[Samba] winbind problems

Brian Kesting bkesting at cityofwayne.org
Tue Dec 21 04:29:53 GMT 2004


Ok, I will set that up tomorrow.  I had it set up at one time, but thought that if I didn't have local users logging into the local system I didn't need it.

I really appreciate your quick and informative responses to my questions, Thomas and everyone else... I really appreciate it.

---------- Original Message ----------------------------------
From: "Thomas M. Skeren III" <tms3 at fskklaw.com>
Date:  Mon, 20 Dec 2004 20:12:05 -0800

Brian Kesting wrote:

>Even if I do not have users logging into this samba box locally, I still need to edit /etc/pam.d/login?
>
Yes

>
>---------- Original Message ----------------------------------
>From: "Thomas M. Skeren III" <tms3 at fskklaw.com>
>Date:  Mon, 20 Dec 2004 18:31:53 -0800
>
>Brian Kesting wrote:
>
>>When I made those changes to krb5.conf I got the following in my smb log
>>and I could not access my samba share...
>>
>>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>> Failed to verify incoming ticket!
>>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>> Failed to verify incoming ticket!
>>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>> Failed to verify incoming ticket!
>>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>> Failed to verify incoming ticket!
>>
>>Not sure what I am missing, I may just start this whole project over from scratch and see if I have better luck.
>
>As I stated in my guide,
>
>Note:  If you have a server and it isn't a production server, has 
>nothing of value on it, and you have been stuffing programs on it to get 
>Samba to work with ADS , but failed, put that 5.3 Release install cd 
>into the cdrom drive, and reinstall FBSD 5.3 formatting the drives along 
>the way.  Don't bug me if you didn't start with a nice clean install.
>
>Make sure you have the pam.d/login stuff done.  Without it pam can't 
>authenticate non local users.
>
>>---------- Original Message ----------------------------------
>>From: "Thomas M. Skeren III" <tms3 at fskklaw.com>
>>Date:  Mon, 20 Dec 2004 17:50:47 -0800
>>
>>Brian Kesting wrote:
>>
>>>I am using Suse 9.2 and heimdal 0.6.2
>>
>>In that case you need:
>>
>>default_etypes = des-cbc-crc des-cbc-md5
>>default_etypes_des = des-cbc-crc des-cbc-md5
>>
>>In libdefaults.  Read my whole response as I made changes throughout 
>>your krb5.conf file.  You may also need a keytab file, but I doubt it.
>>
>>>---------- Original Message ----------------------------------
>>>From: "Thomas M. Skeren III" <tms3 at fskklaw.com>
>>>Date:  Mon, 20 Dec 2004 17:43:07 -0800
>>>
>>>Brian Kesting wrote:
>>>
>>>>My setup looks about identical to the setup you have listed in the link you provided.  
>>>>
>>>>Since this line:
>>>>libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>
>>>>keeps appearing in my winbind log file, I am thinking it is a kerberos problem too.  Do you see anything wrong with my /etc/krb5.conf file?
>>>>
>>>>[libdefaults]
>>>>     default_realm = WAYNE.LOCAL
>>>>     clockskew = 300
>>>
>>>Try adding:
>>>
>>>dns_lookup_realm = false
>>>dns_lookup_kdc = false
>>>
>>>Also which OS are you using? What Kerberos?  The default etypes lines 
>>>are necessary for Heimdal, but I don't think they are necessary for MIT.
>>>
>>>>[realms]
>>>>WAYNE.LOCAL = {
>>>>     kdc = police.wayne.local
>>>>     default_domain = WAYNE.LOCAL
>>>>     kpasswd_server = police.wayne.local
>>>>}
>>>
>>>Try:
>>>
>>>kdc =   KERBEROS.WAYNE.LOCAL
>>>admin_server = police.wayne.local
>>>default_domain = wayne.local
>>>
>>>>[domain_realm]
>>>>     .WAYNE.LOCAL = WAYNE.LOCAL
>>>
>>>Probably not enough info here.  Try: (Remember caps must be in caps).
>>>
>>>.wayne.local =  WAYNE.LOCAL
>>>wayne.local = WAYNE.LOCAL
>>>.WAYNE.LOCAL = WAYNE.LOCAL
>>>kerberos.server =  KERBEROS.WAYNE.LOCAL
>>>
>>>>[appdefaults]
>>>>pam = {
>>>>     ticket_lifetime = 365d
>>>>     renew_lifetime = 365d
>>>>     forwardable = true
>>>>     proxiable = false
>>>>     retain_after_close = true
>>>>     minimum_uid = 0
>>>
>>>Pam stuff is more OS dependent, so I have no suggestions here.  MAKE 
>>>SURE THAT YOUR SAMBA SERVER IS USING THE W2K ADS SERVER AS DNS----THIS IS 
>>>ABSOLUTELY CRITICAL.
>>>
>>>>---------- Original Message ----------------------------------
>>>>From: "Thomas M. Skeren III" <tms3 at fskklaw.com>
>>>>Date:  Mon, 20 Dec 2004 17:16:38 -0800
>>>>
>>>>Brian Kesting wrote:
>>>>
>>>>>Someone told me once to try to remove the Samba server from the domain, rename it, and rejoin the domain......would that solve any problems in your opinion?
>>>>
>>>>That is an odd solution, unless AD is mangled with respect to the samba 
>>>>server name.  Methinks you have a kerberos problem.  My servers are 
>>>>FreeBSD, but I do have a bare bones guide for setting up samba as an AD 
>>>>member server in FreeBSD.  If you use Linux it can only be a reference, 
>>>>but it's an easy read.
>>>>
>>>><http://www.fsklaw.com/fbsdconfig.html>
>>>>
>>>>>---------- Original Message ----------------------------------
>>>>>From: "Brian Kesting" <bkesting at cityofwayne.org>
>>>>>Reply-To: bkesting at cityofwayne.org
>>>>>Date:  Mon, 20 Dec 2004 18:05:47 -0600
>>>>>
>>>>>I read something about nscd causing problems before I even installed the system, so I never even installed that service.  
>>>>>
>>>>>Here is an updated /var/log/samba/log.winbindd file.....btw, thanks for the quick help and tips so far, I appreciate it.
>>>>>
>>>>>[2004/12/20 17:33:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>>[2004/12/20 17:38:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:43:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:45:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>user 'root' does not exist
>>>>>[2004/12/20 17:49:01, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:52:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
>>>>>ads_search_retry: failed to reconnect (Invalid credentials)
>>>>>
>>>>>
>>>>>---------- Original Message ----------------------------------
>>>>>From: Brett Stevens <brett.stevens at hubbub.com.au>
>>>>>Date:  Tue, 21 Dec 2004 10:33:30 +1100
>>>>>
>>>>>One thing I noticed when having similar problems is that for some reason
>>>>>nscd seems to be a problem. Stop this service and restart all samba services
>>>>>including smbd, nmbd and winbind.
>>>>>
>>>>>Let us know how it goes.
>>>>>
>>>>>Brett Stevens
>>>>>
>>>>>-----Original Message-----
>>>>>From: Brian Kesting [mailto:bkesting at cityofwayne.org] 
>>>>>Sent: Tuesday, December 21, 2004 10:29 AM
>>>>>To: samba at lists.samba.org
>>>>>Subject: [Samba] winbind problems
>>>>>
>>>>>
>>>>>Hello,
>>>>>
>>>>>I am running a Samba server (3.0.7) on a Suse 9.2 box.  I have connected
>>>>>this server successfully to a Windows 2000 Active Directory (mixed mode).  I
>>>>>have nsswitch.conf, krb5.conf configured and winbind seems to be running
>>>>>properly for the most part.  With wbinfo I can get all of my user and group
>>>>>information.  Problem is, it seems that at random times, the samba server
>>>>>just stops authenticating the windows user names and accounts.  If I restart
>>>>>the winbind or smb service, then all seems to be well again for a while.
>>>>>Right now the only way I can keep this running is to run a cron job that
>>>>>restarts the samba and winbind services every hour.  This is really bugging
>>>>>me as I cannot figure out what is going on.  Can anyone help me?  I have
>>>>>included some of my configuration and log files below.  Thanks in advance.
>>>>>
>>>>>---------/etc/samba/smb.conf----------
>>>>># Samba Configuration File
>>>>>
>>>>>[global]
>>>>>    workgroup = WAYNE
>>>>>    realm = WAYNE.LOCAL
>>>>>    server string = Samba Server
>>>>>    security = ADS
>>>>>    password server = adserver.wayne.local
>>>>>    encrypt passwords = yes
>>>>>    idmap uid = 10000-20000
>>>>>    idmap gid = 10000-20000
>>>>>    template shell = /bin/bash
>>>>>    winbind use default domain = no
>>>>>    winbind separator = /
>>>>>
>>>>>[users]
>>>>>    comment = Users on Linux
>>>>>    path = /home/WAYNE
>>>>>    read only = No
>>>>>    browseable = Yes
>>>>>
>>>>>---------/etc/nsswitch.conf-------
>>>>>passwd: files winbind
>>>>>group:  files winbind
>>>>>hosts:    files dns wins winbind
>>>>>networks: files dns
>>>>>
>>>>>---------/etc/krb5.conf-----------
>>>>>[libdefaults]
>>>>>    default_realm = WAYNE.LOCAL
>>>>>    clockskew = 300
>>>>>
>>>>>[realms]
>>>>>WAYNE.LOCAL = {
>>>>>    kdc = police.wayne.local
>>>>>    default_domain = WAYNE.LOCAL
>>>>>    kpasswd_server = adserver.wayne.local
>>>>>}
>>>>>[domain_realm]
>>>>>    .WAYNE.LOCAL = WAYNE.LOCAL
>>>>>[appdefaults]
>>>>>pam = {
>>>>>    ticket_lifetime = 365d
>>>>>    renew_lifetime = 365d
>>>>>    forwardable = true
>>>>>    proxiable = false
>>>>>    retain_after_close = true
>>>>>    minimum_uid = 0
>>>>>}
>>>>>
>>>>>----------/var/log/samba/log.smbd--------
>>>>>[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>>[2004/12/20 15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>>[2004/12/20 15:25:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>>[2004/12/20 15:25:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>>.
>>>>>.
>>>>>.
>>>>>[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>>[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>>[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>>
>>>>>----------/var/log/samba/log.winbindd-------------------
>>>>>[2004/12/20 16:51:07, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>>[2004/12/20 16:56:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 16:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>user 'root' does not exist
>>>>>[2004/12/20 17:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>user 'root' does not exist
>>>>>[2004/12/20 17:01:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:06:24, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:11:40, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>
>>>>>????
>
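
An added example, not part of the thread and not Samba code: a small Python triage script for the two-line log entries quoted above. It strips mail quoting, rejoins headers that were wrapped onto the end of the previous message line, and counts entries per failure type; the bucket names and the `SAMPLE` text are constructed for illustration.

```python
import re
from collections import Counter

# Samba 3 log entry: "[date time, level] file.c:function(line)", then the message line.
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d)\s+(\d\d:\d\d:\d\d),\s*\d+\]\s+(\S+?):(\w+)\((\d+)\)")

# Bucket names are hypothetical labels chosen for this example.
RULES = [
    ("Failed to verify incoming ticket", "krb5-ticket-rejected"),
    ("krb5_cc_get_principal failed", "krb5-ccache-missing"),
    ("is invalid on this system", "account-not-mapped"),
    ("Failed to parse NTLMSSP packet", "ntlmssp-parse-error"),
]

# Constructed sample from lines quoted in the thread: entry 1 is mail-wrapped, entry 4 is '>'-quoted.
SAMPLE = """\
[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username WAYNE/LIEUTENANT1$ is invalid on this system [2004/12/20
15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username WAYNE/LIEUTENANT1$ is invalid on this system
[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
krb5_cc_get_principal failed (No such file or directory)
>>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>> Failed to verify incoming ticket!
"""

def parse_entries(text):
    """Yield log entries as dicts; tolerates '>' quoting and wrapped headers."""
    lines = (re.sub(r"^[>\s]+", "", ln).rstrip() for ln in text.splitlines())
    flat = " ".join(ln for ln in lines if ln)  # re-fuses headers split across lines
    hits = list(HEADER.finditer(flat))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        date, time, src, func, line = m.groups()
        yield {"ts": f"{date} {time}", "source": src, "function": func,
               "line": int(line), "message": flat[m.end():end].strip()}

def classify(message):
    return next((b for needle, b in RULES if needle in message), "other")

def summarize(text):
    """Count entries per bucket and record when each bucket was first seen."""
    counts, first_seen = Counter(), {}
    for e in parse_entries(text):
        bucket = classify(e["message"])
        counts[bucket] += 1
        first_seen.setdefault(bucket, e["ts"])
    return counts, first_seen
```

Running `summarize()` over `log.smbd` and `log.winbindd` together shows which failure type appears first when authentication stops.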




