Okay,
I started over from scratch with my samba server rebuild, but I am still
getting some weird issues. Here are my config files of importance:
--------------/etc/samba/smb.conf--------------------
# Samba Configuration File
[global]
workgroup = WAYNE
realm = WAYNE.LOCAL
server string = Samba Server
security = ADS
password server = police.wayne.local
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
client signing = no
client use spnego = no
[users]
comment = Users on Linux
path = /home/WAYNE
read only = No
browseable = Yes
-----------/etc/nsswitch.conf---------------------
passwd: compat winbind
group: files dns compat winbind
shadow: files winbind
hosts: dns winbind files lwres
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files winbind nis
aliases: files winbind
------------/etc/pam.d/login--------------
#%PAM-1.0
auth requisite pam_unix2.so nullok #set_secrpc
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_winbind.so use_first_pass use_authtok
#auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
account sufficient pam_winbind.so use_first_pass use_authtok
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
password sufficient pam_winbind.so use_first_pass use_authtok
session required pam_unix2.so none # debug or trace
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_limits.so
session required pam_resmgr.so
------------/etc/krb5.conf---------------
[libdefaults]
default_realm = WAYNE.LOCAL
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
[realms]
WAYNE.LOCAL = {
kdc = 192.168.1.11
default_domain = WAYNE.LOCAL
admin_server = police.wayne.local
kpasswd_server = police.wayne.local
}
[domain_realm]
.WAYNE.LOCAL = WAYNE.LOCAL
WAYNE.LOCAL = WAYNE.LOCAL
.wayne.local = WAYNE.LOCAL
wayne.local = WAYNE.LOCAL
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
I have joined the AD successfully and have gained a Kerberos ticket. I can
resolve Windows user names and groups with the following conditions: if I
leave the "default_etypes" lines in krb5.conf, then I get this in my
/var/log/samba/log.smbd file and I am unable to access the samba shares:
[2004/12/21 13:32:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2004/12/21 13:32:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2004/12/21 13:32:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
If I comment the etype lines out, the smb log file looks good and I can
access samba shares, but the /var/log/samba/log.winbind looks like this:
[2004/12/21 12:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
user 'root' does not exist
[2004/12/21 13:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
user 'root' does not exist
[2004/12/21 13:32:04, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
krb5_cc_get_principal failed (No such file or directory)
I also had this show up in /var/log/samba/log.winbind:
[2004/12/21 13:26:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
ads_search_retry: failed to reconnect (Invalid credentials)
Any interpretations?
Thanks.
Brian
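The log excerpts above all share Samba's two-line entry format (a bracketed header with timestamp, debug level and source location, then the message on the following line). As an added example that is not part of Brian's post or of Samba itself, the script below parses that format and tallies the three Kerberos-related messages quoted above, so repeated failures can be counted from a full log file instead of read by eye. The sample log text is constructed from the entries in the post; the one-line descriptions of each signature are this example's own summaries of what the message indicates.

```python
import re
from collections import Counter

# Constructed sample in Samba's two-line log format, taken from the post.
SAMPLE_LOG = """\
[2004/12/21 13:32:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/12/21 13:32:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/12/21 13:32:04, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/12/21 13:26:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
  ads_search_retry: failed to reconnect (Invalid credentials)
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+?):(\w+)\((\d+)\)$"
)

# Message substrings worth counting, with a short reading of each.
KERBEROS_SIGNATURES = {
    "Failed to verify incoming ticket":
        "smbd could not verify the service ticket the client presented",
    "krb5_cc_get_principal failed":
        "winbind found no principal in its credential cache",
    "failed to reconnect (Invalid credentials)":
        "winbind's LDAP bind to the domain controller was rejected",
}


def parse_samba_log(text):
    """Return a list of dicts, one per log entry, joining message lines."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "file": m.group(3), "func": m.group(4),
                       "line": int(m.group(5)), "msg": ""}
            entries.append(current)
        elif current is not None and line:
            current["msg"] = (current["msg"] + " " + line).strip()
    return entries


def triage(entries):
    """Count how often each known Kerberos signature appears."""
    counts = Counter()
    for entry in entries:
        for sig in KERBEROS_SIGNATURES:
            if sig in entry["msg"]:
                counts[sig] += 1
    return counts
```

Run it over `/var/log/samba/log.smbd` and `log.winbind` (read the files and pass their text to `parse_samba_log`) to see which of the three failures dominates after each krb5.conf change.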