Brian_Gautreau@Dell.com
2005-Oct-10 21:14 UTC
[Samba] ADS auth when primary AD server fails
I'm having some trouble getting this to work, or even finding out if it works. I have read through Samba by Example and all the docs I can get my hands on and I can't get this to work. Maybe it isn't supposed to.... I have set up Samba under RHEL4 QU1 to authenticate to AD. I am just using Samba to authenticate users for login purposes. It works fine and dandy until my primary AD box goes down.

I have a secondary AD server. It has a full replication of AD, DNS, and also hands out Kerberos tickets. My AD DNS has the listings for _kerberos._tcp.gutbuster.local. `dig SRV _kerberos._tcp.gutbuster.local` returns both server entries regardless of which DNS server I use.

I don't seem to get very far once my primary has gone down. The Samba host is able to get a new Kerberos ticket from the secondary by running `kinit administrator@GUTBUSTER.LOCAL` but can no longer get winbind info with `wbinfo`, and getent passwd fails to pull AD info. Have I said enough yet?

my samba host is 10.180.23.69
my ad primary is 10.180.23.57
my ad secondary is 10.180.23.88

I have forced Kerberos to use DNS to look up the KDC (dns_lookup_kdc=true) in the krb5.conf and I don't have any KDC=10.180.23.88 entries. I have tried using 'password server = *', 'password server = 10.180.23.88 10.180.23.57', and removing the 'password server=' line altogether.

Does anyone know if this setup even works? Remember, it isn't that I can't get AD to authenticate; it's only when the primary AD server fails and the secondary server is all that exists. Here is my krb5.conf and my smb.conf.......
[root@bar ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = GUTBUSTER.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 GUTBUSTER.LOCAL = {
  default_domain = gutbuster.local
 }

[domain_realm]
 .gutbuster.local = GUTBUSTER.LOCAL
 gutbuster.local = GUTBUSTER.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
[root@bar ~]#

[root@bar ~]# cat /etc/samba/smb.conf
[global]
 winbind separator = +
 winbind cache time = 10
 workgroup = GUTBUSTER.LOCAL
 winbind use default domain = yes
 client schannel = no
 realm = GUTBUSTER.LOCAL
 security = ads
 encrypt passwords = yes
 idmap uid = 5000-5999
 idmap gid = 6000-6999
 winbind enum users = yes
 winbind enum groups = yes
 template shell = /bin/bash
 template homedir = /home/%U
[root@bar ~]#

Thanks,
Brian Gautreau
On Mon, Oct 10, 2005 at 03:52:02PM -0500, Brian_Gautreau@Dell.com wrote:
> Im having some trouble getting, or even finding out if this works. I
> have read through the samba by example and all the docs i can get my
> hands on and i cant get this to work. Maybe it isn't supposed too....
> I have setup samba under RHEL4 QU1 to authenticate to AD. I am just
> using samba to authenticate users for login purposes. It works fine and
> dandy until my primary AD box goes down.
>
> I have a secondary AD server. It has a full replication of AD, DNS, and
> also hands out kerberos tickets. My AD DNS has the listings for
> _kerberos._tcp.gutbuster.local. `dig SRV
> _kerberos._tcp.gutbuster.local` returns both server entries results
> regardless of which DNS server I use.
>
> I dont seem to get very far once my primary has gone down. The samba
> host is able to get a new kerberos ticket from the secondary by running
> `kinit administrator@GUTBUSTER.LOCAL` but can no longer get winbind info
> with `wbinfo` and getent passwd fails to pull AD info. Have I said
> enough yet?
>
> my samba host is 10.180.23.69
> my ad primary is 10.180.23.57
> my ad secondary is 10.180.23.88
>
> I have forced kerberos to use DNS to lookup the KDC
> (dns_lookup_kdc=true) in the krb5.conf and i dont have any of the
> KDC=10.180.23.88. I have tried using 'password server = *', 'password
> server = 10.180.23.88 10.180.23.57', and removing the 'password server='
> line all together.
>
> Does anyone know if this setup even works? Remember, It isn't that I
> cant get AD to authenticate, its only when the primary AD server fails
> and the secondary server is all that exists.

Very thorough, except you neglected to tell us what version of Samba you're using..... That actually does help, you know :-). winbindd has been undergoing a lot of work recently; knowing the version you're using would help us investigate.

Can you get an ethereal trace from your box when you're trying to get it to fail over please?

Jeremy.
Brian_Gautreau@Dell.com
2005-Oct-11 20:43 UTC
[Samba] ADS auth when primary AD server fails
My apologies for the lack of info. Thought I had it covered...

(samba version is native to RHEL4)
[root@bar ~]# rpm -qa | grep samba
samba-common-3.0.10-1.4E
samba-3.0.10-1.4E
system-config-samba-1.2.21-1
samba-client-3.0.10-1.4E
[root@bar ~]#
[root@bar ~]# uname -a
Linux bar 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 i686 i386 GNU/Linux
[root@bar ~]#
[root@bar ~]# smbd -V
Version 3.0.10-1.4E
[root@bar ~]#

Windows:
Win2k3 no service pack

I will attach the tcpdump output. I'm not sure if it is appropriate to attach it to send to the list. Please don't flame me, too bad, if it is the wrong thing to do. I don't know where I will provide it otherwise. It was run as `tcpdump -i eth0 -w /tmp/tcpdump.out host 10.180.23.57 or host 10.180.23.88` while trying to log in with the primary AD server down.

I also have a snip from /var/log/messages when this took place, but I think it mostly just says winbindd can't talk to the domain....

---- Snip ----
Oct 10 21:13:07 bar winbindd[4008]: [2005/10/10 21:13:07, 0] nsswitch/winbindd_util.c:get_trust_pw(1034)
Oct 10 21:13:07 bar winbindd[4008]: get_trust_pw: could not fetch trust account password for my domain GUTBUSTER
Oct 10 21:13:07 bar pam_winbind[28308]: request failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Oct 10 21:13:07 bar pam_winbind[28308]: internal module error (retval 4, user = `administrator'
Oct 10 21:13:07 bar sshd(pam_unix)[28308]: check pass; user unknown
Oct 10 21:13:07 bar sshd(pam_unix)[28308]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=windows.gutbuster.local
Oct 10 21:13:07 bar winbindd[4008]: [2005/10/10 21:13:07, 0] nsswitch/winbindd_util.c:get_trust_pw(1034)
Oct 10 21:13:07 bar winbindd[4008]: get_trust_pw: could not fetch trust account password for my domain GUTBUSTER
Oct 10 21:13:07 bar pam_winbind[28308]: request failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Oct 10 21:13:07 bar pam_winbind[28308]: internal module error (retval 4, user = `administrator'
Oct 10 21:13:13 bar winbindd[4008]: [2005/10/10 21:13:13, 0] nsswitch/winbindd_util.c:get_trust_pw(1034)
Oct 10 21:13:13 bar winbindd[4008]: get_trust_pw: could not fetch trust account password for my domain GUTBUSTER
Oct 10 21:13:13 bar pam_winbind[28308]: request failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Oct 10 21:13:13 bar pam_winbind[28308]: internal module error (retval 4, user = `administrator'
Oct 10 21:13:13 bar sshd(pam_unix)[28308]: check pass; user unknown
Oct 10 21:13:13 bar winbindd[4008]: [2005/10/10 21:13:13, 0] nsswitch/winbindd_util.c:get_trust_pw(1034)
Oct 10 21:13:13 bar winbindd[4008]: get_trust_pw: could not fetch trust account password for my domain GUTBUSTER
Oct 10 21:13:13 bar pam_winbind[28308]: request failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Oct 10 21:13:13 bar pam_winbind[28308]: internal module error (retval 4, user = `administrator'
Oct 10 21:13:23 bar winbindd[4008]: [2005/10/10 21:13:23, 0] nsswitch/winbindd_util.c:get_trust_pw(1034)
Oct 10 21:13:23 bar winbindd[4008]: get_trust_pw: could not fetch trust account password for my domain GUTBUSTER
Oct 10 21:13:23 bar pam_winbind[28308]: request failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Oct 10 21:13:23 bar pam_winbind[28308]: internal module error (retval 4, user = `administrator'
Oct 10 21:13:26 bar sshd(pam_unix)[28308]: check pass; user unknown
Oct 10 21:13:26 bar winbindd[4008]: [2005/10/10 21:13:26, 0] nsswitch/winbindd_util.c:get_trust_pw(1034)
Oct 10 21:13:26 bar winbindd[4008]: get_trust_pw: could not fetch trust account password for my domain GUTBUSTER
Oct 10 21:13:26 bar pam_winbind[28308]: request failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Oct 10 21:13:26 bar pam_winbind[28308]: internal module error (retval 4, user = `administrator'
---- Snip ----

-Brian
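Detection logic for the /var/log/messages pattern in the snippet above, added here as an example and not part of the thread: it parses the winbindd get_trust_pw failures and the pam_winbind NT_STATUS_CANT_ACCESS_DOMAIN_INFO errors and flags a likely DC outage. The sample lines are constructed in the same syslog format, and the failure threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines, in the same format as the /var/log/messages snippet.
SAMPLE_LOG = """\
Oct 10 21:13:07 bar winbindd[4008]: [2005/10/10 21:13:07, 0] nsswitch/winbindd_util.c:get_trust_pw(1034)
Oct 10 21:13:07 bar winbindd[4008]: get_trust_pw: could not fetch trust account password for my domain GUTBUSTER
Oct 10 21:13:07 bar pam_winbind[28308]: request failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Oct 10 21:13:07 bar pam_winbind[28308]: internal module error (retval 4, user = `administrator'
Oct 10 21:13:07 bar sshd(pam_unix)[28308]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=windows.gutbuster.local
Oct 10 21:13:13 bar winbindd[4008]: get_trust_pw: could not fetch trust account password for my domain GUTBUSTER
Oct 10 21:13:13 bar pam_winbind[28308]: internal module error (retval 4, user = `administrator'
Oct 10 21:13:23 bar winbindd[4008]: get_trust_pw: could not fetch trust account password for my domain GUTBUSTER
Oct 10 21:13:26 bar pam_winbind[28308]: request failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Oct 10 21:13:26 bar pam_winbind[28308]: internal module error (retval 4, user = `jdoe'
Oct 10 21:14:02 bar sshd(pam_unix)[28400]: session opened for user jdoe by (uid=0)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TRUST_PW_RE = re.compile(r"could not fetch trust account password for my domain (?P<domain>\S+)")
USER_RE = re.compile(r"user = `(?P<user>[^']*)'")

def analyze(log_text, threshold=3):
    """Summarise winbind domain-reachability failures; threshold (assumed) = trust-pw failures needed to raise the flag."""
    trust_failures = Counter()   # domain -> number of get_trust_pw failures
    cant_access = 0              # pam_winbind requests that failed with NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    users = set()                # users whose logins hit the failure
    first = last = None          # timestamps bracketing the trust-pw failures
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "winbindd":
            t = TRUST_PW_RE.search(msg)
            if t:
                trust_failures[t.group("domain")] += 1
                first = first or m.group("ts")
                last = m.group("ts")
        elif prog == "pam_winbind":
            if "NT_STATUS_CANT_ACCESS_DOMAIN_INFO" in msg:
                cant_access += 1
            u = USER_RE.search(msg)
            if u:
                users.add(u.group("user"))
    return {"domains": dict(trust_failures), "cant_access_domain_info": cant_access,
            "affected_users": sorted(users), "window": (first, last),
            "dc_unreachable": any(c >= threshold for c in trust_failures.values())}
```

Run it over a real /var/log/messages and a non-empty "domains" counter with dc_unreachable set tells you winbindd never failed over, which is the symptom the thread describes.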
Brian_Gautreau@Dell.com
2005-Oct-13 23:24 UTC
[Samba] ADS auth when primary AD server fails
The 3.0.20a version seems to have resolved the issue. At the very least, I am having a whole lot more luck when my primary goes down and still authenticating to my AD domain. I am opening a bug with Red Hat to have them take a look at the issue from their side of things.

Thank you for the help.

-Brian

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org]
Sent: Tuesday, October 11, 2005 4:51 PM
To: Gautreau, Brian
Cc: jra@samba.org; samba@lists.samba.org
Subject: Re: [Samba] ADS auth when primary AD server fails

On Tue, Oct 11, 2005 at 09:13:39AM -0500, Brian_Gautreau@Dell.com wrote:
> 
> My apologies for the lack of info. Thought I had it covered...
> 
> (samba version is native to RHEL4)
> [root@bar ~]# rpm -qa | grep samba
> samba-common-3.0.10-1.4E
> samba-3.0.10-1.4E
> system-config-samba-1.2.21-1
> samba-client-3.0.10-1.4E
> [root@bar ~]#
> [root@bar ~]# uname -a
> Linux bar 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 i686 i386
> GNU/Linux [root@bar ~]# [root@bar ~]# smbd -V Version 3.0.10-1.4E
> [root@bar ~]#
> 
> Windows:
> Win2k3 no service pack
> 
> 
> I will attach the tcpdump output. Im not sure if it is appropriate to
> attach it to send to the list. Please don't flame me, to bad, if it
> is the wrong thing to do. I don't know where I will provide it otherwise.
> It was run as `tcpdump -i eth0 -w /tmp/tcpdump.out host 10.180.23.57
> or host 10.180.23.88` while trying to login with the primary AD server
> down.
> 
> I also have a snip from /var/log/messages when this took place but I
> think it mostly just says winbindd can't talk to the domain....

Is it possible for you to try 3.0.20a or (later this week) 3.0.20b? There are improvements in winbindd fallback code in those releases. At least then we know we're working with the latest code base (winbindd has had major changes on it between 3.0.10 and 3.0.20).

Jeremy.