I have 2 CentOS 5.6 x86_64 servers configured with Samba 3.5.4, CTDB, GFS and DRBD in an active/active cluster. After some time winbind loses the ticket. After this I have to do a net ads join on the server to get things going. The main DC is a Windows 2003 server with SP2. I also have 2 more Samba 4 DCs, running on Debian 6 as VMs, that I use for backup authentication only. I am not sure whether they could be causing a problem or not.
This is what I am seeing in the logs:

winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms : 240 Time(s)

And:

[root@pdc ~]# wbinfo -t
checking the trust secret for domain TAYLORTELEPHONE via RPC calls failed
Could not check secret
[root@pdc ~]# wbinfo -a someuser%password
plaintext password authentication failed
Could not authenticate user someuser%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user someuser with challenge/response
[root@pdc ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
04/28/11 09:23:18 04/28/11 09:23:22 krbtgt/[email protected]
renew until 04/28/11 09:23:22, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

And then if I do:

[root@pdc ~]# net ads join -Uadministrator%password
Using short domain name -- TAYLORTELEPHONE
Joined 'PDC' to realm 'taylortelephone.com'
DNS update failed!
[root@pdc ~]# wbinfo -a someuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

everything works again for a while.
samba3x-common-3.5.4-0.70.el5_6.1 samba3x-winbind-3.5.4-0.70.el5_6.1 samba3x-client-3.5.4-0.70.el5_6.1 samba3x-3.5.4-0.70.el5_6.1 [global] workgroup = TAYLORTELEPHONE realm = TAYLORTELEPHONE.COM server string = Cluster Share %L interfaces = eth0, lo security = ADS password server = 192.168.173.10 log file = /var/log/samba/samba3.log clustering = Yes wins server = 192.168.173.10 idmap backend = idmap_rid:TAYLORTELEPHONE=500-4000000 idmap uid = 500-4000000 idmap gid = 500-4000000 template homedir = /home/%U template shell = /bin/bash winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind refresh tickets = Yes winbind offline logon = Yes [apps] comment = Application Data path = /data/programs force user = root force group = Domain Admins read only = No inherit acls = Yes vfs objects = recycle recycle: config-files = /etc/samba/samba-recycle.conf [share] comment = Share Data path = /clusterdata/share force user = root force group = Domain Admins read only = No inherit acls = Yes vfs objects = recycle recycle: config-files = /etc/samba/samba-recycle.conf [home] comment = Home Directories path = /clusterdata/home read only = No [printers] comment = SMB Print Spool path = /var/spool/samba guest ok = Yes printable = Yes browseable = No [netlogon] comment = Network Logon Service path = /clusterdata/netlogon guest ok = Yes locking = No [profiles] comment = Profile Share path = /clusterdata/profiles read only = No inherit owner = Yes profile acls = Yes hide files = /desktop.ini/outlook*.lnk/*Briefcase*/ store dos attributes = Yes [print$] comment = Printer Drivers path = /var/lib/samba/drivers read only = No [root@pdc ~]# cat /etc/krb5.conf [libdefaults] default_realm = TAYLORTELEPHONE.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] TAYLORTELEPHONE.COM = { kdc = qbserver.taylortelephone.com:88 admin_server = qbserver.taylortelephone.com:749 default_domain = taylortelephone.com } 
[domain_realm] .taylortelephone.com = TAYLORTELEPHONE.COM taylortelephone.com = TAYLORTELEPHONE.COM [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
