I run FreeBSD 5.2.1 and recently configured Samba 3.0.2a (from ports)
for ADS using the FreeBSD-bundled krb5 (Heimdal 0.6, I believe) and
OpenLDAP 2.1.28 (from ports). It is setup to authenticate off a Windows
2000 Domain Controller and is primarily used to provide proxy
authentication for Squid. I will share more about my configuration if
asked, but as it works flawlessly at first I think it's something minor.
Everything works quite well until 10 hours after winbindd was started.
Then requests get denied. I set up a cron job to demonstrate this. The
cron job just logs the time and the output of "wbinfo -t" every five
minutes:
**********************************************************************
<started winbindd>
2004/03/26 02:50:00| checking the trust secret via RPC calls succeeded
2004/03/26 02:55:00| checking the trust secret via RPC calls succeeded
<snip>
2004/03/26 12:45:00| checking the trust secret via RPC calls succeeded
2004/03/26 12:50:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
2004/03/26 12:55:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
**********************************************************************
Some research showed this was probably kerberos tickets expiring or not
being renewed. I looked up the ticket lifetimes for Windows 2000 and
plugged those into my krb5.conf (hostnames changed):
**********************************************************************
$ less /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = EXAMPLE.ORG
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
ticket_lifetime = 36000
renew_lifetime = 604800
[realms]
EXAMPLE.ORG = {
kdc = dc1.example.org
kdc = dc2.example.org
admin_server = dc1.example.org
default_domain = example.org
}
[domain_realms]
.example.org = EXAMPLE.ORG
example.org = EXAMPLE.ORG
**********************************************************************
I then tested whether renewing worked (hostnames changed):
**********************************************************************
$ kinit
noackjr@EXAMPLE.ORG's Password:
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: noackjr@EXAMPLE.ORG
Cache version: 4
Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Ticket etype: des-cbc-crc
Auth time: Mar 26 15:29:19 2004
End time: Mar 27 01:29:19 2004
Renew till: Apr 2 15:29:19 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:10.0.0.2
$ kinit -R
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: noackjr@EXAMPLE.ORG
Cache version: 4
Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Ticket etype: des-cbc-crc
Auth time: Mar 26 15:29:19 2004
Start time: Mar 26 15:29:26 2004
End time: Mar 27 01:29:26 2004
Renew till: Apr 2 15:29:19 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:10.0.0.2
**********************************************************************
In any case, I still see the exact same behavior (death after 10 hours).
There is nothing in /var/log/krb5.log. Can anyone shed some light on
this for me? I suppose I could restart winbindd every 9 hours...
Thanks,
Jon Noack