[Samba] Error accessing others domains in forest

NdK ndk.clanbo at gmail.com
Thu Feb 23 07:36:29 MST 2012


Hello all.

After last update (from winbind-3.5.3 and krb5-1.8.1 to winbind-3.5.10
and krb5-1.9.1) users from a trusted domain can't authenticate any more.

Machines are joined to domain PERSONALE, and users from domain STUDENTI
aren't recognized. Domains are handled by W2k8 or W2k8r2 (I have no
control over these).

Last lines from /var/log/samba/log.wb-STUDENTI report:
[2012/02/23 10:42:20.205656,  3] libads/sasl.c:793(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name =
edge$@STUDENTI.DIR.UNIBO.IT
[2012/02/23 10:42:20.239823,  1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for
ldap/edge.studenti.dir.unibo.it@STUDENTI.DIR.UNIBO.IT (Realm not local
to KDC)
[2012/02/23 10:42:20.311687,  1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for
ldap/edge.studenti.dir.unibo.it@STUDENTI.DIR.UNIBO.IT (Realm not local
to KDC)
[2012/02/23 10:42:20.311765,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Realm not local
to KDC
[2012/02/23 10:42:20.312246,  1]
winbindd/winbindd_ads.c:126(ads_cached_connection)
  ads_connect for domain STUDENTI failed: Realm not local to KDC
[2012/02/23 11:04:15.428341,  3]
winbindd/winbindd_dual.c:53(child_read_request)
  child_read_request: read_data failed: NT_STATUS_END_OF_FILE

'edge' is one of the DCs of the STUDENTI domain, but it seems the PC
can't acquire a ticket for that domain.

Machine is correctly joined, and actually my employee account works. But
not the student one :(

[root at str00160-bibl4 ~]# wbinfo -i studenti\\diego.zuccato2
Could not get info for user studenti\diego.zuccato2
[root at str00160-bibl4 ~]# wbinfo -i diego.zuccato
diego.zuccato:*:108036:100013:Mat032398:/home/PERSONALE/diego.zuccato:/bin/bash

I already tried deleting all .tdb files (in /etc/samba and
/var/cache/samba ) and rejoining (some hiccups here, but net ads
testjoin reports "join is OK").

My /etc/samba/smb.conf is the same that worked for a couple of years:
[global]
        workgroup = PERSONALE
        realm  = PERSONALE.DIR.UNIBO.IT
        server string = %v
        security = ADS
        encrypt passwords = Yes
        #password server = atu.personale.dir.unibo.it
        log file = /var/log/samba/log.%m
        log level = 3
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = No
        dns proxy = No

        #winbind separator = -
        winbind enum users = No
        winbind enum groups = No
        winbind offline logon = Yes
        winbind nested groups = Yes
        winbind normalize names = Yes
        winbind refresh tickets = Yes
        winbind use default domain = yes
        winbind uid = 100000-100000000
        winbind gid = 100000-100000000

        idmap config PERSONALE:backend = rid
        idmap config PERSONALE:base_rid  = 500
        idmap config PERSONALE:range = 100000 - 49999999
        idmap config STUDENTI:backend = rid
        idmap config STUDENTI:base_rid  = 500
        idmap config STUDENTI:range = 50000000 - 99999999

        template homedir = /home/local/%D/%U
        template shell = /bin/bash

And the same for my /etc/krb5.conf (but I think this one gets ignored):
[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = PERSONALE.DIR.UNIBO.IT
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 PERSONALE.DIR.UNIBO.IT = {
  kdc = aki.PERSONALE.DIR.UNIBO.IT:88
  admin_server = aki.PERSONALE.DIR.UNIBO.IT:749
  default_domain = PERSONALE.DIR.UNIBO.IT
 }

[domain_realm]
 .PERSONALE.DIR.UNIBO.IT = PERSONALE.DIR.UNIBO.IT

[kdc]
 profile = /etc/kerberos/krb5kdc/kdc.conf

[login]
 krb4_convert = false
 krb4_get_tickets = false

[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = true
        mappings = ([a-z\.]*)@studio.unibo.it STUDENTI-$1
    }

Too bad I already upgraded more than 60 machines to the new packages...
What can I do to fix it? Next week students start coming to the lab...

TIA!

BYtE,
 Diego.
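A first check a practitioner would run on a machine in this state is to read the realm names out of the failing smb_krb5_get_credentials lines and compare them with what krb5.conf actually declares. The script below is an added example, not code from the original post or from Samba: it extracts every realm that winbind failed to get a service ticket for and reports whether krb5.conf has an explicit [realms] stanza and a [domain_realm] mapping for it. The sample log and krb5.conf are constructed from the post (with the "@" the list archive rewrote as " at " restored); the file paths, the helper names and the stanza layout are assumptions. A missing [realms] stanza is not by itself a fault when dns_lookup_kdc = true, so the output is a pointer to what to look at, not a diagnosis.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): list the
# Kerberos realms winbind failed to get credentials for and check what
# krb5.conf says about each of them.

# Realms named in "smb_krb5_get_credentials failed for <spn>@<REALM>".
# The sed restores the "@" that mailing-list archives rewrite as " at ".
failed_realms() {
    # $1 = path to a log.wb-* file
    sed 's/ at /@/' "$1" \
        | grep -o 'smb_krb5_get_credentials failed for [^ ]*@[A-Za-z0-9.-]*' \
        | sed 's/.*@//' | sort -u
}

# Print the body of one krb5.conf section, e.g. conf_section krb5.conf realms
conf_section() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { insec = ($1 == want); next }
        insec       { print }' "$1"
}

# Escape the dots of a realm name so it can be used in a grep pattern.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# yes/no: does [realms] contain an explicit "<REALM> = {" stanza?
has_realm_stanza() {
    # $1 = krb5.conf path, $2 = realm
    if conf_section "$1" realms \
        | grep -q "^[[:space:]]*$(re_escape "$2")[[:space:]]*=[[:space:]]*{"; then
        echo yes; else echo no; fi
}

# yes/no: does [domain_realm] map some DNS name onto the realm?
has_domain_mapping() {
    # $1 = krb5.conf path, $2 = realm
    if conf_section "$1" domain_realm \
        | grep -q "=[[:space:]]*$(re_escape "$2")[[:space:]]*$"; then
        echo yes; else echo no; fi
}

# One line per failed realm: "<REALM> stanza=yes|no mapping=yes|no"
report() {
    # $1 = log path, $2 = krb5.conf path
    failed_realms "$1" | while read -r realm; do
        printf '%s stanza=%s mapping=%s\n' "$realm" \
            "$(has_realm_stanza "$2" "$realm")" \
            "$(has_domain_mapping "$2" "$realm")"
    done
}

# Constructed sample input modelled on the post (not real captured files).
SAMPLE_LOG=$(mktemp)
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"' EXIT

cat > "$SAMPLE_LOG" <<'EOF'
[2012/02/23 10:42:20.239823,  1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo.it@STUDENTI.DIR.UNIBO.IT (Realm not local to KDC)
[2012/02/23 10:42:20.312246,  1] winbindd/winbindd_ads.c:126(ads_cached_connection)
  ads_connect for domain STUDENTI failed: Realm not local to KDC
EOF

cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
 default_realm = PERSONALE.DIR.UNIBO.IT
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 PERSONALE.DIR.UNIBO.IT = {
  kdc = aki.PERSONALE.DIR.UNIBO.IT:88
  default_domain = PERSONALE.DIR.UNIBO.IT
 }

[domain_realm]
 .PERSONALE.DIR.UNIBO.IT = PERSONALE.DIR.UNIBO.IT
EOF

report "$SAMPLE_LOG" "$SAMPLE_CONF"
# prints: STUDENTI.DIR.UNIBO.IT stanza=no mapping=no
```

Run against the real files as `report /var/log/samba/log.wb-STUDENTI /etc/krb5.conf`. To see the ticket request itself rather than winbind's summary of it, obtain a PERSONALE ticket with kinit and then ask for the same service principal the log names, `kvno ldap/edge.studenti.dir.unibo.it@STUDENTI.DIR.UNIBO.IT`; with MIT krb5 1.9 and later, setting `KRB5_TRACE=/dev/stderr` for that kvno call shows which KDC each request went to and what it answered.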
