[Samba] s3 winbind losing Kerberos ticket
Taylor, Jonn
jonnt at taylortelephone.com
Wed May 4 08:52:16 MDT 2011
Anyone???
On 05/02/2011 04:54 PM, Taylor, Jonn wrote:
> I also found this in the logs on both servers.
>
> [2011/05/02 16:52:01.425379, 0]
> winbindd/idmap.c:201(smb_register_idmap_alloc)
> idmap_alloc module ldap already registered!
> [2011/05/02 16:52:01.496966, 0]
> winbindd/idmap.c:201(smb_register_idmap_alloc)
> idmap_alloc module tdb already registered!
> [2011/05/02 16:52:01.569375, 0] winbindd/idmap.c:149(smb_register_idmap)
> Idmap module passdb already registered!
> [2011/05/02 16:52:01.641802, 0] winbindd/idmap.c:149(smb_register_idmap)
> Idmap module nss already registered!
> [2011/05/02 16:52:01.708285, 0] winbindd/idmap.c:149(smb_register_idmap)
> Idmap module rid already registered!
> [2011/05/02 16:52:01.774795, 0] lib/module.c:69(do_smb_load_module)
> Module '/usr/lib64/samba/idmap/rid.so' initialization failed:
> NT_STATUS_OBJECT_NAME_COLLISION
> [2011/05/02 16:52:01.836023, 1] winbindd/idmap.c:580(idmap_alloc_init)
> could not find idmap alloc module rid:TAYLORTELEPHONE=500-4000000
>
> Jonn
>
> On 05/02/2011 12:14 PM, Taylor, Jonn wrote:
>> I have 2 CentOS 5.6 x86_64 servers configured with samba 3.5.4,
>> CTDB, GFS and DRBD in an active/active cluster. After some time winbind
>> loses the ticket. After this I have to do a net ads join on the server
>> to get things going. The main DC is a windows 2003 server with SP2. I do
>> have 2 more samba 4 DCs that I use for backup authentication only that
>> run on debian 6 as VMs. Not sure if they could be causing a
>> problem or not.
>>
>> This is what I am seeing in the logs.
>>
>> winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms : 240 Time(s)
>>
>> And
>>
>> [root at pdc ~]# wbinfo -t
>> checking the trust secret for domain TAYLORTELEPHONE via RPC calls failed
>> Could not check secret
>> [root at pdc ~]# wbinfo -a someuser%password
>> plaintext password authentication failed
>> Could not authenticate user someuser%password with plaintext password
>> challenge/response password authentication failed
>> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
>> error messsage was: Access denied
>> Could not authenticate user someuser with challenge/response
>>
>> [root at pdc ~]# klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator at TAYLORTELEPHONE.COM
>>
>> Valid starting Expires Service principal
>> 04/28/11 09:23:18 04/28/11 09:23:22
>> krbtgt/TAYLORTELEPHONE.COM at TAYLORTELEPHONE.COM
>> renew until 04/28/11 09:23:22, Etype (skey, tkt): ArcFour with
>> HMAC/md5, ArcFour with HMAC/md5
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>>
>>
>> And then if I do
>>
>> [root at pdc ~]# net ads join -Uadministrator%password
>> Using short domain name -- TAYLORTELEPHONE
>> Joined 'PDC' to realm 'taylortelephone.com'
>> DNS update failed!
>> [root at pdc ~]# wbinfo -a someuser%password
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>>
>> everything works again for a while.
>>
>> samba3x-common-3.5.4-0.70.el5_6.1
>> samba3x-winbind-3.5.4-0.70.el5_6.1
>> samba3x-client-3.5.4-0.70.el5_6.1
>> samba3x-3.5.4-0.70.el5_6.1
>>
>>
>> [global]
>> workgroup = TAYLORTELEPHONE
>> realm = TAYLORTELEPHONE.COM
>> server string = Cluster Share %L
>> interfaces = eth0, lo
>> security = ADS
>> password server = 192.168.173.10
>> log file = /var/log/samba/samba3.log
>> clustering = Yes
>> wins server = 192.168.173.10
>> idmap backend = idmap_rid:TAYLORTELEPHONE=500-4000000
>> idmap uid = 500-4000000
>> idmap gid = 500-4000000
>> template homedir = /home/%U
>> template shell = /bin/bash
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind refresh tickets = Yes
>> winbind offline logon = Yes
>>
>> [apps]
>> comment = Application Data
>> path = /data/programs
>> force user = root
>> force group = Domain Admins
>> read only = No
>> inherit acls = Yes
>> vfs objects = recycle
>> recycle: config-files = /etc/samba/samba-recycle.conf
>>
>> [share]
>> comment = Share Data
>> path = /clusterdata/share
>> force user = root
>> force group = Domain Admins
>> read only = No
>> inherit acls = Yes
>> vfs objects = recycle
>> recycle: config-files = /etc/samba/samba-recycle.conf
>>
>> [home]
>> comment = Home Directories
>> path = /clusterdata/home
>> read only = No
>>
>> [printers]
>> comment = SMB Print Spool
>> path = /var/spool/samba
>> guest ok = Yes
>> printable = Yes
>> browseable = No
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /clusterdata/netlogon
>> guest ok = Yes
>> locking = No
>>
>> [profiles]
>> comment = Profile Share
>> path = /clusterdata/profiles
>> read only = No
>> inherit owner = Yes
>> profile acls = Yes
>> hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
>> store dos attributes = Yes
>>
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/drivers
>> read only = No
>> [root at pdc ~]# cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = TAYLORTELEPHONE.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> TAYLORTELEPHONE.COM = {
>> kdc = qbserver.taylortelephone.com:88
>> admin_server = qbserver.taylortelephone.com:749
>> default_domain = taylortelephone.com
>> }
>>
>> [domain_realm]
>> .taylortelephone.com = TAYLORTELEPHONE.COM
>> taylortelephone.com = TAYLORTELEPHONE.COM
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
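An added health-check example, not from the thread or the Samba project: it parses the `klist -e` output format quoted above and classifies the krbtgt ticket as missing, expired, or (as in the posted output, where the TGT expires four seconds after it was issued) suspiciously short-lived, and it matches samba log lines against the winbind/idmap failure messages quoted in the thread. The 10-minute lifetime threshold and the sample inputs are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the klist -e lines quoted in the thread, with the wrapped
# service-principal line joined back onto its ticket line.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TAYLORTELEPHONE.COM
Valid starting     Expires            Service principal
04/28/11 09:23:18  04/28/11 09:23:22  krbtgt/TAYLORTELEPHONE.COM@TAYLORTELEPHONE.COM
        renew until 04/28/11 09:23:22, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""

TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)")
TS_FMT = "%m/%d/%y %H:%M:%S"

def parse_klist(text):
    """Return [(service_principal, valid_from, expires)] from klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append((m.group(3),
                            datetime.strptime(m.group(1), TS_FMT),
                            datetime.strptime(m.group(2), TS_FMT)))
    return tickets

def check_tgt(text, now, min_lifetime=timedelta(minutes=10)):
    """Classify the krbtgt ticket as 'missing', 'expired', 'short-lived' or 'ok'.
    A TGT that lives only seconds (the posted one lasted four) is flagged before
    wbinfo -t / wbinfo -a start failing. The 10-minute threshold is assumed."""
    tgts = [t for t in parse_klist(text) if t[0].startswith("krbtgt/")]
    if not tgts:
        return "missing"
    _, start, end = tgts[0]
    if end <= now:
        return "expired"
    if end - start < min_lifetime:
        return "short-lived"
    return "ok"

# Log message patterns quoted in the thread that indicate winbind/idmap trouble.
LOG_PATTERNS = [re.compile(p) for p in (
    r"Could not receive trustdoms",
    r"Module '.*' initialization failed: NT_STATUS_\w+",
    r"could not find idmap alloc module")]

def scan_samba_log(lines):
    """Return the log lines matching any known failure pattern."""
    return [l for l in lines if any(p.search(l) for p in LOG_PATTERNS)]
```

On a live host, feed it the output of `klist -e` and the samba log file and raise an alert on anything other than "ok" or an empty match list.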