Bug 561325
Summary: | Winbind authentication problem against Windows 2008 R2 AD.
---|---
Product: | Red Hat Enterprise Linux 5
Component: | samba
Version: | 5.4
Hardware: | x86_64
OS: | Linux
Status: | CLOSED WONTFIX
Severity: | high
Priority: | low
Reporter: | Johan Bergström <johan.bergstrom>
Assignee: | Guenther Deschner <gdeschner>
QA Contact: | qe-baseos-daemons
CC: | dpal, gdeschner, hoan.dinh, jardine_p, johan.bergstrom, manuel.pelayo, mniranja, oguzyilmaz, presgas, rdieter, rprice, tao, ukh, walt
Target Milestone: | rc
Doc Type: | Bug Fix
Last Closed: | 2010-05-26 15:38:14 UTC

Description
Johan Bergström
2010-02-03 12:39:44 UTC
I can confirm this as our environment is in the process of migrating to Win2k8 R2. We have been using smbclient as our test program instead of wbinfo, however. We point the smb.conf directive "password server" to a pre-upgraded Win2k8 Domain Controller, all works well with ntlmv2 auth (which is what "wbinfo -a domainuser%password" is using). Pointing it to a Win2k8 R2 DC initially gives us (with "smbclient" and -d 10):

spnego_parse_auth_response failed at 1
Failed to parse auth response
SPNEGO login failed: NT code 0x00000721
session setup failed: NT code 0x00000721

subsequent connections:

SPNEGO login failed: Named pipe dicconnected
session setup failed: NT_STATUS_PIPE_DISCONNECTED

and we get matching /var/log/messages as Johan's even with the initial failure.

winbindd[4494]: [2010/02/12 14:23:33, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
winbindd[4494]: rpc_api_pipe: Remote machine IU-MSSG-TSDC1.testads.iu.edu pipe \NETLOGON fnum 0xereturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

We are also getting this message in /var/log/samba/winbindd.log

[2010/02/12 14:23:33, 1] nsswitch/winbindd_util.c:trustdom_recv(230)
Could not receive trustdoms

Was not sure if that message could be related to this upstream bug:
https://bugzilla.samba.org/show_bug.cgi?id=6815

Which supposedly was fixed in this version of Samba:
http://www.samba.org/samba/history/samba-3.4.3.html

I cannot find an equivalent bug or change statement in the other code bases except 3.4.x.

We also have a test Domain that is fully Win2k8 R2 that we can do packet captures to assist with bugfixing.

Our college also can confirm this. Our AD admins are in the process of upgrading active directory DC's to Win2008R2. We use Samba to join our AD domain in order to perform MS-CHAP wireless authentications on our campus (via FreeRADIUS). When authenticating against our DC's running Windows 2003, we can perform ntlm auth's without errors.
When authenticating against the upgraded DC's (Win2008R2), we receive ntlm authentication errors as follows:

# wbinfo -a domainuser%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user stutest%5980178 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user stutest with challenge/response

From /var/log/samba/winbindd.log:

[2010/03/01 10:18:33, 1] nsswitch/winbindd_util.c:trustdom_recv(230)
Could not receive trustdoms

Errors from /var/log/messages:

Mar 1 10:19:59 kruger winbindd[21651]: [2010/03/01 10:19:59, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
Mar 1 10:19:59 kruger winbindd[21651]: rpc_api_pipe: Remote machine DUCNT31.auburn.edu pipe \NETLOGON fnum 0x1returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

[root@kruger source3]# uname -a
Linux kruger.auburn.edu 2.6.18-128.7.1.el5 #1 SMP Mon Aug 24 08:20:55 EDT 2009 i686 i686 i386 GNU/Linux

[root@kruger ~]# rpm -qa | grep samba
samba-client-3.0.33-3.15.el5_4.1
samba-3.0.33-3.15.el5_4.1
system-config-samba-1.2.41-3.el5
samba-common-3.0.33-3.15.el5_4.1

How reproducible:
100% (on DC's running Win2008R2)

Steps to Reproduce:
1. wbinfo -a domainuser%password

Actual results:
Failure to authenticate.

Expected results:
User authenticated OK.

Just saw this in the RHEL5.5 beta Release Notes.

Samba

Samba is a suite of programs used by machines to share files, printers, and other information. This update includes a newer version of Samba in the Samba3x package, adding support to interoperate with the latest operating systems of the Microsoft family, Windows 2008 and Windows 2008 R2 server, Windows Vista and Windows 7. This version of samba also provides many bugfixes and enhancements, including support for building clustered servers using the CTDB framework.
So my guess is that we will have to wait until 5.5.

RHEL 5.5 beta provides 2 samba versions:
- samba-3.0.33-3.28.el5
- samba3x-3.3.8-0.50.el5

The samba-3.0.33-3.28.el5 produces the same troubles, but the samba3x-3.3.8-0.50.el5 works fine:

# wbinfo -a domainuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

(In reply to comment #4)
> RHEL 5.5 beta provides 2 samba versions:
> - samba-3.0.33-3.28.el5
> - samba3x-3.3.8-0.50.el5
>
> The samba-3.0.33-3.28.el5 produces the same troubles, but the
> samba3x-3.3.8-0.50.el5 works fine:
> # wbinfo -a domainuser%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded

What would be the clean way to upgrade from samba to samba3x? I tried to simply uninstall samba and install samba3x and winbindd would not start.

I just tried RHEL5.5 beta as well. You can use the exact same configuration, but you need to 'net ads join' your machine to the domain with samba3x again. After that it works as expected.

I can confirm this works in samba3x. However, Motorola is unable to upgrade to samba3x because they are experiencing other bugs within their setup. They would really like for this to be fixed with samba 3.0.33 in RHEL5.

-- Robin

It is not possible to back port this functionality to samba package. It can be done only in samba3x so please give it a try. If you see other issues in samba3x please file the bugs for those.

Created attachment 425247
Migration notes for samba3
This attachment is my notes for not only migrating to the samba3 packages provided by RHEL5.5, but also includes notes for using the SerNet packages. I am posting it here with the hopes it will help people migrate with a minimum of pain.
I am running into this same problem. Question, will Redhat provide an update for the standard samba package sometime soon in the future? Or will I have to migrate to the Samba3x packages?

One quick note: I changed my /etc/pam.d/system-auth file to temporarily fix my login problem. Instead of pam_winbind.so I used pam_krb5.so throughout the file. What do you guys think of this? Thank you.

(In reply to comment #11)
> I am running into this same problem. Question, will Redhat provide an update
> for the standard samba package sometime soon in the future?

No

> Or will I have to
> migrate to the Samba3x packages?

Yes

In RHEL 6 it is one package back again.

Dmitri
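
Added example, not part of the original bug report or its comments: a small Python triage script that scans syslog text for the winbindd rpc_api_pipe failure line quoted in this thread and groups the failures by domain controller, pipe and status, which shows which DCs in a mixed 2003/2008 R2 environment are dropping the \NETLOGON pipe. The sample log and its host names are constructed for illustration, and the function names are this example's own.

```python
import re

# Constructed sample modelled on the /var/log/messages lines quoted in this
# report; host names are placeholders, not taken from the report.
SAMPLE_LOG = r"""
Mar  1 10:19:59 client1 winbindd[21651]: [2010/03/01 10:19:59, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
Mar  1 10:19:59 client1 winbindd[21651]:   rpc_api_pipe: Remote machine DC-R2.example.test pipe \NETLOGON fnum 0x1returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
Mar  1 10:20:07 client1 winbindd[21651]:   rpc_api_pipe: Remote machine DC-R2.example.test pipe \NETLOGON fnum 0x1returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
Mar  1 10:21:12 client1 winbindd[21651]:   rpc_api_pipe: Remote machine DC-OLD.example.test pipe \lsarpc fnum 0x2returned critical error. Error was NT_STATUS_IO_TIMEOUT
Mar  1 10:22:40 client1 sshd[991]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
"""

# The message line as logged: "fnum 0x1returned" really has no space.
PIPE_ERROR = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ winbindd\[\d+\]:\s+rpc_api_pipe: "
    r"Remote machine (?P<dc>\S+) pipe (?P<pipe>\S+) fnum \S+ critical error\. "
    r"Error was (?P<status>NT_STATUS_\w+)"
)

def summarize(log_text):
    """Group rpc_api_pipe failures by (DC, pipe, status) with first/last time."""
    seen = {}
    for line in log_text.splitlines():
        m = PIPE_ERROR.match(line)
        if not m:
            continue  # header lines and unrelated daemons are skipped
        key = (m.group("dc"), m.group("pipe"), m.group("status"))
        entry = seen.setdefault(key, {"count": 0, "first": m.group("ts")})
        entry["count"] += 1
        entry["last"] = m.group("ts")
    return seen

def netlogon_disconnects(log_text):
    """DCs showing this report's signature: \\NETLOGON pipe disconnected."""
    return sorted(
        dc for (dc, pipe, status) in summarize(log_text)
        if pipe.upper() == r"\NETLOGON" and status == "NT_STATUS_PIPE_DISCONNECTED"
    )

if __name__ == "__main__":
    for (dc, pipe, status), e in sorted(summarize(SAMPLE_LOG).items()):
        print(dc, pipe, status, e["count"], e["first"], "->", e["last"])
```
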