[Samba] winbind problems
Brian Kesting
bkesting at cityofwayne.org
Tue Dec 21 04:17:17 GMT 2004
Even if I do not have users logging into this samba box locally, I still need to edit /etc/pam.d/login?
---------- Original Message ----------------------------------
From: "Thomas M. Skeren III" <tms3 at fskklaw.com>
Date: Mon, 20 Dec 2004 18:31:53 -0800
Brian Kesting wrote:
>When I made those changes to krb5.conf I got the following in my smb log
>and I could not access my samba share...
>
>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> Failed to verify incoming ticket!
>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> Failed to verify incoming ticket!
>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> Failed to verify incoming ticket!
>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> Failed to verify incoming ticket!
>
>Not sure what I am missing, I may just start this whole project over from scratch and see if I have better luck.
>
>
As I stated in my guide,
Note: If you have a server and it isn't a production server, has
nothing of value on it, and you have been stuffing programs on it to get
Samba to work with ADS, but failed, put that 5.3 Release install cd
into the cdrom drive, and reinstall FBSD 5.3 formatting the drives along
the way. Don't bug me if you didn't start with a nice clean install.
Make sure you have the pam.d/login stuff done. Without it pam can't
authenticate non local users.
>
>---------- Original Message ----------------------------------
>From: "Thomas M. Skeren III" <tms3 at fskklaw.com>
>Date: Mon, 20 Dec 2004 17:50:47 -0800
>
>Brian Kesting wrote:
>
>>I am using Suse 9.2 and heimdal 0.6.2
>
>In that case you need:
>
> default_etypes = des-cbc-crc des-cbc-md5
> default_etypes_des = des-cbc-crc des-cbc-md5
>
>In libdefaults. Read my whole response as I made changes throughout
>your krb5.conf file. You may also need a keytab file, but I doubt it.
>
>>---------- Original Message ----------------------------------
>>From: "Thomas M. Skeren III" <tms3 at fskklaw.com>
>>Date: Mon, 20 Dec 2004 17:43:07 -0800
>>
>>Brian Kesting wrote:
>>
>>>My setup looks about identical to the setup you have listed in the link you provided.
>>>
>>>Since this line:
>>>libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>krb5_cc_get_principal failed (No such file or directory)
>>>
>>>keeps appearing in my winbind log file, I am thinking it is a kerberos problem too. Do you see anything wrong with my /etc/krb5.conf file?
>>>
>>>[libdefaults]
>>> default_realm = WAYNE.LOCAL
>>> clockskew = 300
>>>
>>Try adding :
>>
>>dns_lookup_realm = false
>>dns_lookup_kdc = false
>>
>>Also which OS are you using? What Kerberos? The default etypes lines
>>are necessary for Heimdal, but I don't think they are necessary for MIT.
>>
>>>[realms]
>>>WAYNE.LOCAL = {
>>> kdc = police.wayne.local
>>> default_domain = WAYNE.LOCAL
>>> kpasswd_server = police.wayne.local
>>>}
>>>
>>Try:
>>
>>kdc = KERBEROS.WAYNE.LOCAL
>>admin_server = police.wayne.local
>>default_domain = wayne.local
>>
>>>[domain_realm]
>>> .WAYNE.LOCAL = WAYNE.LOCAL
>>>
>>Probably not enough info here. Try: (Remember caps must be in caps).
>>
>>.wayne.local = WAYNE.LOCAL
>>wayne.local = WAYNE.LOCAL
>>.WAYNE.LOCAL = WAYNE.LOCAL
>>kerberos.server = KERBEROS.WAYNE.LOCAL
>>
>>>[appdefaults]
>>>pam = {
>>> ticket_lifetime = 365d
>>> renew_lifetime = 365d
>>> forwardable = true
>>> proxiable = false
>>> retain_after_close = true
>>> minimum_uid = 0
>>>
>>Pam stuff is more OS dependent, so I have no suggestions here. MAKE
>>SURE THAT YOUR SAMBA SERVER IS USING THE W2K ADS SERVER AS DNS----THIS IS
>>ABSOLUTELY CRITICAL.
>>
>>>---------- Original Message ----------------------------------
>>>From: "Thomas M. Skeren III" <tms3 at fskklaw.com>
>>>Date: Mon, 20 Dec 2004 17:16:38 -0800
>>>
>>>Brian Kesting wrote:
>>>
>>>>Someone told me once to try to remove the Samba server from the domain, rename it, and rejoin the domain......would that solve any problems in your opinion?
>>>
>>>That is an odd solution, unless AD is mangled with respect to the samba
>>>server name. Methinks you have a kerberos problem. My servers are
>>>FreeBSD, but I do have a bare bones guide for setting up samba as an AD
>>>member server in FreeBSD. If you use Linux it can only be a reference,
>>>but it's an easy read.
>>>
>>><http://www.fsklaw.com/fbsdconfig.html>
>>>
>>>>---------- Original Message ----------------------------------
>>>>From: "Brian Kesting" <bkesting at cityofwayne.org>
>>>>Reply-To: bkesting at cityofwayne.org
>>>>Date: Mon, 20 Dec 2004 18:05:47 -0600
>>>>
>>>>I read something about nscd causing problems before I even installed the system, so I never even installed that service.
>>>>
>>>>Here is an updated /var/log/samba/log.winbindd file.....btw, thanks for the quick help and tips so far, I appreciate it.
>>>>
>>>>[2004/12/20 17:33:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>[2004/12/20 17:38:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:43:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:45:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>user 'root' does not exist
>>>>[2004/12/20 17:49:01, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:52:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
>>>>ads_search_retry: failed to reconnect (Invalid credentials)
>>>>
>>>>
>>>>---------- Original Message ----------------------------------
>>>>From: Brett Stevens <brett.stevens at hubbub.com.au>
>>>>Date: Tue, 21 Dec 2004 10:33:30 +1100
>>>>
>>>>One thing I noticed when having similar problems is that for some reason
>>>>nscd seems to be a problem. Stop this service and restart all samba services,
>>>>including smbd, nmbd and winbind.
>>>>
>>>>Let us know how it goes.
>>>>
>>>>Brett Stevens
>>>>
>>>>-----Original Message-----
>>>>From: Brian Kesting [mailto:bkesting at cityofwayne.org]
>>>>Sent: Tuesday, December 21, 2004 10:29 AM
>>>>To: samba at lists.samba.org
>>>>Subject: [Samba] winbind problems
>>>>
>>>>
>>>>Hello,
>>>>
>>>>I am running a Samba server (3.0.7) on a Suse 9.2 box. I have connected
>>>>this server successfully to a Windows 2000 Active Directory (mixed mode). I
>>>>have nsswitch.conf, krb5.conf configured and winbind seems to be running
>>>>properly for the most part. With wbinfo I can get all of my user and group
>>>>information. Problem is, it seems that at random times, the samba server
>>>>just stops authenticating the windows user names and accounts. If I restart
>>>>the winbind or smb service, then all seems to be well again for a while.
>>>>Right now the only way I can keep this running is to run a cron job that
>>>>restarts the samba and winbind services every hour. This is really bugging
>>>>me as I cannot figure out what is going on. Can anyone help me? I have
>>>>included some of my configuration and log files below. Thanks in advance.
>>>>
>>>>---------/etc/samba/smb.conf----------
>>>># Samba Configuration File
>>>>
>>>>[global]
>>>> workgroup = WAYNE
>>>> realm = WAYNE.LOCAL
>>>> server string = Samba Server
>>>> security = ADS
>>>> password server = adserver.wayne.local
>>>> encrypt passwords = yes
>>>> idmap uid = 10000-20000
>>>> idmap gid = 10000-20000
>>>> template shell = /bin/bash
>>>> winbind use default domain = no
>>>> winbind separator = /
>>>>
>>>>[users]
>>>> comment = Users on Linux
>>>> path = /home/WAYNE
>>>> read only = No
>>>> browseable = Yes
>>>>
>>>>---------/etc/nsswitch.conf-------
>>>>passwd: files winbind
>>>>group: files winbind
>>>>hosts: files dns wins winbind
>>>>networks: files dns
>>>>
>>>>---------/etc/krb5.conf-----------
>>>>[libdefaults]
>>>> default_realm = WAYNE.LOCAL
>>>> clockskew = 300
>>>>
>>>>[realms]
>>>>WAYNE.LOCAL = {
>>>> kdc = police.wayne.local
>>>> default_domain = WAYNE.LOCAL
>>>> kpasswd_server = adserver.wayne.local
>>>>}
>>>>[domain_realm]
>>>> .WAYNE.LOCAL = WAYNE.LOCAL
>>>>[appdefaults]
>>>>pam = {
>>>> ticket_lifetime = 365d
>>>> renew_lifetime = 365d
>>>> forwardable = true
>>>> proxiable = false
>>>> retain_after_close = true
>>>> minimum_uid = 0
>>>>}
>>>>
>>>>----------/var/log/samba/log.smbd--------
>>>>[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>[2004/12/20 15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>[2004/12/20 15:25:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>[2004/12/20 15:25:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>.
>>>>.
>>>>.
>>>>[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>
>>>>----------/var/log/samba/log.winbindd-------------------
>>>>[2004/12/20 16:51:07, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>[2004/12/20 16:56:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 16:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>user 'root' does not exist
>>>>[2004/12/20 17:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>user 'root' does not exist
>>>>[2004/12/20 17:01:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:06:24, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:11:40, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>
>>>>????
>
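
An added example, not part of the original thread: a small Python parser for Samba log excerpts in the format quoted above. It strips mail quote prefixes, rejoins entries whose header was wrapped across two lines, and groups identical failures by source function so repeated authentication errors and their time window stand out. The function names `parse` and `summarize` are hypothetical, and the sample is built from log lines quoted in the thread.

```python
import re

# Sample built from log lines quoted in the thread (quote prefixes and one
# mail-wrapped header kept on purpose).
SAMPLE = """\
>>>>[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system [2004/12/20
>>>>15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> Failed to verify incoming ticket!
>>>>[2004/12/20 17:33:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>krb5_cc_get_principal failed (No such file or directory)
"""

# Header: [date time, debuglevel] source_file:function(line)
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)")

def parse(text):
    """Return one dict per log entry, tolerating quoting and line wrapping."""
    pieces = (re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    flat = " ".join(" ".join(pieces).split())  # one line, single spaces
    heads = list(HEADER.finditer(flat))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        entries.append({
            "time": m.group(1), "level": int(m.group(2)),
            "source": f"{m.group(3)}:{m.group(4)}", "line": int(m.group(5)),
            "message": flat[m.end():end].strip(),  # empty if entry was cut off
        })
    return entries

def summarize(entries):
    """Group by (source, message); record count and first/last timestamp."""
    groups = {}
    for e in entries:
        g = groups.setdefault((e["source"], e["message"]),
                              {"count": 0, "first": e["time"], "last": e["time"]})
        g["count"] += 1
        g["first"] = min(g["first"], e["time"])  # fixed-width stamps sort as text
        g["last"] = max(g["last"], e["time"])
    return groups

if __name__ == "__main__":
    for (src, msg), g in summarize(parse(SAMPLE)).items():
        print(f'{g["count"]:3d}  {g["first"]} .. {g["last"]}  {src}  {msg}')
```
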