Is there some way to force winbindd to use msrpc rather than ads?

Richard Sharpe realrichardsharpe at gmail.com
Tue Jun 4 13:01:21 MDT 2013


On Tue, Jun 4, 2013 at 1:19 AM, Matthieu Patou <mat at samba.org> wrote:
> On 06/03/2013 09:25 PM, Richard Sharpe wrote:
>> Hi folks,
>>
>> I am having a problem where we cannot use ADS for querying the DCs but
>> winbindd seems to always want to do that. This causes the following
>> problems:
>>
>> [2013/06/04 12:13:40.657627, 10]
>> winbindd/winbindd_dual_ndr.c:315(winbindd_dual_ndrcmd)
>>   winbindd_dual_ndrcmd: Running command WBINT_LOOKUPUSERGROUPS (AYAY)
>> [2013/06/04 12:13:40.657705, 10]
>> winbindd/winbindd_cache.c:461(fetch_cache_seqnum)
>>   fetch_cache_seqnum: success [APAC][4294967295 @ 1370319151]
>> [2013/06/04 12:13:40.657756, 10]
>> winbindd/winbindd_cache.c:4601(wcache_tdc_fetch_domain)
>>   wcache_tdc_fetch_domain: Searching for domain AYAY
>> [2013/06/04 12:13:40.657835, 10]
>> winbindd/winbindd_cache.c:4616(wcache_tdc_fetch_domain)
>>   wcache_tdc_fetch_domain: Found domain AYAY
>> [2013/06/04 12:13:40.657884,  3] winbindd/winbindd_ads.c:1251(sequence_number)
>>   ads: fetch sequence_number for AYAY
>> [2013/06/04 12:13:40.657925, 10]
>> winbindd/winbindd_cache.c:4601(wcache_tdc_fetch_domain)
>>   wcache_tdc_fetch_domain: Searching for domain AYAY
>> [2013/06/04 12:13:40.657994, 10]
>> winbindd/winbindd_cache.c:4616(wcache_tdc_fetch_domain)
>>   wcache_tdc_fetch_domain: Found domain AYAY
>> [2013/06/04 12:13:40.658041, 10]
>> winbindd/winbindd_ads.c:54(ads_cached_connection)
>>   ads_cached_connection
>> [2013/06/04 12:13:42.508853,  0] libads/sasl.c:908(ads_sasl_spnego_bind)
>>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Decrypt
>> integrity check failed
>
> Would be interesting to understand why the integrity check failed.

The integrity check failed because the SPN attribute has been removed
from the machine account to force the use of NTLM because the customer
has accounts with spaces in their names and we use Heimdal and blah
blah.

The problem with spaces in their names has now been fixed in master
and we have a fix for it as well, but the customer does not want to
deploy that yet.

-- 
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. --Cao Cao)

