Stuart Westbury
2005-Mar-20 23:15 UTC
[Samba] samba 3 member of win2003 domain + winbind can't see users
Hi Samba gurus,

I have the following problem with a samba member server on a windows 2003 domain. I have managed to join the domain and my trust secret is good, but I can't list users or groups using "wbinfo -u" or "wbinfo -g".

OS version: Red Hat Enterprise Linux AS release 3 (Taroon)
Samba version: samba-3.0.9-1.3E.2
Kerb version: krb5-libs-1.2.7-38

This is the result from the join. It worked but produced this error:

  net join ads -U admin
  Password:
  [2005/03/18 3:41:00, 0] libads/kerberos.c:ads_kinit_password(133)
    kerberos_kinit_password admin@AU.DOMAIN.INT failed: ASN.1 encoding ended unexpectedly
  Joined domain AU

This is a similar error that I get when I use kinit:

  kinit username@AU.DOMAIN.INT
  Password for username@AU.DOMAIN.INT:
  kinit(v5): ASN.1 encoding ended unexpectedly while getting initial credentials

However, wbinfo -a username works fine (see below). Also, if I enter a wrong password or username to kinit, it tells me the client does not exist. What's wrong with my kerberos?

The server now appears in the Active Directory, the trust secret is good, and users can be authenticated using "wbinfo -a", but when trying to list users and groups, it hangs, and winbind must be restarted. I will show the output of these commands here.

  ~> wbinfo -t
  checking the trust secret via RPC calls succeeded

  ~> wbinfo -a domuser%PASSWD
  plaintext password authentication succeeded
  challenge/response password authentication succeeded

  ~> wbinfo -u
  (hangs for about 30 seconds)
  Error looking up domain users

Winbind must then be restarted or "wbinfo -t" starts to fail with:

  checking the trust secret via RPC calls failed
  error code was  (0x0)
  Could not check secret

I have also set up (in an attempt to solve this problem) a --set-auth-user. I have tried both admin and non-admin accounts. When I do a tdbdump of the secrets.tdb, I can see it in there and the details are correct, but I get the same result. In the secrets.tdb, my domain is set to just AU, not AU.DOMAIN.INT. Is this correct? How do I even change it?

My config files are as follows:

krb5.conf

  [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
  default_realm = AU.DOMAIN.INT

  [realms]
  au.domain.int = {
    kdc = dc001.AU.DOMAIN.INT:88
    kdc = dc002.AU.DOMAIN.INT:88
  }

  [domain_realms]
  .au.domain.int = AU.DOMAIN.INT
  au.domain.int = AU.DOMAIN.INT

smb.conf

  [global]
  workgroup = AU
  netbios name = aucbcosrv016
  realm = AU.DOMAIN.INT
  server string = Test Samba Server
  printcap name = /etc/printcap
  load printers = yes
  printing = lprng
  log file = /var/log/samba/%m.log
  max log size = 0
  security = ads
  winbind enum users = yes
  winbind gid = 10000-20000
  winbind enum groups = yes
  winbind uid = 10000-20000
  winbind cache time = 15
  winbind use default domain = yes
  name resolve order = hosts lmhosts wins bcast
  password server = aucbcosrv001 aucbcosrv002
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  dns proxy = no

  <shares excluded>

nsswitch.conf

  passwd: files winbind
  shadow: files
  group: files winbind

Does this sound familiar to anyone? I've really hit a wall on this. Any help would be greatly appreciated, and rewarded with lots of praise and that warm fuzzy feeling :)

Thanks,
Stuart
Doug VanLeuven
2005-Mar-21 04:26 UTC
[Samba] samba 3 member of win2003 domain + winbind can't see users
Stuart Westbury wrote:
> Hi Samba gurus,
>
> I have the following problem with a samba member server on a windows 2003
> domain. I have managed to join the domain and my trust secret is good, but
> I can't list users or groups using "wbinfo -u" or "wbinfo -g"
>
> OS version Red Hat Enterprise Linux AS release 3 (Taroon)
> Samba version samba-3.0.9-1.3E.2
> Kerb version krb5-libs-1.2.7-38

Your error is definitely a kerberos error code. The MIT doco for kerberos 1.2 says this: the only supported encryption types are "des3-hmac-sha1" and "des-cbc-crc". Samba can handle "des only", but I don't recall if the modifications for this were in samba 3.0.9 or came later. I'm pretty sure they were in there.

If you have access to ldp.exe on the windows DC, check that UF_WORKSTATION_TRUST_ACCOUNT includes UF_USE_DES_KEY_ONLY.

In any event, I only had success using des instead of the windows default rc4-hmac enctype when I allowed samba to manage the keytab:

  use kerberos keytab = yes

When samba manages the keytab file, it adds just about every HOST/host or CIFS/cifs and hostname case variation that might occur. If you decide to try this, you should be able to generate the keytab entries with

  net ads changetrustpw

If it hangs during that process, I've never found a good way to regenerate them other than to delete /etc/krb5.keytab and re-run the command. There's some caching going on, and I've found rebooting to force usage of the new keys can help after a major key change when things aren't quite working right.

> I have also setup (in an attempt to solve this problem) a --set-auth-user.
> I have tried both admin and non-admin accounts. When I do a tdbdump of the
> secrets.tdb, I can see it in there and the details are correct, but I get
> the same result. In the secrets.tdb, my domain is set to just AU, not,
> AU.DOMAIN.INT. Is this correct? How do I even change it?

Domain is the NT40 style windows domain.

> My config files are as follows :
>
> krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = AU.DOMAIN.INT
>
> [realms]
> au.domain.int = {
> kdc = dc001.AU.DOMAIN.INT:88
> kdc = dc002.AU.DOMAIN.INT:88
> }
>
> [domain_realms]
> .au.domain.int = AU.DOMAIN.INT
> au.domain.int = AU.DOMAIN.INT

I've used DNS to find the kdc

  [libdefaults]
  dns_lookup_kdc = true
  dns_lookup_realm = false
  default_realm = NT.LDXNET.COM

without the entry for [realms], with success. I don't think you can specify "kdc = " twice. Only one would be used.

> smb.conf
>
> [global]
>
> workgroup = AU
> netbios name = aucbcosrv016
> realm = AU.DOMAIN.INT
> server string = Test Samba Server
> printcap name = /etc/printcap
> load printers = yes
> printing = lprng
> log file = /var/log/samba/%m.log
> max log size = 0
> security = ads
> winbind enum users = yes
> winbind gid = 10000-20000
> winbind enum groups = yes
> winbind uid = 10000-20000
> winbind cache time = 15
> winbind use default domain = yes
> name resolve order = hosts lmhosts wins bcast
> password server = aucbcosrv001 aucbcosrv002

In AD, I can't speculate what happens when the password servers are different from the domain controllers dc001 and dc002.

  password server = *

finds the password servers for the AD domain. Or you can specify a preference:

  password server = dc002, dc001, *

would allow additional DCs to be used for fallback.

> encrypt passwords = yes
> smb passwd file = /etc/samba/smbpasswd
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
>
> <shares excluded>
>
> nsswitch.conf
>
> passwd: files winbind
> shadow: files
> group: files winbind

I use compat instead of files. I forget the reason right now, but files was used in libc5 and the newer usage is compat for full semantics.

  passwd: compat winbind
  shadow: compat
  group: compat winbind

> Does this sound familiar to anyone? I've really hit a wall on this. Any
> help would be greatly appreciated, and rewarded with lots of praise and
> that warm fuzzy feeling :)
>
> Thanks,
> Stuart

Good luck.
Doug
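The thread above compares two config files by eye. As an added example, not code from either poster or from the Samba project, the script below parses a krb5.conf and the [global] section of an smb.conf and reports the static mismatches a practitioner would rule out before suspecting the KDC or the enctypes: krb5.conf section names libkrb5 does not know (it expects [domain_realm]), a [realms] key whose case differs from default_realm (MIT realm names are case-sensitive), a realm that differs between the two files, and malformed winbind id ranges. The config text inside it is constructed and modelled on the poster's files; the hostnames and realm are placeholders, not a real site.

```python
"""Offline config cross-check for a Samba 3 / MIT Kerberos AD member server.

Added example, not code from this thread or from the Samba project. Config
text below is constructed, modelled on the poster's files (placeholder site).
"""
import re

KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "logging",
                 "appdefaults", "capaths", "kdcdefaults", "plugins"}


def parse_krb5(text):
    """krb5.conf -> {section: {key: [values] or {subkey: [values]}}}.
    Handles the one level of `name = { ... }` nesting used by [realms] and
    keeps repeated keys (several `kdc =` lines) as an ordered list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.fullmatch(r"\[([^\]]+)\]", line)
        if head:
            section, block = conf.setdefault(head.group(1).strip(), {}), None
            continue
        if section is None or line == "}":
            block = None
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if val == "{":
            block = section.setdefault(key, {})
            continue
        (section if block is None else block).setdefault(key, []).append(val)
    return conf


def parse_smb_global(text):
    """smb.conf [global] -> {lower-cased key: value}; share sections ignored."""
    glob, in_global = {}, False
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, _, val = line.partition("=")
            glob[key.strip().lower()] = val.strip()
    return glob


def check_krb5(conf):
    """Findings for a parsed krb5.conf (empty list means nothing to report)."""
    out = [f"krb5.conf: unknown section [{s}] is silently ignored"
           for s in conf if s not in KRB5_SECTIONS]
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [""])[0]
    if not realm:
        return out + ["krb5.conf: no default_realm in [libdefaults]"]
    realms = conf.get("realms", {})
    if realm not in realms:
        lookalike = [r for r in realms if r.upper() == realm.upper()]
        if lookalike:
            out.append(f"krb5.conf: [realms] defines {lookalike[0]!r} but default_realm is "
                       f"{realm!r}; realm names are case-sensitive, so those kdc lines are never used")
        elif libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() != "true":
            out.append(f"krb5.conf: no [realms] entry for {realm!r} and dns_lookup_kdc is off")
    for dom, target in conf.get("domain_realm", {}).items():
        if target[0] != realm and target[0] not in realms:
            out.append(f"krb5.conf: [domain_realm] maps {dom!r} to unknown realm {target[0]!r}")
    return out


def check_smb(glob, krb5_conf):
    """Cross-check smb.conf [global] against krb5.conf and the winbind id ranges."""
    out = []
    if glob.get("security", "").lower() != "ads":
        out.append("smb.conf: security must be 'ads' for an AD member server")
    realm = glob.get("realm", "")
    krb_realm = krb5_conf.get("libdefaults", {}).get("default_realm", [""])[0]
    if not realm or realm != krb_realm:
        out.append(f"smb.conf: realm {realm!r} differs from krb5.conf default_realm {krb_realm!r}")
    if "." in glob.get("workgroup", ""):
        out.append("smb.conf: workgroup must be the short NetBIOS domain name, not the DNS name")
    for key in ("winbind uid", "winbind gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", glob.get(key, ""))
        if not m or int(m[1]) >= int(m[2]):
            out.append(f"smb.conf: {key} = {glob.get(key)!r} is not a low-high range")
        elif int(m[1]) < 1000:
            out.append(f"smb.conf: {key} starts inside the local system account range")
    return out


def audit(krb5_text, smb_text):
    krb5 = parse_krb5(krb5_text)
    return check_krb5(krb5) + check_smb(parse_smb_global(smb_text), krb5)


# Constructed inputs modelled on the thread: "as posted" keeps the lower-case
# [realms] key and the [domain_realms] section name; "fixed" corrects both.
KRB5_AS_POSTED = """
[libdefaults]
 default_realm = AU.DOMAIN.INT
[realms]
 au.domain.int = {
  kdc = dc001.AU.DOMAIN.INT:88
  kdc = dc002.AU.DOMAIN.INT:88
 }
[domain_realms]
 .au.domain.int = AU.DOMAIN.INT
"""
KRB5_FIXED = (KRB5_AS_POSTED.replace(" au.domain.int = {", " AU.DOMAIN.INT = {")
              .replace("[domain_realms]", "[domain_realm]"))
SMB_GLOBAL = """
[global]
 workgroup = AU
 realm = AU.DOMAIN.INT
 security = ads
 winbind uid = 10000-20000
 winbind gid = 10000-20000
[homes]
 browseable = no
"""
# audit(KRB5_AS_POSTED, SMB_GLOBAL) -> two krb5.conf findings
# audit(KRB5_FIXED, SMB_GLOBAL)     -> []
```

The parser deliberately keeps every `kdc =` line of a realm as an ordered list, because libkrb5 accepts several and tries them in order; the checks are purely static, so a clean result still says nothing about enctypes, keytab contents or DNS, which need `klist -ke`, `wbinfo -t` and `kinit` against the live domain.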