Hello all. After last update (from winbind-3.5.3 and krb5-1.8.1 to winbind-3.5.10 and krb5-1.9.1) users from a trusted domain can't authenticate any more.
Machines are joined to domain PERSONALE, and users from domain STUDENTI aren't recognized. Domains are handled by W2k8 or W2k8r2 (I have no control over these). The last lines from /var/log/samba/log.wb-STUDENTI report:

[2012/02/23 10:42:20.205656, 3] libads/sasl.c:793(ads_sasl_spnego_bind) ads_sasl_spnego_bind: got server principal name = edge$@STUDENTI.DIR.UNIBO.IT
[2012/02/23 10:42:20.239823, 1] libsmb/clikrb5.c:789(ads_krb5_mk_req) ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo...@studenti.dir.unibo.it (Realm not local to KDC)
[2012/02/23 10:42:20.311687, 1] libsmb/clikrb5.c:789(ads_krb5_mk_req) ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo...@studenti.dir.unibo.it (Realm not local to KDC)
[2012/02/23 10:42:20.311765, 0] libads/sasl.c:823(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Realm not local to KDC
[2012/02/23 10:42:20.312246, 1] winbindd/winbindd_ads.c:126(ads_cached_connection) ads_connect for domain STUDENTI failed: Realm not local to KDC
[2012/02/23 11:04:15.428341, 3] winbindd/winbindd_dual.c:53(child_read_request) child_read_request: read_data failed: NT_STATUS_END_OF_FILE

'edge' is one of the DCs of the STUDENTI domain, but it seems the PC can't acquire a ticket for that domain. The machine is correctly joined, and my employee account actually works. But not the student one :(

[root@str00160-bibl4 ~]# wbinfo -i studenti\\diego.zuccato2
Could not get info for user studenti\diego.zuccato2
[root@str00160-bibl4 ~]# wbinfo -i diego.zuccato
diego.zuccato:*:108036:100013:Mat032398:/home/PERSONALE/diego.zuccato:/bin/bash

I already tried deleting all .tdb files (in /etc/samba and /var/cache/samba) and rejoining (some hiccups here, but net ads testjoin reports "join is OK").
My /etc/samba/smb.conf is the same one that has worked for a couple of years:

[global]
workgroup = PERSONALE
realm = PERSONALE.DIR.UNIBO.IT
server string = %v
security = ADS
encrypt passwords = Yes
#password server = atu.personale.dir.unibo.it
log file = /var/log/samba/log.%m
log level = 3
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
#winbind separator = -
winbind enum users = No
winbind enum groups = No
winbind offline logon = Yes
winbind nested groups = Yes
winbind normalize names = Yes
winbind refresh tickets = Yes
winbind use default domain = yes
winbind uid = 100000-100000000
winbind gid = 100000-100000000
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 100000 - 49999999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 50000000 - 99999999
template homedir = /home/local/%D/%U
template shell = /bin/bash

And the same goes for my /etc/krb5.conf (but I think this one gets ignored):

[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = PERSONALE.DIR.UNIBO.IT
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
PERSONALE.DIR.UNIBO.IT = {
kdc = aki.PERSONALE.DIR.UNIBO.IT:88
admin_server = aki.PERSONALE.DIR.UNIBO.IT:749
default_domain = PERSONALE.DIR.UNIBO.IT
}

[domain_realm]
.PERSONALE.DIR.UNIBO.IT = PERSONALE.DIR.UNIBO.IT

[kdc]
profile = /etc/kerberos/krb5kdc/kdc.conf

[login]
krb4_convert = false
krb4_get_tickets = false

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = true
mappings = ([a-z\.]*)@studio.unibo.it STUDENTI-$1
}

Too bad I already upgraded more than 60 machines to the new packages... What can I do to fix it? Next week students start coming to the lab... TIA!

BYtE, Diego.
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
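The following is an added diagnostic example, not code from the post or from Samba/MIT krb5. It reads the two things the post quotes (the winbind log lines and the [realms]/[domain_realm] sections of the krb5.conf) and reports, for each principal that failed in smb_krb5_get_credentials, whether the realm after the '@' is configured in [realms] and whether the host part would get a realm from [domain_realm] at all. The domain_realm lookup mimics the documented MIT rule (exact hostname first, then parent domains written with a leading dot, longest first); what libkrb5 does when nothing matches (DNS TXT lookup when dns_lookup_realm is on, otherwise default_realm) is only described in a comment. The log excerpt and the trimmed krb5.conf are constructed from the post's text and embedded inline; the principal's host part keeps the '...' elision the original log has, so it cannot match anything, and that is reported as such rather than guessed.

```python
"""Added example: check what the local krb5 profile knows about the realms
that show up in winbind's smb_krb5_get_credentials failures. Read-only."""
import re

# Constructed sample from the post's log (header and message on one line,
# as in the quoted log; the host part is elided with '...' in the original).
WINBIND_LOG = """\
[2012/02/23 10:42:20.239823, 1] libsmb/clikrb5.c:789(ads_krb5_mk_req) ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/edge.studenti.dir.unibo...@studenti.dir.unibo.it (Realm not local to KDC)
[2012/02/23 10:42:20.312246, 1] winbindd/winbindd_ads.c:126(ads_cached_connection) ads_connect for domain STUDENTI failed: Realm not local to KDC
"""

# Constructed excerpt of the post's krb5.conf (only the sections this check reads).
KRB5_CONF = """
[libdefaults]
  default_realm = PERSONALE.DIR.UNIBO.IT
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  PERSONALE.DIR.UNIBO.IT = {
    kdc = aki.PERSONALE.DIR.UNIBO.IT:88
    admin_server = aki.PERSONALE.DIR.UNIBO.IT:749
    default_domain = PERSONALE.DIR.UNIBO.IT
  }

[domain_realm]
  .PERSONALE.DIR.UNIBO.IT = PERSONALE.DIR.UNIBO.IT
"""

FAIL_RE = re.compile(r"smb_krb5_get_credentials failed for (\S+) \((.+)\)")


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}}, '{ }' blocks as nested dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:  # key outside any section: ignore
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return sections


def realm_for_host(hostname, conf):
    """[domain_realm] lookup as MIT documents it: exact host, then each parent
    domain with a leading dot (longest first). None means no profile mapping;
    libkrb5 would then try DNS (dns_lookup_realm = true) or default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def credential_failures(log_text):
    """Extract (principal, error) pairs from smb_krb5_get_credentials failures."""
    return [(m.group(1), m.group(2)) for m in FAIL_RE.finditer(log_text)]


def profile_report(log_text, conf):
    """One record per failing principal: is its realm in [realms], and does its
    host part map to any realm through [domain_realm]?"""
    known_realms = {r.lower() for r in conf.get("realms", {})}
    report = []
    for principal, error in credential_failures(log_text):
        service, _, realm = principal.partition("@")
        host = service.partition("/")[2]  # 'ldap/host' -> 'host'
        report.append({
            "principal": principal,
            "error": error,
            "realm_in_profile": realm.lower() in known_realms,
            "domain_realm_match": realm_for_host(host, conf),
        })
    return report


if __name__ == "__main__":
    for rec in profile_report(WINBIND_LOG, parse_krb5_conf(KRB5_CONF)):
        print(rec)
```

Run against the post's own data it reports one failure whose realm (studenti.dir.unibo.it) is absent from [realms] and whose host has no [domain_realm] match, while a PERSONALE host such as the configured KDC resolves through the .PERSONALE.DIR.UNIBO.IT entry. That is a statement about the local profile only; with dns_lookup_realm = true the real client falls back to DNS, so a missing profile entry is a thing to verify on the affected machines, not by itself the cause of "Realm not local to KDC".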