winbind is half working: can't auth but can do everything else!

adp dap99 at i-55.com
Sun May 2 23:12:11 GMT 2004


I made some interesting but disappointing progress. This was all in a test
env., so I took down the AD, brought up a fresh Win2k Server, and built a
new AD. It all works now. Any ideas on this? It makes me nervous since I'm
not sure what happened. I still have the old DC/AD and can bring it up for
additional testing.

----- Original Message -----
From: "adp" <dap99 at i-55.com>
To: <samba-technical at lists.samba.org>
Sent: Sunday, May 02, 2004 9:46 AM
Subject: Re: winbind is half working: can't auth but can do everything else!


> I just noticed that the 'net rpc user' command works while 'net rpc join'
> does not. Is this related to the auth. issues?
>
> # net rpc user -S thedc -U Administrator%secret
> A22E8A7E-F67F-4F1C-A
> Administrator
> bob
> f
> Guest
> krbtgt
> TsInternetUser
> # net rpc user -S thedc -U Administrator%polaris -d 3
> [2004/05/02 09:38:05, 3] param/loadparm.c:lp_load(3819)
>   lp_load: refreshing parameters
> [2004/05/02 09:38:05, 3] param/loadparm.c:init_globals(1300)
>   Initialising global parameters
> [2004/05/02 09:38:05, 3] param/params.c:pm_process(566)
>   params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2004/05/02 09:38:05, 3] param/loadparm.c:do_section(3331)
>   Processing section "[global]"
> [2004/05/02 09:38:05, 2] lib/interface.c:add_interface(79)
>   added interface ip=192.168.1.33 bcast=192.168.1.255 nmask=255.255.255.0
> [2004/05/02 09:38:05, 3] libsmb/cliconnect.c:cli_start_connection(1337)
>   Connecting to host=thedc
> [2004/05/02 09:38:05, 3] lib/util_sock.c:open_socket_out(710)
>   Connecting to 192.168.1.146 at port 445
> [2004/05/02 09:38:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(676)
>   Doing spnego session setup (blob length=111)
> [2004/05/02 09:38:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
>   got OID=1 2 840 48018 1 2 2
> [2004/05/02 09:38:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
>   got OID=1 2 840 113554 1 2 2
> [2004/05/02 09:38:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
>   got OID=1 2 840 113554 1 2 2 3
> [2004/05/02 09:38:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
>   got OID=1 3 6 1 4 1 311 2 2 10
> [2004/05/02 09:38:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
>   got principal=thedc$@MYDOM.COM
> [2004/05/02 09:38:05, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(879)
>   Got challenge flags:
> [2004/05/02 09:38:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60890215
> [2004/05/02 09:38:05, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(901)
>   NTLMSSP: Set final flags:
> [2004/05/02 09:38:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60080215
> [2004/05/02 09:38:05, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2004/05/02 09:38:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60080215
> A22E8A7E-F67F-4F1C-A
> Administrator
> bob
> f
> Guest
> krbtgt
> TsInternetUser
> [2004/05/02 09:38:05, 2] utils/net.c:main(767)
>   return code = 0
>
> And yet net rpc join continues to fail:
>
> # net rpc join -S thedc -U Administrator%secret -d 3
> [2004/05/02 09:40:23, 3] param/loadparm.c:lp_load(3819)
>   lp_load: refreshing parameters
> [2004/05/02 09:40:23, 3] param/loadparm.c:init_globals(1300)
>   Initialising global parameters
> [2004/05/02 09:40:23, 3] param/params.c:pm_process(566)
>   params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2004/05/02 09:40:23, 3] param/loadparm.c:do_section(3331)
>   Processing section "[global]"
> [2004/05/02 09:40:23, 2] lib/interface.c:add_interface(79)
>   added interface ip=192.168.1.33 bcast=192.168.1.255 nmask=255.255.255.0
> [2004/05/02 09:40:23, 3] libsmb/cliconnect.c:cli_start_connection(1337)
>   Connecting to host=thedc
> [2004/05/02 09:40:23, 3] lib/util_sock.c:open_socket_out(710)
>   Connecting to 192.168.1.146 at port 445
> [2004/05/02 09:40:33, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
>   cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
> ...
>
> I also noticed some past mailing list traffic re: changing the Administrator
> password. I changed the password and get the same error:
>
> # net rpc join -S thedc -d 3 -U Administrator%secret2
> [2004/05/02 09:42:41, 3] param/loadparm.c:lp_load(3819)
>   lp_load: refreshing parameters
> [2004/05/02 09:42:41, 3] param/loadparm.c:init_globals(1300)
>   Initialising global parameters
> [2004/05/02 09:42:41, 3] param/params.c:pm_process(566)
>   params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2004/05/02 09:42:41, 3] param/loadparm.c:do_section(3331)
>   Processing section "[global]"
> [2004/05/02 09:42:41, 2] lib/interface.c:add_interface(79)
>   added interface ip=192.168.1.33 bcast=192.168.1.255 nmask=255.255.255.0
> [2004/05/02 09:42:41, 3] libsmb/cliconnect.c:cli_start_connection(1337)
>   Connecting to host=thedc
> [2004/05/02 09:42:41, 3] lib/util_sock.c:open_socket_out(710)
>   Connecting to 192.168.1.146 at port 445
> [2004/05/02 09:42:51, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
>   cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
> [2004/05/02 09:42:51, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
>   cli_nt_setup_creds: request challenge failed
> ...
>
>
>
> ----- Original Message -----
> From: "adp" <dap99 at i-55.com>
> To: <samba-technical at lists.samba.org>
> Sent: Sunday, May 02, 2004 9:35 AM
> Subject: Re: winbind is half working: can't auth but can do everything else!
>
>
> > I forgot to mention that I can connect to the 445/tcp port on the DC:
> >
> > # telnet 192.168.1.146 445
> > Trying 192.168.1.146...
> > Connected to 192.168.1.146 (192.168.1.146).
> > Escape character is '^]'.
> > lksdjf
> > ^]quit
> >
> > Connection closed.
> > # telnet 192.168.1.146 3389
> > Trying 192.168.1.146...
> > Connected to 192.168.1.146 (192.168.1.146).
> > Escape character is '^]'.
> > lksjdf
> > ^]quit
> >
> > Connection closed.
> >
> > ----- Original Message -----
> > From: "adp" <dap99 at i-55.com>
> > To: <samba-technical at lists.samba.org>
> > Sent: Sunday, May 02, 2004 9:30 AM
> > Subject: winbind is half working: can't auth but can do everything else!
> >
> >
> > > I am using Red Hat ES 3 with Samba 3.0.2-6.3E. I have a weird problem with
> > > Samba, and I'm sure I'm doing something wrong. I hope someone can give me a
> > > pointer.
> > >
> > > Problem: When I try to use winbind for authentication I get the following
> > > error message:
> > >
> > > May  2 02:33:46 myserv winbindd[2953]: [2004/05/02 02:33:46, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
> > > May  2 02:33:46 myserv winbindd[2953]:   cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
> > > May  2 02:33:46 myserv winbindd[2953]: [2004/05/02 02:33:46, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
> > > May  2 02:33:46 myserv winbindd[2953]:   cli_nt_setup_creds: request challenge failed
> > >
> > > I had authentication (ssh specifically) working on another test server, but
> > > I can't seem to get this working on two new servers. Not sure what is wrong!
> > >
> > > I will go through a few things that I am doing, but first here is smb.conf
> > > and krb5.conf:
> > >
> > > # cat smb.conf
> > > [global]
> > >         netbios name = myserv
> > >         workgroup = MYDOM
> > >         encrypt passwords = yes
> > >         realm = MYDOM.COM
> > >         password server = *
> > >         security = ADS
> > >         winbind separator = -
> > >         idmap uid = 10000-20000
> > >         idmap gid = 10000-20000
> > >         winbind enum users = yes
> > >         winbind enum groups = yes
> > >         template homedir = /home/%U
> > >         template shell = /bin/bash
> > >         winbind use default domain = yes
> > >
> > > # cat /etc/krb5.conf
> > > [logging]
> > >  default = FILE:/var/log/krb5libs.log
> > >  kdc = FILE:/var/log/krb5kdc.log
> > >  admin_server = FILE:/var/log/kadmind.log
> > >
> > > [libdefaults]
> > >  ticket_lifetime = 24000
> > >  default_realm = MYDOM.COM
> > >  dns_lookup_realm = true
> > >  dns_lookup_kdc = true
> > >
> > > [realms]
> > >  MYDOM.COM= {
> > >   kdc = dc.mydom.com:88
> > >   admin_server = dc.mydom.com:749
> > >   default_domain = mydom.com
> > >  }
> > >
> > > [domain_realm]
> > >  .mydom.com= MYDOM.COM
> > >  mydom.com= MYDOM.COM
> > >
> > > [kdc]
> > >  profile = /var/kerberos/krb5kdc/kdc.conf
> > >
> > > [appdefaults]
> > >  pam = {
> > >    debug = false
> > >    ticket_lifetime = 36000
> > >    renew_lifetime = 36000
> > >    forwardable = true
> > >    krb4_convert = false
> > >  }
> > >
> > > (I also have /etc/pam.d/system-auth and /etc/nsswitch.conf configured for
> > > winbind.)
> > >
> > >
> > > Okay, let's first check out Kerb:
> > >
> > > [root at myserv samba]# klist
> > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > >
> > >
> > > Kerberos 4 ticket cache: /tmp/tkt0
> > > klist: You have no tickets cached
> > > [root at myserv samba]# kinit Administrator
> > > Password for Administrator at MY.DOM:
> > > [root at myserv samba]# klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: Administrator at MY.DOM
> > >
> > > Valid starting     Expires            Service principal
> > > 05/02/04 02:43:30  05/02/04 12:43:30  krbtgt/MY.DOM at MY.DOM
> > >
> > >
> > > Kerberos 4 ticket cache: /tmp/tkt0
> > > klist: You have no tickets cached
> > >
> > > That works. Now let's try an ADS join:
> > >
> > > [root at myserv samba]# net ads join
> > > Using short domain name -- MYDOM
> > > Joined 'MYSERV' to realm MY.DOM
> > > [root at myserv samba]# net ads testjoin
> > > Join is OK
> > >
> > > Great!
> > >
> > > Now list some home directories on this box for ADS users:
> > >
> > > # ll /home/
> > > total 24
> > > drwxr-xr-x    2 bob      Domain Users     4096 May  2 01:41 bob
> > > drwxr-xr-x    2 f        Domain Users     4096 May  2 02:32 f
> > > drwxr-xr-x    2 root     root        16384 May  1 23:24 lost+found
> > >
> > > Now ssh:
> > >
> > > # ssh bob at localhost
> > >
> > > May  2 02:45:38 myserv winbindd[3127]: [2004/05/02 02:45:38, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
> > > May  2 02:45:38 myserv winbindd[3127]:   cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
> > > May  2 02:45:38 myserv winbindd[3127]: [2004/05/02 02:45:38, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
> > > May  2 02:45:38 myserv winbindd[3127]:   cli_nt_setup_creds: request challenge failed
> > > May  2 02:45:38 myserv pam_winbind[3162]: request failed: No logon servers, PAM error was 4, NT error was NT_STATUS_NO_LOGON_SERVERS
> > > May  2 02:45:38 myserv pam_winbind[3162]: internal module error (retval = 4, user = `bob'
> > > May  2 02:45:38 myserv sshd(pam_unix)[3162]: check pass; user unknown
> > >
> > > Weird. ???? What's the problem here? The kinit worked earlier! It seems like
> > > it can't find the DC, even though I have this all specified in krb5.conf.
> > >
> > > Let's try rpc instead. Maybe that is what winbind is trying to use?
> > >
> > > # net rpc join -U Administrator
> > >
> > > Unable to find a suitable server
> > >
> > > Unable to find a suitable server
> > >
> > > # net rpc join -U Administrator -d 3
> > > [2004/05/02 02:47:50, 3] param/loadparm.c:lp_load(3819)
> > >   lp_load: refreshing parameters
> > > [2004/05/02 02:47:50, 3] param/loadparm.c:init_globals(1300)
> > >   Initialising global parameters
> > > [2004/05/02 02:47:50, 3] param/params.c:pm_process(566)
> > >   params.c:pm_process() - Processing configuration file
> > > "/etc/samba/smb.conf"
> > > [2004/05/02 02:47:50, 3] param/loadparm.c:do_section(3331)
> > >   Processing section "[global]"
> > > [2004/05/02 02:47:50, 2] lib/interface.c:add_interface(79)
> > >   added interface ip=192.168.1.33 bcast=192.168.1.255 nmask=255.255.255.0
> > > [2004/05/02 02:47:50, 3] libsmb/namequery.c:resolve_lmhosts(850)
> > >   resolve_lmhosts: Attempting lmhosts lookup for name MYDOM<0x1b>
> > > [2004/05/02 02:47:50, 3] libsmb/namequery.c:resolve_wins(748)
> > >   resolve_wins: Attempting wins lookup for name MYDOM<0x1b>
> > > [2004/05/02 02:47:50, 3] libsmb/namequery.c:resolve_wins(751)
> > >   resolve_wins: WINS server resolution selected and no WINS servers listed.
> > > [2004/05/02 02:47:50, 3] libsmb/namequery.c:name_resolve_bcast(690)
> > >   name_resolve_bcast: Attempting broadcast lookup for name MYDOM<0x1b>
> > > [2004/05/02 02:47:51, 1] utils/net.c:net_find_server(274)
> > >   no server to connect to
> > >
> > > Unable to find a suitable server
> > > [2004/05/02 02:47:51, 3] libsmb/namequery.c:resolve_lmhosts(850)
> > >   resolve_lmhosts: Attempting lmhosts lookup for name MYDOM<0x1b>
> > > [2004/05/02 02:47:51, 3] libsmb/namequery.c:resolve_wins(748)
> > >   resolve_wins: Attempting wins lookup for name MYDOM<0x1b>
> > > [2004/05/02 02:47:51, 3] libsmb/namequery.c:resolve_wins(751)
> > >   resolve_wins: WINS server resolution selected and no WINS servers listed.
> > > [2004/05/02 02:47:51, 3] libsmb/namequery.c:name_resolve_bcast(690)
> > >   name_resolve_bcast: Attempting broadcast lookup for name MYDOM<0x1b>
> > > [2004/05/02 02:47:51, 1] utils/net.c:net_find_server(274)
> > >   no server to connect to
> > >
> > > Unable to find a suitable server
> > > [2004/05/02 02:47:51, 2] utils/net.c:main(767)
> > >   return code = 1
> > >
> > > Now watch if I specify a DC:
> > >
> > > # net rpc join -S thedc -d 3
> > > [2004/05/02 09:14:32, 3] param/loadparm.c:lp_load(3819)
> > >   lp_load: refreshing parameters
> > > [2004/05/02 09:14:32, 3] param/loadparm.c:init_globals(1300)
> > >   Initialising global parameters
> > > [2004/05/02 09:14:32, 3] param/params.c:pm_process(566)
> > >   params.c:pm_process() - Processing configuration file
> > > "/etc/samba/smb.conf"
> > > [2004/05/02 09:14:32, 3] param/loadparm.c:do_section(3331)
> > >   Processing section "[global]"
> > > [2004/05/02 09:14:32, 2] lib/interface.c:add_interface(79)
> > >   added interface ip=192.168.1.33 bcast=192.168.1.255 nmask=255.255.255.0
> > > [2004/05/02 09:14:32, 3] libsmb/namequery.c:resolve_lmhosts(850)
> > >   resolve_lmhosts: Attempting lmhosts lookup for name thedc<0x20>
> > > [2004/05/02 09:14:32, 3] libsmb/cliconnect.c:cli_start_connection(1337)
> > >   Connecting to host=thedc
> > > [2004/05/02 09:14:32, 3] lib/util_sock.c:open_socket_out(710)
> > >   Connecting to 192.168.1.146 at port 445
> > > [2004/05/02 09:14:43, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
> > >   cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
> > > [2004/05/02 09:14:43, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
> > >   cli_nt_setup_creds: request challenge failed
> > > [2004/05/02 09:14:43, 3] libsmb/trusts_util.c:just_change_the_password(43)
> > >   just_change_the_password: unable to setup creds (NT_STATUS_UNSUCCESSFUL)!
> > > [2004/05/02 09:14:43, 1] utils/net_rpc.c:run_rpc_command(138)
> > >   rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
> > > [2004/05/02 09:14:43, 1] utils/net_rpc.c:run_rpc_command(138)
> > >   rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
> > > Password:
> > > [Control-C]
> > > Interupted by signal.
> > >
> > > Notice the 11 second pause at 'Connecting to 192.168.1.146 at port 445'!
> > >
> > > I did just now add thedc to my /etc/samba/lmhosts file:
> > >
> > > # cat lmhosts
> > > 127.0.0.1 localhost
> > > 192.168.1.146   THEDC#20
> > >
> > > But this same thing was happening before I did anything to lmhosts.
> > >
> > > I have no firewall up on my Linux machine:
> > >
> > > # iptables -L -n
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Nor am I running nscd:
> > >
> > > # ps auxww|grep nscd
> > > root     16739  0.0  0.0  3676  660 pts/1    S    09:21   0:00 grep nscd
> > >
> > > The above is from a real server running RHES. I have an older server that I
> > > initially worked on that is running under VMware that has RHES, and is
> > > working:
> > >
> > > old# ll -d /home/bob/
> > > drwx------    3 bob Domain Users     4096 May  1 13:08 /home/bob/
> > >
> > > old# ssh bob at localhost
> > > bob at localhost's password: MYDOMPASSWORD
> > > bob$
> > >
> > > What!?
> > >
> > > old# klist
> > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > >
> > >
> > > Kerberos 4 ticket cache: /tmp/tkt0
> > > klist: You have no tickets cached
> > >
> > > old# net rpc testjoin
> > > Join to 'MYDOM' is OK
> > > [root at smb1 root]# net rpc testjoin -d 1
> > > Join to 'MYDOM' is OK
> > > old# net rpc testjoin -d 3
> > > [2004/05/02 09:27:00, 3] param/loadparm.c:lp_load(3926)
> > >   lp_load: refreshing parameters
> > > [2004/05/02 09:27:00, 3] param/loadparm.c:init_globals(1303)
> > >   Initialising global parameters
> > > [2004/05/02 09:27:00, 3] param/params.c:pm_process(566)
> > >   params.c:pm_process() - Processing configuration file
> > > "/etc/samba/smb.conf"
> > > [2004/05/02 09:27:00, 3] param/loadparm.c:do_section(3429)
> > >   Processing section "[global]"
> > > [2004/05/02 09:27:00, 2] lib/interface.c:add_interface(79)
> > >   added interface ip=192.168.1.104 bcast=192.168.1.255 nmask=255.255.255.0
> > > [2004/05/02 09:27:00, 3] libsmb/cliconnect.c:cli_start_connection(1290)
> > >   Connecting to host=THEDC
> > > [2004/05/02 09:27:00, 3] lib/util_sock.c:open_socket_out(690)
> > >   Connecting to 192.168.1.146 at port 445
> > > Join to 'MYDOM' is OK
> > > [2004/05/02 09:27:00, 2] utils/net.c:main(758)
> > >   return code = 0
> > >
> > > This machine is configured the same other than having a different 'netbios
> > > name' in smb.conf. Hmm, also it has samba-3.0.0-14 instead of 3.0.2. (I
> > > tested the other machine with 3.0.0-14 and 3.0.2.)
> > >
> > > I'm not sure what is happening here.
> > >
> > >
> >
>
>

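The two symptoms in the thread above, the MYDOM<0x1b> lookup that lmhosts could not answer when no -S was given and the connection to 192.168.1.146:445 that sat for 11 seconds before the NETLOGON challenge timed out, can be pulled out of `net -d 3` output mechanically. The script below is an added example, not part of the original thread or of Samba. It applies two checks to the debug records: which lmhosts(5) entries would satisfy each recorded lmhosts lookup (in Samba's lmhosts format a `#TT` suffix restricts an entry to NetBIOS name type 0xTT, an entry without a suffix matches every type), and how long each TCP connect took to reach its terminal "return critical error" or "return code" message together with the first NT_STATUS code that followed. The sample log text and lmhosts content are copied from the thread with the e-mail line wrapping undone; the function names and the result layout are this example's own.

```python
"""Triage helper for Samba 3 'net ... -d 3' output (added example, not Samba code).

Check 1: for each "Attempting lmhosts lookup for name NAME<0xTT>" record, list the
lmhosts(5) entries that would answer it ("IP NAME#TT" matches only type 0xTT,
"IP NAME" with no suffix matches every type).
Check 2: pair each "Connecting to IP at port P" record with the next terminal
record and report elapsed seconds, timeout/completion and the first NT_STATUS code.
"""
import re
from datetime import datetime

# A debug record is a header line followed by one message line indented two spaces.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
LMHOSTS_LOOKUP = re.compile(r"Attempting lmhosts lookup for name (\S+?)<0x([0-9a-fA-F]{2})>")
CONNECT = re.compile(r"Connecting to (\d+\.\d+\.\d+\.\d+) at port (\d+)")
NTSTATUS = re.compile(r"(NT_STATUS_[A-Z_]+)")


def parse_debug(text):
    """Return [(timestamp, level, source_location, message), ...]; plain command
    output (user lists, prompts, blank lines) is skipped."""
    records, pending = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            pending = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                       int(m.group(2)), m.group(3))
        elif pending and raw.startswith("  "):
            records.append(pending + (raw.strip(),))
            pending = None
    return records


def parse_lmhosts(text):
    """Return [(ip, NAME, type_or_None), ...] from lmhosts(5) content."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        ip, name = line.split()[:2]
        base, _, suffix = name.partition("#")  # "THEDC#20" -> THEDC, type 0x20
        entries.append((ip, base.upper(), int(suffix, 16) if suffix else None))
    return entries


def lmhosts_answers(entries, name, nb_type):
    """IPs of lmhosts entries that satisfy a lookup for NAME<0xTT>."""
    return [ip for ip, ename, etype in entries
            if ename == name.upper() and etype in (None, nb_type)]


def check_name_lookups(records, lmhosts_entries):
    """[(name, type, [matching ips]), ...] for each lmhosts lookup in the log."""
    out = []
    for _, _, _, msg in records:
        m = LMHOSTS_LOOKUP.search(msg)
        if m:
            name, nb_type = m.group(1), int(m.group(2), 16)
            out.append((name, nb_type, lmhosts_answers(lmhosts_entries, name, nb_type)))
    return out


def check_rpc_timing(records):
    """One dict per TCP connect: target, seconds until the terminal message,
    outcome, and the first NT_STATUS code seen before the next connect."""
    starts = [i for i, r in enumerate(records) if CONNECT.search(r[3])]
    results = []
    for n, i in enumerate(starts):
        ts, _, _, msg = records[i]
        m = CONNECT.search(msg)
        end = starts[n + 1] if n + 1 < len(starts) else len(records)
        result = {"target": f"{m.group(1)}:{m.group(2)}", "elapsed_s": None,
                  "outcome": "no terminal message", "status": None}
        for ts2, _, _, msg2 in records[i + 1:end]:
            s = NTSTATUS.search(msg2)
            if s and result["status"] is None:
                result["status"] = s.group(1)
            if result["elapsed_s"] is None and (
                    "return critical error" in msg2 or msg2.startswith("return code")):
                result["elapsed_s"] = (ts2 - ts).total_seconds()
                result["outcome"] = "timeout" if "timed out" in msg2 else "completed"
        results.append(result)
    return results


# Constructed samples: the 'net rpc join -S thedc -d 3' and
# 'net rpc join -U Administrator -d 3' records from the thread, one message per
# line, plus the lmhosts file shown there.
FAILED_JOIN = """\
[2004/05/02 09:14:32, 3] libsmb/namequery.c:resolve_lmhosts(850)
  resolve_lmhosts: Attempting lmhosts lookup for name thedc<0x20>
[2004/05/02 09:14:32, 3] lib/util_sock.c:open_socket_out(710)
  Connecting to 192.168.1.146 at port 445
[2004/05/02 09:14:43, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
[2004/05/02 09:14:43, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
  cli_nt_setup_creds: request challenge failed
[2004/05/02 09:14:43, 3] libsmb/trusts_util.c:just_change_the_password(43)
  just_change_the_password: unable to setup creds (NT_STATUS_UNSUCCESSFUL)!
"""
NO_SERVER = """\
[2004/05/02 02:47:50, 3] libsmb/namequery.c:resolve_lmhosts(850)
  resolve_lmhosts: Attempting lmhosts lookup for name MYDOM<0x1b>
[2004/05/02 02:47:51, 1] utils/net.c:net_find_server(274)
  no server to connect to
"""
LMHOSTS = "127.0.0.1 localhost\n192.168.1.146   THEDC#20\n"

if __name__ == "__main__":
    entries = parse_lmhosts(LMHOSTS)
    for label, log in (("no -S", NO_SERVER), ("-S thedc", FAILED_JOIN)):
        recs = parse_debug(log)
        print(label, "lmhosts lookups:", check_name_lookups(recs, entries))
        print(label, "rpc timing:", check_rpc_timing(recs))
```

Run against the thread's own data, the first check shows that the lmhosts file carries a type-0x20 entry for THEDC and nothing that answers the MYDOM<0x1b> (domain master browser) lookup that net_find_server issued when no -S was given, and the second check reports an 11.0 s gap between the connect to 192.168.1.146:445 and the "Call timed out" error, with NT_STATUS_UNSUCCESSFUL as the first status code after it. The timing check deliberately scopes its search to the records before the next connect, so a log holding several `net` runs back to back is not cross-contaminated.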