Michael Wray
2005-Apr-18 18:40 UTC
[Samba] \PIPE\NETLOGON (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
Help,
wbinfo -t fails with the error in subject, and getting sids of groups that
aren't BUILTIN fail. Everything else seems to work. Note: I am not
converting my kerberos tickets to krb4, is this necessary? (It used to work
without it..but now it seems not to work.) I get no errors from kinit.
all other wbinfo requests succeed with the exception of looking up the SIDS of
groups that aren't BUILTIN.
I need to get the SIDS for my application.
net ads testjoin succeeds, as does net rpc testjoin.
Get the exact same error on 2 different domains, one is 2003 the other is 2000
Active Directory on both.
smb.conf
#======================= Global Settings
====================================[global]
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
server string = Filtering Server
log file = /var/log/samba/log.%m
max log size = 50
security = ads
socket options = TCP_NODELAY
dns proxy = no
encrypt passwords = true
passdb backend = smbpasswd guest
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = S4FTEST
password server = server03test.test.com
realm=test.com
# use spnego = yes # 2003 breaks with and without this statement
winbind separator = \\
winbind use default domain = yes
krb5.conf
[libdefaults]
default_realm = TEST.COM
# The following krb5.conf variables are only for MIT Kerberos.
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
# permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
# krb4_config = /etc/krb.conf
# krb4_realms = /etc/krb.realms
# kdc_timesync = 1
# ccache_type = 4
forwardable = true
proxiable = true
krb4_get_tickets=no
# The following libdefaults parameters are only for Heimdal Kerberos.
# v4_instance_resolve = false
## v4_name_convert = {
# host = {
# rcmd = host
# ftp = ftp
# }
# plain = {
# something = something-else
# }
# }
[realms]
TEST.COM = {
kdc = server03test.test.com
admin_server = server03test.test.com
default_domain = test.com
}
[domain_realm]
.test.com = TEST.COM
log.winbindd without spnego
[15001]: request interface version
[2005/04/18 13:31:54, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[15001]: request location of privileged pipe
[2005/04/18 13:31:54, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(41)
[15001]: check machine account
[2005/04/18 13:31:54, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(106)
IPC$ connections done by user S4FTEST\Administrator
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
Doing spnego session setup (blob length=113)
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 48018 1 2 2
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2 3
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 3 6 1 4 1 311 2 2 10
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
got principal=server03test$@S4FTEST.COM
[2005/04/18 13:31:54, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533)
Doing kerberos session setup
[2005/04/18 13:31:54, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 18 Apr 2005 23:29:32 GMT
[2005/04/18 13:31:54, 0] libsmb/smb_signing.c:signing_good(240)
signing_good: BAD SIG: seq 1
[2005/04/18 13:31:54, 0] libsmb/clientgen.c:cli_receive_smb(121)
SMB Signature verification failed on incoming packet!
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
Doing spnego session setup (blob length=113)
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 48018 1 2 2
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2 3
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 3 6 1 4 1 311 2 2 10
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
got principal=server03test$@S4FTEST.COM
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup_ntlmssp(615)
Failed to send NTLMSSP/SPNEGO blob to server!
[2005/04/18 13:31:54, 3] libsmb/cliconnect.c:cli_session_setup(861)
SPNEGO login failed: Undetermined error
[2005/04/18 13:31:54, 3] nsswitch/winbindd_cm.c:new_cm_connection(755)
Could not open a connection to S4FTEST for \PIPE\NETLOGON
(NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2005/04/18 13:31:54, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68)
could not open handle to NETLOGON pipe
[2005/04/18 13:31:54, 2]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
Checking the trust account password returned
NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
log.winbindd with spnego
[2005/04/18 13:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[16950]: request interface version
[2005/04/18 13:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[16950]: request location of privileged pipe
[2005/04/18 13:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[16950]: getgroups amavis
[2005/04/18 13:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[16943]: request interface version
[2005/04/18 13:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[16943]: request location of privileged pipe
[2005/04/18 13:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(41)
[16943]: check machine account
[2005/04/18 13:40:02, 3] nsswitch/winbindd_cm.c:new_cm_connection(755)
Could not open a connection to S4FTEST for \PIPE\NETLOGON
(NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2005/04/18 13:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68)
could not open handle to NETLOGON pipe
[2005/04/18 13:40:02, 2]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
Checking the trust account password returned
NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2005/04/18 13:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[16957]: request interface version
[2005/04/18 13:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[16957]: request location of privileged pipe
[2005/04/18 13:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[16957]: getgroups root
[2005/04/18 13:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[16963]: request interface version
[2005/04/18 13:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[16963]: request location of privileged pipe
[2005/04/18 13:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[16963]: getgroups postfix
[2005/04/18 13:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[16964]: request interface version
[2005/04/18 13:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[16964]: request location of privileged pipe
[2005/04/18 13:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[16964]: getgroups root
[2005/04/18 13:40:02, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[16966]: request interface version
[2005/04/18 13:40:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[16966]: request location of privileged pipe
[2005/04/18 13:40:02, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1004)
[16966]: getgroups postfix
[2005/04/18 13:40:46, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[17211]: request interface version
[2005/04/18 13:40:46, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[17211]: request location of privileged pipe
[2005/04/18 13:40:46, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(41)
[17211]: check machine account
[2005/04/18 13:40:46, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(106)
IPC$ connections done by user S4FTEST\Administrator
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
Doing spnego session setup (blob length=113)
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 48018 1 2 2
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2 3
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 3 6 1 4 1 311 2 2 10
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
got principal=server03test$@S4FTEST.COM
[2005/04/18 13:40:46, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533)
Doing kerberos session setup
[2005/04/18 13:40:46, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 18 Apr 2005 23:38:24 GMT
[2005/04/18 13:40:46, 0] libsmb/smb_signing.c:signing_good(240)
signing_good: BAD SIG: seq 1
[2005/04/18 13:40:46, 0] libsmb/clientgen.c:cli_receive_smb(121)
SMB Signature verification failed on incoming packet!
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
Doing spnego session setup (blob length=113)
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 48018 1 2 2
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2 3
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 3 6 1 4 1 311 2 2 10
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
got principal=server03test$@S4FTEST.COM
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup_ntlmssp(615)
Failed to send NTLMSSP/SPNEGO blob to server!
[2005/04/18 13:40:46, 3] libsmb/cliconnect.c:cli_session_setup(861)
SPNEGO login failed: Undetermined error
[2005/04/18 13:40:46, 3] nsswitch/winbindd_cm.c:new_cm_connection(755)
Could not open a connection to S4FTEST for \PIPE\NETLOGON
(NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2005/04/18 13:40:46, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68)
could not open handle to NETLOGON pipe
[2005/04/18 13:40:46, 2]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
Checking the trust account password returned
NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
--
Michael Wray
AimConnect, an S4F Inc. Company
918.524.1010 ext 106
mwray@aimconnect.com
http://www.aimconnect.com
David Michaels
2005-Apr-20 18:02 UTC
[Samba] \PIPE\NETLOGON (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
> > Michael Wray wrote: > >Help, > >wbinfo -t fails with the error in subject, and getting sids of groups that >aren't BUILTIN fail. Everything else seems to work. Note: I am not >converting my kerberos tickets to krb4, is this necessary? (It used to work >without it..but now it seems not to work.) I get no errors from kinit. > >all other wbinfo requests succeed with the exception of looking up the SIDS of >groups that aren't BUILTIN. > >I need to get the SIDS for my application. > >net ads testjoin succeeds, as does net rpc testjoin. > >Get the exact same error on 2 different domains, one is 2003 the other is 2000 >Active Directory on both. > >I was seeing this behavior with 3.0.4, server = domain. "wbinfo -t" would usually result in the subject message appearing in the winbind error log file, and the secret check would fail. I modified my "password server =" entry to point to the FQDN of the PDC, /and/ the canoniical name of the PDC (hostname only). After that, wbinfo -t returned success, quickly, and repeatedly. Give that a try? --Dragon