FW: [Samba] Samba requesting nonexistent keytab type?

Brian Spiegel BSpiegel at Matchnet.com
Thu Jan 8 02:42:23 GMT 2004


Hi all,

I've downloaded and installed the 3.0.2pre1 package.  However, I've not
managed to get winbindd working.  I've run into a credentials cache problem
(so I haven't been able to even get to the point I was at before).

My krb5.conf and pam settings haven't changed and I'm using the same
smb.conf as before.  I'm using MIT Kerberos 1.3.1 (in /usr/kerberos/).  Here
are some excerpts from the winbindd log file (at debug level 10).


[2004/01/07 16:15:34, 3] libsmb/cliconnect.c:cli_session_setup_spnego(705)
  got principal=dc01$@DOMAIN.COM
[2004/01/07 16:15:34, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(509)
  Doing kerberos session setup
[2004/01/07 16:15:34, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/01/07 16:15:34, 4] nsswitch/winbindd_cm.c:cm_open_connection(186)
  failed kerberos session setup with NT_STATUS_UNSUCCESSFUL
[2004/01/07 16:15:34, 5] nsswitch/winbindd_cm.c:cm_open_connection(218)
  anonymous connection attempt to DC01 from SOME-SERVER

... a bunch of data for pipe/connection (I think)...

[2004/01/07 16:15:34, 3] nsswitch/winbindd_util.c:add_trusted_domain(142)
  add_trusted_domain: DOMAIN is a native mode domain
[2004/01/07 16:15:34, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain DOMAIN DOMAIN.COM
[2004/01/07 16:15:34, 10] nsswitch/winbindd_cache.c:wcache_flush_cache(66)
  wcache_flush_cache success
[2004/01/07 16:15:34, 10] nsswitch/winbindd_cache.c:alternate_name(1306)
  alternate_name: [Cached] - doing backend query for info for domain DOMAIN
[2004/01/07 16:15:34, 3] nsswitch/winbindd_ads.c:alternate_name(952)
  ads: alternate_name
[2004/01/07 16:15:34, 6] libads/ldap.c:ads_find_dc(147)
  ads_find_dc: looking for realm 'DOMAIN.COM'
[2004/01/07 16:15:34, 8] libsmb/namequery.c:get_sorted_dc_list(1215)
  get_sorted_dc_list: attempting lookup using [hosts]
[2004/01/07 16:15:34, 10] libsmb/namequery.c:remove_duplicate_addrs2(312)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2004/01/07 16:15:34, 4] libsmb/namequery.c:get_dc_list(1350)
  get_dc_list: returning 1 ip addresses in an ordered list
[2004/01/07 16:15:34, 4] libsmb/namequery.c:get_dc_list(1351)
  get_dc_list: 192.168.3.2:389
[2004/01/07 16:15:34, 5] libads/ldap.c:ads_try_connect(56)
  ads_try_connect: trying ldap server '192.168.3.2' port 389
[2004/01/07 16:15:34, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 192.168.3.2
[2004/01/07 16:15:34, 3] libads/ldap.c:ads_server_info(2030)
  got ldap server name dc01 at DOMAIN.COM, using bind path: dc=DOMAIN,dc=COM

... some more junk...

[2004/01/07 16:15:34, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
  got principal=dc01$@DOMAIN.COM
[2004/01/07 16:15:34, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/01/07 16:15:34, 1] nsswitch/winbindd_ads.c:ads_cached_connection(65)
  ads_connect for domain DOMAIN failed: Operations error
[2004/01/07 16:15:34, 1] nsswitch/winbindd_util.c:init_domain_list(284)
  Could not fetch sid for our domain DOMAIN
[2004/01/07 16:15:34, 0] nsswitch/winbindd_util.c:rescan_trusted_domains(170)
  rescan_trusted_domains: Can't find my own domain!

The machine had been joined to the AD domain some time back (IP share access
was working yesterday) and a kinit gets my principal.

  $ klist -e
  Ticket cache: FILE:/tmp/krb5cc_501
  Default principal: username at DOMAIN.COM
 
  Valid starting     Expires            Service principal
  01/07/04 15:47:17  01/08/04 01:45:18  krbtgt/DOMAIN.COM at DOMAIN.COM
        renew until 01/08/04 15:47:17, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
  01/07/04 15:50:02  01/08/04 01:45:18  dc01$@DOMAIN.COM
        renew until 01/08/04 15:47:17, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5


Is there something I'm missing with my setup?  Where does winbindd look for
the credentials cache by default?  

Below is my smb.conf.  The pam settings for samba and login are identical to
that in the HOW-TO at samba.org.  Same with the krb5.conf file.

Any ideas?  I've got a deadline approaching and I'm really in a crunch.  Any
help is appreciated.

Thanks,
Brian


smb.conf:
[global]
; smbd settings
    log level = 3
    log file = /var/log/samba/log.%m
    server string = %u [Samba Server %v]
; Active Directory settings
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.COM
    client use spnego = yes
    use spnego = yes
    local master = no
    domain master = no
    preferred master = no
    domain logons = no
    os level = 0
; winbind stuff
    winbind separator = +
    allow trusted domains = no
    obey pam restrictions = yes
    winbind enum users = yes
    idmap uid = 10000-20000
    winbind enum groups = yes
    idmap gid = 10000-20000
    password server = 192.168.3.2
    encrypt passwords = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
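
An added triage example, not part of the original post and not Samba code: it reduces a debug-level-10 winbindd log like the excerpt above to its level 0 and 1 entries, so the failure chain stands out from the trace noise. The function names are hypothetical, SAMPLE is built from lines quoted in the post, and a header that a mail client wrapped after the closing bracket is still parsed.

```python
import re

# Samba debug entry header: "[date time, level] source.c:function(line)".
# \s+ after "]" also matches a newline, so a wrapped header is accepted.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+"
    r"([\w./-]+):(\w+)\((\d+)\)[ \t]*$",
    re.MULTILINE,
)

# Constructed sample: lines taken from the log excerpt in the post.
SAMPLE = """\
[2004/01/07 16:15:34, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(509)
  Doing kerberos session setup
[2004/01/07 16:15:34, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/01/07 16:15:34, 4] nsswitch/winbindd_cm.c:cm_open_connection(186)
  failed kerberos session setup with NT_STATUS_UNSUCCESSFUL
[2004/01/07 16:15:34, 1] nsswitch/winbindd_ads.c:ads_cached_connection(65)
  ads_connect for domain DOMAIN failed: Operations error
[2004/01/07 16:15:34, 0]
nsswitch/winbindd_util.c:rescan_trusted_domains(170)
  rescan_trusted_domains: Can't find my own domain!
"""

def parse_entries(text):
    """Split a log into entries; the message runs up to the next header."""
    headers = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        lines = [ln.strip() for ln in text[m.end():end].splitlines()]
        entries.append({
            "time": m.group(1), "level": int(m.group(2)),
            "source": m.group(3), "function": m.group(4),
            "line": int(m.group(5)),
            "message": " ".join(ln for ln in lines if ln),
        })
    return entries

def failures(entries, max_level=1):
    """Keep entries at or below max_level (0 and 1 are the error levels here)."""
    return [e for e in entries if e["level"] <= max_level]

if __name__ == "__main__":
    for e in failures(parse_entries(SAMPLE)):
        print(f'{e["level"]} {e["source"]}:{e["function"]}  {e["message"]}')
```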

