the following results:

[root@mydomain samba]# wbinfo -g
BUILTIN System Operators
BUILTIN Replicators
BUILTIN Guests
BUILTIN Power Users
BUILTIN Print Operators
BUILTIN Administrators
BUILTIN Account Operators
BUILTIN Backup Operators
BUILTIN Users


I feel a little bit confused, so I would like to ask you the following in order to put things in order. If I have security=domain, only then do I need to use winbind? And in order to see the list with the users or the groups, I execute the command "wbinfo -u" or "wbinfo -g"? When I use security=ADS I don't need to use winbind, I only have to make the changes to smb.conf and krb5.conf. In order to see the list with either the users or the groups I execute the command "getent passwd".


How can I see that I can assign privileges to the folders?
Do I have to use the command net groupmap, and if yes, for which type of security?

Sorry for the many questions, but I am trying to figure out what is happening.

Thank you again.
 
Old 04-09-2010, 08:52 AM   #6
hunter3740
LQ Newbie
 
Registered: Mar 2010
Location: Pittsburgh
Distribution: Debian 6
Posts: 28

Rep: Reputation: 17
wbinfo -u fails with "Error looking up domain users"

Quote:
Originally Posted by euro2004
Hello everyone,

when I type the command "wbinfo -u" in order to list the users it displays the following error:
"Error looking up domain users".

Thank you in advance!
I had something similar happen, and yet "net ads join -U administrator" showed successful, my Linux machine showed up in the Active Directory listing on the PDC Win2k3 server, "wbinfo -t" was successful...

...at first, I thought it might be the firewall (e.g. I had UDP 88 and 389 allowed, but TCP was getting blocked, so I added those exceptions). Then I edited my /etc/krb5.conf and changed the hostnames of my KDCs and admin servers in my domain realm to IP addresses (and note: you could also add an entry in your /etc/hosts file on your Linux machine for your PDC, but I've been told this is not good practice). I also ran "sudo ntpdate pdc.mydomain.com" to sync the time (and actually edited /etc/default/ntpdate). Anyway, now it works for me (and I'm inclined to think the time sync was the actual solution).

Last edited by hunter3740; 04-09-2010 at 10:09 AM.
 
Old 06-21-2011, 04:15 AM   #7
aluchino_1978
LQ Newbie
 
Registered: Jun 2011
Posts: 1

Rep: Reputation: Disabled
try chmod 750 /var/cache/samba/winbindd_privileged/


after /etc/init.d/winbind restart

you can see /var/log/messages to check if the problem is this.
 
  

