From: Andrew Masterson on 19 Mar 2010 16:00

-----Original Message-----
From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org] On Behalf Of Jim Kusznir
Sent: Wednesday, March 10, 2010 7:20 PM
To: samba(a)lists.samba.org
Subject: [Samba] winbind doing dns on short domain

Hi all:

I'm building an authentication infrastructure for combined Windows plus Linux clients. To that end, I have a Win Server 2008r2 ADS and a Win Svr 2008r2 client, and an Ubuntu 9.10 client running the default samba + winbind (whatever is in their production repos).

I had it 95% working this morning... Then all of a sudden, all winbind queries died. No idea why. I spent the entire day debugging it, and I finally found out what it's doing: its DNS requests for the _kerberos... host are using the short domain, not the FQDN:

16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV? _kerberos._tcp.CASAS. (38)

(domain is CASAS.WSU.EDU). I can do a DNS lookup with the FQDN, and it works fine, but the short name definitely does NOT work. I've even modified /etc/resolv.conf to directly query the Windows DNS server that is serving up casas.wsu.edu (which the normal production DNS server is set to delegate to). DNS queries for any of the magic entries in proper form do work (with the exception of reverse resolution of the Linux host itself -- it returns a different domain name when querying the correct servers).

I've gone through both /etc/krb5.conf and smb.conf; there are now NO occurrences of the short domain name in there. (I even changed "workgroup" in smb.conf to the FQDN, as that was the last remaining occurrence.) Keep in mind that winbind was working fine with no edits to either file yesterday and early this morning; no changes had occurred anywhere on that line... all I did was tweak PAM files to try and correct a different problem.
Here are my config files:

------ smb.conf ------
[global]
   workgroup = CASAS.WSU.EDU
   server string = %h Ubuntu Termserver
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   realm = CASAS.WSU.EDU
   password server = 192.168.3.16
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap backend = rid:CASAS.WSU.EDU=10000-20000
   allow trusted domains = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   restrict anonymous = 2
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
------------------------

------------------------
/etc/krb5.conf
------------------------
[libdefaults]
        default_realm = CASAS.WSU.EDU
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        CASAS.WSU.EDU = {
                kdc = ad1.casas.wsu.edu:88
                admin_server = ad1.casas.wsu.edu
                default_domain = casas.wsu.edu
        }

[domain_realm]
        .casas.wsu.edu = CASAS.WSU.EDU
        casas.wsu.edu = CASAS.WSU.EDU

[login]
        krb4_convert = true
        krb4_get_tickets = false
-------------------------

And here's a tcpdump done filtering on port 53 during a winbind restart:
-------------------------
16:03:37.399967 IP 192.168.3.11.49438 > 192.168.3.16.53: 3748+ A? AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.49438: 3748* 1/0/0 A[|domain]
16:03:37.399967 IP 192.168.3.11.43851 > 192.168.3.16.53: 27311+ A? AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.43851: 27311* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.40739 > 192.168.3.16.53: 46827+ A? ad1.casas.wsu.edu. (35)
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.40739: 46827* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.54465 > 192.168.3.16.53: 44669+[|domain]
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.54465: 44669 NXDomain*[|domain]
16:03:37.429967 IP 192.168.3.11.57928 > 192.168.3.16.53: 58938+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.57928: 58938 NXDomain*[|domain]
16:03:37.439967 IP 192.168.3.11.45449 > 192.168.3.16.53: 58085+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.45449: 58085 NXDomain*[|domain]
16:03:37.439967 IP 192.168.3.11.58599 > 192.168.3.16.53: 64069+[|domain]
16:03:37.439967 IP 192.168.3.16.53 > 192.168.3.11.58599: 64069 NXDomain*[|domain]
16:03:37.449967 IP 192.168.3.11.35620 > 192.168.3.16.53: 52173+ A? ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.35620: 52173* 1/0/0 A[|domain]
16:03:37.449967 IP 192.168.3.11.58933 > 192.168.3.16.53: 27556+ A? ad1.casas.wsu.edu. (35)
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.58933: 27556* 1/0/0 A[|domain]
16:03:37.449967 IP 192.168.3.11.36892 > 192.168.3.16.53: 12188+[|domain]
16:03:37.449967 IP 192.168.3.16.53 > 192.168.3.11.36892: 12188 NXDomain*[|domain]
16:03:37.459967 IP 192.168.3.11.59294 > 192.168.3.16.53: 12121+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.59294: 12121* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.59240 > 192.168.3.16.53: 54066+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.59240: 54066* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.56838 > 192.168.3.16.53: 48561+[|domain]
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.56838: 48561 NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.55189 > 192.168.3.16.53: 33246+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.55189: 33246* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.52539 > 192.168.3.16.53: 19873+ A? ad1.casas.wsu.edu. (35)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.52539: 19873* 1/0/0 A[|domain]
16:03:37.469967 IP 192.168.3.11.38806 > 192.168.3.16.53: 15173+[|domain]
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.38806: 15173 NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.39860 > 192.168.3.16.53: 19200+ SRV? _kerberos._udp.CASAS. (38)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.39860: 19200 NXDomain 0/1/0 (113)
16:03:37.469967 IP 192.168.3.11.40215 > 192.168.3.16.53: 12115+ SRV? _kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.40215: 12115 NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.42234 > 192.168.3.16.53: 2986+ A? ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.42234: 2986* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.53553 > 192.168.3.16.53: 13263+ A? ad1.casas.wsu.edu. (35)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.53553: 13263* 1/0/0 A[|domain]
16:03:37.479967 IP 192.168.3.11.49456 > 192.168.3.16.53: 38656+[|domain]
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.49456: 38656 NXDomain*[|domain]
16:03:37.479967 IP 192.168.3.11.56202 > 192.168.3.16.53: 7957+ SRV? _kerberos._udp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.56202: 7957 NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV? _kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.38775: 44000 NXDomain 0/1/0 (113)
--------------------

Here's a chunk from the winbindd log:
--------------------
[2010/03/10 16:04:22, 0] winbindd/winbindd.c:190(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2010/03/10 16:04:24, 0] winbindd/winbindd.c:1244(main)
  winbindd version 3.4.0 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/03/10 16:04:24, 0] winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2010/03/10 16:04:24, 0] winbindd/winbindd_util.c:782(init_domain_list)
  Could not fetch our SID - did we join?
[2010/03/10 16:04:24, 0] winbindd/winbindd.c:1385(main)
  unable to initialize domain list
-----------------------

Where is the problem / how do I fix this?
-------------------------

It looks to me like your machine account in the domain has died - be it deleted, corrupted, whatever.

-=Andrew
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
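As an added example (not part of this thread and not Samba's code), the following Python script automates the diagnosis Jim did by hand: it pairs each DNS query in a tcpdump port-53 capture with its response by (client endpoint, transaction id) and reports SRV lookups that both failed and used a single-label domain such as _kerberos._tcp.CASAS. The sample lines are copied from the capture above; the final query/response pair for _kerberos._tcp.casas.wsu.edu. and the function names are assumptions, added to show what a healthy FQDN lookup looks like beside the failing ones.

```python
import re
# Constructed sample: lines copied from the tcpdump in the post above, plus one
# ASSUMED query/response pair showing what a healthy FQDN SRV lookup looks like.
SAMPLE = """\
16:03:37.399967 IP 192.168.3.11.49438 > 192.168.3.16.53: 3748+ A? AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.49438: 3748* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.54465 > 192.168.3.16.53: 44669+[|domain]
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.54465: 44669 NXDomain*[|domain]
16:03:37.469967 IP 192.168.3.11.39860 > 192.168.3.16.53: 19200+ SRV? _kerberos._udp.CASAS. (38)
16:03:37.469967 IP 192.168.3.16.53 > 192.168.3.11.39860: 19200 NXDomain 0/1/0 (113)
16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV? _kerberos._tcp.CASAS. (38)
16:03:37.479967 IP 192.168.3.16.53 > 192.168.3.11.38775: 44000 NXDomain 0/1/0 (113)
16:03:37.489967 IP 192.168.3.11.40001 > 192.168.3.16.53: 51000+ SRV? _kerberos._tcp.casas.wsu.edu. (46)
16:03:37.489967 IP 192.168.3.16.53 > 192.168.3.11.40001: 51000* 1/0/0 SRV[|domain]
"""
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (\d+)[+*]?\s*(.*)$")  # either direction
QUERY = re.compile(r"^(\w+)\? (\S+) ")                            # "SRV? name. (len)"

def port(endpoint):
    """tcpdump prints host.port; the port is the last dotted component."""
    return endpoint.rsplit(".", 1)[1]

def short_srv_domain(name):
    """True for an SRV name whose domain part is one label, e.g. _kerberos._tcp.CASAS."""
    labels = [l for l in name.split(".") if l]
    return len(labels) == 3 and labels[0][0] == "_" and labels[1][0] == "_"

def analyze(capture):
    """Pair each DNS query with its response by (client endpoint, id) and return
    (qtype, qname, status, short_domain) for every query that carried a name."""
    pending, results = {}, []
    for m in filter(None, map(LINE.match, capture.splitlines())):
        src, dst, qid, tail = m.groups()
        if port(dst) == "53":                      # client -> server: a query
            q = QUERY.match(tail)                  # None for truncated "[|domain]"
            pending[(src, qid)] = q.groups() if q else None
        elif port(src) == "53":                    # server -> client: a response
            q = pending.pop((dst, qid), None)
            if q is not None:
                status = "NXDomain" if tail.startswith("NXDomain") else "answered"
                results.append((q[0], q[1], status, short_srv_domain(q[1])))
    for q in pending.values():                     # queries that never got an answer
        if q is not None:
            results.append((q[0], q[1], "no response", short_srv_domain(q[1])))
    return results

def suspicious(capture):
    """The signature from the post: SRV lookups that failed AND used a short domain."""
    return [r for r in analyze(capture) if r[0] == "SRV" and r[2] != "answered" and r[3]]
```

Feed it the full capture (tcpdump -n port 53, as in the post) and an empty `suspicious()` list means the resolver is at least being asked for the realm's FQDN; the "Could not fetch our SID" line in the winbindd log is a separate check of the machine account itself.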