[Samba] trouble with winbind

David Shapiro David.Shapiro at bcbsnc.com
Fri Feb 3 17:28:39 GMT 2006


I found mention of how to run net ads join with debugging, which got me
some good info when I run net ads join with debuglevel=10:
 
 namecache_store: storing 1 address for adserver.domain.com#20:
1.2.3.4:0
[2006/02/03 12:19:02, 10] ../lib/gencache.c:gencache_set(127)
  Adding cache entry with key = NBT/ADSSERVER.DOMAIN.COM#20; value =
1.2.3.4:0 and timeout = Fri Feb  3 12:30:02 2006
   (660 seconds ahead)
[2006/02/03 12:19:02, 10]
../libsmb/namequery.c:internal_resolve_name(1145)
  internal_resolve_name: returning 1 addresses: 10.69.147.110:0
[2006/02/03 12:19:02, 10]
../libsmb/namequery.c:remove_duplicate_addrs2(320)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1406)
  get_dc_list: returning 1 ip addresses in an ordered list
[2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1407)
  get_dc_list: 10.69.147.110:0
[2006/02/03 12:19:02, 5] ../libads/ldap.c:ads_try_connect(126)
  ads_try_connect: trying ldap server '1.2.3.4' port 389
[2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_connect(288)
  Connected to LDAP server 1.2.3.4
[2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_server_info(2541)
  got ldap server name adsserver at DOMAIN.COM, using bind path:
dc=DOMAIN,dc=COM
[2006/02/03 12:19:02, 4] ../libads/ldap.c:ads_server_info(2547)
  time offset is 114 seconds
[2006/02/03 12:19:02, 4] ../libads/sasl.c:ads_sasl_bind(455)
  Found SASL mechanism GSS-SPNEGO
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name
=adsserver$@DOMAIN.COM
[2006/02/03 12:19:02, 3] ../libsmb/clikrb5.c:ads_krb5_mk_req(478)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
found)
[2006/02/03 12:19:02, 0] ../libads/kerberos.c:ads_kinit_password(164)
  kerberos_kinit_password SAMBASERVER$@DOMAIN.COM failed: Cannot
resolve network address for KDC in requested realm
[2006/02/03 12:19:02, 0] ../utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot resolve network address for KDC in requested
realm
[2006/02/03 12:19:02, 2] ../utils/net.c:main(876)
  return code = -1

 
So it looks like it found the adsserver but then tried to kinit for
the samba server I am trying to join and complained about not being able
to resolve the kdc.  Did it fail to find a credential cache (I thought I
was trying to get one with the join command, so it shouldn't find one)
and then tried to get one from the local samba server and is saying it
is not resolvable?
 
David Shapiro
Unix Team Lead
919-765-2011
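As an added example (not code from this thread or from Samba), a small Python preflight that reads the two files Nico asks about and reports the conditions behind the errors in the debug log above: dns_lookup_kdc = false without an explicit kdc entry for the realm, and a clock offset beyond the 300-second skew Kerberos tolerates by default. The file contents, the 300-second limit and the constructed sample below are assumptions.

```python
import configparser
import re

MAX_SKEW = 300  # MIT Kerberos default clockskew, in seconds (assumed)

def parse_krb5(text):
    """Return ({libdefaults}, {REALM: [kdc, ...]}); krb5.conf nests realms in braces."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if re.match(r'\[\w+\]$', line):
            section = line[1:-1]
        elif section == 'libdefaults' and '=' in line:
            key, val = (s.strip().lower() for s in line.split('=', 1))
            libdefaults[key] = val
        elif section == 'realms':
            m = re.match(r'(\S+)\s*=\s*\{$', line)
            if m:
                realm = m.group(1).upper()
                realms.setdefault(realm, [])
            elif line == '}':
                realm = None
            elif realm and line.split('=', 1)[0].strip().lower() == 'kdc':
                realms[realm].append(line.split('=', 1)[1].strip())
    return libdefaults, realms

def check_join_prereqs(smb_conf, krb5_conf, debug_log=''):
    """List problems that make 'net ads join' fail the way the log above shows."""
    problems = []
    smb = configparser.ConfigParser(interpolation=None, strict=False)
    smb.read_string(smb_conf)
    realm = smb['global'].get('realm', '').upper()
    libdefaults, realms = parse_krb5(krb5_conf)
    if libdefaults.get('default_realm', '').upper() != realm:
        problems.append('default_realm in krb5.conf differs from smb.conf realm')
    # With dns_lookup_kdc = false, libkrb5 only knows KDCs listed under [realms].
    if libdefaults.get('dns_lookup_kdc', 'true') not in ('true', 'yes', 'on', '1') \
            and not realms.get(realm):
        problems.append(f'dns_lookup_kdc = false but no kdc entry for {realm}')
    for m in re.finditer(r'time offset is (-?\d+) seconds', debug_log):
        if abs(int(m.group(1))) > MAX_SKEW:
            problems.append(f'clock skew {m.group(1)}s exceeds {MAX_SKEW}s')
    return problems

# Constructed sample: DNS lookup is off and the realm block has no kdc line.
SAMPLE_SMB = "[global]\nrealm = DOM1.JHUAPL.EDU\nsecurity = ads\n"
SAMPLE_KRB5 = "[libdefaults]\ndefault_realm = DOM1.JHUAPL.EDU\ndns_lookup_kdc = false\n[realms]\nDOM1.JHUAPL.EDU = {\n  admin_server = 10.0.0.5:749\n}\n"
if __name__ == '__main__':
    print(check_join_prereqs(SAMPLE_SMB, SAMPLE_KRB5, 'time offset is 114 seconds'))
```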

>>> "Nico De Wilde" <nico at openix.be> 2/3/2006 10:57:23 AM >>>

Chris,

The following error is repeated multiple times in your winbind.log:

"Client not found in Kerberos database"

Are you joining these machines as a domain admin or as an account with
domain admin privileges?

Is your resolving set up correctly?

Are the clocks on your servers synchronized with the DC?

Could you try:

-> kinit ADMINISTRATOR at yourdomain.something
-> net ads join -U ADMINISTRATOR

What output do these two commands generate on your system?

Sample smb.conf for a 'member server' in a 2000/2003 AD domain:

--------------------------------------------------
[global]
server string = somebox
realm = DOM1.JHUAPL.EDU
workgroup = CHOCOWEB
password server = dom1-dc6.dom1.jhuapl.edu
security = ADS
encrypt passwords = true
# winbind configuration
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users=yes
winbind enum groups=yes
-----------------------------------------------------------

Sample krb5.conf
-----------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DOM1.JHUAPL.EDU
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DOM1.JHUAPL.EDU = {
  kdc = the.ip.of.your.dc:88
  admin_server = the.ip.of.your.dc:749
  default_domain = dom1.jhuapl.edu
}
----------------------------------------------------------
Nsswitch.conf

passwd:     files winbind
shadow:     files
group:      files winbind

hosts:      files dns winbind

--------------------------------------------------------------

This should get you going.

Can you provide additional feedback on this?

Thx.

Regards,

Nico


----- Original Message ----- 
From: "Chris Stone" <chris.stone at jhuapl.edu>
To: "Nico De Wilde" <nico at openix.be>
Sent: Friday, February 03, 2006 4:33 PM
Subject: Re: [Samba] trouble with winbind


> Nico,
>
> I've attached the winbindd log. I manually created the machine
> account, without the account I can't bind, it's an issue with domain
> privileges. What I don't understand is that I took all of the config
> files, nsswitch, krb5.conf, and others, from a machine that is bound
> and has a working winbind:-(
>
>
> biolinux:/var/log/samba # vi /etc/nsswitch.conf
>
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Legal entries are:
> #
> #       compat                  Use compatibility setup
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       db                      Use the /var/db databases
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
> # For more information, please read the nsswitch.conf.5 manual page.
>
> passwd: files winbind
> group:  files winbind
> --endsnip
>
>
> Thanks,
> Chris
>
>

>
> On Feb 3, 2006, at 9:50 AM, Nico De Wilde wrote:
>
>> Chris,
>>
>> Can you provide the winbind logs of the machine that does not
>> succeed in joining the domain?
>>
>> Have you checked in your Windows server that machine accounts were
>> created?
>>
>> Is your nsswitch.conf setup properly?
>>
>> Thx,
>>
>> Nico
>> ----- Original Message ----- From: "Chris Stone"
>> <chris.stone at jhuapl.edu>
>> To: <samba at lists.samba.org>
>> Sent: Friday, February 03, 2006 3:10 PM
>> Subject: [Samba] trouble with winbind
>>
>>
>>> Hi,
>>> I'm running samba, V3.0.20b-3.4-SUSE, on suse el9. I've
>>> successfully bound one machine to active directory, I can login
>>> to the local box using domain credentials. However, I can't get a
>>> second machine to the domain, using the exact same procedures.
>>> The machine claims to be bound,
>>> wbinfo -t returns "checking the trust secret via RPC calls
>>> succeeded"
>>> But, when I run wbinfo --sequence, it returns,
>>> APL : DISCONNECTED
>>> BIOLINUX : 1
>>> BUILTIN : 1
>>> JHUAPL : DISCONNECTED
>>> Kerberos is working, I can do a kinit user at JHUAPL.EDU, and get a
>>> ticket. My smb.conf is:
>>> [global]
>>>         workgroup = JHUAPL
>>>         server string = edna
>>>         socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_LOWDELAY
>>>         encrypt password = yes
>>>         password server = dom1-dc6.dom1.jhuapl.edu
>>>         realm = DOM1.JHUAPL.EDU
>>>         netbios name = biolinux
>>>         security = ads
>>>         idmap uid = 10000-40000
>>>         idmap gid = 10000-40000
>>>         winbind separator = _
>>>         winbind enum users = yes
>>>         winbind enum groups = yes
>>>         winbind use default domain = yes
>>>         username map = /etc/samba/smbusers
>>>         map to guest = Bad User
>>>         template shell = /bin/bash
>>> Can anyone suggest what I might be doing wrong? I've been
>>> googling this for a couple of days, and have run out of ideas.
>>> Thank You,
>>> Chris
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
> 
