[Samba] trouble with winbind

Dimitri Yioulos dyioulos at firstbhph.com
Fri Feb 3 18:00:36 GMT 2006


On Friday February 03 2006 12:28 pm, David Shapiro wrote:
> I found mention of how to run net ads join with debugging, which got me
> some good info when I run net ads join with debuglevel=10:
>
>  namecache_store: storing 1 address for adserver.domain.com#20:
> 1.2.3.4:0
> [2006/02/03 12:19:02, 10] ../lib/gencache.c:gencache_set(127)
>   Adding cache entry with key = NBT/ADSSERVER.DOMAIN.COM#20; value =
> 1.2.3.4:0 and timeout = Fri Feb  3 12:30:02 2006
>    (660 seconds ahead)
> [2006/02/03 12:19:02, 10]
> ../libsmb/namequery.c:internal_resolve_name(1145)
>   internal_resolve_name: returning 1 addresses: 10.69.147.110:0
> [2006/02/03 12:19:02, 10]
> ../libsmb/namequery.c:remove_duplicate_addrs2(320)
>   remove_duplicate_addrs2: looking for duplicate address/port pairs
> [2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1406)
>   get_dc_list: returning 1 ip addresses in an ordered list
> [2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1407)
>   get_dc_list: 10.69.147.110:0
> [2006/02/03 12:19:02, 5] ../libads/ldap.c:ads_try_connect(126)
>   ads_try_connect: trying ldap server '1.2.3.4' port 389
> [2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_connect(288)
>   Connected to LDAP server 1.2.3.4
> [2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_server_info(2541)
>   got ldap server name adsserver at DOMAIN.COM, using bind path:
> dc=DOMAIN,dc=COM
> [2006/02/03 12:19:02, 4] ../libads/ldap.c:ads_server_info(2547)
>   time offset is 114 seconds
> [2006/02/03 12:19:02, 4] ../libads/sasl.c:ads_sasl_bind(455)
>   Found SASL mechanism GSS-SPNEGO
> [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
>   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
>   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
>   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
>   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(219)
>   ads_sasl_spnego_bind: got server principal name
> =adsserver$@DOMAIN.COM
> [2006/02/03 12:19:02, 3] ../libsmb/clikrb5.c:ads_krb5_mk_req(478)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> [2006/02/03 12:19:02, 0] ../libads/kerberos.c:ads_kinit_password(164)
>   kerberos_kinit_password SAMBASERVER$@DOMAIN.COM failed: Cannot
> resolve network address for KDC in requested realm
> [2006/02/03 12:19:02, 0] ../utils/net_ads.c:ads_startup(191)
>   ads_connect: Cannot resolve network address for KDC in requested
> realm
> [2006/02/03 12:19:02, 2] ../utils/net.c:main(876)
>   return code = -1
>
>
> So it looks like it found the adsserver but then tried to kinit for
> the samba server I am trying to join and complained about not being able
> to resolve the kdc.  Did it fail to find a credential cache (I thought I
> was trying to get one with the join command, so it shouldn't find one)
> and then tried to get one from the local samba server and is saying it
> is not resolvable?
>
> David Shapiro
> Unix Team Lead
> 919-765-2011
>
> >>> "Nico De Wilde" <nico at openix.be> 2/3/2006 10:57:23 AM >>>
>
> Chris,
>
> The following error is repeated multiple times in your winbind.log:
>
> "Client not found in Kerberos database"
>
> Are you joining these machines as a domain admin or as an account with
> domain admin privileges?
>
> Is your resolving set up correctly?
>
> Are the clocks on your servers synchronized with the DC?
>
> Could you try:
>
> -> kinit ADMINISTRATOR at yourdomain.something
> -> net ads join -U ADMINISTRATOR
>
> What output do these two commands generate on your system?
>
> Sample smb.conf for a 'member server' in a 2000/2003 AD domain:
>
> --------------------------------------------------
> [global]
> server string = somebox
> realm = DOM1.JHUAPL.EDU
> workgroup = CHOCOWEB
> password server = dom1-dc6.dom1.jhuapl.edu
> security = ADS
> encrypt passwords = true
> # winbind configuration
> winbind separator = +
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users=yes
> winbind enum groups=yes
> -----------------------------------------------------------
>
> Sample krb5.conf
> -----------------------------------------------------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = DOM1.JHUAPL.EDU
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> DOM1.JHUAPL.EDU = {
>   kdc = the.ip.of.your.dc:88
>   admin_server = the.ip.of.your.dc:749
>   default_domain = dom1.jhuapl.edu
> }
> ----------------------------------------------------------
> Nsswitch.conf
>
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> hosts:      files dns winbind
>
> --------------------------------------------------------------
>
> This should get you going.
>
> Can you provide additional feedback on this?
>
> Thx.
>
> Regards,
>
> Nico
>
>
> ----- Original Message -----
> From: "Chris Stone" <chris.stone at jhuapl.edu>
> To: "Nico De Wilde" <nico at openix.be>
> Sent: Friday, February 03, 2006 4:33 PM
> Subject: Re: [Samba] trouble with winbind
>
> > Nico,
> >
> > I've attached the winbindd log. I manually created the machine
> > account, without the account I can't bind, it's an issue with
> > domain privileges. What I don't understand is that I took all of the config
> > files, nsswitch, krb5.conf, and others, from a machine that is bound
> > and has a working winbind:-(
> >
> >
> > biolinux:/var/log/samba # vi /etc/nsswitch.conf
> >
> > # entry should stop if the search in the previous entry turned
> > # up nothing. Note that if the search failed due to some other reason
> > # (like no NIS server responding) then the search continues with the
> > # next entry.
> > #
> > # Legal entries are:
> > #
> > #       compat                  Use compatibility setup
> > #       nisplus                 Use NIS+ (NIS version 3)
> > #       nis                     Use NIS (NIS version 2), also called YP
> > #       dns                     Use DNS (Domain Name Service)
> > #       files                   Use the local files
> > #       db                      Use the /var/db databases
> > #       [NOTFOUND=return]       Stop searching if not found so far
> > #
> > # For more information, please read the nsswitch.conf.5 manual page.
> >
> > passwd: files winbind
> > group:  files winbind
> > --endsnip
> >
> >
> > Thanks,
> > Chris
>
> --------------------------------------------------------------------------------
>
> > On Feb 3, 2006, at 9:50 AM, Nico De Wilde wrote:
> >> Chris,
> >>
> >> Can you provide the winbind logs of the machine that does not
> >> succeed in joining the domain?
> >>
> >> Have you checked in your Windows server that machine accounts were
> >> created?
> >>
> >> Is your nsswitch.conf set up properly?
> >>
> >> Thx,
> >>
> >> Nico
> >> ----- Original Message ----- From: "Chris Stone"
> >> <chris.stone at jhuapl.edu>
> >> To: <samba at lists.samba.org>
> >> Sent: Friday, February 03, 2006 3:10 PM
> >> Subject: [Samba] trouble with winbind
> >>
> >>> Hi,
> >>> I'm running samba, V3.0.20b-3.4-SUSE, on suse el9. I've
> >>> successfully bound one machine to active directory, I can login
> >>> to the local box using domain credentials. However, I can't get a
> >>> second machine to the domain, using the exact same procedures.
> >>> The machine claims to be bound,
> >>> wbinfo -t returns "checking the trust secret via RPC calls
> >>> succeeded"
> >>> But, when I run wbinfo --sequence, it returns,
> >>> APL : DISCONNECTED
> >>> BIOLINUX : 1
> >>> BUILTIN : 1
> >>> JHUAPL : DISCONNECTED
> >>> Kerberos is working, I can do a kinit user at JHUAPL.EDU, and get a
> >>> ticket. My smb.conf is:
> >>> [global]
> >>>         workgroup = JHUAPL
> >>>         server string = edna
> >>>         socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_LOWDELAY
> >>>         encrypt password = yes
> >>>         password server = dom1-dc6.dom1.jhuapl.edu
> >>>         realm = DOM1.JHUAPL.EDU
> >>>         netbios name = biolinux
> >>>         security = ads
> >>>         idmap uid = 10000-40000
> >>>         idmap gid = 10000-40000
> >>>         winbind separator = _
> >>>         winbind enum users = yes
> >>>         winbind enum groups = yes
> >>>         winbind use default domain = yes
> >>>         username map = /etc/samba/smbusers
> >>>         map to guest = Bad User
> >>>         template shell = /bin/bash
> >>> Can anyone suggest what I might be doing wrong? I've been
> >>> googling this for a couple of days, and have run out of ideas.
> >>> Thank You,
> >>> Chris
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/listinfo/samba
> >>
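The two failure signs in the debug output quoted above, the "time offset is N seconds" line and "Cannot resolve network address for KDC in requested realm", can both be checked before running the join. The following is an added Python example, not code from the thread or from Samba: it parses a krb5.conf to confirm the default realm has a kdc entry (or that dns_lookup_kdc is enabled so SRV records can be used instead), and scans a `net ads join -d 10` transcript for the clock offset and the KDC error. The krb5.conf texts and log lines embedded in it are constructed to mirror the samples in the thread; the hostnames and the 300-second skew threshold (libkrb5's default clockskew) are assumptions.

```python
import re
from typing import Dict, List

# Constructed krb5.conf (assumption, modelled on the sample in the thread): the
# [realms] section is missing while dns_lookup_kdc is false, so libkrb5 has no
# way to find a KDC for the default realm.
BROKEN_KRB5_CONF = """
[libdefaults]
default_realm = DOM1.JHUAPL.EDU
dns_lookup_realm = false
dns_lookup_kdc = false
"""

# Same file with the [realms] block present (placeholder KDC address).
FIXED_KRB5_CONF = """
[libdefaults]
default_realm = DOM1.JHUAPL.EDU
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DOM1.JHUAPL.EDU = {
  kdc = the.ip.of.your.dc:88
  admin_server = the.ip.of.your.dc:749
  default_domain = dom1.jhuapl.edu
}
"""

# Constructed excerpt shaped like the `net ads join -d 10` lines in the thread.
SAMPLE_JOIN_DEBUG = """
[2006/02/03 12:19:02, 4] ../libads/ldap.c:ads_server_info(2547)
  time offset is 114 seconds
[2006/02/03 12:19:02, 0] ../libads/kerberos.c:ads_kinit_password(164)
  kerberos_kinit_password SAMBASERVER$@DOMAIN.COM failed: Cannot resolve network address for KDC in requested realm
"""

MAX_CLOCK_SKEW = 300  # libkrb5 default clockskew, in seconds (assumption: unchanged in krb5.conf)


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal krb5.conf parser: [sections], key = value, and one level of
    NAME = { ... } blocks. Enough for the checks below, not a complete parser."""
    conf: Dict[str, Dict[str, object]] = {}
    section = None
    block = None  # dict for the current { ... } block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if m:
            target = block if block is not None else section
            target[m.group(1)] = m.group(2).strip()
    return conf


def check_kdc_config(conf: Dict[str, Dict[str, object]]) -> List[str]:
    """Return problems that would stop libkrb5 from locating a KDC."""
    problems: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    dns_kdc = str(libdefaults.get("dns_lookup_kdc", "true")).lower() in ("true", "yes", "1")
    realm_cfg = conf.get("realms", {}).get(realm)
    has_kdc = isinstance(realm_cfg, dict) and "kdc" in realm_cfg
    if not has_kdc and not dns_kdc:
        problems.append(f"no kdc entry for {realm} and dns_lookup_kdc is false: KDC cannot be located")
    return problems


def check_join_debug(log: str) -> List[str]:
    """Scan net ads join debug output for the clock offset and the KDC error."""
    findings: List[str] = []
    m = re.search(r"time offset is (-?\d+) seconds", log)
    if m:
        offset = int(m.group(1))
        verdict = "exceeds" if abs(offset) > MAX_CLOCK_SKEW else "is within"
        findings.append(f"clock offset {offset}s {verdict} the {MAX_CLOCK_SKEW}s skew limit")
    if "Cannot resolve network address for KDC" in log:
        findings.append("KDC lookup failed: check [realms] kdc entries or enable dns_lookup_kdc")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(name, check_kdc_config(parse_krb5_conf(text)))
    for line in check_join_debug(SAMPLE_JOIN_DEBUG):
        print(line)
```

On a real host, read /etc/krb5.conf into parse_krb5_conf and feed the captured join output to check_join_debug; the 114-second offset in the thread is under the default limit, so the config check is the one that points at the cause.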
