Bug 585360
| Summary: | Samba authentication problem against Windows Server 2008 R2 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Justin Payne <jpayne> |
| Component: | samba | Assignee: | Guenther Deschner <gdeschner> |
| Status: | CLOSED ERRATA | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 4.8 | CC: | azelinka, dpal, gdeschner, rvandolson |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | samba-3.0.33-0.28.el4 | Doc Type: | Bug Fix |
| Doc Text: |
Upgrading domain controllers to Windows Server 2008 R2 caused the Samba servers, running Red Hat Enterprise Linux 4, to fail to authenticate any Active Directory domain users. This was caused by Samba's strict expectations on certain buffer lengths which made the "NETLOGON" secure channel fail. This could occur when the 'winbind' daemon or the 'smbd' daemon contacted a Windows Server 2008 R2 domain controller. The failure of the secure channel caused the failure of the whole authentication process. Samba now correctly deals with larger buffers and the authentication process no longer fails.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-02-16 14:23:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Justin Payne
2010-04-23 19:18:13 UTC
Is winbind running on that RHEL server ? Looking through the sosreport attached to the Issue Tracker, winbind is not running. I've asked Karan to explain why it is not. I am curious to know why you ask though, as far as I know, 3.0.33 is incapable of functioning in a windows 2008 R2 environment when 2k8 R2 is the PDC. I just answered my own question as to why winbind is not running. The customer is not using winbind. They have configured nsswitch.conf and ldap.conf to use ldap instead. Right, there are some fixes missing in 3.0 to make it properly work. As for winbind: running winbind is always advised, even when not used for nsswitch - as it does serve as a netlogon proxy, making communication to an AD domain much more efficient. Not sure how I missed this one (I filed a different bug[1]). Also not running winbind here (using NIS for UID/GID mapping) and DOMAIN vs ADS as the server type. Justin, were your Samba servers running ok against Windows 2008 (not R2)? Is a test version of samba-3.0.33-0.28.el4 available somewhere? [1] https://bugzilla.redhat.com/show_bug.cgi?id=649421 *** Bug 649421 has been marked as a duplicate of this bug. ***
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Upgrading domain controllers to Windows Server 2008 R2 caused the Samba servers, running Red Hat Enterprise Linux 4, to fail to authenticate any Active Directory domain users. This was caused by Samba's strict expectations on certain buffer lengths which made the "NETLOGON" secure channel fail. This could occur when the 'winbind' daemon or the 'smbd' daemon contacted a Windows Server 2008 R2 domain controller. The failure of the secure channel caused the failure of the whole authentication process. Samba now correctly deals with larger buffers and the authentication process no longer fails.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0242.html |