Everything works quite well until 10 hours after winbindd was started. Then requests get denied. I set up a cron job to demonstrate this. The cron job just logs the time and the output of "wbinfo -t" every five minutes:
**********************************************************************
<started winbindd>
2004/03/26 02:50:00| checking the trust secret via RPC calls succeeded
2004/03/26 02:55:00| checking the trust secret via RPC calls succeeded
<snip>
2004/03/26 12:45:00| checking the trust secret via RPC calls succeeded
2004/03/26 12:50:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
2004/03/26 12:55:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
**********************************************************************
Some research showed this was probably Kerberos tickets expiring or not being renewed. I looked up the ticket lifetimes for Windows 2000 and plugged those into my krb5.conf (hostnames changed):
**********************************************************************
$ less /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5.log

[libdefaults]
    default_realm = EXAMPLE.ORG
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
    ticket_lifetime = 36000
    renew_lifetime = 604800

[realms]
    EXAMPLE.ORG = {
        kdc = dc1.example.org
        kdc = dc2.example.org
        admin_server = dc1.example.org
        default_domain = example.org
    }

[domain_realms]
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG
**********************************************************************
I then tested whether renewing worked (hostnames changed):
**********************************************************************
$ kinit
[EMAIL PROTECTED]'s Password:
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: [EMAIL PROTECTED]
Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: des-cbc-crc
Auth time: Mar 26 15:29:19 2004
End time: Mar 27 01:29:19 2004
Renew till: Apr 2 15:29:19 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:10.0.0.2

$ kinit -R
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: [EMAIL PROTECTED]
Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: des-cbc-crc
Auth time: Mar 26 15:29:19 2004
Start time: Mar 26 15:29:26 2004
End time: Mar 27 01:29:26 2004
Renew till: Apr 2 15:29:19 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:10.0.0.2
**********************************************************************
In any case, I still see the exact same behavior (death after 10 hours). There is nothing in /var/log/krb5.log. Can anyone shed some light on this for me? I suppose I could restart winbindd every 9 hours...
Thanks,
Jon Noack
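Added example, not part of the original post: a Python check that parses a "wbinfo -t" cron log in the format shown above and tests whether the first failure lands within one polling interval of the ticket_lifetime set in krb5.conf. The sample log and config text are constructed from the values in the post, the function names are hypothetical, and it assumes the first logged check approximates the time winbindd was started.

```python
import re
from datetime import datetime

# Constructed sample in the format of the cron log in the post.
SAMPLE_LOG = """\
2004/03/26 02:50:00| checking the trust secret via RPC calls succeeded
2004/03/26 12:45:00| checking the trust secret via RPC calls succeeded
2004/03/26 12:50:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
"""
# Constructed krb5.conf excerpt using the lifetimes from the post.
SAMPLE_KRB5 = "[libdefaults]\n ticket_lifetime = 36000\n renew_lifetime = 604800\n"

ENTRY = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\|.*\b(succeeded|failed)\s*$")

def parse_checks(log_text):
    """Return [(timestamp, ok)] for each timestamped wbinfo -t result line."""
    checks = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:  # continuation lines (error code, "Could not check secret") are skipped
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            checks.append((ts, m.group(2) == "succeeded"))
    return checks

def ticket_lifetime(krb5_text):
    """Read ticket_lifetime from krb5.conf text; only plain seconds are handled."""
    m = re.search(r"^\s*ticket_lifetime\s*=\s*(\d+)\s*$", krb5_text, re.M)
    return int(m.group(1)) if m else None

def first_failure_offset(checks):
    """Seconds from the first logged check to the first failed one, or None."""
    for ts, ok in checks:
        if not ok:
            return int((ts - checks[0][0]).total_seconds())
    return None

def matches_ticket_expiry(log_text, krb5_text, interval=300):
    """True if the first failure is within one polling interval of ticket_lifetime."""
    offset = first_failure_offset(parse_checks(log_text))
    lifetime = ticket_lifetime(krb5_text)
    if offset is None or lifetime is None:
        return False
    return abs(offset - lifetime) <= interval
```

A True result means the outage lines up with the configured ticket lifetime rather than with some unrelated event.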