[Samba] ADS mode - differences between W2K and 2003?

lists at feilner-it.net lists at feilner-it.net
Thu Jul 21 21:58:16 GMT 2005


On Thursday, 21 July 2005 21:36, smc+samba at dogphilosophy.net wrote:
> I'm having a bizarre problem doing authentication via winbind against a
> Windows 2003 server.
>
> Aside from changing the hostname information, etc. as appropriate for
> krb5.conf and smb.conf, the configuration I'm using is one that I copied
> from another server that is successfully authenticating against ads.
>
> The two systems I'm having trouble with are running Suse Linux Enterprise
> Server 9 and Suse Linux Professional 9.3, respectively.  Both have the same
> odd problem:
>
> As configured, everything seems like it should work.  I kinit'd as
> administrator to the Windows 2003 server successfully.  "net ads join"
> appears to have joined the computers to the domain successfully.  "getent
> passwd" and "wbinfo -u" both give me listings of the "domain users" on the
> Windows 2003 server.  "wbinfo -U (domain user UID)" does give me the SID
> of the domain user in question (domain users mapped as UID 15000-30000).
>
> However, "getent passwd (domain user name)" doesn't work at all.  It gives
> no response (no errors, just drops back to command line).  'strace getent
> passwd (user)' doesn't even show that libnss_winbind.so is being opened
> (even though "getent passwd" to get the list is.)
>
> Is this a Windows 2003 issue?  I've seen mention of winbind doing "funny
> things" like this before on the mailing list, but don't recall any firm
> resolutions.  Any help would be appreciated.  Thanks.
>
> (These symptoms appear to happen with both 3.0.14a from Suse and the
> 3.0.20pre2 rpm's from the Samba server).

Hi, I seem to have a similar, if not the same problem. 
On one system (debian 3.1) everything works fine.
On the other (same config) ads integration does not work.
- getent does not work
- wbinfo -t fails 
On the other hand, I can get Kerberos tickets with kinit and the same auth 
data for Administrator, and net ads join works fine ...
This problem appears under samba 3.0.14a on debian. 

Furthermore: I found that in the winbind logfile strange errors appear when an 
ads user tries to access a share:
log.winbindd:  ads_krb5_mk_req: krb5_get_credentials failed for xxxx$@yyyy.DE 
(Server not found in Kerberos database)

with xxx being an old hostname, yyyy an old domainname.
Both are not used anymore and are definitely not stored in any file on the 
Linux system (grep -r ...)
???
Thanks!
-- 
Best regards
Markus Feilner

--------------------------
Feilner IT Linux & GIS 
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4 93047 Regensburg
phone +49 941 9465243 fax +49 941 9465244 mobile + +49 170 3027092 
skype ID: mfeilner mail: mfeilner at feilner-it.net

