Bug 257121

Summary: Windows XP client Domain Authentication not working with "security = ADS"
Product: Red Hat Enterprise Linux 5 Reporter: Charles Gillet <charles>
Component: sambaAssignee: Samba Maint Team <samba-bugs-list>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: 5.0CC: jplans, k.georgiou, sputhenp
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-08-27 20:43:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Debug 10 output of attempt to authenticate (anonymized) none

Description Charles Gillet 2007-08-27 16:48:01 UTC 
Description of problem: 

Unable to authenticate samba against a Windows 2003 Server domain controller for
authentication


Version-Release number of selected component (if applicable): 

samba-3.0.23c-2.el5.2.0.2


How reproducible: 

On any Redhat Ent. 5 machine at my site while attempting to authenticate from
Windows XP SP2 client system.


Steps to Reproduce:
1. Create local /etc/passwd entry for user already on Windows 2003 server domain
2. Set up kerberos realm configuration and use "net ads join ..." command to
create machine account for Samba server on Windows domain
3. Attempt to browse samba share points from Windows XP client
  
Actual results: Client returns back failed authentication


Expected results: Browse samba shares, access files as usual


Additional info:
The exact smb.conf I was using on RHEL 4 U5 (samba-3.0.10-1.4E.12.2) and when I
compile and use samba source (3.0.25c) work fine.  Something with domain auth is
broken in the RHEL 5 shipping version.  I ran smbd in debug 10 and am completely
stumped.
Comment 1 Charles Gillet 2007-08-27 16:48:01 UTC 
Created attachment 174001 [details]
Debug 10 output of attempt to authenticate (anonymized)
Comment 2 Charles Gillet 2007-08-27 16:57:39 UTC 
smb.conf:

[global]
   workgroup = WINDOWS
   server string = Samba Server
   security = ADS
   load printers = yes
   cups options = raw
   log file = /var/log/samba/smb.log
   max log size = 5000
   realm = WINDOWS.DOMAIN
   dns proxy = no

[share]
    comment = Share
    path =  /export/share
Comment 3 Simo Sorce 2007-08-27 19:25:55 UTC 
I think I remember a fix we addedd upstream after 3.0.23c was released that may
address your problem. In the beta channel we have a newer version of samba that
should address it. Will you consider testing the version we have in the beta
channel?

If you do please make sure you backup all relevant files in case you want to
revert back to 3.0.23c afterwards.
Comment 4 Charles Gillet 2007-08-27 20:29:01 UTC 
Yes, the beta channel version works.  Looking forward to U1.
Comment 5 Simo Sorce 2007-08-27 20:43:07 UTC 
Thank you.
Comment 6 Kostas Georgiou 2007-08-29 17:36:57 UTC 
Same problem here (NT_STATUS_NO_SUCH_USER errors), the 5.1 beta version works
fine for me as well.
Comment 7 Colin.Simpson 2007-09-07 13:07:00 UTC 
This is the same bug as FC6 had here:

https://bugzilla.redhat.com/show_bug.cgi?id=217293

I've been forced to upgrade our EL 5 systems Sambas to FC6 versions, to get this
to work now. 

The upstream Samba bug was this one:

https://bugzilla.samba.org/show_bug.cgi?id=4095
Comment 8 Simo Sorce 2007-09-07 15:17:54 UTC 
So why can't you just use the beta as Charles did?
Anyway it will be fixed in 5.1, you should be able to go back to use the RHEL
samba packages then.
Comment 9 Colin.Simpson 2007-09-25 17:22:31 UTC 
There wasn't a beta version when we installed RH5.
Comment 10 Simo Sorce 2007-10-01 03:55:54 UTC 
The beta is available in the beta channel.
You can subscribe your machine to the beta channel via RHN.