[Samba] wbinfo -K no such user

Thu, 15 Apr 2010 10:46:01 -0700

I'm attempting to get ubuntu to work with an AD 2008 server for authentication and authorization.
DNS is on a separate unix host, with dns on the windows server as a non-authoritative source. 

It appears that I have a kerberos problem.

What works:

1. kinit user
Password for u...@ad.engr.wisc.edu

2. wbinfo -t, wbinfo -u, wbinfo -g all succeed.

What sort-of works:

1. net ads join -U user complains:

DNS update failed!

but net ads testjoin gives:
Join is OK

What fails:
1. wbinfo -K u...@ad.engr.wisc.edu
Enter u...@ad.engr.wisc.edu's password:

plaintext kerberos password authentication for [u...@ad.engr.wisc.edu] 
failed (requesting cctype: FILE)

error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user

Could not authenticate user [u...@ad.engr.wisc.edu] with Kerberos 
(ccache: FILE)


2. wbinfo -i user


3. calls to nss, getent passwd, id user (yes I have compat winbind in 
nsswitch for passwd and groups)



The nss calls create failed LDAP bind messages in the logs. My sense is 
that the failure of the ldap bind is related to the apparent kerberos 
problem.


Thanks is advance
Russ Poyner



[libdefaults]
        default_domain = AD.ENGR.WISC.EDU
        default_realm = AD.ENGR.WISC.EDU
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true
        default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
        dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.

[realms]
        AD.ENGR.WISC.EDU = {
                kdc = engr-dc1.ad.engr.wisc.edu
                kdc = engr-dc2.ad.engr.wisc.edu
                kdc = engr-dc3.ad.engr.wisc.edu
        }
#       ENGR.WISC.EDU = {
#               kdc = kdc1.cae.wisc.edu
#               kdc = kdc2.cae.wisc.edu
#               kdc = kdc-master.cae.wisc.edu
#               admin_server = kdc-master.cae.wisc.edu
#               default_domain = cae.wisc.edu
#       }
#       AD.ENGR.WISC.EDU = {
#               auth_to_local = 
RULE:[1:$0\$1](^AD\.ENGR\.WISC\.EDU\\.*)s/^AD\.ENGR\.WISC\.EDU/ENGR/
#               auth_to_local = DEFAULT
#       }
        CS.WISC.EDU = { 
                kdc = kerberos-1.cs.wisc.edu
                kdc = kerberos-2.cs.wisc.edu
                kdc = kerberos.cs.wisc.edu
                admin_server = kerberos.cs.wisc.edu
        }

# Our ENGR.WISC.EDU realm that's used for AFS, NFS, etc.
# We aren't specifying any v4_ rules like default_domain since we shouldn't
# need to support that anymore.
# TODO: test to see if we need any mapping rules (auth_to_local*)

# An entry for the ActiveDirectory Kerberos realm at CAE, possibly useful for
# cross-site trust.

# Some more entries for CS's Kerberos so we can share AFS.

# These were defaults in the kdc.conf file upon installation.  I see no
# immediate need to remove them, though the data should be available via DNS
# TXT and SRV records now.
# See Also:
# http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS
# 2009-08-18
# bpkroth


[domain_realm]
        .engr.wisc.edu = ENGR.WISC.EDU
        engr.wisc.edu = ENGR.WISC.EDU
        .cae.wisc.edu = ENGR.WISC.EDU
        cae.wisc.edu = ENGR.WISC.EDU
        .ad.engr.wisc.edu = AD.ENGR.WISC.EDU
        ad.engr.wisc.edu = AD.ENGR.WISC.EDU
        .ece.wisc.edu = AD.ENGR.WISC.EDU
        ece.wisc.edu = AD.ENGR.WISC.EDU
        .cs.wisc.edu = CS.WISC.EDU
        cs.wisc.edu = CS.WISC.EDU
# Locally added realms for CAE.
# 2009-08-18
# bpkroth



# These were defaults in the kdc.conf file upon installation.  I see no
# immediate need to remove them, though the data should be available via DNS
# TXT and SRV records now.
# See Also:
# http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS
# 2009-08-18
# bpkroth


# Adding a section to setup logging.
# 2009-08-18
# bpkroth
[logging]
        default=SYSLOG

# Setup capaths for cross-site authentication with ad.engr.wisc.edu.
[capaths]
        ENGR.WISC.EDU = {
                AD.ENGR.WISC.EDU = .
        }
        AD.ENGR.WISC.EDU = {
                ENGR.WISC.EDU = .
        }

[login]
        krb4_convert = true
        krb4_get_tickets = false
[appdefaults]
        pam = {
   mappings = ENGR\\(.*) $...@ad.engr.wisc.edu
   forwardable = true
   validate = true
        }
        httpd = {
   mappings = ENGR\\(.*) $...@ad.engr.wisc.edu
   reverse_mappings = (.*)@AD\.ENGR\.WISC\.EDU ENGR\$1
        }
# krb5.conf
# 2009-08-17
# bpkroth
# 
# The client/server config file for Kerberos v5 on Linux machines at CAE.
# This file is used both by KDCs, clients, and applications.


127.0.0.1       localhost.localdomain   localhost
128.104.182.240 rp-ubunt10vm.ece.wisc.edu       rp-ubuntu10vm
128.104.182.240 rp-ubuntu10vm.ad.engr.wisc.edu

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

[global]
        workgroup = ENGR
        realm = AD.ENGR.WISC.EDU
        security = ADS
        allow trusted domains = No
        password server = 144.92.13.232
        restrict anonymous = 2
        kerberos method = system keytab
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        disable netbios = Yes
        client use spnego = No
        dns proxy = No
        ldap admin dn = cn=rpoyner,ou=caeid,ou=cae,dc=ad,dc=engr,dc=wisc,dc=edu
        ldap suffix = dc=ad,dc=engr,dc=wisc,dc=edu
        ldap ssl = no
        ldap connection timeout = 3
        ldap debug level = 1
        panic action = /usr/share/samba/panic-action %d
        idmap backend = ldap:ldap://engr-dc2.ad.engr.wisc.edu
        idmap uid = 1000-999999
        idmap gid = 1000-999999
        template shell = /bin/bash
        winbind separator = @
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind normalize names = Yes
        idmap config ENGR:range = 1000-999999
        idmap config ENGR:ldap_url = ldap://engr-dc1.ad.wisc.edu
        idmap config ENGR:schema_mode = rfc2307
        idmap config ENGR:backend = ldap
        idmap config ENGR:default = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No
        browsable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba













    











					Reply via email to