[Freeipa-users] problems with trust with AD (2 different domains

Sumit Bose sbose at redhat.com
Fri Apr 19 09:27:41 UTC 2013


On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote:
> hi,
> 
> while following the instructions in
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
> 
> I run step 9:
> 
> smbclient -L kdc.ipa.asenjo.nx -k
> lp_load_ex: changing to config backend registry
> Connection to kdc.ipa.asenjo.nx failed (Error NT_STATUS_CONNECTION_REFUSED)
> 
> I have a valid ticket:
> 
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@IPA.ASENJO.NX
> 
> Valid starting     Expires            Service principal
> 04/19/13 08:46:48  04/20/13 08:46:48  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
> 04/19/13 08:56:59  04/20/13 08:46:48  HTTP/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

Did ipa-adtrust-install finish successfully?

Can you check if there is a cifs service:

$ ipa service show cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

the output should show 'Keytab: True'

Then please check if samba knows about the keytab and its content.

$ net conf list

should contain 'kerberos method = dedicated keytab' and
'dedicated keytab file = FILE:/etc/samba/samba.keytab'

$ klist -ekt /etc/samba/samba.keytab

should show entries with different encryption types. 

Next please try to get a ticket for this service:

$ kvno cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

klist should now list the ticket. Please try the smbclient command
again.

bye,
Sumit

> 
> and I see this on the /var/log/messages:
> 
> Apr 19 10:54:06 kdc winbindd[6379]: [2013/04/19 10:54:06.497215,  0]
> ipa_sam.c:3689(bind_callback_cleanup)
> Apr 19 10:54:06 kdc winbindd[6379]:   kerberos error: code=-1765328203,
> message=Keytab contains no suitable keys for cifs/kdc@IPA.ASENJO.NX
> Apr 19 10:54:06 kdc winbindd[6379]: [2013/04/19 10:54:06.498194,  0]
> ../source3/lib/smbldap.c:998(smbldap_connect_system)
> Apr 19 10:54:06 kdc winbindd[6379]:   failed to bind to server
> ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket with dn="[Anonymous
> bind]" Error: Local error
> Apr 19 10:54:06 kdc winbindd[6379]:   #011(unknown)
> Apr 19 10:54:07 kdc winbindd[6379]: [2013/04/19 10:54:07.500882,  0]
> ipa_sam.c:3689(bind_callback_cleanup)
> Apr 19 10:54:07 kdc winbindd[6379]:   kerberos error: code=-1765328203,
> message=Keytab contains no suitable keys for cifs/kdc@IPA.ASENJO.NX
> 
> and shortly afterwards winbindd dumps core:
> 
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.625708,  0]
> ipa_sam.c:4001(pdb_init_ipasam)
> Apr 19 10:59:22 kdc winbindd[6568]:   Failed to get base DN.
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.625837,  0]
> ../source3/passdb/pdb_interface.c:177(make_pdb_method_name)
> Apr 19 10:59:22 kdc winbindd[6568]:   pdb backend
> ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket did not correctly
> init (error was NT_STATUS_UNSUCCESSFUL)
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.626032,  0]
> ../source3/lib/util.c:810(smb_panic_s3)
> Apr 19 10:59:22 kdc winbindd[6568]:   PANIC (pid 6568): pdb_get_methods:
> failed to get pdb methods for backend
> ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket
> Apr 19 10:59:22 kdc winbindd[6568]:
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.627382,  0]
> ../source3/lib/util.c:921(log_stack_trace)
> Apr 19 10:59:22 kdc winbindd[6568]:   BACKTRACE: 27 stack frames:
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.630601,  0]
> ../source3/lib/dumpcore.c:317(dump_core)
> Apr 19 10:59:22 kdc winbindd[6568]:   dumping core in
> /var/log/samba/cores/winbindd
> Apr 19 10:59:22 kdc winbindd[6568]:
> Apr 19 10:59:22 kdc abrtd: Directory 'ccpp-2013-04-19-10:59:22-6568'
> creation detected
> Apr 19 10:59:22 kdc abrt[6571]: Saved core dump of pid 6568
> (/usr/sbin/winbindd) to /var/spool/abrt/ccpp-2013-04-19-10:59:22-6568
> (1814528 bytes)
> 
> 
> --
> Groeten,
> natxo
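
The keytab checks suggested in the reply can be cross-checked against the winbindd error quoted in the question. The script below is an added example, not part of the original thread: it pulls the principal out of a "Keytab contains no suitable keys" log line and compares it with what `klist -ekt` lists. The function names are hypothetical and the keytab listing is a constructed sample, not output from the poster's system.

```shell
#!/bin/sh
# Log line as quoted in the thread (joined onto one line, "@" restored).
LOG='Apr 19 10:54:06 kdc winbindd[6379]:   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/kdc@IPA.ASENJO.NX'

# Constructed sample of `klist -ekt /etc/samba/samba.keytab` output.
KEYTAB='Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   1 04/19/13 08:50:12 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (aes256-cts-hmac-sha1-96)
   1 04/19/13 08:50:12 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (aes128-cts-hmac-sha1-96)
   1 04/19/13 08:50:12 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (arcfour-hmac)'

# Principal(s) the daemon asked for, taken from "no suitable keys" log lines.
wanted_principals() {
    sed -n 's/.*Keytab contains no suitable keys for \([^ ]*\).*/\1/p' | sort -u
}

# Enctypes the keytab holds for principal $1; exit status 1 if there are none.
keytab_enctypes() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $(NF-1) == p {
        gsub(/[()]/, "", $NF); print $NF; n++ }
        END { exit (n ? 0 : 1) }'
}

# For each principal named in the log, report whether the keytab can serve it.
diagnose() {   # $1 = log text, $2 = klist -ekt text
    printf '%s\n' "$1" | wanted_principals | while read -r princ; do
        if types=$(printf '%s\n' "$2" | keytab_enctypes "$princ"); then
            echo "OK   $princ: $(echo $types)"
        else
            echo "MISS $princ: not in keytab; keytab has:"
            printf '%s\n' "$2" | awk '$1 ~ /^[0-9]+$/ { print "     " $(NF-1) }' | sort -u
        fi
    done
}

diagnose "$LOG" "$KEYTAB"
```

On a live server, pass the contents of /var/log/messages and the real `klist -ekt /etc/samba/samba.keytab` output to `diagnose` in place of the samples.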
