We have built Samba 3.5.2 with ADS support on Solaris 10 and joined the server successfully into the domain. kinit, klist, wbinfo -g, wbinfo -u, net ads info are working correctly. Unfortunately whenever we want to access a share on the Solaris server from our Windows XP / Windows 7 clients we get a logon box to specify username and password. smbd log file shows that the logon attempt is made with the correct user (i.e. MYDOMAIN\WKAABC) but winbindd log file shows that the first character of the username is missing (i.e. KAABC). We can not explain that weird behaviour and have not found any hint in the documentation, bug database or newsgroups. log.smbd [2010/05/12 09:14:34.411902, 2] smbd/sesssetup.c:1390(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2010/05/12 09:14:34.411964, 3] smbd/sesssetup.c:1189(reply_sesssetup_and_X_spnego) Doing spnego session setup [2010/05/12 09:14:34.412032, 3] smbd/sesssetup.c:1231(reply_sesssetup_and_X_spnego) NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[] [2010/05/12 09:14:34.412309, 5] smbd/sesssetup.c:753(parse_spnego_mechanisms) parse_spnego_mechanisms: Got OID 1.2.840.48018.1.2.2 [2010/05/12 09:14:34.412364, 5] smbd/sesssetup.c:753(parse_spnego_mechanisms) parse_spnego_mechanisms: Got OID 1.2.840.113554.1.2.2 [2010/05/12 09:14:34.412424, 5] smbd/sesssetup.c:753(parse_spnego_mechanisms) parse_spnego_mechanisms: Got OID 1.3.6.1.4.1.311.2.2.10 [2010/05/12 09:14:34.412478, 3] smbd/sesssetup.c:805(reply_spnego_negotiate) reply_spnego_negotiate: Got secblob of size 1483 [2010/05/12 09:14:34.433890, 3] libads/authdata.c:304(decode_pac_data) Found account name from PAC: WKAABC [Limited User] [2010/05/12 09:14:34.434046, 3] smbd/sesssetup.c:338(reply_spnego_kerberos) Ticket name is [wka...@myrealm] [2010/05/12 09:14:34.434550, 5] lib/username.c:133(Get_Pwnam_alloc) Finding user MYDOMAIN\WKAABC [2010/05/12 09:14:34.434609, 5] lib/username.c:77(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is mydomain\wkaabc [2010/05/12 09:14:34.452351, 5] lib/username.c:85(Get_Pwnam_internals) Trying _Get_Pwnam(), username as given is MYDOMAIN\WKAABC [2010/05/12 09:14:34.454281, 5] lib/username.c:104(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in mydomain\wkaabc [2010/05/12 09:14:34.454428, 5] lib/username.c:110(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [MYDOMAIN\WKAABC]! [2010/05/12 09:14:34.454492, 5] lib/username.c:133(Get_Pwnam_alloc) Finding user WKAABC [2010/05/12 09:14:34.454545, 5] lib/username.c:77(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is wkaabc [2010/05/12 09:14:34.455095, 5] lib/username.c:85(Get_Pwnam_internals) Trying _Get_Pwnam(), username as given is WKAABC [2010/05/12 09:14:34.455676, 5] lib/username.c:104(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in wkaabc [2010/05/12 09:14:34.455746, 5] lib/username.c:110(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [WKAABC]! [2010/05/12 09:14:34.456052, 1] smbd/sesssetup.c:454(reply_spnego_kerberos) Username MYDOMAIN\WKAABC is invalid on this system [2010/05/12 09:14:34.456164, 3] smbd/error.c:80(error_packet_set) error packet at smbd/sesssetup.c(459) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE log.winbindd [2010/05/12 09:14:34.451314, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir) [17648]: request location of privileged pipe [2010/05/12 09:14:34.452088, 2] winbindd/winbindd.c:826(winbind_client_request_read) Could not read client request from fd 25: I/O error [2010/05/12 09:14:34.452884, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version) [17648]: request interface version [2010/05/12 09:14:34.453144, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir) [17648]: request location of privileged pipe [2010/05/12 09:14:34.453926, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send) getpwnam KAABC [2010/05/12 09:14:34.453997, 5] winbindd/winbindd_getpwnam.c:68(winbindd_getpwnam_send) Could not parse domain user: KAABC [2010/05/12 09:14:34.454088, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv) Could not convert sid S-0-0: NT_STATUS_INVALID_PARAMETER [2010/05/12 09:14:34.454768, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send) getpwnam [2010/05/12 09:14:34.454828, 5] winbindd/winbindd_getpwnam.c:68(winbindd_getpwnam_send) Could not parse domain user: [2010/05/12 09:14:34.454915, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv) Could not convert sid S-0-0: NT_STATUS_INVALID_PARAMETER [2010/05/12 09:14:34.455334, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send) getpwnam [2010/05/12 09:14:34.455393, 5] winbindd/winbindd_getpwnam.c:68(winbindd_getpwnam_send) Could not parse domain user: [2010/05/12 09:14:34.455487, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv) Could not convert sid S-0-0: NT_STATUS_INVALID_PARAMETER [2010/05/12 09:14:34.507586, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send) getpwnam kaabc [2010/05/12 09:14:34.507655, 5] winbindd/winbindd_getpwnam.c:68(winbindd_getpwnam_send) Could not parse domain user: kaabc [2010/05/12 09:14:34.507744, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv) Could not convert sid S-0-0: NT_STATUS_INVALID_PARAMETER smb.conf [global] security = ADS realm = MYREALM password server = adc01,adc02,adc03,adc04 workgroup = MYDOMAIN log level = 5 idmap uid = 10000-100000 idmap gid = 10000-100000 local master = no domain master = no [root-home] path = /root
Have you correctly configured the local system so that winbind users can actually be seen as local users (on linux that would be adding winbind to /etc/nsswitch.conf) ?
(In reply to comment #1) > Have you correctly configured the local system so that winbind users can > actually be seen as local users (on linux that would be adding winbind to > /etc/nsswitch.conf) ? > Yes - we have downgraded Samba to version 3.0.37 on our servers and everything works fine. So I don't think the problem can be related to any server environment settings. On Samba 3.0.37 we see that winbindd receives the full user name MYDOMAIN\wkaabc, with version 3.5.2 it receives only kabc. Please see this line of winbindd daemon log file: winbindd/winbindd_getpwnam.c:68(winbindd_getpwnam_send) Could not parse domain user: KAABC
this is either a long fixed bug or (more likely) some system misconfiguration. I have seem been no such problem with any recent samba release.