|
Winbind error in /var/log/messages
I am running OEL6.1 connecting to a Windows 2008 active directory domain. I am able to join the domain and all works well. However, my messages log is blowing up with the same error over and over.
winbindd[8167]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot find KDC for requested realm Not sure what is causing this since, like I said, I am able to authenticate just fine. |
Often when you have a nice error message like that you can get a lot of information by doing web search for the non-numeric (which is usually specific process or something) portions of the message:
http://www.google.com/search?q=kinit...np&safe=active |
lmgtfy
Could have done a lmgtfy...ha. I did google first and found nothing
|
I was tempted to do the lmgtfy but thought perhaps you might have already searched and made it too specific by not stripping out the numeric portion. By doing the search I linked I did see many hits and that was just on one message. Usually it is best to look for the first message or something very close to it in web searches - the more messages in the error output the more likely later ones are simply symptoms of the earlier one. Once I and a co-worker got into a rather heated discussion because he couldn't understand why I was telling him troubleshooting message 99 instead of message 1 was pointless. The funny thing was when I saw message 1 it suggested an email issue to me and our mail administrator later confirmed that was indeed the problem. Some people who are rather smart sometimes go down blind alleys and you just have to shake your head.
|
Thank you Mensa.......and I certainly can appreciate that you definitely have to attempt to search by various bits and pieces of your errors. This one, however, is not producing any useful results. All the posts I have found regarding this typically fall into one of two categories:
1. People getting this can't authenticate at all. or 2. Their situation is completely different. I am getting this error every five minutes all day every day and it is skewing the stats on my central logging server and rendering it nearly impossible to sift through for true errors or problems. |
When you say "every 5 minutes" do you mean that literally or are you just saying you're getting it very frequently? If the former then it suggests and automated process is running every 5 minutes which perhaps is not properly setup. Have you check cron on this server? Have you tried running tcpdump to analyze traffic to this server to see if perhaps something external is doing this so you can hunt down the owner of that system and *ahem* deal with them?
|
It is literally every 5 minutes. Sometimes 10 but mostly every 5...bizarre. I have not run a tcpdump but will just to see if it sheds any light on the subject.
|
Ok, after combing through all the conf files I could think of that may affect performance (krb5.conf,nsswitch,resolv.conf,smb.conf,system-auth) I have found one difference.
In the two machines I have that continuously throw this error, in the /etc/pam.d/system-auth file the line is: session required pam_mkhomedir.so skel=/etc/skel umask=0022 In the machines that are not throwing the error the line is: session optional pam_mkhomedir.so skel=/etc/skel umask=0022 Would this make a difference and if so why? |
tcpdump
Also, here is my tcpdump for the exact time the error occurs. Actual domain info changed of course.
08:20:01.786658 IP ricoradb1.our.domain.int.45176 > riciadcomm1.our.domain.int.microsoft-ds: P 2830:3060(230) ack 2717 win 65535 08:20:01.787063 IP riciadcomm1.our.domain.int.microsoft-ds > ricoradb1.our.domain.int.45176: P 2717:2953(236) ack 3060 win 64533 08:20:01.787074 IP ricoradb1.our.domain.int.45176 > riciadcomm1.our.domain.int.microsoft-ds: . ack 2953 win 65535 08:20:01.789026 IP ricoradb1.our.domain.int.dec-mbadmin > riciadcomm1.our.domain.int.domain: 47454+ AAAA? RICIADROOT1.domain.int. (41) 08:20:01.789771 IP riciadcomm1.our.domain.int.domain > ricoradb1.our.domain.int.dec-mbadmin: 47454* 0/1/0 (87) 08:20:01.789805 IP ricoradb1.our.domain.int.32984 > riciadcomm1.our.domain.int.domain: 37758+[|domain] 08:20:01.790532 IP riciadcomm1.our.domain.int.domain > ricoradb1.our.domain.int.32984: 37758 NXDomain*[|domain] 08:20:01.790565 IP ricoradb1.our.domain.int.53047 > riciadcomm1.our.domain.int.domain: 55726+ AAAA? RICIADROOT1.domain.int.domain.int. (53) 08:20:01.791286 IP riciadcomm1.our.domain.int.domain > ricoradb1.our.domain.int.53047: 55726 NXDomain* 0/1/0 (122) 08:20:01.791304 IP ricoradb1.our.domain.int.6499 > riciadcomm1.our.domain.int.domain: 31455+ AAAA? RICIADROOT1.domain.int.domain.com. (53) 08:20:01.792053 IP riciadcomm1.our.domain.int.domain > ricoradb1.our.domain.int.6499: 31455 NXDomain* 0/1/0 (134) 08:20:01.792078 IP ricoradb1.our.domain.int.22986 > riciadcomm1.our.domain.int.domain: 17337+ A? RICIADROOT1.domain.int. (41) 08:20:01.792968 IP riciadcomm1.our.domain.int.domain > ricoradb1.our.domain.int.22986: 17337* 1/0/0 A[|domain] 08:20:01.798760 IP ricoradb1.our.domain.int.24063 > riciadcomm1.our.domain.int.kerberos: v5 08:20:01.799591 IP riciadcomm1.our.domain.int.kerberos > ricoradb1.our.domain.int.24063: 08:20:01.806521 IP ricoradb1.our.domain.int.20208 > riciadcomm1.our.domain.int.kerberos: v5 08:20:01.807606 IP riciadcomm1.our.domain.int.kerberos > ricoradb1.our.domain.int.20208: v5 08:20:01.808280 IP ricoradb1.our.domain.int.48434 > riciadcomm1.our.domain.int.kerberos: 08:20:01.809272 IP riciadcomm1.our.domain.int.kerberos > ricoradb1.our.domain.int.48434: 08:20:01.809409 IP ricoradb1.our.domain.int.17323 > riciadcomm1.our.domain.int.kerberos: 08:20:01.810364 IP riciadcomm1.our.domain.int.kerberos > ricoradb1.our.domain.int.17323: And the error in /var/log/messages Apr 12 08:20:01 ricoradb1 winbindd[8167]: [2012/04/12 08:20:01, 0] libads/sasl.c:ads_sasl_spnego_bind(330) Apr 12 08:20:01 ricoradb1 winbindd[8167]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot find KDC for requested realm |
| All times are GMT -5. The time now is 11:38 PM. |