[Samba] wbinfo -K not working

Árpád Magosányi magwas at rabic.org
Thu May 28 17:13:16 GMT 2009 

Dear List!

I have the problem described at
http://lists.samba.org/archive/samba/2008-February/138451.html
It is materialized after an upgrade of samba/winbind. Everything was working
before.
I could not find the solution neither on the net, nor from people originally
having the problem, so here I am.
This problem is a showstopper for me. (I can login by changing pam_winbind
to pam_krb5, but this does not cache credentials, so I cannot work at home.)

Additional informations I figured out:
- According to wireshark, winbind (wbinfo -K) tries to authenticate the
principal 'RESmagosanyi1a313' instead of 'magosanyi1a313'
- There are logs saying "Cannot resolve network address for KDC in requested
realm" and "Could not receive trustdoms", which may or may not related to
the problem. (see detailed logs below)

original problem:

Works:
  kinit
  wbinfo -u
  wbinfo -g
  wbinfo -t
Fails:
root at mxln133738# wbinfo -K magosanyi1a313
Enter magosanyi1a313's password:
plaintext kerberos password authentication for [magosanyi1a313] failed
(requesting cctype: FILE)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [magosanyi1a313] with Kerberos (ccache: FILE)

smb.conf:
[global]
 client signing = yes
 client schannel = no
 client use spnego = yes
 client lanman auth = no
 client NTLMv2 auth = yes
 client plaintext auth = no

# idmap domains = RES
# idmap config RES:backend = ad
# idmap config RES:default = yes
# idmap config RES:schema_mode = rfc2307
# idmap config RES:range = 1000 - 300000000


#  dns_lookup_kdc = false
   workgroup = RES
   realm = RES.HU.CORP
   preferred master = no
   security = ADS
   encrypt passwords = true
   syslog only = yes
   syslog = 3
   log level = 3
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   winbind refresh tickets = true
   winbind offline logon = yes
   winbind cache time = 300
   winbind normalize names = yes
   winbind offline logon = yes
   use kerberos keytab = Yes
   idmap uid = 3000-20000
   idmap gid = 3000-20000
   #idmap backend = idmap_rid:RES=3000-20000
   ;template primary group = "Domain Users"
   template shell = /bin/bash

winbind version:
magosanyi1a313 at mxln133738$ dpkg -l winbind
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                           Version                        Description
+++-==============================-==============================-============================================================================
ii  winbind                        2:3.3.2-1ubuntu3
Samba nameservice integration server

May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53,  2]
lib/tallocmsg.c:register_msg_pool_usage(106)
May 28 19:11:53 mxln133738 winbindd[17221]:   Registered MSG_REQ_POOL_USAGE
May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53,  2]
lib/dmallocmsg.c:register_dmalloc_msgs(77)
May 28 19:11:53 mxln133738 winbindd[17221]:   Registered
MSG_REQ_DMALLOC_MARK and LOG_CHANGED
May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53,  2]
lib/interface.c:add_interface(340)
May 28 19:11:53 mxln133738 winbindd[17221]:   added interface eth0
ip=10.3.125.42 bcast=10.3.127.255 netmask=255.255.248.0
May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53,  2]
lib/interface.c:add_interface(340)
May 28 19:11:53 mxln133738 winbindd[17221]:   added interface eth0
ip=10.3.125.42 bcast=10.3.127.255 netmask=255.255.248.0
May 28 19:11:54 mxln133738 winbindd[17222]: [2009/05/28 19:11:54,  1]
lib/util_tdb.c:tdb_validate_and_backup(1426)
May 28 19:11:54 mxln133738 winbindd[17222]:   tdb
'/var/cache/samba/winbindd_cache.tdb' is valid
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07,  1]
lib/util_tdb.c:tdb_validate_and_backup(1436)
May 28 19:12:07 mxln133738 winbindd[17222]:   Created backup
'/var/cache/samba/winbindd_cache.tdb.bak' of tdb
'/var/cache/samba/winbindd_cache.tdb'
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07,  2]
winbindd/winbindd_util.c:add_trusted_domain(235)
May 28 19:12:07 mxln133738 winbindd[17222]:   Added domain BUILTIN  S-1-5-32
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07,  2]
winbindd/winbindd_util.c:add_trusted_domain(235)
May 28 19:12:07 mxln133738 winbindd[17222]:   Added domain MXLN133738
S-1-5-21-283202338-3230163293-2318106275
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07,  2]
winbindd/winbindd_util.c:add_trusted_domain(235)
May 28 19:12:07 mxln133738 winbindd[17222]:   Added domain RES
RES.HU.CORP S-1-5-21-698458317-4263495693-249106618
May 28 19:12:07 mxln133738 winbindd[17228]: [2009/05/28 19:12:07,  2]
libsmb/cliconnect.c:cli_session_setup_kerberos(617)
May 28 19:12:07 mxln133738 winbindd[17228]:   Doing kerberos session setup
May 28 19:12:07 mxln133738 winbindd[17228]: [2009/05/28 19:12:07,  1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:07 mxln133738 winbindd[17228]:   ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
May 28 19:12:07 mxln133738 winbindd[17228]: [2009/05/28 19:12:07,  1]
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
May 28 19:12:07 mxln133738 winbindd[17228]:
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07,  2]
libsmb/cliconnect.c:cli_session_setup_kerberos(617)
May 28 19:12:07 mxln133738 winbindd[17222]:   Doing kerberos session setup
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07,  1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:07 mxln133738 winbindd[17222]:   ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07,  1]
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
May 28 19:12:07 mxln133738 winbindd[17222]:
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07,  2]
winbindd/winbindd_util.c:add_trusted_domain(235)
May 28 19:12:07 mxln133738 winbindd[17222]:   Added domain HU hu.corp
S-1-5-21-432019103-1439757928-1114753422
May 28 19:12:08 mxln133738 winbindd[17237]: [2009/05/28 19:12:08,  2]
libsmb/cliconnect.c:cli_session_setup_kerberos(617)
May 28 19:12:08 mxln133738 winbindd[17237]:   Doing kerberos session setup
May 28 19:12:08 mxln133738 winbindd[17237]: [2009/05/28 19:12:08,  1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:08 mxln133738 winbindd[17237]:   ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
May 28 19:12:08 mxln133738 winbindd[17237]: [2009/05/28 19:12:08,  1]
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
May 28 19:12:08 mxln133738 winbindd[17237]:
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
May 28 19:12:08 mxln133738 winbindd[17222]: [2009/05/28 19:12:08,  2]
winbindd/winbindd.c:remove_client(744)
May 28 19:12:08 mxln133738 winbindd[17222]:   final write to client
failed: Broken pipe
May 28 19:12:09 mxln133738 winbindd[17222]: [2009/05/28 19:12:09,  2]
winbindd/winbindd.c:remove_client(744)
May 28 19:12:09 mxln133738 winbindd[17222]:   final write to client
failed: Broken pipe
May 28 19:12:18 mxln133738 wbinfo: [2009/05/28 19:12:18,  2]
lib/interface.c:add_interface(340)
May 28 19:12:18 mxln133738 wbinfo:   added interface eth0
ip=10.3.125.42 bcast=10.3.127.255 netmask=255.255.248.0
May 28 19:12:18 mxln133738 winbindd[17222]: [2009/05/28 19:12:18,  1]
winbindd/winbindd_util.c:trustdom_recv(303)
May 28 19:12:18 mxln133738 winbindd[17222]:   Could not receive trustdoms
May 28 19:12:21 mxln133738 winbindd[17222]: [2009/05/28 19:12:21,  2]
winbindd/winbindd.c:remove_client(744)
May 28 19:12:21 mxln133738 winbindd[17222]:   final write to client
failed: Broken pipe
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21,  1]
libads/kerberos.c:smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(159)
May 28 19:12:21 mxln133738 winbindd[17228]:   no krb5_error
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21,  1]
libads/authdata.c:kerberos_return_pac(398)
May 28 19:12:21 mxln133738 winbindd[17228]:   kinit failed for
'RES\magosanyi1a313 at RES.HU.CORP' with: Client not found in Kerberos
database (-1765328378)
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21,  2]
libsmb/cliconnect.c:cli_session_setup_kerberos(617)
May 28 19:12:21 mxln133738 winbindd[17228]:   Doing kerberos session setup
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21,  1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:21 mxln133738 winbindd[17228]:   ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21,  1]
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
May 28 19:12:21 mxln133738 winbindd[17228]:
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21,  2]
winbindd/winbindd_pam.c:winbindd_dual_pam_auth(1727)
May 28 19:12:21 mxln133738 winbindd[17228]:   Plain-text
authentication for user RES\magosanyi1a313 returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
May 28 19:12:21 mxln133738 winbindd[17222]: [2009/05/28 19:12:21,  2]
winbindd/winbindd.c:remove_client(744)
May 28 19:12:21 mxln133738 winbindd[17222]:   final write to client
failed: Broken pipe
May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23,  1]
rpc_client/cli_pipe.c:rpc_pipe_destructor(2362)
May 28 19:12:23 mxln133738 winbindd[17252]:   rpc_pipe_destructor:
cli_close failed on pipe host bindc01.res.hu.corp, pipe \NETLOGON,
fnum 0x4005. Error was SUCCESS - 0
May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23,  2]
libsmb/cliconnect.c:cli_session_setup_kerberos(617)
May 28 19:12:23 mxln133738 winbindd[17252]:   Doing kerberos session setup
May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23,  1]
libsmb/clikrb5.c:ads_krb5_mk_req(686)
May 28 19:12:23 mxln133738 winbindd[17252]:   ads_krb5_mk_req:
krb5_get_credentials failed for bindc01$@RES (Cannot resolve network
address for KDC in requested realm)
May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23,  1]
libsmb/cliconnect.c:cli_session_setup_kerberos(624)
May 28 19:12:23 mxln133738 winbindd[17252]:
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm

More information about the samba mailing list