Hi there

I'm having trouble getting winbindd working properly (I think).

My understanding is that winbindd uses a kerberos 5 session (with 2003
server) to authenticate the machine to ADS, before any users have logged in.
Then it uses that session ticket to authenticate all users of the smb
server.

Is that correct?

I can run kinit OK, and klist shows me a krb5 ticket (using a Domain
Administrator ID):
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/06/03 10:05:23  10/06/03 20:05:23  krbtgt/[EMAIL PROTECTED]
10/06/03 10:16:20  10/06/03 20:05:23  [EMAIL PROTECTED]
10/06/03 10:17:23  10/06/03 20:05:23  [EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Winbindd does not appear to be able to complete a secure dialog with ADS:

[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(667)
  got [EMAIL PROTECTED]
[2003/10/06 10:51:19, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(493)
  Doing kerberos session setup
[2003/10/06 10:51:19, 1] libsmb/smb_signing.c:signing_good(226)
  signing_good: SMB signature check failed on seq 1!
[2003/10/06 10:51:19, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
[2003/10/06 10:51:19, 4] nsswitch/winbindd_cm.c:cm_open_connection(185)
  failed kerberos session setup with NT_STATUS_OK
[2003/10/06 10:51:19, 4] nsswitch/winbindd_cm.c:cm_open_connection(226)
  failed anonymous session setup with NT_STATUS_OK
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_start_connection(1290)
  Connecting to host=BASHFUL
[2003/10/06 10:51:19, 3] lib/util_sock.c:open_socket_out(690)
  Connecting to 10.0.0.104 at port 445
[2003/10/06 10:51:19, 2] libsmb/cliconnect.c:cli_session_setup_spnego(635)
  Doing spnego session setup (blob length=117)
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
  got OID=1 2 840 48018 1 2 2
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
  got OID=1 2 840 113554 1 2 2
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
  got OID=1 2 840 113554 1 2 2 3
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
  got OID=1 3 6 1 4 1 311 2 2 10
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(667)
  got [EMAIL PROTECTED]
[2003/10/06 10:51:19, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(493)
  Doing kerberos session setup
[2003/10/06 10:51:19, 1] libsmb/smb_signing.c:signing_good(226)
  signing_good: SMB signature check failed on seq 1!
[2003/10/06 10:51:19, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
[2003/10/06 10:51:19, 4] nsswitch/winbindd_cm.c:cm_open_connection(185)
  failed kerberos session setup with NT_STATUS_OK
[2003/10/06 10:51:19, 4] nsswitch/winbindd_cm.c:cm_open_connection(226)
  failed anonymous session setup with NT_STATUS_OK
<snip>

I'm now wondering how winbind authenticates itself, as I can get wbinfo
to list users and groups for me, but no clients can authenticate.

Log of client attach:
[2003/10/06 10:39:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
[2003/10/06 10:39:07, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 2 840 48018 1 2 2
[2003/10/06 10:39:07, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 2 840 113554 1 2 2
[2003/10/06 10:39:07, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2003/10/06 10:39:07, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
  Got secblob of size 1224
[2003/10/06 10:39:07, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2003/10/06 10:39:07, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/10/06 10:39:07, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/10/06 10:39:07, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2003/10/06 10:39:07, 3] smbd/error.c:error_packet(109)
  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2003/10/06 10:39:07, 3] smbd/process.c:timeout_processing(1099)
  timeout_processing: End of file from client (client has disconnected).
[2003/10/06 10:39:07, 3] smbd/sec_ctx.c:set_sec_ctx(287)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/10/06 10:39:07, 2] smbd/server.c:exit_server(558)
  Closing connections
[2003/10/06 10:39:07, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2003/10/06 10:39:07, 3] smbd/connection.c:yield_connection(75)
  yield_connection: tdb_delete for name  failed with error Record does not exist.
[2003/10/06 10:39:07, 3] smbd/server.c:exit_server(601)
  Server exit (normal exit)

I suspect winbindd is bound to ADS as 'anonymous', which I imagine gives the
account read-only and limited rights to do things.

Does winbindd need to authenticate to the PDC with a specific (krb5)
identity?
How do I set that up?

I can't successfully run kadmin:
[EMAIL PROTECTED] samba]# kadmin
Authenticating as principal Administrator/[EMAIL PROTECTED] with password.
kadmin: Client not found in Kerberos database while initializing kadmin
interface

The only example I can find for creating a /etc/krb5.keytab is
http://mailman.mit.edu/pipermail/kerberos/2002-June/001055.html
which talks about the FTP service key.

Do I need to have a /etc/krb5.keytab file, and if so, how do I create one?

Can anyone help? I'm not sure if I have a winbind problem or a krb5
problem, or something in between.

Gavin Davenport


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
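Added example, not part of Gavin's post and not Samba's own tooling: a small POSIX shell script that writes the member server's keytab with `net ads keytab create` and then checks that the keytab holds the principals a Samba ADS member is expected to have, all at a single key version number (KVNO). A key in the keytab that does not match the KDC's current key for the host is one common cause of "Decrypt integrity check failed" when a server verifies a client's service ticket, so the KVNO check is the one a practitioner wants before digging further. The script assumes MIT Kerberos (for the `klist -k` output format), a Samba release whose `net` command has the `ads keytab` subcommand, a machine that has already been joined with `net ads join`, and the made-up names `SAMBA1`, `samba1.example.com` and realm `EXAMPLE.COM`. The `klist -k` output embedded in `sample_klist` is constructed so the checks can be run without a domain; pass `--create` to run the live procedure instead.

```shell
#!/bin/sh
# Added example (not from the original post, not Samba's own code): write the
# keytab for a Samba ADS member server and verify its contents.
# Assumes MIT Kerberos, a "net" with the "ads keytab" subcommand, and that
# "net ads join" has already been run. Names below are made up.
set -eu

MEMBER="SAMBA1"                 # assumed NetBIOS name of this server
FQDN="samba1.example.com"       # assumed DNS name
REALM="EXAMPLE.COM"             # assumed Kerberos realm (upper case)

# Constructed stand-in for "klist -k /etc/krb5.keytab": a three-line header
# followed by "KVNO Principal" rows, as MIT klist prints it.
sample_klist() {
    cat <<EOF
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/${FQDN}@${REALM}
   2 host/${MEMBER}@${REALM}
   2 ${MEMBER}\$@${REALM}
EOF
}

# keytab_has_principal PRINCIPAL: read klist -k output on stdin; succeed only
# if PRINCIPAL is listed (case-sensitive, as Kerberos principals are).
keytab_has_principal() {
    awk -v p="$1" 'NR > 3 && $2 == p { found = 1 } END { exit !found }'
}

# keytab_single_kvno: read klist -k output on stdin; succeed only if every
# entry carries the same KVNO. Mixed KVNOs mean the keytab is stale relative
# to the machine account (password changed since it was written).
keytab_single_kvno() {
    awk 'NR > 3 && NF >= 2 { seen[$1] = 1 }
         END { n = 0; for (k in seen) n++; exit (n != 1) }'
}

# check_keytab: run both checks over klist -k output on stdin, print one
# verdict line per expected principal, return 0 only if all pass.
check_keytab() {
    input=$(cat)
    rc=0
    for p in "host/${FQDN}@${REALM}" "host/${MEMBER}@${REALM}" "${MEMBER}\$@${REALM}"; do
        if printf '%s\n' "$input" | keytab_has_principal "$p"; then
            echo "ok      $p"
        else
            echo "MISSING $p"
            rc=1
        fi
    done
    printf '%s\n' "$input" | keytab_single_kvno || { echo "MISMATCHED KVNOs: rerun net ads keytab create"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--create" ]; then
    # Live procedure: (re)write host/ and MEMBER$ keys for the existing
    # machine account into /etc/krb5.keytab, confirm the join, then check.
    net ads keytab create -U Administrator
    net ads testjoin
    klist -k /etc/krb5.keytab | check_keytab
else
    # Offline demonstration over the constructed sample.
    sample_klist | check_keytab
fi
```

Run it as root with `--create` on the member server after `net ads join`; rerun `--create` whenever the machine account password is changed, since the KDC's KVNO for the host moves on and the old keys in the keytab stop decrypting new service tickets.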