[Samba] Joined 2 samba servers to ADS but kinit in winbindd failed for one of them!

Ephi Dror ephi at agami.com
Fri Aug 25 19:31:02 GMT 2006


Hi Howard and everyone,

As I promised, here is an update.

I was doing some ldapsearch on the computer objects and found out that
both of the SAMBA systems, despite a successful domain join according to
the net command, had info missing from the computer object.

Below is the list of what SAMBA does when it adds the machine account, and
it looks like not all the info was correctly put in; therefore, later,
when wbinfo was invoked, kinit was failing, since on the "bad" system
the userPrincipalName was not fully added.

My question is, why does SAMBA not have a check in ads_add_machine_acct()
to verify that all the minimum required info is there?

In particular, of course, the "userPrincipalName", which is used by
winbindd.

As you can see below, one system is missing some info and the other system
is missing other info.

I quickly used the ldapmodify command to add the missing info that I
expected SAMBA to add when it joined the domain, and things started to
work like a Swiss watch.

I would appreciate it if anyone has any idea about the following:
1. Why were not all the attributes SAMBA wanted to add at
ads_add_machine_acct() actually added? Was it something wrong with my AD?
2. Why did I not get any warning that things were not fully written to
AD, or were not fully in the AD already?
3. Why not fail the domain join if the info is not there? I mean,
winbindd can't possibly continue without, for example, having
"userPrincipalName" in the computer object.

I expected "net ads join" to verify it. Of course, someone can go later
and further modify the computer object but this is a different story.

Thanks,
Ephi

Here is my little table:
Attribute                  good    bad
cn                          y       y
sAMAccountName              y       y
userAccountControl          y       y
objectClass                 y       y

Always set by samba:
dNSHostName                 y       y
userPrincipalName           y       N
servicePrincipalName        N       y
operatingSystem             y       N
operatingSystemVersion      y       N

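A check of the kind question 3 asks for, written in Python as an added example (it is not Samba's code and not part of the original mail): it parses a computer object as ldapsearch returns it in LDIF, reports which of the attributes in the table above are absent, and checks that userPrincipalName has the host/<name>@REALM shape winbindd's kinit needs. The two LDIF entries are constructed from the hostnames in the thread; the sAMAccountName, userAccountControl and operatingSystemVersion values in them are assumed.

```python
"""Report which attributes Samba's ads_add_machine_acct() is expected to set
are missing from a computer object's ldapsearch LDIF. Added example, not
Samba code; the two LDIF samples below are constructed."""
import re

# Attribute list from the table in the post; winbindd's kinit needs userPrincipalName.
REQUIRED = ["cn", "sAMAccountName", "userAccountControl", "objectClass",
            "dNSHostName", "userPrincipalName", "servicePrincipalName",
            "operatingSystem", "operatingSystemVersion"]

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; folded lines are joined, base64 (::) values stay encoded."""
    entry = {}
    for line in re.sub(r"\n ", "", text.strip()).splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip(": "))
    return entry

def missing_attributes(entry):
    """Required attributes absent from the entry (AD attribute names are case-insensitive)."""
    present = {name.lower() for name in entry}
    return [a for a in REQUIRED if a.lower() not in present]

def upn_ok(entry, realm):
    """True if a userPrincipalName has the host/<name>@REALM shape winbindd's kinit uses."""
    pattern = r"host/[^@/]+@" + re.escape(realm)
    return any(re.fullmatch(pattern, u, re.IGNORECASE)
               for u in entry.get("userPrincipalName", []))

# Constructed LDIF mirroring the "good" and "bad" columns of the table (values assumed).
GOOD_LDIF = """cn: banpfs01
sAMAccountName: banpfs01$
userAccountControl: 69632
objectClass: computer
dNSHostName: banpfs01.yyy.net
userPrincipalName: HOST/banpfs01@YYY.NET
operatingSystem: Samba
operatingSystemVersion: x.y.z
"""
BAD_LDIF = """cn: sjcpnas03
sAMAccountName: sjcpnas03$
userAccountControl: 69632
objectClass: computer
dNSHostName: sjcpnas03.yyy.net
servicePrincipalName: HOST/sjcpnas03.yyy.net
servicePrincipalName: HOST/SJCPNAS03
"""
```

Run against real output by feeding it the LDIF of `ldapsearch ... "(sAMAccountName=<host>$)"`; the "bad" sample reproduces the thread's result, a missing userPrincipalName, so `upn_ok` is false and winbindd's kinit would fail exactly as in the log below.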

-----Original Message-----
From: Howard Wilkinson [mailto:howard at cohtech.com] 
Sent: Thursday, August 24, 2006 2:51 PM
To: Ephi Dror; samba at lists.samba.org
Subject: RE: [Samba] Joined 2 samba servers to ADS but kinit in winbindd
failed for one of them!

Ephi,

Can you please supply the smb.conf and krb5.conf from both machines?
This looks like a Unix-end (i.e. client of AD) problem at first glance.
Also, if you have an LDAP browser, see what has been set on the computer
account objects in the AD, rather than the sanitised version you see
through ADUC.

Howard.

-----Original Message-----
From: samba-bounces+howard=cohtech.com at lists.samba.org
[mailto:samba-bounces+howard=cohtech.com at lists.samba.org] On Behalf Of
Ephi Dror
Sent: 24 August 2006 20:25
To: samba at lists.samba.org
Subject: [Samba] Joined 2 samba servers to ADS but kinit in winbindd
failed for one of them!

Hi All,
 
I have a strange situation in which two systems running SAMBA (same
version) have successfully joined an ADS.

However, one has no problem using winbindd/wbinfo to communicate with
the domain, and kinit in winbindd works fine.
 
But the other is failing with a kinit problem as follows:
 
[2006/08/21 20:15:56, 0, pid=19247] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/XXX@YYY.NET failed: Client not found in Kerberos database
[2006/08/21 20:15:56, 1, pid=19247] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain YYY failed: Client not found in Kerberos database
[2006/08/21 20:15:56, 5, pid=19247] nsswitch/winbindd_util.c:add_trusted_domains(202)

Now, when I issue "net ads status" on both SAMBA systems I see the
following.
 
On the machine that has no problem with kinit in winbindd:
userPrincipalName: HOST/banpfs01@YYY.NET
And
operatingSystem: Samba
 
On the machine that has a problem with kinit in winbindd:
servicePrincipalName: HOST/sjcpnas03.yyy.net
servicePrincipalName: HOST/SJCPNAS03
No info on operatingSystem.
 
So I understand why kinit is failing (because there is no
userPrincipalName), but why?
Why was net ads join successful when, on the other hand, there is no
userPrincipalName?
Where are the servicePrincipalName values coming from?
 
I would appreciate it if anyone has an idea how two identical systems come
up on the AD differently.
 
In both systems, the computer account was created on the AD at the same
OU.
 
I'll be happy to update you if I find any answer.
 
 
Cheers,
Ephi