[Samba] Nobody can log on from a trusted domain, EXCEPT my own account
Diego Zuccato
diego.zuccato at unibo.it
Thu Feb 25 09:08:01 MST 2010
Hello.
The one of "strange problems" is here again.
This time it's even stranger.
I've set up a lab based on Mandriva 2010.0. I use winbind for
authentication. I just installed ONE machine, then cloned it on the
others, changing IP, name, and rejoining.
We have two main domains (PERSONALE and STUDENTI). Machines have to be
joined to PERSONALE, but the majority of users are students (accounts in
STUDENTI).
Well, on SOME machines, it works well. On others I can log on with my
student account, but other students can't.
The student account I use is NOT the one I used to join 'em, so it
shouldn't be cached.
If I request an "ls -l" of /home/STUDENTI/ I see that the ONLY UID that
gets resolved is my own (STUDENTI\diego.zuccato2) while the others are
numeric. With that account I can log on, too.
I installed samba-winbind-3.4.3-2mdv2010.0 on all the machines. AD is
hosted on Windows servers outside of my control, but it should be in
"native mode".
I already tried to rejoin the misbehaving machines, with no luck.
When another student tries to log in, I can see this message in
log.winbindd (if I run it with -d 10):
ads_sasl_spnego_bind: got server principal name = edge$@STUDENTI.DIR.UNIBO.IT
ads_krb5_mk_req: krb5_get_credentials failed for edge$@STUDENTI.DIR.UNIBO.IT (Cannot find KDC for requested realm)
ads_sasl_spnego_krb5_bind failed with: Cannot find KDC for requested realm, calling kinit
kerberos_kinit_password: as STR00160-11-13$@PERSONALE.DIR.UNIBO.IT using [MEMORY:winbind_ccache] as ccache and config [(null)]
ads_krb5_mk_req: krb5_get_credentials failed for edge$@STUDENTI.DIR.UNIBO.IT (Cannot find KDC for requested realm)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot find KDC for requested realm
ads_connect for domain STUDENTI failed: Cannot find KDC for requested realm
refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL
store_cache_seqnum: success [STUDENTI][4294967295 @ 1267108652]
refresh_sequence_number: STUDENTI seq number is now -1
error getting user info for sid S-1-5-21-790525478-1035525444-682003330-????????
Storing response for pid 3622, len 3496
s3_event: Destroying timer event 0xb8128398 "async_request_timeout_handler"
Retrieving response for pid 3622
query_user returned an error
Could not query domain STUDENTI SID S-1-5-21-790525478-1035525444-682003330-???????
Does it ring a bell for anyone?
Tks!
--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zuccato at unibo.it
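
Added example, not part of the original post and not Samba project code: a small triage script that reads a log.winbindd excerpt like the one above and reports which Kerberos realms had no locatable KDC, and whether the machine account's own realm is among them. The function name summarize and the result keys are hypothetical; the sample input is the log text quoted in the post.

```python
import re
from collections import Counter

# Sample input: the log.winbindd lines quoted in the post, hard-wrapped the
# way mail clients wrap them (the parser has to tolerate that).
SAMPLE_LOG = """\
ads_sasl_spnego_bind: got server principal name =
edge$@STUDENTI.DIR.UNIBO.IT
ads_krb5_mk_req: krb5_get_credentials failed for
edge$@STUDENTI.DIR.UNIBO.IT (Cannot find KDC for requested realm)
ads_sasl_spnego_krb5_bind failed with: Cannot find KDC for requested
realm, calling kinit
kerberos_kinit_password: as STR00160-11-13$@PERSONALE.DIR.UNIBO.IT using
[MEMORY:winbind_ccache] as ccache and config [(null)]
ads_krb5_mk_req: krb5_get_credentials failed for
edge$@STUDENTI.DIR.UNIBO.IT (Cannot find KDC for requested realm)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot find KDC
for requested realm
ads_connect for domain STUDENTI failed: Cannot find KDC for requested realm
"""

# Patterns match the message formats visible in the excerpt above.
CRED_FAIL = re.compile(r"krb5_get_credentials failed for \S+@(\S+) \(([^)]*)\)")
KINIT_AS = re.compile(r"kerberos_kinit_password: as \S+@(\S+) using")
ADS_FAIL = re.compile(r"ads_connect for domain (\S+) failed")


def summarize(log_text):
    """Summarize Kerberos realm failures in a winbindd debug log excerpt."""
    flat = " ".join(log_text.split())  # undo line wrapping
    own = sorted(set(KINIT_AS.findall(flat)))  # realm(s) of the machine account
    failed = Counter(realm for realm, err in CRED_FAIL.findall(flat)
                     if "Cannot find KDC" in err)
    return {
        "machine_realms": own,
        "kinit_succeeded": "kinit succeeded" in flat,
        "no_kdc_realms": dict(failed),
        # Realms with no KDC found that are not the machine's own realm.
        "foreign_no_kdc": sorted(r for r in failed if r not in own),
        "failed_domains": sorted(set(ADS_FAIL.findall(flat))),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On this excerpt the summary separates the two realms: kinit as the machine account in PERSONALE.DIR.UNIBO.IT succeeds, while every ticket request for STUDENTI.DIR.UNIBO.IT fails at KDC lookup.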