[Samba] Re: RedHat+Samba+Winbind to ADS

Antón avelo at optaresolutions.com
Mon Feb 21 13:10:43 GMT 2005


Andrew Bartlett wrote:

> On Wed, 2005-02-16 at 10:09 -0500, Greg Folkert wrote:
>> On Wed, 2005-02-16 at 11:49 +0100, Antón wrote:
>> > Hi,
>> > 
>> > I've a gateway and I want to use squid authenticated with Windows
>> > 2000 Active Directory users.
>> > 
>> > I've a development platform with Debian/Sarge as gateway, and it
>> > works. (samba 3.0.10-1 and Kerberos 1.3.6-1)
>> > 
>> > On the other side the production platform uses RedHat Enterprise
>> > AS3, initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not
>> > able to use Active Directory groups without getting smb panic errors in
>> > winbindd, so I updated to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38
>> > (the last available updates).
>> 
>> You *ABSOLUTELY MUST USE* a version of MIT Kerberos5 v1.3.1 or newer.
> 
> Yes and no.  My understanding is that the issues regarding MIT < 1.3.1
> have been again resolved, in the latest Samba (including what has been
> released for RHEL by RedHat).  Linking to another kerberos
> implementation is a real pain (you would need to statically link to
> even start).
> 
> (Of course, life is much easier with krb5 1.3.1 or later, but I know
> what a pain it is for RHEL users)
> 
> I think the issue here is that the machine must be rejoined to the
> domain, after the upgrade.
> 
> Andrew Bartlett
> 

First of all, sincerely, thanks a lot for both answers.

Upgrading to Kerberos 5 > 1.3.1 was a pain, but now I have 1.3.4 installed.
Now, if I start winbind without specifying any encryption, it works, but
only partially.
kinit works.
klist -e returns:
|Ticket cache: FILE:/tmp/krb5cc_0
|Default principal: USER@TEST.COM
|
|Valid starting     Expires            Service principal
|02/21/05 09:11:49  02/21/05 19:11:42  krbtgt/TEST.COM@TEST.COM
|       renew until 02/22/05 09:11:49, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
|
|
|Kerberos 4 ticket cache: /tmp/tkt0
|klist: You have no tickets cached

wbinfo --sequence
|PASARELA : 1
|BUILTIN : 1
|TEST : 2975164

wbinfo -u and -g work.

Also, if I try a net join, it works:
net ads join -U user
|user's password:
|[2005/02/21 09:14:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
|  ads_add_machine_acct: Host account for pasarela already exists - modifying old account
|Using short domain name -- TEST
|Joined 'GATEWAY' to realm 'TEST.COM'

but ...
wbinfo -t
|checking the trust secret via RPC calls failed
|error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
|Could not check secret

The error in the winbind log is:

|accepted socket 18
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn INTERFACE_VERSION
|[20287]: request interface version
|client_write: wrote 1300 bytes.
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn WINBINDD_PRIV_PIPE_DIR
|[20287]: request location of privileged pipe
|client_write: wrote 1300 bytes.
|client_write: need to write 37 extra data bytes.
|client_write: wrote 37 bytes.
|client_write: client_write: complete response written.
|accepted socket 19
|client_read: read 0 bytes. Need 1824 more for a full request.
|read failed on sock 18, pid 20287: EOF
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn CHECK_MACHACC
|[20287]: check machine account
|IPC$ connections done anonymously
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|Could not open a connection to TEST for \PIPE\NETLOGON (NT_STATUS_ACCESS_DENIED)
|could not open handle to NETLOGON pipe
|Checking the trust account password returned NT_STATUS_ACCESS_DENIED
|client_write: wrote 1300 bytes.
|client_read: read 0 bytes. Need 1824 more for a full request.
|read failed on sock 19, pid 20287: EOF


Also, I've checked the permissions (750 root:squid) of the
winbindd_privileged directory.


I'm completely lost about what is happening, and why my Debian install
works but this one does not...

Anton
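Added below, as an editorial example that is not part of Antón's post and not code from Samba or MIT: a small POSIX sh helper that packages the checks run in the thread (klist -e, wbinfo -t, the mode of winbindd_privileged) and Greg's version floor (MIT krb5 1.3.1 or newer) into functions that read tool output and decide what to do next. The point it makes explicit is the one the log shows: a user TGT with the ArcFour with HMAC/md5 enctype proves the Kerberos library is fine, so an NT_STATUS_ACCESS_DENIED from the trust check is about the machine account credential (GATEWAY$@TEST.COM), which is what Andrew's "rejoin after the upgrade" advice addresses. The SAMPLE_* strings are constructed from the outputs quoted in the post; the default winbindd_privileged path in run_live is an assumption (it follows the build's lock directory) and run_live is the only function that calls real tools.

```shell
#!/bin/sh
# Added example, not code from the original thread, from Samba or from MIT.
# Parses the outputs Antón posted and maps them to the next action.

# Constructed from the `klist -e` output in the post (wrapped line rejoined).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: USER@TEST.COM

Valid starting     Expires            Service principal
02/21/05 09:11:49  02/21/05 19:11:42  krbtgt/TEST.COM@TEST.COM
        renew until 02/22/05 09:11:49, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'

# Constructed from the `wbinfo -t` output in the post.
SAMPLE_WBINFO_T='checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret'

# krb5_ok "VERSION STRING": true when the MIT release named in the string
# (e.g. the output of `krb5-config --version`) is 1.3.1 or newer, the floor
# Greg gives in the thread.
krb5_ok() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  [ -n "$v" ] || return 1
  set -- $(printf '%s\n' "$v" | tr . ' ')
  [ $(( $1 * 10000 + $2 * 100 + $3 )) -ge 10301 ]
}

# tgt_etype REALM (reads `klist -e` output on stdin): prints the ticket
# enctype of the cached TGT for REALM, or nothing when no TGT is cached.
tgt_etype() {
  awk -v tgt="krbtgt/$1@$1" '
    found && /Etype/ {
      sub(/.*Etype \(skey, tkt\): /, "")   # leaves "skey-etype, tkt-etype"
      n = split($0, e, ", "); print e[n]; exit
    }
    $0 ~ tgt { found = 1 }'
}

# nt_status (reads `wbinfo -t` or `net` output on stdin): prints the first
# NT_STATUS_* symbol found, or OK when the output carries none.
nt_status() {
  s=$(sed -n 's/.*\(NT_STATUS_[A-Z_]*\).*/\1/p' | head -n 1)
  printf '%s\n' "${s:-OK}"
}

# priv_dir_ok DIR: true when DIR (winbindd_privileged) denies "other" entirely,
# as the 750 root:squid in the post does. Group membership is what admits a
# client to the privileged pipe, so world access here would admit every user.
priv_dir_ok() {
  [ "$(ls -ld "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# diagnose ETYPE STATUS: turns the two observations into the next action.
# The word before the colon is meant to be machine-readable.
diagnose() {
  if [ -z "$1" ]; then
    echo "no-tgt: kinit left no TGT in the cache; fix the Kerberos client before looking at winbind"
  elif [ "$2" = OK ]; then
    echo "healthy: user TGT present and the machine trust secret verified"
  elif [ "$2" = NT_STATUS_ACCESS_DENIED ]; then
    echo "rejoin: user TGT ($1) is fine but the DC rejects the machine account credential; rejoin with net ads join, restart winbindd, re-run"
  else
    echo "other: trust check returned $2"
  fi
}

# run_live REALM [PRIV_DIR]: the same sequence against a real host (root, the
# Samba and MIT tools required). The default PRIV_DIR is an assumption; it
# lives under the lock directory of your build. Not exercised offline.
run_live() {
  krb5_ok "$(krb5-config --version 2>/dev/null)" || echo "warning: MIT krb5 older than 1.3.1 (or not found)"
  etype=$(klist -e 2>/dev/null | tgt_etype "$1")
  status=$(wbinfo -t 2>&1 | nt_status)
  priv_dir_ok "${2:-/var/lib/samba/winbindd_privileged}" || echo "warning: winbindd_privileged is world-accessible or missing"
  diagnose "$etype" "$status"
}
```

Used on the post's own outputs, tgt_etype reports "ArcFour with HMAC/md5" and nt_status reports NT_STATUS_ACCESS_DENIED, so diagnose lands on "rejoin"; on a host, `run_live TEST.COM` runs the real commands and prints the same verdict, which is then worth re-running after every join or winbindd restart to see whether the trust check has changed.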
