Ru-Board.club

» Samba3, winbind hangs

Author: Raifeg
Posted: 09.02.2009 16:24
Good day.
I ran into the following problem while joining Samba to a domain:
kinit works fine, net join works fine, getent passwd and getent group show the domain users and groups, wbinfo -p works fine, and then the tricks begin.

wbinfo -t takes about 5 minutes to run, and winbind starts eating 100% of the CPU while it does. I did not have the patience to wait for wbinfo -u or -g.
The logs say:
ads_krb5_mk_req: krb5_get_credentials failed for NSKHQ$@DOMAINNAME (Cannot resolve network address for KDC in requested realm)

Notably, for some reason it wants to find a KDC for the NetBIOS name of the domain, although in theory it should be using the full DNS name.

I tried adding an extra realm for this name to krb5.conf; winbind then starts complaining differently:
ads_krb5_mk_req: krb5_get_credentials failed for NSKHQ$@DOMAINNAME (KDC reply did not match expectations)
The same thing happens if I add an entry for DOMAINNAME to hosts that points to the domain controller.

The domain runs on Windows 2008 server.

[more=Configuration]
# uname -srv
Linux 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008

# smbd -V
Version 3.2.8-0.26.fc10

# cat /etc/samba/smb.conf
[global]
netbios name = NSKGW
workgroup = DOMAINNAME
realm = NSK.DOMAINNAME.RU
server string = Samba Server Version %v
security = ADS
auth methods = winbind
update encrypted = Yes
password server = nsk.domainname.ru
passdb backend = tdbsam
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
show add printer wizard = No
preferred master = No
local master = No
domain master = No
wins server = nsk.domainname.ru
ldap ssl = no
obey pam restrictions = yes
winbind use default domain = yes
winbind cache time = 0
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000

# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = NSK.DOMAINNAME.RU
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
clock_skew = 300

[realms]
NSK.DOMAINNAME.RU = {
kdc = nsk.domainname.ru:88
admin_server = nsk.domainname.ru:749
default_domain = nsk.domainname.ru
}

[domain_realm]
.nsk.domainname.ru = NSK.DOMAINNAME.RU
nsk.domainname.ru = NSK.DOMAINNAME.RU

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
kinit = {
renewable = true
forwardable = true
}

# grep winbind /etc/nsswitch.conf
passwd: files winbind
group: files winbind

# cat /etc/resolv.conf
domain nsk.domainname.ru
search nsk.domainname.ru
nameserver 192.168.249.7[/more]
Author: Drron
Posted: 11.02.2009 09:12
It should be

in /etc/samba/smb.conf
realm = DOMAINNAME.RU

Remove
password server = nsk.domainname.ru

in /etc/resolv.conf
domain domainname.ru
search domainname.ru

Remove everything you added from /etc/krb5.conf (Samba creates its own krb5.conf and uses it).

DNS must point to the domain controller (if not, set up a secondary zone from the AD server on the DNS server. Better to run bind locally and make it a secondary DNS server for the domain, and split the DOMAINNAME.RU zone into views depending on the clients: local ones get AD with internal addressing, external ones get the Internet zone with external addressing)

After that, kinit administrator@DOMAINNAME.RU

if DNS is all OK you will get
kinit: NOTICE: ticket renewable lifetime is 1 week

Don't forget to synchronize the time on the machines before kinit (better to run your own ntpd server and point the domain controller at it)

After that, start winbind and check
wbinfo -u
wbinfo -g

Author: Raifeg
Posted: 11.02.2009 09:48
Drron
nsk.domainname.ru is not a domain controller, it is the domain.
Why password server, for example, is set that way: because there are two controllers, and the name nsk.domainname.ru resolves to both of them, in case one of them drops off the network. If I put a specific IP there instead, the result does not change.

I removed password server, nothing changed. kinit works, net join works, winbind hangs and eats memory.
Author: Drron
Posted: 11.02.2009 10:17
Then why
workgroup = DOMAINNAME
it should be NSK ???

Add to smb.conf
debug level = 2

and post the logs
Author: Raifeg
Posted: 13.02.2009 11:44

Quote:
Then why
workgroup = DOMAINNAME
it should be NSK ???

The NetBIOS name can be arbitrary; in this case DOMAINNAME was simply chosen for convenience.

debug level = 3
[more=log.wb-DOMAINNAME][2009/02/13 15:39:44, 3] winbindd/winbindd_misc.c:winbindd_dual_list_trusted_domains(359)
[28638]: list trusted domains
[2009/02/13 15:39:44, 3] winbindd/winbindd_ads.c:trusted_domains(1285)
ads: trusted_domains
[2009/02/13 15:39:44, 3] winbindd/winbindd_misc.c:winbindd_dual_list_trusted_domains(359)
[28638]: list trusted domains
[2009/02/13 15:39:44, 3] winbindd/winbindd_ads.c:trusted_domains(1285)
ads: trusted_domains
[2009/02/13 15:39:44, 3] winbindd/winbindd_dual.c:child_read_request(52)
child_read_request: read_data failed: NT_STATUS_END_OF_FILE[/more]
[more=log.winbindd][2009/02/13 15:39:28, 0] winbindd/winbindd.c:main(1115)
winbindd version 3.3.0 started.
Copyright Andrew Tridgell and the Samba Team 1992-2009
[2009/02/13 15:39:28, 2] lib/tallocmsg.c:register_msg_pool_usage(106)
Registered MSG_REQ_POOL_USAGE
[2009/02/13 15:39:28, 2] lib/dmallocmsg.c:register_dmalloc_msgs(77)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2009/02/13 15:39:28, 3] param/loadparm.c:lp_load_ex(8782)
lp_load_ex: refreshing parameters
Initialising global parameters
[2009/02/13 15:39:28, 3] param/params.c:pm_process(569)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2009/02/13 15:39:28, 3] param/loadparm.c:do_section(7445)
Processing section "[global]"
[2009/02/13 15:39:28, 2] param/loadparm.c:do_section(7462)
Processing section "[www]"
[2009/02/13 15:39:28, 2] param/loadparm.c:do_section(7462)
Processing section "[html]"
[2009/02/13 15:39:28, 2] param/loadparm.c:do_section(7462)
Processing section "[storage]"
[2009/02/13 15:39:28, 3] param/loadparm.c:lp_add_ipc(5938)
adding IPC service
[2009/02/13 15:39:28, 2] lib/interface.c:add_interface(337)
added interface lo ip=::1 bcast=::1 netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
[2009/02/13 15:39:28, 2] lib/interface.c:add_interface(337)
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
[2009/02/13 15:39:28, 2] lib/interface.c:add_interface(337)
added interface eth0.2 ip=10.14.1.2 bcast=10.14.1.15 netmask=255.255.255.240
[2009/02/13 15:39:28, 2] lib/interface.c:add_interface(337)
added interface lo ip=::1 bcast=::1 netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
[2009/02/13 15:39:28, 2] lib/interface.c:add_interface(337)
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
[2009/02/13 15:39:28, 2] lib/interface.c:add_interface(337)
added interface eth0.2 ip=10.14.1.2 bcast=10.14.1.15 netmask=255.255.255.240
[2009/02/13 15:39:28, 0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2578)
initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2009/02/13 15:39:28, 2] winbindd/winbindd_util.c:add_trusted_domain(235)
Added domain BUILTIN S-1-5-32
[2009/02/13 15:39:28, 2] winbindd/winbindd_util.c:add_trusted_domain(235)
Added domain NSKGW S-1-5-21-1037004135-2719031263-3159761687
[2009/02/13 15:39:28, 2] winbindd/winbindd_util.c:add_trusted_domain(235)
Added domain DOMAINNAME NSK.DOMAINNAME.RU S-1-5-21-3139946500-841056496-3063108811
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
Doing spnego session setup (blob length=124)
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
got OID=1 2 840 48018 1 2 2
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
got OID=1 2 840 113554 1 2 2
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
got OID=1 2 840 113554 1 2 2 3
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
got OID=1 3 6 1 4 1 311 2 2 10
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
got principal=not_defined_in_RFC4178@please_ignore
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(899)
cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(927)
cli_session_setup_spnego: guessed server principal=NSKHQ$@DOMAINNAME
[2009/02/13 15:39:28, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
Doing kerberos session setup
[2009/02/13 15:39:28, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
ads_krb5_mk_req: krb5_get_credentials failed for NSKHQ$@DOMAINNAME (Cannot find KDC for requested realm)
[2009/02/13 15:39:28, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
Doing spnego session setup (blob length=124)
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
got OID=1 2 840 48018 1 2 2
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
got OID=1 2 840 113554 1 2 2
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
got OID=1 2 840 113554 1 2 2 3
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
got OID=1 3 6 1 4 1 311 2 2 10
[2009/02/13 15:39:28, 3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
got principal=not_defined_in_RFC4178@please_ignore
[2009/02/13 15:39:28, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1027)
Got challenge flags:
[2009/02/13 15:39:28, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x62898215
[2009/02/13 15:39:28, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1049)
NTLMSSP: Set final flags:
[2009/02/13 15:39:28, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x60088215
[2009/02/13 15:39:28, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/02/13 15:39:28, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x60088215
[2009/02/13 15:39:28, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2234)
rpc_pipe_bind: host NSKHQ.nsk.domainname.ru, pipe \lsarpc, fnum 0x800c bind request returned ok.
[2009/02/13 15:39:28, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2234)
rpc_pipe_bind: host NSKHQ.nsk.domainname.ru, pipe \lsarpc, fnum 0x800d bind request returned ok.[/more]
Author: Drron
Posted: 16.02.2009 12:51

Quote:
[2009/02/13 15:39:28, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
ads_krb5_mk_req: krb5_get_credentials failed for NSKHQ$@DOMAINNAME (Cannot find KDC for requested realm)
[2009/02/13 15:39:28, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm



That's strange.
Go to the DNS server and run
nslookup

ls -d NSK.DOMAINNAME.RU


I'm interested in whether there are records like

_gc._tcp SRV priority=0, weight=100, port=3268,
_kerberos._tcp SRV priority=0, weight=100, port=88,
_kpasswd._tcp SRV priority=0, weight=100, port=464,
_ldap._tcp SRV priority=0, weight=100, port=389,

Author: Raifeg
Posted: 16.02.2009 15:21
[more=nslookup] _gc._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=3268, nskhq.nsk.domainname.ru
_gc._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=3268, nskms.nsk.domainname.ru
_kerberos._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=88, nskms.nsk.domainname.ru
_kerberos._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=88, nskhq.nsk.domainname.ru
_ldap._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=389, nskms.nsk.domainname.ru
_ldap._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=389, nskhq.nsk.domainname.ru
_gc._tcp SRV priority=0, weight=100, port=3268, nskms.nsk.domainname.ru
_gc._tcp SRV priority=0, weight=100, port=3268, nskhq.nsk.domainname.ru
_kerberos._tcp SRV priority=0, weight=100, port=88, nskhq.nsk.domainname.ru
_kerberos._tcp SRV priority=0, weight=100, port=88, nskms.nsk.domainname.ru
_kpasswd._tcp SRV priority=0, weight=100, port=464, nskms.nsk.domainname.ru
_kpasswd._tcp SRV priority=0, weight=100, port=464, nskhq.nsk.domainname.ru
_ldap._tcp SRV priority=0, weight=100, port=389, nskms.nsk.domainname.ru
_ldap._tcp SRV priority=0, weight=100, port=389, nskhq.nsk.domainname.ru
_kerberos._udp SRV priority=0, weight=100, port=88, nskhq.nsk.domainname.ru
_kerberos._udp SRV priority=0, weight=100, port=88, nskms.nsk.domainname.ru
_kpasswd._udp SRV priority=0, weight=100, port=464, nskms.nsk.domainname.ru
_kpasswd._udp SRV priority=0, weight=100, port=464, nskhq.nsk.domainname.ru
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones SRV priority=0, weight=100, port=389, nskms.nsk.domainname.ru
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones SRV priority=0, weight=100, port=389, nskhq.nsk.domainname.ru
_ldap._tcp.DomainDnsZones SRV priority=0, weight=100, port=389, nskms.nsk.domainname.ru
_ldap._tcp.DomainDnsZones SRV priority=0, weight=100, port=389, nskhq.nsk.domainname.ru
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones SRV priority=0, weight=100, port=389, nskms.nsk.domainname.ru
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones SRV priority=0, weight=100, port=389, nskhq.nsk.domainname.ru
_ldap._tcp.ForestDnsZones SRV priority=0, weight=100, port=389, nskms.nsk.domainname.ru
_ldap._tcp.ForestDnsZones SRV priority=0, weight=100, port=389, nskhq.nsk.domainname.ru[/more]

Everything seems to be in place...
By the way, out of curiosity I took a spare machine and put the same Fedora 10 on it, only i386 (the CPU is old), and it worked right away. Strange...
Author: Drron
Posted: 17.02.2009 08:35
Strange, everything should work!!!

And do the names
nskhq.nsk.domainname.ru
nskms.nsk.domainname.ru
resolve properly via DNS?
Does telnet to ports 88 and 389 get through?

What options was samba built with on x64 and i386 (smbd -b) ?

Try rebuilding it manually (with a different prefix, so as not to overwrite the existing files).

Author: Raifeg
Posted: 17.02.2009 09:45
I rebuilt Samba: made an rpm from vanilla Samba 3.3, removed the old one, installed the new one, nothing changed.
[more=smbd -b] --with Options:
WITH_ADS
WITH_AUTOMOUNT
WITH_CIFSMOUNT
WITH_CIFSUPCALL
WITH_DNS_UPDATES
WITH_PAM
WITH_PAM_MODULES
WITH_QUOTAS
WITH_SENDFILE
WITH_SYSLOG
WITH_UTMP
WITH_WINBIND

Builtin modules:
pdb_ldap pdb_smbpasswd pdb_tdbsam rpc_lsarpc rpc_winreg rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl2 rpc_ntsvcs2 rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog2 rpc_samr idmap_ldap idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin vfs_default vfs_posixacl
[/more] these parts match on both machines.
I suspect the culprit is not Samba but some third-party module that winbind depends on.

Added:
and yes, the names resolve perfectly, and telnet gets through too )
Author: Raifeg
Posted: 11.03.2009 14:52
Solved:
It turns out the whole problem was this smb.conf line
winbind cache time = 0
====
It should have been commented out or set to a more acceptable value

Thanks, everyone.
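
An offline pre-flight check for the three things this thread kept returning to: the `winbind cache time = 0` line, agreement between the smb.conf realm and the krb5.conf default realm, and Kerberos requests logged against a realm other than the configured one. This is an added example, not code from any poster or from the Samba project; the function names and finding codes are hypothetical, and the sample inputs are constructed from the excerpts posted above.

```python
import re

# Constructed sample inputs, modelled on the excerpts posted in this thread.
SMB_CONF = """\
[global]
workgroup = DOMAINNAME
realm = NSK.DOMAINNAME.RU
security = ADS
winbind cache time = 0
"""
KRB5_CONF = """\
[libdefaults]
default_realm = NSK.DOMAINNAME.RU
[realms]
NSK.DOMAINNAME.RU = {
kdc = nsk.domainname.ru:88
}
"""
WINBIND_LOG = """\
[2009/02/13 15:39:28, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
ads_krb5_mk_req: krb5_get_credentials failed for NSKHQ$@DOMAINNAME (Cannot find KDC for requested realm)
"""


def parse_conf(text):
    """Parse smb.conf / krb5.conf text into {section: {key: value}}.

    Section and key names are lower-cased. A krb5 '{ ... }' sub-block is
    recorded by name only (value '{'); its inner lines are skipped.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth:  # inside a '{ ... }' block: only track nesting
            depth += line.endswith("{") - (line == "}")
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[" ".join(key.lower().split())] = value
            depth += value == "{"
    return sections


def audit(smb_text, krb5_text, log_text=""):
    """Return a list of (code, message) findings; the codes are hypothetical."""
    g = parse_conf(smb_text).get("global", {})
    libdefaults = parse_conf(krb5_text).get("libdefaults", {})
    realm = g.get("realm", "").upper()
    workgroup = g.get("workgroup", "").upper()
    findings = []
    if g.get("winbind cache time") == "0":
        findings.append(("cache-disabled",
                         "winbind cache time = 0 disables winbind caching; "
                         "the poster's hang stopped once this line was removed"))
    if g.get("security", "").upper() == "ADS":
        default = libdefaults.get("default_realm", "").upper()
        if realm != default:
            findings.append(("realm-mismatch",
                             f"smb.conf realm {realm!r} != default_realm {default!r}"))
    failed = set(re.findall(
        r"krb5_get_credentials failed for (\S+)@(\S+) \((.+?)\)", log_text))
    for principal, krb_realm, reason in sorted(failed):
        if krb_realm.upper() != realm:
            hint = " (the NetBIOS workgroup name)" if krb_realm.upper() == workgroup else ""
            findings.append(("krb-realm",
                             f"{principal}@{krb_realm}: ticket requested for realm "
                             f"{krb_realm!r}{hint}, not {realm!r}: {reason}"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SMB_CONF, KRB5_CONF, WINBIND_LOG):
        print(f"{code}: {message}")
```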


The Ru-Board.club forum was brought up on 15-09-2016. The goal is to preserve the heritage of the old Ru-Board and the history of how the Russian Internet took shape. Made for people.