From: Daniel Mueller on 7 Jun 2010 04:40

Hello Samba-List-Users

I have a problem with KDC network name resolution. I tried to google it and sought help on IRC#samba, to no avail. So I'll post my problem here.

In the spirit of privacy and normalization all server names in this post are replaced. CAPITAL server names are actually capitalized in the configuration files.

Setup:
1x Debian5 x64 server running samba 3.2.5
2x Windows Server 2008R2 domain controllers (Active Directory running in native mode)
some Windows7 Clients

Here are my configuration files:

smb.conf (global section)
------------------------------------8<--------------------------------------
# Global parameters
[global]
    netbios name = SAMBASERVER01
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    preferred master = no
    server string = Productive Datastore
    interfaces = eth0 172.16.1.15
    map to guest = bad user
    security = ADS
    encrypt passwords = yes
    log level = 2
    syslog = 2
    winbind separator = +
    printcap name = /etc/printcap
    printing =
    load printers = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    usershare allow guests = no
    hide files = /$RECYCLE.BIN/desktop.ini/
    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none
    #full_audit:facility = LOCAL7
    full_audit:priority = NOTICE
------------------------------------8<--------------------------------------

krb5.conf
------------------------------------8<--------------------------------------
[libdefaults]
    default_realm = DOMAIN.LOCAL

[realms]
    DOMAIN.LOCAL = {
        # dc01 is FSMO server
        kdc = dc01.domain.local
        kdc = dc02.domain.local
        admin_server = dc01.megasol.local
        default_domain = domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
------------------------------------8<--------------------------------------

The domain join ran without errors:

SAMBASERVER01:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DOMAIN
Joined 'SAMBASERVER01' to realm 'domain.local'

kinit is content, too:

SAMBASERVER01:~# kinit -V Administrator
Password for Administrator@DOMAIN.LOCAL:
Authenticated to Kerberos v5

I logged into DC01 using the domain administrator account:
I can connect to the samba server; no problems.

I logged into a windows7 client using a domain user:
I can connect to the samba server; no problems.

I logged into a windows7 client using local admin (no domain login):
I can't connect to the samba server

I use smbclient on SAMBASERVER01:

SAMBASERVER01:~# smbclient //SAMBASERVER01/SHARE -U Administrator
Enter Administrator's password:
session setup failed: NT code 0x00000721

I use smbclient on SAMBASERVER01 again:

SAMBASERVER01:~# smbclient //SAMBASERVER01/IT -U Administrator
Enter Administrator password:
session setup failed: NT_STATUS_PIPE_DISCONNECTED

I use smbclient using Kerberos authentication:

SAMBASERVER01:~# smbclient //SAMBASERVER01/IT -k
OS=[Unix] Server=[Samba 3.2.5]
smb: \>

That works!

The smbd and nmbd logs are clean but it seems that winbind is struggling:

log.winbindd
------------------------------------8<--------------------------------------
[2010/06/07 10:17:59, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2010/06/07 10:17:59, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for DC01$@DOMAIN (Cannot resolve network address for KDC in requested realm)
[2010/06/07 10:17:59, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
[2010/06/07 10:17:59, 1] winbindd/winbindd_util.c:trustdom_recv(260)
  Could not receive trustdoms
------------------------------------8<--------------------------------------

I'm at a loss here... can anyone help? Or point me in the right direction?

Cheers
Daniel
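
A check that can be run against the krb5.conf and log.winbindd excerpts in the post above, added here as an example and not part of Daniel's message or of Samba: it extracts the realm from each failed krb5_get_credentials line and reports the realms that have no kdc entry under [realms]. The function names are hypothetical, the inputs are constructed from the post, and DNS-based KDC lookup is not checked.

```python
import re

# Constructed sample input, trimmed from the krb5.conf and log.winbindd in the post.
KRB5_CONF = """\
[realms]
DOMAIN.LOCAL = {
    # dc01 is FSMO server
    kdc = dc01.domain.local
    kdc = dc02.domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
"""
LOG = """\
[2010/06/07 10:17:59, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for DC01$@DOMAIN (Cannot resolve network address for KDC in requested realm)
"""

def configured_kdcs(conf):
    """Map each realm in the [realms] section to its list of kdc hosts."""
    realms, section, current = {}, None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].lower(), None
        elif section == "realms" and line.endswith("{"):
            current = line.split("=", 1)[0].strip()
            realms[current] = []
        elif line == "}":
            current = None
        elif current and re.match(r"kdc\s*=", line):
            realms[current].append(line.split("=", 1)[1].strip())
    return realms

def unresolved_realms(log, conf):
    """Realms of failed ticket requests that have no kdc entry in krb5.conf."""
    kdcs = configured_kdcs(conf)
    failed = re.findall(r"krb5_get_credentials failed for \S+@(\S+)", log)
    # Kerberos realm names are case-sensitive, so compare them exactly.
    return sorted({realm for realm in failed if not kdcs.get(realm)})

if __name__ == "__main__":
    print("configured:", configured_kdcs(KRB5_CONF))
    print("no kdc entry for:", unresolved_realms(LOG, KRB5_CONF))
```

On the post's data the failing principal is in realm DOMAIN, while krb5.conf lists KDCs only for DOMAIN.LOCAL.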