[Samba] re: Samba + Winbind + SuSE Linux AD auth not working

Dave aixenv at yahoo.com
Fri Mar 23 20:59:53 GMT 2007


OK, here's the situation: I've done this on 7 servers, all the same, either SLES 9 or 10, and all those work. I have a problem server though which is SLES v9 (same versions of all daemons/services that would be used) and this one just won't allow AD auth to work.

I can restart all smb, nmb, winbind, and ssh servers with no errors.

*Note: all the needed configuration file snippets are at the end of this message.


OK, when I try and join my domain/workgroup I get the following output:

SERVER1:/etc/ssh # net join -w WORKGROUP -U USERNAME -S ADserver.mydomain.net
USERNAME's password:
[2007/03/22 13:18:41, 0] libads/ldap.c:ads_add_machine_acct(1400)
  ads_add_machine_acct: Host account for server1 already exists - modifying old account
ads_set_machine_password: Message stream modified
ADS join did not work, falling back to RPC...
Joined domain WORKGROUP.

Looks to me like it worked; then I do the following:

# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
Could not check secret

I try just doing:

SERVER1:/etc/ssh # net join -U username
[2007/03/22 13:20:39, 0] libads/ldap.c:ads_add_machine_acct(1400)
  ads_add_machine_acct: Host account for server1 already exists - modifying old account
ads_set_machine_password: Message stream modified
ADS join did not work, falling back to RPC...

Unable to find a suitable server

Then I try again and get:

SERVER1:/etc/ssh # net join -U username -S myserver.domain.net
username's password:
[2007/03/22 13:24:08, 0] libads/ldap.c:ads_add_machine_acct(1400)
  ads_add_machine_acct: Host account for server1 already exists - modifying old account
ads_set_machine_password: Message stream modified
ADS join did not work, falling back to RPC...
Joined domain MYDOMAIN.
SERVER1:/etc/ssh # wbinfo -t 
checking the trust secret via RPC calls succeeded 
SERVER1:/etc/ssh # wbinfo -m 
server1 
BUILTIN 
EXCHREC 
SERVER1:/etc/ssh # wbinfo -u|grep username 
username 
SERVER1:/etc/ssh # wbinfo -g|grep AppDev 
AppDev 
SQLAppDev 
SERVER1:/etc/ssh # 

Then a few minutes later I do a wbinfo -t and get:

checking the trust secret via RPC calls failed
error code was NT_STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
Could not check secret

ANY IDEAS? I set up a completely new server to test my way of setting up AD auth/Linux and it worked first time off; the problem is this is a production server so I can't just restart it. Any ideas/thoughts are appreciated, thanks.

================================================= 
The relevant part of my smb.conf looks like this:

[global] 
        workgroup = MYWORKGROUP 
        printing = cups 
        printcap name = cups 
        printcap cache time = 750 
        cups options = raw 
        printer admin = @ntadmin, root, administrator 
        username map = /etc/samba/smbusers 
        map to guest = Bad User 
        template shell = /bin/bash 
        template homedir = /home/%D/%U 
        encrypt passwords = yes 
        domain logons = no 
        idmap gid = 10000-200000 
        idmap uid = 10000-200000 
        ldap idmap suffix = ou=Idmap 
        ldap machine suffix = ou=Computers 
        local master = yes 
        domain master = false 
        preferred master = auto 
        ldap suffix = dc=mydomain,dc=net 
        wins server = 1.2.3.4 
        wins support = no 
        netbios name = server1 
        realm = MYDOMAIN.NET 
        security = ADS 
        winbind enum users = yes 
        winbind enum groups = yes 
        password server = my.server.net 
        winbind use default domain = Yes 
        log level = 10 
        log file = /var/log/samba/log.%m 
        obey pam restrictions = Yes 

The krb5.conf looks like so:

[libdefaults] 
        clockskew = 300 
        default_realm = MYDOMAIN.NET 

[realms] 
MYDOMAIN.NET = { 
        kdc = server.mydomain.net 
        default_domain = mydomain.net 
        kpasswd_server = server.mydomain.net 
        admin_server = server.mydomain.net 
} 

[domain_realm] 
        .MYDOMAIN.NET = MYDOMAIN.NET 
        .mydomain.net = MYDOMAIN.NET 
[logging] 
        default = SYSLOG:NOTICE:DAEMON 
        kdc = FILE:/var/log/kdc.log 
        kadmind = FILE:/var/log/kadmind.log 

[appdefaults] 
pam = { 
        ticket_lifetime = 1d 
        renew_lifetime = 1d 
        forwardable = true 
        proxiable = false 
        retain_after_close = false 
        minimum_uid = 0 
        debug = false 
        try_first_pass = true
}

 
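The outputs quoted in the post (an ADS join that reports "Message stream modified", falls back to RPC and then prints "Joined domain", followed by a wbinfo -t that alternates between success and NT_STATUS_MORE_PROCESSING_REQUIRED) are the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from the post or from Samba: it classifies net join and wbinfo -t output (separating the Kerberos-level error from the RPC fallback result, since "Message stream modified" is libkrb5's text for KRB_AP_ERR_MODIFIED), extracts the NT_STATUS code, and cross-checks the smb.conf/krb5.conf settings an ADS join depends on (security = ADS, an upper-case realm that matches default_realm, a [realms] entry, a [domain_realm] mapping, and a clock offset within clockskew). The sample outputs and config fragments are constructed from the post, and every function name is my own.

```python
import re

# Constructed `net join` output, modelled on the post; "Message stream modified"
# is libkrb5's text for KRB_AP_ERR_MODIFIED, after which `net` falls back to RPC.
NET_JOIN_RPC_FALLBACK = """\
[2007/03/22 13:24:08, 0] libads/ldap.c:ads_add_machine_acct(1400)
  ads_add_machine_acct: Host account for server1 already exists - modifying old account
ads_set_machine_password: Message stream modified
ADS join did not work, falling back to RPC...
Joined domain MYDOMAIN.
"""
# Constructed `wbinfo -t` output, modelled on the post.
WBINFO_T_FAILED = """\
checking the trust secret via RPC calls failed
error code was NT_STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
Could not check secret
"""
# Constructed minimal configs, a subset of the parameters in the post.
SMB_CONF = """\
[global]
        realm = MYDOMAIN.NET
        security = ADS
"""
KRB5_CONF = """\
[libdefaults]
        clockskew = 300
        default_realm = MYDOMAIN.NET
[realms]
MYDOMAIN.NET = {
}
[domain_realm]
        .mydomain.net = MYDOMAIN.NET
"""

def classify_join(output):
    """method 'ads' (Kerberos/LDAP join), 'rpc' (RPC join or fallback) or 'failed'."""
    result = {"method": "failed", "domain": None, "kerberos_error": None}
    m = re.search(r"^ads_set_machine_password: (.+)$", output, re.M)
    if m:
        result["kerberos_error"] = m.group(1).strip()
    # Success lines as printed by Samba 3.x: ADS join first, then RPC join.
    m = re.search(r"^Joined '[^']+' to (?:realm|dns domain) '([^']+)'", output, re.M)
    if m:
        result.update(method="ads", domain=m.group(1))
        return result
    m = re.search(r"^Joined domain (\S+?)\.?$", output, re.M)
    if m:
        result.update(method="rpc", domain=m.group(1))
    return result

def parse_wbinfo_t(output):
    """(ok, nt_status_name, nt_status_code) from `wbinfo -t` output."""
    if "succeeded" in output:
        return True, None, None
    m = re.search(r"error code was (NT_STATUS_\w+) \((0x[0-9a-fA-F]+)\)", output)
    return (False, m.group(1), int(m.group(2), 16)) if m else (False, None, None)

def _sections(text):
    """{section: [non-comment lines]} for smb.conf/krb5.conf-style files."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None and line and not line.startswith((";", "#")):
            sections[current].append(line)
    return sections

def _keyvals(lines):
    """'key = value' -> dict; keys lower-cased, spaces removed (Samba's rule)."""
    pairs = (ln.split("=", 1) for ln in lines if "=" in ln)
    return {k.strip().lower().replace(" ", ""): v.strip() for k, v in pairs}

def check_ads_config(smb_conf, krb5_conf):
    """Warnings for settings that break a `security = ADS` join."""
    smb = _keyvals(_sections(smb_conf).get("global", []))
    krb = _sections(krb5_conf)
    realms = set(re.findall(r"^(\S+)\s*=\s*\{", "\n".join(krb.get("realms", [])), re.M))
    warnings = []
    if smb.get("security", "").lower() != "ads":
        warnings.append("smb.conf: security must be ADS for a Kerberos join")
    realm = smb.get("realm")
    if not realm:
        return warnings + ["smb.conf: realm is not set"]
    if realm != realm.upper():
        warnings.append("smb.conf: realm should be the upper-case Kerberos realm")
    if _keyvals(krb.get("libdefaults", [])).get("default_realm") != realm:
        warnings.append("krb5.conf: default_realm does not match smb.conf realm")
    if realm not in realms:
        warnings.append("krb5.conf: no [realms] entry for " + realm)
    if "." + realm.lower() not in _keyvals(krb.get("domain_realm", [])):
        warnings.append("krb5.conf: no [domain_realm] mapping for ." + realm.lower())
    return warnings

def clock_skew_ok(offset_seconds, krb5_conf):
    """True if a measured DC clock offset is within krb5.conf clockskew (300 s default)."""
    skew = _keyvals(_sections(krb5_conf).get("libdefaults", [])).get("clockskew", 300)
    return abs(offset_seconds) <= int(skew)
```

Run classify_join over captured net join output and alert when method is "rpc" with a non-empty kerberos_error: that is a host that joined without Kerberos working, which is easy to miss because the last line still says "Joined domain". parse_wbinfo_t gives you the NT_STATUS name and numeric code to log or compare over time, and check_ads_config is the first thing to run on a host whose join behaves differently from its siblings, before anything on the domain side is suspected.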