[Samba] Samba 4.1.7 CTDB winbind not syncing when connected to MS AD 2008R2 - WAS: Re: Samba 4.1.7 clustering not using private dir
Taylor, Jonn
jonnt at taylortelephone.com
Mon May 5 20:13:38 MDT 2014
On 05/05/2014 04:58 PM, steve wrote:
> On Mon, 2014-05-05 at 11:52 -0500, Taylor, Jonn wrote:
>> On 05/05/2014 09:20 AM, steve wrote:
>>> On Mon, 2014-05-05 at 08:48 -0500, Taylor, Jonn wrote:
>>>
>>>> ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
>>>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
>>>> directory)
>>>> [2014/05/05 08:36:53.741217, 0]
>>>> ../source3/libads/kerberos_util.c:74(ads_kinit_password)
>>>> kerberos_kinit_password SHR01$@TAYLORTELEPHONE.COM failed:
>>>> Preauthentication failed
>>>> [2014/05/05 08:36:53.741333, 1]
>>>> ../source3/winbindd/winbindd_ads.c:122(ads_cached_connection_connect)
>>>> ads_connect for domain TAYLORTELEPHONE failed: Preauthentication failed
>>>> [2014/05/05 08:36:53.741427, 1]
>>>> ../source3/winbindd/idmap_ad.c:199(idmap_ad_unixids_to_sids)
>>>> ADS uninitialized: Preauthentication failed
>>>> [2014/05/05 08:36:53.741538, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>> Finished processing child request 59
>>>>
>>>> So what file or directory could not be found?
>>>>
>>>> Jonn
>>>>
>>> Do you have the SHR01$ machine key in the keytab? Is the keytab
>>> at /etc/krb5.keytab?
>>>
>> Followed wiki... kinit Administrator and then net ads join
>> -UAdministrator. After a day I get that message.
>>
> Hi
> klist -k
> anything?
>
>
There would be no file. This is Samba 4.1.7. It creates its own
krb5.conf file at /var/cache/samba/smb_krb5/krb5.conf.TAYLORTELEPHONE
and it looks like this.
[libdefaults]
default_realm = TAYLORTELEPHONE.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
TAYLORTELEPHONE.COM = {
kdc = 192.168.173.14
kdc = 192.168.173.13
}
Then it writes the keytab somewhere, but I cannot find it. I did a net
ads join -d6 but nothing jumps out. This is the keytab part.
Bind RPC Pipe: host DC1.taylortelephone.com auth_type 0, auth_level 1
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 240
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
saf_fetch[join]: Returning "DC1.taylortelephone.com" for
"taylortelephone.com" domain
get_dc_list: preferred server list: "DC1.taylortelephone.com, *"
name taylortelephone.com#1C found.
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
name DC1.taylortelephone.com#20 found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.173.13:389 192.168.173.14:389
create_local_private_krb5_conf_for_domain: wrote file
/var/cache/samba/smb_krb5/krb5.conf.TAYLORTELEPHONE with realm
TAYLORTELEPHONE.COM KDC list = kdc = 192.168.173.13
kdc = 192.168.173.14
Bind RPC Pipe: host DC1.taylortelephone.com auth_type 0, auth_level 1
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 40
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 44
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 12
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 12
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
check lock order 2 for g_lock.tdb
db_open_ctdb: opened database 'dbwrap_watchers.tdb' with dbid 0xbce979dd
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:758 transaction commit on db 0xb775fff6
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:758 transaction commit on db 0xb775fff6
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:758 transaction commit on db 0xb775fff6
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:758 transaction commit on db 0xb775fff6
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
name DC1.taylortelephone.com#20 found.
ads_try_connect: sending CLDAP request to 192.168.173.13 (realm:
taylortelephone.com)
Successfully contacted LDAP server 192.168.173.13
Connected to LDAP server DC1.taylortelephone.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178 at please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Tue, 06 May 2014 01:05:35 CDT
ads_domain_func_level: 4
kerberos_secrets_store_des_salt: Storing salt
"host/shr01.taylortelephone.com at TAYLORTELEPHONE.COM"
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x2607456f
db_open_ctdb: opened database 'group_mapping.tdb' with dbid 0xe98e08b6
add_sid_to_builtin S-1-5-21-1647384629-2592896063-3438515345-512 is
already a member of S-1-5-32-544
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x2607456f
db_open_ctdb: opened database 'passdb.tdb' with dbid 0x7bbbd26c
tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
pdb_getsampwnam (TDB): error fetching database.
Key: USER_root
add_sid_to_builtin S-1-5-21-1647384629-2592896063-3438515345-513 is
already a member of S-1-5-32-545
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
name DC1.taylortelephone.com#20 found.
Connecting to 192.168.173.13 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 19800
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Bind RPC Pipe: host DC1.taylortelephone.com auth_type 0, auth_level 1
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 20
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 24
rpccli_netlogon_setup_creds: server DC1.taylortelephone.com credential
chain established.
Bind RPC Pipe: host DC1.taylortelephone.com auth_type 68, auth_level 6
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 72
check_bind_response: accepted!
seed xxxxxxxxxxxxxxxx
seed+time xxxxxxxxxxxxxxx
CLIENT xxxxxxxxxxxxxxxx
seed+time+1 xxxxxxxxxxxxxx
SERVER xxxxxxxxxxxxxxxxx
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 104
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'TAYLORTELEPHONE'
dns_domain_name : 'taylortelephone.com'
forest_name : 'taylortelephone.com'
dn :
'CN=shr01,CN=Computers,DC=taylortelephone,DC=com'
domain_sid : *
domain_sid :
S-1-5-21-1647384629-2592896063-3438515345
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result : WERR_OK
Using short domain name -- TAYLORTELEPHONE
Joined 'SHR01' to dns domain 'taylortelephone.com'
Not doing automatic DNS update in a clustered setup.
return code = 0
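The question steve raises above ("is the SHR01$ machine key in the keytab?", "klist -k anything?") comes up on every failed member-server join, so here is a small added helper for answering it. It is not from this thread and not Samba's own tooling: it parses an MIT-format `klist -k -e` listing and reports, per principal, whether the entry exists, its highest KVNO, and whether only DES or RC4 keys are present (the auto-generated krb5.conf shown above still allows DES-CBC-CRC and DES-CBC-MD5). The listing embedded below is constructed for the example; the SHR01 entries mirror the join output in the thread, the OLDSRV$ entries and all KVNOs are invented, and Heimdal's `klist` prints a different layout that this parser does not handle.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba.  Parses an MIT
# `klist -k -e` keytab listing and checks the state of a given principal.
# Constructed sample listing; names other than SHR01 are assumptions.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/shr01.taylortelephone.com@TAYLORTELEPHONE.COM (aes256-cts-hmac-sha1-96)
   3 host/shr01.taylortelephone.com@TAYLORTELEPHONE.COM (arcfour-hmac)
   3 SHR01$@TAYLORTELEPHONE.COM (aes256-cts-hmac-sha1-96)
   3 SHR01$@TAYLORTELEPHONE.COM (arcfour-hmac)
   2 OLDSRV$@TAYLORTELEPHONE.COM (des-cbc-crc)
   2 OLDSRV$@TAYLORTELEPHONE.COM (des-cbc-md5)'

# keytab_entries LISTING PRINCIPAL
# Print "KVNO ENCTYPE" for every entry of PRINCIPAL (exact name match).
# Header and separator lines are skipped because their first field is not numeric.
keytab_entries() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF >= 3 && $1 ~ /^[0-9]+$/ && $2 == p {
            enc = $3; gsub(/[()]/, "", enc); print $1, enc
        }'
}

# keytab_has_principal LISTING PRINCIPAL -> exit 0 if at least one entry exists
keytab_has_principal() {
    [ -n "$(keytab_entries "$1" "$2")" ]
}

# keytab_kvno LISTING PRINCIPAL -> highest KVNO stored for PRINCIPAL (empty if none)
keytab_kvno() {
    keytab_entries "$1" "$2" | awk '
        NR == 1 || $1 + 0 > max + 0 { max = $1 }
        END { if (NR) print max }'
}

# keytab_only_weak LISTING PRINCIPAL -> exit 0 if every key is DES or RC4,
# exit 1 if an AES (or other non-legacy) key is present or there is no entry.
keytab_only_weak() {
    keytab_entries "$1" "$2" | awk '
        $2 !~ /^(des-cbc-crc|des-cbc-md5|arcfour-hmac|arcfour-hmac-md5|arcfour-hmac-exp)$/ { strong = 1 }
        END { exit (NR == 0 || strong) ? 1 : 0 }'
}

# report_machine_account LISTING PRINCIPAL
# One-line summary; exit 0 = usable AES key, 1 = missing, 2 = DES/RC4 only.
report_machine_account() {
    if ! keytab_has_principal "$1" "$2"; then
        printf '%s: not in keytab\n' "$2"
        return 1
    fi
    kvno=$(keytab_kvno "$1" "$2")
    if keytab_only_weak "$1" "$2"; then
        printf '%s: kvno %s, only DES/RC4 keys\n' "$2" "$kvno"
        return 2
    fi
    printf '%s: kvno %s, AES key present\n' "$2" "$kvno"
    return 0
}

# On a member server with MIT krb5 tools (run as root) read the system keytab;
# anywhere else fall back to the constructed sample so the script still runs.
if command -v klist >/dev/null 2>&1 && [ -r /etc/krb5.keytab ]; then
    LISTING=$(klist -k -e)
else
    LISTING=$SAMPLE_LISTING
fi
report_machine_account "$LISTING" 'SHR01$@TAYLORTELEPHONE.COM' || :
report_machine_account "$LISTING" 'OLDSRV$@TAYLORTELEPHONE.COM' || :
```

Read the result together with the smb.conf `kerberos method` setting: with Samba's default (secrets only) no system keytab is written at all and winbind authenticates the machine account from the password stored in secrets.tdb, so "not in keytab" is expected there and the checks that matter are `wbinfo -t` (verifies the stored machine trust secret against the DC) and `net ads testjoin`; `net ads keytab list` shows what Samba itself believes is in the keytab when a keytab method is in use.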