Dear All,
I have an OpenSuSe 11.3 server running DNS and Samba services (with LDAP) in a network 172.22.110.0/24.
I managed to configure a hybrid environment with Windows 7 and other OpenSuSe clients authenticating in the server's Samba and it all works perfectly (cups, shares, logon scripts, etc).
My problem is that in the company we have subnets and VLANs that require to also authenticate in the Samba PDC.
For example, I have an OpenSuSe client in the network 172.22.4.0/22 that needs to authenticate. When I try to set up the client settings in the Windows Domain Membership, I get an error saying that the domain is not valid.
Note: Both server and client can ping each other, so it's not a routing problem.
I believe this happens because the client is trying to send a broadcast to find out who the server is, and the router won't let broadcasts pass through.
Is there a way to bypass this, by “forcing” a direct request to the server by IP or Name?
(smbpasswd works like a charm, and I was able to join the domain using:
net join -w Domain -S Servername -I IP -U Administrator
but when I reboot, I can't select the domain from the logon menu or even login with a domain user)
Any thoughts?
Thanks in advance
Mytho;
Have you tried configuring Samba as a WINS server? Just add to
your /etc/samba/smb.conf the following parameters:
wins support = yes
Now point the Windows clients to the IP of the wins server. This can be done
by dhcp or manually in the network configuration. For nix clients set the
wins server parameter of their smb.conf to point to the wins server and set
wins name resolution first:
wins server = <IP of wins server>
name resolve order = wins bcast lmhosts host
On the wins server itself do NOT set the wins server parameter but set the
name resolve order parameter as above. The WINS server could be the PDC or
another Samba server.
It is also advisable to edit /etc/nsswitch.conf, on nix machines, to read:
hosts: dns wins files
–
P. V.
“We’re all in this together, I’m pulling for you.” Red Green
Thanks for your answer. I tried as you said and still the same error:
"Cannot use the workgroup ‘teste.local’ for Linux authentication.
Enter a domain or disable using SMB for Linux authentication."
However, I got more messages at the server side:
Nov 3 13:59:14 servidor named[5504]: client 172.22.5.22#39825: RFC 1918 response from Internet for 69.6.22.172.in-addr.arpa
Nov 3 13:59:17 servidor named[5504]: client 172.22.5.22#46256: RFC 1918 response from Internet for 19.6.22.172.in-addr.arpa
Nov 3 13:59:23 servidor named[5504]: client 172.22.5.22#36378: RFC 1918 response from Internet for 74.6.22.172.in-addr.arpa
Nov 3 13:59:26 servidor named[5504]: client 172.22.5.22#47303: RFC 1918 response from Internet for 62.6.22.172.in-addr.arpa
Nov 3 13:59:33 servidor named[5504]: client 172.22.5.22#44326: RFC 1918 response from Internet for 89.6.22.172.in-addr.arpa
Nov 3 13:59:36 servidor named[5504]: client 172.22.5.22#41194: RFC 1918 response from Internet for 63.6.22.172.in-addr.arpa
Nov 3 13:59:41 servidor named[5504]: client 172.22.110.100#13562: RFC 1918 response from Internet for 17.6.22.172.in-addr.arpa
Nov 3 13:59:41 servidor named[5504]: client 172.22.5.22#56529: RFC 1918 response from Internet for 17.6.22.172.in-addr.arpa
Nov 3 13:59:42 servidor named[5504]: client 172.22.5.22#37140: RFC 1918 response from Internet for 87.6.22.172.in-addr.arpa
Nov 3 13:59:49 servidor named[5504]: client 172.22.5.22#57536: RFC 1918 response from Internet for 65.6.22.172.in-addr.arpa
Nov 3 13:59:53 servidor named[5504]: client 172.22.5.22#34031: RFC 1918 response from Internet for 12.6.22.172.in-addr.arpa
Nov 3 14:00:00 servidor named[5504]: client 172.22.5.22#52811: RFC 1918 response from Internet for 70.6.22.172.in-addr.arpa
Nov 3 14:00:03 servidor named[5504]: client 172.22.5.22#54605: RFC 1918 response from Internet for 33.6.22.172.in-addr.arpa
Nov 3 14:00:06 servidor named[5504]: client 172.22.5.22#42683: RFC 1918 response from Internet for 23.6.22.172.in-addr.arpa
Nov 3 14:00:10 servidor named[5504]: client 172.22.5.22#49605: RFC 1918 response from Internet for 250.6.22.172.in-addr.arpa
Nov 3 14:00:13 servidor named[5504]: client 172.22.5.22#45808: RFC 1918 response from Internet for 31.6.22.172.in-addr.arpa
Nov 3 14:00:17 servidor named[5504]: client 172.22.5.22#56325: RFC 1918 response from Internet for 96.6.22.172.in-addr.arpa
Nov 3 14:00:20 servidor named[5504]: client 172.22.5.22#46019: RFC 1918 response from Internet for 50.6.22.172.in-addr.arpa
Nov 3 14:00:27 servidor named[5504]: client 172.22.5.22#37822: RFC 1918 response from Internet for 13.6.22.172.in-addr.arpa
172.22.5.22 being the IP of the client that I am trying to connect to the Samba server.
I don’t know about the PDC but those RFC1918 messages mean you are forwarding your reverse lookups for private IP addresses to the Internet. You should not do that, you should set up some reverse zones in your DNS server.
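As an added illustration of the advice above (not code from the thread), this Python script reads named log lines in the format posted above, recovers the private address each PTR query asked about, counts the leaking clients, and lists the reverse zones the server should answer locally instead of forwarding them to the Internet. The zone file path is a placeholder; the sample lines are a subset copied from the log above.

```python
"""Summarise BIND "RFC 1918 response from Internet" warnings.

Added example, not code from the thread. It parses named log lines in the
format posted above, recovers the private address each PTR query asked
about, and lists the reverse zones the local server should answer itself
instead of forwarding them to the Internet (the fix recommended above).
The zone file path in named_conf_stanzas() is a placeholder.
"""
import ipaddress
import re
from collections import Counter
from typing import Set, Tuple

# A subset of the log lines posted in the thread (copied verbatim).
SAMPLE_LOG = """\
Nov 3 13:59:14 servidor named[5504]: client 172.22.5.22#39825: RFC 1918 response from Internet for 69.6.22.172.in-addr.arpa
Nov 3 13:59:17 servidor named[5504]: client 172.22.5.22#46256: RFC 1918 response from Internet for 19.6.22.172.in-addr.arpa
Nov 3 13:59:41 servidor named[5504]: client 172.22.110.100#13562: RFC 1918 response from Internet for 17.6.22.172.in-addr.arpa
Nov 3 13:59:41 servidor named[5504]: client 172.22.5.22#56529: RFC 1918 response from Internet for 17.6.22.172.in-addr.arpa
Nov 3 14:00:10 servidor named[5504]: client 172.22.5.22#49605: RFC 1918 response from Internet for 250.6.22.172.in-addr.arpa
"""

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: RFC 1918 response from Internet for "
    r"(?P<ptr>[\d.]+)\.in-addr\.arpa"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ptr_name_to_ip(ptr: str) -> str:
    """'69.6.22.172' (the labels before .in-addr.arpa) -> '172.22.6.69'."""
    octets = ptr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a full PTR name: {ptr}")
    return ".".join(reversed(octets))


def reverse_zone_for(ip: str) -> str:
    """Reverse zone that should be served locally for a private address.

    Uses the same granularity as BIND's built-in empty zones: one zone for
    10/8, one /16 zone each for 172.16/12 and 192.168/16.
    """
    addr = ipaddress.ip_address(ip)
    for net in RFC1918:
        if addr in net:
            break
    else:
        raise ValueError(f"{ip} is not an RFC 1918 address")
    o = ip.split(".")
    return f"{o[0]}.in-addr.arpa" if net.prefixlen == 8 else f"{o[1]}.{o[0]}.in-addr.arpa"


def analyse(log: str) -> Tuple[Counter, Set[str]]:
    """Return (leaked PTR queries per client, reverse zones to define)."""
    per_client: Counter = Counter()
    zones: Set[str] = set()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        per_client[m.group("client")] += 1
        zones.add(reverse_zone_for(ptr_name_to_ip(m.group("ptr"))))
    return per_client, zones


def named_conf_stanzas(zones: Set[str], zone_file: str = "/etc/named.d/empty.zone") -> str:
    """Render master zone stanzas for named.conf (zone_file is a placeholder)."""
    return "\n".join(
        f'zone "{z}" IN {{ type master; file "{zone_file}"; }};' for z in sorted(zones)
    )


if __name__ == "__main__":
    clients, zones = analyse(SAMPLE_LOG)
    print("clients whose private PTR lookups left the network:", dict(clients))
    print(named_conf_stanzas(zones))
```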
I believe that happens because my PDC server is also a DNS server, and it is accepting requests from the internet, as in the beginning I thought it would help to get the clients to join the domain. But I still don't think this is the issue, and it still must have something to do with the broadcasts that the client sends off to try to find the server.
My nsswitch.conf:
passwd: files winbind
group: files winbind
hosts: dns wins files
networks: files dns
(all rest: files)
And do you think I should change anything in my PAM files?
Both those IP networks you see in the messages are not on the same network as the server. The server is configured to 172.22.110.100/24, so it will consider all 172.22.5/6.x as Internet.
But anyway, do you think this might be causing the Samba problem? I don't think it is related, imho.
I believe the problem here is to get the client to make the auth request to the server (that is in a different network) at each login.
If I read your posts correctly, you might benefit by reading up on “Split DNS” – Where you name your private Domain the same as your public Domain. Although not always an intentional configuration, this can simplify addresses and routing if you expose private LAN resources to the public Internet, but the downside can be exposure to public hacking.
If this is your situation, you should know that since you can install only one DNS instance on a machine, you can’t serve both public and private zones with the same name at the same time.
My personal workaround to get the benefits of split DNS while avoiding the public/private zone issue is to name the private Domain as a sub-domain of the public Domain.
Again, if you’re running a Split DNS and have done extensive work already configuring your private network using the namespace, probably the simplest solution is to just create and register a new public DNS server which holds only the public records.
I read a little bit about it, and the named wiki says I can either ignore the messages or create the reverse zones as empty files. I did the second and it worked ok.
Now I need help with the samba (if that scenario is possible at all).
Can you repost the specific Wiki you’re using as a reference? I can’t seem to locate it in the prior posts in this thread.
Whatever you’re reading (and I’m guessing since I haven’t read your reference), I’m not sure how your DNS can serve separate reverse lookup zones for external and internal addresses… If I’m right, then you may fix your external reverse lookup problem at the expense of creating a similar problem for private network access.
If this turns out to be the case and to date you haven’t had other public reverse lookup problems (eg If you deploy a public mailserver, other mailservers often require reverse lookup as one anti-spam measure), you might consider VPN as a solution where you can expose internal, private addressing including reverse lookups safely to external network clients.
Mytho;
Could you post the [global] section of /etc/samba/smb.conf from both the
server and the client. You can use substitute values for any sensitive
values such as public domains or IPs etc.
P. V.
“We’re all in this together, I’m pulling for you.” Red Green
SERVER:
[global]
workgroup = teste.local
realm = teste.local
passdb backend = ldapsam:ldap://127.0.0.1
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
logon script = logon.bat
usershare allow guests = Yes
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
client ntlmv2 auth = yes
domain logons = Yes
domain master = Yes
lanman auth = Yes
local master = Yes
log level = 2
name resolve order = wins bcast host lmhosts
netbios name = servidor
ntlm auth = Yes
os level = 65
preferred master = Yes
security = user
wins proxy = No
wins support = Yes
idmap backend = ldap:ldap://127.0.0.1
ldap admin dn = cn=Administrator,dc=teste,dc=local
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap ssl = Off
ldap suffix = dc=teste,dc=local
ldap user suffix = ou=Users
hosts allow = ALL
CLIENT:
[global]
workgroup = WORKGROUP
wins server = 172.22.110.100
name resolve order = wins bcast host lmhosts
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = Yes
Note: I reinstalled the client, because I had so many modifications done to it that I was starting to lose track of it. At the client, the workgroup is still “WORKGROUP” because I was trying to set it up with the Windows Domain Membership tool, and I assume it would change that value by itself.
It seems the “wins server” setting did not work either.
Mytho;
Just at a first glance, I see the following problems:
In order to join the domain “teste.local” the Workgroup name on the client
needs to be teste.local not “WORKGROUP”. The net join is looking for a
domain called WORKGROUP, so change that first.
A member server (not a DC) of an NT or Samba domain needs to have this
parameter:
security = domain
(Note: the above is never used in a workgroup environment or on a DC)
Since authentication of users should occur on the DC and not on the client
remove the parameter: passdb backend = tdbsam, on the client. Instead use
password server = <IP of PDC>
Make sure that both smb and nmb are running on both the server and client:
su
rcnmb status
rcsmb status
Also verify that Samba Server and Netbios Server are allowed services through
the firewall.
Once you have gone through this and joined the domain you should be able to
check if the client is accessing the WINS server by looking on the server at:
/var/lib/samba/wins.dat
This is a text file and will contain all the registered machines and their
IPs.
Just as an aside, if you really have “.local” in your domain name, make sure
that /etc/host.conf contains the parameter “mdns off”, otherwise .local is
treated as a link-local address (see man host.conf for details).
P. V.
“We’re all in this together, I’m pulling for you.” Red Green
linux-y98w:~ # net rpc join
Enter root's password:
Joined domain TESTE.LOCAL.
Now I guess I need to make the changes to the PAM files in order to get it authenticating on logon.
I tried to add winbind.so to common-session/auth/account and I could see it made the right request to the server and it returned “succeeded”, but the connection was denied for some reason in the client, and on top of that, I couldn't log in anymore locally.
Good thing I had a snapshot of it right before.
Any suggestions for PAM correct setup?
Thanks in advance
Mytho;
Here I am on fairly shaky ground, hopefully someone else will jump in. With
this said, I would try using YaST and configure the LDAP Client under Network
services. You can specify the IP of your LDAP and allow logins via LDAP.
This should set all the needed PAM changes.
–
P. V.
“We’re all in this together, I’m pulling for you.” Red Green
Mytho;
As usual I posted too soon. The LDAP client module for YaST may not be
installed by default. It may be necessary to install that module if you did
not do it when you installed OpenSuse.
P. V.
“We’re all in this together, I’m pulling for you.” Red Green
PV,
Again, thanks for your input. The problem here is that I need to have a centralized admin service. My network has Windows and Linux clients, and Windows must be handled by Samba, so I need the Linux clients to authenticate on Samba as well, otherwise, users would need to login (again) to have access to their shares. Initially I made the test with LDAP only, and it did work, unfortunately, I can't go ahead with it due to the problems I referred earlier.
I am, however, making some progress. Here is the actual status:
Server SMB.CONF (only Globals):
--------------------
workgroup = teste.local
realm = teste.local
passdb backend = ldapsam:ldap://127.0.0.1
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
logon script = logon.bat
usershare allow guests = Yes
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
client ntlmv2 auth = yes
domain logons = Yes
domain master = Yes
lanman auth = Yes
local master = Yes
log level = 2
name resolve order = wins bcast host lmhosts
netbios name = servidor
ntlm auth = Yes
os level = 65
preferred master = Yes
security = domain
wins proxy = Yes
wins support = Yes
idmap backend = ldap:ldap://127.0.0.1
ldap admin dn = cn=Administrator,dc=teste,dc=local
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap ssl = Off
ldap suffix = dc=teste,dc=local
ldap user suffix = ou=Users
encrypt passwords = Yes
interfaces = 172.22.4.0/255.255.252.0 172.22.110.0/255.255.255.0
remote announce = 172.22.7.255/TESTE.LOCAL 172.22.110.255/TESTE.LOCAL 172.22.110.100/TESTE.LOCAL
remote browse sync = 172.22.110.255 172.22.7.255
public = Yes
browseable = Yes
lm announce = Yes
browse list = Yes
auto services = Yes
--------------------
Client SMB.CONF (Global):
--------------------
workgroup = teste.local
realm = TEST.LOCAL
netbios name = remcli
wins server = 172.22.110.100
password server = 172.22.110.100
security = domain
encrypt passwords = Yes
domain logons = No
domain master = No
preferred master = Yes
local master = Yes
wins support = No
wins proxy = No
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = Yes
os level = 33
name resolve order = wins bcast lmhosts host
--------------------
Client NSSWITCH.CONF:
--------------------
passwd: winbind dns files
group: winbind dns files
hosts: dns files mdns4_minimal [NOTFOUND=return]
networks: wins dns files
services: files wins
protocols: files
rpc: wins winbind files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files
aliases: files
--------------------
For PAM, I executed
pam-config -a --winbind
and it added winbind to the 4 relevant files (common-session/auth/account/password).
So at this point, when I boot the client, I get the login panel and I click on “Other” to login in domain. Then I type in “teste.local\jleal”, “jleal” being a valid domain user.
Right after pressing Return, server logs show:
[2010/11/08 10:43:45.725320, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
idmap_alloc module tdb already registered!
[2010/11/08 10:43:45.725407, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module passdb already registered!
[2010/11/08 10:43:45.725439, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module nss already registered!
[2010/11/08 10:43:45.725470, 1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init)
idmap uid or idmap gid missing
[2010/11/08 10:43:45.725488, 0] winbindd/idmap.c:589(idmap_alloc_init)
ERROR: Initialization failed for alloc backend, deferred!
[2010/11/08 10:43:45.785681, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
idmap_alloc module tdb already registered!
[2010/11/08 10:43:45.785736, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module passdb already registered!
[2010/11/08 10:43:45.785758, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module nss already registered!
[2010/11/08 10:43:45.785784, 1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init)
idmap uid or idmap gid missing
[2010/11/08 10:43:45.785796, 0] winbindd/idmap.c:589(idmap_alloc_init)
ERROR: Initialization failed for alloc backend, deferred!
[2010/11/08 10:43:45.786887, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
idmap_alloc module tdb already registered!
[2010/11/08 10:43:45.786930, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module passdb already registered!
[2010/11/08 10:43:45.786952, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module nss already registered!
[2010/11/08 10:43:45.786976, 1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init)
idmap uid or idmap gid missing
[2010/11/08 10:43:45.786987, 0] winbindd/idmap.c:589(idmap_alloc_init)
ERROR: Initialization failed for alloc backend, deferred!
[2010/11/08 10:43:45.787904, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
idmap_alloc module tdb already registered!
[2010/11/08 10:43:45.787969, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module passdb already registered!
[2010/11/08 10:43:45.787992, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module nss already registered!
[2010/11/08 10:43:45.788016, 1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init)
idmap uid or idmap gid missing
[2010/11/08 10:43:45.788026, 0] winbindd/idmap.c:589(idmap_alloc_init)
ERROR: Initialization failed for alloc backend, deferred!
[2010/11/08 10:43:45.788966, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
idmap_alloc module tdb already registered!
[2010/11/08 10:43:45.789005, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module passdb already registered!
[2010/11/08 10:43:45.789026, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module nss already registered!
[2010/11/08 10:43:45.789049, 1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init)
idmap uid or idmap gid missing
[2010/11/08 10:43:45.789060, 0] winbindd/idmap.c:589(idmap_alloc_init)
ERROR: Initialization failed for alloc backend, deferred!
Then it asks me for the password. I type it and server shows:
[2010/11/08 10:49:45.850606, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: jleal
[2010/11/08 10:49:45.852016, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [jleal] -> [jleal] -> [jleal] succeeded
It seems it succeeds, but I get in the client screen this message:
User not known to the underlying authentication module.
Thanks for reading all this. Any ideas?
Mytho;
Have you read Chapter 7 of Samba-3 by Example that I mentioned in an
earlier post? In particular your client smb.conf needs a number of LDAP
entries. The sections to read carefully are titled “Unix/Linux Client
Domain Members” and “NT4/Samba Domain with Samba Domain Member Server: Using
NSS and Winbind”. Notice that the instructions for NT4 also apply to
Samba-3.
P. V.
“We’re all in this together, I’m pulling for you.” Red Green
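As an added example that is not code from the thread, this Python linter consolidates the member-server checks P. V. listed earlier (workgroup equal to the domain, security = domain, password server instead of a local tdbsam passdb, WINS pointing at the PDC, wins first in name resolve order) and adds a check for the idmap uid/gid ranges that the winbind log above reports as missing. DOMAIN and PDC_IP are the thread's values; the two sample configs are trimmed copies of the client configs posted in the thread.

```python
"""Lint the [global] section of a Samba 3 domain-member (client) smb.conf.

Added example, not code from the thread. It encodes the member-server checks
P. V. listed earlier (workgroup equal to the domain, security = domain,
password server instead of a local tdbsam passdb, WINS pointing at the PDC,
wins first in name resolve order) and adds the idmap uid/gid ranges that the
winbind log above reports as missing. DOMAIN and PDC_IP are the thread's
values; the two sample configs are trimmed copies of the posted ones.
"""
import re
from typing import Dict, List

DOMAIN = "teste.local"
PDC_IP = "172.22.110.100"

CLIENT_FIRST = r"""
[global]
workgroup = WORKGROUP
wins server = 172.22.110.100
name resolve order = wins bcast host lmhosts
passdb backend = tdbsam
logon path = \\%L\profiles\.msprofile
"""

CLIENT_LATER = r"""
workgroup = teste.local
realm = TEST.LOCAL
netbios name = remcli
wins server = 172.22.110.100
password server = 172.22.110.100
security = domain
wins support = No
passdb backend = tdbsam
name resolve order = wins bcast lmhosts host
"""


def parse_global(text: str) -> Dict[str, str]:
    """Return [global] parameters as {normalised key: value}.

    Samba matches parameter names case-insensitively and ignores whitespace
    inside them, so 'Wins Server' and 'winsserver' are the same key. Lines
    before any section header count as [global], as in the later post.
    """
    params: Dict[str, str] = {}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def lint_member(conf: str, domain: str = DOMAIN, pdc: str = PDC_IP) -> List[str]:
    """Return findings for a member-server config; an empty list means all checks pass."""
    p = parse_global(conf)
    findings: List[str] = []

    wg = p.get("workgroup", "(unset)")
    if wg.lower() != domain.lower():
        findings.append(f"workgroup is '{wg}' but must be '{domain}'")
    if "realm" in p and p["realm"].lower() != domain.lower():
        findings.append(f"realm '{p['realm']}' does not match domain '{domain}'")
    if p.get("security", "user").lower() != "domain":
        findings.append("security must be 'domain' on a member server")
    servers = p.get("passwordserver", "").split()
    if not servers:
        findings.append(f"password server not set (expected the PDC {pdc})")
    elif pdc not in servers and "*" not in servers:
        findings.append(f"password server {servers} does not include the PDC {pdc}")
    if p.get("passdbbackend", "").lower().startswith("tdbsam"):
        findings.append("passdb backend = tdbsam authenticates locally; remove it on a member server")
    if p.get("winsserver") != pdc:
        findings.append(f"wins server should be {pdc} so names resolve across subnets")
    if p.get("winssupport", "no").lower() in ("yes", "true", "1"):
        findings.append("wins support = yes belongs on the WINS server, not on a client")
    if p.get("nameresolveorder", "lmhosts wins host bcast").split()[:1] != ["wins"]:
        findings.append("name resolve order should start with wins")
    for name in ("idmap uid", "idmap gid"):
        if name.replace(" ", "") not in p:
            findings.append(f"{name} range missing; winbind cannot map domain users to Unix ids")
    return findings


if __name__ == "__main__":
    for label, conf in (("first client config", CLIENT_FIRST), ("later client config", CLIENT_LATER)):
        print(f"{label}:")
        for finding in lint_member(conf):
            print("  -", finding)
```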