# Mission critical; I need help with samba-ads,pam,mitkrb5

## mrbassie

Ok, I've edited my thread, previously titled "Audit my smb.conf please"

RECAP/UPDATE:

Ok. Gentoo samba fileserver. It is joined to the windows server 2008 domain. I can use smbclient -L and wbinfo -u and wbinfo -g and I get the expected results. I get a kerberos ticket with kinit.

I created an account on the gentoo box with the same credentials as one of the windows domain admins. That account can access, read, write and supposedly set permissions on the share, everybody else can see it but not access. It asks for a "network password" (in windows 7).

winbind seems to be working mostly but getent is not. I just get the unix users and groups.

I need to get this box online asap as the current file server is dying and we need to get as much data onto it as possible, as soon as possible.

I seriously need help urgently, I've been banging my head against a screen for a week. This is a school and it's more important than just me being embarrassed.

/etc/samba/smb.conf:

```
[global]

#-------[ Net Hood Settings ]

        workgroup = my-domain-name

        netbios name = Gentoo

        server string = Linux client

        interfaces = eth0, lo

        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_LOWDELAY

        os level = 0

#-------[ Log Level ]

        log level = 2

#-------[ Server Role Settings ]

        security = ads

        encrypt passwords = yes

#-------[NT ACL Compatability]

        inherit acls = yes

        vfs objects = acl_xattr

        map acl inherit = yes

        map archive = no

        map hidden = no

        map readonly = no

        store dos attributes = yes

        nt acl support = true

        create mode = 0644

        directory mode = 0777

        domain master = no

        local master = no

        preferred master = no

        wins proxy = no

        dns proxy = no

        template homedir = /home/SCHOOL/%U

        template shell = /bin/bash

#----[ Winbind communication ]

       idmap config *:backend = tdb

        idmap config * :range = 10000-20000

       idmap config school:backend = ad

       idmap config school:schema_mode = ad

       idmap config school:range = 500-40000

       winbind nss info = rfc2307

        winbind use default domain = Yes

        winbind enum users = yes

        winbind enum groups = yes

        winbind: rpc only = yes

        winbind refresh tickets = yes

        winbind separator = +

        kerberos method = secrets and keytab

#-------[Realm]

        realm = my-domain-name

#-------[Shares ]

[HOMEWORK SHARE]

        path = /SCHOOL/HomeworkShare

        comment = Homework Share

        browseable = yes

        writeable = yes

        inherit permissions = Yes

        inherit owner = yes

        inherit acls = yes

        guest ok = yes

        security mask = 0777

        security = ads

[PUPIL SHARE]

        path = /SCHOOL/PupilShare

        comment = Pupil Share

        browseable = yes

        writeable = yes

        inherit permissions = yes

        inherit owner =yes

        inherit acls = yes

        create mask = 0644

        guest ok = yes

        security mask = 0777

[STAFF SHARE]

        path = /SCHOOL/StaffShare

        comment = Staff Share

        browseable = yes

        writeable = yes

        inherit permissions = yes

        inherit acls = yes

        inherit owner = yes

        create mask = 0644

        guest ok = yes

        security mask = 0777

        read only = no

```

/etc/nsswitch.conf:

```
# /etc/nsswitch.conf:

# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:      compat winbind

shadow:      compat winbind

group:       compat winbind

passwd:      db files nis

shadow:      db files nis

group:       db files nis

hosts:       files wins dns

networks:    files

services:    db files

protocols:   db files

rpc:         db files winbind

ethers:      db files

netmasks:    files

netgroup:    nis

bootparams:  files

automount:   files

aliases:     files

```

/etc/krb5.conf:

```

[libdefaults]

        default_realm = my-domain-name

        kdc_timesync = 1

        ccache_type = 4

        forwardable = true

        proxiable = true

        fcc-mit-ticketflag = true

        default_keytab_name = FILE:/etc/krb5.keytab

```

/etc/conf.d/samba:

```

#add "winbind" to the daemon_list if you also want winbind to start

daemon_list="smbd nmbd winbind"

#----------------------------------------------------------------------------

# Daemons calls: <daemon_name>_<command_option>

#----------------------------------------------------------------------------

my_service_name="samba"

my_service_PRE="unset TMP TMPDIR"

my_service_POST=""

#----------------------------------------------------------------------------

# Daemons calls: <daemon_name>_<command_option>

#----------------------------------------------------------------------------

smbd_start_options="-D"

smbd_start="start-stop-daemon --start --exec /usr/sbin/smbd -- ${smbd_start_options}"

smbd_stop="start-stop-daemon --stop --exec /usr/sbin/smbd"

smbd_reload="killall -HUP smbd"

nmbd_start_options="-D"

nmbd_start="start-stop-daemon --start --exec /usr/sbin/nmbd -- ${nmbd_start_options}"

nmbd_stop="start-stop-daemon --stop --exec /usr/sbin/nmbd"

nmbd_reload="killall -HUP nmbd"

winbind_start_options="-D"

winbind_start="start-stop-daemon --start --exec /usr/sbin/winbindd -- ${winbind_start_options}"

winbind_stop="start-stop-daemon --stop --exec /usr/sbin/winbindd"

winbind_reload="killall -HUP winbindd"

```

use flags for samba:

```
ads aio client ldap ldb netapi pam readline server smbclient smbshares winbind
```

/etc/pam.d/system-auth-winbind:

```

#%PAM-1.0

# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/3.6/system-auth-winbind.pam,v 1.1 2011/06/30 15:50:28 dagger Exp $

auth        required      pam_env.so

auth        sufficient    pam_winbind.so

auth        sufficient    pam_unix.so shadow likeauth nullok use_first_pass

auth        required      pam_deny.so

account     required      pam_unix.so

password    required      pam_cracklib.so retry=3

password    sufficient    pam_winbind.so

password    sufficient    pam_unix.so nullok use_authtok md5 shadow

password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022

session     required      pam_limits.so

session     required      pam_unix.so

```

What have I missed?

I cannot provide information about the domain setup. The person who did it was fired a couple of years ago (I've been there a couple of months) and none of the IT department have access to the administrator account on the domain controller, they are however domain admins but were also uninvolved in the setup.
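An added example, not part of the original post: a small Python audit of the smb.conf above that flags three things worth reviewing in it, namely idmap ranges that overlap (the smb.conf manual requires the configured ranges to be mutually disjoint), global-only parameters placed in a share section, and `guest ok = yes` on writable shares. The sample is a trimmed, constructed copy of the posted file, and `GLOBAL_ONLY` is an assumed subset of Samba's global parameters.

```python
import re
from itertools import combinations

# Constructed sample: a trimmed copy of the smb.conf posted above.
SAMPLE_SMB_CONF = """\
[global]
        security = ads
        directory mode = 0777
        idmap config *:backend = tdb
        idmap config * :range = 10000-20000
        idmap config school:backend = ad
        idmap config school:range = 500-40000
[HOMEWORK SHARE]
        path = /SCHOOL/HomeworkShare
        writeable = yes
        guest ok = yes
        security = ads
[STAFF SHARE]
        path = /SCHOOL/StaffShare
        guest ok = yes
        read only = no
"""

# Assumption: a small subset of Samba's global-only parameters, enough for this file.
GLOBAL_ONLY = {"security", "realm", "workgroup", "netbios name"}
YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with parameter names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            if current.lower() == "global":
                current = "global"
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def idmap_ranges(global_params):
    """Collect {domain: (low, high)} from 'idmap config DOMAIN : range' lines."""
    ranges = {}
    for key, value in global_params.items():
        dom = re.fullmatch(r"idmap config\s+(\S+?)\s*:\s*range", key)
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if dom and rng:
            ranges[dom.group(1)] = (int(rng.group(1)), int(rng.group(2)))
    return ranges


def audit(text):
    """Return a list of (code, section, detail) findings."""
    conf = parse_smb_conf(text)
    findings = []
    pairs = combinations(idmap_ranges(conf.get("global", {})).items(), 2)
    for (dom_a, (lo_a, hi_a)), (dom_b, (lo_b, hi_b)) in pairs:
        if lo_a <= hi_b and lo_b <= hi_a:  # the two ID ranges intersect
            findings.append(("idmap-overlap", "global",
                             f"{dom_a} {lo_a}-{hi_a} overlaps {dom_b} {lo_b}-{hi_b}"))
    for name, params in conf.items():
        if name == "global":
            continue
        for key in sorted(GLOBAL_ONLY & params.keys()):
            findings.append(("global-param-in-share", name, key))
        writable = (params.get("writeable", "").lower() in YES
                    or params.get("writable", "").lower() in YES
                    or params.get("read only", "").lower() in NO)
        if writable and params.get("guest ok", "").lower() in YES:
            findings.append(("guest-writable", name, "guest ok = yes on a writable share"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print(*finding, sep=" | ")
```

The check does not model share defaults inherited from `[global]` or the `map to guest` setting, so a `guest-writable` finding is a prompt to review the share, not proof that anonymous writes succeed.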

----------

## vaxbrat

Can anyone get at the domain security policy?  It's possible that they have hardened the session setup to the point where things stop working.  Turn up the debugging to 5 or so on the winbind daemon and then look at its logs in /var/log/samba to see what it may be whining about when trying to do idmap.  You may want to blast the winbind tdb files in /var/lib/samba before trying again

----------

## vaxbrat

I also do RID instead of AD for the idmap stuff in my smb.conf

----------

## vaxbrat

This sample is sort of oldish as you can tell from the syntax for the idmap stanzas.  Your syntax is good but might want to go to rid instead of ad.

```
[global]

   workgroup = PLAY

   realm = PLAY.COM

   server string = samba on ur linux box

   netbios name = cent62amd64

   security = ADS

   password server = dc-01.play.com

   passdb backend = tdbsam

   #

   #  This backend rule may break depending on samba version installed

   #  This is the new idmap syntax and will break on a 3.0.x (rh/cent5 bog

   #  standard box) even though testparm will pass it

   #

   #  If you are a wan with a "partner" and a domain trust, you need to

   #  rethink the whole winbind implementation and maybe go full ldap

   #

   idmap backend = rid:PLAY=2000-10000

   idmap uid = 2000-10000

   idmap gid = 2000-10000

   cups options = raw

   winbind use default domain = Yes

   #

   #  These enum directives will kill you in a large domain but are

   #  very useful if you can get away with it

   #

   winbind enum users = Yes

   winbind enum groups = Yes

   winbind nested groups = Yes

   template shell = /bin/bash

   #----------------------------------------------------------------

   #  hardening countermeasures

   #

   #  This option is only available for newer samba versions (>=3.4.x)

   #  and matches the DC local security policy:

   #    Domain Controller: LDAP server signing requirements set to "sign"

   #

   #  Like the next setting for ntlmv2, it will generate the same

   #  "stronger authentication required" error as the ntlmv2 un-setting

   #  rhel6/centos6 package samba 3.5.x and thus can support but this

   #  will drag down performance and should be resisted.  Also might

   #  need a CA cert from the dc? and will probably gen additional events

   #  in the dc log over kerberos setup.

   #

   #client ldap sasl wrapping = sign

   #

   #  Needed to avoid the dreaded

   #  "failed to join domain, stronger authentication required"

   #  even after you have yanked the ldap server signing requirement

   #

   client ntlmv2 auth = Yes

```

----------

## mrbassie

Thanks, I will try out your suggestions.

----------

## mrbassie

 *vaxbrat wrote:*   

> This sample is sort of oldish as you can tell from the syntax for the idmap stanzas.  Your syntax is good but might want to go to rid instead of ad.
> 
> ```
>    #  These enum directives will kill you in a large domain but are
> ```
> ...

 

The domain I am working within has let's say 1000 unique users, most of those are obviously the students, will that be a problem? The Gentoo box will not be holding all that much actual data.

----------

## vaxbrat

I first started doing AD integrations some years ago when samba was at 3.0.x, and Fedora 6 was just coming out.  The consensus was that winbind would hit a brick wall when there were thousands of users on the domain.  OTOH that was when AD was just rolling out and most domains were still on NT4 style DC's.  I don't remember when Winbind started caching the idmap in a local tdb file, but it may have taken care of the issue other than that first time when it needs to get populated.

The majority of my rollouts are in air gapped networks where the domain has only hundreds of users at the most and often much less than that.  I couldn't tell you what a modern winbind would do in a Uni or large corporate network where things have been split into separate resource and user domains, and users number in the tens of thousands or more.

----------

## mrbassie

ok, well there are definitely fewer than 2000 users and not all of them will have access.

----------

## mrbassie

Ok I switched ad to rid, deleted all the .tdb's and logs and rejoined the domain and fired up samba.

log.winbindd shows the following 

gid_to_sid: winbind failed to find a sid for gid 0, 1, 2, 3, 4, 6, 10, 11, 26, 27 

all the other logs look fine.

It's still not mapping the users/groups.

Am I being stupid expecting it to just do it, do I have to do it manually?

----------

## vaxbrat

There should be a lot more to the error logging than that.  Edit your /etc/conf.d/samba to change your winbindd debug level to 5 or more:

```
winbind_start_options=""

```

goes to something like

```
winbind_start_options="-d5"

```

Also can anyone with domain admin priv's get into the event logs on the dc when you try to hit the idmaps to see if it shows anything on that side?

----------

## mrbassie

```
gid_to_sid: winbind failed to find a sid for gid 0
  gid_to_sid: winbind failed to find a sid for gid 1
  gid_to_sid: winbind failed to find a sid for gid 2
  gid_to_sid: winbind failed to find a sid for gid 3
  gid_to_sid: winbind failed to find a sid for gid 4
  gid_to_sid: winbind failed to find a sid for gid 6
  gid_to_sid: winbind failed to find a sid for gid 10
  gid_to_sid: winbind failed to find a sid for gid 11
  gid_to_sid: winbind failed to find a sid for gid 26
  gid_to_sid: winbind failed to find a sid for gid 27
  account_policy_get: tdb_fetch_uint32 failed for type 1 (min password length), returning 0
  account_policy_get: tdb_fetch_uint32 failed for type 2 (password history), returning 0
  account_policy_get: tdb_fetch_uint32 failed for type 3 (user must logon to change password), returning 0
  account_policy_get: tdb_fetch_uint32 failed for type 4 (maximum password age), returning 0
  account_policy_get: tdb_fetch_uint32 failed for type 5 (minimum password age), returning 0
  account_policy_get: tdb_fetch_uint32 failed for type 6 (lockout duration), returning 0
  account_policy_get: tdb_fetch_uint32 failed for type 7 (reset count minutes), returning 0
  account_policy_get: tdb_fetch_uint32 failed for type 8 (bad lockout attempt), returning 0
  account_policy_get: tdb_fetch_uint32 failed for type 9 (disconnect time), returning 0
  account_policy_get: tdb_fetch_uint32 failed for type 10 (refuse machine password change), returning 0
[2014/05/29 10:16:21.412870,  5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_root
[2014/05/29 10:16:21.412991,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user root
[2014/05/29 10:16:21.413019,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is root
[2014/05/29 10:16:21.413071,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [root]!
[2014/05/29 10:16:21.413228,  5] lib/gencache.c:68(gencache_init)
  Opening cache file at /var/cache/samba/gencache.tdb
[2014/05/29 10:16:21.413312,  5] lib/gencache.c:111(gencache_init)
  Opening cache file at /var/cache/samba/gencache_notrans.tdb
[2014/05/29 10:16:21.413481,  5] passdb/lookup_sid.c:1384(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 0
[2014/05/29 10:16:21.413521,  5] passdb/lookup_sid.c:1384(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 1
[2014/05/29 10:16:21.413555,  5] passdb/lookup_sid.c:1384(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 2
[2014/05/29 10:16:21.413588,  5] passdb/lookup_sid.c:1384(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 3
[2014/05/29 10:16:21.413621,  5] passdb/lookup_sid.c:1384(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 4
[2014/05/29 10:16:21.413655,  5] passdb/lookup_sid.c:1384(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 6
[2014/05/29 10:16:21.413689,  5] passdb/lookup_sid.c:1384(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 10
[2014/05/29 10:16:21.413722,  5] passdb/lookup_sid.c:1384(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 11
[2014/05/29 10:16:21.413755,  5] passdb/lookup_sid.c:1384(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 26
[2014/05/29 10:16:21.413789,  5] passdb/lookup_sid.c:1384(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 27
[2014/05/29 10:16:21.413866,  5] passdb/pdb_util.c:128(create_builtin_administrators)
  create_builtin_administrators: Failed to create Administrators
[2014/05/29 10:16:21.413919,  5] passdb/pdb_util.c:99(create_builtin_users)
  create_builtin_users: Failed to create Users
[2014/05/29 10:16:21.414131,  2] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/account_policy.tdb): tdb_open_ex: could not open file /var/lib/samba/account_policy.tdb: No such file or directory
[2014/05/29 10:16:21.414159,  3] lib/dbwrap_tdb.c:359(db_open_tdb)
  Could not open tdb: No such file or directory
```

----------

## mrbassie

```
tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414332,  1] passdb/account_pol.c:331(account_policy_get)
  account_policy_get: tdb_fetch_uint32 failed for type 2 (password history), returning 0
[2014/05/29 10:16:21.414357,  5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414383,  1] passdb/account_pol.c:331(account_policy_get)
  account_policy_get: tdb_fetch_uint32 failed for type 3 (user must logon to change password), returning 0
[2014/05/29 10:16:21.414408,  5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414434,  1] passdb/account_pol.c:331(account_policy_get)
  account_policy_get: tdb_fetch_uint32 failed for type 4 (maximum password age), returning 0
[2014/05/29 10:16:21.414458,  5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414484,  1] passdb/account_pol.c:331(account_policy_get)
  account_policy_get: tdb_fetch_uint32 failed for type 5 (minimum password age), returning 0
[2014/05/29 10:16:21.414508,  5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414534,  1] passdb/account_pol.c:331(account_policy_get)
  account_policy_get: tdb_fetch_uint32 failed for type 6 (lockout duration), returning 0
[2014/05/29 10:16:21.414558,  5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414583,  1] passdb/account_pol.c:331(account_policy_get)
  account_policy_get: tdb_fetch_uint32 failed for type 7 (reset count minutes), returning 0
[2014/05/29 10:16:21.414608,  5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414633,  1] passdb/account_pol.c:331(account_policy_get)
  account_policy_get: tdb_fetch_uint32 failed for type 8 (bad lockout attempt), returning 0
[2014/05/29 10:16:21.414658,  5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414683,  1] passdb/account_pol.c:331(account_policy_get)
  account_policy_get: tdb_fetch_uint32 failed for type 9 (disconnect time), returning 0
[2014/05/29 10:16:21.414708,  5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414733,  1] passdb/account_pol.c:331(account_policy_get)
  account_policy_get: tdb_fetch_uint32 failed for type 10 (refuse machine password change), returning 0
[2014/05/29 10:16:21.414758,  5] ../li
```

----------

## vaxbrat

Did any of the tdb files come back in /var/lib/samba after you restarted samba?  Are they non-zero length?  Does "getent passwd" and "getent group" return anything or just the local users and groups?  The concerning thing is those low number group to sid errors are for local stuff so I wonder if something is screwed up with your glibc/coreutils/pam/shadow setup somewhere.

You may have to acquaint yourself with wireshark if you don't already know it in order to see what sort of packet traffic is or isn't happening with the ip address for the domain controller when you try to do getent.

If you do have stuff in the tdb files, use tdbdump.  You should already have the sys-libs/tdb emerged if you have tdb enabled in your use flags.  I don't have this machine I'm posting from joined as an AD member to anything, so this example is probably a default samba install file but here's an example dump of the account_policy.tdb file your logs complain about among other things:

```
# tdbdump /var/lib/samba/account_policy.tdb          

{

key(21) = "minimum password age\00"

data(4) = "\00\00\00\00"

}

{

key(31) = "refuse machine password change\00"

data(4) = "\00\00\00\00"

}

{

key(20) = "reset count minutes\00"

data(4) = "\1E\00\00\00"

}

{

key(18) = "PRIV_S-1-5-32-550\00"

data(16) = "\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"

}

{

key(18) = "PRIV_S-1-5-32-548\00"

data(16) = "\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"

}

{

key(18) = "PRIV_S-1-5-32-551\00"

data(16) = "\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"

}

{

key(18) = "PRIV_S-1-5-32-549\00"

data(16) = "\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"

}

{

key(16) = "disconnect time\00"

data(4) = "\FF\FF\FF\FF"

}

{

key(35) = "user must logon to change password\00"

data(4) = "\00\00\00\00"

}

{

key(17) = "password history\00"

data(4) = "\00\00\00\00"

}

{

key(17) = "lockout duration\00"

data(4) = "\1E\00\00\00"

}

{

key(20) = "min password length\00"

data(4) = "\05\00\00\00"

}

{

key(18) = "PRIV_S-1-5-32-544\00"

data(16) = "\F0\1F\00\00\00\00\00\00\00\00\00\00\00\00\00\00"

}

{

key(13) = "PRIV_S-1-1-0\00"

data(16) = "\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"

}

{

key(21) = "maximum password age\00"

data(4) = "\FF\FF\FF\FF"

}

{

key(20) = "bad lockout attempt\00"

data(4) = "\00\00\00\00"

}

{

key(13) = "INFO/version\00"

data(4) = "\03\00\00\00"
```

----------

## mrbassie

 *vaxbrat wrote:*   

> Did any of the tdb files come back in /var/lib/samba after you restarted samba?  Are they non-zero length?  Does "getent passwd" and "getent group" return anything or just the local users and groups?  The concerning thing is those low number group to sid errors are for local stuff so I wonder if something is screwed up with your glibc/coreutils/pam/shadow setup somewhere.
> 
> You may have to acquaint yourself with wireshark if you don't already know it in order to see what sort of packet traffic is or isn't happening with the ip address for the domain controller when you try to do getent.
> 
> If you do have stuff in the tdb files, use tdbdump.  You should already have the sys-libs/tdb emerged if you have tdb enabled in your use flags.  I don't have this machine I'm posting from joined as an AD member to anything, so this example is probably a default samba install file but here's an example dump of the account_policy.tdb file your logs complain about among other things:
> ...

 

Yes the tdb files came back. They are not zero length however group_mapping.tdb is blank. getent only returns local stuff. my account_policy.tdb looks identical to what you posted.

I haven't touched any configs on this system other than what I posted in the op (other than portage stuff obviously).

It's a clean install, all I've done is emerged samba and zfs.

I had a look at the event logs on the domain controller, there's nothing at all relating to this gentoo box.

I can access the shares from a linux machine on the network no problem, whenever one of the windows machines tries to access it's throwing up a username and password prompt.
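An added example, not written by either poster: a check for the symptom described here (getent returning only local accounts) against the nsswitch.conf posted at the top of the thread, which defines `passwd`, `shadow` and `group` twice, once with `winbind` and once without. The sample is a constructed excerpt of that file; the code assumes nothing about which of two duplicate lines the C library honours and only reports the conflict.

```python
import re
from collections import defaultdict

# Constructed sample: the account-database lines of the nsswitch.conf posted earlier.
SAMPLE_NSSWITCH = """\
passwd:      compat winbind
shadow:      compat winbind
group:       compat winbind
passwd:      db files nis
shadow:      db files nis
group:       db files nis
hosts:       files wins dns
"""


def parse_nsswitch(text):
    """Return {database: [(line_no, [sources]), ...]}, keeping every occurrence."""
    entries = defaultdict(list)
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # strip comments
        if ":" not in line:
            continue
        database, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop actions such as [NOTFOUND=return]
        entries[database.strip().lower()].append((line_no, rest.split()))
    return dict(entries)


def check_source(text, source="winbind", databases=("passwd", "group")):
    """Return (database, problem, line_numbers) for each database where
    `source` is absent or where duplicate lines disagree about it."""
    entries = parse_nsswitch(text)
    problems = []
    for database in databases:
        seen = entries.get(database, [])
        listing = [n for n, sources in seen if source in sources]
        omitting = [n for n, sources in seen if source not in sources]
        if not listing:
            problems.append((database, "source-missing", omitting))
        elif omitting:
            problems.append((database, "conflicting-duplicates", listing + omitting))
    return problems


if __name__ == "__main__":
    for database, problem, lines in check_source(SAMPLE_NSSWITCH):
        print(f"{database}: {problem} (lines {lines})")
```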

----------

## vaxbrat

Looks like you are going to have to use wireshark to see what's going on the wire between your linux box and the dc.

I've only had to do that a couple of times, but the last time was when I inherited a badly setup domain.  Thankfully I had authority on the windows side as well and ended up standing up another dc which I migrated the AD database to and then eventually re-built the original to provide redundancy.  My Samba problems magically went away as soon as that second dc was running the show and the original had been removed.

My guess on what happened there was that the Kerberos kdc setup in the original dc was all messed up.  The windows clients were probably falling back to the old NT4 style hashing without any of the IT monkeys knowing what was going on..

----------

## mrbassie

I'll emerge wireshark first thing monday. Thanks for all your help btw. It's very hard to find anything useful on the net about this problem, I've seen loads of threads on various *nix forums but no solution that works.

----------

## mrbassie

Ok so I have wireshark emerged. I've run a simple dumpcap -i eth0 -a duration:60 -w output.pca

I tried getent while doing this on tty2 and I'm getting 95% + of the packets. 

I'm finding the man pages a little cryptic...

could you suggest some things to cap  and post please?

----------

## vaxbrat

Try running the wireshark gui live and then applying filters.  The most obvious one is to do an ip filter for the ip address of the domain controller.  If you click on the "expression" button in the filtering section it will show you a list of what it knows.  You want to open the IP treeview and pick address and then type in the ip address.  The resulting filter expression will look something like:

```
ip.addr == www.xxx.yyy.zzz
```

Note that you can just type that in without going through all of the popups.  

It's going to be a huge dump no matter what and may involve all sorts of stuff that probably doesn't want to be put into an online paste.  The wireshark gui knows all of the protocols so you can select packets, open them up and inspect the various fields.  The wireshark.org website should be able to lead you through the use of the gui, but the packet stuff is something that you are just going to have to pick up on your own.  You might want to pick up the Samba 3 reference in the Bruce Perens open source series: 

http://www.amazon.com/Official-Samba-3-Reference-Perens-Source/dp/0131453556/ref=sr_1_1?ie=UTF8&qid=1401828533&sr=8-1&keywords=bruce+perens+samba+3

----------

