[Samba] RedHat+Samba+Winbind to ADS

Anton Velo avelo at optaresolutions.com
Mon Feb 21 13:14:50 GMT 2005


On Friday 18 February 2005 23:28, Andrew Bartlett wrote:
AB> On Wed, 2005-02-16 at 10:09 -0500, Greg Folkert wrote:
AB> > On Wed, 2005-02-16 at 11:49 +0100, Antón wrote:
AB> > > Hi,
AB> > > 
AB> > > I've a gateway and I want to use squid authenticated with Windows 2000
AB> > > Active Directory users.
AB> > > 
AB> > > I've a development platform with Debian/Sarge as gateway, and it works.
AB> > > (samba 3.0.10-1 and Kerberos 1.3.6-1)
AB> > > 
AB> > > On the other side the production platform uses RedHat Enterprise AS3,
AB> > > initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not able to use
AB> > > Active Directory groups without getting smb panic errors in winbindd, so I
AB> > > updated to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38 (last available
AB> > > updates).
AB> > 
AB> > You *ABSOLUTELY MUST USE* a version of MIT Kerberos5 v1.3.1 or newer.
AB> 
AB> Yes and no.  My understanding is that the issues regarding MIT < 1.3.1
AB> have been again resolved, in the latest Samba (including what has been
AB> released for RHEL by RedHat).  Linking to another kerberos
AB> implementation is a real pain (you would need to statically link to even
AB> start).
AB> 
AB> (Of course, life is much easier with krb5 1.3.1 or later, but I know
AB> what a pain it is for RHEL users)
AB> 
AB> I think the issue here is that the machine must be rejoined to the
AB> domain, after the upgrade.
AB> 
AB> Andrew Bartlett
AB> 

First of all, sincerely, thanks a lot for both answers.

Upgrading to kerberos5 > 1.3.1 was a pain, but now I've 1.3.4 installed.
Now, if I start winbind without specifying any encryption it works, but only partially.
kinit works.
klist -e returns:
|Ticket cache: FILE:/tmp/krb5cc_0
|Default principal: USER at TEST.COM
|
|Valid starting     Expires            Service principal
|02/21/05 09:11:49  02/21/05 19:11:42  krbtgt/TEST.COM at TEST.COM
|       renew until 02/22/05 09:11:49, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
|
|
|Kerberos 4 ticket cache: /tmp/tkt0
|klist: You have no tickets cached

wbinfo --sequence
|PASARELA : 1
|BUILTIN : 1
|TEST : 2975164

wbinfo -u and -g work

but ...
wbinfo -t
|checking the trust secret via RPC calls failed
|error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
|Could not check secret

error in winbind log is

|accepted socket 18
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn INTERFACE_VERSION
|[20287]: request interface version
|client_write: wrote 1300 bytes.
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn WINBINDD_PRIV_PIPE_DIR
|[20287]: request location of privileged pipe
|client_write: wrote 1300 bytes.
|client_write: need to write 37 extra data bytes.
|client_write: wrote 37 bytes.
|client_write: client_write: complete response written.
|accepted socket 19
|client_read: read 0 bytes. Need 1824 more for a full request.
|read failed on sock 18, pid 20287: EOF
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn CHECK_MACHACC
|[20287]: check machine account
|IPC$ connections done anonymously
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|Could not open a connection to TEST for \PIPE\NETLOGON (NT_STATUS_ACCESS_DENIED)
|could not open handle to NETLOGON pipe
|Checking the trust account password returned NT_STATUS_ACCESS_DENIED
|client_write: wrote 1300 bytes.
|client_read: read 0 bytes. Need 1824 more for a full request.
|read failed on sock 19, pid 20287: EOF

Also, if I try a net join, it works:
net ads join -U user
|users password:
|[2005/02/21 09:14:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
|  ads_add_machine_acct: Host account for pasarela already exists - modifying old account
|Using short domain name -- TEST
|Joined 'GATEWAY' to realm 'TEST.COM'

Also, I've checked permissions (750 root:squid) for the
winbindd_privileged directory.


I'm completely lost about what happens.

Anton
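Added example, not from the post or from Samba: a small Python triage script that parses winbindd log lines of the shape quoted above for the CHECK_MACHACC request (the one behind `wbinfo -t`) and names the step at which the trust check fails. The sample log, the function names and the diagnosis wording are constructed here.

```python
import re

# Constructed sample modelled on the winbindd lines quoted in the post,
# mail quote prefixes included; not a real log file.
SAMPLE_LOG = """\
|process_request: request fn CHECK_MACHACC
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|Could not open a connection to TEST for \\PIPE\\NETLOGON (NT_STATUS_ACCESS_DENIED)
|Checking the trust account password returned NT_STATUS_ACCESS_DENIED
"""
REQUEST_RE = re.compile(r"^process_request: request fn (\w+)")
CONNECT_RE = re.compile(r"^connecting to PDC from (\S+) with kerberos principal \[([^\]]+)\]")
TCON_RE = re.compile(r"^failed tcon_X with (NT_STATUS_\w+)")
RESULT_RE = re.compile(r"^Checking the trust account password returned (NT_STATUS_\w+)")

def summarize_machacc(log_text):
    """Collect what winbindd did while handling CHECK_MACHACC (wbinfo -t)."""
    s = {"client": None, "principal": None, "kerberos_setups": 0,
         "tcon_failures": [], "result": None}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip().lstrip("|").strip()  # drop the mail quote prefix
        if m := REQUEST_RE.match(line):
            current = m.group(1)                # a new winbindd request begins
        elif current != "CHECK_MACHACC":
            continue                            # ignore other requests
        elif m := CONNECT_RE.match(line):
            s["client"], s["principal"] = m.groups()
        elif line == "Doing kerberos session setup":
            s["kerberos_setups"] += 1
        elif m := TCON_RE.match(line):
            s["tcon_failures"].append(m.group(1))
        elif m := RESULT_RE.match(line):
            s["result"] = m.group(1)
    return s

def diagnose(s):
    """Name the step at which the trust check failed."""
    if s["result"] is None:
        return "no CHECK_MACHACC result in log"
    if s["kerberos_setups"] and len(s["tcon_failures"]) == s["kerberos_setups"]:
        return (f"session setup as {s['principal']} ran, but the IPC$ tree connect was "
                f"refused with {s['tcon_failures'][0]} every time: check the machine "
                "account on the DC (rejoin the domain after the upgrade, as suggested)")
    return f"trust check returned {s['result']}"
```

Run it against the whole winbind log rather than the excerpt to confirm that ticket acquisition (kinit) and session setup are not the failing steps before touching the machine account.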

