Hello Samba-List-Users
I have a problem with KDC network name resolution. I tried to google it
and sought help on IRC#samba, to no avail. So I'll post my problem here.
In the spirit of privacy and normalization all server names in this post
are replaced. CAPTIAL server names are actually capitalized in the
configuration files.
Setup:
1x Debian5 x64 server running samba 3.2.5
2x Windows Server 2008R2 domain controllers (Active Directory running in
native mode)
some Windows7 Clients
here are my configuration files:
smb.conf (global section)
8<--
# Global parameters
[global]
netbios name = SAMBASERVER01
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = no
server string = Productive Datastore
interfaces = eth0 172.16.1.15
map to guest = bad user
security = ADS
encrypt passwords = yes
log level = 2
syslog = 2
winbind separator = +
printcap name = /etc/printcap
printing =
load printers = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 1-2
idmap gid = 1-2
usershare allow guests = no
hide files = /$RECYCLE.BIN/desktop.ini/
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
#full_audit:facility = LOCAL7
full_audit:priority = NOTICE
8<--
krb5.conf
8<--
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
# dc01 is FSMO server
kdc = dc01.domain.local
kdc = dc02.domain.local
admin_server = dc01.megasol.local
default_domain = domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
8<--
the domain join ran without errors:
SAMBASERVER01:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DOMAIN
Joined 'SAMBASERVER01' to realm 'domain.local'
kinit is contempt, too:
SAMBASERVER01:~# kinit -V Administrator
Password for administra...@domain.local:
Authenticated to Kerberos v5
I logged into DC01 using the domain administrator account:
I can connect to the samba server; no problems.
I logged into a windows7 client using a domain user:
I can connect to the samba server; no problems.
I logged into a windows7 client user local admin (no domain login):
I can't connect to the samba server
I use smbclient on SAMBASERVER01:
SAMBASERVER01:~# smbclient //SAMBASERVER01/SHARE -U Administrator
Enter Administrator's password:
session setup failed: NT code 0x0721
I use smbclient on SAMBASERVER01 again:
SAMBASERVER01:~# smbclient //SAMBASERVER01/IT -U Administrator
Enter Administrator password:
session setup failed: NT_STATUS_PIPE_DISCONNECTED
I use smbclient using Kerberos authentication:
SAMBASERVER01:~# smbclient //SAMBASERVER01/IT -k
OS=[Unix] Server=[Samba 3.2.5]
smb: \>
that works!
the smbd and nmbd logs are clean
but it seems that winbind ist struggling:
log.winbindd
8<--
[2010/06/07 10:17:59, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(619)
Doing kerberos session setup
[2010/06/07 10:17:59, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
ads_krb5_mk_req: krb5_get_credentials failed for dc...@domain (Cannot
resolve network address for KDC in requested realm)
[2010/06/07 10:17:59, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(626)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
[2010/06/07 10:17:59, 1] winbindd/winbindd_util.c:trustdom_recv(260)
Could not receive trustdoms
8<--
I'm at a loss here... can anyone help? Or point me into the right direction?
Cheers
Daniel
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
