[samba-jp:19861] Re: About the winbind memory leak
c-ssugimoto @ hitachijoho.com
Mon, 26 Nov 2007 14:00:14 JST
Sugimoto here. Apologies for the slow reply.
>> I was curious, so I tried net ads join with samba-3.0.25b-1.el4_6.2.
>> There were a few points that needed care, but basically the
>> smb.conf from 3.0.10 worked without problems.
I have confirmed that the entry is in /etc/hosts and that DNS name resolution works, but net ads join fails no matter what I do.
>> net rpc join is an NT-domain-style domain join.
>> With 3.0.25 too, if Kerberos, DNS and so on are configured correctly,
>> net ads join should work. (Probably...)
My understanding of the Kerberos setup is that the krb5 packages are installed and all that remains is to configure /etc/krb5.conf. Is that correct?
I also captured the debug messages from net ads join. The error does appear to be "NT_STATUS_INVALID_ACCOUNT_NAME". Besides the Administrator account, I also tried running it as a test user granted "Domain Admins" rights, but the result was unchanged.
The procedure I follow is as below.
1. Install the following packages
・krb5-devel-1.3.4-49
・krb5-lib-1.3.4-49
・krb5-workstation-1.3.4-49
・pam_krb5-2.1.8-1
・samba-3.0.10-1.4E.12.2
・samba-common-3.0.10-1.4E.12.2
・samba-client-3.0.10-1.4E.12.2
2. Configure smb.conf, krb5.conf and nsswitch.conf
3. Join the domain with the net ads join command (works fine with the packages above)
4. Start the winbind daemon (wbinfo retrieves users/groups correctly)
Everything is fine up to this point, so next I update the packages.
5. Delete the computer account already created on the Active Directory side
6. Stop the winbind daemon
7. Upgrade the following packages
・krb5-devel-1.3.4-54
・krb5-lib-1.3.4-54
・krb5-workstation-1.3.4-54
・pam_krb5-2.1.17-1
・samba-3.0.25b-1.el4_6.2
・samba-common-3.0.25b-1.el4_6.2
・samba-client-3.0.25b-1.el4_6.2
8. Add only the following two lines to smb.conf
winbind enum users = Yes
winbind enum groups = Yes
9. Join the domain with the net ads join command (fails)
At update time I also tried clearing /var/cache/samba, deleting the computer account on the AD side and so on, but every attempt gave the same result.
I am attaching the configuration files and so on again; I would be grateful for any knowledge you can share.
------------------------------------------
------------ rpm -qa | grep krb5 ---------
------------------------------------------
krb5-workstation-1.3.4-54
krb5-auth-dialog-0.2-1
krb5-libs-1.3.4-54
krb5-devel-1.3.4-54
pam_krb5-2.1.17-1
------------------------------------------
------------ rpm -qa | grep samba --------
------------------------------------------
samba-common-3.0.25b-1.el4_6.2
samba-3.0.25b-1.el4_6.2
samba-client-3.0.25b-1.el4_6.2
------------------------------------------
------------ /etc/samba/smb.conf ---------
------------------------------------------
[global]
workgroup = MYDOMAIN
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
password server = ad.mydomain.com
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 10000-50000
idmap gid = 10000-50000
idmap backend = idmap_rid:MYDOMAIN=10000-50000
allow trusted domains = no
template shell = /bin/false
winbind use default domain = yes
realm = MYDOMAIN.COM
netbios name = pop
winbind cache time = 900
winbind separator = @
template homedir = /home/%U
Obey pam restrictions = yes
# winbind enum users = Yes # added only for samba 3.0.25b
# winbind enum groups = Yes # added only for samba 3.0.25b
------------------------------------------
------------ /etc/krb5.conf --------------
------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MYDOMAIN.COM = {
kdc = ad.mydomain.com
admin_server = ad.mydomain.com
default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
------------------------------------------
------------ /etc/nsswitch.conf ----------
------------------------------------------
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
------------------------------------------
------------ /etc/hosts ------------------
------------------------------------------
127.0.0.1 localhost localhost.localdomain
192.168.0.2 pop.mydomain.com pop
192.168.0.1 ad.mydomain.com ad
------------------------------------------
------------ /etc/resolv.conf ------------
------------------------------------------
search mydomain.com
nameserver 192.168.0.1
------------------------------------------
------------ net ads join -U administrator -d 3
------------------------------------------
[root@pop /]# net ads join -U administrator -d 3
[2007/11/26 13:24:42, 3] param/loadparm.c:lp_load(5033)
lp_load: refreshing parameters
[2007/11/26 13:24:42, 3] param/loadparm.c:init_globals(1424)
Initialising global parameters
[2007/11/26 13:24:42, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2007/11/26 13:24:42, 3] param/loadparm.c:do_section(3772)
Processing section "[global]"
[2007/11/26 13:24:42, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.0.2 bcast=192.168.0.255 nmask=255.255.255.0
[2007/11/26 13:24:42, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: ", ad.mydomain.com"
[2007/11/26 13:24:42, 3] libsmb/namequery.c:resolve_lmhosts(966)
resolve_lmhosts: Attempting lmhosts lookup for name ad.mydomain.com<0x20>
[2007/11/26 13:24:42, 3] libsmb/namequery.c:resolve_wins(863)
resolve_wins: Attempting wins lookup for name ad.mydomain.com<0x20>
[2007/11/26 13:24:42, 3] libsmb/namequery.c:resolve_wins(866)
resolve_wins: WINS server resolution selected and no WINS servers listed.
[2007/11/26 13:24:42, 3] libsmb/namequery.c:resolve_hosts(1029)
resolve_hosts: Attempting host lookup for name ad.mydomain.com<0x20>
[2007/11/26 13:24:42, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 192.168.0.1
[2007/11/26 13:24:42, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: ", ad.mydomain.com"
[2007/11/26 13:24:42, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: ", ad.mydomain.com"
administrator's password:********
[2007/11/26 13:24:45, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: ", ad.mydomain.com"
[2007/11/26 13:24:45, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 192.168.0.1
[2007/11/26 13:24:45, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/11/26 13:24:45, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/26 13:24:45, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/11/26 13:24:45, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/26 13:24:45, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
ads_sasl_spnego_bind: got server principal name = ad$@MYDOMAIN.COM
[2007/11/26 13:24:45, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/11/26 13:24:45, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Mon, 26 Nov 2007 23:24:03 JST
[2007/11/26 13:24:45, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "192.168.0.1, ad.mydomain.com"
[2007/11/26 13:24:45, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 192.168.0.1
[2007/11/26 13:24:45, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/11/26 13:24:45, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/26 13:24:45, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/11/26 13:24:45, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/26 13:24:45, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
ads_sasl_spnego_bind: got server principal name = ad$@MYDOMAIN.COM
[2007/11/26 13:24:45, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Mon, 26 Nov 2007 23:24:03 JST
[2007/11/26 13:24:45, 3] libsmb/cliconnect.c:cli_start_connection(1505)
Connecting to host=ad.mydomain.com
[2007/11/26 13:24:45, 3] lib/util_sock.c:open_socket_out(874)
Connecting to 192.168.0.1 at port 445
[2007/11/26 13:24:45, 3] libsmb/cliconnect.c:cli_session_setup_spnego(789)
Doing spnego session setup (blob length=110)
[2007/11/26 13:24:45, 3] libsmb/cliconnect.c:cli_session_setup_spnego(814)
got OID=1 2 840 48018 1 2 2
[2007/11/26 13:24:45, 3] libsmb/cliconnect.c:cli_session_setup_spnego(814)
got OID=1 2 840 113554 1 2 2
[2007/11/26 13:24:45, 3] libsmb/cliconnect.c:cli_session_setup_spnego(814)
got OID=1 2 840 113554 1 2 2 3
[2007/11/26 13:24:45, 3] libsmb/cliconnect.c:cli_session_setup_spnego(814)
got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/26 13:24:45, 3] libsmb/cliconnect.c:cli_session_setup_spnego(822)
got principal=ad$@MYDOMAIN.COM
[2007/11/26 13:24:45, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853)
Kinit failed: Client not found in Kerberos database
[2007/11/26 13:24:45, 3] libsmb/cliconnect.c:cli_session_setup(957)
SPNEGO login failed: Client not found in Kerberos database
[2007/11/26 13:24:45, 1] libsmb/cliconnect.c:cli_full_connection(1605)
failed session setup with NT_STATUS_INVALID_ACCOUNT_NAME
[2007/11/26 13:24:45, 1] utils/net.c:connect_to_ipc_krb5(294)
Cannot connect to server using kerberos. Error was NT_STATUS_INVALID_ACCOUNT_NAME
[2007/11/26 13:24:45, 1] utils/net_ads.c:net_ads_join(1548)
call of net_join_domain failed: Improperly formed account name
Failed to join domain: Improperly formed account name
[2007/11/26 13:24:45, 2] utils/net.c:main(1032)
return code = -1
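As an added example (not part of the original post and not Samba's own code), a small shell script that separates the Kerberos side of a failed "net ads join" from the Samba side. Offline, it checks that the `realm` in smb.conf matches `default_realm` in krb5.conf and is upper case, and it triages a `net ads join -d 3` log for the first `Kinit failed:` line and the first `NT_STATUS_*` code. Invoked with `--preflight`, it additionally has the Kerberos library alone obtain a ticket for the join account before Samba ever talks to the DC. The file paths passed as arguments, the `--preflight` flag and the function names are assumptions of this example, as is the availability of kinit, klist, host and net on the machine.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba.
# Separates the Kerberos side of a failed "net ads join" from the Samba side.
# Assumptions (not in the post): config paths come in as arguments, the online
# checks need kinit, klist, host and net installed, and --preflight is this
# script's own flag.

# smb_get FILE KEY: print the value of "KEY = value" from an smb.conf-style
# file (key match is case-insensitive, comment lines are skipped).
smb_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+/, "", k); gsub(/[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# krb5_default_realm FILE: print default_realm from the [libdefaults] section.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec && /^[ \t]*default_realm[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# check_realm SMB_CONF KRB5_CONF: the realm Samba builds its principals with
# must equal the library's default realm and be upper case (Kerberos realm
# names are case-sensitive; AD realms are upper case by convention).
# Prints the realm and returns 0, or explains the problem on stderr and returns 1.
check_realm() {
    smb_realm=$(smb_get "$1" realm)
    krb_realm=$(krb5_default_realm "$2")
    if [ -z "$smb_realm" ]; then
        echo "smb.conf: no 'realm' set (required for security = ADS)" >&2; return 1
    fi
    if [ "$smb_realm" != "$krb_realm" ]; then
        echo "realm mismatch: smb.conf realm='$smb_realm' krb5.conf default_realm='$krb_realm'" >&2; return 1
    fi
    if [ "$smb_realm" != "$(printf '%s' "$smb_realm" | tr 'a-z' 'A-Z')" ]; then
        echo "realm '$smb_realm' is not upper case" >&2; return 1
    fi
    echo "$smb_realm"
}

# triage_join_log LOGFILE: classify a "net ads join -d 3" log. Prints
# "kerberos:<reason>" when the Kerberos step failed (first 'Kinit failed:' line),
# "smb:<NT_STATUS_x>" when only an SMB status is present, otherwise "ok".
triage_join_log() {
    kerr=$(grep -m1 'Kinit failed:' "$1" | sed 's/.*Kinit failed: *//')
    nts=$(grep -o 'NT_STATUS_[A-Z_]*' "$1" | head -n 1)
    if [ -n "$kerr" ]; then
        echo "kerberos:$kerr"
    elif [ -n "$nts" ]; then
        echo "smb:$nts"
    else
        echo "ok"
    fi
}

# preflight SMB_CONF KRB5_CONF JOINUSER: online checks to run before net ads join.
preflight() {
    realm=$(check_realm "$1" "$2") || return 1
    dc=$(smb_get "$1" "password server")
    echo "realm OK: $realm (password server: ${dc:-<not set>})"
    # 1. Let the Kerberos library alone obtain a TGT for the join account. If this
    #    reports "Client not found in Kerberos database", the KDC does not know
    #    <user>@<realm>; fix the realm or the account before touching Samba.
    kinit "${3}@${realm}" || return 1
    klist
    # 2. SRV lookup is informative only: krb5.conf in the post pins the KDC with
    #    "kdc =" and sets dns_lookup_kdc = false.
    host -t SRV "_kerberos._tcp.$(printf '%s' "$realm" | tr 'A-Z' 'a-z')" || true
    # 3. Kerberos rejects clock skew above the KDC's limit (5 minutes by default
    #    on AD); compare the DC's time with the local clock.
    [ -n "$dc" ] && net time -S "$dc"
    date
}

case "${1:-}" in
    --preflight) shift; preflight "$@" ;;
esac
```

Usage: `sh join-preflight.sh --preflight /etc/samba/smb.conf /etc/krb5.conf administrator`, and `triage_join_log` on the saved `-d 3` output. In the log posted above the first failure is `Kinit failed: Client not found in Kerberos database`, which the KDC returns when it has no principal matching the client name Samba built from the `-U` user and the configured realm; `NT_STATUS_INVALID_ACCOUNT_NAME` is only the SMB-level translation of that. A standalone `kinit` for the same user and realm that fails the same way points at the Kerberos or account configuration rather than at the Samba package upgrade.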