[Samba] Winbind problem revisited

Brian Kesting bkesting at cityofwayne.org
Tue Dec 21 19:49:46 GMT 2004


Okay,

I started over from scratch with my samba server rebuild, but I am still
getting some weird issues.  Here are my config files of importance:

--------------/etc/samba/smb.conf--------------------
# Samba Configuration File
[global]
        workgroup = WAYNE
        realm = WAYNE.LOCAL
        server string = Samba Server
        security = ADS
        password server = police.wayne.local
        encrypt passwords = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind separator = +
        client signing = no
        client use spnego = no

[users]
        comment = Users on Linux
        path = /home/WAYNE
        read only = No
        browseable = Yes

-----------/etc/nsswitch.conf---------------------
passwd: compat winbind
group:  files dns compat winbind
shadow: files winbind

hosts:          dns winbind files lwres
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files winbind nis
aliases:        files winbind

------------/etc/pam.d/login--------------
#%PAM-1.0
auth     requisite      pam_unix2.so            nullok #set_secrpc
auth     required       pam_securetty.so
auth     required       pam_nologin.so
auth     sufficient     pam_winbind.so          use_first_pass use_authtok
#auth    required       pam_homecheck.so
auth     required       pam_env.so
auth     required       pam_mail.so
account  required       pam_unix2.so
account  sufficient     pam_winbind.so          use_first_pass use_authtok
password required       pam_pwcheck.so          nullok
password required       pam_unix2.so            nullok use_first_pass use_authtok
password sufficient     pam_winbind.so          use_first_pass use_authtok
session  required       pam_unix2.so            none # debug or trace
session  sufficient     pam_winbind.so          use_first_pass use_authtok
session  required       pam_limits.so
session  required       pam_resmgr.so

------------/etc/krb5.conf---------------
[libdefaults]
        default_realm = WAYNE.LOCAL
        clockskew = 300
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5

[realms]
        WAYNE.LOCAL = {
                kdc = 192.168.1.11
                default_domain = WAYNE.LOCAL
                admin_server = police.wayne.local
                kpasswd_server = police.wayne.local
        }

[domain_realm]
        .WAYNE.LOCAL = WAYNE.LOCAL
        WAYNE.LOCAL = WAYNE.LOCAL
        .wayne.local = WAYNE.LOCAL
        wayne.local = WAYNE.LOCAL

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                debug = false

I have joined the AD successfully and have gained a Kerberos ticket.  I can
resolve windows user names and groups with the following conditions:  If I
leave the "default_etypes" lines in krb5.conf, then I get this in my
/var/log/samba/log.smbd file and I am unable to access the samba shares:

[2004/12/21 13:32:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/12/21 13:32:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/12/21 13:32:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

If I comment the etype lines out, the smb log file looks good and I can
access samba shares, but the /var/log/samba/log.winbind looks like this:

[2004/12/21 12:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist
[2004/12/21 13:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist
[2004/12/21 13:32:04, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)

I also had this show up in /var/log/samba/log.winbind:

[2004/12/21 13:26:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
  ads_search_retry: failed to reconnect (Invalid credentials)

Any interpretations?

Thanks.

Brian