Bug 287531

Summary: samba security=ADS broke in rhel5 works in rhel4
Product: Red Hat Enterprise Linux 5
Component: samba
Version: 5.0
Hardware: i386
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: medium
Reporter: John Sopko <sopko>
Assignee: Samba Maint Team <samba-bugs-list>
CC: jplans
Doc Type: Bug Fix
Last Closed: 2007-09-12 13:13:07 UTC

Description John Sopko 2007-09-12 12:44:48 UTC
Description of problem:

We have been using samba under rhel4 for a long time
using Windows 2003 AD server for authentication.
I am upgrading the server to rhel5 and cannot get
AD authentication to work. If I upgrade samba from
the Fedora core 7 release it works fine. See notes
below. I searched https://bugzilla.samba.org/ but
could not find what fixes this problem. I found
one other case on the samba mail list where a user
had the same problem when using samba 3.0.23c but
no solution.


Version-Release number of selected component (if applicable):

samba-3.0.23c-2.el5.2.0.2

How reproducible:

Always, tried on 2 different systems.

Steps to Reproduce:
1. Install latest rhel5 samba-3.0.23c-2.el5.2.0.2
2. Configure smb.conf to authenticate to Windows AD server
3. Try to connect to samba via a windows client or smbclient -k
  
Actual results:

On windows you should just be able to connect to the samba
server using your current Windows tgt, instead the connection
fails and you get prompted for a username/password and this
also fails.

This output from /var/messages log on the samba server
with smb.conf syslog=10 and log level=10:

Sep 11 14:57:52 lark smbd[27709]:   Doing spnego session setup
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
Sep 11 14:57:52 lark smbd[27709]:   NativeOS=[Windows 2002 Service Pack 2 2600]
NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_negotiate(551)
Sep 11 14:57:52 lark smbd[27709]:   Got OID 1 2 840 48018 1 2 2
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_negotiate(551)
Sep 11 14:57:52 lark smbd[27709]:   Got OID 1 2 840 113554 1 2 2
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_negotiate(551)
Sep 11 14:57:52 lark smbd[27709]:   Got OID 1 3 6 1 4 1 311 2 2 10
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_negotiate(554)
Sep 11 14:57:52 lark smbd[27709]:   Got secblob of size 1164
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_kerberos(207)
Sep 11 14:57:52 lark smbd[27709]:   Ticket name is [sopko.EDU]
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 1]
smbd/sesssetup.c:reply_spnego_kerberos(334)
Sep 11 14:57:52 lark smbd[27709]:   make_server_info_info3 failed:
NT_STATUS_NO_SUCH_USER!
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/error.c:error_packet(146)
Sep 11 14:57:52 lark smbd[27709]:   error packet at smbd/sesssetup.c(339)
cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/process.c:timeout_processing(1359)
Sep 11 14:57:52 lark smbd[27709]:   timeout_processing: End of file from client
(client has disconnected).

This output from smbclient -k. Note that I first get a tgt
fine from the CS.UNC.EDU domain, then use smbclient -k.
I get a cifs/swan5.cs.unc.edu.EDU service ticket
just fine but the connection still fails. I also tried as
root which gets rid of the file permission problem but
it is still broken.

|sopko@lark:34% klist
Ticket cache: FILE:/tmp/krb5cc_3903_kGhJi1
Default principal: sopko.EDU

Valid starting     Expires            Service principal
09/12/07 08:28:19  09/12/07 18:28:21  krbtgt/CS.UNC.EDU.EDU
        renew until 09/19/07 08:28:19


Kerberos 4 ticket cache: /tmp/tkt3903
klist: You have no tickets cached

 |sopko@lark:35% smbclient -k -d 2 //swan5/playpen
added interface ip=152.2.129.13 bcast=152.2.255.255 nmask=255.255.0.0
tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb:
Permission denied
Doing kerberos session setup
cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE


 |sopko@lark:36% klist
Ticket cache: FILE:/tmp/krb5cc_3903_kGhJi1
Default principal: sopko.EDU

Valid starting     Expires            Service principal
09/12/07 08:28:19  09/12/07 18:28:21  krbtgt/CS.UNC.EDU.EDU
        renew until 09/19/07 08:28:19
09/12/07 08:28:37  09/12/07 18:28:21  cifs/swan5.cs.unc.edu.EDU
        renew until 09/19/07 08:28:19


Kerberos 4 ticket cache: /tmp/tkt3903
klist: You have no tickets cached



Expected results:

Should get a samba connection. If I upgrade samba
to the latest fedora core 7 samba-3.0.25-2 things
work fine. I used the same smb.conf file for
both cases.


Additional info:


I am able to join the samba server to the AD domain fine using
"net ads join -U" command. The current version of samba
that comes with rhel5 is broken. The current version of samba
that comes with rhel4, samba-3.0.10-1.4E.12.2 works fine.
The version of samba that comes with Fedora core 7 samba-3.0.25-2
works fine.
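
Added example, not part of the original report and not Samba code: a small Python triage script for smbd debug output like the log above. It re-joins the wrapped syslog lines and reports, per smbd pid, whether a Kerberos session setup was rejected after the ticket name had already been logged, that is, at the account-mapping step (make_server_info_info3) rather than at ticket handling. The function names and the "stage" labels are assumptions made for this example; the sample input is an excerpt of the log quoted in the report.

```python
import re

# Excerpt of the smbd log quoted in the report above, wrapped as it appears there.
SAMPLE = """\
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_kerberos(207)
Sep 11 14:57:52 lark smbd[27709]:   Ticket name is [sopko.EDU]
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 1]
smbd/sesssetup.c:reply_spnego_kerberos(334)
Sep 11 14:57:52 lark smbd[27709]:   make_server_info_info3 failed:
NT_STATUS_NO_SUCH_USER!
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/error.c:error_packet(146)
Sep 11 14:57:52 lark smbd[27709]:   error packet at smbd/sesssetup.c(339)
cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ smbd\[(\d+)\]:\s+(.*)$")
TICKET = re.compile(r"Ticket name is \[([^\]]*)\]")
MAPFAIL = re.compile(r"make_server_info_info3 failed:\s*(NT_STATUS_\w+)")
ERRPKT = re.compile(r"error packet at \S+ cmd=\d+ \(SMBsesssetupX\) (NT_STATUS_\w+)")

def records(text):
    """Yield (pid, body) per syslog record, re-joining wrapped continuation lines."""
    current = None
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2)]
        elif current and line.strip():
            current[1] += " " + line.strip()  # continuation of the previous record
    if current:
        yield tuple(current)

def triage(text):
    """Per smbd pid: principal from the ticket, failing stage, cause and reply status."""
    sessions = {}
    for pid, body in records(text):
        s = sessions.setdefault(pid, dict(principal=None, stage=None, cause=None, reply=None))
        if (m := TICKET.search(body)):
            s["principal"] = m.group(1)
        elif (m := MAPFAIL.search(body)):
            s["stage"], s["cause"] = "account-mapping", m.group(1)
        elif (m := ERRPKT.search(body)):
            s["reply"] = m.group(1)
            s["stage"] = s["stage"] or "other"  # label assumed for this example
    return sessions
```

For the excerpt, triage(SAMPLE) reports pid 27709 with stage "account-mapping", cause NT_STATUS_NO_SUCH_USER and reply NT_STATUS_LOGON_FAILURE.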

Comment 1 Simo Sorce 2007-09-12 13:13:07 UTC
Please test the version we have in the beta channel, that will solve your problem.

*** This bug has been marked as a duplicate of 218774 ***

Comment 2 John Sopko 2007-09-12 14:24:02 UTC
Darn, I searched for quite a while and did not see that this was reported.
I have a hard time using the bugzilla search features...

I installed samba-3.0.25b-0.el5.4.i386.rpm from the rhel5 beta channel
and tested, this fixed it.

Thanks for the quick response and you can close the bug.