Hello,

I always get this error when I try to authenticate from a certain
domain.

[2007/08/14 14:08:37, 1] libsmb/clikrb5.c:ads_krb5_mk_req(560)
  ads_krb5_mk_req: krb5_get_credentials failed for catrksd0nam02$@7SINS.CORP.EVIL.COM (Server not found in Kerberos database)
[2007/08/14 14:08:37, 1] libsmb/clikrb5.c:ads_krb5_mk_req(560)
  ads_krb5_mk_req: krb5_get_credentials failed for catrksd0nam02$@7SINS.CORP.EVIL.COM (Server not found in Kerberos database)

Let me give you a little background. This is a web server which has
some mapped drives users can connect to. We have 3 domains in this
network: DEMONIC, HELLSGATE, and 7SINS. I am able to map the drives
authenticating against DEMONIC and HELLSGATE but not against 7SINS.
Below is my configuration.

Samba 3.0.23c
Heimdal 0.7
OpenLdap 2.3.27
Samba Server OS: Solaris 10 - SunOS caotasa0web02 5.10 Generic_118833-36 sun4u sparc SUNW,Sun-Fire-V240
Windows Server: Windows 2K3

DOMAINS: DEMONIC.MFG.AD.EVIL.COM DEMONIC
HELLSGATE.MFG.AD.EVIL.COM HELLSGATE
7SINS.CORP.EVIL.COM 7SINS

caotasa0web02 is joined to the DEMONIC domain and tests OK.

caotasa0web02# net ads testjoin
Join is OK

smb.conf

[global]
workgroup = DEMONIC
realm = DEMONIC.MFG.AD.EVIL.COM
server string = web server2
netbios name = caotasa0web02
security = ADS
password server = caotasd0mfg01.demonic.mfg.ad.evil.com, caotasd0mfg02.demonic.mfg.ad.evil.com, catrksd0nam02.7sins.corp.evil.com, *
log level = 3 passdb:5 auth:10 winbind:10
preferred master = No
local master = No
ldap ssl = no
allow trusted domains = yes
encrypt passwords = yes
client schannel = no
idmap uid = 10000 - 20000
idmap gid = 20000 - 30000
template homedir = /export/home/%D/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind uid = 10000 - 20000
winbind gid = 20000 - 30000
# winbind use default domain = yes
winbind separator = +
winbind cache time = 10

[webdocs]
comment = Web data top level directory
path = /opt/SUNWwbsvr/docs
read only = No

[jnk]
comment = junk share
path = /opt/jnk
read only = No

krb5.conf

[libdefaults]
default_realm = DEMONIC.MFG.AD.EVIL.COM

[realms]
DEMONIC.MFG.AD.EVIL.COM = {
kdc = caotasd0mfg01.demonic.mfg.ad.evil.com
admin_server = caotasd0mfg01.demonic.mfg.ad.evil.com
kpasswd_protocol = SET_CHANGE
}
7SINS.CORP.EVIL.COM = {
kdc = catrksd0nam02.7sins.corp.evil.com
admin_server = catrksd0nam02.7sins.corp.evil.com
kpasswd_protocol = SET_CHANGE
}


[domain_realm]
.demonic.mfg.ad.evil.com= DEMONIC.MFG.AD.EVIL.COM
demonic.mfg.ad.evil.com= DEMONIC.MFG.AD.EVIL.COM
.7sins.corp.evil.com = 7SINS.CORP.EVIL.COM
7sins.corp.evil.com = 7SINS.CORP.EVIL.COM


[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

versions = 10
}

[appdefaults]
kinit = {

renewable = true
forwardable = true
proxiable = true
no_addresses = true
}

nsswitch.conf

passwd: files winbind
group: files winbind

# You must also set up the /etc/resolv.conf file for DNS name
# server lookup. See resolv.conf(4).
hosts: files dns winbind

# Note that IPv4 addresses are searched for in all of the ipnodes
databases
# before searching the hosts databases.
ipnodes: files dns

networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files winbind
aliases: files
services: files
printers: user files

auth_attr: files
prof_attr: files
project: files

tnrhtp: files
tnrhdb: files




Now I know Kerberos is working. I am able to receive tickets from all
domains, and I can use those tickets to authenticate to the different
domains. I've tested this by using smbclient -L {server} -k. A 7SINS
user can connect to a DEMONIC, 7SINS, or HELLSGATE server and vice versa.
When I run klist, I see cross-domain tickets for all the domains after
I initially connect to a server on whichever domain.

When I try to map a drive to caotasaweb02\jnk using a DEMONIC or
HELLSGATE account I have no issues, but when I use a nam account I get
this:

[2007/08/15 07:15:12, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
  child daemon request 49
[2007/08/15 07:15:12, 10] nsswitch/winbindd_dual.c:child_process_request(393)
  process_request: request fn DUAL_USERINFO
[2007/08/15 07:15:12, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
  [24092]: lookupsid S-1-5-21-2484819571-2125529598-2454565363-497406
[2007/08/15 07:15:12, 10] nsswitch/winbindd_cache.c:fetch_cache_seqnum(362)
  fetch_cache_seqnum: timeout [7SINS][4294967295 @ 1187114917]
[2007/08/15 07:15:12, 3] nsswitch/winbindd_ads.c:sequence_number(1018)
  ads: fetch sequence_number for 7SINS
[2007/08/15 07:15:12, 10] nsswitch/winbindd_ads.c:ads_cached_connection(43)
  ads_cached_connection
[2007/08/15 07:15:12, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", *"
[2007/08/15 07:15:12, 1] libads/dns.c:ads_dns_parse_rr_srv(173)
  ads_dns_parse_rr_srv: Failed to parse RR record
[2007/08/15 07:15:12, 1] libads/dns.c:ads_dns_lookup_srv(307)
  ads_dns_lookup_srv: Failed to parse answer record!
[2007/08/15 07:15:12, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: "120.64.243.97, *"
[2007/08/15 07:15:12, 3] libsmb/namequery.c:resolve_lmhosts(939)
  resolve_lmhosts: Attempting lmhosts lookup for name 7SINS<0x1c>
[2007/08/15 07:15:12, 3] libsmb/namequery.c:resolve_wins(836)
  resolve_wins: Attempting wins lookup for name 7SINS<0x1c>
[2007/08/15 07:15:12, 3] libsmb/namequery.c:resolve_wins(839)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2007/08/15 07:15:12, 3] libsmb/namequery.c:name_resolve_bcast(778)
  name_resolve_bcast: Attempting broadcast lookup for name 7SINS<0x1c>
[2007/08/15 07:15:12, 2] libsmb/namequery.c:name_query(577)
  Got a positive name query response from 120.64.243.97 ( 120.64.243.97 )
[2007/08/15 07:15:13, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 120.64.243.97
[2007/08/15 07:15:13, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/08/15 07:15:13, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/08/15 07:15:13, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/08/15 07:15:13, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/08/15 07:15:13, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =catrksd0nam02$@7SINS.CORP.EVIL.COM
[2007/08/15 07:15:13, 1] libsmb/clikrb5.c:ads_krb5_mk_req(560)
  ads_krb5_mk_req: krb5_get_credentials failed for catrksd0nam02$@7SINS.CORP.EVIL.COM (Ticket expired)
[2007/08/15 07:15:13, 1] libsmb/clikrb5.c:ads_krb5_mk_req(560)
  ads_krb5_mk_req: krb5_get_credentials failed for catrksd0nam02$@7SINS.CORP.EVIL.COM (Server not found in Kerberos database)
[2007/08/15 07:15:13, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain 7SINS failed: Server not found in Kerberos database
[2007/08/15 07:15:13, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(400)
  store_cache_seqnum: success [7SINS][4294967295 @ 1187176513]
[2007/08/15 07:15:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(458)
  refresh_sequence_number: 7SINS seq number is now -1
[2007/08/15 07:15:13, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
  error getting user info for sid S-1-5-21-2484819571-2125529598-2454565363-497406
[2007/08/15 07:15:13, 10] nsswitch/winbindd_cache.c:cache_store_response(1955)
  Storing response for pid 24097, len 3240
[2007/08/15 07:15:13, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
  child daemon request 49
[2007/08/15 07:15:13, 10] nsswitch/winbindd_dual.c:child_process_request(393)
  process_request: request fn DUAL_USERINFO
[2007/08/15 07:15:13, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
  [24092]: lookupsid S-1-5-21-2484819571-2125529598-2454565363-497406
[2007/08/15 07:15:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(430)
  refresh_sequence_number: 7SINS time ok
[2007/08/15 07:15:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(458)
  refresh_sequence_number: 7SINS seq number is now -1
[2007/08/15 07:15:13, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
  error getting user info for sid S-1-5-21-2484819571-2125529598-2454565363-497406
[2007/08/15 07:15:13, 10] nsswitch/winbindd_cache.c:cache_store_response(1955)
  Storing response for pid 24097, len 3240
[2007/08/15 07:15:13, 4] nsswitch/winbindd_dual.c:fork_domain_child(806)
  child daemon request 49
[2007/08/15 07:15:13, 10] nsswitch/winbindd_dual.c:child_process_request(393)
  process_request: request fn DUAL_USERINFO
[2007/08/15 07:15:13, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
  [24092]: lookupsid S-1-5-21-2484819571-2125529598-2454565363-497406
[2007/08/15 07:15:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(430)
  refresh_sequence_number: 7SINS time ok
[2007/08/15 07:15:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(458)
  refresh_sequence_number: 7SINS seq number is now -1
[2007/08/15 07:15:13, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
  error getting user info for sid S-1-5-21-2484819571-2125529598-2454565363-497406
[2007/08/15 07:15:13, 10] nsswitch/winbindd_cache.c:cache_store_response(1955)
  Storing response for pid 24097, len 3240

The end result on the Windows box I try to connect to is:

"System Error 86 has occurred.
The specified network password is not correct."

The password is correct.

Any help, ideas, or direction would be greatly appreciated.

Thanks,
Paul.
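Added example, not Paul's code and not part of Samba: a small Python triage script that reassembles a mail-wrapped Samba 3 winbindd debug log like the one above and pulls out the chain that matters for a trust problem: whether the DNS SRV lookup for the domain's DCs failed and which fallback resolver then answered, the server principal the DC advertised during the SASL/SPNEGO bind, and each krb5_get_credentials failure with its realm, flagged as cross-realm when that realm differs from the host's own. The embedded sample is an excerpt of the winbindd trace from the post, kept wrapped exactly as it arrived; the home realm passed in is the default_realm from the posted krb5.conf. The findings it prints are observations to check, not a diagnosis.

```python
"""Triage helper for Samba 3.x winbindd/libads debug logs (added example)."""
import re

# Samba record: "[date time, level] file:func(line)" then indented message lines.
TS_RE = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}, \d+\]")
HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+), (?P<level>\d+)\] (?P<file>\S+):(?P<func>\w+)"
                       r"\((?P<line>\d+)\)\s*(?P<msg>.*)$")
KRB_FAIL_RE = re.compile(r"krb5_get_credentials failed for (?P<princ>\S+?)@"
                         r"(?P<realm>[A-Z0-9.\-]+) \((?P<reason>[^)]*)\)")
SPN_RE = re.compile(r"got server principal name\s*=\s*(?P<spn>\S+)")
ADS_FAIL_RE = re.compile(r"ads_connect for domain (?P<domain>\S+) failed: (?P<reason>.+)")
NAME_QUERY_RE = re.compile(r"Got a positive name query response from (?P<ip>[\d.]+)")
RESOLVERS = {"resolve_hosts", "resolve_ads", "resolve_lmhosts", "resolve_wins",
             "name_resolve_bcast"}          # namequery.c, one per resolution method
SRV_FUNCS = {"ads_dns_lookup_srv", "ads_dns_parse_rr_srv"}   # libads/dns.c SRV lookup


def reassemble(lines):
    """Undo mail wrapping: a record starts at a timestamped line; later lines are
    glued on (without a space after a trailing '/', which is a split path)."""
    records = []
    for line in (l.strip() for l in lines):
        if TS_RE.match(line):
            records.append(line)
        elif line and records:
            records[-1] += line if records[-1].endswith("/") else " " + line
    return records


def parse_records(lines):
    """Dicts with ts, level, file, func, line, msg for every parseable record."""
    out = []
    for text in reassemble(lines):
        if m := HEADER_RE.match(text):
            rec = m.groupdict()
            rec["level"], rec["line"] = int(rec["level"]), int(rec["line"])
            rec["msg"] = " ".join(rec["msg"].split())
            out.append(rec)
    return out


def triage(lines, home_realm=None):
    """Summarise DC discovery and ticket requests; home_realm (krb5.conf
    default_realm) lets failures in any other realm be flagged as cross-realm."""
    s = {"srv_lookup_failed": False, "dc_found_by": None, "server_principals": [],
         "krb5_failures": [], "ads_connect_failures": [], "findings": []}
    last_resolver = None
    for r in parse_records(lines):
        msg, func = r["msg"], r["func"]
        if func in RESOLVERS:
            last_resolver = func
        if m := KRB_FAIL_RE.search(msg):
            s["krb5_failures"].append((m["princ"], m["realm"], m["reason"]))
        elif func in SRV_FUNCS and "Failed" in msg:
            s["srv_lookup_failed"] = True
        elif m := NAME_QUERY_RE.search(msg):
            s["dc_found_by"] = (last_resolver, m["ip"])   # NetBIOS answer, not DNS
        elif m := SPN_RE.search(msg):
            s["server_principals"].append(m["spn"])
        elif m := ADS_FAIL_RE.search(msg):
            s["ads_connect_failures"].append((m["domain"], m["reason"]))
    if s["srv_lookup_failed"]:
        found = s["dc_found_by"]
        s["findings"].append("DNS SRV lookup for the domain's DCs failed; DC " + (
            f"found via {found[0]} at {found[1]}" if found else "not found"))
    for spn in s["server_principals"]:
        if spn.split("@", 1)[0].endswith("$"):   # computer-account name, not ldap/fqdn
            s["findings"].append(f"server principal {spn} is in machine-account form "
                                 "(name$@REALM), not a service principal like ldap/fqdn@REALM")
    for princ, realm, reason in dict.fromkeys(s["krb5_failures"]):   # dedupe, keep order
        cross = home_realm and realm.upper() != home_realm.upper()
        s["findings"].append(f"TGS request for {princ}@{realm} failed: {reason}"
                             + (f" (cross-realm from {home_realm})" if cross else ""))
    return s


# Excerpt of the winbindd trace from the post, wrapped exactly as it arrived.
SAMPLE_LOG = """\
[2007/08/15 07:15:12, 1] libads/dns.c:ads_dns_parse_rr_srv(173)
ads_dns_parse_rr_srv: Failed to parse RR record
[2007/08/15 07:15:12, 3] libsmb/namequery.c:name_resolve_bcast(778)
name_resolve_bcast: Attempting broadcast lookup for name 7SINS<0x1c>
[2007/08/15 07:15:12, 2] libsmb/namequery.c:name_query(577)
Got a positive name query response from 120.64.243.97
( 120.64.243.97 )
[2007/08/15 07:15:13, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
ads_sasl_spnego_bind: got server principal name
=catrksd0nam02$@7SINS.CORP.EVIL.COM
[2007/08/15 07:15:13, 1] libsmb/clikrb5.c:ads_krb5_mk_req(560)
ads_krb5_mk_req: krb5_get_credentials failed for
catrksd0nam02$@7SINS.CORP.EVIL.COM (Server not found in Kerberos
database)
[2007/08/15 07:15:13, 1] nsswitch/
winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain 7SINS failed: Server not found in Kerberos
database
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines(), "DEMONIC.MFG.AD.EVIL.COM")["findings"]:
        print(finding)
```

Run it on a full `log level = 3 ... winbind:10` log with `triage(open(path).read().splitlines(), "YOUR.REALM")`; the resolver name in the SRV finding tells you whether the DC was found by DNS or by a NetBIOS fallback, which is the first thing to settle before looking at the Kerberos principal.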