winbind is half working: can't auth but can do everything else!

adp dap99 at i-55.com
Sun May 2 14:30:02 GMT 2004


I am using Red Hat ES 3 with Samba 3.0.2-6.3E. I have a weird problem with
Samba, and I'm sure I'm doing something wrong. I hope someone can give me a
pointer.

Problem: When I try to use winbind for authentication I get the following
error message:

May  2 02:33:46 myserv winbindd[2953]: [2004/05/02 02:33:46, 0]
rpc_client/cli_pipe.c:rpc_api_pipe(424)
May  2 02:33:46 myserv winbindd[2953]:   cli_pipe: return critical error.
Error was Call timed out: server did not respond after 10000 milliseconds
May  2 02:33:46 myserv winbindd[2953]: [2004/05/02 02:33:46, 0]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
May  2 02:33:46 myserv winbindd[2953]:   cli_nt_setup_creds: request
challenge failed

I had authentication (ssh specifically) working on another test server, but
I can't seem to get this working on two new servers. Not sure what is wrong!

I will go through a few things that I am doing, but first here is smb.conf
and krb5.conf:

# cat smb.conf
[global]
        netbios name = myserv
        workgroup = MYDOM
        encrypt passwords = yes
        realm = MYDOM.COM
        password server = *
        security = ADS
        winbind separator = -
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = yes

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = MYDOM.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 MYDOM.COM= {
  kdc = dc.mydom.com:88
  admin_server = dc.mydom.com:749
  default_domain = mydom.com
 }

[domain_realm]
 .mydom.com= MYDOM.COM
 mydom.com= MYDOM.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

(I also have /etc/pam.d/system-auth and /etc/nsswitch.conf configured for
winbind.)


Okay, let's first check out Kerb:

[root@myserv samba]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@myserv samba]# kinit Administrator
Password for Administrator@MY.DOM:
[root@myserv samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MY.DOM

Valid starting     Expires            Service principal
05/02/04 02:43:30  05/02/04 12:43:30  krbtgt/MY.DOM@MY.DOM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

That works. Now let's try an ADS join:

[root@myserv samba]# net ads join
Using short domain name -- MYDOM
Joined 'MYSERV' to realm MY.DOM
[root@myserv samba]# net ads testjoin
Join is OK

Great!

Now list some home directories on this box for ADS users:

# ll /home/
total 24
drwxr-xr-x    2 bob      Domain Users     4096 May  2 01:41 bob
drwxr-xr-x    2 f        Domain Users     4096 May  2 02:32 f
drwxr-xr-x    2 root     root        16384 May  1 23:24 lost+found

Now ssh:

# ssh bob@localhost

May  2 02:45:38 myserv winbindd[3127]: [2004/05/02 02:45:38, 0]
rpc_client/cli_pipe.c:rpc_api_pipe(424)
May  2 02:45:38 myserv winbindd[3127]:   cli_pipe: return critical error.
Error was Call timed out: server did not respond after 10000 milliseconds
May  2 02:45:38 myserv winbindd[3127]: [2004/05/02 02:45:38, 0]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
May  2 02:45:38 myserv winbindd[3127]:   cli_nt_setup_creds: request
challenge failed
May  2 02:45:38 myserv pam_winbind[3162]: request failed: No logon servers,
PAM error was 4, NT error was NT_STATUS_NO_LOGON_SERVERS
May  2 02:45:38 myserv pam_winbind[3162]: internal module error (retval = 4,
user = `bob'
May  2 02:45:38 myserv sshd(pam_unix)[3162]: check pass; user unknown

Weird. ???? What's the problem here? The kinit worked earlier! It seems like
it can't find the DC, even though I have this all specified in krb5.conf.

Let's try rpc instead. Maybe that is what winbind is trying to use?

# net rpc join -U Administrator

Unable to find a suitable server

Unable to find a suitable server

# net rpc join -U Administrator -d 3
[2004/05/02 02:47:50, 3] param/loadparm.c:lp_load(3819)
  lp_load: refreshing parameters
[2004/05/02 02:47:50, 3] param/loadparm.c:init_globals(1300)
  Initialising global parameters
[2004/05/02 02:47:50, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2004/05/02 02:47:50, 3] param/loadparm.c:do_section(3331)
  Processing section "[global]"
[2004/05/02 02:47:50, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.1.33 bcast=192.168.1.255 nmask=255.255.255.0
[2004/05/02 02:47:50, 3] libsmb/namequery.c:resolve_lmhosts(850)
  resolve_lmhosts: Attempting lmhosts lookup for name MYDOM<0x1b>
[2004/05/02 02:47:50, 3] libsmb/namequery.c:resolve_wins(748)
  resolve_wins: Attempting wins lookup for name MYDOM<0x1b>
[2004/05/02 02:47:50, 3] libsmb/namequery.c:resolve_wins(751)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2004/05/02 02:47:50, 3] libsmb/namequery.c:name_resolve_bcast(690)
  name_resolve_bcast: Attempting broadcast lookup for name MYDOM<0x1b>
[2004/05/02 02:47:51, 1] utils/net.c:net_find_server(274)
  no server to connect to

Unable to find a suitable server
[2004/05/02 02:47:51, 3] libsmb/namequery.c:resolve_lmhosts(850)
  resolve_lmhosts: Attempting lmhosts lookup for name MYDOM<0x1b>
[2004/05/02 02:47:51, 3] libsmb/namequery.c:resolve_wins(748)
  resolve_wins: Attempting wins lookup for name MYDOM<0x1b>
[2004/05/02 02:47:51, 3] libsmb/namequery.c:resolve_wins(751)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2004/05/02 02:47:51, 3] libsmb/namequery.c:name_resolve_bcast(690)
  name_resolve_bcast: Attempting broadcast lookup for name MYDOM<0x1b>
[2004/05/02 02:47:51, 1] utils/net.c:net_find_server(274)
  no server to connect to

Unable to find a suitable server
[2004/05/02 02:47:51, 2] utils/net.c:main(767)
  return code = 1

Now watch if I specify a DC:

# net rpc join -S thedc -d 3
[2004/05/02 09:14:32, 3] param/loadparm.c:lp_load(3819)
  lp_load: refreshing parameters
[2004/05/02 09:14:32, 3] param/loadparm.c:init_globals(1300)
  Initialising global parameters
[2004/05/02 09:14:32, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2004/05/02 09:14:32, 3] param/loadparm.c:do_section(3331)
  Processing section "[global]"
[2004/05/02 09:14:32, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.1.33 bcast=192.168.1.255 nmask=255.255.255.0
[2004/05/02 09:14:32, 3] libsmb/namequery.c:resolve_lmhosts(850)
  resolve_lmhosts: Attempting lmhosts lookup for name thedc<0x20>
[2004/05/02 09:14:32, 3] libsmb/cliconnect.c:cli_start_connection(1337)
  Connecting to host=thedc
[2004/05/02 09:14:32, 3] lib/util_sock.c:open_socket_out(710)
  Connecting to 192.168.1.146 at port 445
[2004/05/02 09:14:43, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
  cli_pipe: return critical error. Error was Call timed out: server did not
respond after 10000 milliseconds
[2004/05/02 09:14:43, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
  cli_nt_setup_creds: request challenge failed
[2004/05/02 09:14:43, 3] libsmb/trusts_util.c:just_change_the_password(43)
  just_change_the_password: unable to setup creds (NT_STATUS_UNSUCCESSFUL)!
[2004/05/02 09:14:43, 1] utils/net_rpc.c:run_rpc_command(138)
  rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
[2004/05/02 09:14:43, 1] utils/net_rpc.c:run_rpc_command(138)
  rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
Password:
[Control-C]
Interupted by signal.

Notice the 11 second pause at 'Connecting to 192.168.1.146 at port 445'!

I did just now add thedc to my /etc/samba/lmhosts file:

# cat lmhosts
127.0.0.1 localhost
192.168.1.146   THEDC#20

But this same thing was happening before I did anything to lmhosts.

I have no firewall up on my Linux machine:

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Nor am I running nscd:

# ps auxww|grep nscd
root     16739  0.0  0.0  3676  660 pts/1    S    09:21   0:00 grep nscd

The above is from a real server running RHES. I have an older server, running
RHES under VMware, that I initially worked on and that is working:

old# ll -d /home/bob/
drwx------    3 bob Domain Users     4096 May  1 13:08 /home/bob/

old# ssh bob@localhost
bob@localhost's password: MYDOMPASSWORD
bob$

What!?

old# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

old# net rpc testjoin
Join to 'MYDOM' is OK
[root@smb1 root]# net rpc testjoin -d 1
Join to 'MYDOM' is OK
old# net rpc testjoin -d 3
[2004/05/02 09:27:00, 3] param/loadparm.c:lp_load(3926)
  lp_load: refreshing parameters
[2004/05/02 09:27:00, 3] param/loadparm.c:init_globals(1303)
  Initialising global parameters
[2004/05/02 09:27:00, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2004/05/02 09:27:00, 3] param/loadparm.c:do_section(3429)
  Processing section "[global]"
[2004/05/02 09:27:00, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.1.104 bcast=192.168.1.255 nmask=255.255.255.0
[2004/05/02 09:27:00, 3] libsmb/cliconnect.c:cli_start_connection(1290)
  Connecting to host=THEDC
[2004/05/02 09:27:00, 3] lib/util_sock.c:open_socket_out(690)
  Connecting to 192.168.1.146 at port 445
Join to 'MYDOM' is OK
[2004/05/02 09:27:00, 2] utils/net.c:main(758)
  return code = 0

This machine is configured the same other than having a different 'netbios
name' in smb.conf. Hmm, also it has samba-3.0.0-14 instead of 3.0.2. (I
tested the other machine with 3.0.0-14 and 3.0.2.)

I'm not sure what is happening here.
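A small triage helper, added here and not part of the original post or of Samba, that parses the `net rpc join -S thedc -d 3` debug output above, pairs the `Connecting to ... at port 445` line with the `rpc_api_pipe` timeout that follows it, and reports the wall-clock gap (the 11 second pause noted in the post). The sample input is constructed from the post's own lines; a gap like this after a completed TCP connect points at the DC not answering the RPC rather than at the NetBIOS/WINS lookups, which fail before any socket is opened.

```python
import re
from datetime import datetime

# Constructed sample: the 'net rpc join -S thedc -d 3' lines from the post, with the
# timeout message wrapped across two lines exactly as it appeared in the mail.
SAMPLE_DEBUG = """\
[2004/05/02 09:14:32, 3] libsmb/cliconnect.c:cli_start_connection(1337)
  Connecting to host=thedc
[2004/05/02 09:14:32, 3] lib/util_sock.c:open_socket_out(710)
  Connecting to 192.168.1.146 at port 445
[2004/05/02 09:14:43, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
  cli_pipe: return critical error. Error was Call timed out: server did not
respond after 10000 milliseconds
[2004/05/02 09:14:43, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
  cli_nt_setup_creds: request challenge failed
"""

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)")
CONNECT = re.compile(r"Connecting to (\S+) at port (\d+)")

def parse_samba_debug(text):
    """Group debug output into (timestamp, level, location, message) records;
    any non-header line continues the previous record's message."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append([ts, int(m.group(2)), m.group(3), []])
        elif records:
            records[-1][3].append(line.strip())
    return [(ts, lvl, loc, " ".join(msg)) for ts, lvl, loc, msg in records]

def find_rpc_timeouts(records):
    """Pair each TCP connect with the next 'Call timed out' and report the gap.
    A long gap after the connect means the DC accepted the socket but never
    answered the RPC; NetBIOS/WINS name resolution fails before any connect."""
    findings, pending = [], None
    for ts, _lvl, loc, msg in records:
        m = CONNECT.search(msg)
        if m:
            pending = (ts, m.group(1), int(m.group(2)))
        elif pending and "Call timed out" in msg:
            t0, host, port = pending
            findings.append({"host": host, "port": port, "where": loc,
                             "wait_s": int((ts - t0).total_seconds())})
            pending = None
    return findings
```

Feed it the full `-d 3` output of both servers: the working VMware box shows the connect with no paired timeout, the failing box shows the 11 s gap on 192.168.1.146:445.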