winbind/kerberos with multiple DCs fail to authenticate
Adrian Chung
adrian at enfusion-group.com
Sun Jul 27 00:20:37 GMT 2003
On Fri, Jul 25, 2003 at 05:19:04PM -0400, Adrian Chung wrote:
> On Fri, Jul 25, 2003 at 03:40:25PM -0500, Gerald (Jerry) Carter wrote:
> [...]
> > > I apologize for the interruption. I've been having intermittent
> > > trouble with winbindd just suddenly refusing to authenticate AD users
> > > until it's restarted, but I'm going to try and collect a level 3 log
> > > to see if it will shed more light on the situation. I notice that
> > > when it happens, wbinfo --sequence says "DOMAIN: disconnected" instead
> > > of a sequence number, although it can still query either the users or
> > > groups in the domain, but usually not both, and wbinfo -t works fine.
> >
> > Are you working out of the 3.0 CVS code tree? I'm cleaning up small
> > things as I find them and there were a couple related to winbindd and AD
> > recently. Mostly with locating domain controllers for trusted domains.
>
> I'm not currently, I'm running beta2 and beta3 on two boxes. But I'll
> checkout the CVS tree, and see what happens.
I checked out the SAMBA_3_0 tree as of today, and built a new RPM
based on the CVS source.

Using the exact same config as before, I can no longer look up domain
users or groups, even though 'wbinfo -t' still succeeds. I get the
following messages in /var/log/samba/log.winbindd:
[2003/07/26 20:13:11, 1] nsswitch/winbindd.c:main(832)
winbindd version 3.0.0rc1 started.
Copyright The Samba Team 2000-2003
[2003/07/26 20:13:11, 3] param/loadparm.c:lp_load(3898)
lp_load: refreshing parameters
[2003/07/26 20:13:11, 3] param/loadparm.c:init_globals(1296)
Initialising global parameters
[2003/07/26 20:13:11, 3] param/params.c:pm_process(566)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2003/07/26 20:13:11, 3] param/loadparm.c:do_section(3401)
Processing section "[global]"
[2003/07/26 20:13:11, 2] param/loadparm.c:do_section(3418)
Processing section "[homes]"
[2003/07/26 20:13:11, 2] param/loadparm.c:do_section(3418)
Processing section "[incoming]"
[2003/07/26 20:13:11, 2] param/loadparm.c:do_section(3418)
Processing section "[tmp]"
[2003/07/26 20:13:11, 2] param/loadparm.c:do_section(3418)
Processing section "[shared]"
[2003/07/26 20:13:11, 3] param/loadparm.c:lp_add_ipc(2351)
adding IPC service
[2003/07/26 20:13:11, 3] param/loadparm.c:lp_add_ipc(2351)
adding IPC service
[2003/07/26 20:13:11, 2] lib/interface.c:add_interface(79)
added interface ip=192.168.100.10 bcast=192.168.100.255
nmask=255.255.255.0
[2003/07/26 20:13:11, 2] lib/interface.c:add_interface(79)
added interface ip=192.168.100.10 bcast=192.168.100.255
nmask=255.255.255.0
[2003/07/26 20:13:11, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
Registered MSG_REQ_POOL_USAGE
[2003/07/26 20:13:11, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2003/07/26 20:13:11, 1]
nsswitch/winbindd_util.c:rescan_trusted_domains(167)
scanning trusted domain list
[2003/07/26 20:13:15, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(207)
[17121]: request interface version
[2003/07/26 20:13:15, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(243)
[17121]: request location of privileged pipe
[2003/07/26 20:13:15, 3]
nsswitch/winbindd_user.c:winbindd_list_users(584)
[17121]: list users
[2003/07/26 20:13:15, 3] libads/ldap.c:ads_connect(218)
Connected to LDAP server 192.168.100.6
[2003/07/26 20:13:15, 3] libads/ldap.c:ads_server_info(1877)
got ldap server name beast at GENOSHA.ENFUSION-GROUP.COM, using bind
path: dc=GENOSHA,dc=ENFUSION-GROUP
,dc=COM
[2003/07/26 20:13:15, 3]
nsswitch/winbindd_cm.c:cm_get_ipc_userpass(106)
IPC$ connections done anonymously
[2003/07/26 20:13:15, 3] libsmb/cliconnect.c:cli_full_connection(1297)
Connecting to host=BEAST share=IPC$
[2003/07/26 20:13:15, 3] lib/util_sock.c:open_socket_out(690)
Connecting to 192.168.100.6 at port 445
[2003/07/26 20:13:15, 3]
nsswitch/winbindd_util.c:add_trusted_domain(132)
add_trusted_domain: GENOSHA is a native mode domain
[2003/07/26 20:13:15, 1]
nsswitch/winbindd_util.c:add_trusted_domain(139)
Added domain GENOSHA
[2003/07/26 20:13:15, 3] nsswitch/winbindd_ads.c:alternate_name(860)
ads: alternate_name
[2003/07/26 20:13:15, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(70)
ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:15, 1]
nsswitch/winbindd_util.c:rescan_trusted_domains(167)
scanning trusted domain list
[2003/07/26 20:13:15, 3] nsswitch/winbindd_ads.c:trusted_domains(807)
ads: alternate_name
[2003/07/26 20:13:15, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(70)
ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:15, 1]
nsswitch/winbindd_util.c:rescan_trusted_domains(167)
scanning trusted domain list
[2003/07/26 20:13:15, 3] nsswitch/winbindd_ads.c:trusted_domains(807)
ads: trusted_domains
[2003/07/26 20:13:15, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(70)
ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:15, 3] nsswitch/winbindd_ads.c:sequence_number(776)
ads: fetch sequence_number for GENOSHA
[2003/07/26 20:13:15, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(70)
ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:17, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(207)
[17122]: request interface version
[2003/07/26 20:13:17, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(243)
[17122]: request location of privileged pipe
[2003/07/26 20:13:17, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(38)
[17122]: check machine account
[2003/07/26 20:13:17, 3] libads/ldap.c:ads_connect(218)
Connected to LDAP server 192.168.100.6
[2003/07/26 20:13:17, 3] libads/ldap.c:ads_server_info(1877)
got ldap server name beast at GENOSHA.ENFUSION-GROUP.COM, using bind
path: dc=GENOSHA,dc=ENFUSION-GROUP
,dc=COM
[2003/07/26 20:13:17, 3]
nsswitch/winbindd_cm.c:cm_get_ipc_userpass(106)
IPC$ connections done anonymously
[2003/07/26 20:13:17, 3] libsmb/cliconnect.c:cli_full_connection(1297)
Connecting to host=BEAST share=IPC$
[2003/07/26 20:13:17, 3] lib/util_sock.c:open_socket_out(690)
Connecting to 192.168.100.6 at port 445
[2003/07/26 20:13:17, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(77)
secret is good
--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[xavier] up 2 days, 39 min, 10 users
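
Added example, not part of the original message and not Samba project code: a small triage script for a log.winbindd in the layout shown above. It counts ads_connect failures per domain and flags the case reported here, where the machine account check still logs "secret is good". The function names are hypothetical and the sample lines are excerpted from the log in the post.

```python
import re
from collections import Counter

# Debug header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
ADS_FAIL = re.compile(r"ads_connect for domain (\S+) failed: (.+)")

# Sample input: lines excerpted from the log quoted in the post.
SAMPLE = """\
[2003/07/26 20:13:15, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(70)
ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:15, 3] nsswitch/winbindd_ads.c:sequence_number(776)
ads: fetch sequence_number for GENOSHA
[2003/07/26 20:13:15, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(70)
ads_connect for domain GENOSHA failed: No such file or directory
[2003/07/26 20:13:17, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(77)
secret is good
"""

def parse_records(text):
    """Return a list of {time, level, where, msg} records from the log text."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": m.group(1), "level": int(m.group(2)),
                   "where": m.group(3).strip(), "msg": []}
            records.append(cur)
        elif cur is not None:
            if not cur["where"]:
                cur["where"] = line.strip()  # location wrapped onto its own line
            else:
                cur["msg"].append(line.strip())
    for r in records:
        r["msg"] = " ".join(r["msg"])
    return records

def triage(text):
    """Summarise ads_connect failures and whether the trust secret checked out."""
    recs = parse_records(text)
    failures = Counter()
    for r in recs:
        m = ADS_FAIL.search(r["msg"])
        if m:
            failures[(m.group(1), m.group(2))] += 1
    secret_ok = any(r["msg"] == "secret is good" for r in recs)
    return {"ads_failures": dict(failures), "secret_ok": secret_ok,
            "mismatch": secret_ok and bool(failures)}
```

Running triage() over the full log file gives a quick view of which domains lost their ADS connection while the trust account secret was still valid.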