[Samba] winbind + ads: only works for 10 hours?

Jon Noack noackjr at alumni.rice.edu
Fri Mar 26 21:42:43 GMT 2004


I run FreeBSD 5.2.1 and recently configured Samba 3.0.2a (from ports) 
for ADS using the FreeBSD-bundled krb5 (Heimdal 0.6, I believe) and 
OpenLDAP 2.1.28 (from ports).  It is setup to authenticate off a Windows 
2000 Domain Controller and is primarily used to provide proxy 
authentication for Squid.  I will share more about my configuration if 
asked, but as it works flawlessly at first I think it's something minor.

Everything works quite well until 10 hours after winbindd was started. 
Then requests get denied.  I set up a cron job to demonstrate this.  The 
cron job just logs the time and the output of "wbinfo -t" every five 
minutes:

**********************************************************************
<started winbindd>
2004/03/26 02:50:00| checking the trust secret via RPC calls succeeded
2004/03/26 02:55:00| checking the trust secret via RPC calls succeeded
<snip>
2004/03/26 12:45:00| checking the trust secret via RPC calls succeeded
2004/03/26 12:50:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
2004/03/26 12:55:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
**********************************************************************

Some research showed this was probably kerberos tickets expiring or not 
being renewed.  I looked up the ticket lifetimes for Windows 2000 and 
plugged those into my krb5.conf (hostnames changed):

**********************************************************************
$ less /etc/krb5.conf
[logging]
         default = FILE:/var/log/krb5.log

[libdefaults]
         default_realm = EXAMPLE.ORG
         default_etypes = des-cbc-crc
         default_etypes_des = des-cbc-crc
         ticket_lifetime = 36000
         renew_lifetime = 604800

[realms]
         EXAMPLE.ORG = {
                 kdc = dc1.example.org
                 kdc = dc2.example.org
                 admin_server = dc1.example.org
                 default_domain = example.org
         }

# section name corrected: both Heimdal and MIT read [domain_realm], not [domain_realms]
[domain_realm]
         .example.org = EXAMPLE.ORG
         example.org = EXAMPLE.ORG
**********************************************************************

I then tested whether renewing worked (hostnames changed):

**********************************************************************
$ kinit
noackjr@EXAMPLE.ORG's Password:
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
         Principal: noackjr@EXAMPLE.ORG
     Cache version: 4

Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Ticket etype: des-cbc-crc
Auth time:  Mar 26 15:29:19 2004
End time:   Mar 27 01:29:19 2004
Renew till: Apr  2 15:29:19 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:10.0.0.2

$ kinit -R
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
         Principal: noackjr@EXAMPLE.ORG
     Cache version: 4

Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Ticket etype: des-cbc-crc
Auth time:  Mar 26 15:29:19 2004
Start time: Mar 26 15:29:26 2004
End time:   Mar 27 01:29:26 2004
Renew till: Apr  2 15:29:19 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:10.0.0.2
**********************************************************************

In any case, I still see the exact same behavior (death after 10 hours). 
There is nothing in /var/log/krb5.log.  Can anyone shed some light on 
this for me?  I suppose I could restart winbindd every 9 hours...

Thanks,
Jon Noack
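Added example (not part of Jon's post and not Samba or Heimdal code): the two artifacts above, the `klist -v` dump and the five-minute `wbinfo -t` log, contain what a monitoring check needs. This script parses both: it tells a ticket that is past its End time but still inside Renew till (so `kinit -R` could still extend it) from one that is dead, and it measures how long after the first successful trust check the first failure appears. The sample strings are constructed in the same layout as the post's output; function names (`parse_klist`, `ticket_status`, `classify_tickets`, `trust_check_outage`) are my own. Note that the configured `ticket_lifetime = 36000` seconds is exactly 10 hours, the interval the sample log reproduces.

```python
# Added example (not from the original post): parse Heimdal-style `klist -v`
# output and a wbinfo cron log to distinguish an expired-but-renewable ticket
# from a dead one, and to measure time-to-failure of the trust secret check.
import re
from datetime import datetime

KLIST_TIME_FMT = "%b %d %H:%M:%S %Y"   # e.g. "Mar 26 15:29:19 2004"
LOG_TIME_FMT = "%Y/%m/%d %H:%M:%S"     # e.g. "2004/03/26 02:50:00"
WBINFO_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| "
    r"checking the trust secret via RPC calls (succeeded|failed)"
)

# Constructed sample input, laid out like the post's `klist -v` output.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@EXAMPLE.ORG
    Cache version: 4

Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Ticket etype: des-cbc-crc
Auth time:  Mar 26 15:29:19 2004
End time:   Mar 27 01:29:19 2004
Renew till: Apr  2 15:29:19 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:10.0.0.2
"""

# Constructed sample cron log in the same shape as the post's (middle snipped).
SAMPLE_LOG = """\
2004/03/26 02:50:00| checking the trust secret via RPC calls succeeded
2004/03/26 02:55:00| checking the trust secret via RPC calls succeeded
2004/03/26 12:45:00| checking the trust secret via RPC calls succeeded
2004/03/26 12:50:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
2004/03/26 12:55:00| checking the trust secret via RPC calls failed
"""


def _klist_time(text):
    """Parse a klist timestamp; collapse runs of spaces ("Apr  2") first."""
    return datetime.strptime(" ".join(text.split()), KLIST_TIME_FMT)


def parse_klist(output):
    """Return one dict per ticket block (Server / End time / Renew till / flags)."""
    tickets, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            current = {"server": line.split(":", 1)[1].strip(), "flags": set()}
            tickets.append(current)
        elif current is None:
            continue                      # cache header lines before the first ticket
        elif line.startswith("End time:"):
            current["end"] = _klist_time(line.split(":", 1)[1])
        elif line.startswith("Renew till:"):
            current["renew_till"] = _klist_time(line.split(":", 1)[1])
        elif line.startswith("Ticket flags:"):
            current["flags"] = {f.strip() for f in line.split(":", 1)[1].split(",")}
    return tickets


def ticket_status(ticket, now):
    """'valid' before End time; after it, 'renewable' only while the ticket has
    the renewable flag and Renew till has not passed; otherwise 'dead'."""
    if now < ticket["end"]:
        return "valid"
    if "renewable" in ticket["flags"] and now < ticket.get("renew_till", now):
        return "renewable"
    return "dead"


def classify_tickets(output, when_iso):
    """Map each server principal in the klist dump to its status at an ISO time."""
    now = datetime.fromisoformat(when_iso)
    return {t["server"]: ticket_status(t, now) for t in parse_klist(output)}


def trust_check_outage(log_text):
    """Return (first_success, first_failure, elapsed) from the wbinfo cron log,
    or None if the log records no failure."""
    first_ok = first_fail = None
    for line in log_text.splitlines():
        m = WBINFO_RE.match(line)
        if not m:
            continue                      # error-detail lines carry no timestamp
        stamp = datetime.strptime(m.group(1), LOG_TIME_FMT)
        if m.group(2) == "succeeded":
            first_ok = first_ok or stamp
        elif first_fail is None:
            first_fail = stamp
    if first_fail is None:
        return None
    return first_ok, first_fail, first_fail - (first_ok or first_fail)


if __name__ == "__main__":
    for server, status in classify_tickets(SAMPLE_KLIST, "2004-03-27T02:00:00").items():
        print(f"{server}: {status}")
    outage = trust_check_outage(SAMPLE_LOG)
    if outage:
        ok, fail, elapsed = outage
        print(f"trust check first failed at {fail}, {elapsed} after first success at {ok}")
```

Run it against a live box with `klist -v > dump.txt` and the cron log, or drop the parsing functions into whatever check script already watches winbindd; a status of "renewable" is the signal that a periodic `kinit -R` from the account winbindd uses would have kept the ticket alive, while "dead" means only a fresh `kinit` (or a restart that re-acquires the ticket) will.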


