av.podrezov@stalcom.com
2005-Sep-01 21:46 UTC
[Samba] Samba - PDC(Windows 2003) connection trouble
Hello.

We have a squid proxy server with ntlm authentication and 20 trusted domains. All works fine, but sometimes winbind stops authenticating users and squid restarts.

OS: Linux 2.4.30
Samba: 3.0.14a
Kerberos: krb5-1.4
Squid: 2.5.Stable10

Commands run on 2005/08/31 at 17:02:30:

/usr/bin/wbinfo -a 'department\tmpuser'%'xxxxxx'
plaintext password authentication failed
Could not authenticate user department\tmpuser%xxxxxx with plaintext password

/usr/bin/ntlm_auth --username=tmpuser --domain=department --password=xxxxxx
could not obtain winbind separator!

After several minutes all works fine again.

winbind log:

...
[2005/08/31 17:02:30, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
[2005/08/31 17:02:30, 3] nsswitch/winbindd_cm.c:connection_ok(724)
  Connection to for domain DEPARTMENT (pipe \PIPE\NETLOGON) has died or was never started (fd == -1)
...

Windows 2003 log:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 31.08.2005
Time: 17:02:30
User: NT AUTHORITY\SYSTEM
Computer: PDC
Description:
Pre-authentication failed:
  User Name: tmpuser$
  User ID: DEPARTMENT\tmpuser$
  Service Name: krbtgt/DEPARTMENT.COMPANY.COM
  Pre-Authentication Type: 0x0
  Failure Code: 0x19
  Client Address: 1.2.3.4

smb.conf:

[global]
  hosts allow = 1. 127.
  interfaces = 1.2.3.4/24
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  load printers = no
  guest account = nobody
  log file = /var/log/samba.%m
  log level = 4 passdb:5 auth:10 winbind:4
  max log size = 102400
  unix charset = UTF8
  display charset = ASCII
  syslog = 0
  server string = proxy
  netbios name = PROXY
  security = ads
  workgroup = DEPARTMENT
  realm = DEPARTMENT.COMPANY.COM
  password server = PDC BDC
  allow trusted domains = yes
  client use spnego = yes
  local master = no
  domain master = no
  preferred master = no
  domain logons = no
  wins support = no
  wins server = 1.2.3.5
  dns proxy = no
  disable netbios = no
  auth methods = winbind
  winbind use default domain = no
  winbind uid = 10000-100000
  winbind gid = 10000-100000
  winbind enum users = yes
  winbind enum groups = yes

krb5.conf:

[libdefaults]
  default_realm = DEPARTMENT.COMPANY.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  DEPARTMENT.COMPANY.COM = {
    tcp/kdc = pdc.department.company.com
    admin_server = pdc.department.company.com
  }

[domain_realms]
  .department.company.com = DEPARTMENT.COMPANY.COM