On Mon, Jun 7, 2010 at 2:31 AM, Daniel Mueller <da_mueller at gmx.net>
wrote:
> Hello Samba-List-Users
>
> I have a problem with KDC network name resolution. I tried to google it and
> sought help on IRC#samba, to no avail. So I'll post my problem here.
>
> In the spirit of privacy and normalization all server names in this post
> are replaced. CAPTIAL server names are actually capitalized in the
> configuration files.
>
> Setup:
> 1x Debian5 x64 server running samba 3.2.5
> 2x Windows Server 2008R2 domain controllers (Active Directory running in
> native mode)
> some Windows7 Clients
>
> here are my configuration files:
>
> smb.conf (global section)
>
>
------------------------------------8<--------------------------------------
> # Global parameters
> [global]
> netbios name = SAMBASERVER01
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> preferred master = no
> server string = Productive Datastore
> interfaces = eth0 172.16.1.15
> map to guest = bad user
> security = ADS
> encrypt passwords = yes
> log level = 2
> syslog = 2
> winbind separator = +
> printcap name = /etc/printcap
> printing > load printers = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> usershare allow guests = no
> hide files = /$RECYCLE.BIN/desktop.ini/
> vfs objects = full_audit
> full_audit:prefix = %u|%I|%m|%S
> full_audit:success = mkdir rename unlink rmdir pwrite
> full_audit:failure = none
> #full_audit:facility = LOCAL7
> full_audit:priority = NOTICE
>
>
------------------------------------8<--------------------------------------
>
> krb5.conf
>
>
------------------------------------8<--------------------------------------
> [libdefaults]
> default_realm = DOMAIN.LOCAL
>
> [realms]
> DOMAIN.LOCAL = {
> # dc01 is FSMO server
> kdc = dc01.domain.local
> kdc = dc02.domain.local
> admin_server = dc01.megasol.local
> default_domain = domain.local
> }
>
> [domain_realm]
> .domain.local = DOMAIN.LOCAL
> domain.local = DOMAIN.LOCAL
>
>
------------------------------------8<--------------------------------------
>
> the domain join ran without errors:
>
> SAMBASERVER01:~# net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- DOMAIN
> Joined 'SAMBASERVER01' to realm 'domain.local'
>
> kinit is contempt, too:
>
> SAMBASERVER01:~# kinit -V Administrator
> Password for Administrator at DOMAIN.LOCAL:
> Authenticated to Kerberos v5
>
> I logged into DC01 using the domain administrator account:
> I can connect to the samba server; no problems.
>
> I logged into a windows7 client using a domain user:
> I can connect to the samba server; no problems.
>
> I logged into a windows7 client user local admin (no domain login):
> I can't connect to the samba server
>
> I use smbclient on SAMBASERVER01:
> SAMBASERVER01:~# smbclient //SAMBASERVER01/SHARE -U Administrator
> Enter Administrator's password:
> session setup failed: NT code 0x00000721
>
> I use smbclient on SAMBASERVER01 again:
> SAMBASERVER01:~# smbclient //SAMBASERVER01/IT -U Administrator
> Enter Administrator password:
> session setup failed: NT_STATUS_PIPE_DISCONNECTED
>
> I use smbclient using Kerberos authentication:
> SAMBASERVER01:~# smbclient //SAMBASERVER01/IT -k
> OS=[Unix] Server=[Samba 3.2.5]
> smb: \>
> that works!
>
> the smbd and nmbd logs are clean
> but it seems that winbind ist struggling:
>
> log.winbindd
>
>
------------------------------------8<--------------------------------------
> [2010/06/07 10:17:59, 2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
> Doing kerberos session setup
> [2010/06/07 10:17:59, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
> ads_krb5_mk_req: krb5_get_credentials failed for DC01$@DOMAIN (Cannot
> resolve network address for KDC in requested realm)
> [2010/06/07 10:17:59, 1]
> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve
> network address for KDC in requested realm
> [2010/06/07 10:17:59, 1] winbindd/winbindd_util.c:trustdom_recv(260)
> Could not receive trustdoms
>
>
------------------------------------8<--------------------------------------
>
> I'm at a loss here... can anyone help? Or point me into the right
> direction?
>
> Cheers
>
> Daniel
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
I found this bug and submitted a patch, however, 3.2.x was in security fix
status only at the time. I use backports for Lenny as the samba packages in
it has the fix. The patch is very simple and could be applied to 3.2.x, see
bug 6700 for the patch if you want to recompile 3.2.x.
https://bugzilla.samba.org/show_bug.cgi?id=6700
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University