I can see the SID of the ID I am trying to authenticate with...
USTR-LINUX-1:~ # wbinfo -n EU\\inblr-auth1
S-1-5-21-606747145-879983540-1177238915-173280 User (1)
I have turned up the logging and added the EU domain to our krb5.conf.
My winbindd.log now shows the following:
[2006/02/16 14:14:58, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(1533)
Retrieving response for pid 25124
[2006/02/16 14:14:58, 10] nsswitch/winbindd.c:process_request(325)
process_request: request fn DOMAIN_INFO
[2006/02/16 14:14:58, 3]
nsswitch/winbindd_misc.c:winbindd_domain_info(356)
[ 0]: domain_info [EU.UIS.UNISYS.COM]
[2006/02/16 14:14:58, 6] nsswitch/winbindd.c:new_connection(596)
accepted socket 18
[2006/02/16 14:14:58, 10] nsswitch/winbindd.c:process_request(325)
process_request: request fn INTERFACE_VERSION
[2006/02/16 14:14:58, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(461)
[ 0]: request interface version
[2006/02/16 14:14:58, 10] nsswitch/winbindd.c:process_request(325)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/02/16 14:14:58, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(494)
[ 0]: request location of privileged pipe
[2006/02/16 14:14:58, 6] nsswitch/winbindd.c:new_connection(596)
accepted socket 27
[2006/02/16 14:14:58, 10] nsswitch/winbindd.c:process_request(325)
process_request: request fn DOMAIN_INFO
[2006/02/16 14:14:58, 3]
nsswitch/winbindd_misc.c:winbindd_domain_info(356)
[ 0]: domain_info [EU.UIS.UNISYS.COM]
********If I look in the log for the client I am trying to connect from,
I see this:
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 10] auth/auth_util.c:get_user_groups(681)
get_user_groups: winbind_getgroups(NA\ustr-netiq$): result = SUCCESS
[2006/02/16 14:14:58, 5] auth/auth_util.c:debug_unix_user_token(473)
UNIX token of user 16783538
Primary group is 16777671 and contains 1 supplementary groups
Group[ 0]: 16777671
[2006/02/16 14:14:58, 10] auth/auth_util.c:debug_nt_user_token(457)
NT user token of user
S-1-5-21-3294472140-2299987452-2298777348-33568076
contains 6 SIDs
SID[ 0]: S-1-5-21-3294472140-2299987452-2298777348-33568076
SID[ 1]: S-1-5-21-3294472140-2299987452-2298777348-33556343
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-21-725345543-2052111302-527237240-515
SE_PRIV 0x0 0x0 0x0 0x0
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 5] auth/auth_util.c:free_server_info(1387)
attempting to free (and zero) a server_info structure
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
Closing connections
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 10] auth/auth_util.c:get_user_groups(681)
get_user_groups: winbind_getgroups(NA\ustr-netiq$): result = SUCCESS
[2006/02/16 14:14:58, 5] auth/auth_util.c:debug_unix_user_token(473)
UNIX token of user 16783538
Primary group is 16777671 and contains 1 supplementary groups
Group[ 0]: 16777671
[2006/02/16 14:14:58, 10] auth/auth_util.c:debug_nt_user_token(457)
NT user token of user
S-1-5-21-3294472140-2299987452-2298777348-33568076
contains 6 SIDs
SID[ 0]: S-1-5-21-3294472140-2299987452-2298777348-33568076
SID[ 1]: S-1-5-21-3294472140-2299987452-2298777348-33556343
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-21-725345543-2052111302-527237240-515
SE_PRIV 0x0 0x0 0x0 0x0
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 5] auth/auth_util.c:free_server_info(1387)
attempting to free (and zero) a server_info structure
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
Closing connections
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
Closing connections
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 10] auth/auth_util.c:get_user_groups(681)
get_user_groups: winbind_getgroups(NA\ustr-netiq$): result = SUCCESS
[2006/02/16 14:14:58, 5] auth/auth_util.c:debug_unix_user_token(473)
UNIX token of user 16783538
Primary group is 16777671 and contains 1 supplementary groups
Group[ 0]: 16777671
[2006/02/16 14:14:58, 10] auth/auth_util.c:debug_nt_user_token(457)
NT user token of user
S-1-5-21-3294472140-2299987452-2298777348-33568076
contains 6 SIDs
SID[ 0]: S-1-5-21-3294472140-2299987452-2298777348-33568076
SID[ 1]: S-1-5-21-3294472140-2299987452-2298777348-33556343
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-5-21-725345543-2052111302-527237240-515
SE_PRIV 0x0 0x0 0x0 0x0
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 5] auth/auth_util.c:free_server_info(1387)
attempting to free (and zero) a server_info structure
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
Closing connections
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
Closing connections
[2006/02/16 14:15:00, 2] smbd/server.c:exit_server(612)
Closing connections
My wbinfo --sequence still shows the EU domain as being disconnected.
I just found this error in the log.wb-EU file:
[2006/02/16 14:51:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)
ads_krb5_mk_req: krb5_get_credentials failed for
usea-eudc1$@EU.UIS.UNISYS.COM (Cannot contact any KDC for requested
realm)
[2006/02/16 14:51:29, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)
ads_krb5_mk_req: krb5_get_credentials failed for
usea-eudc1$@EU.UIS.UNISYS.COM (Cannot contact any KDC for requested
realm)
[2006/02/16 14:51:29, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(81)
ads_connect for domain EU failed: Cannot contact any KDC for requested
realm
-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Thursday, February 16, 2006 11:05 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Authenticating another domain
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Trimble, Ronald D wrote:
> Username EU\inblr-auth1 is invalid on this system
figure this out. That is the key. Does
"getent passwd 'EU\inblr-auth1'" return anything?
What does wbinfo --sequence show?
cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFD9KKUIR7qMdg1EfYRApFRAKC2rqZZ3cFZMV5jLfVtON/uD9P5rgCfR5tG
fAQ7r9ZXNxRfB1nYcF1qnW0=oH5D
-----END PGP SIGNATURE-----