Hi, we've got a samba-3.0.21a-1 system that's set up w/ winbind to query AD to authenticate users w/out Unix accts. The system is also set up to support our LDAP'd UNIX accts.

After setting the [global] section like this:

[global]
   realm = WIN.OURDOMAIN.COM
   security = ads
   password server = thebes balsam
   encrypt passwords = yes
   log file = /var/log/samba/log.%m
   log level = 5
   max log size = 300
   debug level = 3
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   idmap uid = 15000-35000
   idmap gid = 15000-35000
   winbind separator = \\
   winbind use default domain = no
   netbios name = SLOCOMBE
   workgroup = OURDOMAIN

... /etc/nsswitch edited like this:

passwd:     files ldap winbind
group:      files ldap winbind

...and /etc/pam.d/system-auth edited like this:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth optional /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=1 ticket_lifetime=90000 renew_lifetime=630000 forwardable
auth        required      /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/pam_winbind.so use_first_pass

account     sufficient    /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
account     sufficient    /lib/security/pam_winbind.so

... and turned OFF the nscd service...

... we can join the AD domain correctly via 'net join', and all appears to work: 'wbinfo -u' and 'wbinfo -g' show users & groups in all three of our AD domains. 'wbinfo -t' succeeds as well. SAMBA shares map correctly on our XP systems for users who only have AD accts., and those w/ LDAP accts. So far, so good.

But now, when you run 'id <user>' or 'groups <user>', the system gets fairly catatonic, and smb / winbind must be restarted to regain sanity.

From log.winbindd (these types of messages repeat over and over):

   [2006/02/09 13:53:59, 3] libads/ldap.c:ads_server_info(2541)
got ldap server name [EMAIL PROTECTED], using bind path: dc=WIN,dc=OURDOMAIN,dc=COM
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/09 13:53:59, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2006/02/09 13:53:59, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(415)
Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 09 Feb 2006 23:53:11 PST
[2006/02/09 13:53:59, 3] libads/ldap.c:ads_do_paged_search(527)
ads_do_paged_search: ldap_search_with_timeout((objectclass=*)) -> Referral
[2006/02/09 13:53:59, 3] libads/ldap_utils.c:ads_do_search_retry(66)
Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error Referral
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_lmhosts(855)
  resolve_lmhosts: Attempting lmhosts lookup for name balsam<0x20>
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_wins(752)
  resolve_wins: Attempting wins lookup for name balsam<0x20>
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_wins(755)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2006/02/09 13:53:59, 3] libsmb/namequery.c:resolve_hosts(917)
  resolve_hosts: Attempting host lookup for name balsam<0x20>
[2006/02/09 13:53:59, 3] libsmb/namequery.c:name_resolve_bcast(694)
  name_resolve_bcast: Attempting broadcast lookup for name balsam<0x20>
[2006/02/09 13:54:00, 3] libads/ldap.c:ads_connect(288)
  Connected to LDAP server 192.168.55.60
[2006/02/09 13:54:00, 3] libads/ldap.c:ads_server_info(2541)
got ldap server name [EMAIL PROTECTED], using bind path: dc=WIN,dc=OURDOMAIN,dc=COM
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/09 13:54:00, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2006/02/09 13:54:00, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(415)
Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 09 Feb 2006 23:53:11 PST
[2006/02/09 13:54:00, 3] nsswitch/winbindd_ads.c:dn_lookup(393)
  ads: dn_lookup
[2006/02/09 13:54:00, 3] libads/ldap.c:ads_do_paged_search(527)
ads_do_paged_search: ldap_search_with_timeout((objectclass=*)) -> Referral
[2006/02/09 13:54:00, 3] libads/ldap_utils.c:ads_do_search_retry(66)
Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error Referral

Any ideas here?  Any info is appreciated.


 - SBC


--
Scott Chapin            Dreamworks Animation
[EMAIL PROTECTED]    (818) 695-6361
"Computer says no."
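As an added diagnostic (not part of the original post), the following sh script scans a log.winbindd file for the Referral / "Reopening ads connection" cycle shown in the post and counts how many reconnects winbindd performed in each second; a burst of reconnects inside one second is the signature of a referral loop that leaves 'id <user>' hanging. The sample log lines are constructed from the post's excerpt, and the reconnect threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: detect a winbindd referral loop
# by counting "Reopening ads connection ... after error Referral" per second.

# Constructed sample modelled on the post's log.winbindd excerpt. Samba writes
# a header line "[date time, level] file:func(line)" followed by the message.
SAMPLE_LOG=$(cat <<'EOF'
[2006/02/09 13:53:59, 3] libads/ldap.c:ads_do_paged_search(527)
ads_do_paged_search: ldap_search_with_timeout((objectclass=*)) -> Referral
[2006/02/09 13:53:59, 3] libads/ldap_utils.c:ads_do_search_retry(66)
Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error Referral
   [2006/02/09 13:53:59, 3] libads/ldap.c:ads_connect(288)
  Connected to LDAP server 192.168.55.60
[2006/02/09 13:53:59, 3] libads/ldap_utils.c:ads_do_search_retry(66)
Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error Referral
[2006/02/09 13:54:00, 3] libads/ldap_utils.c:ads_do_search_retry(66)
Reopening ads connection to realm 'WIN.OURDOMAIN.COM' after error Referral
EOF
)

# Read a winbindd log on stdin; print "<date> <time> <reconnects>" per second.
# The timestamp comes from the header line that precedes each message line.
referral_reconnects_per_second() {
    awk '
        /^ *\[[0-9]+\/[0-9]+\/[0-9]+ [0-9:]+,/ {
            ts = $1 " " $2; sub(/^ *\[/, "", ts); sub(/,$/, "", ts)
            next
        }
        /Reopening ads connection .* after error Referral/ { n[ts]++ }
        END { for (t in n) print t, n[t] }
    ' | sort
}

# Return 0 (true) when any second holds more than $1 reconnects (default 1),
# i.e. winbindd is chasing referrals instead of answering the NSS lookup.
referral_loop_detected() {
    threshold=${1:-1}
    referral_reconnects_per_second | awk -v th="$threshold" '
        $3 > th { hit = 1 }
        END { exit hit ? 0 : 1 }
    '
}

# Run against the constructed sample; for a real check feed the log instead:
#   referral_loop_detected 1 < /var/log/samba/log.winbindd
printf '%s\n' "$SAMPLE_LOG" | referral_reconnects_per_second
if printf '%s\n' "$SAMPLE_LOG" | referral_loop_detected 1; then
    echo "referral loop: winbindd reconnected more than once within a second"
fi
```

Running it while 'id <user>' is hung shows whether the hang coincides with the reconnect burst, which separates an LDAP referral problem from a plain idmap or nsswitch ordering issue.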