[Samba] Help w/ winbind & re-bind after error Referral

Scott Chapin schapin at anim.dreamworks.com
Thu Feb 9 23:08:19 GMT 2006


Hi, we've got a samba-3.0.21a-1 system that's set up w/ winbind to 
query AD to authenticate users w/out Unix accts.  The system is also set 
up to support our LDAP'd UNIX accts.

After setting the [global] section like this:

[global]
    realm = WIN.OURDOMAIN.COM
    security = ads
    password server = thebes balsam
    encrypt passwords = yes
    log file = /var/log/samba/log.%m
    log level = 5
    max log size = 300
    debug level = 3
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    idmap uid = 15000-35000
    idmap gid = 15000-35000
    winbind separator = \\
    winbind use default domain = no
    netbios name = SLOCOMBE
    workgroup = OURDOMAIN

... /etc/nsswitch edited like this:

passwd:     files ldap winbind
group:      files ldap winbind

...and /etc/pam.d/system-auth edited like this:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        optional      /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=1 ticket_lifetime=90000 renew_lifetime=630000 forwardable
auth        required      /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/pam_winbind.so use_first_pass

account     sufficient    /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
account     sufficient    /lib/security/pam_winbind.so

... and turned OFF the nscd service...

... we can join the AD domain correctly via 'net join', and all appears 
to work:  'wbinfo -u' and 'wbinfo -g' show users & groups in all three 
of our AD domains. 'wbinfo -t' succeeds as well.  SAMBA shares map 
correctly on our XP systems for users who only have AD accts., and those 
w/ LDAP accts.  So far, so good.

But now, when you run 'id <user>' or 'groups <user>', the system gets 
fairly catatonic, and smb / winbind must be restarted to regain sanity.

From log.winbindd (these types of messages repeat over and over):

[2006/02/09 13:53:59, 3] libads/ldap.c:ads_server_info(2541)
   got ldap server name thebes at WIN.OURDOMAIN.COM, using bind path: 
dc=WIN,dc=OURDOMAIN,dc=COM
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
   ads_sasl_spnego_bind: got server principal name 
=thebes$@WIN.OURDOMAIN.COM
[2006/02/09 13:53:59, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(415)
   Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 09 Feb 2006 
23:53:11 PST
[2006/02/09 13:53:59, 3] libads/ldap.c:ads_do_paged_search(527)
   ads_do_paged_search: ldap_search_with_timeout((objectclass=*)) -> 
Referral
[2006/02/09 13:53:59, 3] libads/ldap_utils.c:ads_do_search_retry(66)
   Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error 
Referral
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_lmhosts(855)
   resolve_lmhosts: Attempting lmhosts lookup for name balsam<0x20>
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_wins(752)
   resolve_wins: Attempting wins lookup for name balsam<0x20>
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_wins(755)
   resolve_wins: WINS server resolution selected and no WINS servers listed.
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_hosts(917)
   resolve_hosts: Attempting host lookup for name balsam<0x20>
[2006/02/09 13:53:59, 3] libsmb/namequery.c:name_resolve_bcast(694)
   name_resolve_bcast: Attempting broadcast lookup for name balsam<0x20>
[2006/02/09 13:54:00, 3] libads/ldap.c:ads_connect(288)
   Connected to LDAP server 192.168.55.60
[2006/02/09 13:54:00, 3] libads/ldap.c:ads_server_info(2541)
   got ldap server name thebes at WIN.OURDOMAIN.COM, using bind path: 
dc=WIN,dc=OURDOMAIN,dc=COM
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
   ads_sasl_spnego_bind: got server principal name 
=thebes$@WIN.OURDOMAIN.COM
[2006/02/09 13:54:00, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(415)
   Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 09 Feb 2006 
23:53:11 PST
[2006/02/09 13:54:00, 3] nsswitch/winbindd_ads.c:dn_lookup(393)
   ads: dn_lookup
[2006/02/09 13:54:00, 3] libads/ldap.c:ads_do_paged_search(527)
   ads_do_paged_search: ldap_search_with_timeout((objectclass=*)) -> 
Referral
[2006/02/09 13:54:00, 3] libads/ldap_utils.c:ads_do_search_retry(66)
   Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error 
Referral

Any ideas here?  Any info is appreciated.


  - SBC


-- 
Scott Chapin		Dreamworks Animation
schapin at anim.dreamworks.com    (818) 695-6361
"Computer says no."

