[Samba] Kerberos credentials under multiple AD domains

marpon.com.ar at marpon.com.ar
Thu Jun 23 13:42:42 GMT 2005


I'm having trouble integrating winbind into a multiple Active Directory
domains environment.
The machine TCSLSO02 successfully joined the domain BAIRES, realm
BAIRES.TECHINT.NET.

wbinfo -u   works
wbinfo -g   works
net ads testjoin works
wbinfo -t   works

Nevertheless, no command involving other domains works. I can't list
other domains' users or groups.

wbinfo -m fails with "Could not list trusted domains"
wbinfo --sequence shows: 

TCSLSO02 : 1
BUILTIN : 1
BAIRES : 61248655
XXXXX : DISCONNECTED  (where XXXXX is each of the other domains)


I've tried to debug the problem up to the point where I can't go any
deeper. I'd like to be able to go to the source code but it's just too
much for me. I'm not up to that level.

Here's a snippet of a level 10 log file of winbind. I've extracted just
one try of one of the domains. This is repeated for each of the other 15
domains:

[2005/06/23 07:58:36, 10] nsswitch/winbindd_util.c:add_trusted_domains(226)
  Found domain TECHITA
[2005/06/23 07:58:36, 10] nsswitch/winbindd_cache.c:domain_sid(1322)
  domain_sid: [Cached] - doing backend query for info for domain TECHITA
[2005/06/23 07:58:36, 3] nsswitch/winbindd_ads.c:domain_sid(900)
  ads: domain_sid
[2005/06/23 07:58:37, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 172.28.25.1
[2005/06/23 07:58:37, 3] libads/ldap.c:ads_server_info(2432)
  got ldap server name temgwdc3 at TECHITA.TECHINT.NET, using bind path:
dc=TECHITA,dc=TECHINT,dc=NET
[2005/06/23 07:58:38, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/06/23 07:58:38, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/06/23 07:58:38, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/06/23 07:58:38, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/06/23 07:58:38, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name
=temgwdc3$@TECHITA.TECHINT.NET
[2005/06/23 07:58:38, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for
temgwdc3$@TECHITA.TECHINT.NET (Server not found in Kerberos database)
[2005/06/23 07:58:38, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for
temgwdc3$@TECHITA.TECHINT.NET (Server not found in Kerberos database)
[2005/06/23 07:58:38, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain TECHITA failed: Server not found in Kerberos
database


I don't fully understand whether the message "Server not found in Kerberos
database" means the TECHITA server is not recognizing the machine
account TCSLSO02 or that Kerberos isn't able to resolve the
TECHITA.TECHINT.NET realm. I'm lost.

This is the environment: 

OS       : Red Hat Enterprise Linux 4
Kerberos : 1.3.4-9  
Samba    : 3.0.10-1.4E

Interesting settings in smb.conf: 

   security = ads
   workgroup = BAIRES
   realm = BAIRES.TECHINT.NET
   password server = *

   dns proxy = no
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind use default domain = no


Interesting settings in krb5.conf: 

[libdefaults]
 default_realm = BAIRES.TECHINT.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forwardable = true
 proxiable = true

[realms]
  # empty (uses dns lookups)

[domain_realm]
  # empty (uses dns lookups)

TIA, 

Martin 
