Bug 257121 - Windows XP client Domain Authentication not working with "security = ADS"
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba
Version: 5.0
Hardware: All All
Priority: medium, Severity: high
Assigned To: Samba Maint Team
Reported: 2007-08-27 12:48 EDT by Charles Gillet
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-08-27 16:43:07 EDT

Attachments
Debug 10 output of attempt to authenticate (anonymized) (414.38 KB, text/plain)
2007-08-27 12:48 EDT, Charles Gillet

Description Charles Gillet 2007-08-27 12:48:01 EDT
Description of problem: 

Unable to authenticate samba against a Windows 2003 Server domain controller for
authentication


Version-Release number of selected component (if applicable): 

samba-3.0.23c-2.el5.2.0.2


How reproducible: 

On any Redhat Ent. 5 machine at my site while attempting to authenticate from
Windows XP SP2 client system.


Steps to Reproduce:
1. Create local /etc/passwd entry for user already on Windows 2003 server domain
2. Set up kerberos realm configuration and use "net ads join ..." command to
create machine account for Samba server on Windows domain
3. Attempt to browse samba share points from Windows XP client
  
Actual results: Client returns back failed authentication


Expected results: Browse samba shares, access files as usual


Additional info:
The exact smb.conf I was using on RHEL 4 U5 (samba-3.0.10-1.4E.12.2) and when I
compile and use samba source (3.0.25c) work fine.  Something with domain auth is
broken in the RHEL 5 shipping version.  I ran smbd in debug 10 and am completely
stumped.
Comment 1 Charles Gillet 2007-08-27 12:48:01 EDT
Created attachment 174001 [details]
Debug 10 output of attempt to authenticate (anonymized)
Comment 2 Charles Gillet 2007-08-27 12:57:39 EDT
smb.conf:

[global]
   workgroup = WINDOWS
   server string = Samba Server
   security = ADS
   load printers = yes
   cups options = raw
   log file = /var/log/samba/smb.log
   max log size = 5000
   realm = WINDOWS.DOMAIN
   dns proxy = no

[share]
    comment = Share
    path =  /export/share
Comment 3 Simo Sorce 2007-08-27 15:25:55 EDT
I think I remember a fix we added upstream after 3.0.23c was released that may
address your problem. In the beta channel we have a newer version of samba that
should address it. Will you consider testing the version we have in the beta
channel?

If you do, please make sure you back up all relevant files in case you want to
revert back to 3.0.23c afterwards.
Comment 4 Charles Gillet 2007-08-27 16:29:01 EDT
Yes, the beta channel version works.  Looking forward to U1.
Comment 5 Simo Sorce 2007-08-27 16:43:07 EDT
Thank you.
Comment 6 Kostas Georgiou 2007-08-29 13:36:57 EDT
Same problem here (NT_STATUS_NO_SUCH_USER errors), the 5.1 beta version works
fine for me as well.
Comment 7 Colin Simpson 2007-09-07 09:07:00 EDT
This is the same bug as FC6 had here:

https://bugzilla.redhat.com/show_bug.cgi?id=217293

I've been forced to upgrade our EL 5 systems' Sambas to FC6 versions, to get this
to work now.

The upstream Samba bug was this one:

https://bugzilla.samba.org/show_bug.cgi?id=4095

Comment 8 Simo Sorce 2007-09-07 11:17:54 EDT
So why can't you just use the beta as Charles did?
Anyway, it will be fixed in 5.1; you should be able to go back to using the RHEL
samba packages then.
Comment 9 Colin Simpson 2007-09-25 13:22:31 EDT
There wasn't a beta version when we installed RH5.

Comment 10 Simo Sorce 2007-09-30 23:55:54 EDT
The beta is available in the beta channel.
You can subscribe your machine to the beta channel via RHN.
