[Samba] Can join ADS domain, all accounts/auth work fine, but leaving domain fails

Mark Casey markc at unifiedgroup.com
Sat Mar 21 15:18:45 GMT 2009



Rob LaRose wrote:
>
> Hi Mark,
>
>     Mind if I ask how you're doing ssh against your Windows AD?  I'm 
> trying to do this now.  I've got a script that joins me to the domain 
> and makes SSH work but not samba.  Then I can do net ads join and 
> samba works but not ssh.  Gotta find the happy medium!
>
>     Are you somehow using samba to auth ssh too?
>
> --Rob LaRose
>    Imaginary Forces
>
>
> On Mar 19, 2009, at 3:19 PM, Mark Casey wrote:
>
>> Hello all,
>>
>> As the subject says, as far as I can tell everything works on my ads 
>> integrated samba server. Domain accounts can be used for ssh, and 
>> accessing shares, I just can't leave the domain. Here is a successful 
>> join command followed by an unsuccessful leave command at debug level 
>> 4. Any ideas?
>>
>> TIA,
>> Mark
>>
>> user at dordal:~$ sudo net ads join -U administrator@MYDOMAIN.COM -d 4
>> [2009/03/19 14:00:07, 3] param/loadparm.c:lp_load(5063)
>> lp_load: refreshing parameters
>> [2009/03/19 14:00:07, 3] param/loadparm.c:init_globals(1448)
>> Initialising global parameters
>> [2009/03/19 14:00:07, 3] param/params.c:pm_process(572)
>> params.c:pm_process() - Processing configuration file 
>> "/etc/samba/smb.conf"
>> [2009/03/19 14:00:07, 3] param/loadparm.c:do_section(3802)
>> Processing section "[global]"
>> doing parameter workgroup = MYDOMAIN
>> doing parameter realm = MYDOMAIN.COM
>> doing parameter security = ADS
>> doing parameter password server = dal-dc1.mydomain.com, 
>> den-dc1.mydomain.com
>> doing parameter client schannel = Yes
>> doing parameter server schannel = Yes
>> doing parameter username map = /etc/samba/smbusers
>> doing parameter obey pam restrictions = Yes
>> doing parameter enable privileges = Yes
>> doing parameter restrict anonymous = 2
>> doing parameter allow trusted domains = No
>> doing parameter lanman auth = No
>> doing parameter ntlm auth = No
>> doing parameter client NTLMv2 auth = Yes
>> doing parameter log level = 1
>> doing parameter syslog = 0
>> doing parameter min protocol = NT1
>> doing parameter client signing = Yes
>> doing parameter server signing = Yes
>> doing parameter load printers = No
>> doing parameter preferred master = No
>> doing parameter local master = No
>> doing parameter domain master = No
>> doing parameter dns proxy = No
>> doing parameter ldap ssl = no
>> doing parameter host msdfs = No
>> doing parameter idmap domains = MYDOMAIN
>> doing parameter idmap alloc backend = ldap
>> doing parameter template shell = /bin/false
>> doing parameter winbind enum users = Yes
>> doing parameter winbind enum groups = Yes
>> doing parameter winbind use default domain = Yes
>> doing parameter winbind refresh tickets = Yes
>> doing parameter idmap alloc config:range = 100000 - 500000
>> doing parameter idmap alloc config:ldap_url = 
>> ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
>> doing parameter idmap alloc config:ldap_user_dn = 
>> cn=idmapmgr,cn=users,dc=mydomain,dc=com
>> doing parameter idmap alloc config:ldap_base_dn = 
>> ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
>> doing parameter idmap config MYDOMAIN:range = 100000 - 500000
>> doing parameter idmap config MYDOMAIN:ldap_url = 
>> ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
>> doing parameter idmap config MYDOMAIN:ldap_user_dn = 
>> cn=idmapmgr,cn=users,dc=mydomain,dc=com
>> doing parameter idmap config MYDOMAIN:ldap_base_dn = 
>> ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
>> doing parameter idmap config MYDOMAIN:backend = ldap
>> doing parameter idmap config MYDOMAIN:default = yes
>> doing parameter hosts allow = 10.0.0.0/255.255.254.0 
>> 10.1.0.0/255.255.254.0
>> doing parameter map acl inherit = No
>> doing parameter hide special files = Yes
>> doing parameter map archive = No
>> doing parameter map readonly = No
>> doing parameter map system = No
>> doing parameter map hidden = No
>> doing parameter ea support = No
>> doing parameter store dos attributes = No
>> doing parameter wide links = No
>> doing parameter follow symlinks = No
>> doing parameter dos filemode = No
>> doing parameter add share command = /etc/samba/command.pl
>> doing parameter delete share command = /etc/samba/command.pl
>> doing parameter change share command = /etc/samba/command.pl
>> [2009/03/19 14:00:07, 4] param/loadparm.c:lp_load(5094)
>> pm_process() returned Yes
>> [2009/03/19 14:00:07, 2] lib/interface.c:add_interface(81)
>> added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
>> [2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(73)
>> ads_dc_name: domain=MYDOMAIN
>> [2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
>> get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, 
>> den-dc1.mydomain.com"
>> [2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
>> get_dc_list: returning 2 ip addresses in an ordered list
>> [2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
>> get_dc_list: 10.0.1.30:389 10.1.1.30:389
>> [2009/03/19 14:00:07, 3] libads/ldap.c:ads_connect(394)
>> Connected to LDAP server 10.0.1.30
>> [2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
>> get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, 
>> den-dc1.mydomain.com"
>> [2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
>> get_dc_list: returning 2 ip addresses in an ordered list
>> [2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
>> get_dc_list: 10.0.1.30:389 10.1.1.30:389
>> [2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
>> get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, 
>> den-dc1.mydomain.com"
>> [2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
>> get_dc_list: returning 2 ip addresses in an ordered list
>> [2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
>> get_dc_list: 10.0.1.30:389 10.1.1.30:389
>> [2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(139)
>> ads_dc_name: using server='DAL-DC1.MYDOMAIN.COM' IP=10.0.1.30
>> administrator@MYDOMAIN.COM's password:
>> [2009/03/19 14:00:14, 3] libsmb/namequery.c:get_dc_list(1489)
>> get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, 
>> den-dc1.mydomain.com"
>> [2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1599)
>> get_dc_list: returning 2 ip addresses in an ordered list
>> [2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1600)
>> get_dc_list: 10.0.1.30:389 10.1.1.30:389
>> [2009/03/19 14:00:14, 3] libads/ldap.c:ads_connect(394)
>> Connected to LDAP server 10.0.1.30
>> [2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
>> time offset is 0 seconds
>> [2009/03/19 14:00:14, 4] libads/sasl.c:ads_sasl_bind(587)
>> Found SASL mechanism GSS-SPNEGO
>> [2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
>> [2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
>> [2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
>> [2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
>> [2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
>> ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
>> [2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache 
>> found)
>> [2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] 
>> expiration Fri, 20 Mar 2009 00:00:14 CDT
>> [2009/03/19 14:00:14, 3] libsmb/namequery.c:get_dc_list(1489)
>> get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, 
>> den-dc1.mydomain.com"
>> [2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1599)
>> get_dc_list: returning 2 ip addresses in an ordered list
>> [2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1600)
>> get_dc_list: 10.0.1.30:389 10.1.1.30:389
>> [2009/03/19 14:00:14, 3] libads/ldap.c:ads_connect(394)
>> Connected to LDAP server 10.0.1.30
>> [2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
>> time offset is 0 seconds
>> [2009/03/19 14:00:14, 4] libads/sasl.c:ads_sasl_bind(587)
>> Found SASL mechanism GSS-SPNEGO
>> [2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
>> [2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
>> [2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
>> [2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
>> [2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
>> ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
>> [2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] 
>> expiration Fri, 20 Mar 2009 00:00:14 CDT
>> [2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_start_connection(1556)
>> Connecting to host=DAL-DC1.mydomain.com
>> [2009/03/19 14:00:14, 3] lib/util_sock.c:open_socket_out(866)
>> Connecting to 10.0.1.30 at port 445
>> [2009/03/19 14:00:14, 3] 
>> libsmb/cliconnect.c:cli_session_setup_spnego(795)
>> Doing spnego session setup (blob length=113)
>> [2009/03/19 14:00:14, 3] 
>> libsmb/cliconnect.c:cli_session_setup_spnego(820)
>> got OID=1 2 840 48018 1 2 2
>> [2009/03/19 14:00:14, 3] 
>> libsmb/cliconnect.c:cli_session_setup_spnego(820)
>> got OID=1 2 840 113554 1 2 2
>> [2009/03/19 14:00:14, 3] 
>> libsmb/cliconnect.c:cli_session_setup_spnego(820)
>> got OID=1 2 840 113554 1 2 2 3
>> [2009/03/19 14:00:14, 3] 
>> libsmb/cliconnect.c:cli_session_setup_spnego(820)
>> got OID=1 3 6 1 4 1 311 2 2 10
>> [2009/03/19 14:00:14, 3] 
>> libsmb/cliconnect.c:cli_session_setup_spnego(828)
>> got principal=dal-dc1$@MYDOMAIN.COM
>> [2009/03/19 14:00:14, 2] 
>> libsmb/cliconnect.c:cli_session_setup_kerberos(615)
>> Doing kerberos session setup
>> [2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] 
>> expiration Fri, 20 Mar 2009 00:00:14 CDT
>> [2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
>> rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \lsarpc fnum 
>> 0x10 bind request returned ok.
>> [2009/03/19 14:00:14, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
>> lsa_io_sec_qos: length c does not match size 8
>> [2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
>> rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \samr fnum 
>> 0x1e bind request returned ok.
>> Using short domain name -- MYDOMAIN
>> [2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_start_connection(1556)
>> Connecting to host=DAL-DC1.mydomain.com
>> [2009/03/19 14:00:14, 3] lib/util_sock.c:open_socket_out(866)
>> Connecting to 10.0.1.30 at port 445
>> [2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
>> rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \NETLOGON 
>> fnum 0x400a bind request returned ok.
>> [2009/03/19 14:00:14, 4] 
>> rpc_client/cli_netlogon.c:rpccli_net_req_chal(46)
>> cli_net_req_chal: LSA Request Challenge from DORDAL to 
>> \\DAL-DC1.mydomain.com
>> [2009/03/19 14:00:14, 4] rpc_client/cli_netlogon.c:rpccli_net_auth2(170)
>> cli_net_auth2: srv:\\DAL-DC1.mydomain.com acct:DORDAL$ sc:2 mc: 
>> DORDAL neg: 600fffff
>> [2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
>> rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \NETLOGON 
>> fnum 0x400b bind request returned ok.
>> [2009/03/19 14:00:14, 3] libads/ldap.c:ads_domain_func_level(2471)
>> ads_domain_func_level: 2
>> [2009/03/19 14:00:14, 3] 
>> libads/kerberos.c:kerberos_secrets_store_des_salt(337)
>> kerberos_secrets_store_des_salt: Storing salt 
>> "host/dordal.mydomain.com@MYDOMAIN.COM"
>> [2009/03/19 14:00:14, 4] libads/dns.c:ads_dns_lookup_ns(508)
>> ads_dns_lookup_ns: 2 records returned in the answer section.
>> Joined 'DORDAL' to realm 'MYDOMAIN.COM'
>> [2009/03/19 14:00:14, 2] utils/net.c:main(1046)
>> return code = 0
>>
>>
>>
>>
>> user at dordal:~$ sudo net ads leave -U administrator@MYDOMAIN.COM -d 4
>> [2009/03/19 14:02:44, 3] param/loadparm.c:lp_load(5063)
>> lp_load: refreshing parameters
>> [2009/03/19 14:02:44, 3] param/loadparm.c:init_globals(1448)
>> Initialising global parameters
>> [2009/03/19 14:02:44, 3] param/params.c:pm_process(572)
>> params.c:pm_process() - Processing configuration file 
>> "/etc/samba/smb.conf"
>> [2009/03/19 14:02:44, 3] param/loadparm.c:do_section(3802)
>> Processing section "[global]"
>> doing parameter workgroup = MYDOMAIN
>> doing parameter realm = MYDOMAIN.COM
>> doing parameter security = ADS
>> doing parameter password server = dal-dc1.MYDOMAIN.com, 
>> den-dc1.MYDOMAIN.com
>> doing parameter client schannel = Yes
>> doing parameter server schannel = Yes
>> doing parameter username map = /etc/samba/smbusers
>> doing parameter obey pam restrictions = Yes
>> doing parameter enable privileges = Yes
>> doing parameter restrict anonymous = 2
>> doing parameter allow trusted domains = No
>> doing parameter lanman auth = No
>> doing parameter ntlm auth = No
>> doing parameter client NTLMv2 auth = Yes
>> doing parameter log level = 1
>> doing parameter syslog = 0
>> doing parameter min protocol = NT1
>> doing parameter client signing = Yes
>> doing parameter server signing = Yes
>> doing parameter load printers = No
>> doing parameter preferred master = No
>> doing parameter local master = No
>> doing parameter domain master = No
>> doing parameter dns proxy = No
>> doing parameter ldap ssl = no
>> doing parameter host msdfs = No
>> doing parameter idmap domains = MYDOMAIN
>> doing parameter idmap alloc backend = ldap
>> doing parameter template shell = /bin/false
>> doing parameter winbind enum users = Yes
>> doing parameter winbind enum groups = Yes
>> doing parameter winbind use default domain = Yes
>> doing parameter winbind refresh tickets = Yes
>> doing parameter idmap alloc config:range = 100000 - 500000
>> doing parameter idmap alloc config:ldap_url = 
>> ldap://dal-dc1.MYDOMAIN.com ldap://den-dc1.MYDOMAIN.com
>> doing parameter idmap alloc config:ldap_user_dn = 
>> cn=idmapmgr,cn=users,dc=MYDOMAIN,dc=com
>> doing parameter idmap alloc config:ldap_base_dn = 
>> ou=idmap,dc=sambaidmap,dc=MYDOMAIN,dc=com
>> doing parameter idmap config MYDOMAIN:range = 100000 - 500000
>> doing parameter idmap config MYDOMAIN:ldap_url = 
>> ldap://dal-dc1.MYDOMAIN.com ldap://den-dc1.MYDOMAIN.com
>> doing parameter idmap config MYDOMAIN:ldap_user_dn = 
>> cn=idmapmgr,cn=users,dc=MYDOMAIN,dc=com
>> doing parameter idmap config MYDOMAIN:ldap_base_dn = 
>> ou=idmap,dc=sambaidmap,dc=MYDOMAIN,dc=com
>> doing parameter idmap config MYDOMAIN:backend = ldap
>> doing parameter idmap config MYDOMAIN:default = yes
>> doing parameter hosts allow = 10.0.0.0/255.255.254.0 
>> 10.1.0.0/255.255.254.0
>> doing parameter map acl inherit = No
>> doing parameter hide special files = Yes
>> doing parameter map archive = No
>> doing parameter map readonly = No
>> doing parameter map system = No
>> doing parameter map hidden = No
>> doing parameter ea support = No
>> doing parameter store dos attributes = No
>> doing parameter wide links = No
>> doing parameter follow symlinks = No
>> doing parameter dos filemode = No
>> doing parameter add share command = /etc/samba/command.pl
>> doing parameter delete share command = /etc/samba/command.pl
>> doing parameter change share command = /etc/samba/command.pl
>> [2009/03/19 14:02:44, 4] param/loadparm.c:lp_load(5094)
>> pm_process() returned Yes
>> [2009/03/19 14:02:44, 2] lib/interface.c:add_interface(81)
>> added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
>> administrator@MYDOMAIN.COM's password:
>> [2009/03/19 14:02:47, 3] libsmb/namequery.c:get_dc_list(1489)
>> get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com, 
>> den-dc1.MYDOMAIN.com"
>> [2009/03/19 14:02:47, 4] libsmb/namequery.c:get_dc_list(1599)
>> get_dc_list: returning 2 ip addresses in an ordered list
>> [2009/03/19 14:02:47, 4] libsmb/namequery.c:get_dc_list(1600)
>> get_dc_list: 10.0.1.30:389 10.1.1.30:389
>> [2009/03/19 14:02:47, 3] libads/ldap.c:ads_connect(394)
>> Connected to LDAP server 10.0.1.30
>> [2009/03/19 14:02:47, 4] libads/ldap.c:ads_current_time(2414)
>> time offset is 0 seconds
>> [2009/03/19 14:02:47, 4] libads/sasl.c:ads_sasl_bind(587)
>> Found SASL mechanism GSS-SPNEGO
>> [2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
>> [2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
>> [2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
>> [2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
>> [2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
>> ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
>> [2009/03/19 14:02:47, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache 
>> found)
>> [2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
>> ads_krb5_mk_req: krb5_get_credentials failed for 
>> dal-dc1$@MYDOMAIN.COM (Ticket not yet valid)
>> [2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet 
>> valid
>> [2009/03/19 14:02:48, 3] libsmb/namequery.c:get_dc_list(1489)
>> get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com, 
>> den-dc1.MYDOMAIN.com"
>> [2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1599)
>> get_dc_list: returning 2 ip addresses in an ordered list
>> [2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1600)
>> get_dc_list: 10.0.1.30:389 10.1.1.30:389
>> [2009/03/19 14:02:48, 3] libads/ldap.c:ads_connect(394)
>> Connected to LDAP server 10.0.1.30
>> [2009/03/19 14:02:48, 4] libads/ldap.c:ads_current_time(2414)
>> time offset is 0 seconds
>> [2009/03/19 14:02:48, 4] libads/sasl.c:ads_sasl_bind(587)
>> Found SASL mechanism GSS-SPNEGO
>> [2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
>> [2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
>> [2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
>> [2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
>> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
>> [2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
>> ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
>> [2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
>> ads_krb5_mk_req: krb5_get_credentials failed for 
>> dal-dc1$@MYDOMAIN.COM (Ticket not yet valid)
>> [2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
>> ads_krb5_mk_req: krb5_get_credentials failed for 
>> dal-dc1$@MYDOMAIN.COM (Ticket not yet valid)
>> [2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet 
>> valid
>> [2009/03/19 14:02:48, 2] utils/net.c:main(1046)
>> return code = -1
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>

Rob,

I just added winbind to pam. If you search for "add winbind pam" or 
something like that, you'll probably find it. I'm short on time at the 
moment... but the main things I can remember for this are the parameter 
(something like) "obey pam restrictions=yes", then also setting the 
default shell parameter in smb.conf, and making sure the pam module that 
makes home directories is in place, and maybe add users to sudo if 
needed. Let me know if that isn't enough to get it for you and I can 
send some of what I've got in my configs.

ty,
Mark
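The two debug runs quoted above differ in exactly one place: the join gets a usable ticket, the leave does a fresh kinit and then fails with "Ticket not yet valid" (KRB5KRB_AP_ERR_TKT_NYV) although Samba measured a zero clock offset against the LDAP server moments earlier. The script below is an added example for triaging that kind of `net ads -d 4` output; it is not Mark's code and not part of Samba. It parses the `[date time, level] origin` header that precedes each message, re-joins lines that the mail client wrapped, extracts ticket expirations, the measured offset and the krb5 error text, and maps the error to its symbolic code and the usual cause. The two sample logs are condensed from the runs in the thread and embedded as constructed strings; the "usual cause" text for each code is general Kerberos knowledge, not something the thread establishes.

```python
"""Triage `net ads ... -d 4` output for Kerberos failures (added example, not
code from the thread or from Samba). Parses the "[date time, level] origin"
header preceding each debug message, joins mail-wrapped continuation lines,
and reports ticket lifetimes, the LDAP-measured clock offset and krb5 errors."""
import re
from datetime import datetime

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (.*)$")
EXPIRY_RE = re.compile(r"expiration (\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})")
OFFSET_RE = re.compile(r"time offset is (-?\d+) seconds")
RC_RE = re.compile(r"return code = (-?\d+)")
CLOCKSKEW = 300  # MIT/Heimdal default tolerance, seconds

# krb5 error text as Samba prints it -> (symbolic code, usual cause)
KRB5_CAUSES = {
    "Ticket not yet valid": ("KRB5KRB_AP_ERR_TKT_NYV",
                             "ticket start time is ahead of the local clock by more than clockskew"),
    "Clock skew too great": ("KRB5KRB_AP_ERR_SKEW",
                             "client and KDC clocks differ by more than clockskew"),
    "Ticket expired": ("KRB5KRB_AP_ERR_TKT_EXPIRED",
                       "cached ticket past its end time; re-kinit or let winbind refresh it"),
}


def parse_records(text):
    """Split debug output into {ts, level, origin, msg} records. Non-header lines
    (message text, wrapped continuations, prompts) are joined onto the current
    record; leading '>' quote marks are dropped so archive pastes parse too."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append({"ts": ts, "level": int(m.group(2)),
                            "origin": m.group(3), "msg": ""})
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records


def kerberos_failures(records):
    """Records whose message carries a known krb5 error string."""
    hits = []
    for rec in records:
        for text, (code, cause) in KRB5_CAUSES.items():
            if text in rec["msg"]:
                hits.append({"ts": rec["ts"], "origin": rec["origin"],
                             "code": code, "cause": cause})
                break
    return hits


def ticket_lifetimes(records):
    """(log time, expiration, lifetime) per 'Ticket in ccache ... expiration' line.
    Both stamps are client local time, so the difference is the ticket life as
    the client sees it (10 h is Active Directory's default maximum)."""
    out = []
    for rec in records:
        m = EXPIRY_RE.search(rec["msg"])
        if m:
            exp = datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S")
            out.append((rec["ts"], exp, exp - rec["ts"]))
    return out


def triage(text):
    """Summarise one run: return code, krb5 failures, measured clock offsets,
    ticket lifetimes, and a note when a skew-class error contradicts the offset."""
    records = parse_records(text)
    failures = kerberos_failures(records)
    # "for m in [search] if m" keeps only records where the regex matched
    offsets = [int(m.group(1)) for rec in records
               for m in [OFFSET_RE.search(rec["msg"])] if m]
    rcs = [int(m.group(1)) for rec in records for m in [RC_RE.search(rec["msg"])] if m]
    notes = []
    skew_codes = {"KRB5KRB_AP_ERR_TKT_NYV", "KRB5KRB_AP_ERR_SKEW"}
    if {f["code"] for f in failures} & skew_codes and offsets \
            and max(abs(o) for o in offsets) < CLOCKSKEW:
        notes.append("skew-class krb5 error although the offset measured against the "
                     "LDAP server was within tolerance: the KDC that issued the ticket "
                     "(krb5.conf / DNS SRV) may not be the DC the offset was taken from")
    return {"return_code": rcs[-1] if rcs else None, "failures": failures,
            "offsets": offsets, "lifetimes": ticket_lifetimes(records), "notes": notes}


# Constructed samples, condensed from the two runs in the thread (wrapped lines kept)
JOIN_LOG = """
[2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 2] utils/net.c:main(1046)
return code = 0
"""
LEAVE_LOG = """
[2009/03/19 14:02:47, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for
dal-dc1$@MYDOMAIN.COM (Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet
valid
[2009/03/19 14:02:48, 2] utils/net.c:main(1046)
return code = -1
"""

if __name__ == "__main__":
    for name, log in (("join", JOIN_LOG), ("leave", LEAVE_LOG)):
        print(name, triage(log))
```

Run against the thread's own output the join reports a 10-hour ticket (issued 14:00:14, expiring 00:00:14 the next day, the AD default) and no errors, while the leave reports two TKT_NYV hits, a measured offset of 0 seconds and the note above. That note is the point of the check: a "not yet valid" ticket right after a successful kinit is a clock problem on the Kerberos side, and the zero offset was measured against the LDAP server 10.0.1.30 over LDAP, not against whichever KDC answered the kinit. `net ads info` prints the KDC Samba would use alongside the server time offset, and comparing that with the `kdc` entries in krb5.conf is the quickest way to see whether the two paths reach the same DC.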


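The PAM side of what Mark describes, written out as an added example rather than his actual configuration: the file names follow the Debian/Ubuntu `common-*` layout (an assumption; other distributions use `system-auth` or per-service files), and `linux-ssh-users` is a placeholder group name. Note that the smb.conf quoted above carries `template shell = /bin/false`, which is exactly the "default shell parameter" Mark says he had to change before SSH logins for domain accounts could get a shell.

```text
# /etc/nsswitch.conf -- sshd resolves the account through NSS before PAM runs,
# so winbind has to be here or the user is "unknown" regardless of PAM
passwd:         files winbind
group:          files winbind

# /etc/pam.d/common-auth -- krb5_auth + a ccache lets "winbind refresh tickets"
# (already set in the posted smb.conf) keep the user's TGT alive;
# require_membership_of limits which domain users can log in at all
auth    sufficient  pam_winbind.so krb5_auth krb5_ccache_type=FILE require_membership_of=MYDOMAIN\linux-ssh-users
auth    required    pam_unix.so use_first_pass

# /etc/pam.d/common-account -- "obey pam restrictions = Yes" makes smbd honour this too
account sufficient  pam_winbind.so
account required    pam_unix.so

# /etc/pam.d/common-session -- create the home directory on first login;
# umask=0077 keeps it private rather than the module's default 0022
session required    pam_mkhomedir.so skel=/etc/skel umask=0077
session required    pam_unix.so

# /etc/samba/smb.conf [global] additions (replace template shell = /bin/false)
template shell   = /bin/bash
template homedir = /home/%D/%U
```

Two things worth checking once this is in place: `getent passwd 'MYDOMAIN\someuser'` must return a line with the template shell and homedir before SSH is tried, otherwise the failure is in NSS rather than PAM; and with `winbind use default domain = Yes` the account also resolves as plain `someuser`, so any local account of the same name wins the `files` lookup first.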