I also found this in the logs on both servers.

[2011/05/02 16:52:01.425379,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module ldap already registered!
[2011/05/02 16:52:01.496966,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/05/02 16:52:01.569375,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/05/02 16:52:01.641802,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/05/02 16:52:01.708285,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module rid already registered!
[2011/05/02 16:52:01.774795,  0] lib/module.c:69(do_smb_load_module)
  Module '/usr/lib64/samba/idmap/rid.so' initialization failed: NT_STATUS_OBJECT_NAME_COLLISION
[2011/05/02 16:52:01.836023,  1] winbindd/idmap.c:580(idmap_alloc_init)
  could not find idmap alloc module rid:TAYLORTELEPHONE=500-4000000

Jonn

On 05/02/2011 12:14 PM, Taylor, Jonn wrote:
> I have 2 CentOS 5.6 x86_64 servers configured with samba 3.5.4,
> CTDB, GFS and DRBD in an active/active cluster. After some time winbind
> loses the ticket. After this I have to do a net ads join on the server
> to get things going. The main DC is a Windows 2003 server with SP2. I do
> have 2 more samba 4 DCs that I use for backup authentication only that
> run on Debian 6 that are VMs. Not sure if they could be causing a
> problem or not.
>
> This is what I am seeing in the logs.
>
> winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms :
> 240 Time(s)
>
> And
>
> [root@pdc ~]# wbinfo -t
> checking the trust secret for domain TAYLORTELEPHONE via RPC calls failed
> Could not check secret
> [root@pdc ~]# wbinfo -a someuser%password
> plaintext password authentication failed
> Could not authenticate user someuser%password with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: Access denied
> Could not authenticate user someuser with challenge/response
>
> [root@pdc ~]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 04/28/11 09:23:18 04/28/11 09:23:22
> krbtgt/[email protected]
> renew until 04/28/11 09:23:22, Etype (skey, tkt): ArcFour with
> HMAC/md5, ArcFour with HMAC/md5
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
> And then if I do
>
> [root@pdc ~]# net ads join -Uadministrator%password
> Using short domain name -- TAYLORTELEPHONE
> Joined 'PDC' to realm 'taylortelephone.com'
> DNS update failed!
> [root@pdc ~]# wbinfo -a someuser%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> everything works again for a while.
>
> samba3x-common-3.5.4-0.70.el5_6.1
> samba3x-winbind-3.5.4-0.70.el5_6.1
> samba3x-client-3.5.4-0.70.el5_6.1
> samba3x-3.5.4-0.70.el5_6.1
>
>
> [global]
>     workgroup = TAYLORTELEPHONE
>     realm = TAYLORTELEPHONE.COM
>     server string = Cluster Share %L
>     interfaces = eth0, lo
>     security = ADS
>     password server = 192.168.173.10
>     log file = /var/log/samba/samba3.log
>     clustering = Yes
>     wins server = 192.168.173.10
>     idmap backend = idmap_rid:TAYLORTELEPHONE=500-4000000
>     idmap uid = 500-4000000
>     idmap gid = 500-4000000
>     template homedir = /home/%U
>     template shell = /bin/bash
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind refresh tickets = Yes
>     winbind offline logon = Yes
>
> [apps]
>     comment = Application Data
>     path = /data/programs
>     force user = root
>     force group = Domain Admins
>     read only = No
>     inherit acls = Yes
>     vfs objects = recycle
>     recycle: config-files = /etc/samba/samba-recycle.conf
>
> [share]
>     comment = Share Data
>     path = /clusterdata/share
>     force user = root
>     force group = Domain Admins
>     read only = No
>     inherit acls = Yes
>     vfs objects = recycle
>     recycle: config-files = /etc/samba/samba-recycle.conf
>
> [home]
>     comment = Home Directories
>     path = /clusterdata/home
>     read only = No
>
> [printers]
>     comment = SMB Print Spool
>     path = /var/spool/samba
>     guest ok = Yes
>     printable = Yes
>     browseable = No
>
> [netlogon]
>     comment = Network Logon Service
>     path = /clusterdata/netlogon
>     guest ok = Yes
>     locking = No
>
> [profiles]
>     comment = Profile Share
>     path = /clusterdata/profiles
>     read only = No
>     inherit owner = Yes
>     profile acls = Yes
>     hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
>     store dos attributes = Yes
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/drivers
>     read only = No
> [root@pdc ~]# cat /etc/krb5.conf
> [libdefaults]
>     default_realm = TAYLORTELEPHONE.COM
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     ticket_lifetime = 24h
>     forwardable = yes
>
> [realms]
>     TAYLORTELEPHONE.COM = {
>         kdc = qbserver.taylortelephone.com:88
>         admin_server = qbserver.taylortelephone.com:749
>         default_domain = taylortelephone.com
>     }
>
> [domain_realm]
>     .taylortelephone.com = TAYLORTELEPHONE.COM
>     taylortelephone.com = TAYLORTELEPHONE.COM
>
> [appdefaults]
>     pam = {
>         debug = false
>         ticket_lifetime = 36000
>         renew_lifetime = 36000
>         forwardable = true
>         krb4_convert = false
>     }
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
