[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

Jonathan Petersson jpetersson at garnser.se
Wed Sep 23 17:30:01 MDT 2009


Also, looking further at this, shouldn't winbind use the realm rather
than the workgroup for this?

Thanks

/Jonathan

On Wed, Sep 23, 2009 at 11:04 AM, Jonathan Petersson
<jpetersson at garnser.se> wrote:
> Hi all,
>
> I've been working on getting Samba to authenticate via ADS for the
> past few weeks with some lack of success. I had somewhat of a
> breakthrough the other day, realizing that the problem was related to
> the Kerberos authentication between Samba and the Win 2008 R2 AD
> server. Trying to fix this, I generated a keytab with ktpass, which I
> uploaded to the server.
>
> I've been successful in joining the server to the domain, and wbinfo and
> kinit respond as one wants them to, but upon samba and winbind
> starting I'm seeing the following in the logs, which I'm guessing is
> the cause of my being unable to authenticate any users:
>
> log.wb-PRESIDIO
>  ads_krb5_mk_req: krb5_get_credentials failed for pdc$@PRESIDIO
> (Cannot find KDC for requested realm)
> [2009/09/23 10:54:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> find KDC for requested realm
> [2009/09/23 10:54:31,  0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(494)
>  cli_pipe_verify_schannel: auth_len 56.
>
> log.winbindd
> [2009/09/23 10:54:30,  0]
> winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
>  initialize_winbindd_cache: clearing cache and re-creating with
> version number 1
> [2009/09/23 10:54:31,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>  ads_krb5_mk_req: krb5_get_credentials failed for pdc$@PRESIDIO
> (Cannot find KDC for requested realm)
> [2009/09/23 10:54:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> find KDC for requested realm
> [2009/09/23 10:54:31,  1] winbindd/winbindd_util.c:trustdom_recv(303)
>  Could not receive trustdoms
>
> As it seems, the server tries to authenticate as pdc$ rather than
> presidio3$, which is the hostname of the server and the name it's
> registered as. What could the cause of this be?
>
> smb.conf:
>   workgroup = PRESIDIO
>   password server = pdc.domain.com
>   realm = DOMAIN.COM
>   security = ads
>   idmap uid = 8000-33554431
>   idmap gid = 8000-33554431
>   winbind separator = +
>   template shell = /bin/bash
>   winbind use default domain = yes
>   winbind offline logon = false
> ...
>        server string = presidio3
>
>        netbios name = presidio3
>
> Please advise.
>
> Thanks
>
> /Jonathan
>

