Bug 1175710 - Authentication fails when netbios/hostname is longer than MAX_NETBIOSNAME_LEN-1
Summary: Authentication fails when netbios/hostname is longer than MAX_NETBIOSNAME_LEN-1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-18 12:48 UTC by Harald Reindl
Modified: 2015-01-26 02:30 UTC (History)
8 users (show)

Fixed In Version: samba-4.1.15-1.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-17 23:56:12 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Samba Project 11008 None None None Never

Description Harald Reindl 2014-12-18 12:48:44 UTC
i have here 6 machines with nearly identical configurations - one is in fact a 2 years ago disc clone and only on one machine after update to 4.1.14 login fails

* downgrade
* login works again
* update
* login for every user broken
* downgrade
* works again

reproduced 5 times

check_ntlm_password:  Authentication for user [reindl] -> [reindl] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/12/18 13:22:25.630123,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
____________________________________

BTW: while update this crash happens every time

Dec 18 13:33:11 south smbd: /usr/sbin/smbd: /usr/lib64/samba/libwinbind-client.so: version `SAMBA_4.1.12' not found (required by /lib64/libwbclient.so.0)
Dec 18 13:33:11 south systemd: smb.service: control process exited, code=exited status=1
Dec 18 13:33:11 south systemd: Failed to start Samba SMB Daemon.
____________________________________

[global]
 server string = fileserver
 netbios name = fileserver

 hosts allow = 192.168.1.0/24 127.0.0.1
 hosts deny = all
 veto files = /.DS_Store/._*/.AppleDB/.AppleDesktop/.AppleDouble/.Parent/.TemporaryItems/Temporary Items/Network Trash Folder/.bin/.FBCIndex/.FBCLockFolder/TheFindByContentFolder/
 delete veto files = yes

 workgroup = LOUNGE
 lm announce = no
 lanman auth = no
 ntlm auth = no
 client lanman auth = no
 client ntlmv2 auth = yes
 multicast dns register = no
 max protocol = SMB3
 client signing = disabled
 store dos attributes = no
 log file = /var/log/samba/samba.log
 log level = 1 all:1 auth:2 passdb:2 tdb:2 vfs:1 smb:1 locking:0 sam:0 winbind:0 idmap:0 quota:0 acls:0 msdfs:0 dmapi:0 registry:0 printdrivers:0 lanman:0 rpc_parse:0 rpc_srv:0 rpc_cli:0
 max log size = 4048
 os level = 0
 domain master = no
 preferred master = no
 local master = no
 disable netbios = yes
 wins support = no
 browse list = no
 dns proxy = no
 name resolve order = lmhosts hosts bcast
 nmbd bind explicit broadcast = no
 remote announce = 192.168.1.255
 syslog = 0
 syslog only = no
 smb ports = 445 139
 socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
 max smbd processes = 50
 max xmit = 32768
 read raw = no
 write raw = no
 getwd cache = yes
 stat cache = yes
 max stat cache size = 512
 use sendfile = yes
 restrict anonymous = 1
 security = user
 invalid users = nobody root admin administrator guest gast pcguest anonymous
 access based share enum = yes
 ldap ssl = no
 server signing = Auto
 time server = no
 unix extensions = no
 show add printer wizard = no
 load printers = no
 printable = no
 printing = bsd
 printcap name = /dev/null
 hide unreadable = yes

[homes]
 comment = Private Data
 writable = yes
 browseable = no
 valid users = %S
 nt acl support = no
 locking = yes
 oplocks = no
 level2 oplocks = no
 use sendfile = yes
 inherit permissions = yes
 vfs objects = netatalk
 follow symlinks = no
 wide links = no
 hide special files = yes
 strict allocate = yes
 strict sync = no

Comment 1 Harald Reindl 2014-12-18 12:51:04 UTC
P.S: yes i know that i gave karma after upgraded the first machines without any troubles except two remote servers while the last one failed

Comment 2 Guenther Deschner 2014-12-18 12:57:20 UTC
Have you upgraded libwbclient as well ?

Comment 3 Harald Reindl 2014-12-18 12:59:33 UTC
surely

Dec 18 10:32:48 Installed: 2:libwbclient-4.1.14-1.fc20.x86_64
Dec 18 10:32:49 Installed: 2:samba-libs-4.1.14-1.fc20.x86_64
Dec 18 10:32:49 Installed: 2:samba-common-4.1.14-1.fc20.x86_64
Dec 18 10:32:49 Installed: 2:libsmbclient-4.1.14-1.fc20.x86_64
Dec 18 10:32:49 Installed: 2:samba-client-4.1.14-1.fc20.x86_64
Dec 18 10:32:50 Installed: 2:samba-4.1.14-1.fc20.x86_64

Dec 18 13:31:52 Installed: 2:libwbclient-4.1.12-5.fc20.x86_64
Dec 18 13:31:53 Installed: 2:samba-libs-4.1.12-5.fc20.x86_64
Dec 18 13:31:54 Installed: 2:samba-common-4.1.12-5.fc20.x86_64
Dec 18 13:31:54 Installed: 2:libsmbclient-4.1.12-5.fc20.x86_64
Dec 18 13:31:54 Installed: 2:samba-client-4.1.12-5.fc20.x86_64
Dec 18 13:31:54 Installed: 2:samba-4.1.12-5.fc20.x86_64

Dec 18 13:33:09 Updated: 2:libwbclient-4.1.14-1.fc20.x86_64
Dec 18 13:33:11 Updated: 2:samba-libs-4.1.14-1.fc20.x86_64
Dec 18 13:33:11 Updated: 2:samba-common-4.1.14-1.fc20.x86_64
Dec 18 13:33:11 Updated: 2:libsmbclient-4.1.14-1.fc20.x86_64
Dec 18 13:33:11 Updated: 2:samba-client-4.1.14-1.fc20.x86_64
Dec 18 13:33:11 Updated: 2:samba-4.1.14-1.fc20.x86_64

Dec 18 13:34:04 Installed: 2:libwbclient-4.1.12-5.fc20.x86_64
Dec 18 13:34:05 Installed: 2:samba-libs-4.1.12-5.fc20.x86_64
Dec 18 13:34:06 Installed: 2:samba-common-4.1.12-5.fc20.x86_64
Dec 18 13:34:06 Installed: 2:libsmbclient-4.1.12-5.fc20.x86_64
Dec 18 13:34:06 Installed: 2:samba-client-4.1.12-5.fc20.x86_64
Dec 18 13:34:06 Installed: 2:samba-4.1.12-5.fc20.x86_64

Comment 4 Michael Adam 2014-12-18 15:41:46 UTC
Is an old smbd still running by chance?

i.e. unless you are not already doing so:

could you make sure the upgrade process incorporates the following steps:

- stop the samba services
- make sure no smbd / winbindd / nmbd process is running
- upgrade the packages to 4.1.14
- check symbol versions with "nm /lib64/libwbclient.so.0"
  and look out for occurrences of 4.1.12
- start samba
- try login

If the same happens as above, or if the nm check shows 4.1.12
then we have a problem with the binaries/libraries in the pkg.
But since the upgrade works nicely on other servers, I rather
think there is a more likely a problem with the starting/stopping
the daemons during upgrade.

Michael

Comment 5 Harald Reindl 2014-12-18 15:58:10 UTC
nm: /lib64/libwbclient.so.0: no symbols

i completly stopped samba multiple times and restarted it at least 30 times by trying to play around with smb.conf (use one from other working machines) and raise/lower logging on the affected machine, deleted *anything* below /var/lib/samba/ and added a new user after that with "smbpasswd"

after 3 hours i gave up, downgraded and all worked with the new password-database as well as with the backups containing the existing users and after another update it pretended again "NT_STATUS_NO_SUCH_USER" which is a different message than "NT_STATUS_WRONG_PASSWORD"

i really have no clue what's going on there nor how it is possible that this affects only one machine but in fact "samba-4.1.12-5.fc20.x86_64" don't have that issue

Comment 6 Sumit Bose 2014-12-18 16:31:16 UTC
Please try

objdump -T /lib64/libwbclient.so.0 | grep SAMBA

instead of nm. 

For me it looks that the update did not remove the old version of the library. Pleae note that in 4.1.14 /lib/libwbclient.* is manages by the alternatives tool which afaik does not remove existing files.

After the update /lib64/libwbclient.so.0.11 should be a link to /etc/alternatives/...  If it is a file it is most probably the old version and yum/rpm was not able to remove it.

Comment 7 Harald Reindl 2014-12-18 16:56:49 UTC
* it is a symlink
* i removed the phyiscal file before update again
* Dec 18 17:51:35 south smbd: /usr/sbin/smbd: error 
  while loading shared libraries: libwbclient.so.0: cannot 
  open shared object file: No such file or directory
* so the upgrade path is borked because smbd restarts
  in the middle fof the yum transaction
* FRANKLY THAT is why i hate this damned automatic restarts
  because i am the once who decides when to restart services
  in case of deploy updates to 30 machines 
* i really don't get why we start with alternatives crap
  in case of libraries

in any case - on that machine 4.1.4 don't work
NT_STATUS_NO_SUCH_USER

downgraded again before users kill me and all is fine
_____________________________________________

that crash happens exatly *once* due upgrade

Dec 18 17:47:56 localhost smbd: /usr/sbin/smbd: error while loading shared libraries: libwbclient.so.0: cannot open shared object file: No such file or directory
Dec 18 17:47:56 localhost systemd: smb.service: control process exited, code=exited status=127
Dec 18 17:47:56 localhost systemd: Failed to start Samba SMB Daemon.

0000000000000000      DF *UND*  0000000000000000  SAMBA_4.1.14 winbindd_free_response
0000000000000000      DF *UND*  0000000000000000  SAMBA_4.1.14 winbindd_request_response
0000000000000000      DF *UND*  0000000000000000  SAMBA_4.1.14 winbindd_priv_request_response

Comment 8 Martin Smith 2015-01-09 10:27:17 UTC
I seem to have this problem as well. I also have several machines and only one is affected. The problem started as soon as the 4.1.14 update was installed. An active connection from a Windows machine stopped working and I could not authenticate it again.

They all have fairly basic SMB configurations - standalone servers with a small number of shares and users.

The machines that work are older installs and are still using an smbpasswd file.

The affected machine will not accept logins. I get NT_STATUS_NO_SUCH_USER. The user is in the tdbsam database and prior to the update everything was working.

The library file mentioned above is a symlink. I have verified the samba RPMS and they are ok. I have spent several hours troubleshooting and have not identified the problem.

Local connection fails:

smbclient //localhost/video -U martin
Enter martin's password: *********
session setup failed: NT_STATUS_LOGON_FAILURE

Samba log snippet:

[2015/01/09 10:19:44.982150,  3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [MYGROUP]\[martin]@[ANALYTICAL-ENGINE] with the new password interface
[2015/01/09 10:19:44.982187,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [ANALYTICAL-ENGINE]\[martin]@[ANALYTICAL-ENGINE]
[2015/01/09 10:19:44.982221,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [martin] -> [martin] FAILED with error NT_STATUS_NO_SUCH_USER
[2015/01/09 10:19:44.982266,  2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER

pdbedit output:

Module 'tdbsam' loaded
Unix username:        martin
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-807222276-2518046738-2387355048-1005
Primary Group SID:    S-1-5-21-807222276-2518046738-2387355048-513
Full Name:            Martin
Home Directory:       \\analytical-engine\martin
HomeDir Drive:        
Logon Script:         
Profile Path:         \\analytical-engine\martin\profile
Domain:               
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 15:06:39 GMT
Kickoff time:         Wed, 06 Feb 2036 15:06:39 GMT
Password last set:    Fri, 09 Jan 2015 09:27:22 GMT
Password can change:  Fri, 09 Jan 2015 09:27:22 GMT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# ls -l /lib64/libwbclient.so.0.11
lrwxrwxrwx. 1 root root 40 Jan  8 11:33 /lib64/libwbclient.so.0.11 -> /etc/alternatives/libwbclient.so.0.11-64

# rpm --verify samba samba-common samba-libs libwbclient
S.5....T.  c /etc/samba/smb.conf

Comment 9 Martin Smith 2015-01-09 12:34:18 UTC
I think the answer is here:

https://bbs.archlinux.org/viewtopic.php?id=190592

4.1.14 appears to have changed the way long server names are handled. Previously they were not truncated, now they are. This causes a check for local name to fail. It's visible with auth logging set to 10.

I have manually set a short netbios name in the config and the shares are now accessible.

Comment 10 Harald Reindl 2015-01-09 13:12:27 UTC
indeed - the servername in smb.conf had 16 chars, changed to one with 5 chars and login works also with 4.1.14 - Aaaaaargh

Comment 11 Andreas Schneider 2015-01-12 17:15:01 UTC
I've proposed a patch to fix this issue upstream.

Comment 12 Fedora Update System 2015-01-14 07:51:05 UTC
samba-4.1.15-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/samba-4.1.15-1.fc20

Comment 13 Fedora Update System 2015-01-14 07:52:33 UTC
samba-4.1.15-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/samba-4.1.15-1.fc21

Comment 14 Fedora Update System 2015-01-14 23:55:47 UTC
Package samba-4.1.15-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing samba-4.1.15-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-0701/samba-4.1.15-1.fc20
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2015-01-17 23:56:12 UTC
samba-4.1.15-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-01-26 02:30:36 UTC
samba-4.1.15-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.