wbinfo fails to enumerate users and groups
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| samba (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
Binary package hint: winbind
Running off the Ubuntu 8.04 Beta live CD, and when installed to the local computer, I tried to join the computer to an existing Windows Server 2003 Active Directory using Kerberos, Winbind, and Samba. I discovered errors, so I tested the same steps against a Debian stable server, a server that had no problems joining the domain. Here are the exact steps I took:
$ sudo su
# gedit /etc/hosts
[here are the contents of the file:
127.0.0.1 localhost
127.0.1.1 ubuntu
127.0.0.1 ubuntu.domainname localhost ubuntu
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
]
# cat /etc/resolv.conf
[here are the contents of the file:
search domainname
nameserver 192.168.1.2
]
# apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config
[ installs these versions:
samba: 3.0.28a-1ubuntu4
smbclient: 3.0.28a-1ubuntu4
winbind: 3.0.28a-1ubuntu4
krb5-doc: 1.6.dfsg.
krb5-user: 1.6.dfsg.
krb5-config: 1.17
]
# sudo gedit /etc/krb5.conf
[here are the contents of the file:
[libdefaults]
default_realm = DOMAINNAME
[realms]
DOMAINNAME = {
kdc = adserver
admin_server = adserver
}
[domain_realm]
.domainname = DOMAINNAME
domainname = DOMAINNAME
]
# kinit Administrator
# klist
# kdestroy
# apt-get install ntpdate
[installs these versions:
ntpdate: 1:4.2.4p4+
]
# gedit /etc/default/
[here are the contents of the file:
NTPDATE_
NTPSERVERS=
NTPOPTIONS="-u"
]
# gedit /etc/samba/smb.conf
[here are the contents of the file:
[global]
security = ads
password server = adserver
encrypt passwords = yes
workgroup = DOMAINNAME
realm = DOMAINNAME
netbios name = ubuntu
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
]
# /etc/init.d/winbind stop
# /etc/init.d/samba restart
# /etc/init.d/winbind start
# kinit Administrator
# klist
[returns this information:
Ticket cache: FILE:/tmp/
Default principal: Administrator@
Valid starting Expires Service principal
04/23/08 00:47:19 04/23/08 10:47:23 krbtgt/
renew until 04/24/08 00:47:19
Kerberos 4 ticket cache: /tmp/tkt999
klist: You have no tickets cached
]
# net ads join -U Administrator
[returns this information:
Administrator's password:
Using short domain name -- DOMAINNAME
Joined 'UBUNTU' to realm 'DOMAINNAME'
]
# wbinfo -u
[returns this information:
Error looking up domain users
]
# wbinfo -g
[returns this information:
Error looking up domain groups
]
# wbinfo -a Administrator
[returns this information: (sic)
plaintext password authentication failed
error code was NT_STATUS_
error messsage was: No such user
Could not authenticate user Administrator with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_
error messsage was: Invalid handle
Could not authenticate user Administrator with challenge/response
]
getent passwd contains only local users, not remote users.
I've discovered what's happening here. On the Debian etch development box where these steps worked, the IP address is set statically, outside the normal DHCP range. On the Ubuntu 8.04 workstation where I performed the above, the IP address was set dynamically.
I discovered that I could work around this problem by giving the workstation a manual IP address and registering it with DNS. If I then re-join the domain, I can properly enumerate users and groups and log in. This seems to be either a bug or by design, but something is definitely wrong if I have to set a static IP by hand in Linux but not in Windows.
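The workaround above depends on the workstation's name resolving to a registered address. The following is an added example, not part of the original report: a check to run before `net ads join` that reports whether a host name maps only to loopback addresses in a hosts file. The function names are hypothetical, and the sample input is constructed from the `/etc/hosts` contents shown in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): how does this machine's own
# name resolve locally before it is joined to the domain?

# Print every address that hosts file $1 maps name $2 to (case-insensitive).
hosts_addrs() {
    awk -v n="$2" '
        { sub(/#.*/, "") }                      # strip trailing comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(n)) { print $1; break }
        }' "$1"
}

# Succeed when address $1 is loopback (127.0.0.0/8 or ::1).
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify name $2 in hosts file $1: absent | loopback-only | routable
classify_name() {
    seen=0; routable=0
    for a in $(hosts_addrs "$1" "$2"); do
        seen=1
        is_loopback "$a" || routable=1
    done
    if [ "$seen" -eq 0 ]; then echo absent
    elif [ "$routable" -eq 1 ]; then echo routable
    else echo loopback-only
    fi
}

# Constructed sample: the first /etc/hosts entries shown in the report.
sample_hosts() {
    cat <<'EOF'
127.0.0.1 localhost
127.0.1.1 ubuntu
127.0.0.1 ubuntu.domainname localhost ubuntu
::1 ip6-localhost ip6-loopback
EOF
}

tmp=$(mktemp) && sample_hosts > "$tmp"
echo "ubuntu.domainname: $(classify_name "$tmp" ubuntu.domainname)"
rm -f "$tmp"
```

On a live system, run `classify_name /etc/hosts "$(hostname -f)"` and then query the nameserver from `/etc/resolv.conf` for the same name to confirm that a DNS record exists.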