Jonathan Petersson
2009-Sep-23 18:04 UTC
[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS
Hi all,

I've been working on getting Samba to authenticate via ADS for the past few weeks with some lack of success. I had somewhat of a breakthrough the other day realizing that the problem was related to the Kerberos authentication between Samba and the Win 2008 R2 AD server. Trying to fix this I generated a keytab with ktpass which I uploaded to the server.

I've been successful in joining the server to the domain, wbinfo and kinit respond as one wants them to, but upon samba and winbind starting I'm seeing the following in the logs which I'm guessing is the cause for me being unable to authenticate any users:

log.wb-PRESIDIO
  ads_krb5_mk_req: krb5_get_credentials failed for pdc$@PRESIDIO (Cannot find KDC for requested realm)
[2009/09/23 10:54:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
[2009/09/23 10:54:31, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(494)
  cli_pipe_verify_schannel: auth_len 56.

log.winbindd
[2009/09/23 10:54:30, 0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2009/09/23 10:54:31, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
  ads_krb5_mk_req: krb5_get_credentials failed for pdc$@PRESIDIO (Cannot find KDC for requested realm)
[2009/09/23 10:54:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
[2009/09/23 10:54:31, 1] winbindd/winbindd_util.c:trustdom_recv(303)
  Could not receive trustdoms

As it seems the server tries to authenticate as pdc$ rather than presidio3$ which is the hostname of the server and the name it's registered as. What could the cause of this be?

smb.conf:
   workgroup = PRESIDIO
   password server = pdc.domain.com
   realm = DOMAIN.COM
   security = ads
   idmap uid = 8000-33554431
   idmap gid = 8000-33554431
   winbind separator = +
   template shell = /bin/bash
   winbind use default domain = yes
   winbind offline logon = false
...
   server string = presidio3
   netbios name = presidio3

Please advise.

Thanks
/Jonathan
Jonathan Petersson
2009-Sep-23 23:30 UTC
[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS
Also, looking further at this, shouldn't winbind use the realm rather than the workgroup for this?

Thanks
/Jonathan

On Wed, Sep 23, 2009 at 11:04 AM, Jonathan Petersson <jpetersson at garnser.se> wrote:
> Hi all,
>
> I've been working on getting Samba to authenticate via ADS for the
> past few weeks with some lack of success. I had somewhat of a
> breakthrough the other day realizing that the problem was related to
> the Kerberos authentication between Samba and the Win 2008 R2 AD
> server. Trying to fix this I generated a keytab with ktpass which I
> uploaded to the server.
>
> I've been successful in joining the server to the domain, wbinfo and
> kinit respond as one wants them to, but upon samba and winbind
> starting I'm seeing the following in the logs which I'm guessing is
> the cause for me being unable to authenticate any users:
>
> log.wb-PRESIDIO
>  ads_krb5_mk_req: krb5_get_credentials failed for pdc$@PRESIDIO
> (Cannot find KDC for requested realm)
> [2009/09/23 10:54:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> find KDC for requested realm
> [2009/09/23 10:54:31, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(494)
>  cli_pipe_verify_schannel: auth_len 56.
>
> log.winbindd
> [2009/09/23 10:54:30, 0]
> winbindd/winbindd_cache.c:initialize_winbindd_cache(2577)
>  initialize_winbindd_cache: clearing cache and re-creating with
> version number 1
> [2009/09/23 10:54:31, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>  ads_krb5_mk_req: krb5_get_credentials failed for pdc$@PRESIDIO
> (Cannot find KDC for requested realm)
> [2009/09/23 10:54:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> find KDC for requested realm
> [2009/09/23 10:54:31, 1] winbindd/winbindd_util.c:trustdom_recv(303)
>  Could not receive trustdoms
>
> As it seems the server tries to authenticate as pdc$ rather than
> presidio3$ which is the hostname of the server and the name it's
> registered as. What could the cause of this be?
>
> smb.conf:
>   workgroup = PRESIDIO
>   password server = pdc.domain.com
>   realm = DOMAIN.COM
>   security = ads
>   idmap uid = 8000-33554431
>   idmap gid = 8000-33554431
>   winbind separator = +
>   template shell = /bin/bash
>   winbind use default domain = yes
>   winbind offline logon = false
> ...
>   server string = presidio3
>
>   netbios name = presidio3
>
> Please advise.
>
> Thanks
>
> /Jonathan
>
Adam Nielsen
2009-Sep-24 02:02 UTC
[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS
> As it seems the server tries to authenticate as pdc$ rather than
> presidio3$ which is the hostname of the server and the name it's
> registered as. What could the cause of this be?
>
> smb.conf:
> workgroup = PRESIDIO
> password server = pdc.domain.com
> realm = DOMAIN.COM
> security = ads
> netbios name = presidio3

I think the workgroup is meant to be the short version of the domain, so if your realm is DOMAIN.COM your workgroup should be DOMAIN.

Are you trying to join Samba to the domain? If so, you shouldn't need to specify a password server, that's only used to check passwords when Samba isn't part of the domain (IIRC.) If you intend to add Samba as a normal PC inside the domain then password authentication will work (perhaps courtesy of winbind) without specifying a password server.

Cheers,
Adam.
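
Added example, not part of the original thread and not Samba code: a small Python check that lines up the failing principal in the posted winbind log against the posted smb.conf values. The finding labels and function names are made up for illustration, and the two configuration checks encode the suggestions in the reply above as heuristics, not Samba rules.

```python
import re
# smb.conf settings and one log line, copied from the first post in the thread.
SMB_CONF = """
workgroup = PRESIDIO
password server = pdc.domain.com
realm = DOMAIN.COM
security = ads
netbios name = presidio3
"""
LOG = "ads_krb5_mk_req: krb5_get_credentials failed for pdc$@PRESIDIO (Cannot find KDC for requested realm)"

def parse_conf(text):
    """Return smb.conf 'key = value' pairs with lower-cased, space-normalised keys."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key[:1] not in "#;[":  # skips blanks, comments, section headers
            conf[" ".join(key.split()).lower()] = value.strip()
    return conf

def failed_principal(log):
    """Extract (account, realm) from a krb5_get_credentials failure line."""
    m = re.search(r"krb5_get_credentials failed for (\S+?)@(\S+)", log)
    return (m.group(1), m.group(2)) if m else None

def diagnose(conf, log):
    """Return illustrative finding labels (hypothetical names, not Samba output)."""
    findings = []
    realm = conf.get("realm", "").upper()
    workgroup = conf.get("workgroup", "").upper()
    if workgroup != realm.split(".")[0]:  # reply: workgroup = short realm
        findings.append("workgroup-not-short-realm")
    if conf.get("security", "").lower() == "ads" and "password server" in conf:
        findings.append("password-server-set-with-ads")
    princ = failed_principal(log)
    if princ:
        account, req_realm = princ[0].rstrip("$").lower(), princ[1].upper()
        if req_realm != realm:
            findings.append("ticket-realm-not-configured-realm")
        if req_realm == workgroup:
            findings.append("ticket-realm-is-workgroup")
        pw_host = conf.get("password server", "").split(".")[0].lower()
        if account == pw_host:
            findings.append("account-matches-password-server")
        if account != conf.get("netbios name", "").lower():
            findings.append("account-not-netbios-name")
    return findings

print(diagnose(parse_conf(SMB_CONF), LOG))
```

On the posted values every check fires: the realm in the failing ticket request is the workgroup string rather than the configured realm, and the account is the short name of the password server rather than the machine's netbios name.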