[Samba] Problem with alternate domains and winbind
Trimble, Ronald D
Ronald.Trimble at unisys.com
Fri Jan 16 03:35:34 GMT 2009
I am seeing a strange problem with my domain controllers as they relate to winbind. From time to time, I lose my connection to the alternate domains. I really need some help figuring this out as I have gone as far as I can. I would be very appreciative of any ideas anyone may have.
Our primary domain is NA. I need to also be able to authenticate users in other domains such as EU, LAC, and AP. They are all trusted domains and this has worked in the past. No changes, that I am aware of, have been made to the domains.
For background, I am running samba-3.2.7-0.1.135.
When I issue the wbinfo --online-status command, I get the following:
(truncated to show the relevant portions)
USTR-LINUX-1:~ # wbinfo --online-status
BUILTIN : online
USTR-LINUX-1 : online
NA : online
AP : online
EU : online
LAC : online
To further investigate those domains, I run the --domain-info switch against each domain and get the following:
USTR-LINUX-1:~ # wbinfo --domain-info=NA
Name : NA
Alt_Name : na.uis.unisys.com
SID : S-1-5-21-725345543-2052111302-527237240
Active Directory : Yes
Native : Yes
Primary : Yes
USTR-LINUX-1:~ # wbinfo --domain-info=EU
Name : EU
Alt_Name : eu.uis.unisys.com
SID : S-1-5-21-606747145-879983540-1177238915
Active Directory : Yes
Native : No
Primary : No
USTR-LINUX-1:~ # wbinfo --domain-info=AP
Name : AP
Alt_Name : ap.uis.unisys.com
SID : S-1-5-21-57989841-507921405-527237240
Active Directory : Yes
Native : No
Primary : No
USTR-LINUX-1:~ # wbinfo --domain-info=LAC
Name : LAC
Alt_Name : lac.uis.unisys.com
SID : S-1-5-21-1085031214-1454471165-1644491937
Active Directory : Yes
Native : No
Primary : No
However, when I try to retrieve the DC names, only the NA domain returns anything:
USTR-LINUX-1:~ # wbinfo --getdcname=NA
USEA-NADC3
USTR-LINUX-1:~ # wbinfo --getdcname=EU
Could not get dc name for EU
The log.wb-EU shows the following:
[2009/01/15 22:11:11, 5] winbindd/winbindd_cache.c:get_cache(178)
get_cache: Setting ADS methods for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:fetch_cache_seqnum(405)
fetch_cache_seqnum: invalid data size key [SEQNUM/EU]
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3863)
wcache_tdc_fetch_domain: Searching for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3878)
wcache_tdc_fetch_domain: Found domain EU
[2009/01/15 22:11:11, 3] winbindd/winbindd_ads.c:sequence_number(1215)
ads: fetch sequence_number for EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3863)
wcache_tdc_fetch_domain: Searching for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3878)
wcache_tdc_fetch_domain: Found domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_ads.c:ads_cached_connection(45)
ads_cached_connection
[2009/01/15 22:11:11, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
ads_krb5_mk_req: krb5_get_credentials failed for usea-eudc2$@EU.UIS.UNISYS.COM (Cannot contact any KDC for requested realm)
[2009/01/15 22:11:11, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
[2009/01/15 22:11:11, 1] winbindd/winbindd_ads.c:ads_cached_connection(127)
ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(526)
refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:store_cache_seqnum(456)
store_cache_seqnum: success [EU][4294967295 @ 1232075471]
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538)
refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:11:11, 1] winbindd/winbindd_user.c:winbindd_dual_userinfo(150)
error getting user info for sid S-1-5-21-606747145-879983540-1177238915-173280
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:cache_store_response(2423)
Storing response for pid 30838, len 3496
[2009/01/15 22:14:45, 4] winbindd/winbindd_dual.c:fork_domain_child(1238)
child daemon request 46
[2009/01/15 22:14:45, 10] winbindd/winbindd_dual.c:child_process_request(453)
child_process_request: request fn GETUSERDOMGROUPS
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(490)
refresh_sequence_number: EU time ok
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538)
refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:cache_store_response(2423)
Storing response for pid 30838, len 3496
The logs are similar for the other domains. What can I do to get this working? The Linux server can successfully resolve the names of the other domain controllers.
My samba.conf is as follows:
[global]
workgroup = NA
realm = NA.UIS.UNISYS.COM
netbios name = ustr-linux-1
server string = USTR-LINUX-1 Samba Server
encrypt passwords = yes
security = ADS
password server = 129.224.152.11
passdb backend = smbpasswd
log level = 2 winbind:10 ads:10 auth:10
syslog = 0
log file = /var/log/samba/%m.log
# debug level = 10
max log size = 5000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = no
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
winbind enum users = no
winbind enum groups = no
template homedir = /home/%D/%U
template shell = /bin/bash
nt acl support = yes
map acl inherit = yes
My krb5.conf is as follows:
[libdefaults]
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_realm = NA.UIS.UNISYS.COM
dns_lookup_kdc = true
[realms]
NA.UIS.UNISYS.COM = {
kdc = 129.224.152.11:88
kdc = 129.224.72.14:88
kdc = 129.224.72.12:88
admin_server = 129.224.152.11:749
}
EU.UIS.UNISYS.COM = {
kdc = 192.61.58.35:88
kdc = 129.221.252.21:88
kdc = 129.221.130.16:88
kdc = 129.227.37.30:88
admin_server = 192.61.58.35:749
}
AP.UIS.UNISYS.COM = {
kdc = 192.61.58.61:88
admin_server = 192.61.58.61:749
}
LAC.UIS.UNISYS.COM = {
kdc = 192.61.146.131:88
admin_server = 192.61.146.131:749
}
[domain_realm]
.na.uis.unisys.com = NA.UIS.UNISYS.COM
na.uis.unisys.com = NA.UIS.UNISYS.COM
.eu.uis.unisys.com = EU.UIS.UNISYS.COM
eu.uis.unisys.com = EU.UIS.UNISYS.COM
.ap.uis.unisys.com = AP.UIS.UNISYS.COM
ap.uis.unisys.com = AP.UIS.UNISYS.COM
.lac.uis.unisys.com = LAC.UIS.UNISYS.COM
lac.uis.unisys.com = LAC.UIS.UNISYS.COM
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
Can anyone please help me? I am going crazy trying to figure this problem out. Thanks so much for any help you may be able to offer.
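The error in log.wb-EU, "Cannot contact any KDC for requested realm", is what the Kerberos library reports when none of the KDCs it tried for that realm answered. Since krb5.conf above lists explicit kdc entries for EU, AP and LAC, the first thing to check is whether each of those hosts actually accepts connections on its Kerberos port from this box. The script below is an added diagnostic, not something from the post or from Samba: it extracts the kdc entries for a realm from a krb5.conf, probes each on TCP port 88 (or the port given), and, when dig is available, also shows the SRV records DNS advertises for the realm so they can be compared against the static list. The bundled krb5.conf is constructed for the example and uses TEST-NET addresses rather than the ones in the post; run it with `--probe EU.UIS.UNISYS.COM` against the real /etc/krb5.conf for a live check.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): list and probe the KDCs
# that krb5.conf configures for a realm. Useful when libkrb5 reports
# "Cannot contact any KDC for requested realm".

# krb5_kdcs REALM CONF
# Print the "kdc = host[:port]" values of REALM from CONF's [realms]
# section, one per line, in the order the library would try them.
krb5_kdcs() {
    awk -v realm="$1" '
        /^[ \t]*\[/ { section = $1; in_realm = 0; next }
        section == "[realms]" && $1 == realm && $NF == "{" { in_realm = 1; next }
        in_realm && $1 == "}" { in_realm = 0; next }
        in_realm && $0 ~ /^[ \t]*kdc[ \t]*=/ {
            sub(/^[ \t]*kdc[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }
    ' "$2"
}

# kdc_port_open HOST PORT
# Return 0 if a TCP connection to HOST:PORT succeeds within 3 seconds.
# Uses nc when present, otherwise bash's /dev/tcp when running under bash.
kdc_port_open() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    elif [ -n "${BASH_VERSION:-}" ] && command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    else
        echo "no nc or bash+timeout available to probe $1:$2" >&2
        return 2
    fi
}

# probe_realm REALM [CONF]
# Probe every KDC configured for REALM (default port 88). With MIT krb5,
# dns_lookup_kdc only matters for realms that have no kdc entries, so the
# SRV records are printed for comparison, not because the library uses them
# here. Returns 1 if no configured KDC answered.
probe_realm() {
    realm=$1; conf=${2:-/etc/krb5.conf}; reachable=0
    for entry in $(krb5_kdcs "$realm" "$conf"); do
        host=${entry%%:*}
        port=${entry#*:}; [ "$port" = "$entry" ] && port=88
        if kdc_port_open "$host" "$port"; then
            echo "OK    $host:$port"; reachable=$((reachable + 1))
        else
            echo "FAIL  $host:$port"
        fi
    done
    if command -v dig >/dev/null 2>&1; then
        lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
        echo "SRV records DNS advertises for _kerberos._tcp.$lower:"
        dig +short SRV "_kerberos._tcp.$lower" | sed 's/^/      /'
    fi
    [ "$reachable" -gt 0 ]
}

# Constructed sample krb5.conf for the offline demonstration. The realm names
# follow the post; the addresses are TEST-NET (RFC 5737), not the real KDCs.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = NA.UIS.UNISYS.COM
    dns_lookup_kdc = true
[realms]
    NA.UIS.UNISYS.COM = {
        kdc = 192.0.2.11:88
        admin_server = 192.0.2.11:749
    }
    EU.UIS.UNISYS.COM = {
        kdc = 192.0.2.35:88
        kdc = 192.0.2.21
        admin_server = 192.0.2.35:749
    }
[domain_realm]
    .eu.uis.unisys.com = EU.UIS.UNISYS.COM
EOF

if [ "${1:-}" = "--probe" ]; then
    # Live check against a real krb5.conf, e.g.: ./kdcprobe.sh --probe EU.UIS.UNISYS.COM
    probe_realm "${2:?realm name required}" "${3:-/etc/krb5.conf}"
else
    echo "KDCs configured for EU.UIS.UNISYS.COM in the sample config:"
    krb5_kdcs EU.UIS.UNISYS.COM "$SAMPLE_CONF"
fi
```

A KDC that shows FAIL here while wbinfo --online-status still reports the domain online is consistent with what the post describes: the online status comes from winbind's own bookkeeping, whereas the getdcname and userinfo requests need a working Kerberos connection to that realm's DC. If every listed KDC answers, the next step is a Kerberos-level test from the same host (for example kinit against the EU realm with KRB5_TRACE set) to see whether the failure is at the transport or at the ticket exchange.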