John Stile
2004-Dec-02 21:26 UTC
[Samba] Can RH AS3 be a ADS member with winbind+nss+krb5?
Samba is trying to be a member server in an AD in native mode, using winbind, nss, and kerberos. There are 3 kdc's (2 are Win2003, 1 is Win2000); the samba server is RH-AS3 + Samba version 3.0.9 (from samba.org) + krb5 1.3.1-6 (from Fedora Core). I thought I had things working (join succeeded, could access shares, modify files), and then it stopped working. After clearing out the host account from AD, when I try to add the server back to the domain, the host is added to AD but the join fails.

When it broke the following changes had occurred:
- I had restarted samba.
- I changed some pam files (which have been reverted).
- Windows administrators had turned on 'smb signing' around that time, but I don't know how samba 3.0.9 will handle this.

Questions:
- Is it possible to set up samba as a member server in this configuration with this network and software versions, or should I try another method?
- What is the next best setup method?

I am left wondering what the best options are available at this point, as things seem hopeless. I have followed the steps outlined in Samba-3 By Example, by John H. Terpstra, chapter 9.3.3.
John Stile
2004-Dec-03 00:58 UTC
[Samba] Can RH AS3 be a ADS member with winbind+nss+krb5?
On Thu, 2004-12-02 at 13:26 -0800, John Stile wrote:
> Samba is trying to be a member server in an AD in native mode, using
> winbind, nss, and kerberos. There are 3 kdc's (2 are Win2003, 1 is
> Win2000); the samba server is RH-AS3 + Samba version 3.0.9 (from samba.org)
> + krb5 1.3.1-6 (from Fedora Core). I thought I had things working (join
> succeeded, could access shares, modify files), and then it stopped
> working. After clearing out the host account from AD, when I try to add
> the server back to the domain, the host is added to AD but the join fails.
>
> When it broke the following changes had occurred:
> I had restarted samba.
> I changed some pam files (which have been reverted).
> Windows administrators had turned on 'smb signing' around that time,
> but I don't know how samba 3.0.9 will handle this.
>
> Questions:
> Is it possible to set up samba as a member server in this
> configuration with this network and software versions, or should I try
> another method?
> What is the next best setup method?
>
> I am left wondering what the best options are available at this point,
> as things seem hopeless.
> I have followed the steps outlined in Samba-3 By Example, by John H.
> Terpstra, chapter 9.3.3

I'm still trying to find a solution. Any ideas or feedback would really help. It seems like I'm seeing a lot of 'segmentation faults' and 'Cannot find kdc' from net commands, but name resolution does work, so I don't know what to make of it.
More testing:

kinit stile
New ticket is stored in cachefile /tmp/krb5cc_0

cat /etc/nsswitch.conf | egrep host
hosts: files dns winbind

getent passwd | grep 'ad-'
hcs-ad-c$:x:12439:10002:HCS-AD-C:/home/REALM/hcs-ad-c_:/bin/false
hcs-ad-a$:x:12440:10002:HCS-AD-A:/home/REALM/hcs-ad-a_:/bin/false
hcs-ad-b$:x:12441:10002:HCS-AD-B:/home/REALM/hcs-ad-b_:/bin/false

net ads info
LDAP server: 128.32.67.118
LDAP server name: hcs-ad-b
Realm: REALM.MY.DOMAIN.COM
Bind Path: dc=REALM,dc=MY,dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Thu, 02 Dec 2004 16:35:41 GMT
KDC server: 128.32.67.118
Server time offset: 1

net ads testjoin -U admin
Join is OK

net ads leave -U admin
Removed 'MYHOST' from realm 'REALM.MY.DOMAIN.COM'

net time
correct time displayed

net ads info
dumps correct info about the windows 2000 ADS.

When I did not have a machine account in AD:

net ads keytab create -U admin
libads/kerberose.c:get_service_ticket(335) get_service_ticket: kerberose_kinit_password MYHOST2 $@REALM.MY.DOMAIN.COMM@REALM.MY.DOMAIN.COM failed: Client not found in Kerberose database
Segmentation fault

net ads join -U admin
libads/kerberose.c:get_service_ticket(335) get_service_tiket: kerberose_kinit_password MYHOST2 $@REALM.MY.DOMAIN.COMM@REALM.MY.DOMAIN.COM failed: Client not found in Kerberose database
Segmentation fault

Though the join command failed, the host does appear in AD. Now I rerun the keytab creation:

net ads keytab create -U admin
Warning: "use kerberose keytab" must be set to "true" in order to use keytab functions.
After starting winbind with 'winbindd -S -i -F -d 8 -Y' and running 'getent passwd', the query ends with the following lines:

ads_krb5_mk_req: krb5_get_credentials failed for actdir05 $@ROOTREALM.DOMAIN.COM' (Cannot find KDC for requested realm)
ads_krb5_mk_req: krb5_get_credentials failed for actdir05 $@ROOTREALM.DOMAIN.COM' (Cannot find KDC for requested realm)
ads_connect for domain ROOTREALM failed: Cannot find KDC for requested realm
[ 3123]: getpwent
[ 3123]: endpwent
read failed on sock 18, pid 3123: EOF

net ads lookup myhostname
Information for Domain Controller: foo-ad-b
Response Type: SAMLOGON
GUID: 5d58ee7c-0e3d-4743-adfb-3f6289593630
Flags:
    Is a PDC: no
    Is a GC of the forest: no
    Is an LDAP server: yes
    Supports DS: yes
    Is running a KDC: yes
    Is running time services: yes
    Is the closest DC: yes
    Is writable: yes
    Has a hardware clock: no
    Is a non-domain NC serviced by LDAP server: no
Forest: foo.domain.com
Domain: realm.my.domain.com
Domain Controller: hcs-ad-b.realm.my.domain.com
Pre-Win2k Domain: REALM
Pre-Win2k Hostname: HCS-AD-B
Site Name: MyOrgName
Site Name (2): MyOrgName
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

kinit username@MY.DOMAIN.COM
Password for username@MY.DOMAIN.COM:
Exception: krb_error 0 Cannot get kdc for realm HAAS No error
KrbException: Cannot get kdc for realm HAAS
        at sun.security.krb5.KrbKdcReq.send(DashoA12275:133)
        at sun.security.krb5.KrbKdcReq.send(DashoA12275:106)
        at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:241)
        at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:106)
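Added illustration, not part of the thread or a reply to it: the "Cannot find KDC for requested realm" lines above are what libkrb5 reports when it has no KDC entry or DNS lookup path for a realm, and in a forest the member server needs the forest root realm mapped as well as its own child domain. This hypothetical /etc/krb5.conf uses the realm names printed by the thread's output (REALM.MY.DOMAIN.COM, and FOO.DOMAIN.COM for the forest root, which the log also anonymises as ROOTREALM.DOMAIN.COM); the forest-root KDC hostname is a placeholder and the single KDC address is the one shown by net ads info.

```ini
# Hypothetical /etc/krb5.conf, added as an illustration (not from the thread).
# Realm names come from the thread's command output; dc1.foo.domain.com is a
# placeholder for a forest-root domain controller, and 128.32.67.118 is the
# KDC address that "net ads info" printed for the child domain.
[libdefaults]
    default_realm = REALM.MY.DOMAIN.COM
    # Locate KDCs via _kerberos._tcp.<realm> SRV records, so all three DCs are
    # found without listing each one; the [realms] entries below are fallbacks.
    dns_lookup_kdc = true
    # Hostname-to-realm mapping comes from [domain_realm], not from DNS TXT records.
    dns_lookup_realm = false

[realms]
    # Child domain the server is joining.
    REALM.MY.DOMAIN.COM = {
        kdc = 128.32.67.118
        admin_server = 128.32.67.118
    }
    # Forest root: winbind also requests tickets here (the ROOTREALM lines in the
    # debug output), so it needs a KDC too.
    FOO.DOMAIN.COM = {
        kdc = dc1.foo.domain.com
    }

[domain_realm]
    # Map DNS names (and their subdomains) to the realm that issues their tickets;
    # without these, a DC in the forest root is looked up in the wrong realm.
    .realm.my.domain.com = REALM.MY.DOMAIN.COM
    realm.my.domain.com  = REALM.MY.DOMAIN.COM
    .foo.domain.com      = FOO.DOMAIN.COM
    foo.domain.com       = FOO.DOMAIN.COM
```

A quick way to check the mapping is to run kinit against a user in each realm and then `net ads info`; if the forest-root realm still reports "Cannot find KDC", verify that the _kerberos._tcp SRV record for that realm resolves from the member server.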