winbind/kerberos with multiple DCs fail to authenticate

Adrian Chung adrian at enfusion-group.com
Sun Jul 27 00:20:37 GMT 2003


On Fri, Jul 25, 2003 at 05:19:04PM -0400, Adrian Chung wrote:
> On Fri, Jul 25, 2003 at 03:40:25PM -0500, Gerald (Jerry) Carter wrote:
> [...]
> > > I apologize for the interruption.  I've been having intermittent
> > > trouble with winbindd just suddenly refusing to authenticate AD users
> > > until it's restarted, but I'm going to try and collect a level 3 log
> > > to see if it will shed more light on the situation.  I notice that
> > > when it happens, wbinfo --sequence says "DOMAIN: disconnected" instead
> > > of a sequence number, although it can still query either the users or
> > > groups in the domain, but usually not both, and wbinfo -t works fine.
> > 
> > Are you working out of the 3.0 CVS code tree?  I'm cleaning up small 
> > things as I find them and there were a couple related to winbindd and AD 
> > recently.  Mostly with locating domain controllers for trusted domains.
> 
> I'm not currently, I'm running beta2 and beta3 on two boxes.  But I'll
> checkout the CVS tree, and see what happens.

I checked out the SAMBA_3_0 tree as of today, and built a new RPM
based on the CVS source.

Using the exact same config as before, I can no longer look up domain
users or groups, even though 'wbinfo -t' still succeeds.  I get the
following messages in /var/log/samba/log.winbindd:

[2003/07/26 20:13:11, 1] nsswitch/winbindd.c:main(832)
  winbindd version 3.0.0rc1 started.
  Copyright The Samba Team 2000-2003
[2003/07/26 20:13:11, 3] param/loadparm.c:lp_load(3898)
  lp_load: refreshing parameters
[2003/07/26 20:13:11, 3] param/loadparm.c:init_globals(1296)
  Initialising global parameters
[2003/07/26 20:13:11, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2003/07/26 20:13:11, 3] param/loadparm.c:do_section(3401)
  Processing section "[global]"
[2003/07/26 20:13:11, 2] param/loadparm.c:do_section(3418)
  Processing section "[homes]"
[2003/07/26 20:13:11, 2] param/loadparm.c:do_section(3418)
  Processing section "[incoming]"
[2003/07/26 20:13:11, 2] param/loadparm.c:do_section(3418)
  Processing section "[tmp]"
[2003/07/26 20:13:11, 2] param/loadparm.c:do_section(3418)
  Processing section "[shared]"
[2003/07/26 20:13:11, 3] param/loadparm.c:lp_add_ipc(2351)
  adding IPC service
[2003/07/26 20:13:11, 3] param/loadparm.c:lp_add_ipc(2351)
  adding IPC service
[2003/07/26 20:13:11, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.100.10 bcast=192.168.100.255 nmask=255.255.255.0
[2003/07/26 20:13:11, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.100.10 bcast=192.168.100.255 nmask=255.255.255.0
[2003/07/26 20:13:11, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
  Registered MSG_REQ_POOL_USAGE
[2003/07/26 20:13:11, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2003/07/26 20:13:11, 1] nsswitch/winbindd_util.c:rescan_trusted_domains(167)
  scanning trusted domain list
[2003/07/26 20:13:15, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(207)
  [17121]: request interface version
[2003/07/26 20:13:15, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(243)
  [17121]: request location of privileged pipe
[2003/07/26 20:13:15, 3] nsswitch/winbindd_user.c:winbindd_list_users(584)
  [17121]: list users
[2003/07/26 20:13:15, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 192.168.100.6
[2003/07/26 20:13:15, 3] libads/ldap.c:ads_server_info(1877)
  got ldap server name beast at GENOSHA.ENFUSION-GROUP.COM, using bind path: dc=GENOSHA,dc=ENFUSION-GROUP,dc=COM
[2003/07/26 20:13:15, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(106)
  IPC$ connections done anonymously
[2003/07/26 20:13:15, 3] libsmb/cliconnect.c:cli_full_connection(1297)
  Connecting to host=BEAST share=IPC$
[2003/07/26 20:13:15, 3] lib/util_sock.c:open_socket_out(690)
  Connecting to 192.168.100.6 at port 445
[2003/07/26 20:13:15, 3] nsswitch/winbindd_util.c:add_trusted_domain(132)
  add_trusted_domain: GENOSHA is a native mode domain
[2003/07/26 20:13:15, 1] nsswitch/winbindd_util.c:add_trusted_domain(139)
  Added domain GENOSHA
[2003/07/26 20:13:15, 3] nsswitch/winbindd_ads.c:alternate_name(860)
  ads: alternate_name
[2003/07/26 20:13:15, 1] nsswitch/winbindd_ads.c:ads_cached_connection(70)
  ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:15, 1] nsswitch/winbindd_util.c:rescan_trusted_domains(167)
  scanning trusted domain list
[2003/07/26 20:13:15, 3] nsswitch/winbindd_ads.c:trusted_domains(807)
  ads: alternate_name
[2003/07/26 20:13:15, 1] nsswitch/winbindd_ads.c:ads_cached_connection(70)
  ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:15, 1] nsswitch/winbindd_util.c:rescan_trusted_domains(167)
  scanning trusted domain list
[2003/07/26 20:13:15, 3] nsswitch/winbindd_ads.c:trusted_domains(807)
  ads: trusted_domains
[2003/07/26 20:13:15, 1] nsswitch/winbindd_ads.c:ads_cached_connection(70)
  ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:15, 3] nsswitch/winbindd_ads.c:sequence_number(776)
  ads: fetch sequence_number for GENOSHA
[2003/07/26 20:13:15, 1] nsswitch/winbindd_ads.c:ads_cached_connection(70)
  ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:17, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(207)
  [17122]: request interface version
[2003/07/26 20:13:17, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(243)
  [17122]: request location of privileged pipe
[2003/07/26 20:13:17, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(38)
  [17122]: check machine account
[2003/07/26 20:13:17, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 192.168.100.6
[2003/07/26 20:13:17, 3] libads/ldap.c:ads_server_info(1877)
  got ldap server name beast at GENOSHA.ENFUSION-GROUP.COM, using bind path: dc=GENOSHA,dc=ENFUSION-GROUP,dc=COM
[2003/07/26 20:13:17, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(106)
  IPC$ connections done anonymously
[2003/07/26 20:13:17, 3] libsmb/cliconnect.c:cli_full_connection(1297)
  Connecting to host=BEAST share=IPC$
[2003/07/26 20:13:17, 3] lib/util_sock.c:open_socket_out(690)
  Connecting to 192.168.100.6 at port 445
[2003/07/26 20:13:17, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(77)
  secret is good

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[xavier] up 2 days, 39 min, 10 users
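
Added example, not part of the original message and not Samba code: a small triage script for a log.winbindd capture like the one above. It rebuilds records even when a mail client has wrapped the header, then counts the ads_connect failures alongside the checks that still succeeded. The names parse_records and triage are hypothetical.

```python
import re
from collections import Counter

# Record header: "[date time, level] file:function(line)"; mail wrapping can
# push "file:function(line)" onto the next line, so both forms are accepted.
STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+(\d+)\]\s*(.*)$")
WHERE = re.compile(r"^\S+:(\w+)\(\d+\)$")
FAIL = re.compile(r"ads_connect for domain (\S+) failed: (.+)")

# Shortened excerpt of the log quoted in the message above.
SAMPLE = """\
[2003/07/26 20:13:15, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 192.168.100.6
[2003/07/26 20:13:15, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(70)
  ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:15, 1] nsswitch/winbindd_ads.c:ads_cached_connection(70)
  ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:17, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(77)
  secret is good
"""

def parse_records(text):
    """Rebuild records (time, level, func, msg) from a possibly wrapped log."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = STAMP.match(line)
        if m:  # new record; the rest of the line may hold file:function(line)
            cur = {"time": m.group(1), "level": int(m.group(2)), "func": "", "msg": ""}
            records.append(cur)
            line = m.group(3)
        if cur is None or not line:
            continue
        w = WHERE.match(line)
        if w and not cur["func"] and not cur["msg"]:
            cur["func"] = w.group(1)
        else:  # message text, possibly wrapped over several lines
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return records

def triage(records):
    """Count ads_connect failures and note the checks that succeeded anyway."""
    msgs = [r["msg"] for r in records]
    failures = Counter(m.groups() for m in map(FAIL.search, msgs) if m)
    return {"failures": dict(failures),
            "ldap_ok": any(m.startswith("Connected to LDAP server") for m in msgs),
            "secret_good": "secret is good" in msgs}
```

To run it on a real capture, pass the file's text: `triage(parse_records(open("/var/log/samba/log.winbindd").read()))`.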
