Hello:

For a while, pam_winbind.so was looking up my domain (CASAS.WSU.EDU) as CASAS, specifically looking for _kerberos._udp.CASAS. This of course failed. wbinfo -u or -g commands, as well as all net ads commands, worked fine. This installation was working, then at some point suddenly stopped working with this problem.

Ultimately, I restored it to functioning by stopping samba and winbind, rm -rf /var/lib/samba/*; rm -rf /var/cache/samba/*, and removing the computer account from the AD. Then, restarting samba and winbind and re-adding the computer to the domain, and finally restarting winbind one more time. I'm not sure what caused this problem, but it did persist across several reboots.

Here's most of the e-mail I sent to samba-users on March 10, 2010:

16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV? _kerberos._tcp.CASAS. (38)

(domain is CASAS.WSU.EDU). I can do a DNS lookup with the fqdn, and it works fine, but the short name definitely does NOT work. I've even modified /etc/resolv.conf to directly query the windows dns server that is serving up casas.wsu.edu (which the normal production dns server is set to delegate to). DNS queries for any of the magic entries in proper form do work (with exception of reverse resolution of the linux host itself -- it returns a different domain name when querying the correct servers).

I've gone through both /etc/krb5.conf and smb.conf; there are now NO occurrences of the short domain name in there. (I even changed "workgroup" in smb.conf to the fqdn, as that was the last remaining occurrence). Keep in mind that winbind was working fine with no edits to either file yesterday and early this morning, no changes had occurred anywhere on that line... all I did was tweak pam files to try and correct a different problem.

Here are my config files:

------ smb.conf ------
[global]
    workgroup = CASAS.WSU.EDU
    server string = %h Ubuntu Termserver
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ads
    realm = CASAS.WSU.EDU
    password server = 192.168.3.16
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    idmap backend = rid:CASAS.WSU.EDU=10000-20000
    allow trusted domains = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    restrict anonymous = 2
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    usershare allow guests = yes

[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no
------------------------

/etc/krb5.conf
------------------------
[libdefaults]
    default_realm = CASAS.WSU.EDU
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    CASAS.WSU.EDU = {
        kdc = ad1.casas.wsu.edu:88
        admin_server = ad1.casas.wsu.edu
        default_domain = casas.wsu.edu
    }

[domain_realm]
    .casas.wsu.edu = CASAS.WSU.EDU
    casas.wsu.edu = CASAS.WSU.EDU

[login]
    krb4_convert = true
    krb4_get_tickets = false
-------------------------

And here's a tcpdump done filtering on port 53 during a winbind restart:
-------------------------
16:03:37.399967 IP 192.168.3.11.49438 > 192.168.3.16.53: 3748+ A? AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.49438: 3748* 1/0/0 A[|domain]
16:03:37.399967 IP 192.168.3.11.43851 > 192.168.3.16.53: 27311+ A? AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.43851: 27311* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.40739 > 192.168.3.16.53: 46827+ A? ad1.casas.wsu.edu. (35)
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.40739: 46827* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.54465 > 192.168.3.16.53: 44669+[|domain]
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.54465: 44669 NXDomain*[|domain]
16:03:37.429967 IP 192.168.3.11.57928 > 192.168.3.16.53: 58938+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.57928: 58938 NXDomain*[|domain]
16:03:37.439967 IP 192.168.3.11.45449 > 192.168.3.16.53: 58085+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.45449: 58085 NXDomain*[|domain]
16:03:37.439967 IP 192.168.3.11.58599 > 192.168.3.16.53: 64069+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.58599: 64069 NXDomain*[|domain]
16:03:37.449967 IP 192.168.3.11.35620 > 192.168.3.16.53: 52173+ A? ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.35620: 52173* 1/0/0 A[|domain]
16:03:37.449967 IP 192.168.3.11.58933 > 192.168.3.16.53: 27556+ A? ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.58933: 27556* 1/0/0 A[|domain]
16:03:37.449967 IP 192.168.3.11.36892 > 192.168.3.16.53: 12188+[|domain]
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.36892: 12188 NXDomain*[|domain]
16:03:37.459967 IP 192.168.3.11.59294 > 192.168.3.16.53: 12121+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.59294: 12121* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.59240 > 192.168.3.16.53: 54066+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.59240: 54066* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.56838 > 192.168.3.16.53: 48561+[|domain]
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.56838: 48561 NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.55189 > 192.168.3.16.53: 33246+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.55189: 33246* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.52539 > 192.168.3.16.53: 19873+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.52539: 19873* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.38806 > 192.168.3.16.53: 15173+[|domain]
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.38806: 15173 NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.39860 > 192.168.3.16.53: 19200+ SRV? _kerberos._udp.CASAS. (38)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.39860: 19200 NXDomain 0/1/0 (113)
16:03:37.469967 IP 192.168.3.11.40215 > 192.168.3.16.53: 12115+ SRV? _kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.40215: 12115 NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.42234 > 192.168.3.16.53: 2986+ A? ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.42234: 2986* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.53553 > 192.168.3.16.53: 13263+ A? ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.53553: 13263* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.49456 > 192.168.3.16.53: 38656+[|domain]
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.49456: 38656 NXDomain*[|domain]
16:03:37.479967 IP 192.168.3.11.56202 > 192.168.3.16.53: 7957+ SRV? _kerberos._udp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.56202: 7957 NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV? _kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.38775: 44000 NXDomain 0/1/0 (113)
--------------------

Here's a chunk from the winbindd log:
--------------------
[2010/03/10 16:04:22, 0] winbindd/winbindd.c:190(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2010/03/10 16:04:24, 0] winbindd/winbindd.c:1244(main)
  winbindd version 3.4.0 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/03/10 16:04:24, 0] winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2010/03/10 16:04:24, 0] winbindd/winbindd_util.c:782(init_domain_list)
  Could not fetch our SID - did we join?
[2010/03/10 16:04:24, 0] winbindd/winbindd.c:1385(main)
  unable to initialize domain list
-----------------------

The REALM and the netbios domain name should be correct at all times, and if you want to rely on the netbios name you cannot look that up via DNS and expect that to succeed; netbios domain lookup (if wanted at all) should be done via a WINS server. Keep the

This does not look like a bug to me.
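
A check for the symptom in the capture above, as an added example that is not part of the original report or of Samba: it pairs each Kerberos/LDAP SRV query in tcpdump's text output with its reply and flags lookups whose domain part is not the realm. The function name, verdict strings and the last two sample lines are this example's own.

```python
import re

REALM = "CASAS.WSU.EDU"  # realm value from the smb.conf / krb5.conf in the report

# First six lines are copied from the report's capture; the last two are
# constructed to show what a correctly qualified lookup looks like.
SAMPLE = """\
16:03:37.449967 IP 192.168.3.11.35620 > 192.168.3.16.53: 52173+ A? ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.35620: 52173* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.39860 > 192.168.3.16.53: 19200+ SRV? _kerberos._udp.CASAS. (38)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.39860: 19200 NXDomain 0/1/0 (113)
16:03:37.469967 IP 192.168.3.11.40215 > 192.168.3.16.53: 12115+ SRV? _kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.40215: 12115 NXDomain 0/1/0 (113)
16:03:38.000000 IP 192.168.3.11.40300 > 192.168.3.16.53: 20001+ SRV? _kerberos._tcp.CASAS.WSU.EDU. (46)
16:03:38.001000 IP 192.168.3.16.53 > 192.168.3.11.40300: 20001* 1/0/0 SRV ad1.casas.wsu.edu.:88 0 100 (87)
"""

QUERY = re.compile(r"^\S+ IP (\S+) > \S+: (\d+)\+ (\w+)\? (\S+) \(\d+\)$")
REPLY = re.compile(r"^\S+ IP \S+ > (\S+): (\d+)[*|$-]* (\S+)")
SRV_NAME = re.compile(r"^_(?:kerberos|ldap)\._(?:udp|tcp)\.(.+)$", re.I)

def audit_locator_queries(capture, realm=REALM):
    """Return (qname, rcode, verdict) for each answered Kerberos/LDAP SRV lookup."""
    pending, findings = {}, []
    for line in capture.splitlines():
        q = QUERY.match(line)
        if q:
            src, txid, qtype, qname = q.groups()
            if qtype == "SRV" and SRV_NAME.match(qname):
                pending[(src, txid)] = qname  # keyed by client ip.port + DNS id
            continue
        r = REPLY.match(line)
        qname = pending.pop((r.group(1), r.group(2)), None) if r else None
        if qname is None:
            continue  # not a reply to a locator query we saw
        status = r.group(3)  # "NXDomain", "NXDomain*[|domain]" or answer counts
        rcode = "NoError" if status[0].isdigit() else status.split("*")[0]
        # Drop the AD "dc._msdcs." style prefix, keep only the domain being located.
        domain = re.sub(r"^.*_msdcs\.", "", SRV_NAME.match(qname).group(1)).rstrip(".")
        if domain.upper() == realm.upper():
            verdict = "ok"
        elif "." not in domain:
            verdict = "single-label name, not the realm"
        else:
            verdict = "does not match realm"
        findings.append((qname, rcode, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_locator_queries(SAMPLE):
        print(*finding, sep="  ")
```
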