[Samba] Help w/ winbind & re-bind after error Referral
Scott Chapin
schapin at anim.dreamworks.com
Thu Feb 9 23:08:19 GMT 2006
Hi, we've got a samba-3.0.21a-1 system that's set up w/ winbind to
query AD to authenticate users w/out Unix accts. The system is also set
up to support our LDAP'd UNIX accts.
After setting the [global] section like this:
[global]
realm = WIN.OURDOMAIN.COM
security = ads
password server = thebes balsam
encrypt passwords = yes
log file = /var/log/samba/log.%m
log level = 5
max log size = 300
debug level = 3
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
idmap uid = 15000-35000
idmap gid = 15000-35000
winbind separator = \\
winbind use default domain = no
netbios name = SLOCOMBE
workgroup = OURDOMAIN
... /etc/nsswitch edited like this:
passwd: files ldap winbind
group: files ldap winbind
...and /etc/pam.d/system-auth edited like this:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth optional /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=1 ticket_lifetime=90000 renew_lifetime=630000 forwardable
auth required /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/pam_winbind.so use_first_pass
account sufficient /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
account sufficient /lib/security/pam_winbind.so
... and turned OFF the nscd service...
... we can join the AD domain correctly via 'net join', and all appears
to work: 'wbinfo -u' and 'wbinfo -g' show users & groups in all three
of our AD domains. 'wbinfo -t' succeeds as well. SAMBA shares map
correctly on our XP systems for users who only have AD accts., and those
w/ LDAP accts. So far, so good.
But now, when you run 'id <user>' or 'groups <user>', the system gets
fairly catatonic, and smb / winbind must be restarted to regain sanity.
From log.winbindd (these types of messages repeat over and over):
[2006/02/09 13:53:59, 3] libads/ldap.c:ads_server_info(2541)
got ldap server name thebes at WIN.OURDOMAIN.COM, using bind path:
dc=WIN,dc=OURDOMAIN,dc=COM
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
ads_sasl_spnego_bind: got server principal name
=thebes$@WIN.OURDOMAIN.COM
[2006/02/09 13:53:59, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(415)
Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 09 Feb 2006
23:53:11 PST
[2006/02/09 13:53:59, 3] libads/ldap.c:ads_do_paged_search(527)
ads_do_paged_search: ldap_search_with_timeout((objectclass=*)) ->
Referral
[2006/02/09 13:53:59, 3] libads/ldap_utils.c:ads_do_search_retry(66)
Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error
Referral
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_lmhosts(855)
resolve_lmhosts: Attempting lmhosts lookup for name balsam<0x20>
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_wins(752)
resolve_wins: Attempting wins lookup for name balsam<0x20>
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_wins(755)
resolve_wins: WINS server resolution selected and no WINS servers listed.
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_hosts(917)
resolve_hosts: Attempting host lookup for name balsam<0x20>
[2006/02/09 13:53:59, 3] libsmb/namequery.c:name_resolve_bcast(694)
name_resolve_bcast: Attempting broadcast lookup for name balsam<0x20>
[2006/02/09 13:54:00, 3] libads/ldap.c:ads_connect(288)
Connected to LDAP server 192.168.55.60
[2006/02/09 13:54:00, 3] libads/ldap.c:ads_server_info(2541)
got ldap server name thebes at WIN.OURDOMAIN.COM, using bind path:
dc=WIN,dc=OURDOMAIN,dc=COM
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
ads_sasl_spnego_bind: got server principal name
=thebes$@WIN.OURDOMAIN.COM
[2006/02/09 13:54:00, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(415)
Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 09 Feb 2006
23:53:11 PST
[2006/02/09 13:54:00, 3] nsswitch/winbindd_ads.c:dn_lookup(393)
ads: dn_lookup
[2006/02/09 13:54:00, 3] libads/ldap.c:ads_do_paged_search(527)
ads_do_paged_search: ldap_search_with_timeout((objectclass=*)) ->
Referral
[2006/02/09 13:54:00, 3] libads/ldap_utils.c:ads_do_search_retry(66)
Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error
Referral
Any ideas here? Any info is appreciated.
- SBC
--
Scott Chapin Dreamworks Animation
schapin at anim.dreamworks.com (818) 695-6361
"Computer says no."
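As an added example (not part of Scott's post and not Samba's own code), here is a small POSIX shell script that runs the diagnosis above over a log.winbindd file: it counts the "Reopening ads connection ... after error Referral" retries, counts the LDAP reconnects in between, finds the busiest second, and gives a verdict on whether the log shows the retry loop the post describes. The sample log embedded in it is constructed from the message shapes quoted in the post (header line with timestamp, indented message line); the realm name, the IP address and the threshold of three reopens are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba.
# Scans a winbindd log (log.winbindd) for the LDAP referral-retry loop
# shown in the post: ads_do_search_retry reopening the ADS connection
# "after error Referral" again and again without making progress.

# Constructed sample log in Samba's level-3 layout: a
# "[date time, level] file:func(line)" header line followed by an
# indented message line. Realm name and server IP are assumed.
make_sample_log() {
  tmp=$(mktemp) || return 1
  cat >"$tmp" <<'EOF'
[2006/02/09 13:53:59, 3] libads/ldap.c:ads_do_paged_search(527)
  ads_do_paged_search: ldap_search_with_timeout((objectclass=*)) -> Referral
[2006/02/09 13:53:59, 3] libads/ldap_utils.c:ads_do_search_retry(66)
  Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error Referral
[2006/02/09 13:53:59, 3] libads/ldap.c:ads_connect(288)
  Connected to LDAP server 192.168.55.60
[2006/02/09 13:53:59, 3] libads/ldap_utils.c:ads_do_search_retry(66)
  Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error Referral
[2006/02/09 13:54:00, 3] libads/ldap.c:ads_connect(288)
  Connected to LDAP server 192.168.55.60
[2006/02/09 13:54:00, 3] libads/ldap_utils.c:ads_do_search_retry(66)
  Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error Referral
EOF
  echo "$tmp"
}

# Number of times winbindd gave up on a search and reopened the ADS connection.
count_referral_reopens() {
  grep -c "Reopening ads connection to realm .* after error Referral" "$1" || true
}

# Number of successful LDAP (re)connects in the same window.
count_connects() {
  grep -c "Connected to LDAP server" "$1" || true
}

# Highest number of referral reopens logged within a single second. The
# header line carries the timestamp and the message follows on the next
# line, so awk remembers the last timestamp it saw.
max_reopens_per_second() {
  awk '
    /^\[/ { ts = $2; sub(/,$/, "", ts); next }
    /Reopening ads connection to realm .* after error Referral/ { n[ts]++ }
    END { max = 0; for (t in n) if (n[t] > max) max = n[t]; print max + 0 }
  ' "$1"
}

# Exit 0 when the log looks like a retry loop: at least $2 reopens (assumed
# threshold) and no more reconnects than reopens, i.e. every reconnect was
# followed by yet another referral and reopen.
referral_loop_suspected() {
  reopens=$(count_referral_reopens "$1")
  connects=$(count_connects "$1")
  [ "$reopens" -ge "$2" ] && [ "$reopens" -ge "$connects" ]
}

# Short report. Run as: sh winbind_referral_check.sh /var/log/samba/log.winbindd
report() {
  printf 'referral reopens: %s\n' "$(count_referral_reopens "$1")"
  printf 'ldap connects:    %s\n' "$(count_connects "$1")"
  printf 'max reopens/sec:  %s\n' "$(max_reopens_per_second "$1")"
  if referral_loop_suspected "$1" 3; then
    echo "VERDICT: referral retry loop suspected in this window"
  else
    echo "VERDICT: no referral retry loop in this window"
  fi
}

if [ "$#" -gt 0 ]; then
  report "$1"
fi
```

Run it against the real log.winbindd while reproducing the hang with 'id <user>'; a rising reopen count with connects keeping pace is the signature of the loop in the post, whereas a handful of referrals followed by silence is just normal cross-domain chasing.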