winbind is half working: can't auth but can do everything else!

adp dap99 at i-55.com
Sun May 2 14:35:18 GMT 2004


I forgot to mention that I can connect to the 445/tcp port on the DC:

# telnet 192.168.1.146 445
Trying 192.168.1.146...
Connected to 192.168.1.146 (192.168.1.146).
Escape character is '^]'.
lksdjf
^]quit

Connection closed.
# telnet 192.168.1.146 3389
Trying 192.168.1.146...
Connected to 192.168.1.146 (192.168.1.146).
Escape character is '^]'.
lksjdf
^]quit

Connection closed.

----- Original Message -----
From: "adp" <dap99 at i-55.com>
To: <samba-technical at lists.samba.org>
Sent: Sunday, May 02, 2004 9:30 AM
Subject: winbind is half working: can't auth but can do everything else!


> I am using Red Hat ES 3 with Samba 3.0.2-6.3E. I have a weird problem with
> Samba, and I'm sure I'm doing something wrong. I hope someone can give me a
> pointer.
>
> Problem: When I try to use winbind for authentication I get the following
> error message:
>
> May  2 02:33:46 myserv winbindd[2953]: [2004/05/02 02:33:46, 0]
> rpc_client/cli_pipe.c:rpc_api_pipe(424)
> May  2 02:33:46 myserv winbindd[2953]:   cli_pipe: return critical error.
> Error was Call timed out: server did not respond after 10000 milliseconds
> May  2 02:33:46 myserv winbindd[2953]: [2004/05/02 02:33:46, 0]
> rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
> May  2 02:33:46 myserv winbindd[2953]:   cli_nt_setup_creds: request
> challenge failed
>
> I had authentication (ssh specifically) working on another test server, but
> I can't seem to get this working on two new servers. Not sure what is wrong!
>
> I will go through a few things that I am doing, but first here is smb.conf
> and krb5.conf:
>
> # cat smb.conf
> [global]
>         netbios name = myserv
>         workgroup = MYDOM
>         encrypt passwords = yes
>         realm = MYDOM.COM
>         password server = *
>         security = ADS
>         winbind separator = -
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         winbind enum users = yes
>         winbind enum groups = yes
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind use default domain = yes
>
> # cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = MYDOM.COM
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [realms]
>  MYDOM.COM= {
>   kdc = dc.mydom.com:88
>   admin_server = dc.mydom.com:749
>   default_domain = mydom.com
>  }
>
> [domain_realm]
>  .mydom.com= MYDOM.COM
>  mydom.com= MYDOM.COM
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
> (I also have /etc/pam.d/system-auth and /etc/nsswitch.conf configured for
> winbind.)
>
>
> Okay, let's first check out Kerb:
>
> [root at myserv samba]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at myserv samba]# kinit Administrator
> Password for Administrator at MY.DOM:
> [root at myserv samba]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at MY.DOM
>
> Valid starting     Expires            Service principal
> 05/02/04 02:43:30  05/02/04 12:43:30  krbtgt/MY.DOM at MY.DOM
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> That works. Now let's try an ADS join:
>
> [root at myserv samba]# net ads join
> Using short domain name -- MYDOM
> Joined 'MYSERV' to realm MY.DOM
> [root at myserv samba]# net ads testjoin
> Join is OK
>
> Great!
>
> Now list some home directories on this box for ADS users:
>
> # ll /home/
> total 24
> drwxr-xr-x    2 bob      Domain Users     4096 May  2 01:41 bob
> drwxr-xr-x    2 f        Domain Users     4096 May  2 02:32 f
> drwxr-xr-x    2 root     root        16384 May  1 23:24 lost+found
>
> Now ssh:
>
> # ssh bob at localhost
>
> May  2 02:45:38 myserv winbindd[3127]: [2004/05/02 02:45:38, 0]
> rpc_client/cli_pipe.c:rpc_api_pipe(424)
> May  2 02:45:38 myserv winbindd[3127]:   cli_pipe: return critical error.
> Error was Call timed out: server did not respond after 10000 milliseconds
> May  2 02:45:38 myserv winbindd[3127]: [2004/05/02 02:45:38, 0]
> rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
> May  2 02:45:38 myserv winbindd[3127]:   cli_nt_setup_creds: request
> challenge failed
> May  2 02:45:38 myserv pam_winbind[3162]: request failed: No logon servers,
> PAM error was 4, NT error was NT_STATUS_NO_LOGON_SERVERS
> May  2 02:45:38 myserv pam_winbind[3162]: internal module error (retval = 4,
> user = `bob'
> May  2 02:45:38 myserv sshd(pam_unix)[3162]: check pass; user unknown
>
> Weird. ???? What's the problem here? The kinit worked earlier! It seems like
> it can't find the DC, even though I have this all specified in krb5.conf.
>
> Let's try rpc instead. Maybe that is what winbind is trying to use?
>
> # net rpc join -U Administrator
>
> Unable to find a suitable server
>
> Unable to find a suitable server
>
> # net rpc join -U Administrator -d 3
> [2004/05/02 02:47:50, 3] param/loadparm.c:lp_load(3819)
>   lp_load: refreshing parameters
> [2004/05/02 02:47:50, 3] param/loadparm.c:init_globals(1300)
>   Initialising global parameters
> [2004/05/02 02:47:50, 3] param/params.c:pm_process(566)
>   params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2004/05/02 02:47:50, 3] param/loadparm.c:do_section(3331)
>   Processing section "[global]"
> [2004/05/02 02:47:50, 2] lib/interface.c:add_interface(79)
>   added interface ip=192.168.1.33 bcast=192.168.1.255 nmask=255.255.255.0
> [2004/05/02 02:47:50, 3] libsmb/namequery.c:resolve_lmhosts(850)
>   resolve_lmhosts: Attempting lmhosts lookup for name MYDOM<0x1b>
> [2004/05/02 02:47:50, 3] libsmb/namequery.c:resolve_wins(748)
>   resolve_wins: Attempting wins lookup for name MYDOM<0x1b>
> [2004/05/02 02:47:50, 3] libsmb/namequery.c:resolve_wins(751)
>   resolve_wins: WINS server resolution selected and no WINS servers listed.
> [2004/05/02 02:47:50, 3] libsmb/namequery.c:name_resolve_bcast(690)
>   name_resolve_bcast: Attempting broadcast lookup for name MYDOM<0x1b>
> [2004/05/02 02:47:51, 1] utils/net.c:net_find_server(274)
>   no server to connect to
>
> Unable to find a suitable server
> [2004/05/02 02:47:51, 3] libsmb/namequery.c:resolve_lmhosts(850)
>   resolve_lmhosts: Attempting lmhosts lookup for name MYDOM<0x1b>
> [2004/05/02 02:47:51, 3] libsmb/namequery.c:resolve_wins(748)
>   resolve_wins: Attempting wins lookup for name MYDOM<0x1b>
> [2004/05/02 02:47:51, 3] libsmb/namequery.c:resolve_wins(751)
>   resolve_wins: WINS server resolution selected and no WINS servers listed.
> [2004/05/02 02:47:51, 3] libsmb/namequery.c:name_resolve_bcast(690)
>   name_resolve_bcast: Attempting broadcast lookup for name MYDOM<0x1b>
> [2004/05/02 02:47:51, 1] utils/net.c:net_find_server(274)
>   no server to connect to
>
> Unable to find a suitable server
> [2004/05/02 02:47:51, 2] utils/net.c:main(767)
>   return code = 1
>
> Now watch if I specify a DC:
>
> # net rpc join -S thedc -d 3
> [2004/05/02 09:14:32, 3] param/loadparm.c:lp_load(3819)
>   lp_load: refreshing parameters
> [2004/05/02 09:14:32, 3] param/loadparm.c:init_globals(1300)
>   Initialising global parameters
> [2004/05/02 09:14:32, 3] param/params.c:pm_process(566)
>   params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2004/05/02 09:14:32, 3] param/loadparm.c:do_section(3331)
>   Processing section "[global]"
> [2004/05/02 09:14:32, 2] lib/interface.c:add_interface(79)
>   added interface ip=192.168.1.33 bcast=192.168.1.255 nmask=255.255.255.0
> [2004/05/02 09:14:32, 3] libsmb/namequery.c:resolve_lmhosts(850)
>   resolve_lmhosts: Attempting lmhosts lookup for name thedc<0x20>
> [2004/05/02 09:14:32, 3] libsmb/cliconnect.c:cli_start_connection(1337)
>   Connecting to host=thedc
> [2004/05/02 09:14:32, 3] lib/util_sock.c:open_socket_out(710)
>   Connecting to 192.168.1.146 at port 445
> [2004/05/02 09:14:43, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
>   cli_pipe: return critical error. Error was Call timed out: server did not
> respond after 10000 milliseconds
> [2004/05/02 09:14:43, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
>   cli_nt_setup_creds: request challenge failed
> [2004/05/02 09:14:43, 3] libsmb/trusts_util.c:just_change_the_password(43)
>   just_change_the_password: unable to setup creds (NT_STATUS_UNSUCCESSFUL)!
> [2004/05/02 09:14:43, 1] utils/net_rpc.c:run_rpc_command(138)
>   rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
> [2004/05/02 09:14:43, 1] utils/net_rpc.c:run_rpc_command(138)
>   rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
> Password:
> [Control-C]
> Interupted by signal.
>
> Notice the 11 second pause at 'Connecting to 192.168.1.146 at port 445'!
>
> I did just now add thedc to my /etc/samba/lmhosts file:
>
> # cat lmhosts
> 127.0.0.1 localhost
> 192.168.1.146   THEDC#20
>
> But this same thing was happening before I did anything to lmhosts.
>
> I have no firewall up on my Linux machine:
>
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Nor am I running nscd:
>
> # ps auxww|grep nscd
> root     16739  0.0  0.0  3676  660 pts/1    S    09:21   0:00 grep nscd
>
> The above is from a real server running RHES. I have an older server that I
> initially worked on that is running under VMware that has RHES, and is
> working:
>
> old# ll -d /home/bob/
> drwx------    3 bob Domain Users     4096 May  1 13:08 /home/bob/
>
> old# ssh bob at localhost
> bob at localhost's password: MYDOMPASSWORD
> bob$
>
> What!?
>
> old# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> old# net rpc testjoin
> Join to 'MYDOM' is OK
> [root at smb1 root]# net rpc testjoin -d 1
> Join to 'MYDOM' is OK
> old# net rpc testjoin -d 3
> [2004/05/02 09:27:00, 3] param/loadparm.c:lp_load(3926)
>   lp_load: refreshing parameters
> [2004/05/02 09:27:00, 3] param/loadparm.c:init_globals(1303)
>   Initialising global parameters
> [2004/05/02 09:27:00, 3] param/params.c:pm_process(566)
>   params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2004/05/02 09:27:00, 3] param/loadparm.c:do_section(3429)
>   Processing section "[global]"
> [2004/05/02 09:27:00, 2] lib/interface.c:add_interface(79)
>   added interface ip=192.168.1.104 bcast=192.168.1.255 nmask=255.255.255.0
> [2004/05/02 09:27:00, 3] libsmb/cliconnect.c:cli_start_connection(1290)
>   Connecting to host=THEDC
> [2004/05/02 09:27:00, 3] lib/util_sock.c:open_socket_out(690)
>   Connecting to 192.168.1.146 at port 445
> Join to 'MYDOM' is OK
> [2004/05/02 09:27:00, 2] utils/net.c:main(758)
>   return code = 0
>
> This machine is configured the same other than having a different 'netbios
> name' in smb.conf. Hmm, also it has samba-3.0.0-14 instead of 3.0.2. (I
> tested the other machine with 3.0.0-14 and 3.0.2.)
>
> I'm not sure what is happening here.
>
>

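The winbindd and pam_winbind syslog lines quoted above follow a fixed shape: Samba emits each debug event as a header line (timestamp, debug level, source file:function(line)) followed by an indented message line, while pam_winbind reports a single line carrying the NT_STATUS code. The parser below is an added example for pulling those events out of a syslog file and summarising the failure, with constructed sample lines modelled on the post; it is not Samba's code, and the function names and record layout are my own.

```python
import re
from collections import Counter
# Syslog prefix as seen in the post: "May  2 02:45:38 myserv winbindd[3127]: ..."
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[\w()-]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
# Samba debug header: "[2004/05/02 02:45:38, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)"
DEBUG_HDR_RE = re.compile(r"^\[(?P<when>[\d/]+ [\d:]+), (?P<level>\d+)\] (?P<where>\S+)$")
NT_STATUS_RE = re.compile(r"(NT_STATUS_[A-Z_]+)")
# Constructed sample, modelled on the lines quoted in the post (wrapped lines re-joined).
SAMPLE_LOG = """\
May  2 02:45:38 myserv winbindd[3127]: [2004/05/02 02:45:38, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
May  2 02:45:38 myserv winbindd[3127]:   cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
May  2 02:45:38 myserv winbindd[3127]: [2004/05/02 02:45:38, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
May  2 02:45:38 myserv winbindd[3127]:   cli_nt_setup_creds: request challenge failed
May  2 02:45:38 myserv pam_winbind[3162]: request failed: No logon servers, PAM error was 4, NT error was NT_STATUS_NO_LOGON_SERVERS
May  2 02:45:38 myserv pam_winbind[3162]: internal module error (retval = 4, user = `bob'
May  2 02:45:38 myserv sshd(pam_unix)[3162]: check pass; user unknown
""".splitlines()

def parse_samba_syslog(lines):
    """One dict per logical event.  A Samba debug header is held until its
    indented message line arrives; other lines are single-line events."""
    events, pending = [], None
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip())
        if not m:
            continue  # not a syslog line we understand
        rest = m.group("rest")
        hdr = DEBUG_HDR_RE.match(rest.strip())
        if hdr:  # first half of a Samba debug event
            pending = {"prog": m.group("prog"), "pid": int(m.group("pid")),
                       "level": int(hdr.group("level")), "where": hdr.group("where")}
            continue
        if pending is not None:  # second half: the message text
            pending["msg"] = rest.strip()
            events.append(pending)
            pending = None
        else:  # single-line event, e.g. pam_winbind or pam_unix
            nt = NT_STATUS_RE.search(rest)
            events.append({"prog": m.group("prog"), "pid": int(m.group("pid")),
                           "msg": rest.strip(), "nt_status": nt.group(1) if nt else None})
    return events

def summarise(events):
    """Level-0 (critical) events by source location, NT_STATUS codes from PAM, RPC timeout flag."""
    critical = Counter(e["where"] for e in events if e.get("level") == 0)
    nt_codes = sorted({e["nt_status"] for e in events if e.get("nt_status")})
    timed_out = any("Call timed out" in e["msg"] for e in events)
    return {"critical": dict(critical), "nt_status": nt_codes, "rpc_timeout": timed_out}
```

Run over a real /var/log/messages the summary separates an RPC timeout at the netlogon credential setup (the pattern in this post) from other winbind failures that share the same NT_STATUS_NO_LOGON_SERVERS result.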