[Samba] s3 winbind losing Kerberos ticket

Taylor, Jonn jonnt at taylortelephone.com
Mon May 2 15:54:01 MDT 2011


I also found this in the logs on both servers.

[2011/05/02 16:52:01.425379,  0]
winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/05/02 16:52:01.496966,  0]
winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/05/02 16:52:01.569375,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/05/02 16:52:01.641802,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/05/02 16:52:01.708285,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module rid already registered!
[2011/05/02 16:52:01.774795,  0] lib/module.c:69(do_smb_load_module)
  Module '/usr/lib64/samba/idmap/rid.so' initialization failed:
NT_STATUS_OBJECT_NAME_COLLISION
[2011/05/02 16:52:01.836023,  1] winbindd/idmap.c:580(idmap_alloc_init)
  could not find idmap alloc module rid:TAYLORTELEPHONE=500-4000000

Jonn

On 05/02/2011 12:14 PM, Taylor, Jonn wrote:
> I have 2 CentOS 5.6 x86_64 servers configured with samba 3.5.4,
> CTDB, GFS and DRBD in an active/active cluster. After some time winbind
> loses the ticket. After this I have to do a net ads join on the server
> to get things going. The main DC is a windows 2003 server with SP2. I do
> have 2 more samba 4 DC's that I use for backup authentication only that
> run on debian 6 as VMs. Not sure if they could be causing a
> problem or not.
>
> This is what I am seeing in the logs.
>
> winbindd/winbindd_util.c:289(trustdom_recv)  Could not receive trustdoms : 240 Time(s)
>
> And
>
> [root at pdc ~]# wbinfo -t
> checking the trust secret for domain TAYLORTELEPHONE via RPC calls failed
> Could not check secret
> [root at pdc ~]# wbinfo -a someuser%password
> plaintext password authentication failed
> Could not authenticate user someuser%password with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user someuser with challenge/response
>
> [root at pdc ~]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at TAYLORTELEPHONE.COM
>
> Valid starting     Expires            Service principal
> 04/28/11 09:23:18  04/28/11 09:23:22 
> krbtgt/TAYLORTELEPHONE.COM at TAYLORTELEPHONE.COM
>     renew until 04/28/11 09:23:22, Etype (skey, tkt): ArcFour with
> HMAC/md5, ArcFour with HMAC/md5
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
> And then if I do
>
> [root at pdc ~]# net ads join -Uadministrator%password
> Using short domain name -- TAYLORTELEPHONE
> Joined 'PDC' to realm 'taylortelephone.com'
> DNS update failed!
> [root at pdc ~]# wbinfo -a someuser%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> everything works again for awhile.
>
> samba3x-common-3.5.4-0.70.el5_6.1
> samba3x-winbind-3.5.4-0.70.el5_6.1
> samba3x-client-3.5.4-0.70.el5_6.1
> samba3x-3.5.4-0.70.el5_6.1
>
>
> [global]
>     workgroup = TAYLORTELEPHONE
>     realm = TAYLORTELEPHONE.COM
>     server string = Cluster Share %L
>     interfaces = eth0, lo
>     security = ADS
>     password server = 192.168.173.10
>     log file = /var/log/samba/samba3.log
>     clustering = Yes
>     wins server = 192.168.173.10
>     idmap backend = idmap_rid:TAYLORTELEPHONE=500-4000000
>     idmap uid = 500-4000000
>     idmap gid = 500-4000000
>     template homedir = /home/%U
>     template shell = /bin/bash
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind refresh tickets = Yes
>     winbind offline logon = Yes
>
> [apps]
>     comment = Application Data
>     path = /data/programs
>     force user = root
>     force group = Domain Admins
>     read only = No
>     inherit acls = Yes
>     vfs objects = recycle
>     recycle: config-files = /etc/samba/samba-recycle.conf
>
> [share]
>     comment = Share Data
>     path = /clusterdata/share
>     force user = root
>     force group = Domain Admins
>     read only = No
>     inherit acls = Yes
>     vfs objects = recycle
>     recycle: config-files = /etc/samba/samba-recycle.conf
>
> [home]
>     comment = Home Directories
>     path = /clusterdata/home
>     read only = No
>
> [printers]
>     comment = SMB Print Spool
>     path = /var/spool/samba
>     guest ok = Yes
>     printable = Yes
>     browseable = No
>
> [netlogon]
>     comment = Network Logon Service
>     path = /clusterdata/netlogon
>     guest ok = Yes
>     locking = No
>
> [profiles]
>     comment = Profile Share
>     path = /clusterdata/profiles
>     read only = No
>     inherit owner = Yes
>     profile acls = Yes
>     hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
>     store dos attributes = Yes
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/drivers
>     read only = No
> [root at pdc ~]# cat /etc/krb5.conf
> [libdefaults]
>         default_realm = TAYLORTELEPHONE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = false
>         ticket_lifetime = 24h
>         forwardable = yes
>
> [realms]
>         TAYLORTELEPHONE.COM = {
>                 kdc = qbserver.taylortelephone.com:88
>                 admin_server = qbserver.taylortelephone.com:749
>                 default_domain = taylortelephone.com
>         }
>
> [domain_realm]
>         .taylortelephone.com = TAYLORTELEPHONE.COM
>         taylortelephone.com = TAYLORTELEPHONE.COM
>
> [appdefaults]
>         pam = {
>                 debug = false
>                 ticket_lifetime = 36000
>                 renew_lifetime = 36000
>                 forwardable = true
>                 krb4_convert = false
>         }
>
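The two kinds of evidence in this thread (the winbind idmap log entries and the `klist -e` output) are the sort of thing a defender would want to parse and alert on rather than read by hand. The following Python is an added example, not code from the thread or from the Samba project: it groups Samba 3.x debug-log lines into entries (handling the wrapped source-location and message lines seen above), flags duplicate idmap module registration, module initialisation failures carrying an NT_STATUS code and the missing idmap alloc module, and parses MIT `klist -e` output to compute each ticket's lifetime and encryption type. The sample log is copied from the message; the sample klist output is reconstructed from the quoted one with `@` restored where the list archive prints `at`. The 300-second minimum-lifetime threshold and the RC4 check are this example's own assumptions (the quoted TGT expires four seconds after it was issued, which is worth alerting on regardless of the cause).

```python
import re
from datetime import datetime

# Samba debug-log header: "[YYYY/MM/DD HH:MM:SS.usec, level] file.c:line(function)".
# The location may wrap onto the next line and a message may wrap unindented.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION_RE = re.compile(r"^\S+\.c:\d+\(\w+\)$")
NTSTATUS_RE = re.compile(r"(NT_STATUS_[A-Z_]+)")
# MIT klist row: "MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  principal" (principal may wrap).
KLIST_ROW_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*(.*)$")
MIN_TICKET_LIFETIME_SECONDS = 300  # assumption for this example, not a Samba setting


def parse_samba_log(text):
    """Group a Samba log into entries: one header plus its continuation lines."""
    entries, cur = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            cur = {"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                   "level": int(m.group(2)), "location": m.group(3).strip(), "message": ""}
            entries.append(cur)
            continue
        line = raw.strip()
        if cur is None or not line:
            continue
        if not cur["location"] and LOCATION_RE.match(line):
            cur["location"] = line  # wrapped "file.c:line(function)"
        else:
            cur["message"] = (cur["message"] + " " + line).strip()
    return entries


def winbind_findings(entries):
    """(kind, detail) tuples for the idmap/module conditions seen in the thread."""
    findings = []
    for e in entries:
        msg = e["message"]
        nt = NTSTATUS_RE.search(msg)
        if nt and "initialization failed" in msg:
            findings.append(("module_init_failed", nt.group(1)))
        elif "already registered" in msg:
            findings.append(("duplicate_idmap_module", msg.split(" module ")[1].split()[0]))
        elif "could not find idmap alloc module" in msg:
            findings.append(("idmap_alloc_missing", msg.split("module ", 1)[1]))
    return findings


def parse_klist(text):
    """Parse `klist -e` output into tickets with lifetime and enctype information."""
    tickets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KLIST_ROW_RE.match(line)
        if m:
            cur = {"start": datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"),
                   "expires": datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S"),
                   "principal": m.group(3).strip(), "extra": ""}
            tickets.append(cur)
        elif not line:
            cur = None  # blank line ends the ticket table
        elif cur is not None:
            if not cur["principal"] and not line.startswith("renew until"):
                cur["principal"] = line  # wrapped service principal
            else:
                cur["extra"] += " " + line  # renew-until / Etype continuation
    for t in tickets:
        t["lifetime_seconds"] = int((t["expires"] - t["start"]).total_seconds())
        t["rc4"] = "arcfour" in t["extra"].lower() or "rc4" in t["extra"].lower()
    return tickets


def ticket_findings(tickets, min_lifetime=MIN_TICKET_LIFETIME_SECONDS):
    """Flag tickets that are effectively unusable (too short) or use RC4."""
    findings = []
    for t in tickets:
        if t["lifetime_seconds"] < min_lifetime:
            findings.append(("short_ticket_lifetime", t["principal"], t["lifetime_seconds"]))
        if t["rc4"]:
            findings.append(("rc4_enctype", t["principal"]))
    return findings


# Sample log lines copied from the message above.
SAMPLE_LOG = """\
[2011/05/02 16:52:01.425379,  0]
winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/05/02 16:52:01.496966,  0]
winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/05/02 16:52:01.569375,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/05/02 16:52:01.641802,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/05/02 16:52:01.708285,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module rid already registered!
[2011/05/02 16:52:01.774795,  0] lib/module.c:69(do_smb_load_module)
  Module '/usr/lib64/samba/idmap/rid.so' initialization failed:
NT_STATUS_OBJECT_NAME_COLLISION
[2011/05/02 16:52:01.836023,  1] winbindd/idmap.c:580(idmap_alloc_init)
  could not find idmap alloc module rid:TAYLORTELEPHONE=500-4000000
"""

# Constructed from the quoted klist -e output, with "@" restored.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TAYLORTELEPHONE.COM

Valid starting     Expires            Service principal
04/28/11 09:23:18  04/28/11 09:23:22
krbtgt/TAYLORTELEPHONE.COM@TAYLORTELEPHONE.COM
    renew until 04/28/11 09:23:22, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
"""

if __name__ == "__main__":
    for f in winbind_findings(parse_samba_log(SAMPLE_LOG)):
        print("log:", f)
    for f in ticket_findings(parse_klist(SAMPLE_KLIST)):
        print("klist:", f)
```

Run against the sample data it reports the five duplicate idmap module registrations, the `NT_STATUS_OBJECT_NAME_COLLISION` initialisation failure, the missing `rid:TAYLORTELEPHONE=500-4000000` alloc module, a four-second TGT lifetime and an RC4 encryption type. In production the same functions can be fed `/var/log/samba/samba3.log` and the output of `klist -e` run from winbind's credential cache, with the idmap findings treated as a configuration error to fix and the short-lifetime finding as the early warning that `wbinfo -t` is about to start failing.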

