Bug 257121 - Windows XP client Domain Authentication not working with "security = ADS"
Summary: Windows XP client Domain Authentication not working with "security = ADS"
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba
Version: 5.0
Hardware: All
OS: All
medium
high
Target Milestone: ---
: ---
Assignee: Samba Maint Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-08-27 16:48 UTC by Charles Gillet
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-27 20:43:07 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Debug 10 output of attempt to authenticate (anonymized) (414.38 KB, text/plain)
2007-08-27 16:48 UTC, Charles Gillet 		no flags Details
View All

Description Charles Gillet 2007-08-27 16:48:01 UTC 
Description of problem: 

Unable to authenticate samba against a Windows 2003 Server domain controller for
authentication


Version-Release number of selected component (if applicable): 

samba-3.0.23c-2.el5.2.0.2


How reproducible: 

On any Redhat Ent. 5 machine at my site while attempting to authenticate from
Windows XP SP2 client system.


Steps to Reproduce:
1. Create local /etc/passwd entry for user already on Windows 2003 server domain
2. Set up kerberos realm configuration and use "net ads join ..." command to
create machine account for Samba server on Windows domain
3. Attempt to browse samba share points from Windows XP client
  
Actual results: Client returns back failed authentication


Expected results: Browse samba shares, access files as usual


Additional info:
The exact smb.conf I was using on RHEL 4 U5 (samba-3.0.10-1.4E.12.2) and when I
compile and use samba source (3.0.25c) work fine.  Something with domain auth is
broken in the RHEL 5 shipping version.  I ran smbd in debug 10 and am completely
stumped.
Comment 1 Charles Gillet 2007-08-27 16:48:01 UTC 
Created attachment 174001 [details]
Debug 10 output of attempt to authenticate (anonymized)
Comment 2 Charles Gillet 2007-08-27 16:57:39 UTC 
smb.conf:

[global]
   workgroup = WINDOWS
   server string = Samba Server
   security = ADS
   load printers = yes
   cups options = raw
   log file = /var/log/samba/smb.log
   max log size = 5000
   realm = WINDOWS.DOMAIN
   dns proxy = no

[share]
    comment = Share
    path =  /export/share
Comment 3 Simo Sorce 2007-08-27 19:25:55 UTC 
I think I remember a fix we addedd upstream after 3.0.23c was released that may
address your problem. In the beta channel we have a newer version of samba that
should address it. Will you consider testing the version we have in the beta
channel?

If you do please make sure you backup all relevant files in case you want to
revert back to 3.0.23c afterwards.
Comment 4 Charles Gillet 2007-08-27 20:29:01 UTC 
Yes, the beta channel version works.  Looking forward to U1.
Comment 5 Simo Sorce 2007-08-27 20:43:07 UTC 
Thank you.
Comment 6 Kostas Georgiou 2007-08-29 17:36:57 UTC 
Same problem here (NT_STATUS_NO_SUCH_USER errors), the 5.1 beta version works
fine for me as well.
Comment 7 Colin.Simpson 2007-09-07 13:07:00 UTC 
This is the same bug as FC6 had here:

https://bugzilla.redhat.com/show_bug.cgi?id=217293

I've been forced to upgrade our EL 5 systems Sambas to FC6 versions, to get this
to work now. 

The upstream Samba bug was this one:

https://bugzilla.samba.org/show_bug.cgi?id=4095
Comment 8 Simo Sorce 2007-09-07 15:17:54 UTC 
So why can't you just use the beta as Charles did?
Anyway it will be fixed in 5.1, you should be able to go back to use the RHEL
samba packages then.
Comment 9 Colin.Simpson 2007-09-25 17:22:31 UTC 
There wasn't a beta version when we installed RH5.
Comment 10 Simo Sorce 2007-10-01 03:55:54 UTC 
The beta is available in the beta channel.
You can subscribe your machine to the beta channel via RHN.
Note You need to log in before you can comment on or make changes to this bug.