Hi!

The problem lies in the "winbind separator" setting. If I use
winbind separator = \\
everything goes well.

I believe this is due to a bug. As I don't want to register to yet another
bugzilla, someone please issue the report there.

Explanation:
winbindd_raw_kerberos_login uses parse_domain_user to
generate the Kerberos principal from state->request.data.auth.user.
At this point state->request.data.auth.user is in the form
'DOMAIN\username',
regardless of the winbind separator setting. parse_domain_user uses the winbind
separator setting to parse this, so it will fail if the separator is
anything but '\\'.

The documentation actually suggests changing winbind separator to something
other than '\\'.

2009/5/28 Árpád Magosányi <magwas@rabic.org>
> Dear List!
>
> I have the problem described at
> http://lists.samba.org/archive/samba/2008-February/138451.html
> It materialized after an upgrade of samba/winbind. Everything was
> working before.
> I could not find the solution either on the net or from people
> originally having the problem, so here I am.
> This problem is a showstopper for me. (I can log in by changing pam_winbind
> to pam_krb5, but this does not cache credentials, so I cannot work at
> home.)
>
> Additional information I figured out:
> - According to wireshark, winbind (wbinfo -K) tries to authenticate the
> principal 'RESmagosanyi1a313' instead of 'magosanyi1a313'
> - There are logs saying "Cannot resolve network address for KDC in
> requested realm" and "Could not receive trustdoms", which may or may not
> be related to the problem. (see detailed logs below)
>
> original problem:
>
> Works:
> kinit
> wbinfo -u
> wbinfo -g
> wbinfo -t
> Fails:
> root@mxln133738# wbinfo -K magosanyi1a313
> Enter magosanyi1a313's password:
> plaintext kerberos password authentication for [magosanyi1a313] failed (requesting cctype: FILE)
>
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user [magosanyi1a313] with Kerberos (ccache: FILE)
>
> smb.conf:
> [global]
> client signing = yes
>
> client schannel = no
> client use spnego = yes
> client lanman auth = no
> client NTLMv2 auth = yes
> client plaintext auth = no
>
> # idmap domains = RES
> # idmap config RES:backend = ad
> # idmap config RES:default = yes
>
> # idmap config RES:schema_mode = rfc2307
> # idmap config RES:range = 1000 - 300000000
>
>
> # dns_lookup_kdc = false
> workgroup = RES
> realm = RES.HU.CORP
> preferred master = no
> security = ADS
>
> encrypt passwords = true
> syslog only = yes
> syslog = 3
> log level = 3
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
>
> winbind separator = +
> winbind refresh tickets = true
> winbind offline logon = yes
> winbind cache time = 300
> winbind normalize names = yes
> winbind offline logon = yes
> use kerberos keytab = Yes
>
> idmap uid = 3000-20000
> idmap gid = 3000-20000
> #idmap backend = idmap_rid:RES=3000-20000
> ;template primary group = "Domain Users"
> template shell = /bin/bash
>
> winbind version:
> magosanyi1a313@mxln133738$ dpkg -l winbind
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
> ||/ Name      Version            Description
> +++-=========-==================-=====================================
> ii  winbind   2:3.3.2-1ubuntu3   Samba nameservice integration server
>
> May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53, 2] lib/tallocmsg.c:register_msg_pool_usage(106)
> May 28 19:11:53 mxln133738 winbindd[17221]: Registered MSG_REQ_POOL_USAGE
> May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53, 2] lib/dmallocmsg.c:register_dmalloc_msgs(77)
> May 28 19:11:53 mxln133738 winbindd[17221]: Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53, 2] lib/interface.c:add_interface(340)
> May 28 19:11:53 mxln133738 winbindd[17221]: added interface eth0 ip=10.3.125.42 bcast=10.3.127.255 netmask=255.255.248.0
> May 28 19:11:53 mxln133738 winbindd[17221]: [2009/05/28 19:11:53, 2] lib/interface.c:add_interface(340)
> May 28 19:11:53 mxln133738 winbindd[17221]: added interface eth0 ip=10.3.125.42 bcast=10.3.127.255 netmask=255.255.248.0
> May 28 19:11:54 mxln133738 winbindd[17222]: [2009/05/28 19:11:54, 1] lib/util_tdb.c:tdb_validate_and_backup(1426)
> May 28 19:11:54 mxln133738 winbindd[17222]: tdb '/var/cache/samba/winbindd_cache.tdb' is valid
> May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 1] lib/util_tdb.c:tdb_validate_and_backup(1436)
> May 28 19:12:07 mxln133738 winbindd[17222]: Created backup '/var/cache/samba/winbindd_cache.tdb.bak' of tdb '/var/cache/samba/winbindd_cache.tdb'
> May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 2] winbindd/winbindd_util.c:add_trusted_domain(235)
> May 28 19:12:07 mxln133738 winbindd[17222]: Added domain BUILTIN S-1-5-32
> May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 2] winbindd/winbindd_util.c:add_trusted_domain(235)
> May 28 19:12:07 mxln133738 winbindd[17222]: Added domain MXLN133738 S-1-5-21-283202338-3230163293-2318106275
> May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 2] winbindd/winbindd_util.c:add_trusted_domain(235)
> May 28 19:12:07 mxln133738 winbindd[17222]: Added domain RES RES.HU.CORP S-1-5-21-698458317-4263495693-249106618
> May 28 19:12:07 mxln133738 winbindd[17228]: [2009/05/28 19:12:07, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
> May 28 19:12:07 mxln133738 winbindd[17228]: Doing kerberos session setup
> May 28 19:12:07 mxln133738 winbindd[17228]: [2009/05/28 19:12:07, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
> May 28 19:12:07 mxln133738 winbindd[17228]: ads_krb5_mk_req: krb5_get_credentials failed for bindc01$@RES (Cannot resolve network address for KDC in requested realm)
> May 28 19:12:07 mxln133738 winbindd[17228]: [2009/05/28 19:12:07, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
> May 28 19:12:07 mxln133738 winbindd[17228]: cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
> May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
> May 28 19:12:07 mxln133738 winbindd[17222]: Doing kerberos session setup
> May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
> May 28 19:12:07 mxln133738 winbindd[17222]: ads_krb5_mk_req: krb5_get_credentials failed for bindc01$@RES (Cannot resolve network address for KDC in requested realm)
> May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
> May 28 19:12:07 mxln133738 winbindd[17222]: cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
> May 28 19:12:07 mxln133738 winbindd[17222]: [2009/05/28 19:12:07, 2] winbindd/winbindd_util.c:add_trusted_domain(235)
> May 28 19:12:07 mxln133738 winbindd[17222]: Added domain HU hu.corp S-1-5-21-432019103-1439757928-1114753422
> May 28 19:12:08 mxln133738 winbindd[17237]: [2009/05/28 19:12:08, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
> May 28 19:12:08 mxln133738 winbindd[17237]: Doing kerberos session setup
> May 28 19:12:08 mxln133738 winbindd[17237]: [2009/05/28 19:12:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
> May 28 19:12:08 mxln133738 winbindd[17237]: ads_krb5_mk_req: krb5_get_credentials failed for bindc01$@RES (Cannot resolve network address for KDC in requested realm)
> May 28 19:12:08 mxln133738 winbindd[17237]: [2009/05/28 19:12:08, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
> May 28 19:12:08 mxln133738 winbindd[17237]: cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
> May 28 19:12:08 mxln133738 winbindd[17222]: [2009/05/28 19:12:08, 2] winbindd/winbindd.c:remove_client(744)
> May 28 19:12:08 mxln133738 winbindd[17222]: final write to client failed: Broken pipe
> May 28 19:12:09 mxln133738 winbindd[17222]: [2009/05/28 19:12:09, 2] winbindd/winbindd.c:remove_client(744)
> May 28 19:12:09 mxln133738 winbindd[17222]: final write to client failed: Broken pipe
> May 28 19:12:18 mxln133738 wbinfo: [2009/05/28 19:12:18, 2] lib/interface.c:add_interface(340)
> May 28 19:12:18 mxln133738 wbinfo: added interface eth0 ip=10.3.125.42 bcast=10.3.127.255 netmask=255.255.248.0
> May 28 19:12:18 mxln133738 winbindd[17222]: [2009/05/28 19:12:18, 1] winbindd/winbindd_util.c:trustdom_recv(303)
> May 28 19:12:18 mxln133738 winbindd[17222]: Could not receive trustdoms
> May 28 19:12:21 mxln133738 winbindd[17222]: [2009/05/28 19:12:21, 2] winbindd/winbindd.c:remove_client(744)
> May 28 19:12:21 mxln133738 winbindd[17222]: final write to client failed: Broken pipe
> May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 1] libads/kerberos.c:smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(159)
> May 28 19:12:21 mxln133738 winbindd[17228]: no krb5_error
> May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 1] libads/authdata.c:kerberos_return_pac(398)
> May 28 19:12:21 mxln133738 winbindd[17228]: kinit failed for 'RES\magosanyi1a313@RES.HU.CORP' with: Client not found in Kerberos database (-1765328378)
> May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
> May 28 19:12:21 mxln133738 winbindd[17228]: Doing kerberos session setup
> May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
> May 28 19:12:21 mxln133738 winbindd[17228]: ads_krb5_mk_req: krb5_get_credentials failed for bindc01$@RES (Cannot resolve network address for KDC in requested realm)
> May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
> May 28 19:12:21 mxln133738 winbindd[17228]: cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
> May 28 19:12:21 mxln133738 winbindd[17228]: [2009/05/28 19:12:21, 2] winbindd/winbindd_pam.c:winbindd_dual_pam_auth(1727)
> May 28 19:12:21 mxln133738 winbindd[17228]: Plain-text authentication for user RES\magosanyi1a313 returned NT_STATUS_NO_SUCH_USER (PAM: 10)
> May 28 19:12:21 mxln133738 winbindd[17222]: [2009/05/28 19:12:21, 2] winbindd/winbindd.c:remove_client(744)
> May 28 19:12:21 mxln133738 winbindd[17222]: final write to client failed: Broken pipe
> May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23, 1] rpc_client/cli_pipe.c:rpc_pipe_destructor(2362)
> May 28 19:12:23 mxln133738 winbindd[17252]: rpc_pipe_destructor: cli_close failed on pipe host bindc01.res.hu.corp, pipe \NETLOGON, fnum 0x4005. Error was SUCCESS - 0
> May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
> May 28 19:12:23 mxln133738 winbindd[17252]: Doing kerberos session setup
> May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
> May 28 19:12:23 mxln133738 winbindd[17252]: ads_krb5_mk_req: krb5_get_credentials failed for bindc01$@RES (Cannot resolve network address for KDC in requested realm)
> May 28 19:12:23 mxln133738 winbindd[17252]: [2009/05/28 19:12:23, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
> May 28 19:12:23 mxln133738 winbindd[17252]: cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
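
The separator mismatch described in the reply at the top of this message, as an added example that is not part of the original post and is not Samba's source code. split_domain_user and make_principal are hypothetical names for a simplified model of the parsing step; the "tolerant" mode is one possible mitigation, assumed here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption), not Samba's source: split "DOMAIN<sep>user".
 * If sep is absent, the whole input becomes the user name and the default
 * domain is used, as with "winbind use default domain = Yes". */
static void split_domain_user(const char *in, char sep, const char *def_dom,
                              char *dom, char *user, size_t n)
{
    const char *p = strchr(in, sep);
    if (p == NULL) {
        snprintf(dom, n, "%s", def_dom);
        snprintf(user, n, "%s", in);
    } else {
        snprintf(dom, n, "%.*s", (int)(p - in), in);
        snprintf(user, n, "%s", p + 1);
    }
}

/* Build user@REALM from an internal name that always uses '\\'.
 * tolerant != 0: fall back to '\\' when the configured separator is absent. */
static const char *make_principal(const char *internal, char conf_sep,
                                  const char *realm, int tolerant)
{
    static char out[256];
    char dom[64], user[64];
    char sep = conf_sep;

    if (tolerant && strchr(internal, conf_sep) == NULL)
        sep = '\\';
    /* "RES" is the workgroup from the quoted smb.conf */
    split_domain_user(internal, sep, "RES", dom, user, sizeof dom);
    snprintf(out, sizeof out, "%s@%s", user, realm);
    return out;
}

int main(void)
{
    const char *name = "RES\\magosanyi1a313"; /* internal form from the post */

    printf("separator \\          : %s\n", make_principal(name, '\\', "RES.HU.CORP", 0));
    printf("separator +          : %s\n", make_principal(name, '+', "RES.HU.CORP", 0));
    printf("separator +, tolerant: %s\n", make_principal(name, '+', "RES.HU.CORP", 1));
    return 0;
}
```

With the separator set to +, the model yields the same principal string that appears in the quoted "kinit failed for" log line.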