|Summary:||Winbind authentication problem against Windows 2008 R2 AD.|
|Product:||Red Hat Enterprise Linux 5||Reporter:||Johan Bergström <johan.bergstrom>|
|Component:||samba||Assignee:||Guenther Deschner <gdeschner>|
|Status:||CLOSED WONTFIX||QA Contact:||qe-baseos-daemons|
|Version:||5.4||CC:||dpal, gdeschner, hoan.dinh, jardine_p, johan.bergstrom, manuel.pelayo, mniranja, oguzyilmaz, presgas, rdieter, rprice, tao, ukh, walt|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2010-05-26 15:38:14 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Johan Bergström 2010-02-03 12:39:44 UTC
Created attachment 388518 [details]
Samba config

Description of problem:

After joining a Win2k8 R2 Forest/Domain native AD without problems, I wanted to set up user authentication for logging in with pam_winbind, but encountered this problem:

[root@udcsp03 etc]# wbinfo -a domainuser%password
plaintext password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user domainuser%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user domainuser with challenge/response

From /var/log/messages:

Feb 3 12:57:23 udcsp03 winbindd: [2010/02/03 12:57:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
Feb 3 12:57:23 udcsp03 winbindd: rpc_api_pipe: Remote machine INFRADC06.sweinfra.se pipe \NETLOGON fnum 0x800ereturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

Authenticating using kerberos works fine:

[root@udcsp03 etc]# wbinfo -K domainuser%password
plaintext kerberos password authentication for [domainuser%password] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

Also, a local 'su - domainuser' works just fine, as well as 'wbinfo -g' and 'wbinfo -u'. getent passwd/group works and 'id uid' returns all domain groups as well as local groups as it should. It seems to be a password authentication problem only.

After reading some mailing lists I noticed this problem has already been fixed in mainstream samba >3.3.10.

References:
http://old.nabble.com/NTLM_auth-to-win2008-r2-failed-%28NT_STATUS_PIPE_DISCONNECTED%29-td27336513.html
http://lists.samba.org/archive/samba/2009-November/151883.html

Version-Release number of selected component (if applicable):

[root@udcsp03 etc]# uname -a
Linux udcsp03.sweinfra.se 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
[root@udcsp03 etc]# rpm -qa | grep -E 'redhat-release|samba|krb'
samba-common-3.0.33-3.14.el5
redhat-release-5Server-18.104.22.168
krb5-workstation-1.6.1-36.el5
krb5-libs-1.6.1-36.el5
samba-common-3.0.33-3.14.el5
samba-3.0.33-3.14.el5
krb5-libs-1.6.1-36.el5

How reproducible:
100%

Steps to Reproduce:
1. wbinfo -a domainuser%password
2.
3.

Actual results:
Failure to authenticate.

Expected results:
User authenticated OK.

Additional info:
Attaching my smb.conf
Comment 1 Robert Freeman-Day 2010-02-19 14:11:26 UTC
I can confirm this as our environment is in the process of migrating to Win2k8 R2. We have been using smbclient as our test program instead of wbinfo, however. We point the smb.conf directive "password server" to a pre-upgraded Win2k8 Domain Controller, all works well with ntlmv2 auth (which is what "wbinfo -a domainuser%password" is using). Pointing it to a Win2k8 R2 DC initially gives us (with "smbclient" and -d 10):

spnego_parse_auth_response failed at 1
Failed to parse auth response
SPNEGO login failed: NT code 0x00000721
session setup failed: NT code 0x00000721

subsequent connections:

SPNEGO login failed: Named pipe dicconnected
session setup failed: NT_STATUS_PIPE_DISCONNECTED

and we get matching /var/log/messages as Johan's even with the initial failure.

winbindd: [2010/02/12 14:23:33, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
winbindd: rpc_api_pipe: Remote machine IU-MSSG-TSDC1.testads.iu.edu pipe \NETLOGON fnum 0xereturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

We are also getting this message in /var/log/samba/winbindd.log:

[2010/02/12 14:23:33, 1] nsswitch/winbindd_util.c:trustdom_recv(230)
Could not receive trustdoms

Was not sure if that message could be related to this upstream bug:
https://bugzilla.samba.org/show_bug.cgi?id=6815

Which supposedly was fixed in this version of Samba:
http://www.samba.org/samba/history/samba-3.4.3.html

I cannot find an equivalent bug or change statement in the other code bases except 3.4.x. We also have a test Domain that is fully Win2k8 R2 that we can do packet captures to assist with bugfixing.
Comment 2 Walter Gould 2010-03-01 16:34:20 UTC
Our college also can confirm this. Our AD admins are in the process of upgrading active directory DC's to Win2008R2. We use Samba to join our AD domain in order to perform MS-CHAP wireless authentications on our campus (via FreeRADIUS). When authenticating against our DC's running Windows 2003, we can perform ntlm auth's without errors. When authenticating against the upgraded DC's (Win2008R2), we receive ntlm authentication errors as follows:

# wbinfo -a domainuser%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user stutest%5980178 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user stutest with challenge/response

From /var/log/samba/winbindd.log:

[2010/03/01 10:18:33, 1] nsswitch/winbindd_util.c:trustdom_recv(230)
Could not receive trustdoms

Errors from /var/log/messages:

Mar 1 10:19:59 kruger winbindd: [2010/03/01 10:19:59, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
Mar 1 10:19:59 kruger winbindd: rpc_api_pipe: Remote machine DUCNT31.auburn.edu pipe \NETLOGON fnum 0x1returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

[root@kruger source3]# uname -a
Linux kruger.auburn.edu 2.6.18-128.7.1.el5 #1 SMP Mon Aug 24 08:20:55 EDT 2009 i686 i686 i386 GNU/Linux
[root@kruger ~]# rpm -qa | grep samba
samba-client-3.0.33-3.15.el5_4.1
samba-3.0.33-3.15.el5_4.1
system-config-samba-1.2.41-3.el5
samba-common-3.0.33-3.15.el5_4.1

How reproducible:
100% (on DC's running Win2008R2)

Steps to Reproduce:
1. wbinfo -a domainuser%password

Actual results:
Failure to authenticate.

Expected results:
User authenticated OK.
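
Added example, not part of the bug report or of any commenter's post: during a staged DC upgrade like the ones described above, this sketch tallies which domain controllers produce the winbindd NETLOGON disconnect in syslog. The sample lines are copied from this report plus one constructed unrelated line; the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: the two failure entries quoted in this report, plus one
# constructed unrelated line to show that other syslog traffic is ignored.
SAMPLE_LOG = r"""Feb 3 12:57:23 udcsp03 winbindd: [2010/02/03 12:57:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
Feb 3 12:57:23 udcsp03 winbindd: rpc_api_pipe: Remote machine INFRADC06.sweinfra.se pipe \NETLOGON fnum 0x800ereturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
Mar 1 10:19:59 kruger winbindd: [2010/03/01 10:19:59, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
Mar 1 10:19:59 kruger winbindd: rpc_api_pipe: Remote machine DUCNT31.auburn.edu pipe \NETLOGON fnum 0x1returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
Mar 1 10:20:05 kruger crond: constructed unrelated line
"""

# The syslog prefix is optional because some pastes omit it. The logs above
# print the fnum with no space before "returned" ("0x800ereturned"); the hex
# class cannot swallow the leading "r", so the split is unambiguous.
EVENT = re.compile(
    r"(?:^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s)?"
    r"winbindd(?:\[\d+\])?:\s+rpc_api_pipe: Remote machine (?P<dc>\S+) "
    r"pipe (?P<pipe>\S+) fnum 0x(?P<fnum>[0-9a-fA-F]+)\s*returned critical error\. "
    r"Error was (?P<status>NT_STATUS_\w+)"
)

def parse_events(text):
    """Return one dict per winbindd rpc_api_pipe failure line."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            ev = m.groupdict()
            ev["fnum"] = int(ev["fnum"], 16)
            events.append(ev)
    return events

def netlogon_disconnects_by_dc(events):
    """Count NETLOGON pipe disconnects per domain controller (lower-cased)."""
    return Counter(
        ev["dc"].lower() for ev in events
        if ev["pipe"].upper() == r"\NETLOGON"
        and ev["status"] == "NT_STATUS_PIPE_DISCONNECTED"
    )

if __name__ == "__main__":
    counts = netlogon_disconnects_by_dc(parse_events(SAMPLE_LOG))
    for dc, n in sorted(counts.items()):
        print(f"{dc}: {n} NETLOGON disconnect(s) seen by winbindd")
```
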
Comment 3 Johan Bergström 2010-03-02 10:02:13 UTC
Just saw this in the RHEL5.5 beta Release Notes.

Samba

Samba is a suite of programs used by machines to share files, printers, and other information. This update includes a newer version of Samba in the Samba3x package, adding support to interoperate with the latest operating systems of the Microsoft family, Windows 2008 and Windows 2008 R2 server, Windows Vista and Windows 7. This version of samba also provides many bugfixes and enhancements, including support for building clustered servers using the CTDB framework.

So my guess is that we will have to wait until 5.5.
Comment 4 Manuel Pelayo 2010-03-05 10:32:09 UTC
RHEL 5.5 beta provides 2 samba versions:
- samba-3.0.33-3.28.el5
- samba3x-3.3.8-0.50.el5

The samba-3.0.33-3.28.el5 produces the same troubles, but the samba3x-3.3.8-0.50.el5 works fine:

# wbinfo -a domainuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
Comment 5 Robert Freeman-Day 2010-03-08 19:56:45 UTC
(In reply to comment #4)
> RHEL 5.5 beta provides 2 samba versions:
> - samba-3.0.33-3.28.el5
> - samba3x-3.3.8-0.50.el5
>
> The samba-3.0.33-3.28.el5 produces the same troubles, but the
> samba3x-3.3.8-0.50.el5 works fine:
> # wbinfo -a domainuser%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded

What would be the clean way to upgrade from samba to samba3x? I tried to simply uninstall samba and install samba3x and winbindd would not start.
Comment 6 Johan Bergström 2010-03-09 10:53:07 UTC
I just tried RHEL5.5 beta as well. You can use the exact same configuration, but you need to 'net ads join' your machine to the domain with samba3x again. After that it works as expected.
Comment 7 Robin R. Price II 2010-05-19 20:24:20 UTC
I can confirm this works in samba3x. However, Motorola is unable to upgrade to samba3x because they are experiencing other bugs within their setup. They would really like for this to be fixed with samba 3.0.33 in RHEL5.

-- Robin
Comment 8 Dmitri Pal 2010-05-26 15:38:14 UTC
It is not possible to back port this functionality to the samba package. It can be done only in samba3x, so please give it a try. If you see other issues in samba3x please file the bugs for those.
Comment 10 Robert Freeman-Day 2010-06-18 20:17:35 UTC
Created attachment 425247 [details]
Migration notes for samba3

This attachment is my notes for not only migrating to the samba3 packages provided by RHEL5.5, but also includes notes for using the SerNet packages. I am posting it here with the hopes it will help people migrate with a minimum of pain.
Comment 11 Parker 2010-06-23 16:51:20 UTC
I am running into this same problem. Question, will Red Hat provide an update for the standard samba package sometime soon in the future? Or will I have to migrate to the Samba3x packages?

One quick note: I changed my /etc/pam.d/system-auth file to temporarily fix my login problem. Instead of pam_winbind.so I used pam_krb5.so throughout the file. What do you guys think of this?

Thank you.
Comment 12 Dmitri Pal 2010-06-25 15:31:24 UTC
(In reply to comment #11)
> I am running into this same problem. Question, will Redhat provide an update
> for the standard samba package sometime soon in the future?

No

> Or will I have to
> migrate to the Samba3x packages?

Yes

In RHEL 6 it is one package back again.

Dmitri