[Freeipa-users] problems with trust with AD (2 different domains
Sumit Bose
sbose at redhat.com
Fri Apr 19 09:27:41 UTC 2013
On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote:
> hi,
>
> while following the instructions in
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
>
> I run step 9:
>
> smbclient -L kdc.ipa.asenjo.nx -k
> lp_load_ex: changing to config backend registry
> Connection to kdc.ipa.asenjo.nx failed (Error NT_STATUS_CONNECTION_REFUSED)
>
> I have a valid ticket:
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@IPA.ASENJO.NX
>
> Valid starting     Expires            Service principal
> 04/19/13 08:46:48  04/20/13 08:46:48  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
> 04/19/13 08:56:59  04/20/13 08:46:48  HTTP/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

Did ipa-adtrust-install finish successfully?

Can you check if there is a cifs service:

$ ipa service show cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

The output should show 'Keytab: True'.

Then please check if samba knows about the keytab and its content.

$ net conf list

should contain 'kerberos method = dedicated keytab' and
'dedicated keytab file = FILE:/etc/samba/samba.keytab'

$ klist -ekt /etc/samba/samba.keytab

should show entries with different encryption types.

Next please try to get a ticket for this service:

$ kvno cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

klist should now list the ticket. Please try the smbclient command
again.

bye,
Sumit

>
> and I see this on the /var/log/messages:
>
> Apr 19 10:54:06 kdc winbindd[6379]: [2013/04/19 10:54:06.497215, 0]
> ipa_sam.c:3689(bind_callback_cleanup)
> Apr 19 10:54:06 kdc winbindd[6379]: kerberos error: code=-1765328203,
> message=Keytab contains no suitable keys for cifs/kdc@IPA.ASENJO.NX
> Apr 19 10:54:06 kdc winbindd[6379]: [2013/04/19 10:54:06.498194, 0]
> ../source3/lib/smbldap.c:998(smbldap_connect_system)
> Apr 19 10:54:06 kdc winbindd[6379]: failed to bind to server
> ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket with dn="[Anonymous
> bind]" Error: Local error
> Apr 19 10:54:06 kdc winbindd[6379]: #011(unknown)
> Apr 19 10:54:07 kdc winbindd[6379]: [2013/04/19 10:54:07.500882, 0]
> ipa_sam.c:3689(bind_callback_cleanup)
> Apr 19 10:54:07 kdc winbindd[6379]: kerberos error: code=-1765328203,
> message=Keytab contains no suitable keys for cifs/kdc@IPA.ASENJO.NX
>
> and shortly afterwards winbindd dumps core:
>
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.625708, 0]
> ipa_sam.c:4001(pdb_init_ipasam)
> Apr 19 10:59:22 kdc winbindd[6568]: Failed to get base DN.
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.625837, 0]
> ../source3/passdb/pdb_interface.c:177(make_pdb_method_name)
> Apr 19 10:59:22 kdc winbindd[6568]: pdb backend
> ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket did not correctly
> init (error was NT_STATUS_UNSUCCESSFUL)
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.626032, 0]
> ../source3/lib/util.c:810(smb_panic_s3)
> Apr 19 10:59:22 kdc winbindd[6568]: PANIC (pid 6568): pdb_get_methods:
> failed to get pdb methods for backend
> ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket
> Apr 19 10:59:22 kdc winbindd[6568]:
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.627382, 0]
> ../source3/lib/util.c:921(log_stack_trace)
> Apr 19 10:59:22 kdc winbindd[6568]: BACKTRACE: 27 stack frames:
> Apr 19 10:59:22 kdc winbindd[6568]: #0
> /usr/lib/libsmbconf.so.0(log_stack_trace+0x2e) [0x4e69de]
> Apr 19 10:59:22 kdc winbindd[6568]: #1
> /usr/lib/libsmbconf.so.0(smb_panic_s3+0x32) [0x4e6b02]
> Apr 19 10:59:22 kdc winbindd[6568]: #2
> /usr/lib/libsamba-util.so.0(smb_panic+0x20b) [0x7faf6b]
> Apr 19 10:59:22 kdc winbindd[6568]: #3 /usr/lib/libpdb.so.0(+0x1f884)
> [0x2a6884]
> Apr 19 10:59:22 kdc winbindd[6568]: #4
> /usr/lib/libpdb.so.0(pdb_capabilities+0xc) [0x2a6d0c]
> Apr 19 10:59:22 kdc winbindd[6568]: #5
> winbindd(_lsa_EnumTrustedDomainsEx+0x26) [0x80ee736]
> Apr 19 10:59:22 kdc winbindd[6568]: #6 winbindd() [0x80fb440]
> Apr 19 10:59:22 kdc winbindd[6568]: #7 winbindd() [0x80c7e58]
> Apr 19 10:59:22 kdc winbindd[6568]: #8
> /usr/lib/libdcerpc-binding.so.0(dcerpc_binding_handle_raw_call_send+0xaf)
> [0x369289f]
> Apr 19 10:59:22 kdc winbindd[6568]: #9
> /usr/lib/libdcerpc-binding.so.0(dcerpc_binding_handle_call_send+0x2ac)
> [0x3692bac]
> Apr 19 10:59:22 kdc winbindd[6568]: #10
> /usr/lib/libdcerpc-binding.so.0(dcerpc_binding_handle_call+0x6a) [0x3692cca]
> Apr 19 10:59:22 kdc winbindd[6568]: #11
> /usr/lib/samba/libdcerpc-samba.so(dcerpc_lsa_EnumTrustedDomainsEx_r+0x55)
> [0x3716165]
> Apr 19 10:59:22 kdc winbindd[6568]: #12
> /usr/lib/samba/libdcerpc-samba.so(dcerpc_lsa_EnumTrustedDomainsEx+0x50)
> [0x37161d0]
> Apr 19 10:59:22 kdc winbindd[6568]: #13
> winbindd(rpc_trusted_domains+0xa3) [0x808edb3]
> Apr 19 10:59:22 kdc winbindd[6568]: #14 winbindd() [0x809662a]
> Apr 19 10:59:22 kdc winbindd[6568]: #15 winbindd() [0x8076d5c]
> Apr 19 10:59:22 kdc winbindd[6568]: #16
> winbindd(winbindd_dual_list_trusted_domains+0x51) [0x80844b1]
> Apr 19 10:59:22 kdc winbindd[6568]: #17 winbindd() [0x809c4fc]
> Apr 19 10:59:22 kdc winbindd[6568]: #18 winbindd() [0x809d19d]
> Apr 19 10:59:22 kdc winbindd[6568]: #19 /usr/lib/libtevent.so.0()
> [0xda9d15]
> Apr 19 10:59:22 kdc winbindd[6568]: #20
> /usr/lib/libtevent.so.0(tevent_common_loop_immediate+0xef) [0xda987f]
> Apr 19 10:59:22 kdc winbindd[6568]: #21
> /usr/lib/libsmbconf.so.0(run_events_poll+0x41) [0x4ff9a1]
> Apr 19 10:59:22 kdc winbindd[6568]: #22
> /usr/lib/libsmbconf.so.0(+0x36186) [0x500186]
> Apr 19 10:59:22 kdc winbindd[6568]: #23
> /usr/lib/libtevent.so.0(_tevent_loop_once+0x98) [0xda8c18]
> Apr 19 10:59:22 kdc winbindd[6568]: #24 winbindd(main+0x973) [0x806ddd3]
> Apr 19 10:59:22 kdc winbindd[6568]: #25
> /lib/libc.so.6(__libc_start_main+0xe6) [0xe13ce6]
> Apr 19 10:59:22 kdc winbindd[6568]: #26 winbindd() [0x8060271]
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.630601, 0]
> ../source3/lib/dumpcore.c:317(dump_core)
> Apr 19 10:59:22 kdc winbindd[6568]: dumping core in
> /var/log/samba/cores/winbindd
> Apr 19 10:59:22 kdc winbindd[6568]:
> Apr 19 10:59:22 kdc abrtd: Directory 'ccpp-2013-04-19-10:59:22-6568'
> creation detected
> Apr 19 10:59:22 kdc abrt[6571]: Saved core dump of pid 6568
> (/usr/sbin/winbindd) to /var/spool/abrt/ccpp-2013-04-19-10:59:22-6568
> (1814528 bytes)
>
>
> --
> Regards,
> natxo
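
Added example (not part of the original thread, and not FreeIPA or Samba code): the keytab and Samba configuration checks from the reply above, written as shell functions over captured command output so they can be run offline. The function names are made up for this example, and the sample klist and net conf list output is constructed; the second principal checked is the one named in the quoted winbindd error.

```shell
#!/bin/bash
# Added example, not from the thread: the keytab and smb.conf checks from the
# reply as functions over captured command output, so they can run offline.
# On a live server pass "$(klist -ekt /etc/samba/samba.keytab)" and
# "$(net conf list)" instead of the constructed samples below.

# Print the encryption types a `klist -ekt` listing holds for one principal.
# Returns 1 when the keytab has no entry for that principal at all.
keytab_enctypes() {
    printf '%s\n' "$2" | awk -v p="$1" '
        # Data rows look like: KVNO  date  time  principal  (enctype)
        $1 ~ /^[0-9]+$/ && $4 == p {
            e = $0
            sub(/^[^(]*\(/, "", e)   # drop everything up to the "("
            sub(/\).*$/, "", e)      # drop the ")" and anything after it
            print e
            found = 1
        }
        END { exit !found }'
}

# Succeeds only when both settings named in the reply are present.
samba_uses_dedicated_keytab() {
    s='[[:space:]]*'
    printf '%s\n' "$1" | grep -Eq "^${s}kerberos method${s}=${s}dedicated keytab${s}\$" &&
    printf '%s\n' "$1" | grep -Eq "^${s}dedicated keytab file${s}=${s}FILE:/etc/samba/samba\\.keytab${s}\$"
}

# Constructed sample output (hypothetical values, not the poster's system).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   1 04/19/13 08:40:11 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (aes256-cts-hmac-sha1-96)
   1 04/19/13 08:40:11 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (arcfour-hmac)'
SAMPLE_CONF='[global]
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab'

# Report on the principal from the reply and the one named in the winbindd error.
for princ in cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX cifs/kdc@IPA.ASENJO.NX; do
    if types=$(keytab_enctypes "$princ" "$SAMPLE_KEYTAB"); then
        echo "$princ: $(echo $types)"
    else
        echo "$princ: no keys in keytab"
    fi
done
samba_uses_dedicated_keytab "$SAMPLE_CONF" && echo "samba: dedicated keytab configured"
```
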