Gaiseric Vandal
2014-Dec-23 21:47 UTC
[Samba] samba 4 member server in Win 2008 domain, wbinfo fails
I have started tinkering with samba 4.

I have a Windows 2008 active directory domain controller. It is also the main DNS server but is not the WINS server. The DNS server does NOT allow DNS registration by client machines.

I have a fedora core 19 linux machine with samba 4.1.13 (bundled with Fedora.)

smb.conf includes

    security = ads
    realm = MYDOMAIN.COM
    password server = pdc.mydomain.com
    passdb backend = tdbsam
    encrypt passwords = yes
    winbind enum users = yes
    winbind enum groups = yes

krb5.conf includes

    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = MYDOMAIN.COM
    default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        admin_server = kerberos.example.com
    }
    MYYDOMAIN.COM = {
        kdc = pdc.mydomain.com
        admin_server = pdc.mydomain.com
        kpasswd_server = pdc.mydomain.com
        default_domain = mydomain.com
    }

    [domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

The "kinit someuser@MYDOMAIN" command works.

I have not set up idmapping yet. I want to make sure "wbinfo -u" works 1st.

I have winbind running. I don't think I need nmbd running.

I temporarily disabled the linux firewall and selinux.

Joined domain:

    [root@penguin ~]# net ads join -U Administrator
    Enter Administrator's password:
    Using short domain name -- MYDOMAIN
    Joined 'PENGUIN' to dns domain 'mydomain.com'
    DNS Update for penguin.mydomain.com failed: ERROR_DNS_GSS_ERROR
    DNS update failed: NT_STATUS_UNSUCCESSFUL
    [root@penguin ~]#

    [root@penguin]# net ads testjoin
    Join is OK
    [root@penguin]#

On the Win 2008 DC, AD U&C shows the linux machine.
wbinfo -u (and any wbinfo command) fails:

    [root@penguin /]# wbinfo -u
    Error looking up domain users
    [root@penguin /]# wbinfo -t
    checking the trust secret for domain -not available- via RPC calls failed
    failed to call wbcCheckTrustCredentials: WBC_ERR_NOT_IMPLEMENTED
    Could not check secret
    [root@penguin /]# wbinfo -g
    failed to call wbcListGroups: WBC_ERR_NOT_IMPLEMENTED
    Error looking up domain groups
    [root@penguin /]#

The winbind logs show kerberos activity happening. I don't see any obvious errors. I see the following but I don't think it is an actual error:

    [2014/12/23 15:38:40.325491, 5] ../source3/rpc_client/cli_pipe.c:1864(rpc_pipe_bind_step_two_done)
    We are checking against an old Samba version - NT_STATUS_NOT_IMPLEMENTED

Any advice?

Thanks
Gaiseric Vandal
2014-Dec-31 16:30 UTC
[Samba] samba 4 member server in Win 2008 domain, wbinfo fails, samba 3 is OK
I also configured a Samba 3.6.x (on Solaris 11) member server. wbinfo works fine. "wbinfo -u" lists users, and "wbinfo -S somesid" will return the unix UID. (I have Unix Identity Management installed on the Windows 2008 DC so that I can configure a unix user id number for each user.)

Solaris and Fedora both use MIT kerberos. I have NOT configured a keytab file on either client. They should have the same krb5.conf file. The only difference was that the Solaris machine did not complain about DNS updating failing.

I am guessing that winbind on Samba 4 member servers is behaving differently than winbind on Samba 3. I am unclear how and if winbind clients authenticate themselves to domain controllers. I am presuming the domain controller will only allow account queries from machines joined to the domain.

On the linux machine:

    # kinit myname
    Password for myname@MYDOMAIN.COM:
    ]# klist -e
    Ticket cache: KEYRING:persistent:0:0
    Default principal: damian@SSCI.COM

    Valid starting     Expires            Service principal
    12/31/14 11:21:25  12/31/14 21:21:25  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
            renew until 01/07/15 11:21:22, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
    [root@penguin ~]

On the solaris machine:

    -> kinit
    Password for myname@MYDOMAIN.COM:
    kinit: no ktkt_warnd warning possible
    astronomix-> klist -e
    ...
    Valid starting     Expires            Service principal
    12/31/14 11:25:06  12/31/14 21:25:11  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
            renew until 01/07/15 11:25:06, Etype(skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
    astronomix->

It looks like the Windows 2008 server uses RC4 (ArcFour) encryption by default and both linux and solaris will accept that. (With Unix kerberos servers, I find linux and solaris clients will support AES-256, so I am pretty sure I do not have a compatibility issue with kerberos.)

Thanks

On 12/23/14 16:47, Gaiseric Vandal wrote:
> I have started tinkering with samba 4.
>
> I have a Windows 2008 active directory domain controller.
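The thread compares krb5.conf and smb.conf on two member servers without a tool to check them against each other. The script below is an added example, not code from the thread or from Samba: it parses both files with a minimal reader and reports realm names that do not line up (a [realms] stanza whose name differs from default_realm, or an smb.conf realm that differs from krb5.conf). The embedded configs are constructed samples modelled on the quoted [realms] block, not the poster's complete files.

```python
import re

# Constructed sample mirroring the realm lines quoted in the thread
# (assumption: not the poster's complete files).
KRB5_CONF = """[libdefaults]
 default_realm = MYDOMAIN.COM
[realms]
 MYYDOMAIN.COM = {
  kdc =pdc.mydomain.com
 }
"""
SMB_CONF = "[global]\n security = ads\n realm = MYDOMAIN.COM\n"

def parse_conf(text):
    """Tiny krb5.conf/smb.conf reader: {section: {key: value}}; a braced
    stanza like REALM = { ... } becomes a nested dict under its section."""
    sections, section, stanza = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'\[([\w.-]+)\]$', line)
        if m:
            section, stanza = sections.setdefault(m.group(1), {}), None
            continue
        if line == '}':
            stanza = None
            continue
        key, _, value = (s.strip() for s in line.partition('='))
        if value == '{':
            stanza = section.setdefault(key, {})
        elif stanza is not None:
            stanza[key] = value
        else:
            section[key] = value
    return sections

def check_realms(krb5_text, smb_text):
    """Return findings (empty list = consistent) about realm naming in
    krb5.conf [libdefaults]/[realms] and the smb.conf realm parameter."""
    krb5, smb = parse_conf(krb5_text), parse_conf(smb_text)
    default = krb5.get('libdefaults', {}).get('default_realm', '')
    realms = krb5.get('realms', {})
    findings = []
    if default and default not in realms:
        findings.append(f'default_realm {default} has no [realms] stanza; found {sorted(realms)}')
    smb_realm = smb.get('global', {}).get('realm', '')
    if smb_realm and smb_realm.upper() != default.upper():
        findings.append(f'smb.conf realm {smb_realm} differs from default_realm {default}')
    return findings
```

Run it against /etc/krb5.conf and /etc/samba/smb.conf on each member server; a realm that is only reachable through DNS SRV lookup still lets kinit succeed, so an empty finding list from this check is a prerequisite, not proof that winbind will work.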