I'm trying to learn about the interactions between SAMBA and Win2k
DCs. The eventual goal is to have a Win2k server with ADS working with
a FreeBSD SAMBA server. I've used the setup from
http://oslabs.mikro-net.com/fbsd_samba.html and many other articles as
the basis for what I've done so far. Winbind seems to work and I can
show users and groups using wbinfo although I see some things in the
logs that I haven't been able to figure out.
I'm using a Win2k native domain, FreeBSD 5.2-RELEASE, and Samba 3.0.4.
The domain is HOME, the win2k server is frosty.home.local and the Samba
machine is kara.home.local.
I'm working my way through the initial startup of winbindd, and have the
following in my logs. I can't figure out what the failure is at the
end. Could it be that the machine password stored on KARA is wrong?
I can use kinit and get tickets for users from the kerberos server, and
access user-specific shares with smbclient.
--------------------
[2004/08/15 08:00:05, 5] nsswitch/winbindd_cm.c:cm_open_connection(256)
connecting to FROSTY from KARA with kerberos principal [KARA$@HOME.LOCAL]
[2004/08/15 08:00:05, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
Doing kerberos session setup
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:wcache_flush_cache(66)
wcache_flush_cache success
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:alternate_name(1326)
alternate_name: [Cached] - doing backend query for info for domain HOME
[2004/08/15 08:00:05, 3] nsswitch/winbindd_ads.c:alternate_name(932)
ads: alternate_name
[2004/08/15 08:00:05, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
krb5_cc_get_principal failed (No such file or directory)
-----------------------
If anyone can point me to anything more I can read to help me explain
what's going on I would appreciate it.
I have attached the full log, and smb.conf in case they are useful.
Thanks,
Joe.
-------------- next part --------------
[2004/08/15 08:00:04, 1] nsswitch/winbindd.c:main(843)
winbindd version 3.0.4 started.
Copyright The Samba Team 2000-2004
[2004/08/15 08:00:04, 2] param/loadparm.c:do_section(3392)
Processing section "[homes]"
[2004/08/15 08:00:04, 2] param/loadparm.c:do_section(3392)
Processing section "[storage]"
[2004/08/15 08:00:05, 2] lib/interface.c:add_interface(79)
added interface ip=10.0.0.102 bcast=10.0.0.255 nmask=255.255.255.0
[2004/08/15 08:00:05, 2] lib/interface.c:add_interface(79)
added interface ip=10.0.0.102 bcast=10.0.0.255 nmask=255.255.255.0
[2004/08/15 08:00:05, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
Registered MSG_REQ_POOL_USAGE
[2004/08/15 08:00:05, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/08/15 08:00:05, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
add_trusted_domain: HOME is an NT4 domain
[2004/08/15 08:00:05, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain HOME HOME.LOCAL S-0-0
[2004/08/15 08:00:05, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(110)
IPC$ connections done anonymously
[2004/08/15 08:00:05, 5] nsswitch/winbindd_cm.c:cm_open_connection(256)
connecting to FROSTY from KARA with kerberos principal [KARA$@HOME.LOCAL]
[2004/08/15 08:00:05, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
Doing kerberos session setup
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:wcache_flush_cache(66)
wcache_flush_cache success
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:alternate_name(1326)
alternate_name: [Cached] - doing backend query for info for domain HOME
[2004/08/15 08:00:05, 3] nsswitch/winbindd_ads.c:alternate_name(932)
ads: alternate_name
[2004/08/15 08:00:05, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
krb5_cc_get_principal failed (No such file or directory)
[2004/08/15 08:00:05, 5] nsswitch/winbindd_util.c:add_trusted_domains(207)
scanning trusted domain list
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:trusted_domains(1301)
trusted_domains: [Cached] - doing backend query for info for domain HOME
[2004/08/15 08:00:05, 3] nsswitch/winbindd_ads.c:trusted_domains(832)
ads: trusted_domains
[2004/08/15 08:00:05, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(110)
IPC$ connections done anonymously
[2004/08/15 08:00:05, 5] nsswitch/winbindd_cm.c:cm_open_connection(256)
connecting to FROSTY from KARA with kerberos principal [KARA$@HOME.LOCAL]
[2004/08/15 08:00:05, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
Doing kerberos session setup
[2004/08/15 08:00:05, 10] nsswitch/winbindd_util.c:add_trusted_domains(226)
Found domain HOME
[2004/08/15 08:00:05, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
add_trusted_domain: BUILTIN is an NT4 domain
[2004/08/15 08:00:05, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain BUILTIN S-1-5-32
[2004/08/15 08:00:05, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
add_trusted_domain: KARA is an NT4 domain
[2004/08/15 08:00:05, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain KARA S-1-5-21-3424855220-147354258-856157331
[2004/08/15 08:00:05, 5] nsswitch/winbindd_util.c:add_trusted_domains(207)
scanning trusted domain list
[2004/08/15 08:00:05, 10] nsswitch/winbindd_cache.c:trusted_domains(1301)
trusted_domains: [Cached] - doing backend query for info for domain HOME
[2004/08/15 08:00:05, 3] nsswitch/winbindd_ads.c:trusted_domains(832)
ads: trusted_domains
[2004/08/15 08:00:05, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(110)
IPC$ connections done anonymously
[2004/08/15 08:00:05, 5] nsswitch/winbindd_cm.c:cm_open_connection(256)
connecting to FROSTY from KARA with kerberos principal [KARA$@HOME.LOCAL]
[2004/08/15 08:00:05, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
Doing kerberos session setup
[2004/08/15 08:00:05, 10] nsswitch/winbindd_util.c:add_trusted_domains(226)
Found domain HOME
[2004/08/15 08:00:05, 10] nsswitch/winbindd_util.c:open_winbindd_socket(673)
open_winbindd_socket: opened socket fd 15
[2004/08/15 08:00:05, 10] nsswitch/winbindd_util.c:open_winbindd_priv_socket(685)
open_winbindd_priv_socket: opened socket fd 17
************** Start 'wbinfo -g' ********************8
[2004/08/15 08:01:10, 6] nsswitch/winbindd.c:new_connection(343)
accepted socket 18
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:winbind_client_read(458)
client_read: read 1824 bytes. Need 0 more for a full request.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:process_request(308)
process_request: request fn INTERFACE_VERSION
[2004/08/15 08:01:10, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[37379]: request interface version
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:client_write(512)
client_write: wrote 1300 bytes.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:winbind_client_read(458)
client_read: read 1824 bytes. Need 0 more for a full request.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:process_request(308)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2004/08/15 08:01:10, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[37379]: request location of privileged pipe
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:client_write(512)
client_write: wrote 1300 bytes.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:client_write(557)
client_write: need to write 34 extra data bytes.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:client_write(512)
client_write: wrote 34 bytes.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:client_write(546)
client_write: client_write: complete response written.
[2004/08/15 08:01:10, 6] nsswitch/winbindd.c:new_connection(343)
accepted socket 19
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:winbind_client_read(458)
client_read: read 0 bytes. Need 1824 more for a full request.
[2004/08/15 08:01:10, 5] nsswitch/winbindd.c:winbind_client_read(465)
read failed on sock 18, pid 37379: EOF
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:winbind_client_read(458)
client_read: read 1824 bytes. Need 0 more for a full request.
[2004/08/15 08:01:10, 10] nsswitch/winbindd.c:process_request(308)
process_request: request fn LIST_GROUPS
[2004/08/15 08:01:10, 3] nsswitch/winbindd_group.c:winbindd_list_groups(848)
[37379]: list groups
[2004/08/15 08:01:10, 4] nsswitch/winbindd_group.c:get_sam_group_entries(564)
get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2004/08/15 08:01:10, 2] lib/smbldap.c:smbldap_search_domain_info(1344)
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=KARA))]
[2004/08/15 08:01:10, 2] lib/smbldap.c:smbldap_open_connection(639)
smbldap_open_connection: connection opened
[2004/08/15 08:01:11, 1] lib/smbldap.c:add_new_domain_info(1314)
failed to add domain dn= sambaDomainName=KARA,dc=home,dc=local with: No such attribute
00000057: LdapErr: DSID-0C09098B, comment: Error in attribute conversion operation, data 0, v893
[2004/08/15 08:01:11, 0] lib/smbldap.c:smbldap_search_domain_info(1363)
Adding domain info for KARA failed with NT_STATUS_UNSUCCESSFUL
[2004/08/15 08:01:11, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(2740)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
[2004/08/15 08:01:12, 2] passdb/pdb_ldap.c:ldapsam_setsamgrent(2248)
ldapsam_setsampwent: 0 entries in the base!
[2004/08/15 08:01:12, 4] nsswitch/winbindd_group.c:get_sam_group_entries(573)
get_sam_group_entries: Returned 0 local groups
[2004/08/15 08:01:12, 4] nsswitch/winbindd_group.c:get_sam_group_entries(564)
get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2004/08/15 08:01:13, 2] passdb/pdb_ldap.c:ldapsam_setsamgrent(2248)
ldapsam_setsampwent: 0 entries in the base!
[2004/08/15 08:01:13, 4] nsswitch/winbindd_group.c:get_sam_group_entries(573)
get_sam_group_entries: Returned 0 local groups
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:fetch_cache_seqnum(272)
fetch_cache_seqnum: invalid data size key [SEQNUM/HOME]
[2004/08/15 08:01:13, 3] nsswitch/winbindd_ads.c:sequence_number(792)
ads: fetch sequence_number for HOME
[2004/08/15 08:01:13, 7] nsswitch/winbindd_ads.c:ads_cached_connection(48)
Current tickets expire at 1092589241
, time is now 1092553273
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(325)
store_cache_seqnum: success [HOME][245716 @ 1092553273]
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(380)
refresh_sequence_number: HOME seq number is now 245716
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:enum_dom_groups(818)
enum_dom_groups: [Cached] - doing backend query for list for domain HOME
[2004/08/15 08:01:13, 3] nsswitch/winbindd_ads.c:enum_dom_groups(230)
ads: enum_dom_groups
[2004/08/15 08:01:13, 7] nsswitch/winbindd_ads.c:ads_cached_connection(48)
Current tickets expire at 1092589241
, time is now 1092553273
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Administrators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Users !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Guests !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Backup Operators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Replicator !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Server Operators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Account Operators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Print Operators !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Pre-Windows 2000 Compatible Access !?
[2004/08/15 08:01:13, 3] nsswitch/winbindd_ads.c:enum_dom_groups(296)
ads enum_dom_groups gave 15 entries
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(355)
refresh_sequence_number: HOME time ok
[2004/08/15 08:01:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(380)
refresh_sequence_number: HOME seq number is now 245716
[2004/08/15 08:01:13, 10] nsswitch/winbindd.c:client_write(512)
client_write: wrote 1300 bytes.
[2004/08/15 08:01:13, 10] nsswitch/winbindd.c:client_write(557)
client_write: need to write 309 extra data bytes.
[2004/08/15 08:01:13, 10] nsswitch/winbindd.c:client_write(512)
client_write: wrote 309 bytes.
[2004/08/15 08:01:13, 10] nsswitch/winbindd.c:client_write(546)
client_write: client_write: complete response written.
[2004/08/15 08:01:13, 10] nsswitch/winbindd.c:winbind_client_read(458)
client_read: read 0 bytes. Need 1824 more for a full request.
[2004/08/15 08:01:13, 5] nsswitch/winbindd.c:winbind_client_read(465)
read failed on sock 19, pid 37379: EOF
[2004/08/15 08:01:30, 10] nsswitch/winbindd.c:winbind_client_read(458)
client_read: read 0 bytes. Need 1824 more for a full request.
[2004/08/15 08:01:30, 5] nsswitch/winbindd.c:winbind_client_read(465)
read failed on sock 8, pid 37374: EOF
-------------- next part --------------
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings ====================================
[global]
security = ADS
realm = home.local
workgroup = HOME
netbios name = KARA
server string = Hi I'm Kara
encrypt passwords = yes
password server = *
passdb backend = ldapsam:ldaps://frosty.home.local
ldap suffix = dc=home,dc=local
ldap admin dn = cn=ldapgoddess,cn=users,dc=home,dc=local
ldap filter = (&(uid=%u)(objectclass=person))
ldap filter = (&(uid=%u)(objectCategory=person)(objectClass=user)(sAMAccountName=*))
ldap server = frosty.home.local
ldap ssl = on
restrict anonymous = 2
; server signing = mandatory
server schannel = yes
; ntlm auth = no
; lm announce = no
; minprotocol = NT1
client schannel = yes
; client signing = mandatory
; client signing = auto
client ntlmv2 auth = yes
;;;;;may be broken according to man page, for win2k3
# client use spnego = yes
winbind separator = +
idmap uid = 10000-11000
idmap gid = 10000-11000
; disable enum to reduce noise in logs
; winbind enum users = Yes
; winbind enum groups = Yes
winbind enum users = no
winbind enum groups = no
template shell = /usr/local/bin/bash
template homedir = /home/%D/%U
log file = /var/log/samba/log.%m
max log size = 100
log level = 2 passdb:2 winbind:10 auth:2
#============================ Share Definitions =============================
[homes]
comment = Home Directories
browseable = no
writable = yes
[storage]
path = /home/share
readonly = no
guest ok = Yes
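
Added example, not part of the original post or of Samba: a small Python triage script for the winbindd log format shown above. It rejoins entry headers that mail wrapping split across two lines and counts the entries logged at debug level 0 or 1, which is where the `krb5_cc_get_principal` and `smbldap` failures appear. The function names and the `SAMPLE` excerpt (abridged from the log above) are this example's own.

```python
import re
from collections import Counter

# "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)" starts each entry.
# Mail wrapping can push the location onto the next line, so match it alone too.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:\w+\(\d+\)$")

# Constructed sample: entries abridged from the log in the post.
SAMPLE = """\
[2004/08/15 08:00:05, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(535)
Doing kerberos session setup
[2004/08/15 08:00:05, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
krb5_cc_get_principal failed (No such file or directory)
[2004/08/15 08:01:11, 0] lib/smbldap.c:smbldap_search_domain_info(1363)
Adding domain info for KARA failed with NT_STATUS_UNSUCCESSFUL
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Users !?
[2004/08/15 08:01:13, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282)
No rid for Users !?
"""

def parse_entries(text):
    """Split log text into dicts with time, level, location and message."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "location": m.group(3), "message": ""})
        elif entries and not entries[-1]["location"] and LOCATION.match(line):
            entries[-1]["location"] = line  # wrapped header: rejoin it
        elif entries:
            e = entries[-1]
            e["message"] = (e["message"] + " " + line).strip()
    return entries

def triage(text, max_level=1):
    """Count distinct (location, message) pairs at or below max_level."""
    return Counter((e["location"], e["message"])
                   for e in parse_entries(text) if e["level"] <= max_level)

if __name__ == "__main__":
    for (loc, msg), n in sorted(triage(SAMPLE).items()):
        print(f"{n:3d}x {loc}: {msg}")
```

Collapsing repeats keeps bursts such as the "No rid for ..." lines from burying single failures.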