I also found this in the logs on both servers. (The "already registered" lines are each idmap module apparently being registered twice, and the rid.so NT_STATUS_OBJECT_NAME_COLLISION follows directly from "Idmap module rid already registered!"; the line that matters is the last one, where winbindd looks for an alloc module literally named "rid:TAYLORTELEPHONE=500-4000000", i.e. the whole `idmap backend` value from smb.conf with the `idmap_` prefix stripped.)
[2011/05/02 16:52:01.425379, 0]
winbindd/idmap.c:201(smb_register_idmap_alloc)
idmap_alloc module ldap already registered!
[2011/05/02 16:52:01.496966, 0]
winbindd/idmap.c:201(smb_register_idmap_alloc)
idmap_alloc module tdb already registered!
[2011/05/02 16:52:01.569375, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module passdb already registered!
[2011/05/02 16:52:01.641802, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module nss already registered!
[2011/05/02 16:52:01.708285, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module rid already registered!
[2011/05/02 16:52:01.774795, 0] lib/module.c:69(do_smb_load_module)
Module '/usr/lib64/samba/idmap/rid.so' initialization failed:
NT_STATUS_OBJECT_NAME_COLLISION
[2011/05/02 16:52:01.836023, 1] winbindd/idmap.c:580(idmap_alloc_init)
could not find idmap alloc module rid:TAYLORTELEPHONE=500-4000000
Jonn
On 05/02/2011 12:14 PM, Taylor, Jonn wrote:> I have 2 CentOS 5.6 x86_64 servers configured with samba 3.5.4,
> CTDB, GFS and DRBD in an active/active cluster. After some time winbind
> loses the ticket. After this I have to do a net ads join on the server
> to get things going. The main DC is a Windows 2003 server with SP2. I do
> have 2 more Samba 4 DCs that I use for backup authentication only; they
> run on Debian 6 in a VM. Not sure if they could be causing a
> problem or not.
>
> This is what I am seeing in the logs.
>
> winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms : 240 Time(s)
>
> And winbind's own checks fail (note for anyone reproducing this: passing the password as `user%password` on the command line leaves it in shell history and visible in `ps`; `wbinfo -a someuser` and `net ads join -U administrator` prompt for it instead):
>
> [root at pdc ~]# wbinfo -t
> checking the trust secret for domain TAYLORTELEPHONE via RPC calls failed
> Could not check secret
> [root at pdc ~]# wbinfo -a someuser%password
> plaintext password authentication failed
> Could not authenticate user someuser%password with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user someuser with challenge/response
>
> [root at pdc ~]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at TAYLORTELEPHONE.COM
>
> Valid starting Expires Service principal
> 04/28/11 09:23:18 04/28/11 09:23:22
> krbtgt/TAYLORTELEPHONE.COM at TAYLORTELEPHONE.COM
> renew until 04/28/11 09:23:22, Etype (skey, tkt): ArcFour with
> HMAC/md5, ArcFour with HMAC/md5
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
> And then if I do the following (note that the TGT above was issued at 09:23:18 and expired at 09:23:22, a 4-second lifetime despite ticket_lifetime = 24h in krb5.conf; that is worth explaining on its own, so first confirm both nodes and the DC agree on time via NTP, since Kerberos tolerates only a few minutes of clock skew):
>
> [root at pdc ~]# net ads join -Uadministrator%password
> Using short domain name -- TAYLORTELEPHONE
> Joined 'PDC' to realm 'taylortelephone.com'
> DNS update failed!
> [root at pdc ~]# wbinfo -a someuser%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> everything works again for a while. (Since `net ads join` resets the machine account password and that alone clears the "could not check secret" / NT_STATUS_ACCESS_DENIED state, this points at the machine trust secret going stale rather than at user credentials.)
>
> samba3x-common-3.5.4-0.70.el5_6.1
> samba3x-winbind-3.5.4-0.70.el5_6.1
> samba3x-client-3.5.4-0.70.el5_6.1
> samba3x-3.5.4-0.70.el5_6.1
>
>
> [global]
> workgroup = TAYLORTELEPHONE
> realm = TAYLORTELEPHONE.COM
> server string = Cluster Share %L
> interfaces = eth0, lo
> security = ADS
> # One hard-coded DC serves both password and WINS lookups; together with
> # dns_lookup_kdc = false in krb5.conf there is no fallback if this host is
> # unreachable. The two Samba 4 DCs mentioned in the mail are not referenced
> # anywhere in this configuration, so winbind should never talk to them.
> password server = 192.168.173.10
> log file = /var/log/samba/samba3.log
> # NOTE(review): if both nodes are joined under the same machine account
> # (the join output below shows 'PDC'), that account's secret lives in
> # secrets.tdb. Unless that database is one of CTDB's persistent (clustered)
> # databases, a machine-password change initiated by one node leaves the
> # other node with a stale secret, which matches the "could not check
> # secret" / ACCESS_DENIED symptoms until the next join - verify this
> # before suspecting the Samba 4 DCs.
> clustering = Yes
> wins server = 192.168.173.10
> # These idmap lines are the source of the winbindd log entries quoted
> # above: winbindd strips "idmap_" and then looks for an alloc module named
> # "rid:TAYLORTELEPHONE=500-4000000", which does not exist. This is the
> # older single-line syntax; for 3.5.x check smb.conf(5) for the per-domain
> # form (idmap config TAYLORTELEPHONE:backend = rid plus
> # idmap config TAYLORTELEPHONE:range = 500-4000000), and note that rid
> # provides no allocator, so an explicit tdb alloc backend is probably also
> # needed. Change this carefully on a cluster: existing uid/gid mappings
> # must stay identical on both nodes or file ownership on GFS will shift.
> # Also, the range starts at 500, which is where CentOS 5 begins allocating
> # local user uids, so domain and local accounts can collide.
> idmap backend = idmap_rid:TAYLORTELEPHONE=500-4000000
> idmap uid = 500-4000000
> idmap gid = 500-4000000
> # Home directory template points at /home, while the [home] share below
> # exports /clusterdata/home - confirm which of the two is intended.
> template homedir = /home/%U
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> # Domain credentials are cached locally on each node for offline logons;
> # that cache is as sensitive as the passwords it stands in for, so the
> # winbind tdb files need the same protection as secrets.tdb.
> winbind offline logon = Yes
> [apps]
> comment = Application Data
> # Unlike the other shares this path is not under /clusterdata - confirm it
> # is on the shared storage, otherwise the two nodes serve different data.
> path = /data/programs
> # Every file operation on this share runs as root, so filesystem
> # permissions no longer restrict anything: any user who can connect can
> # write anywhere under the path, as root. With no valid users / write
> # list, a dedicated service account here would limit the blast radius.
> # force group names a domain group, so this share depends on winbind
> # resolving it; when winbind is broken (as in this report) connections
> # will likely be refused.
> force user = root
> force group = Domain Admins
> read only = No
> inherit acls = Yes
> vfs objects = recycle
> recycle: config-files = /etc/samba/samba-recycle.conf
>
> [share]
> comment = Share Data
> path = /clusterdata/share
> # Same pattern as [apps]: all access is performed as root, so the
> # filesystem cannot restrict anyone who can connect. Consider a
> # non-root service account, or valid users / write list, before relying
> # on inherit acls for access control.
> force user = root
> force group = Domain Admins
> read only = No
> inherit acls = Yes
> vfs objects = recycle
> recycle: config-files = /etc/samba/samba-recycle.conf
>
> [home]
> comment = Home Directories
> # A single writable share over the whole home tree (not the special
> # [homes] section): separation between users rests entirely on the
> # on-disk permissions under this path. Note template homedir in [global]
> # points at /home, not here.
> path = /clusterdata/home
> read only = No
>
> [printers]
> comment = SMB Print Spool
> path = /var/spool/samba
> # guest ok allows unauthenticated clients to submit print jobs; fine on a
> # trusted LAN, but be aware the interfaces list does not limit who can
> # reach eth0.
> guest ok = Yes
> printable = Yes
> browseable = No
>
> [netlogon]
> comment = Network Logon Service
> path = /clusterdata/netlogon
> # Guest-readable is normal for logon scripts. read only is not set here,
> # so the default (yes) applies - keep it that way: a writable netlogon
> # share lets anyone modify scripts that run on every client at logon.
> guest ok = Yes
> locking = No
>
> [profiles]
> comment = Profile Share
> path = /clusterdata/profiles
> read only = No
> # inherit owner / profile acls make new profile files owned by the
> # connecting user, which is what keeps one user's profile private from
> # another; the on-disk permissions of the top-level directory must
> # still prevent browsing other users' profile folders.
> inherit owner = Yes
> profile acls = Yes
> # hide files is cosmetic (hidden, not protected).
> hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
> store dos attributes = Yes
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> # Writable by every authenticated user with no write list: anyone can
> # upload or replace printer driver binaries that Windows clients then
> # download and execute. Restrict writes to the printer admins, e.g.
> # write list = @"Domain Admins", and leave the share read only otherwise.
> read only = No
> [root at pdc ~]# cat /etc/krb5.conf
> [libdefaults]
> default_realm = TAYLORTELEPHONE.COM
> # With DNS lookups disabled only the KDC listed under [realms] is used;
> # there is no second KDC there, so a single DC outage stops Kerberos.
> dns_lookup_realm = false
> dns_lookup_kdc = false
> # Requested lifetime is 24h, yet the klist output in the mail shows a TGT
> # valid for 4 seconds - check clock sync between the nodes and the DC.
> ticket_lifetime = 24h
> # All tickets forwardable by default: any service this host authenticates
> # to can be handed a usable copy of the TGT. Harmless if nothing
> # delegates, but worth confirming it is actually needed.
> forwardable = yes
>
> [realms]
> TAYLORTELEPHONE.COM = {
> # Single KDC by hostname; smb.conf's password server is given as an IP,
> # so confirm both refer to the same Windows 2003 DC. The Samba 4 DCs
> # are not listed, so they are never used as KDCs by this host.
> kdc = qbserver.taylortelephone.com:88
> # AD has no MIT kadmin on 749; this entry is unused against a Windows DC.
> admin_server = qbserver.taylortelephone.com:749
> default_domain = taylortelephone.com
> }
>
> [domain_realm]
> # Maps the DNS domain (and all subdomains) onto the realm.
> .taylortelephone.com = TAYLORTELEPHONE.COM
> taylortelephone.com = TAYLORTELEPHONE.COM
>
> [appdefaults]
> # Read only by pam_krb5; winbindd and pam_winbind do not consult this
> # block, so it has no effect on the winbind failures described above.
> pam = {
> debug = false
> # 36000 s (10h) here overrides the 24h in [libdefaults] for PAM logons.
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>