[Samba] trouble with winbind

Dimitri Yioulos dyioulos at firstbhph.com
Fri Feb 3 18:05:00 GMT 2006


Top-posting.  Eeek.

One thing I think I see is that the system times between the Samba and AD 
servers may be out of sync.  I believe that if the time difference is 
significant enough, then the krb encryption codes will not match and access 
to network resources may be denied.  Are both of your servers' system times 
synced via NTP?

Dimitri


On Friday February 03 2006 12:28 pm, David Shapiro wrote:
> I found mention of how to run net ads join with debugging, which got me
> some good info when I run net ads join with debuglevel=10:
>
>  namecache_store: storing 1 address for adserver.domain.com#20:
> 1.2.3.4:0
> [2006/02/03 12:19:02, 10] ../lib/gencache.c:gencache_set(127)
>   Adding cache entry with key = NBT/ADSSERVER.DOMAIN.COM#20; value =
> 1.2.3.4:0 and timeout = Fri Feb  3 12:30:02 2006
>    (660 seconds ahead)
> [2006/02/03 12:19:02, 10]
> ../libsmb/namequery.c:internal_resolve_name(1145)
>   internal_resolve_name: returning 1 addresses: 10.69.147.110:0
> [2006/02/03 12:19:02, 10]
> ../libsmb/namequery.c:remove_duplicate_addrs2(320)
>   remove_duplicate_addrs2: looking for duplicate address/port pairs
> [2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1406)
>   get_dc_list: returning 1 ip addresses in an ordered list
> [2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1407)
>   get_dc_list: 10.69.147.110:0
> [2006/02/03 12:19:02, 5] ../libads/ldap.c:ads_try_connect(126)
>   ads_try_connect: trying ldap server '1.2.3.4' port 389
> [2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_connect(288)
>   Connected to LDAP server 1.2.3.4
> [2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_server_info(2541)
>   got ldap server name adsserver@DOMAIN.COM, using bind path:
> dc=DOMAIN,dc=COM
> [2006/02/03 12:19:02, 4] ../libads/ldap.c:ads_server_info(2547)
>   time offset is 114 seconds
> [2006/02/03 12:19:02, 4] ../libads/sasl.c:ads_sasl_bind(455)
>   Found SASL mechanism GSS-SPNEGO
> [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
>   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
>   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
>   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
>   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(219)
>   ads_sasl_spnego_bind: got server principal name
> =adsserver$@DOMAIN.COM
> [2006/02/03 12:19:02, 3] ../libsmb/clikrb5.c:ads_krb5_mk_req(478)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> [2006/02/03 12:19:02, 0] ../libads/kerberos.c:ads_kinit_password(164)
>   kerberos_kinit_password SAMBASERVER$@DOMAIN.COM failed: Cannot
> resolve network address for KDC in requested realm
> [2006/02/03 12:19:02, 0] ../utils/net_ads.c:ads_startup(191)
>   ads_connect: Cannot resolve network address for KDC in requested
> realm
> [2006/02/03 12:19:02, 2] ../utils/net.c:main(876)
>   return code = -1
>
>
> So it looks like it found the adsserver but then tried to kinit for
> the samba server I am trying to join and complained about not being able
> to resolve the kdc.  Did it fail to find a credential cache (I thought I
> was trying to get one with the join command, so it shouldn't find one)
> and then tried to get one from the local samba server and is saying it
> is not resolvable?
>
> David Shapiro
> Unix Team Lead
> 919-765-2011
>
> >>> "Nico De Wilde" <nico at openix.be> 2/3/2006 10:57:23 AM >>>
>
> Chris,
>
> The following error is repeated multiple times in your winbind.log:
>
> "Client not found in Kerberos database"
>
> Are you joining these machines as a domain admin or as an account with
> domain admin privileges?
>
> Is your resolving set up correctly?
>
> Are the clocks on your servers synchronized with the DC?
>
> Could you try:
>
> -> kinit ADMINISTRATOR@yourdomain.something
> -> net ads join -U ADMINISTRATOR
>
> What output do these two commands generate on your system?
>
> Sample smb.conf for a 'member server' in a 2000/2003 AD domain:
>
> --------------------------------------------------
> [global]
> server string = somebox
> realm = DOM1.JHUAPL.EDU
> workgroup = CHOCOWEB
> password server = dom1-dc6.dom1.jhuapl.edu
> security = ADS
> encrypt passwords = true
> # winbind configuration
> winbind separator = +
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users=yes
> winbind enum groups=yes
> -----------------------------------------------------------
>
> Sample krb5.conf
> -----------------------------------------------------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = DOM1.JHUAPL.EDU
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> DOM1.JHUAPL.EDU = {
>   kdc = the.ip.of.your.dc:88
>   admin_server = the.ip.of.your.dc:749
>   default_domain = dom1.jhuapl.edu
> }
> ----------------------------------------------------------
> Nsswitch.conf
>
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> hosts:      files dns winbind
>
> --------------------------------------------------------------
>
> This should get you going.
>
> Can you provide additional feedback on this?
>
> Thx.
>
> Regards,
>
> Nico
>
>
> ----- Original Message -----
> From: "Chris Stone" <chris.stone at jhuapl.edu>
> To: "Nico De Wilde" <nico at openix.be>
> Sent: Friday, February 03, 2006 4:33 PM
> Subject: Re: [Samba] trouble with winbind
>
> > Nico,
> >
> > I've attached the winbindd log. I manually created the machine
> > account, without the account I can't bind, it's an issue with domain
> > privileges. What I don't understand is that I took all of the config
> > files, nsswitch, krb5.conf, and others, from a machine that is bound
> > and has a working winbind:-(
> >
> >
> > biolinux:/var/log/samba # vi /etc/nsswitch.conf
> >
> > # entry should stop if the search in the previous entry turned
> > # up nothing. Note that if the search failed due to some other reason
> > # (like no NIS server responding) then the search continues with the
> > # next entry.
> > #
> > # Legal entries are:
> > #
> > #       compat                  Use compatibility setup
> > #       nisplus                 Use NIS+ (NIS version 3)
> > #       nis                     Use NIS (NIS version 2), also called YP
>
> > #       dns                     Use DNS (Domain Name Service)
> > #       files                   Use the local files
> > #       db                      Use the /var/db databases
> > #       [NOTFOUND=return]       Stop searching if not found so far
> > #
> > # For more information, please read the nsswitch.conf.5 manual page.
> >
> > passwd: files winbind
> > group:  files winbind
> > --endsnip
> >
> >
> > Thanks,
> > Chris
>
> --------------------------------------------------------------------------------
>
> > On Feb 3, 2006, at 9:50 AM, Nico De Wilde wrote:
> >> Chris,
> >>
> >> Can you provide the winbind logs of the machine that does not
> >> succeed in joining the domain?
> >>
> >> Have you checked in your Windows server that machine accounts were
> >> created?
> >>
> >> Is your nsswitch.conf setup properly?
> >>
> >> Thx,
> >>
> >> Nico
> >> ----- Original Message ----- From: "Chris Stone"
> >> <chris.stone at jhuapl.edu>
> >> To: <samba at lists.samba.org>
> >> Sent: Friday, February 03, 2006 3:10 PM
> >> Subject: [Samba] trouble with winbind
> >>
> >>> Hi,
> >>> I'm running samba, V3.0.20b-3.4-SUSE, on suse el9. I've
> >>> successfully  bound one machine to active directory, I can login
> >>> to the local box  using domain credentials. However, I can't get a
> >>> second machine to  the domain, using the exact same procedures.
> >>> The machine claims to be  bound,
> >>>  wbinfo -t returns "checking the trust secret via RPC calls
> >>> succeeded"
> >>> But, when I run wbinfo --sequence, it returns,
> >>> APL : DISCONNECTED
> >>> BIOLINUX : 1
> >>> BUILTIN : 1
> >>> JHUAPL : DISCONNECTED
> >>> Kerberos is working, I can do a kinit user@JHUAPL.EDU, and get a
> >>> ticket. My smb.conf is:
> >>> [global]
> >>>         workgroup = JHUAPL
> >>>         server string = edna
> >>>         socket options = TCP_NODELAY SO_SNDBUF=8192
> >>> SO_RCVBUF=8192  IPTOS_LOWDELAY
> >>>         encrypt password = yes
> >>>         password server = dom1-dc6.dom1.jhuapl.edu
> >>>         realm = DOM1.JHUAPL.EDU
> >>>         netbios name = biolinux
> >>>         security = ads
> >>>         idmap uid = 10000-40000
> >>>         idmap gid = 10000-40000
> >>>         winbind separator = _
> >>>         winbind enum users = yes
> >>>         winbind enum groups = yes
> >>>         winbind use default domain = yes
> >>>         username map = /etc/samba/smbusers
> >>>         map to guest = Bad User
> >>>         template shell = /bin/bash
> >>> Can anyone suggest what I might be doing wrong? I've been
> >>> googling  this for a couple of days, and have run out ideas.
> >>> Thank You,
> >>> Chris
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/listinfo/samba
> >>

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
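
A triage sketch for the two Kerberos questions raised in this thread (clock skew and the "Cannot resolve network address for KDC in requested realm" failure), added here as an example and not code from any poster or from Samba. The 300-second limit is the default Kerberos clock-skew tolerance; the sample log and krb5.conf are constructed from the formats quoted above, and `triage` and `realms_with_kdc` are hypothetical helper names.

```python
import re

MAX_SKEW = 300  # seconds: default Kerberos clock-skew tolerance (5 minutes)

# Constructed sample, modelled on the "net ads join" debug output in the thread.
SAMPLE_LOG = """\
[2006/02/03 12:19:02, 4] ../libads/ldap.c:ads_server_info(2547)
  time offset is 114 seconds
[2006/02/03 12:19:02, 0] ../libads/kerberos.c:ads_kinit_password(164)
  kerberos_kinit_password SAMBASERVER$@DOMAIN.COM failed: Cannot
resolve network address for KDC in requested realm
"""

# Constructed krb5.conf: DNS lookup of KDCs is off and DOMAIN.COM has no entry.
SAMPLE_KRB5 = """\
[libdefaults]
default_realm = DOM1.JHUAPL.EDU
dns_lookup_kdc = false

[realms]
DOM1.JHUAPL.EDU = {
  kdc = dc.example.test:88
}
"""

def realms_with_kdc(krb5_text):
    """Realm names in [realms] that carry a kdc = line (nested braces unsupported)."""
    sec = re.search(r"^\[realms\](.*?)(?=^\[|\Z)", krb5_text, re.S | re.M)
    blocks = re.findall(r"(\S+)\s*=\s*\{([^}]*)\}", sec.group(1)) if sec else []
    return {name for name, body in blocks if re.search(r"^\s*kdc\s*=", body, re.M)}

def triage(log_text, krb5_text):
    """Return (check, value, ok) tuples for clock skew and KDC resolvability."""
    findings = []
    flat = " ".join(log_text.split())  # undo e-mail line wrapping in the log
    m = re.search(r"time offset is (-?\d+) seconds", flat)
    if m:
        skew = abs(int(m.group(1)))
        findings.append(("skew", skew, skew <= MAX_SKEW))
    m = re.search(r"kerberos_kinit_password \S+@(\S+) failed: "
                  r"Cannot resolve network address for KDC", flat)
    if m:
        realm = m.group(1)
        dns = re.search(r"^\s*dns_lookup_kdc\s*=\s*(true|yes|1)\s*$",
                        krb5_text, re.I | re.M)
        # Resolvable only with a static kdc entry for the realm or DNS lookup on.
        findings.append(("kdc", realm, realm in realms_with_kdc(krb5_text) or bool(dns)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_KRB5):
        print(finding)
```

On the constructed input, the 114-second offset falls inside the default tolerance, while the realm named in the failing `kinit` has neither a static `kdc` entry nor DNS lookup enabled.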


