I run FreeBSD 5.2.1 and recently configured Samba 3.0.2a (from ports) for ADS using the FreeBSD-bundled krb5 (Heimdal 0.6, I believe) and OpenLDAP 2.1.28 (from ports). It is set up to authenticate off a Windows 2000 Domain Controller and is primarily used to provide proxy authentication for Squid. I will share more about my configuration if asked, but as it worked flawlessly at first I think it's something minor.

Everything works quite well until 10 hours after winbindd was started. Then requests get denied. I set up a cron job to demonstrate this. The cron job just logs the time and the output of "wbinfo -t" every five minutes:

**********************************************************************
<started winbindd>
2004/03/26 02:50:00| checking the trust secret via RPC calls succeeded
2004/03/26 02:55:00| checking the trust secret via RPC calls succeeded
<snip>
2004/03/26 12:45:00| checking the trust secret via RPC calls succeeded
2004/03/26 12:50:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
2004/03/26 12:55:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
**********************************************************************

Some research showed this was probably Kerberos tickets expiring or not being renewed. I looked up the ticket lifetimes for Windows 2000 and plugged those into my krb5.conf (hostnames changed):

**********************************************************************
$ less /etc/krb5.conf
[logging]
        default = FILE:/var/log/krb5.log

[libdefaults]
        default_realm = EXAMPLE.ORG
        default_etypes = des-cbc-crc
        default_etypes_des = des-cbc-crc
        ticket_lifetime = 36000
        renew_lifetime = 604800

[realms]
        EXAMPLE.ORG = {
                kdc = dc1.example.org
                kdc = dc2.example.org
                admin_server = dc1.example.org
                default_domain = example.org
        }

[domain_realms]
        .example.org = EXAMPLE.ORG
        example.org = EXAMPLE.ORG
**********************************************************************

I then tested whether renewing worked (hostnames changed):

**********************************************************************
$ kinit
[EMAIL PROTECTED]'s Password:
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [EMAIL PROTECTED]
    Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: des-cbc-crc
Auth time:  Mar 26 15:29:19 2004
End time:   Mar 27 01:29:19 2004
Renew till: Apr  2 15:29:19 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:10.0.0.2

$ kinit -R
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [EMAIL PROTECTED]
    Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: des-cbc-crc
Auth time:  Mar 26 15:29:19 2004
Start time: Mar 26 15:29:26 2004
End time:   Mar 27 01:29:26 2004
Renew till: Apr  2 15:29:19 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:10.0.0.2
**********************************************************************

In any case, I still see the exact same behavior (death after 10 hours). There is nothing in /var/log/krb5.log. Can anyone shed some light on this for me? I suppose I could restart winbindd every 9 hours...

Thanks,
Jon Noack

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
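The cron-job log above is the kind of evidence worth checking mechanically: does the time from the first successful `wbinfo -t` check to the first NT_STATUS_ACCESS_DENIED line up with the configured ticket_lifetime? The following is an added example, not code from the poster or from Samba; it assumes only the log line format and the krb5.conf values shown in the post, and the sample log and config text embedded in it are constructed from those. It parses the timestamped lines (skipping the untimestamped "error code was ..." continuation lines), measures the gap to the first failure, and compares it to the [libdefaults] ticket_lifetime with a tolerance of one cron interval.

```python
import re
from datetime import datetime

# Constructed sample of the cron-job log from the post; the "<snip>" gap is simply
# omitted. Continuation lines carry no timestamp and are ignored by the parser.
SAMPLE_LOG = """\
<started winbindd>
2004/03/26 02:50:00| checking the trust secret via RPC calls succeeded
2004/03/26 02:55:00| checking the trust secret via RPC calls succeeded
2004/03/26 12:45:00| checking the trust secret via RPC calls succeeded
2004/03/26 12:50:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
2004/03/26 12:55:00| checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
"""

# Constructed krb5.conf fragment using the same [libdefaults] values as the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.ORG
        ticket_lifetime = 36000
        renew_lifetime = 604800
"""

# One timestamped "wbinfo -t" result line, as written by the poster's cron job.
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| "
    r"checking the trust secret via RPC calls (succeeded|failed)$"
)


def parse_wbinfo_log(text):
    """Return a list of (timestamp, ok) tuples; lines without a timestamp are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        entries.append((ts, m.group(2) == "succeeded"))
    return entries


def time_to_first_failure(entries):
    """Seconds from the first check to the first failing check, or None if none failed."""
    if not entries:
        return None
    start = entries[0][0]
    for ts, ok in entries:
        if not ok:
            return int((ts - start).total_seconds())
    return None


def krb5_libdefault(conf_text, key):
    """Read an integer value (e.g. ticket_lifetime) from the [libdefaults] section."""
    in_section = False
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = (s == "[libdefaults]")
            continue
        if in_section and "=" in s:
            k, _, v = s.partition("=")
            if k.strip() == key:
                return int(v.strip())
    return None


def failure_matches_ticket_lifetime(log_text, conf_text, tolerance_s=300):
    """True when the gap to the first denial is within one cron interval of ticket_lifetime.

    A match supports (but does not prove) the expired-ticket hypothesis; the cron job
    only samples every 5 minutes and winbindd started shortly before the first sample,
    hence the tolerance.
    """
    gap = time_to_first_failure(parse_wbinfo_log(log_text))
    lifetime = krb5_libdefault(conf_text, "ticket_lifetime")
    if gap is None or lifetime is None:
        return False
    return abs(gap - lifetime) <= tolerance_s


if __name__ == "__main__":
    gap = time_to_first_failure(parse_wbinfo_log(SAMPLE_LOG))
    print("seconds until first NT_STATUS_ACCESS_DENIED:", gap)
    print("ticket_lifetime:", krb5_libdefault(SAMPLE_KRB5_CONF, "ticket_lifetime"))
    print("consistent with ticket expiry:",
          failure_matches_ticket_lifetime(SAMPLE_LOG, SAMPLE_KRB5_CONF))
```

On the sample data the gap is exactly 36000 seconds (10 hours), the same value as ticket_lifetime, which is why the poster suspects the ticket rather than, say, a network or DC-side problem. Run against a real cron log and krb5.conf it gives a quick yes/no before anyone starts restarting winbindd on a timer.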