Hello all.
After the last update (from winbind-3.5.3 and krb5-1.8.1 to winbind-3.5.10
and krb5-1.9.1) users from a trusted domain can't authenticate any more.
Machines are joined to domain PERSONALE, and users from domain STUDENTI
aren't recognized. Domains are handled by W2k8 or W2k8r2 (I have no
control over these).
Last lines from /var/log/samba/log.wb-STUDENTI report:
[2012/02/23 10:42:20.205656, 3] libads/sasl.c:793(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name edge$@STUDENTI.DIR.UNIBO.IT
[2012/02/23 10:42:20.239823, 1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo.it@STUDENTI.DIR.UNIBO.IT (Realm not local to KDC)
[2012/02/23 10:42:20.311687, 1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo.it@STUDENTI.DIR.UNIBO.IT (Realm not local to KDC)
[2012/02/23 10:42:20.311765, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Realm not local to KDC
[2012/02/23 10:42:20.312246, 1] winbindd/winbindd_ads.c:126(ads_cached_connection)
  ads_connect for domain STUDENTI failed: Realm not local to KDC
[2012/02/23 11:04:15.428341, 3] winbindd/winbindd_dual.c:53(child_read_request)
  child_read_request: read_data failed: NT_STATUS_END_OF_FILE
'edge' is one of the DCs of the STUDENTI domain, but it seems the PC
can't acquire a ticket for that domain.
Machine is correctly joined, and actually my employee account works. But
not the student one :(
[root@str00160-bibl4 ~]# wbinfo -i studenti\\diego.zuccato2
Could not get info for user studenti\diego.zuccato2
[root@str00160-bibl4 ~]# wbinfo -i diego.zuccato
diego.zuccato:*:108036:100013:Mat032398:/home/PERSONALE/diego.zuccato:/bin/bash
I already tried deleting all .tdb files (in /etc/samba and
/var/cache/samba) and rejoining (some hiccups here, but net ads
testjoin reports "join is OK").
My /etc/samba/smb.conf is the same one that has worked for a couple of years:
[global]
    workgroup = PERSONALE
    realm = PERSONALE.DIR.UNIBO.IT
    server string = %v
    security = ADS
    encrypt passwords = Yes
    #password server = atu.personale.dir.unibo.it
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = No
    dns proxy = No
    #winbind separator = -
    winbind enum users = No
    winbind enum groups = No
    winbind offline logon = Yes
    winbind nested groups = Yes
    winbind normalize names = Yes
    winbind refresh tickets = Yes
    winbind use default domain = yes
    winbind uid = 100000-100000000
    winbind gid = 100000-100000000
    idmap config PERSONALE:backend = rid
    idmap config PERSONALE:base_rid = 500
    idmap config PERSONALE:range = 100000 - 49999999
    idmap config STUDENTI:backend = rid
    idmap config STUDENTI:base_rid = 500
    idmap config STUDENTI:range = 50000000 - 99999999
    template homedir = /home/local/%D/%U
    template shell = /bin/bash
And the same for my /etc/krb5.conf (but I think this one gets ignored):
[logging]
    default = FILE:/var/log/kerberos/krb5libs.log
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = PERSONALE.DIR.UNIBO.IT
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    PERSONALE.DIR.UNIBO.IT = {
        kdc = aki.PERSONALE.DIR.UNIBO.IT:88
        admin_server = aki.PERSONALE.DIR.UNIBO.IT:749
        default_domain = PERSONALE.DIR.UNIBO.IT
    }

[domain_realm]
    .PERSONALE.DIR.UNIBO.IT = PERSONALE.DIR.UNIBO.IT

[kdc]
    profile = /etc/kerberos/krb5kdc/kdc.conf

[login]
    krb4_convert = false
    krb4_get_tickets = false

[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = true
        mappings = ([a-z\.]*)@studio.unibo.it STUDENTI-$1
    }
Too bad I already upgraded more than 60 machines to the new packages...
What can I do to fix it? Next week students start coming to the lab...
TIA!
BYtE,
Diego.
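Added example, not part of Diego's post and not Samba or MIT krb5 code: a small Python script that pulls every "smb_krb5_get_credentials failed" entry out of a winbind log of the shape quoted above, extracts the service principal and target realm, and reports what a krb5.conf with the posted coverage says about that realm: which realm the [domain_realm] rules map the service host to (or whether it falls back to default_realm), whether [realms] carries a kdc line for the realm, and whether dns_lookup_kdc is on as the fallback. The sample log and sample krb5.conf are constructed from the post; the [domain_realm] matching is a simplified model of the MIT rule (exact host entry, then parent domains with a leading dot, longest suffix first). The script only reports coverage; whether the missing STUDENTI entries are the cause of the failure cannot be confirmed from the post alone.

```python
"""Cross-check winbind ticket failures against krb5.conf coverage.

Added example (not Samba/MIT code). Sample log and config below are
constructed from the mailing-list post, not copied from a live system.
"""
import re

# Constructed sample log. The list archive rewrote "@" as " at " in the
# post, so the regex below accepts both spellings.
SAMPLE_LOG = """\
[2012/02/23 10:42:20.239823, 1] libsmb/clikrb5.c:789(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo.it at STUDENTI.DIR.UNIBO.IT (Realm not local to KDC)
[2012/02/23 10:42:20.312246, 1] winbindd/winbindd_ads.c:126(ads_cached_connection)
  ads_connect for domain STUDENTI failed: Realm not local to KDC
"""

# Constructed krb5.conf with the same coverage as the posted one: only the
# PERSONALE realm appears under [realms] and [domain_realm].
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = PERSONALE.DIR.UNIBO.IT
 dns_lookup_realm = true
 dns_lookup_kdc = true
[realms]
 PERSONALE.DIR.UNIBO.IT = {
  kdc = aki.PERSONALE.DIR.UNIBO.IT:88
 }
[domain_realm]
 .PERSONALE.DIR.UNIBO.IT = PERSONALE.DIR.UNIBO.IT
"""

FAIL_RE = re.compile(r"smb_krb5_get_credentials failed for (?P<spn>\S+?)"
                     r"(?:@| at )(?P<realm>\S+) \((?P<err>[^)]*)\)")


def parse_failures(log_text):
    """Return (service principal, realm, error text) per failed ticket request."""
    return [(m["spn"], m["realm"], m["err"]) for m in FAIL_RE.finditer(log_text)]


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: section -> key -> [values]. A '{' block is
    stored as a nested dict under its key (used for [realms] stanzas); deeper
    nesting is ignored. Keys are lowercased so lookups are case-insensitive."""
    conf, section, block, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == "}":
            depth -= 1
            block = block if depth else None
            continue
        if "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        if val.startswith("{"):
            depth += 1
            if depth == 1:
                block = conf[section].setdefault(key.lower(), {})
            continue
        if depth > 1:
            continue
        target = block if block is not None else conf[section]
        target.setdefault(key.lower(), []).append(val)
    return conf


def host_realm(domain_realm, host):
    """Simplified model of the [domain_realm] rule (assumption, see lead-in):
    an entry without a leading dot matches that host exactly; an entry with a
    leading dot matches every host under that domain, longest suffix first.
    Returns None when nothing matches."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key][0]
    return None


def check(log_text, krb5_text):
    """One finding per failed ticket request: the realm the config maps the
    service host to, and whether the log's realm is covered by the config."""
    conf = parse_krb5_conf(krb5_text)
    libdefaults = conf.get("libdefaults", {})
    default_realm = libdefaults.get("default_realm", [None])[0]
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() in ("true", "yes", "1")
    realms = conf.get("realms", {})
    findings = []
    for spn, realm, err in parse_failures(log_text):
        host = spn.split("/", 1)[1] if "/" in spn else spn
        mapped = host_realm(conf.get("domain_realm", {}), host)
        stanza = realms.get(realm.lower(), {})
        findings.append({
            "spn": spn, "realm": realm, "error": err,
            "host_mapped_realm": mapped or default_realm,
            "mapped_explicitly": mapped is not None,
            "realm_has_kdc_entry": isinstance(stanza, dict) and "kdc" in stanza,
            "dns_lookup_kdc": dns_kdc,
        })
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_LOG, SAMPLE_KRB5_CONF):
        print(f"{f['spn']} @ {f['realm']}: {f['error']}")
        how = "explicit [domain_realm] entry" if f["mapped_explicitly"] else "default_realm fallback"
        print(f"  host maps to {f['host_mapped_realm']} ({how})")
        print(f"  [realms] has a kdc for {f['realm']}: {f['realm_has_kdc_entry']}; "
              f"dns_lookup_kdc: {f['dns_lookup_kdc']}")
```

Run against the samples, the one failing request is reported as a host that falls through [domain_realm] to the PERSONALE default realm, with no [realms] stanza for STUDENTI.DIR.UNIBO.IT and DNS KDC lookup as the only way to find its KDC. To use it on a real box, feed it the contents of /var/log/samba/log.wb-STUDENTI and /etc/krb5.conf (or whichever krb5.conf winbind actually reads) instead of the constructed samples.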