[Samba] Authenticating another domain

Trimble, Ronald D Ronald.Trimble at unisys.com
Thu Feb 16 20:23:54 GMT 2006


I can see the SID of the ID I am trying to authenticate with...

USTR-LINUX-1:~ # wbinfo -n EU\\inblr-auth1
S-1-5-21-606747145-879983540-1177238915-173280 User (1)

I have turned up the logging and added the EU domain to our krb5.conf.
My winbindd.log now shows the following:

[2006/02/16 14:14:58, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(1533)
  Retrieving response for pid 25124
[2006/02/16 14:14:58, 10] nsswitch/winbindd.c:process_request(325)
  process_request: request fn DOMAIN_INFO
[2006/02/16 14:14:58, 3]
nsswitch/winbindd_misc.c:winbindd_domain_info(356)
  [    0]: domain_info [EU.UIS.UNISYS.COM]
[2006/02/16 14:14:58, 6] nsswitch/winbindd.c:new_connection(596)
  accepted socket 18
[2006/02/16 14:14:58, 10] nsswitch/winbindd.c:process_request(325)
  process_request: request fn INTERFACE_VERSION
[2006/02/16 14:14:58, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(461)
  [    0]: request interface version
[2006/02/16 14:14:58, 10] nsswitch/winbindd.c:process_request(325)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/02/16 14:14:58, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(494)
  [    0]: request location of privileged pipe
[2006/02/16 14:14:58, 6] nsswitch/winbindd.c:new_connection(596)
  accepted socket 27
[2006/02/16 14:14:58, 10] nsswitch/winbindd.c:process_request(325)
  process_request: request fn DOMAIN_INFO
[2006/02/16 14:14:58, 3]
nsswitch/winbindd_misc.c:winbindd_domain_info(356)
  [    0]: domain_info [EU.UIS.UNISYS.COM]

********If I look in the log for the client I am trying to connect from,
I see this:

[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 10] auth/auth_util.c:get_user_groups(681)
  get_user_groups: winbind_getgroups(NA\ustr-netiq$): result = SUCCESS
[2006/02/16 14:14:58, 5] auth/auth_util.c:debug_unix_user_token(473)
  UNIX token of user 16783538
  Primary group is 16777671 and contains 1 supplementary groups
  Group[  0]: 16777671
[2006/02/16 14:14:58, 10] auth/auth_util.c:debug_nt_user_token(457)
  NT user token of user
S-1-5-21-3294472140-2299987452-2298777348-33568076
  contains 6 SIDs
  SID[  0]: S-1-5-21-3294472140-2299987452-2298777348-33568076
  SID[  1]: S-1-5-21-3294472140-2299987452-2298777348-33556343
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-725345543-2052111302-527237240-515
  SE_PRIV  0x0 0x0 0x0 0x0
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 5] auth/auth_util.c:free_server_info(1387)
  attempting to free (and zero) a server_info structure
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
  Closing connections
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 10] auth/auth_util.c:get_user_groups(681)
  get_user_groups: winbind_getgroups(NA\ustr-netiq$): result = SUCCESS
[2006/02/16 14:14:58, 5] auth/auth_util.c:debug_unix_user_token(473)
  UNIX token of user 16783538
  Primary group is 16777671 and contains 1 supplementary groups
  Group[  0]: 16777671
[2006/02/16 14:14:58, 10] auth/auth_util.c:debug_nt_user_token(457)
  NT user token of user
S-1-5-21-3294472140-2299987452-2298777348-33568076
  contains 6 SIDs
  SID[  0]: S-1-5-21-3294472140-2299987452-2298777348-33568076
  SID[  1]: S-1-5-21-3294472140-2299987452-2298777348-33556343
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-725345543-2052111302-527237240-515
  SE_PRIV  0x0 0x0 0x0 0x0
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 5] auth/auth_util.c:free_server_info(1387)
  attempting to free (and zero) a server_info structure
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
  Closing connections
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
  Closing connections
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 10] auth/auth_util.c:get_user_groups(681)
  get_user_groups: winbind_getgroups(NA\ustr-netiq$): result = SUCCESS
[2006/02/16 14:14:58, 5] auth/auth_util.c:debug_unix_user_token(473)
  UNIX token of user 16783538
  Primary group is 16777671 and contains 1 supplementary groups
  Group[  0]: 16777671
[2006/02/16 14:14:58, 10] auth/auth_util.c:debug_nt_user_token(457)
  NT user token of user
S-1-5-21-3294472140-2299987452-2298777348-33568076
  contains 6 SIDs
  SID[  0]: S-1-5-21-3294472140-2299987452-2298777348-33568076
  SID[  1]: S-1-5-21-3294472140-2299987452-2298777348-33556343
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-725345543-2052111302-527237240-515
  SE_PRIV  0x0 0x0 0x0 0x0
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 5] auth/auth_util.c:free_server_info(1387)
  attempting to free (and zero) a server_info structure
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
  Closing connections
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
  Closing connections
[2006/02/16 14:15:00, 2] smbd/server.c:exit_server(612)
  Closing connections

My wbinfo --sequence still shows the EU domain as being disconnected.

I just found this error in the log.wb-EU file:

[2006/02/16 14:51:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)
  ads_krb5_mk_req: krb5_get_credentials failed for
usea-eudc1$@EU.UIS.UNISYS.COM (Cannot contact any KDC for requested
realm)
[2006/02/16 14:51:29, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)
  ads_krb5_mk_req: krb5_get_credentials failed for
usea-eudc1$@EU.UIS.UNISYS.COM (Cannot contact any KDC for requested
realm)
[2006/02/16 14:51:29, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain EU failed: Cannot contact any KDC for requested
realm
-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
Sent: Thursday, February 16, 2006 11:05 AM
To: Trimble, Ronald D
Cc: samba at lists.samba.org
Subject: Re: [Samba] Authenticating another domain

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trimble, Ronald D wrote:

>   Username EU\inblr-auth1 is invalid on this system

figure this out.  That is the key.  Does
"getent passwd 'EU\inblr-auth1'" return anything?
What does wbinfo --sequence show?






cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD9KKUIR7qMdg1EfYRApFRAKC2rqZZ3cFZMV5jLfVtON/uD9P5rgCfR5tG
fAQ7r9ZXNxRfB1nYcF1qnW0=
=oH5D
-----END PGP SIGNATURE-----


More information about the samba mailing list