[Samba] winbind failure with libkrb5-3 1.8 in Debian *RENAMED*
I have renamed this thread as the panics stopped when libkrb5-3, et.al. were upgraded to 1.8. However, bigger problems are now occurring. See below. On 01/27/2010 10:13 AM, Volker Lendecke wrote: On Wed, Jan 27, 2010 at 04:05:46AM -0800, Steve Langasek wrote: On Tue, Jan 26, 2010 at 02:22:36PM -0800, Steve Langasek wrote: On Tue, Jan 26, 2010 at 05:03:51PM -0500, Sam Hartman wrote: "Steve" == Steve Langasek writes: Steve> On Tue, Jan 26, 2010 at 01:29:08PM -0500, Sam Hartman wrote: >> OK. Can someone on the Samba side confirm that the Linux kernel >> only supports DES for some Samba related Kerberos operation? >> Specific details on what is going on would be useful. Steve> The kernel is only involved when one is using CIFS mounts, Steve> which aren't relevant to winbind and domain joining; so this Steve> shouldn't be a kernel issue. OK. Then I currently have no idea why allow_weak_crypto would be desirable for Samba. In the case of AD realms that were continuously upgraded from NT4 domains, you may have accounts only using RC4 as an enctype for backwards-compatibility with pre-AD systems. I don't know if this is the reason these users are seeing problems, but it's the only case I can think of why allow_weak_crypto should be needed. Sorry, having looked at the source now, I see that the weak crypto handling is specific to DES, not RC4; and if Samba were *only* using RC4, this error would not happen. However, Samba requests both RC4 and DES, a historical remnant of the time when DES was the only enctype in common between all Kerberos implementations. Referring to the SUBJECT: Where is this leading to a panic in Samba 3.4, I got lost in the meantime. Volker Now, winbind simply doesn't work in 3.4.3 nor in 3.4.5, the latter which I tested this morning. The 3.4.5 testing was done with libkrb5-3 1.8+dsfg~alpha1-5, upgraded from alpha1-4. This also includes setting allow_weak_crypto=true in krb5.conf; however, the encryption error message returns when testing the join or doing kinit. [date time, 0] libads/sasl.c:819(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type. [repeat above two lines] Join to domain is not valid: Undetermined error I guess I should retest stable to see what that yields. Dale -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Winbind failure
In case anyone was following along, I've solved the problem. I'm not sure what technically did it, but I upgraded Samba from 3.0.25a to 3.0.25b. Also, I used the "net" command that came with the package (bin/net) which I apparently wasn't using before (doing a "which net" command). After that I did a kdestroy, kinit, net ads join and all worked again! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Winbind failure
On Tuesday 10 July 2007 6:03 pm, Michael Bann wrote: > After copying over the lock files and the secrets.tdb file, I get a new > error. (I attempted to reinstall Samba and did not copy those files over > before.) > > I removed the computer name... > > [2007/07/10 16:51:31, 0] smbd/server.c:main(986) > standard input is not a socket, assuming -D option > [2007/07/10 16:51:31, 0] > nsswitch/winbindd_cache.c:initialize_winbindd_cache(2221) > initialize_winbindd_cache: clearing cache and re-creating with version > number 1 > [2007/07/10 16:51:32, 0] libads/kerberos.c:ads_kinit_password(227) > kerberos_kinit_password [EMAIL PROTECTED] failed: > Preauthentication failed > [2007/07/10 16:51:32, 0] printing/nt_printing.c:nt_printing_init(650) > nt_printing_init: error checking published printers: WERR_ACCESS_DENIED > [2007/07/10 16:51:32, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853) > Kinit failed: Preauthentication failed > [2007/07/10 16:51:32, 1] nsswitch/winbindd_util.c:trustdom_recv(237) > Could not receive trustdoms > > Any ideas? > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba This is probably of no use to you, but, who knows. I had the same thing happen on one of my CentOS 3 boxes; same errors. I generally like to roll my own RPMs from source RPMs, and use the source RPM from sernet. As the machine in question is VERY old (Dell PW 6100/200 - test machine that otherwise works very well), I couldn't do this without the machine hanging. So, I DL'd the full sernet RPMs. I believe I tried both the RedHat and CentOS RPMs and ... I got the exact same messages as you. After struggling to figure out what the problem was, the light bulb finally lit. I copied over RPMs I had created on another CentOS 3 box and ,,, all errors vanished, and I was able to connect the box to my AD network. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Winbind failure
After copying over the lock files and the secrets.tdb file, I get a new error. (I attempted to reinstall Samba and did not copy those files over before.) I removed the computer name... [2007/07/10 16:51:31, 0] smbd/server.c:main(986) standard input is not a socket, assuming -D option [2007/07/10 16:51:31, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2221) initialize_winbindd_cache: clearing cache and re-creating with version number 1 [2007/07/10 16:51:32, 0] libads/kerberos.c:ads_kinit_password(227) kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed [2007/07/10 16:51:32, 0] printing/nt_printing.c:nt_printing_init(650) nt_printing_init: error checking published printers: WERR_ACCESS_DENIED [2007/07/10 16:51:32, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853) Kinit failed: Preauthentication failed [2007/07/10 16:51:32, 1] nsswitch/winbindd_util.c:trustdom_recv(237) Could not receive trustdoms Any ideas? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Winbind failure
After entering the command I get the following: Version 3.0.10-1.4E.12.2 Roberto Lizana wrote: what is your version of winbind??? (type winbindd --version in console). -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Winbind failure
Folks, I am setting up a server to use cups printing and samba to communicate with windows. Samba appeared to be working for a little while and then for some reason stopped working. Looking at the log files I see the following: [2007/07/10 12:49:16, 0] smbd/server.c:main(986) standard input is not a socket, assuming -D option [2007/07/10 12:49:16, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2221) initialize_winbindd_cache: clearing cache and re-creating with version number 1 [2007/07/10 12:49:16, 0] nsswitch/winbindd_util.c:init_domain_list(513) Could not fetch our SID - did we join? [2007/07/10 12:49:16, 0] nsswitch/winbindd.c:main(1088) unable to initalize domain list [2007/07/10 12:49:16, 0] printing/nt_printing.c:nt_printing_init(650) nt_printing_init: error checking published printers: WERR_ACCESS_DENIED The command "getent passwd" lists users on the domain. The command "net ads testjoin" results in "Join is OK". Testparm says that the configuration file is fine. "net getlocalsid" and "net getlocalsid cems" both return a sid value. Klist shows valid tickets for my domain. Doing a /etc/init.d/smb restart shows that winbind starts up "ok" but will always "fail" on shutdown. This leads me to believe that it's not actually starting "ok", or that it is but it's crashing quickly thereafter. Does anyone have ideas about why this might be happening? Thanks, Michael -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
