###### Master ##################################################################### root@master:~# univention-install winbind root@master:~# net rpc testjoin Join to 'ARUCS301I9' is OK root@member:~# wbinfo -p Ping to winbindd succeeded root@master:~# wbinfo --ping-dc checking the NETLOGON dc connection succeeded ###### Memberserver ############################################################### root@member:~# net rpc testjoin Join to 'ARUCS301I9' is OK root@member:~# wbinfo -p Ping to winbindd succeeded root@member:~# wbinfo --ping-dc checking the NETLOGON dc connection succeeded ### establish the trust, e.g. on the Memberserver root@member:~# net rpc trustdom establish ARW2K3R2U30 Enter ARUCS301I9$'s password: Could not connect to server W2K3R2-35 Trust to domain ARW2K3R2U30 established root@member:~# net rpc trustdom list -UAdministrator%univention Trusted domains list: ARW2K3R2U30 S-1-5-21-215963510-1792852931-2165353431 Trusting domains list: none ###### Master ##################################################################### root@master:~# net rpc trustdom list -UAdministrator%univention Trusted domains list: ARW2K3R2U30 S-1-5-21-215963510-1792852931-2165353431 Trusting domains list: none ### Lookup fails: root@master:~# wbinfo -n ARW2K3R2U30+Administrator Could not lookup name ARW2K3R2U30+Administrator ### Auth succeeds: root@master:~# wbinfo -a ARW2K3R2U30+Administrator%Univention123 plaintext password authentication succeeded challenge/response password authentication succeeded ###### Memberserver ############################################################### ### Lookup succeeds: root@member:~# wbinfo -n ARW2K3R2U30+Administrator S-1-5-21-3914512823-4150051258-224171578-500 SID_USER (1) ### Auth fails: root@member:~# wbinfo -a ARW2K3R2U30+Administrator%Univention123 plaintext password authentication failed Could not authenticate user ARW2K3R2U30+Administrator%Univention123 with plaintext password challenge/response password authentication failed error 
code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e) error messsage was: No logon servers Could not authenticate user ARW2K3R2U30+Administrator with challenge/response ###### Master ##################################################################### root@master:~# echo -e "[global]\n\twinbind rpc only = yes" >> /etc/samba/local.conf root@master:~# /etc/init.d/winbind restart Stopping the Winbind daemon: winbind. Starting the Winbind daemon: winbind. root@master:~# wbinfo -n ARW2K3R2U30+Administrator S-1-5-21-215963510-1792852931-2165353431-500 SID_USER (1) ###### Memberserver ############################################################### ### Auth succeeds: root@member:~# wbinfo -a ARW2K3R2U30+Administrator%Univention123 plaintext password authentication succeeded challenge/response password authentication succeeded ##################### IDmap test ###### Master ########## root@master:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-500 55000 ## OK ###### Memberserver #### root@member:~# wbinfo -n ARW2K3R2U30+aduser1 S-1-5-21-215963510-1792852931-2165353431-1107 SID_USER (1) root@member:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1107 55001 ## OK ##################### User enumeration test ### Weird stuff: ####### ###### Master ########## root@master:~# wbinfo -u administrator join-backup join-slave ## Ok, try with explicit auth user, instead of anon or machine connection: root@master:~# net setauthuser -UAdministrator%univention ## univention is the password of ARUCS301I9+Administrator root@master:~# net getauthuser ARUCS301I9+Administrator%univention root@master:~# /etc/init.d/winbind restart Stopping the Winbind daemon: winbind. Starting the Winbind daemon: winbind. 
root@master:~# wbinfo -u administrator join-backup join-slave ## Now magic happens: root@master:~# net setauthuser -UAdministrator%Univention123 ## Univention123 is the password of ARW2K3R2U30+Administrator root@master:~# net getauthuser ARUCS301I9+Administrator%Univention123 ## OOPS, this is weird. But it works: root@master:~# /etc/init.d/winbind restart Stopping the Winbind daemon: winbind. Starting the Winbind daemon: winbind. root@master:~# wbinfo -u administrator join-backup join-slave ARW2K3R2U30+administrator ARW2K3R2U30+aduser1 ARW2K3R2U30+gast ARW2K3R2U30+krbtgt ARW2K3R2U30+support_388945a0 ## OK by magic ###### Memberserver #### root@member:~# wbinfo -u MEMBER+nobody ARUCS301I9+administrator ARUCS301I9+join-backup ARUCS301I9+join-slave root@member:~# net getauthuser No authorised user configured root@member:~# net setauthuser -UAdministrator%univention root@member:~# net getauthuser ARUCS301I9+Administrator%univention root@member:~# /etc/init.d/winbind restart Stopping the Winbind daemon: winbind. Starting the Winbind daemon: winbind. root@member:~# wbinfo -u MEMBER+nobody ARUCS301I9+administrator ARUCS301I9+join-backup ARUCS301I9+join-slave root@member:~# net setauthuser -UAdministrator%Univention123 root@member:~# net getauthuser ARUCS301I9+Administrator%Univention123 root@member:~# /etc/init.d/winbind restart Stopping the Winbind daemon: winbind. Starting the Winbind daemon: winbind. 
root@member:~# wbinfo -u MEMBER+nobody ARUCS301I9+administrator ARUCS301I9+join-backup ARUCS301I9+join-slave ## FAIL ###################### NSS test ###### Master ########## root@master:~# getent passwd ARW2K3R2U30+aduser1 || echo unknown unknown root@master:~# ucr set auth/methods="krb5 ldap unix winbind" Setting auth/methods File: /etc/pam.d/common-auth-nowrite File: /etc/nsswitch.conf File: /etc/pam.d/common-password File: /etc/ssh/ssh_config File: /etc/pam.d/common-account Multifile: /etc/pam.d/common-auth Multifile: /etc/pam.d/common-session File: /etc/pam.d/univention-management-console root@master:~# /etc/init.d/nscd restart Restarting NSCD:. root@master:~# getent passwd ARW2K3R2U30+aduser1 || echo unknown ARW2K3R2U30+aduser1:*:55001:55003:aduser1 univention:/home/ARW2K3R2U30-aduser1:/bin/bash ## OK ###### Memberserver #### root@member:~# getent passwd ARW2K3R2U30+aduser1 || echo unknown unknown root@member:~# ucr set auth/methods="krb5 ldap unix winbind" Setting auth/methods File: /etc/pam.d/common-auth-nowrite File: /etc/nsswitch.conf File: /etc/pam.d/common-password File: /etc/ssh/ssh_config File: /etc/pam.d/common-account Multifile: /etc/pam.d/common-auth Multifile: /etc/pam.d/common-session File: /etc/pam.d/univention-management-console root@member:~# /etc/init.d/nscd restart Restarting NSCD:. root@member:~# getent passwd ARW2K3R2U30+aduser1 || echo unknown unknown ## FAIL ###################### First check-winbind-user test ###### Master ########## root@master:~# wget 'https://forge.univention.org/bugzilla/attachment.cgi?id=3986' -O check-winbind-user root@master:~# chmod 755 check-winbind-user root@master:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.' 
sid: S-1-5-21-215963510-1792852931-2165353431-1107 username: ARW2K3R2U30+aduser1 uid: 55001 GIDs: 55003 groupsid: S-1-5-21-215963510-1792852931-2165353431-513 groupname: ARW2K3R2U30+Domänen-Benutzer getent passwd: ARW2K3R2U30+aduser1:*:55001:55003:aduser1 univention:/home/ARW2K3R2U30-aduser1:/bin/bash plaintext password authentication succeeded challenge/response password authentication succeeded dcname: w2k3r2-35.arw2k3r2u30.qa Could not lookup WINS by name w2k3r2-35.arw2k3r2u30.qa trying DNS: Host w2k3r2-35.arw2k3r2u30.qa not found: 3(NXDOMAIN) enum users for domain ARW2K3R2U30 successfull enum groups for domain ARW2K3R2U30 successfull ###### Memberserver #### root@member:~# wget 'https://forge.univention.org/bugzilla/attachment.cgi?id=3986' -O check-winbind-user root@member:~# chmod 755 check-winbind-user root@member:~# /check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.' -bash: /check-winbind-user: No such file or directory root@member:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.' 
sid: S-1-5-21-215963510-1792852931-2165353431-1107 username: ARW2K3R2U30+aduser1 uid: 55001 Could not get groups for user ARW2K3R2U30+aduser1 ERROR: lookup of GIDs for user failed Could not get group SIDs for user SID S-1-5-21-215963510-1792852931-2165353431-1107 ERROR: getent passwd: no entry plaintext password authentication succeeded challenge/response password authentication succeeded dcname: W2K3R2-35 WARNING: enum users failed for domain ARW2K3R2U30 WARNING: enum groups failed for domain ARW2K3R2U30 ## details of group resolution problems: root@member:~# wbinfo --user-groups=ARW2K3R2U30+aduser1 Could not get groups for user ARW2K3R2U30+aduser1 root@member:~# wbinfo --user-sids=S-1-5-21-215963510-1792852931-2165353431-1107 Could not get group SIDs for user SID S-1-5-21-215963510-1792852931-2165353431-1107 root@member:~# wbinfo -Y S-1-5-21-215963510-1792852931-2165353431-513 55003 root@member:~# wbinfo -G 55003 S-1-5-21-215963510-1792852931-2165353431-513 root@member:~# wbinfo -s S-1-5-21-215963510-1792852931-2165353431-513 ARW2K3R2U30+Domänen-Benutzer 2 root@member:~# wbinfo -u --domain=ARW2K3R2U30 root@member:~# wbinfo -g --domain=ARW2K3R2U30 ###################### More group resolution weirdness: ###### Master ########## root@master:~# wbinfo -r 'ARW2K3R2U30\aduser1' Could not get groups for user ARW2K3R2U30\aduser1 ###################### Some resolution: Firewall ###### Master ########## root@master:~# echo "iptables -I INPUT 1 -p udp --sport 137 -j ACCEPT" \ >> /etc/security/packetfilter.d/50_local.sh root@master:~# /etc/init.d/univention-firewall restart root@master:~# net setauthuser delete root@master:~# /etc/init.d/winbind restart Stopping the Winbind daemon: winbind. Starting the Winbind daemon: winbind. root@master:~# wbinfo -a ARW2K3R2U30+aduser1%'Test1234;.' plaintext password authentication succeeded challenge/response password authentication succeeded ### Auth works root@master:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.' 
sid: S-1-5-21-215963510-1792852931-2165353431-1107 username: ARW2K3R2U30+aduser1 uid: 55001 GIDs: 55003 groupsid: S-1-5-21-215963510-1792852931-2165353431-513 groupname: ARW2K3R2U30+Domänen-Benutzer getent passwd: ARW2K3R2U30+aduser1:*:55001:55003::/home/ARW2K3R2U30-aduser1:/bin/bash plaintext password authentication succeeded challenge/response password authentication succeeded dcname: w2k3r2-35.arw2k3r2u30.qa Could not lookup WINS by name w2k3r2-35.arw2k3r2u30.qa trying DNS: Host w2k3r2-35.arw2k3r2u30.qa not found: 3(NXDOMAIN) WARNING: enum users failed for domain ARW2K3R2U30 WARNING: enum groups failed for domain ARW2K3R2U30 ###### Memberserver #### root@member:~# net setauthuser delete root@member:~# /etc/init.d/winbind restart Stopping the Winbind daemon: winbind. Starting the Winbind daemon: winbind. root@member:~# wbinfo -a ARW2K3R2U30+aduser1%'Test1234;.' plaintext password authentication succeeded challenge/response password authentication succeeded ### Auth works !! root@member:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.' sid: S-1-5-21-215963510-1792852931-2165353431-1107 username: ARW2K3R2U30+aduser1 uid: 55001 GIDs: 55003 groupsid: S-1-5-21-215963510-1792852931-2165353431-513 groupname: ARW2K3R2U30+Domänen-Benutzer getent passwd: ARW2K3R2U30+aduser1:*:55001:55003::/home/ARW2K3R2U30-aduser1:/bin/bash plaintext password authentication succeeded challenge/response password authentication succeeded dcname: W2K3R2-35 WARNING: enum users failed for domain ARW2K3R2U30 WARNING: enum groups failed for domain ARW2K3R2U30 ###################### Finally reenable enumeration: ###### Master ########## root@master:~# net setauthuser -UAdministrator%Univention123 root@master:~# net getauthuser ARUCS301I9+Administrator%Univention123 root@master:~# /etc/init.d/winbind restart Stopping the Winbind daemon: winbind. Starting the Winbind daemon: winbind. root@master:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.' 
sid: S-1-5-21-215963510-1792852931-2165353431-1107 username: ARW2K3R2U30+aduser1 uid: 55001 GIDs: 55003 groupsid: S-1-5-21-215963510-1792852931-2165353431-513 groupname: ARW2K3R2U30+Domänen-Benutzer getent passwd: ARW2K3R2U30+aduser1:*:55001:55003::/home/ARW2K3R2U30-aduser1:/bin/bash plaintext password authentication succeeded challenge/response password authentication succeeded dcname: w2k3r2-35.arw2k3r2u30.qa Could not lookup WINS by name w2k3r2-35.arw2k3r2u30.qa trying DNS: Host w2k3r2-35.arw2k3r2u30.qa not found: 3(NXDOMAIN) enum users for domain ARW2K3R2U30 successfull enum groups for domain ARW2K3R2U30 successfull ###### Memberserver #### root@member:~# net setauthuser -UAdministrator%Univention123 root@member:~# net getauthuser ARUCS301I9+Administrator%Univention123 root@member:~# /etc/init.d/winbind restart Stopping the Winbind daemon: winbind. Starting the Winbind daemon: winbind. root@member:~# ./check-winbind-user ARW2K3R2U30+aduser1%'Test1234;.' sid: S-1-5-21-215963510-1792852931-2165353431-1107 username: ARW2K3R2U30+aduser1 uid: 55001 GIDs: 55003 groupsid: S-1-5-21-215963510-1792852931-2165353431-513 groupname: ARW2K3R2U30+Domänen-Benutzer getent passwd: ARW2K3R2U30+aduser1:*:55001:55003::/home/ARW2K3R2U30-aduser1:/bin/bash plaintext password authentication succeeded challenge/response password authentication succeeded dcname: W2K3R2-35 WARNING: enum users failed for domain ARW2K3R2U30 WARNING: enum groups failed for domain ARW2K3R2U30