Bug 3083 - errors winbindd on samba PDC
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.20
Hardware: All All
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2005-09-10 14:30 UTC by Alex Deiter
Modified: 2005-09-27 12:35 UTC

Description Alex Deiter 2005-09-10 14:30:54 UTC
We use a Samba PDC and squid+winbindd+ntlm_auth on the same server. After updating
Samba from 3.0.14a to 3.0.20, ntlm_auth does not work. Also, wbinfo returns an error:

# wbinfo -t
checking the trust secret via RPC calls failed
error code was  (0x0)
Could not check secret

winbindd log:
cm_get_ipc_userpass: No auth-user defined
Serverzone is -14400
Using cleartext machine password
cli_net_req_chal: LSA Request Challenge from SERVER to \\SERVER
cred_session_key
cred_create
cli_net_auth2: srv:\\SERVER acct:WORKGROUP$ sc:6 mc: SERVER neg: 400701ff
could not open handle to NETLOGON pipe
Checking the trust account password returned NT_STATUS_ACCESS_DENIED

Small patch solves this problem:

--- nsswitch/winbindd_cm.c.orig Sun Sep 11 00:30:27 2005
+++ nsswitch/winbindd_cm.c      Sun Sep 11 00:45:44 2005
@@ -1175,7 +1175,8 @@
        /* if we are a DC and this is a trusted domain, then we need to use our
           domain name in the net_req_auth2() request */

-       if ( IS_DC ) {
+       if ( IS_DC && !strequal(domain->name, lp_workgroup()) &&
+            lp_allow_trusted_domains() ) {
                account_name = talloc_asprintf( mem_ctx, "%s$", lp_workgroup() );
        }
        else {
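
Review bot: the new condition on the if ( IS_DC && ... ) line also requires lp_allow_trusted_domains(), so on a DC with trusted domains disabled every domain, not only our own, now falls through to the else branch. If the intent is only to stop using "WORKGROUP$" when domain->name equals lp_workgroup(), drop that term or explain in the comment why it is needed. The comment above the test still describes only the trusted-domain case and should say that our own domain is now excluded. Separately, the talloc_asprintf() result on the following context line is not checked for NULL in the lines shown.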

after that:

# wbinfo -t
checking the trust secret via RPC calls succeeded

winbindd log:
cm_get_ipc_userpass: No auth-user defined
Serverzone is -14400
Using cleartext machine password
cli_net_req_chal: LSA Request Challenge from SERVER to \\SERVER
cred_session_key
cred_create
cli_net_auth2: srv:\\SERVER acct:SERVER$ sc:6 mc: SERVER neg: 400701ff
cred_create
cred_assert
secret is good


Thanks!
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-09-27 12:35:54 UTC
Yup.  Looks right to me.