Andriy Syrovenko
2011-Feb-02 09:35 UTC
[Samba] Samba 3.5.6 - numerous regressions while running as AD member against Samba4alpha14 DC
Hi!

I've set up Samba4alpha14 on a FreeBSD 8.2-RC2 box as a DC which just works serving a network of a couple of dozen Win7 clients. Then I installed Samba 3.5.6 on another FreeBSD box and wanted to join it into the AD. I've run into the following set of issues:

1. Joining domain with

"net ads join -U administrator"

fails with the following error messages:

"kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials"

and then:

"Joining domain failed: Invalid credentials".

Having spent some time in debugger I've finally managed to join the domain by adding the following line to my smb.conf:

"client ldap sasl wrapping = seal"

2. Attempts to perform a dynamic DNS update with

"net ads dns register -P"

simply say "DNS update failed!". Again a couple of hours of debugging, and the problem is solved using the following patch. Please note though that I don't really understand what this patch actually does! :)

diff -ur samba-3.5.6.orig/source3/libaddns/dnsgss.c samba-3.5.6/source3/libaddns/dnsgss.c --- samba-3.5.6.orig/source3/libaddns/dnsgss.c 2010-10-07 19:41:16.000000000 +0300 +++ samba-3.5.6/source3/libaddns/dnsgss.c 2011-02-01 16:31:35.000000000 +0200
@@ -175,7 +175,7 @@ * TODO: Compare id and keyname */ - if ((resp->num_additionals != 1) || + if (/*(resp->num_additionals != 1) ||*/ (resp->num_answers == 0) || (resp->answers[0]->type != QTYPE_TKEY)) { err = ERROR_DNS_INVALID_MESSAGE;

3. nss_winbind shows only a single group for each domain user. I mean when I issue the 'id username' command the 'Domain Users' group is returned as primary group for username, but memberships in any other groups are lost. I did not find a solution for this problem.

Meanwhile I reverted to Samba 3.4.9 and it just works. I've joined the domain without "client ldap sasl wrapping = seal" being specified in the config file, DDNS updates just work without any patches, and group membership resolution also works just fine.

When replying to this mail please place me in CC as I am not subscribed to the list (yet).

Best regards,
Andrey.
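Review bot: the first test in the `if` condition of this hunk is disabled by wrapping `(resp->num_additionals != 1) ||` in a comment, which drops the check for every server and leaves dead code behind with no explanation of why it was wrong. With the TODO directly above it ("Compare id and keyname") still open, the only validation left on the reply is that it has at least one answer and that `answers[0]` is of type QTYPE_TKEY. If a valid reply really can carry a number of additional records other than 1, replace the test with an explicit condition that states what is accepted and add a comment giving the reason, and consider implementing the id and keyname comparison from the TODO so that the reply is tied to the request that was sent.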
Michael Wood
2011-Feb-05 21:20 UTC
[Samba] Samba 3.5.6 - numerous regressions while running as AD member against Samba4alpha14 DC
I think samba-technical might be a more appropriate list for this question, since it involves Samba 4 (which is still in alpha and the HOWTO says to discuss issues on samba-technical). I have copied my reply there.

On 2 February 2011 11:35, Andriy Syrovenko <andriys at gmail.com> wrote:
> Hi!
>
> I've set up Samba4alpha14 on a FreeBSD 8.2-RC2 box as a DC which just
> works serving a network of a couple of dozen Win7 clients.
> Then I installed Samba 3.5.6 on another FreeBSD box and wanted to
> join it into the AD.
> I've run into the following set of issues:
>
> 1. Joining domain with
>
> "net ads join -U administrator"
>
> fails with the following error messages:
>
> "kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials"
>
> and then:
>
> "Joining domain failed: Invalid credentials".

Perhaps if you provide some network traces and maybe some debug level 10 logs from the client and server when you try this, someone will be able to tell you what the problem is.

> Having spent some time in debugger I've finally managed to join the
> domain by adding the following line to my smb.conf:
>
> "client ldap sasl wrapping = seal"
>
> 2. Attempts to perform a dynamic DNS update with
>
> "net ads dns register -P"
>
> simply say "DNS update failed!". Again a couple of hours of
> debugging, and the problem is solved using the following patch. Please
> note though that I don't really understand what this patch actually
> does! :)
>
> diff -ur samba-3.5.6.orig/source3/libaddns/dnsgss.c > samba-3.5.6/source3/libaddns/dnsgss.c > --- samba-3.5.6.orig/source3/libaddns/dnsgss.c ?2010-10-07 > 19:41:16.000000000 +0300 > +++ samba-3.5.6/source3/libaddns/dnsgss.c ? ? ? 2011-02-01 16:31:35.000000000 +0200
> @@ -175,7 +175,7 @@ > ? ? ? ? ? ? ? ? ? ? ? ? * TODO: Compare id and keyname > ? ? ? ? ? ? ? ? ? ? ? ? */ > > - ? ? ? ? ? ? ? ? ? ? ? if ((resp->num_additionals != 1) || > + ? ? ? ? ? ? ? ? ? ? ? if (/*(resp->num_additionals != 1) ||*/ > ? ? ? ? ? ? ? ? ? ? ? ? ? ?(resp->num_answers == 0) || > ? ? ? ? ? ? ? ? ? ? ? ? ? ?(resp->answers[0]->type != QTYPE_TKEY)) { > ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?err = ERROR_DNS_INVALID_MESSAGE;
>
> 3. nss_winbind shows only a single group for each domain user. I mean
> when I issue the 'id username' command the 'Domain Users' group is
> returned as primary group for username, but memberships in any other
> groups are lost. I did not find a solution for this problem.
>
> Meanwhile I reverted to Samba 3.4.9 and it just works. I've joined the
> domain without "client ldap sasl wrapping = seal" being specified in
> the config file, DDNS updates just work without any patches, and group
> membership resolution also works just fine.
>
> When replying to this mail please place me in CC as I am not
> subscribed to the list (yet).
>
> Best regards,
> Andrey.

--
Michael Wood <esiotrot at gmail.com>