From: Anders.Strandberg on 19 Dec 2006 11:50 Hi, As a follow-up: The problem exists with the setup below : OS: Linux (e.g. NLD9/SLED10) Samba: samba-3.0.23d compiled with heimdal-0.7.1 Pam_krb5 is installed. Pam-modules-line: auth sufficient pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE cached_login AD-server: Win 2003 with R2 The indicating error message : winbindd_raw_kerberos_login: kinit failed for 'myuser(a)MYDOMAIN.COM' with: Invalid argument (22) I believe that this should work , i.e. kereberos cached login with winbind towards AD 2003 ? As far as I can see, kinit and klist works from command line, but not from winbind. From the winbind log it seems that winbind/kinit looks for the correct cache-file : kerberos_kinit_password: using FILE:/tmp/krb5cc_55555 as ccache This file does not exist, but is not created either, and subsequently not possible to remove. Is there anybody who could shed light on this this ? /Anders -----Original Message----- From: samba-bounces+anders.strandberg=tietoenator.com(a)lists.samba.org [mailto:samba-bounces+anders.strandberg=tietoenator.com(a)lists.samba.org] On Behalf Of Anders.Strandberg(a)tietoenator.com Sent: den 14 december 2006 18:39 To: samba(a)lists.samba.org Subject: [Samba] winbindd_raw_kerberos_login: kinit failed Hi, I have set up Samba 3.0.23d on Linux Suse NLD9 with AD idmap backend with security = ads and rfc2307. At every login there is a log message in log.wb-MYDOMAIN : [2006/12/14 17:46:51, 1] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(510) winbindd_raw_kerberos_login: kinit failed for 'myuser(a)MYDOMAIN.COM' with: Invalid argument (22) with debug level 10: winbindd_dual_pam_auth: domain: MYDOMAIN last was online winbindd_dual_pam_auth_kerberos is_myname("MYDOMAIN") returns 0 using ccache: FILE:/tmp/krb5cc_55555 winbindd_raw_kerberos_login: uid is 55555 kerberos_kinit_password: using FILE:/tmp/krb5cc_55555 as ccache winbindd_raw_kerberos_login: kinit failed for 'myuser(a)MYDOMAIN.COM' with: Invalid argument (22) winbindd_raw_kerberos_login: could not remove ccache winbindd_dual_pam_auth_kerberos failed: NT_STATUS_UNSUCCESSFUL Obviously winbindd_raw_kerberos login fails. I suppose it is some call in kerberos_kinit_password_ext that returns with error , but I have not found which one . The question is what argument is invalid, tcpdump gives some info on Unknown encryption types 0x11 and 0x12, and failed preauthentication. Login succeeds eventually, but this is samlogon. Does anyone have a hint about this or how to troubleshoot it further. /Anders -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
From: Anders.Strandberg on 21 Dec 2006 10:40 Hi, It seems that the solution to my problem lies within the scope of this bug report: https://bugzilla.samba.org/show_bug.cgi?id=4226 I've applied the patch and got rid of the annoying error message and could verify a valid ticket via klist. Anders -----Original Message----- From: samba-bounces+anders.strandberg=tietoenator.com(a)lists.samba.org [mailto:samba-bounces+anders.strandberg=tietoenator.com(a)lists.samba.org] On Behalf Of Anders.Strandberg(a)tietoenator.com Sent: den 19 december 2006 17:48 To: samba(a)lists.samba.org Subject: RE: [Samba] winbindd_raw_kerberos_login: kinit failed Hi, As a follow-up: The problem exists with the setup below : OS: Linux (e.g. NLD9/SLED10) Samba: samba-3.0.23d compiled with heimdal-0.7.1 Pam_krb5 is installed. Pam-modules-line: auth sufficient pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE cached_login AD-server: Win 2003 with R2 The indicating error message : winbindd_raw_kerberos_login: kinit failed for 'myuser(a)MYDOMAIN.COM' with: Invalid argument (22) I believe that this should work , i.e. kereberos cached login with winbind towards AD 2003 ? As far as I can see, kinit and klist works from command line, but not from winbind. From the winbind log it seems that winbind/kinit looks for the correct cache-file : kerberos_kinit_password: using FILE:/tmp/krb5cc_55555 as ccache This file does not exist, but is not created either, and subsequently not possible to remove. Is there anybody who could shed light on this this ? /Anders -----Original Message----- From: samba-bounces+anders.strandberg=tietoenator.com(a)lists.samba.org [mailto:samba-bounces+anders.strandberg=tietoenator.com(a)lists.samba.org] On Behalf Of Anders.Strandberg(a)tietoenator.com Sent: den 14 december 2006 18:39 To: samba(a)lists.samba.org Subject: [Samba] winbindd_raw_kerberos_login: kinit failed Hi, I have set up Samba 3.0.23d on Linux Suse NLD9 with AD idmap backend with security = ads and rfc2307. At every login there is a log message in log.wb-MYDOMAIN : [2006/12/14 17:46:51, 1] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(510) winbindd_raw_kerberos_login: kinit failed for 'myuser(a)MYDOMAIN.COM' with: Invalid argument (22) with debug level 10: winbindd_dual_pam_auth: domain: MYDOMAIN last was online winbindd_dual_pam_auth_kerberos is_myname("MYDOMAIN") returns 0 using ccache: FILE:/tmp/krb5cc_55555 winbindd_raw_kerberos_login: uid is 55555 kerberos_kinit_password: using FILE:/tmp/krb5cc_55555 as ccache winbindd_raw_kerberos_login: kinit failed for 'myuser(a)MYDOMAIN.COM' with: Invalid argument (22) winbindd_raw_kerberos_login: could not remove ccache winbindd_dual_pam_auth_kerberos failed: NT_STATUS_UNSUCCESSFUL Obviously winbindd_raw_kerberos login fails. I suppose it is some call in kerberos_kinit_password_ext that returns with error , but I have not found which one . The question is what argument is invalid, tcpdump gives some info on Unknown encryption types 0x11 and 0x12, and failed preauthentication. Login succeeds eventually, but this is samlogon. Does anyone have a hint about this or how to troubleshoot it further. /Anders -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
|
Pages: 1 Prev: [Samba] Error Next: [Samba] Samba PDC with LDAP, can't join Domain |