[Samba] ongoing problems with winbind since we rolled out RODCs
in [Samba]
|
From: Jason Haar on 25 Jul 2010 21:40 Hi there We've been merrily chugging away with a large number (>30) of samba-3.2.11 CentOS4.8 servers for some time now. Unfortunately in the past two months our AD team has started replacing our Win2K3 domain controllers with Win2K8 RODC (read-only DCs). As each site has been migrated over to RODCs, the Samba server associated with that site has started experiencing sporadic problems. e.g. "net ads testjoin" would fail ("-d9" would show it failed against the RODC), and yet if you did a "net ads testjoin -S real.dc" (ie point back at a Win2K3 DC) that would work - and more importantly - would IMMEDIATELY fix the problem with the RODC! i.e. net ads testjoin -S ro.dc - FAILS net ads testjoin -S rw.dc - OK net ads testjoin -S ro.dc - OK Obviously the RODC is clearing out something that is needed for when the next time Samba comes a-knocking - but the fact is that our Windows users are not seeing any issues at all - other than these issues with Samba. I even upgraded them all to Samba-3.5.4 - didn't help a bit. Right now I've got a new problem: somehow the Kerberos key has become corrupt or something on one Samba server (primarily) talking to a RODC, it's reporting [2010/07/26 01:24:34.498197, 0] libads/sasl.c:820(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Decrypt integrity check failed [2010/07/26 01:24:34.960102, 0] libads/kerberos.c:333(ads_kinit_password) kerberos_kinit_password SAMBA-01$@AD.DOMAIN failed: KRB5 error code 29 Join to domain is not valid: Undetermined error The "Undetermined error" is a bit of a pain :-) Any ideas what's happening here? I assume tonnes of other Samba sites talk to RODCs and I haven't heard of this as a general issue? Thanks -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
|
Pages: 1 Prev: [Samba] Sharing USB/xp printer in samba domain Next: [Samba] Samba 3.5.4 dependencies |