[Samba] AD Auth Trusted Domain issues

Paul Lauss plauss at protocolgs.com
Thu Apr 1 07:55:34 MDT 2010


We have corrected the issues of "KID" not being native but this does not
seem to have helped.  We did however see this error in the Windows Event
Viewer at the point that I am trying to make the connection.  I am not
certain what it means that there are no logon servers available... 
Thoughts?

Event Type:        Warning
Event Source:    LSASRV
Event Category:                SPNEGO (Negotiator)
Event ID:              40960
Date:                     3/31/2010
Time:                     3:19:00 AM
User:                     N/A
Computer:          CHLDDC01
Description:
The Security System detected an authentication error for the server
ldap/chlddc01.kid.rdomain.prv.  The failure code from authentication
protocol Kerberos was "There are currently no logon servers available to
service the logon request.
 (0xc000005e)".
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..À   


On 3/30/2010 6:20 PM, devel at thom.fr.eu.org wrote:
> So, as I already told you, I'm not familiar with that kind of setup.
>
> From what I could see, the fact that domain KID is not in ADS native may be the problem as you've got security = ADS and that expects native mode.
>
> You should try to go back to the list to confirm that. Your setup does not seem to be that odd, I could read lots of people trying (successfully for most of them if I remember correctly) to accomplish that kind of things.
>
> Sorry to not be able to help you more.
>
> François
>
> -----Message d'origine-----
> De : Paul Lauss [mailto:plauss at protocolgs.com] 
> Envoyé : mardi 30 mars 2010 23:26
> À : devel at thom.fr.eu.org
> Objet : Fwd: Re: [Samba] AD Auth Trusted Domain issues
>
> This didn't seem to go through the listserv...
>
>
> I am so sorry, I was trying to stay fairly concise... Here is the whole log file I extracted.
>
> On 3/30/2010 1:56 PM, devel at thom.fr.eu.org wrote:
>   
>> Could you provide the part that you removed, I can see that winbind is trying to connect to chlddc01.kid.rdomain.prv for domain kid, but then you removed that part of the transaction, and we end up with some info returned from main domain dc.
>>
>> François
>>
>> -----Message d'origine-----
>> De : samba-bounces at lists.samba.org 
>> [mailto:samba-bounces at lists.samba.org] De la part de Paul Lauss Envoyé 
>> : mardi 30 mars 2010 20:23 À : samba at lists.samba.org Objet : Re: 
>> [Samba] AD Auth Trusted Domain issues
>>
>> The trust check succeeded... I have attached the pertinent logs... it looks like it is timing out... I am not sure why though.  The link should be a little slower but it shouldn't be terrible, it is a 2Mb pipe.
>>
>> mailtestbed:~# wbinfo -t
>> checking the trust secret via RPC calls succeeded
>>
>> On 3/30/2010 9:47 AM, François Legal wrote:
>>   
>>     
>>> I'm not sure to 100% understand what you mean (it's been a long time 
>>> since I last used an AD server with SFU).
>>> However, next step now will be to increase winbindd debug level while 
>>> issuing the wbinfo -i command, and see what fails there.
>>>
>>> Try first an wbinfo -t, then if it succeeds, increase winbindd verbosity.
>>>
>>> François
>>>
>>> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss 
>>> <plauss at protocolgs.com>
>>> wrote:
>>>   
>>>     
>>>       
>>>> Hello,
>>>> Thank you so much for your reply!  We are using AD 2003 R2 on both 
>>>> the domain and the child domain.  I am using 10000-29999 for IDs on 
>>>> the main domain (RDOMAIN) and 30000-100000 on the child domain (KID).
>>>> Interestingly, in the Unix tab (in AD Users and Computers for any
>>>> object) under "NIS Domain" on any of the RDOMAIN servers we get the 
>>>> pulldown option "RDOMAIN" but on the Trusted domains server the only 
>>>> option is "KID".  I'm not sure if that is expected or would affect 
>>>> this but I can't seem to get the RDOMAIN option in the KID Trusted domain.
>>>>
>>>> Thanks,
>>>> -Paul
>>>>
>>>> On 3/30/2010 2:27 AM, François Legal wrote:
>>>>     
>>>>       
>>>>         
>>>>> Hello,
>>>>>
>>>>> I'm not familiar with this kind of setup, but I wonder whether or 
>>>>> not
>>>>>       
>>>>>         
>>>>>           
>>> the
>>>   
>>>     
>>>       
>>>>> KID domain has the SFU schema extensions setup for idmapping (see 
>>>>> idmap backend = ad) and if porperly setup, check that the defined 
>>>>> uid/gid for that domain fall in the idmap uid range
>>>>>
>>>>> François
>>>>>
>>>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss 
>>>>> <plauss at protocolgs.com>
>>>>> wrote:
>>>>>   
>>>>>       
>>>>>         
>>>>>           
>>>>>> I have been killing myself on this issue over the last 2 weeks.  I
>>>>>>         
>>>>>>           
>>>>>>             
>>> have
>>>   
>>>     
>>>       
>>>>>> setup pam AD authentication using winbind on our companies email 
>>>>>> servers.  That part is currently working.  I have been trying to 
>>>>>> add
>>>>>>         
>>>>>>           
>>>>>>             
>>> an
>>>   
>>>     
>>>       
>>>>>> existing "Trusted" child domain and allow authentication from that 
>>>>>> domain as well.  I am part of the way there, but not quite to the 
>>>>>> functional point as of yet.  Our primary domain is rdomainprv or 
>>>>>> rdomain.prv and the child domain is kid.rdomain.prv.  Below is 
>>>>>> what I
>>>>>>         
>>>>>>           
>>>>>>             
>>> am
>>>   
>>>     
>>>       
>>>>>> seeing, followed by my configs.  Also, we had to open ports 88, 
>>>>>> 139
>>>>>>         
>>>>>>           
>>>>>>             
>>> and
>>>   
>>>     
>>>       
>>>>>> 389 (I believe those are the correct ports, though the networking 
>>>>>> guys opened them) from the email/winbind server to the child 
>>>>>> domain, at the firewall.  Any help would be very much appreciated!
>>>>>>
>>>>>> mailtestbed:~# wbinfo --all-domains BUILTIN MAILTESTBED RDOMAINPRV 
>>>>>> KID
>>>>>>
>>>>>> mailtestbed:~# wbinfo -u | grep testuser KID\testuser
>>>>>>
>>>>>> mailtestbed:~# wbinfo -a KID\\testuser%password plaintext password 
>>>>>> authentication succeeded challenge/response password 
>>>>>> authentication succeeded
>>>>>>
>>>>>> Here is where it's falling apart:
>>>>>> mailtestbed:~# wbinfo -i KID\\testuser Could not get info for user 
>>>>>> KID\testuser
>>>>>>
>>>>>> mailtestbed:~# id KID\\testuser
>>>>>> id: KID\testuser: No such user
>>>>>>
>>>>>> mailtestbed:~# id testuser
>>>>>> id: testuser: No such user
>>>>>>
>>>>>> mailtestbed:~# getent passwd KID\\testuser mailtestbed:~#
>>>>>>
>>>>>> mailtestbed:~# getent passwd testuser mailtestbed:~#
>>>>>>
>>>>>> mailtestbed:~# id RDOMAINPRV\\testmer
>>>>>> uid=10001(testmer) gid=10001 groups=999(users)
>>>>>>
>>>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer 
>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>>>
>>>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer 
>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>>>
>>>>>> Versions (Debian Lenny)
>>>>>> samba    2:3.2.5-4lenny9
>>>>>> winbind  2:3.2.5-4lenny9
>>>>>>
>>>>>> smb.conf
>>>>>> [global]
>>>>>>    workgroup = RDOMAINPRV
>>>>>>    realm = RDOMAIN.PRV
>>>>>>    server string = %h server
>>>>>>    dns proxy = no
>>>>>>    name resolve order = lmhosts host wins bcast
>>>>>>    log file = /var/log/samba/log.%m
>>>>>>    max log size = 1000
>>>>>>    syslog = 0
>>>>>>    panic action = /usr/share/samba/panic-action %d
>>>>>>    security = ADS
>>>>>>    encrypt passwords = yes
>>>>>>    passdb backend = tdbsam
>>>>>>    obey pam restrictions = yes
>>>>>>    unix password sync = yes
>>>>>>    passwd program = /usr/bin/passwd %u
>>>>>>    passwd chat = *Enter\snew\s*\spassword:* %n\n
>>>>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>>>    pam password change = yes
>>>>>>    allow trusted domains = yes
>>>>>>    winbind trusted domains only = no
>>>>>>    idmap backend = ad
>>>>>>    idmap uid = 10000-1000000
>>>>>>    idmap gid = 10000-1000000
>>>>>>    template homedir = /home/%U
>>>>>>    winbind use default domain = yes
>>>>>>    winbind nss info = rfc2307
>>>>>>    winbind nested groups = yes
>>>>>>    client use spnego = yes
>>>>>>    client ntlmv2 auth = yes
>>>>>>    restrict anonymous = 2
>>>>>>    winbind enum groups = no
>>>>>>    winbind enum users = no
>>>>>>         
>>>>>>           
>>>>>>             
>>>>     
>>>>       
>>>>         
>>>>>>    winbind cache time = 30
>>>>>>
>>>>>> krb5.conf
>>>>>> [libdefaults]
>>>>>>         default_realm = RDOMAIN.PRV
>>>>>>         krb4_config = /etc/krb.conf
>>>>>>         krb4_realms = /etc/krb.realms
>>>>>>         kdc_timesync = 1
>>>>>>         ccache_type = 4
>>>>>>         forwardable = true
>>>>>>         proxiable = true
>>>>>>         default_tgs_enctypes = aes256-cts arcfour-hmac-md5
>>>>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>         default_tkt_enctypes = aes256-cts arcfour-hmac-md5
>>>>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>         permitted_enctypes = aes256-cts arcfour-hmac-md5
>>>>>>         
>>>>>>           
>>>>>>             
>>> des3-hmac-sha1
>>>   
>>>     
>>>       
>>>>>> des-cbc-crc des-cbc-md5
>>>>>>         v4_instance_resolve = false
>>>>>>         v4_name_convert = {
>>>>>>                 host = {
>>>>>>                         rcmd = host
>>>>>>                         ftp = ftp
>>>>>>                 }
>>>>>>                 plain = {
>>>>>>                         something = something-else
>>>>>>                 }
>>>>>>         }
>>>>>>         fcc-mit-ticketflags = true [realms]
>>>>>>         RDOMAIN.PRV = {
>>>>>>                 default_domain = RDOMAIN.PRV
>>>>>>                 master_kdc = dc02.rdomain.prv
>>>>>>                 admin_server = dc02.rdomain.prv
>>>>>>                 kdc = aurad.rdomain.prv
>>>>>>                 kdc = addc01.rdomain.prv
>>>>>>                 kdc = addc02.rdomain.prv
>>>>>>                 kdc = addc03.rdomain.prv
>>>>>>                 #kdc = addc04.rdomain.prv
>>>>>>                 kdc = addc05.rdomain.prv
>>>>>>                 kdc = chlddc01.kid.rdomain.prv
>>>>>>         }
>>>>>>         KID.RDOMAIN.PRV = {
>>>>>>                 default_domain = KID.RDOMAIN.PRV
>>>>>>                 kdc = chlddc01.kid.rdomain.prv
>>>>>>                master_kdc = addc02.rdomain.prv
>>>>>>                 admin_server = addc02.rdomain.prv
>>>>>>                 kdc = addc01.rdomain.prv
>>>>>>                 kdc = addc02.rdomain.prv
>>>>>>         }
>>>>>> [domain_realm]
>>>>>>         .rdomain.prv = RDOMAIN.PRV
>>>>>>         rdomain.prv = RDOMAIN.PRV
>>>>>>         .kid.rdomain.prv = KID.RDOMAIN.PRV
>>>>>>         kid.rdomain.prv = KID.RDOMAIN.PRV [kdc]  profile = 
>>>>>> /var/kerberos/krb5kdc/kdc.conf [appdefaults]  pam = {
>>>>>>    debug = false
>>>>>>    ticket_lifetime = 36000
>>>>>>    renew_lifetime = 36000
>>>>>>    forwardable = true
>>>>>>    krb4_convert = false
>>>>>>    validate = true
>>>>>>  }
>>>>>> [login]
>>>>>>         krb4_convert = true
>>>>>>         krb4_get_tickets = false
>>>>>>
>>>>>>         
>>>>>>           
>>>>>>             
>>   
>>     
>
>
>   


More information about the samba mailing list