[Samba] Winbindd startup kerberos fail

Joe hishadow at netcabo.pt
Sun Aug 15 11:21:11 GMT 2004


I'm trying to learn about the interactions between SAMBA and Win2k
DCs.  The eventual goal is to have a Win2k server with ADS working with
a FreeBSD SAMBA server.  I've used the setup from
http://oslabs.mikro-net.com/fbsd_samba.html  and many other articles as
the basis for what I've done so far.  Winbind seems to work and I can
show users and groups using wbinfo although I see some things in the
logs that I haven't been able to figure out.

I'm using a Win2k native domain, FreeBSD 5.2-RELEASE, and Samba 3.0.4. 
The domain is HOME, the win2k server is frosty.home.local and the Samba
machine is kara.home.local.

I'm working my way through the initial startup of winbindd, and have the
following in my logs.  I can't figure out what the failure is at the
end; could it be that the machine password stored on KARA is wrong?

I can use kinit and get tickets for users from the kerberos server, and
access user-specific shares with smbclient.

--------------------
[2004/08/15 08:00:05, 5] nsswitch/winbindd_cm.c:cm_open_connection(256)
  connecting to FROSTY from KARA with kerberos principal [KARA$@HOME.LOCAL]
[2004/08/15 08:00:05, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:wcache_flush_cache(66)
  wcache_flush_cache success
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:alternate_name(1326)
  alternate_name: [Cached] - doing backend query for info for domain HOME
[2004/08/15 08:00:05, 3] nsswitch/winbindd_ads.c:alternate_name(932)
  ads: alternate_name
[2004/08/15 08:00:05, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No such file or directory)
-----------------------

If anyone can point me to anything more I can read to help me explain
what's going on I would appreciate it.

I have attached the full log, and smb.conf in case they are useful.

Thanks,
Joe.
-------------- next part --------------
[2004/08/15 08:00:04, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.4 started.
  Copyright The Samba Team 2000-2004
[2004/08/15 08:00:04, 2] param/loadparm.c:do_section(3392)
  Processing section "[homes]"
[2004/08/15 08:00:04, 2] param/loadparm.c:do_section(3392)
  Processing section "[storage]"
[2004/08/15 08:00:05, 2] lib/interface.c:add_interface(79)
  added interface ip=10.0.0.102 bcast=10.0.0.255 nmask=255.255.255.0
[2004/08/15 08:00:05, 2] lib/interface.c:add_interface(79)
  added interface ip=10.0.0.102 bcast=10.0.0.255 nmask=255.255.255.0
[2004/08/15 08:00:05, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
  Registered MSG_REQ_POOL_USAGE
[2004/08/15 08:00:05, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/08/15 08:00:05, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
  add_trusted_domain: HOME is an NT4  domain
[2004/08/15 08:00:05, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain HOME HOME.LOCAL S-0-0
[2004/08/15 08:00:05, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(110)
  IPC$ connections done anonymously
[2004/08/15 08:00:05, 5] nsswitch/winbindd_cm.c:cm_open_connection(256)
  connecting to FROSTY from KARA with kerberos principal [KARA$@HOME.LOCAL]
[2004/08/15 08:00:05, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:wcache_flush_cache(66)
  wcache_flush_cache success
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:alternate_name(1326)
  alternate_name: [Cached] - doing backend query for info for domain HOME
[2004/08/15 08:00:05, 3] nsswitch/winbindd_ads.c:alternate_name(932)
  ads: alternate_name
[2004/08/15 08:00:05, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No such file or directory)
[2004/08/15 08:00:05, 5] nsswitch/winbindd_util.c:add_trusted_domains(207)
  scanning trusted domain list
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:trusted_domains(1301)
  trusted_domains: [Cached] - doing backend query for info for domain HOME
[2004/08/15 08:00:05, 3] nsswitch/winbindd_ads.c:trusted_domains(832)
  ads: trusted_domains
[2004/08/15 08:00:05, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(110)
  IPC$ connections done anonymously
[2004/08/15 08:00:05, 5] nsswitch/winbindd_cm.c:cm_open_connection(256)
  connecting to FROSTY from KARA with kerberos principal [KARA$@HOME.LOCAL]
[2004/08/15 08:00:05, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/15 08:00:05, 10] nsswitch/winbindd_util.c:add_trusted_domains(226)
  Found domain HOME
[2004/08/15 08:00:05, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
  add_trusted_domain: BUILTIN is an NT4  domain
[2004/08/15 08:00:05, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN  S-1-5-32
[2004/08/15 08:00:05, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
  add_trusted_domain: KARA is an NT4  domain
[2004/08/15 08:00:05, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain KARA  S-1-5-21-3424855220-147354258-856157331
[2004/08/15 08:00:05, 5] nsswitch/winbindd_util.c:add_trusted_domains(207)
  scanning trusted domain list
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:trusted_domains(1301)
  trusted_domains: [Cached] - doing backend query for info for domain HOME
[2004/08/15 08:00:05, 3] nsswitch/winbindd_ads.c:trusted_domains(832)
  ads: trusted_domains
[2004/08/15 08:00:05, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(110)
  IPC$ connections done anonymously
[2004/08/15 08:00:05, 5] nsswitch/winbindd_cm.c:cm_open_connection(256)
  connecting to FROSTY from KARA with kerberos principal [KARA$@HOME.LOCAL]
[2004/08/15 08:00:05, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/15 08:00:05, 10] nsswitch/winbindd_util.c:add_trusted_domains(226)
  Found domain HOME
[2004/08/15 08:00:05, 10] nsswitch/winbindd_util.c:open_winbindd_socket(673)
  open_winbindd_socket: opened socket fd 15
[2004/08/15 08:00:05, 10] nsswitch/winbindd_util.c:open_winbindd_priv_socket(685)
  open_winbindd_priv_socket: opened socket fd 17

************** Start 'wbinfo -g' ********************

[2004/08/15 08:01:10, 6] nsswitch/winbindd.c:new_connection(343)
  accepted socket 18
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn INTERFACE_VERSION
[2004/08/15 08:01:10, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [37379]: request interface version
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2004/08/15 08:01:10, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [37379]: request location of privileged pipe
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:client_write(557)
  client_write: need to write 34 extra data bytes.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 34 bytes.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:client_write(546)
  client_write: client_write: complete response written.
[2004/08/15 08:01:10, 6] nsswitch/winbindd.c:new_connection(343)
  accepted socket 19
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/08/15 08:01:10, 5] nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 18, pid 37379: EOF
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:process_request(308)
  process_request: request fn LIST_GROUPS
[2004/08/15 08:01:10, 3] nsswitch/winbindd_group.c:winbindd_list_groups(848)
  [37379]: list groups
[2004/08/15 08:01:10, 4] nsswitch/winbindd_group.c:get_sam_group_entries(564)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2004/08/15 08:01:10, 2] lib/smbldap.c:smbldap_search_domain_info(1344)
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=KARA))]
[2004/08/15 08:01:10, 2] lib/smbldap.c:smbldap_open_connection(639)
  smbldap_open_connection: connection opened
[2004/08/15 08:01:11, 1] lib/smbldap.c:add_new_domain_info(1314)
  failed to add domain dn= sambaDomainName=KARA,dc=home,dc=local with: No such attribute
  	00000057: LdapErr: DSID-0C09098B, comment: Error in attribute conversion operation, data 0, v893
[2004/08/15 08:01:11, 0] lib/smbldap.c:smbldap_search_domain_info(1363)
  Adding domain info for KARA failed with NT_STATUS_UNSUCCESSFUL
[2004/08/15 08:01:11, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(2740)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
  pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
[2004/08/15 08:01:12, 2] passdb/pdb_ldap.c:ldapsam_setsamgrent(2248)
  ldapsam_setsampwent: 0 entries in the base!
[2004/08/15 08:01:12, 4] nsswitch/winbindd_group.c:get_sam_group_entries(573)
  get_sam_group_entries: Returned 0 local groups
[2004/08/15 08:01:12, 4] nsswitch/winbindd_group.c:get_sam_group_entries(564)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2004/08/15 08:01:13, 2] passdb/pdb_ldap.c:ldapsam_setsamgrent(2248)
  ldapsam_setsampwent: 0 entries in the base!
[2004/08/15 08:01:13, 4] nsswitch/winbindd_group.c:get_sam_group_entries(573)
  get_sam_group_entries: Returned 0 local groups
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:fetch_cache_seqnum(272)
  fetch_cache_seqnum: invalid data size key [SEQNUM/HOME]
[2004/08/15 08:01:13, 3] nsswitch/winbindd_ads.c:sequence_number(792)
  ads: fetch sequence_number for HOME
[2004/08/15 08:01:13, 7] nsswitch/winbindd_ads.c:ads_cached_connection(48)
  Current tickets expire at 1092589241
  , time is now 1092553273
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(325)
  store_cache_seqnum: success [HOME][245716 @ 1092553273]
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(380)
  refresh_sequence_number: HOME seq number is now 245716
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:enum_dom_groups(818)
  enum_dom_groups: [Cached] - doing backend query for list for domain HOME
[2004/08/15 08:01:13, 3] nsswitch/winbindd_ads.c:enum_dom_groups(230)
  ads: enum_dom_groups
[2004/08/15 08:01:13, 7] nsswitch/winbindd_ads.c:ads_cached_connection(48)
  Current tickets expire at 1092589241
  , time is now 1092553273
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Administrators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Users !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Guests !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Backup Operators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Replicator !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Server Operators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Account Operators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Print Operators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Pre-Windows 2000 Compatible Access !?
[2004/08/15 08:01:13, 3] nsswitch/winbindd_ads.c:enum_dom_groups(296)
  ads enum_dom_groups gave 15 entries
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(355)
  refresh_sequence_number: HOME time ok
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(380)
  refresh_sequence_number: HOME seq number is now 245716
[2004/08/15 08:01:13, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 1300 bytes.
[2004/08/15 08:01:13, 10] nsswitch/winbindd.c:client_write(557)
  client_write: need to write 309 extra data bytes.
[2004/08/15 08:01:13, 10] nsswitch/winbindd.c:client_write(512)
  client_write: wrote 309 bytes.
[2004/08/15 08:01:13, 10] nsswitch/winbindd.c:client_write(546)
  client_write: client_write: complete response written.
[2004/08/15 08:01:13, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/08/15 08:01:13, 5] nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 19, pid 37379: EOF
[2004/08/15 08:01:30, 10] nsswitch/winbindd.c:winbind_client_read(458)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2004/08/15 08:01:30, 5] nsswitch/winbindd.c:winbind_client_read(465)
  read failed on sock 8, pid 37374: EOF
-------------- next part --------------
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors. 
#

#======================= Global Settings =====================================
[global]
   security = ADS
   realm = home.local
   workgroup = HOME
   netbios name = KARA
   server string = Hi I'm Kara

   encrypt passwords = yes
   password server = *
   passdb backend = ldapsam:ldaps://frosty.home.local
   ldap suffix = dc=home,dc=local
   ldap admin dn = cn=ldapgoddess,cn=users,dc=home,dc=local
   ldap filter = (&(uid=%u)(objectclass=person))
   ldap filter = (&(uid=%u)(objectCategory=person)(objectClass=user)(sAMAccountName=*))
   ldap server = frosty.home.local
   ldap ssl = on
   restrict anonymous = 2

;   server signing = mandatory
   server schannel = yes
;   ntlm auth = no
;   lm announce = no
;   minprotocol = NT1
   
   client schannel = yes
;   client signing = mandatory
;   client signing = auto
   client ntlmv2 auth = yes
   ;;;;;may be broken according to man page, for win2k3
#   client use spnego = yes
   
   winbind separator = +
   idmap uid = 10000-11000
   idmap gid = 10000-11000
; disable enum to reduce noise in logs
;   winbind enum users = Yes
;   winbind enum groups = Yes
   winbind enum users = no
   winbind enum groups = no
   template shell = /usr/local/bin/bash
   template homedir = /home/%D/%U

   log file = /var/log/samba/log.%m
   max log size = 100
   log level = 2 passdb:2 winbind:10 auth:2

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[storage]
   path = /home/share
   readonly = no
   guest ok = Yes
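
Added example, not part of the original post or of Samba: a small Python parser for the debug-log format shown in the attachment, which groups each `[timestamp, level] file:function(line)` header with its message lines and filters a level-10 winbindd log down to the low-level entries. It also tolerates a header that a mail client has wrapped onto two lines; the function names are hypothetical, and the sample lines are copied from the log in this post.

```python
import re
from collections import Counter

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
SOURCE = re.compile(r"^(\S+):(\w+)\((\d+)\)$")

def parse_samba_log(text):
    """Return one record per debug header, with its message lines attached."""
    records, pending, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        stamp = STAMP.match(line)
        if stamp:
            pending = (stamp.group(1), int(stamp.group(2)))
            line = stamp.group(3)
            if not line:  # header wrapped by a mail client: source is on the next line
                continue
        src = SOURCE.match(line) if pending else None
        if src:
            current = {"time": pending[0], "level": pending[1],
                       "file": src.group(1), "func": src.group(2), "msg": []}
            records.append(current)
        elif line and current is not None:
            current["msg"].append(line)
        pending = None
    return records

def at_or_below(records, max_level=1):
    """Keep records at or below max_level (lower levels appear at lower verbosity)."""
    return [r for r in records if r["level"] <= max_level]

def by_function(records):
    """Collapse repeated messages into a count per emitting function."""
    return Counter(r["func"] for r in records)

# Sample lines copied from the log in this post; the first header is mail-wrapped.
SAMPLE = """\
[2004/08/15 08:00:05, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/15 08:00:05, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No such file or directory)
[2004/08/15 08:01:11, 0] lib/smbldap.c:smbldap_search_domain_info(1363)
  Adding domain info for KARA failed with NT_STATUS_UNSUCCESSFUL
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Administrators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
  No rid for Users !?
"""
```

Calling `by_function(at_or_below(parse_samba_log(SAMPLE)))` gives one count per function that logged at level 0 or 1, so repeated lines such as the `No rid for ...` entries collapse into a single row.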


