[Samba] winbind doing dns on short domain
Jim Kusznir
jkusznir at gmail.com
Wed Mar 10 19:19:56 MST 2010
Hi all:
I'm building an authentication infrastructure for combined windows
plus linux clients. To that end, I have a Win Server 2008r2 ADS and a
win svr 2008r2 client, and an ubuntu 9.10 client running the default
samba + winbind (whatever is in their production repos).
I had it 95% working this morning... Then all of a sudden, all winbind
queries died. No idea why. I spent the entire day debugging it, and
I finally found out what it's doing: its DNS requests for the
_kerberos... hosts are using the short domain, not the fqdn:
16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV?
_kerberos._tcp.CASAS. (38)
(domain is CASAS.WSU.EDU). I can do a DNS lookup with the fqdn, and
it works fine, but the short name definitely does NOT work. I've even
modified /etc/resolv.conf to directly query the windows dns server
that is serving up casas.wsu.edu (which the normal production dns
server is set to delegate to). DNS queries for any of the magic
entries in proper form do work (with the exception of reverse resolution
of the linux host itself -- it returns a different domain name when
querying the correct servers).
I've gone through both /etc/krb5.conf and smb.conf; there are now NO
occurrences of the short domain name in there. (I even changed
"workgroup" in smb.conf to the fqdn, as that was the last remaining
occurrence.) Keep in mind that winbind was working fine with no edits
to either file yesterday and early this morning, and no changes had
occurred anywhere on that line... all I did was tweak pam files to try
and correct a different problem.
Here are my config files:
------ smb.conf ------
[global]
workgroup = CASAS.WSU.EDU
server string = %h Ubuntu Termserver
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
realm = CASAS.WSU.EDU
password server = 192.168.3.16
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = rid:CASAS.WSU.EDU=10000-20000
allow trusted domains = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
------------------------
/etc/krb5.conf
------------------------
[libdefaults]
default_realm = CASAS.WSU.EDU
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
CASAS.WSU.EDU = {
kdc = ad1.casas.wsu.edu:88
admin_server = ad1.casas.wsu.edu
default_domain = casas.wsu.edu
}
[domain_realm]
.casas.wsu.edu = CASAS.WSU.EDU
casas.wsu.edu = CASAS.WSU.EDU
[login]
krb4_convert = true
krb4_get_tickets = false
-------------------------
And here's a tcpdump done filtering on port 53 during a winbind restart:
-------------------------
16:03:37.399967 IP 192.168.3.11.49438 > 192.168.3.16.53: 3748+ A?
AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.49438: 3748* 1/0/0 A[|domain]
16:03:37.399967 IP 192.168.3.11.43851 > 192.168.3.16.53: 27311+ A?
AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.43851: 27311* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.40739 > 192.168.3.16.53: 46827+ A?
ad1.casas.wsu.edu. (35)
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.40739: 46827* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.54465 > 192.168.3.16.53: 44669+[|domain]
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.54465: 44669
NXDomain*[|domain]
16:03:37.429967 IP 192.168.3.11.57928 > 192.168.3.16.53: 58938+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.57928: 58938
NXDomain*[|domain]
16:03:37.439967 IP 192.168.3.11.45449 > 192.168.3.16.53: 58085+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.45449: 58085
NXDomain*[|domain]
16:03:37.439967 IP 192.168.3.11.58599 > 192.168.3.16.53: 64069+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.58599: 64069
NXDomain*[|domain]
16:03:37.449967 IP 192.168.3.11.35620 > 192.168.3.16.53: 52173+ A?
ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.35620: 52173* 1/0/0 A[|domain]
16:03:37.449967 IP 192.168.3.11.58933 > 192.168.3.16.53: 27556+ A?
ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.58933: 27556* 1/0/0 A[|domain]
16:03:37.449967 IP 192.168.3.11.36892 > 192.168.3.16.53: 12188+[|domain]
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.36892: 12188
NXDomain*[|domain]
16:03:37.459967 IP 192.168.3.11.59294 > 192.168.3.16.53: 12121+ A?
ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.59294: 12121* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.59240 > 192.168.3.16.53: 54066+ A?
ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.59240: 54066* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.56838 > 192.168.3.16.53: 48561+[|domain]
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.56838: 48561
NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.55189 > 192.168.3.16.53: 33246+ A?
ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.55189: 33246* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.52539 > 192.168.3.16.53: 19873+ A?
ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.52539: 19873* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.38806 > 192.168.3.16.53: 15173+[|domain]
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.38806: 15173
NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.39860 > 192.168.3.16.53: 19200+ SRV?
_kerberos._udp.CASAS. (38)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.39860: 19200
NXDomain 0/1/0 (113)
16:03:37.469967 IP 192.168.3.11.40215 > 192.168.3.16.53: 12115+ SRV?
_kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.40215: 12115
NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.42234 > 192.168.3.16.53: 2986+ A?
ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.42234: 2986* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.53553 > 192.168.3.16.53: 13263+ A?
ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.53553: 13263* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.49456 > 192.168.3.16.53: 38656+[|domain]
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.49456: 38656
NXDomain*[|domain]
16:03:37.479967 IP 192.168.3.11.56202 > 192.168.3.16.53: 7957+ SRV?
_kerberos._udp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.56202: 7957 NXDomain
0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV?
_kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.38775: 44000
NXDomain 0/1/0 (113)
--------------------
Here's a chunk from the winbindd log:
--------------------
[2010/03/10 16:04:22, 0] winbindd/winbindd.c:190(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=1)
[2010/03/10 16:04:24, 0] winbindd/winbindd.c:1244(main)
winbindd version 3.4.0 started.
Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/03/10 16:04:24, 0]
winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with
version number 1
[2010/03/10 16:04:24, 0] winbindd/winbindd_util.c:782(init_domain_list)
Could not fetch our SID - did we join?
[2010/03/10 16:04:24, 0] winbindd/winbindd.c:1385(main)
unable to initialize domain list
-----------------------
Where is the problem / how do I fix this?
Thanks!
--Jim
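The capture above shows the symptom (SRV lookups for _kerberos under the single label CASAS. answered NXDomain) side by side with healthy A lookups for the FQDN. The script below is an added example, not part of the post or of Samba: it reads tcpdump port-53 output of the form shown, pairs each SRV query with its reply by transaction id, and flags queries whose domain part is a single label. The sample lines are rebuilt from the post's capture with each record on one line; the final FQDN lookup is constructed for contrast and does not appear in the post.

```python
import re

# Query record: "<ts> IP <client>.<port> > <dns>.53: <id>+ <TYPE>? <name> (<len>)"
QUERY_RE = re.compile(
    r"^\S+ IP [\d.]+\.\d+ > [\d.]+\.53: (?P<id>\d+)\+ (?P<qtype>[A-Z]+)\? "
    r"(?P<name>\S+) \(\d+\)$"
)
# Reply record: "<ts> IP <dns>.53 > <client>.<port>: <id>[*] [NXDomain] a/b/c ..."
REPLY_RE = re.compile(
    r"^\S+ IP [\d.]+\.53 > [\d.]+\.\d+: (?P<id>\d+)\*?\s*"
    r"(?P<rcode>NXDomain|ServFail|Refused)?"
)

def domain_part(name):
    """Labels after the last underscore label: _kerberos._tcp.CASAS. -> ['CASAS'].
    Also handles _ldap._tcp.dc._msdcs.<domain> (last '_' label is _msdcs)."""
    labels = [l for l in name.split(".") if l]
    last = max((i for i, l in enumerate(labels) if l.startswith("_")), default=-1)
    return labels[last + 1:]

def analyze(lines):
    """Return one finding per SRV query: its domain part, whether that part is a
    single (short) label, and the rcode of the matching reply (NoError if none given)."""
    replies = {}
    for line in lines:
        m = REPLY_RE.match(line)
        if m:
            replies[m.group("id")] = m.group("rcode") or "NoError"
    findings = []
    for line in lines:
        m = QUERY_RE.match(line)
        if not m or m.group("qtype") != "SRV":
            continue
        dom = domain_part(m.group("name"))
        findings.append({"id": m.group("id"), "name": m.group("name"),
                         "domain": ".".join(dom), "single_label": len(dom) < 2,
                         "rcode": replies.get(m.group("id"), "no reply")})
    return findings

def short_domain_queries(lines):
    """Names of SRV queries sent for a single-label domain (the bug in the post)."""
    return [f["name"] for f in analyze(lines) if f["single_label"]]

SAMPLE = [  # constructed: records from the post's capture, one per line
    "16:03:37.469967 IP 192.168.3.11.52539 > 192.168.3.16.53: 19873+ A? ad1.casas.wsu.edu. (35)",
    "16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.52539: 19873* 1/0/0 A[|domain]",
    "16:03:37.469967 IP 192.168.3.11.39860 > 192.168.3.16.53: 19200+ SRV? _kerberos._udp.CASAS. (38)",
    "16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.39860: 19200 NXDomain 0/1/0 (113)",
    "16:03:37.469967 IP 192.168.3.11.40215 > 192.168.3.16.53: 12115+ SRV? _kerberos._tcp.CASAS. (38)",
    "16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.40215: 12115 NXDomain 0/1/0 (113)",
    # constructed healthy FQDN lookup for contrast (not in the post)
    "16:03:38.000000 IP 192.168.3.11.41000 > 192.168.3.16.53: 555+ SRV? _kerberos._tcp.CASAS.WSU.EDU. (46)",
    "16:03:38.000000 IP 192.168.3.16.53 > 192.168.3.11.41000: 555* 1/0/0 SRV[|domain]",
]
```

Run it over `tcpdump -n -l port 53` output piped through `tr` to join wrapped lines, and any name listed by `short_domain_queries` points at a component still resolving the realm by its NetBIOS-style short name.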