[Samba] winbind doing dns on short domain

Jim Kusznir jkusznir at gmail.com
Wed Mar 10 19:19:56 MST 2010


Hi all:

I'm building an authentication infrastructure for combined windows
plus linux clients.  To that end, I have a Win Server 2008r2 ADS and a
win svr 2008r2 client, and an ubuntu 9.10 client running the default
samba + winbind (whatever is in their production repos).

I had it 95% working this morning...Then all of a sudden, all winbind
queries died.  No idea why.  I spent the entire day debugging it, and
I finally found out what it's doing:  Its DNS requests for the
_kerberos... host are using the short domain, not the FQDN:

16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV?
_kerberos._tcp.CASAS. (38)

(domain is CASAS.WSU.EDU).  I can do a DNS lookup with the FQDN, and
it works fine, but the short name definitely does NOT work.  I've even
modified /etc/resolv.conf to directly query the Windows DNS server
that is serving up casas.wsu.edu (which the normal production DNS
server is set to delegate to).  DNS queries for any of the magic
entries in proper form do work (with the exception of reverse resolution
of the Linux host itself -- it returns a different domain name when
querying the correct servers).

I've gone through both /etc/krb5.conf and smb.conf; there are now NO
occurrences of the short domain name in there.  (I even changed
"workgroup" in smb.conf to the FQDN, as that was the last remaining
occurrence.)  Keep in mind that winbind was working fine with no edits
to either file yesterday and early this morning; no changes had
occurred anywhere on that line...all I did was tweak PAM files to try
and correct a different problem.

Here are my config files:

------ smb.conf ------
[global]
   workgroup = CASAS.WSU.EDU
   server string = %h Ubuntu Termserver
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   realm = CASAS.WSU.EDU
   password server = 192.168.3.16
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap backend = rid:CASAS.WSU.EDU=10000-20000
   allow trusted domains = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   restrict anonymous = 2
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
------------------------
/etc/krb5.conf
------------------------
[libdefaults]
	default_realm = CASAS.WSU.EDU
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	CASAS.WSU.EDU = {
		kdc = ad1.casas.wsu.edu:88
		admin_server = ad1.casas.wsu.edu
		default_domain = casas.wsu.edu
	}

[domain_realm]
	.casas.wsu.edu = CASAS.WSU.EDU
	casas.wsu.edu = CASAS.WSU.EDU
[login]
	krb4_convert = true
	krb4_get_tickets = false
-------------------------
And here's a tcpdump done filtering on port 53 during a winbind restart:
-------------------------
16:03:37.399967 IP 192.168.3.11.49438 > 192.168.3.16.53: 3748+ A?
AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.49438: 3748* 1/0/0 A[|domain]
16:03:37.399967 IP 192.168.3.11.43851 > 192.168.3.16.53: 27311+ A?
AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.43851: 27311* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.40739 > 192.168.3.16.53: 46827+ A?
ad1.casas.wsu.edu. (35)
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.40739: 46827* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.54465 > 192.168.3.16.53: 44669+[|domain]
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.54465: 44669
NXDomain*[|domain]
16:03:37.429967 IP 192.168.3.11.57928 > 192.168.3.16.53: 58938+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.57928: 58938
NXDomain*[|domain]
16:03:37.439967 IP 192.168.3.11.45449 > 192.168.3.16.53: 58085+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.45449: 58085
NXDomain*[|domain]
16:03:37.439967 IP 192.168.3.11.58599 > 192.168.3.16.53: 64069+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.58599: 64069
NXDomain*[|domain]
16:03:37.449967 IP 192.168.3.11.35620 > 192.168.3.16.53: 52173+ A?
ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.35620: 52173* 1/0/0 A[|domain]
16:03:37.449967 IP 192.168.3.11.58933 > 192.168.3.16.53: 27556+ A?
ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.58933: 27556* 1/0/0 A[|domain]
16:03:37.449967 IP 192.168.3.11.36892 > 192.168.3.16.53: 12188+[|domain]
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.36892: 12188
NXDomain*[|domain]
16:03:37.459967 IP 192.168.3.11.59294 > 192.168.3.16.53: 12121+ A?
ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.59294: 12121* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.59240 > 192.168.3.16.53: 54066+ A?
ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.59240: 54066* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.56838 > 192.168.3.16.53: 48561+[|domain]
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.56838: 48561
NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.55189 > 192.168.3.16.53: 33246+ A?
ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.55189: 33246* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.52539 > 192.168.3.16.53: 19873+ A?
ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.52539: 19873* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.38806 > 192.168.3.16.53: 15173+[|domain]
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.38806: 15173
NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.39860 > 192.168.3.16.53: 19200+ SRV?
_kerberos._udp.CASAS. (38)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.39860: 19200
NXDomain 0/1/0 (113)
16:03:37.469967 IP 192.168.3.11.40215 > 192.168.3.16.53: 12115+ SRV?
_kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.40215: 12115
NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.42234 > 192.168.3.16.53: 2986+ A?
ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.42234: 2986* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.53553 > 192.168.3.16.53: 13263+ A?
ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.53553: 13263* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.49456 > 192.168.3.16.53: 38656+[|domain]
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.49456: 38656
NXDomain*[|domain]
16:03:37.479967 IP 192.168.3.11.56202 > 192.168.3.16.53: 7957+ SRV?
_kerberos._udp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.56202: 7957 NXDomain
0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV?
_kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.38775: 44000
NXDomain 0/1/0 (113)
--------------------
Here's a chunk from the winbindd log:
--------------------
[2010/03/10 16:04:22,  0] winbindd/winbindd.c:190(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2010/03/10 16:04:24,  0] winbindd/winbindd.c:1244(main)
  winbindd version 3.4.0 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/03/10 16:04:24,  0]
winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with
version number 1
[2010/03/10 16:04:24,  0] winbindd/winbindd_util.c:782(init_domain_list)
  Could not fetch our SID - did we join?
[2010/03/10 16:04:24,  0] winbindd/winbindd.c:1385(main)
  unable to initialize domain list
-----------------------

Where is the problem / how do I fix this?

Thanks!
--Jim
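The capture in the post, worked through as an added example that is not part of the original post and is not Samba code: the script below does mechanically what the post did by eye. It re-joins tcpdump records that the mail client wrapped, pairs each DNS query with its reply by transaction ID, and flags SRV lookups whose zone is a single NetBIOS-style label (CASAS) rather than the realm casas.wsu.edu or a subdomain of it (such as dc._msdcs.casas.wsu.edu, which is the generalization AD clients actually query). The realm constant is taken from the post; the sample capture is a subset of the post's own tcpdump lines, embedded as constructed input so the script runs offline.

```python
"""Flag winbind/Kerberos SRV lookups that use a short (single-label) domain
instead of the realm FQDN, from tcpdump's port-53 text output.

Added example, not from the original post or from Samba.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the Kerberos realm / AD DNS domain named in the post.
REALM = "casas.wsu.edu"

# Constructed sample: a subset of the post's capture, keeping the mail-wrapped
# continuation lines and one record tcpdump could not decode ("[|domain]").
SAMPLE = """\
16:03:37.399967 IP 192.168.3.11.49438 > 192.168.3.16.53: 3748+ A?
AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.49438: 3748* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.54465 > 192.168.3.16.53: 44669+[|domain]
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.54465: 44669
NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.39860 > 192.168.3.16.53: 19200+ SRV?
_kerberos._udp.CASAS. (38)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.39860: 19200
NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV?
_kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.38775: 44000
NXDomain 0/1/0 (113)
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
# "<ts> IP <src> > <dst>: <id>+ <QTYPE>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"^\S+ IP \S+ > \S+: (?P<id>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)
# "<ts> IP <src> > <dst>: <id>[*] NXDomain ..."  or  "<id>[*] ans/auth/add ..."
REPLY_RE = re.compile(
    r"^\S+ IP \S+ > \S+: (?P<id>\d+)\*? (?P<rcode>NXDomain|\d+/\d+/\d+)"
)


@dataclass
class Query:
    txid: str
    qtype: str
    qname: str
    rcode: Optional[str] = None  # "NXDomain", "ans/auth/add" counts, or None


def rejoin(text: str) -> list[str]:
    """A line not starting with a tcpdump timestamp is the wrapped tail of
    the previous record (mail-client wrapping); glue it back on."""
    records: list[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TS_RE.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_capture(text: str) -> tuple[dict[str, Query], int]:
    """Pair queries with replies by DNS transaction ID.  Also returns the
    number of records tcpdump could not decode (its [|domain] marker), which
    are counted rather than guessed at."""
    queries: dict[str, Query] = {}
    undecoded = 0
    for rec in rejoin(text):
        q = QUERY_RE.match(rec)
        if q:
            queries[q["id"]] = Query(q["id"], q["qtype"], q["qname"])
            continue
        r = REPLY_RE.match(rec)
        if r:
            if r["id"] in queries:
                queries[r["id"]].rcode = r["rcode"]
            continue
        undecoded += 1
    return queries, undecoded


def srv_zone(qname: str) -> str:
    """Strip the leading _service/_proto labels of an SRV owner name."""
    labels = qname.lower().rstrip(".").split(".")
    i = 0
    while i < len(labels) and labels[i].startswith("_"):
        i += 1
    return ".".join(labels[i:])


def in_realm(zone: str, realm: str = REALM) -> bool:
    """True for the realm itself or a subdomain (e.g. dc._msdcs.<realm>);
    a bare NetBIOS name such as 'casas' is not."""
    realm = realm.lower()
    return zone == realm or zone.endswith("." + realm)


def find_short_srv_lookups(text: str, realm: str = REALM) -> list[dict]:
    """One finding per SRV query whose zone lies outside the realm."""
    findings = []
    for q in parse_capture(text)[0].values():
        zone = srv_zone(q.qname)
        if q.qtype == "SRV" and not in_realm(zone, realm):
            findings.append({"id": q.txid, "qname": q.qname,
                             "zone": zone, "rcode": q.rcode})
    return findings


if __name__ == "__main__":
    for h in find_short_srv_lookups(SAMPLE):
        print(f"txid {h['id']}: SRV {h['qname']} -> zone '{h['zone']}' "
              f"is not under {REALM} (reply: {h['rcode']})")
    undecoded = parse_capture(SAMPLE)[1]
    if undecoded:
        print(f"{undecoded} record(s) not decoded by tcpdump; recapture with -s 0")
```

The `[|domain]` marker in the capture means tcpdump's snapshot length cut the DNS payload short, so the query name in those records is simply not there; the script counts them instead of inferring them, and the capture-side fix is to re-run tcpdump with a full snapshot length (`-s 0`) and `-v` so every name and response code is printed on one line.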

