[Samba] trouble with winbind

Nico De Wilde nico at openix.be
Fri Feb 3 15:57:23 GMT 2006


Chris,

The following error is repeated multiple times in your winbind.log:

"Client not found in Kerberos database"

Are you joining these machines as a domain admin or as an account with 
domain admin privileges?

Is your resolving set up correctly?

Are the clocks on your servers synchronized with the DC?

Could you try:

-> kinit ADMINISTRATOR@yourdomain.something
-> net ads join -U ADMINISTRATOR

What output do these two commands generate on your system?

Sample smb.conf for a 'member server' in a 2000/2003 AD domain:

--------------------------------------------------
[global]
server string = somebox
realm = DOM1.JHUAPL.EDU
workgroup = CHOCOWEB
password server = dom1-dc6.dom1.jhuapl.edu
security = ADS
encrypt passwords = true
# winbind configuration
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users=yes
winbind enum groups=yes
-----------------------------------------------------------

Sample krb5.conf
-----------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DOM1.JHUAPL.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DOM1.JHUAPL.EDU = {
  kdc = the.ip.of.your.dc:88
  admin_server = the.ip.of.your.dc:749
  default_domain = dom1.jhuapl.edu
 }
----------------------------------------------------------
Nsswitch.conf

passwd:     files winbind
shadow:     files
group:      files winbind

hosts:      files dns winbind

--------------------------------------------------------------

This should get you going.

Can you provide additional feedback on this?

Thx.

Regards,

Nico


----- Original Message ----- 
From: "Chris Stone" <chris.stone at jhuapl.edu>
To: "Nico De Wilde" <nico at openix.be>
Sent: Friday, February 03, 2006 4:33 PM
Subject: Re: [Samba] trouble with winbind


> Nico,
>
> I've attached the winbindd log. I manually created the machine
> account, without the account I can't bind, it's an issue with domain
> privileges. What I don't understand is that I took all of the config
> files, nsswitch, krb5.conf, and others, from a machine that is bound
> and has a working winbind:-(
>
>
> biolinux:/var/log/samba # vi /etc/nsswitch.conf
>
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Legal entries are:
> #
> #       compat                  Use compatibility setup
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       db                      Use the /var/db databases
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
> # For more information, please read the nsswitch.conf.5 manual page.
>
> passwd: files winbind
> group:  files winbind
> --endsnip
>
>
> Thanks,
> Chris
>
>


--------------------------------------------------------------------------------


>
> On Feb 3, 2006, at 9:50 AM, Nico De Wilde wrote:
>
>> Chris,
>>
>> Can you provide the winbind logs of the machine that does not
>> succeed in joining the domain?
>>
>> Have you checked in your Windows server that machine accounts were
>> created?
>>
>> Is your nsswitch.conf setup properly?
>>
>> Thx,
>>
>> Nico
>> ----- Original Message ----- From: "Chris Stone"
>> <chris.stone at jhuapl.edu>
>> To: <samba at lists.samba.org>
>> Sent: Friday, February 03, 2006 3:10 PM
>> Subject: [Samba] trouble with winbind
>>
>>
>>> Hi,
>>> I'm running samba, V3.0.20b-3.4-SUSE, on suse el9. I've
>>> successfully bound one machine to active directory, I can login
>>> to the local box using domain credentials. However, I can't get a
>>> second machine to the domain, using the exact same procedures.
>>> The machine claims to be bound,
>>> wbinfo -t returns "checking the trust secret via RPC calls
>>> succeeded"
>>> But, when I run wbinfo --sequence, it returns,
>>> APL : DISCONNECTED
>>> BIOLINUX : 1
>>> BUILTIN : 1
>>> JHUAPL : DISCONNECTED
>>> Kerberos is working, I can do a kinit user@JHUAPL.EDU, and get a
>>> ticket. My smb.conf is:
>>> [global]
>>>         workgroup = JHUAPL
>>>         server string = edna
>>>         socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_LOWDELAY
>>>         encrypt password = yes
>>>         password server = dom1-dc6.dom1.jhuapl.edu
>>>         realm = DOM1.JHUAPL.EDU
>>>         netbios name = biolinux
>>>         security = ads
>>>         idmap uid = 10000-40000
>>>         idmap gid = 10000-40000
>>>         winbind separator = _
>>>         winbind enum users = yes
>>>         winbind enum groups = yes
>>>         winbind use default domain = yes
>>>         username map = /etc/samba/smbusers
>>>         map to guest = Bad User
>>>         template shell = /bin/bash
>>> Can anyone suggest what I might be doing wrong? I've been
>>> googling this for a couple of days, and have run out of ideas.
>>> Thank You,
>>> Chris
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
> 
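Added example, not part of the original messages: a Python check that cross-checks the three files sampled in the reply above (smb.conf, krb5.conf, nsswitch.conf) for the settings that have to agree on an AD member server. The function names and the cut-down inputs are assumptions made for this example; the realm comparison is a strict string match.

```python
import re

def sections(text):
    """Parse '[section]' / 'key = value' text into {section: {key: value}}."""
    out, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = out.setdefault(line[1:-1].strip().lower(), {})
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[" ".join(key.split())] = value.strip()
    return out

def check_member_config(smb, krb5, nss):
    """Return a list of findings; an empty list means the three files agree."""
    # smb.conf parameter names are case-insensitive, so compare them lowercased.
    g = {k.lower(): v for k, v in sections(smb).get("global", {}).items()}
    k5 = sections(krb5)
    default = k5.get("libdefaults", {}).get("default_realm")
    # In [realms], a line of the form 'NAME = {' opens the stanza for NAME.
    stanzas = {k for k, v in k5.get("realms", {}).items() if v == "{"}
    realm, out = g.get("realm"), []
    if g.get("security", "").lower() != "ads":
        out.append("smb.conf: security is not ADS")
    if realm is None:
        out.append("smb.conf: realm is not set")
    elif realm != default:
        out.append("realm %s differs from krb5.conf default_realm %s" % (realm, default))
    if realm is not None and realm not in stanzas:
        out.append("krb5.conf: no [realms] stanza for %s" % realm)
    for db in ("passwd", "group"):
        m = re.search(r"^%s:(.*)$" % db, nss, re.M)
        if m is None or "winbind" not in m.group(1).split():
            out.append("nsswitch.conf: %s does not list winbind" % db)
    return out

# Constructed inputs, cut down from the sample files in the reply above.
SMB = "[global]\nrealm = DOM1.JHUAPL.EDU\nsecurity = ADS\n"
KRB5 = ("[libdefaults]\n default_realm = DOM1.JHUAPL.EDU\n"
        "[realms]\n DOM1.JHUAPL.EDU = {\n  kdc = the.ip.of.your.dc:88\n }\n")
NSS = "passwd:     files winbind\nshadow:     files\ngroup:      files winbind\n"

if __name__ == "__main__":
    print(check_member_config(SMB, KRB5, NSS) or "configuration files agree")
```

To use it on a real host, read /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf and pass their contents in place of the constructed strings.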


