[Samba] s3 winbind losing kerberos ticket

Taylor, Jonn jonnt at taylortelephone.com
Mon May 2 11:14:41 MDT 2011


I have 2 CentOS 5.6 x86_64 servers configured with samba 3.5.4,
CTDB, GFS and DRBD in an active/active cluster. After some time winbind
loses the ticket. After this I have to do a net ads join on the server
to get things going. The main DC is a Windows 2003 server with SP2. I do
have 2 more samba 4 DCs that I use for backup authentication only; they
run on Debian 6 as VMs. Not sure if they could be causing a
problem or not.

This is what I am seeing in the logs.

winbindd/winbindd_util.c:289(trustdom_recv)  Could not receive trustdoms : 240 Time(s)

And

[root at pdc ~]# wbinfo -t
checking the trust secret for domain TAYLORTELEPHONE via RPC calls failed
Could not check secret
[root at pdc ~]# wbinfo -a someuser%password
plaintext password authentication failed
Could not authenticate user someuser%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user someuser with challenge/response

[root at pdc ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at TAYLORTELEPHONE.COM

Valid starting     Expires            Service principal
04/28/11 09:23:18  04/28/11 09:23:22 
krbtgt/TAYLORTELEPHONE.COM at TAYLORTELEPHONE.COM
    renew until 04/28/11 09:23:22, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


And then if I do

[root at pdc ~]# net ads join -Uadministrator%password
Using short domain name -- TAYLORTELEPHONE
Joined 'PDC' to realm 'taylortelephone.com'
DNS update failed!
[root at pdc ~]# wbinfo -a someuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

everything works again for a while.

samba3x-common-3.5.4-0.70.el5_6.1
samba3x-winbind-3.5.4-0.70.el5_6.1
samba3x-client-3.5.4-0.70.el5_6.1
samba3x-3.5.4-0.70.el5_6.1


[global]
    # Domain-member configuration (security = ADS) for the TAYLORTELEPHONE
    # realm; the winbind/Kerberos behaviour described in the post depends on
    # this section.
    workgroup = TAYLORTELEPHONE
    realm = TAYLORTELEPHONE.COM
    server string = Cluster Share %L
    # NOTE(review): 'bind interfaces only' is not set, so this list does not
    # limit the sockets smbd listens on -- confirm that is intended on a
    # cluster node.
    interfaces = eth0, lo
    security = ADS
    # NOTE(review): pins authentication to a single DC by IP. If the backup
    # DCs mentioned in the post are meant to take over, confirm whether this
    # should be '*' or a list of DCs (see smb.conf(5) for 3.5).
    password server = 192.168.173.10
    log file = /var/log/samba/samba3.log
    clustering = Yes
    wins server = 192.168.173.10
    # RID-based idmap: the uid/gid for a SID is derived from its RID, so both
    # cluster nodes map identically without sharing an idmap database
    # (idmap_rid(8)).
    # NOTE(review): the 'idmap_rid:DOMAIN=range' form is the pre-3.3 syntax;
    # confirm 3.5.4 still honours it rather than requiring the
    # 'idmap config DOMAIN:...' form documented in idmap_rid(8) for this
    # release.
    # NOTE(review): the range starts at 500, which is where CentOS 5 allocates
    # local user accounts, so a domain mapping can collide with a local
    # uid/gid -- confirm no local accounts fall inside 500-4000000.
    idmap backend = idmap_rid:TAYLORTELEPHONE=500-4000000
    idmap uid = 500-4000000
    idmap gid = 500-4000000
    # Unix home for winbind users is /home/%U, which differs from the
    # /clusterdata/home path exported by the [home] share below -- presumably
    # intentional; verify.
    template homedir = /home/%U
    template shell = /bin/bash
    # Enumeration lets 'getent passwd/group' list the whole domain; smb.conf(5)
    # notes this is expensive on large domains.
    winbind enum users = Yes
    winbind enum groups = Yes
    # Unqualified names resolve in TAYLORTELEPHONE; the unqualified
    # 'force group = Domain Admins' in the share sections presumably relies on
    # this.
    winbind use default domain = Yes
    # Ticket refresh / offline logon apply to user logon ticket caches handled
    # by winbind and pam_winbind.
    # NOTE(review): the failing 'wbinfo -t' in the post points at the machine
    # account trust, which these two settings do not cover -- winbind rotates
    # that password on its own ('machine password timeout', default 7 days);
    # worth checking that the rotation reaches every DC the nodes
    # authenticate against. TODO confirm.
    winbind refresh tickets = Yes
    winbind offline logon = Yes

[apps]
    comment = Application Data
    path = /data/programs
    # NOTE(review): every access by an authenticated user runs as root
    # (force user / force group) and the share is writable (read only = No),
    # so Unix permissions on /data/programs do not limit what a domain user
    # can change here. Access control has to come from share-level options
    # such as 'valid users' / 'write list' ('inherit acls' only affects ACL
    # inheritance on new files and directories). TODO confirm the intended
    # audience of this share.
    force user = root
    force group = Domain Admins
    read only = No
    inherit acls = Yes
    # The recycle VFS module keeps deleted files instead of unlinking them.
    # NOTE(review): confirm 'recycle: config-files' is an option the 3.5.4
    # vfs_recycle(8) actually reads; a parametric option the module does not
    # know is silently ignored.
    vfs objects = recycle
    recycle: config-files = /etc/samba/samba-recycle.conf

[share]
    comment = Share Data
    path = /clusterdata/share
    # NOTE(review): same pattern as [apps]: all file access runs as root and
    # the share is writable, so filesystem permissions under /clusterdata/share
    # do not restrict domain users; restriction has to come from 'valid users'
    # / 'write list' on the share. TODO confirm this is intended.
    force user = root
    force group = Domain Admins
    read only = No
    inherit acls = Yes
    # Deleted files are kept by the recycle VFS module.
    # NOTE(review): verify 'recycle: config-files' is honoured by this
    # version's vfs_recycle(8); unknown parametric options are ignored
    # without warning.
    vfs objects = recycle
    recycle: config-files = /etc/samba/samba-recycle.conf

[home]
    comment = Home Directories
    path = /clusterdata/home
    # NOTE(review): this is a plain share named 'home', not the special
    # [homes] section, so it exports the whole /clusterdata/home tree to every
    # authenticated user, writable, with no 'valid users'. Per-user isolation
    # can only come from the filesystem permissions/ACLs under that path --
    # confirm those, or consider the [homes] mechanism.
    read only = No

[printers]
    # Print spool share. 'guest ok = Yes' presumably lets anonymous clients
    # submit jobs, subject to the 'map to guest' setting (default Never) --
    # verify that is intended.
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    # Not listed in browse lists; printers are still reachable by name.
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /clusterdata/netlogon
    # No 'read only = No' here, so the share keeps the smb.conf default of
    # read-only, which is what a logon-script share should be. 'guest ok'
    # lets the share be read before a user is fully authenticated.
    guest ok = Yes
    # Disables byte-range lock enforcement on this share.
    locking = No

[profiles]
    comment = Profile Share
    path = /clusterdata/profiles
    read only = No
    # New files and directories take the owner of the parent directory rather
    # than the connecting user (smb.conf(5) 'inherit owner').
    inherit owner = Yes
    profile acls = Yes
    # 'hide files' only sets the DOS hidden attribute on matching names; it is
    # not an access control.
    hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
    # NOTE(review): no 'create mask' / 'directory mask' here, so files are
    # created with the smb.conf defaults (0744 / 0755) and are world-readable
    # on the filesystem unless the parent directory blocks that; profile
    # shares are usually locked down to 0600 / 0700. TODO confirm.
    store dos attributes = Yes

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    # NOTE(review): writable with no 'write list' / 'valid users', so any
    # authenticated domain user can replace driver files that clients will
    # download and load; driver shares are normally read-only with a
    # 'write list' of the printer administrators. TODO confirm.
    read only = No
[root at pdc ~]# cat /etc/krb5.conf
[libdefaults]
# Realm used when a principal is given without one; matches 'realm' in
# smb.conf.
 default_realm = TAYLORTELEPHONE.COM
# Both DNS lookups are off, so the realm mapping and the KDC list come only
# from this file: only the KDC(s) listed under [realms] are ever contacted,
# with no automatic failover to any other DC.
 dns_lookup_realm = false
 dns_lookup_kdc = false
# Default lifetime for initial ticket requests (kinit-style); Samba may request
# its own lifetime -- TODO confirm.
# NOTE(review): the klist output in the post shows a krbtgt valid for only
# 4 s (09:23:18 to 09:23:22), far short of this request -- worth checking
# clock sync between the node and the KDC, and the KDC's maximum ticket
# lifetime policy.
        ticket_lifetime = 24h
        forwardable = yes

[realms]
# A single KDC / admin server is listed and dns_lookup_kdc is off, so Kerberos
# operations (ADS join, ticket acquisition) depend on qbserver alone. If the
# backup DCs in the post are expected to serve when qbserver is down, they
# would need their own 'kdc =' entries here.
# NOTE(review): whether qbserver is the 192.168.173.10 'password server' from
# smb.conf cannot be told from this file -- confirm the two point at the same
# DC.
        TAYLORTELEPHONE.COM = {
  kdc = qbserver.taylortelephone.com:88
  admin_server = qbserver.taylortelephone.com:749
                default_domain = taylortelephone.com
        }

[domain_realm]
# Maps the DNS domain (leading-dot form covers every host under it) to the
# realm; the lowercase DNS name and the uppercase realm must keep matching
# the smb.conf 'realm'.
        .taylortelephone.com = TAYLORTELEPHONE.COM
        taylortelephone.com = TAYLORTELEPHONE.COM
 
[appdefaults]
# Settings for the 'pam' application (pam_krb5). These presumably govern PAM
# Kerberos logins, not winbindd's own ticket handling -- verify which PAM
# module the nodes actually use (pam_winbind vs pam_krb5).
pam = {
   debug = false
# NOTE(review): bare numbers here -- presumably seconds (36000 s = 10 h),
# which differs from the '24h' form used in [libdefaults]; confirm the units
# pam_krb5 applies.
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
# Kerberos 4 ticket conversion disabled.
   krb4_convert = false
}


