[Samba] wbinfo -K not working
Árpád Magosányi
magwas at rabic.org
Thu May 28 17:13:16 GMT 2009
Dear List!
I have the problem described at
http://lists.samba.org/archive/samba/2008-February/138451.html
It materialized after an upgrade of samba/winbind. Everything was working
before.
I could not find the solution either on the net or from the people who
originally had the problem, so here I am.
This problem is a showstopper for me. (I can log in by changing pam_winbind
to pam_krb5, but this does not cache credentials, so I cannot work at home.)
Additional information I figured out:
- According to wireshark, winbind (wbinfo -K) tries to authenticate the
principal 'RESmagosanyi1a313' instead of 'magosanyi1a313'
- There are logs saying "Cannot resolve network address for KDC in requested
realm" and "Could not receive trustdoms", which may or may not be related to
the problem. (See detailed logs below.)
original problem:
Works:
kinit
wbinfo -u
wbinfo -g
wbinfo -t
Fails:
root at mxln133738# wbinfo -K magosanyi1a313
Enter magosanyi1a313's password:
plaintext kerberos password authentication for [magosanyi1a313] failed
(requesting cctype: FILE)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [magosanyi1a313] with Kerberos (ccache: FILE)
smb.conf:
[global]
client signing = yes
client schannel = no
client use spnego = yes
client lanman auth = no
client NTLMv2 auth = yes
client plaintext auth = no
# idmap domains = RES
# idmap config RES:backend = ad
# idmap config RES:default = yes
# idmap config RES:schema_mode = rfc2307
# idmap config RES:range = 1000 - 300000000
# dns_lookup_kdc = false
workgroup = RES
realm = RES.HU.CORP
preferred master = no
security = ADS
encrypt passwords = true
syslog only = yes
syslog = 3
log level = 3
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = true
winbind offline logon = yes
winbind cache time = 300
winbind normalize names = yes
winbind offline logon = yes
use kerberos keytab = Yes
idmap uid = 3000-20000
idmap gid = 3000-20000
#idmap backend = idmap_rid:RES=3000-20000
;template primary group = "Domain Users"
template shell = /bin/bash
winbind version:
magosanyi1a313 at mxln133738$ dpkg -l winbind
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============================-==============================-============================================================================
ii winbind 2:3.3.2-1ubuntu3
Samba nameservice integration server
May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53, 2]
lib/tallocmsg.c:register_msg_pool_usage(106)
May 28 19:11:53 mxln133738 winbindd[17221]: Registered MSG_REQ_POOL_USAGE
May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53, 2]
lib/dmallocmsg.c:register_dmalloc_msgs(77)
May 28 19:11:53 mxln133738 winbindd[17221]: Registered
MSG_REQ_DMALLOC_MARK and LOG_CHANGED
May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53, 2]
lib/interface.c:add_interface(340)
May 28 19:11:53 mxln133738 winbindd[17221]: added interface eth0
ip=10.3.125.42 bcast=10.3.127.255 netmask=255.255.248.0
May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53, 2]
lib/interface.c:add_interface(340)
May 28 19:11:53 mxln133738 winbindd[17221]: added interface eth0
ip=10.3.125.42 bcast=10.3.127.255 netmask=255.255.248.0
May 28 19:11:54 mxln133738 winbindd[17222]: [2009/05/28 19:11:54, 1]
lib/util_tdb.c:tdb_validate_and_backup(1426)
May 28 19:11:54 mxln133738 winbindd[17222]: tdb
'/var/cache/samba/winbindd_cache.tdb' is valid
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 1]
lib/util_tdb.c:tdb_validate_and_backup(1436)
May 28 19:12:07 mxln133738 winbindd[17222]: Created backup
'/var/cache/samba/winbindd_cache.tdb.bak' of tdb
'/var/cache/samba/winbindd_cache.tdb'
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 2]
winbindd/winbindd_util.c:add_trusted_domain(235)
May 28 19:12:07 mxln133738 winbindd[17222]: Added domain BUILTIN S-1-5-32
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 2]
winbindd/winbindd_util.c:add_trusted_domain(235)
May 28 19:12:07 mxln133738 winbindd[17222]: Added domain MXLN133738
S-1-5-21-283202338-3230163293-2318106275
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 2]
winbindd/winbindd_util.c:add_trusted_domain(235)
May 28 19:12:07 mxln133738 winbindd[17222]: Added domain RES
RES.HU.CORP S-1-5-21-698458317-4263495693-249106618
May 28 19:12:07 mxln133738 winbindd[17228]: [2009/05/28 19:12:07, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(617)
May 28 19:12:07 mxln133738 winbindd[17228]: Doing kerberos session setup
May 28 19:12:07 mxln133738 winbindd[17228]: [2009/05/28 19:12:07, 1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:07 mxln133738 winbindd[17228]: ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
May 28 19:12:07 mxln133738 winbindd[17228]: [2009/05/28 19:12:07, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
May 28 19:12:07 mxln133738 winbindd[17228]:
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(617)
May 28 19:12:07 mxln133738 winbindd[17222]: Doing kerberos session setup
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:07 mxln133738 winbindd[17222]: ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
May 28 19:12:07 mxln133738 winbindd[17222]:
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 2]
winbindd/winbindd_util.c:add_trusted_domain(235)
May 28 19:12:07 mxln133738 winbindd[17222]: Added domain HU hu.corp
S-1-5-21-432019103-1439757928-1114753422
May 28 19:12:08 mxln133738 winbindd[17237]: [2009/05/28 19:12:08, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(617)
May 28 19:12:08 mxln133738 winbindd[17237]: Doing kerberos session setup
May 28 19:12:08 mxln133738 winbindd[17237]: [2009/05/28 19:12:08, 1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:08 mxln133738 winbindd[17237]: ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
May 28 19:12:08 mxln133738 winbindd[17237]: [2009/05/28 19:12:08, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
May 28 19:12:08 mxln133738 winbindd[17237]:
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
May 28 19:12:08 mxln133738 winbindd[17222]: [2009/05/28 19:12:08, 2]
winbindd/winbindd.c:remove_client(744)
May 28 19:12:08 mxln133738 winbindd[17222]: final write to client
failed: Broken pipe
May 28 19:12:09 mxln133738 winbindd[17222]: [2009/05/28 19:12:09, 2]
winbindd/winbindd.c:remove_client(744)
May 28 19:12:09 mxln133738 winbindd[17222]: final write to client
failed: Broken pipe
May 28 19:12:18 mxln133738 wbinfo: [2009/05/28 19:12:18, 2]
lib/interface.c:add_interface(340)
May 28 19:12:18 mxln133738 wbinfo: added interface eth0
ip=10.3.125.42 bcast=10.3.127.255 netmask=255.255.248.0
May 28 19:12:18 mxln133738 winbindd[17222]: [2009/05/28 19:12:18, 1]
winbindd/winbindd_util.c:trustdom_recv(303)
May 28 19:12:18 mxln133738 winbindd[17222]: Could not receive trustdoms
May 28 19:12:21 mxln133738 winbindd[17222]: [2009/05/28 19:12:21, 2]
winbindd/winbindd.c:remove_client(744)
May 28 19:12:21 mxln133738 winbindd[17222]: final write to client
failed: Broken pipe
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 1]
libads/kerberos.c:smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(159)
May 28 19:12:21 mxln133738 winbindd[17228]: no krb5_error
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 1]
libads/authdata.c:kerberos_return_pac(398)
May 28 19:12:21 mxln133738 winbindd[17228]: kinit failed for
'RES\magosanyi1a313 at RES.HU.CORP' with: Client not found in Kerberos
database (-1765328378)
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(617)
May 28 19:12:21 mxln133738 winbindd[17228]: Doing kerberos session setup
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:21 mxln133738 winbindd[17228]: ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
May 28 19:12:21 mxln133738 winbindd[17228]:
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 2]
winbindd/winbindd_pam.c:winbindd_dual_pam_auth(1727)
May 28 19:12:21 mxln133738 winbindd[17228]: Plain-text
authentication for user RES\magosanyi1a313 returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
May 28 19:12:21 mxln133738 winbindd[17222]: [2009/05/28 19:12:21, 2]
winbindd/winbindd.c:remove_client(744)
May 28 19:12:21 mxln133738 winbindd[17222]: final write to client
failed: Broken pipe
May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23, 1]
rpc_client/cli_pipe.c:rpc_pipe_destructor(2362)
May 28 19:12:23 mxln133738 winbindd[17252]: rpc_pipe_destructor:
cli_close failed on pipe host bindc01.res.hu.corp, pipe \NETLOGON,
fnum 0x4005. Error was SUCCESS - 0
May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(617)
May 28 19:12:23 mxln133738 winbindd[17252]: Doing kerberos session setup
May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23, 1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:23 mxln133738 winbindd[17252]: ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
May 28 19:12:23 mxln133738 winbindd[17252]:
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
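Added example, not part of the original post and not Samba code: a small Python triage helper for winbindd syslog output wrapped like the log above. It rejoins the wrapped lines, pairs each debug header with its message, and lists kinit failures whose principal still carries a domain prefix, which is the symptom reported in the post. The function names are illustrative and the sample is an excerpt of the post's own log.

```python
import re

# Excerpt of the winbindd syslog from the post, still wrapped the way the mail
# archive shows it (the archive also rewrote "@" as " at " in one principal).
SAMPLE = r"""
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 1]
libads/authdata.c:kerberos_return_pac(398)
May 28 19:12:21 mxln133738 winbindd[17228]: kinit failed for
'RES\magosanyi1a313 at RES.HU.CORP' with: Client not found in Kerberos
database (-1765328378)
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:21 mxln133738 winbindd[17228]: ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
"""

SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (\w+(?:\[\d+\])?):\s*(.*)$")
HEADER = re.compile(r"^\[[\d/]+ [\d:]+, +(\d+)\] *(\S*)$")
KINIT = re.compile(r"kinit failed for '(.+?)(?:@| at )(\S+?)' with: (.+)")

def parse(text):
    """Return (process, level, source_location, message) per winbindd event."""
    records = []                        # [process, unwrapped body]
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():  # continuation of a wrapped line
            records[-1][1] = (records[-1][1] + " " + line.strip()).strip()
    events, pending = [], {}
    for proc, body in records:          # a debug header precedes its message
        h = HEADER.match(body)
        if h:
            pending[proc] = (int(h.group(1)), h.group(2))
        elif proc in pending:
            events.append((proc, *pending.pop(proc), body))
    return events

def prefixed_principals(events, separators="\\+"):
    """kinit failures whose client name still carries a DOMAIN<sep> prefix."""
    found = (KINIT.search(msg) for *_, msg in events)
    return [m.groups() for m in found
            if m and any(sep in m.group(1) for sep in separators)]

if __name__ == "__main__":
    for principal, realm, error in prefixed_principals(parse(SAMPLE)):
        print(f"{principal}@{realm}: {error}")
```

The default `separators` covers the backslash seen in the log and the `+` configured as `winbind separator` in the posted smb.conf.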