Bug 6094 - winbind doesn't work...
Summary: winbind doesn't work...
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Winbind
Version: 3.3.0
Hardware: PPC AIX
: P3 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Reported: 2009-02-06 04:45 UTC by Vancutsem Damien
Modified: 2014-06-11 13:52 UTC

Description Vancutsem Damien 2009-02-06 04:45:40 UTC
Hello,

For one of my customers, I am trying to configure Samba to authenticate users and groups against AD with winbind.
To do that, I did the following:

1) Install Samba and all prerequisite packages using pware binaries.
2) Create a smb.conf :

[global]
workgroup = FINBEL
netbios name = orange-sv
server string = orange Samba Server
bind interfaces only = true
security = ADS
realm = FINBEL.INTRA
password server = fngsvaddcs01, fngsvaddcs02, fngsvaddcs03, fngsvaddcs04, fngsvaddcs05, fngsvaddcs06
private dir = /home/hacmp/orange-sv/
encrypt passwords = yes
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind separator = +
winbind use default domain = Yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 0
#Uncomment to allow these options
log level = 10
log file = /var/log/samba.log
max log size = 5000000
debug timestamp = yes
browseable = yes

[test]
        comment = test Share
        path = /tmp/test
        valid users = FINBEL+vhottat
        read only = No
        create mask = 0770
        security mask = 0770
        directory mask = 0770

3) Configure winbind:
cp /opt/pware/samba/3.0.31/lib/security/WINBIND /usr/lib/security
	
Add lines in  "/usr/lib/security/methods.cfg"

		WINBIND:
        		program = /usr/lib/security/WINBIND
        		options = authonly

4) Configure /etc/krb3.conf :

[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
ticket_lifetime = 24000
default_realm = FINBEL.INTRA
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
FINBEL.INTRA = {
default_domain = finbel.intra
kdc = fngsvaddcs01.finbel.intra:88
kdc = fngsvaddcs02.finbel.intra:88
kdc = fngsvaddcs03.finbel.intra:88
kdc = fngsvaddcs04.finbel.intra:88
kdc = fngsvaddcs05.finbel.intra:88
kdc = fngsvaddcs06.finbel.intra:88
admin_server = fngsvaddcs01.finbel.intra:749
}

[domain_realm]
.domain.com = FINBEL.INTRA
domain.com = FINBEL.INTRA

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

5) Test kerberos 

root@orange /home/hacmp # kinit vhottat@FINBEL.INTRA
Password for vhottat@FINBEL.INTRA:

root@orange /home/hacmp # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vhottat@FINBEL.INTRA

Valid starting     Expires            Service principal
07/24/08 14:30:12  07/24/08 21:10:12  krbtgt/FINBEL.INTRA@FINBEL.INTRA


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
 => OK

6) Join domain :
net ads join -s /home/hacmp/smb.conf -U adm_jebe
	adm_jebe's password:
	Using short domain name -- FINBEL
	Joined 'orange-sv' to realm 'FINBEL.INTRA'

=> OK

7) Start smbd, nmbd and winbindd

=> OK

8) Try to access the share 
=> NOTOK :

Enter the user name for 'orange.finbel.intra': FINBEL\sambatest
Enter the password for orange.finbel.intra:
System error 64 has occurred.

The specified network name is no longer available.


In the log, I can find:

[2009/02/05 12:32:59,  5] rpc_parse/parse_prs.c:prs_uint8s(865)
[2009/02/05 12:32:59,  1] libads/cldap.c:recv_cldap_netlogon(157)
  no reply received to cldap netlogon
[2009/02/05 12:32:59,  3] libads/ldap.c:ads_try_connect(208)
      0220 sig  : 77 00 7a 00 ff ff 00 00 
  ads_try_connect: CLDAP request TFSRV01.DEBT.AGENCY failed.
[2009/02/05 12:32:59,  5] rpc_parse/parse_prs.c:prs_uint8s(865)
[2009/02/05 12:32:59,  1] winbindd/winbindd_ads.c:ads_cached_connection(127)
  ads_connect for domain AGENCY failed: No logon servers
      0228 seq_num: dc 37 0c e6 12 f1 cb b5 
[2009/02/05 12:32:59,  3] winbindd/winbindd_misc.c:winbindd_dual_list_trusted_domains(367)
[2009/02/05 12:32:59,  5] rpc_parse/parse_prs.c:prs_uint8s(865)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
      0230 packet_digest: 86 66 f8 b1 a7 02 27 b8 
[2009/02/05 12:32:59,  5] rpc_parse/parse_prs.c:prs_uint8s(865)
[2009/02/05 12:32:59,  1] winbindd/winbindd_util.c:trustdom_recv(303)
  Could not receive trustdoms


I don't understand what TFSRV01.DEBT.AGENCY is ????
And also why I always get the following error:
winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL

Can you help me please?
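
An added triage example, not part of the original report or of Samba: at log level 10 the winbindd messages are interleaved with prs_uint8s byte dumps, as in the excerpt above, so this sketch drops the dumps and keeps only messages at level 3 or lower. Attaching each message to the most recent non-dump header is an assumption drawn from how this excerpt is interleaved.

```python
import re

# Samba debug header: "[date time, level] source.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] ([^:\s]+):(\w+)\((\d+)\)\s*$")
# Byte-dump body lines written by prs_uint8s: "  0220 sig  : 77 00 7a ..."
HEXDUMP = re.compile(r"^\s+[0-9a-f]{4} \w+\s*: (?:[0-9a-f]{2} ?)+$")

# Log lines copied from the report above.
SAMPLE = """\
[2009/02/05 12:32:59,  5] rpc_parse/parse_prs.c:prs_uint8s(865)
[2009/02/05 12:32:59,  1] libads/cldap.c:recv_cldap_netlogon(157)
  no reply received to cldap netlogon
[2009/02/05 12:32:59,  3] libads/ldap.c:ads_try_connect(208)
      0220 sig  : 77 00 7a 00 ff ff 00 00
  ads_try_connect: CLDAP request TFSRV01.DEBT.AGENCY failed.
[2009/02/05 12:32:59,  5] rpc_parse/parse_prs.c:prs_uint8s(865)
[2009/02/05 12:32:59,  1] winbindd/winbindd_ads.c:ads_cached_connection(127)
  ads_connect for domain AGENCY failed: No logon servers
      0228 seq_num: dc 37 0c e6 12 f1 cb b5
[2009/02/05 12:32:59,  3] winbindd/winbindd_misc.c:winbindd_dual_list_trusted_domains(367)
[2009/02/05 12:32:59,  5] rpc_parse/parse_prs.c:prs_uint8s(865)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
      0230 packet_digest: 86 66 f8 b1 a7 02 27 b8
[2009/02/05 12:32:59,  5] rpc_parse/parse_prs.c:prs_uint8s(865)
[2009/02/05 12:32:59,  1] winbindd/winbindd_util.c:trustdom_recv(303)
  Could not receive trustdoms
"""

def parse(text):
    """Return one dict per header; message text goes to the last non-dump header."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec = {"ts": m[1], "level": int(m[2]), "func": m[4], "msg": []}
            records.append(rec)
            # Assumption: a prs_uint8s header only announces a byte dump, so
            # text printed after it belongs to the earlier pending header.
            if rec["func"] != "prs_uint8s":
                current = rec
        elif HEXDUMP.match(line) or not line.strip():
            continue
        elif current is not None:
            current["msg"].append(line.strip())
    return records

def triage(text, max_level=3):
    """Keep only records at or below max_level that carry a message."""
    return [(r["level"], r["func"], " ".join(r["msg"]))
            for r in parse(text) if r["level"] <= max_level and r["msg"]]
```

Run over the excerpt, `triage(SAMPLE)` leaves five messages, all concerning the AGENCY domain and the trusted-domain listing.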
Comment 1 Björn Jacke 2014-06-11 13:52:10 UTC
password server and winbind parameters are set to not recommended values. Also cannot reproduce this problem with 4.0. If you can reproduce this with a cleaned up config and with a recent samba version, please reopen this bug with level 10 log files attached.