Bug 287531 - samba security=ADS broke in rhel5 works in rhel4
Status: CLOSED DUPLICATE of bug 218774
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba
Version: 5.0
Hardware: i386 Linux
Priority: medium, Severity: high
Assigned To: Samba Maint Team
Reported: 2007-09-12 08:44 EDT by John Sopko
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-09-12 09:13:07 EDT
Description John Sopko 2007-09-12 08:44:48 EDT
Description of problem:

We have been using samba under rhel4 for a long time
using Windows 2003 AD server for authentication.
I am upgrading the server to rhel5 and cannot get
AD authentication to work. If I upgrade samba from
the Fedora core 7 release it works fine. See notes
below. I searched https://bugzilla.samba.org/ but
could not find what fixes this problem. I found
one other case on the samba mail list where a user
had the same problem when using samba 3.0.23c but
no solution.


Version-Release number of selected component (if applicable):

samba-3.0.23c-2.el5.2.0.2

How reproducible:

Always, tried on 2 different systems.

Steps to Reproduce:
1. Install latest rhel5 samba-3.0.23c-2.el5.2.0.2
2. Configure smb.conf to authenticate to Windows AD server
3. Try to connect to samba via a windows client or smbclient -k
  
Actual results:

On windows you should just be able to connect to the samba
server using your current Windows tgt, instead the connection
fails and you get prompted for a username/password and this
also fails.

This output from /var/messages log on the samba server
with smb.conf syslog=10 and log level=10:

Sep 11 14:57:52 lark smbd[27709]:   Doing spnego session setup
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
Sep 11 14:57:52 lark smbd[27709]:   NativeOS=[Windows 2002 Service Pack 2 2600]
NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_negotiate(551)
Sep 11 14:57:52 lark smbd[27709]:   Got OID 1 2 840 48018 1 2 2
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_negotiate(551)
Sep 11 14:57:52 lark smbd[27709]:   Got OID 1 2 840 113554 1 2 2
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_negotiate(551)
Sep 11 14:57:52 lark smbd[27709]:   Got OID 1 3 6 1 4 1 311 2 2 10
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_negotiate(554)
Sep 11 14:57:52 lark smbd[27709]:   Got secblob of size 1164
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/sesssetup.c:reply_spnego_kerberos(207)
Sep 11 14:57:52 lark smbd[27709]:   Ticket name is [sopko@CS.UNC.EDU]
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 1]
smbd/sesssetup.c:reply_spnego_kerberos(334)
Sep 11 14:57:52 lark smbd[27709]:   make_server_info_info3 failed:
NT_STATUS_NO_SUCH_USER!
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/error.c:error_packet(146)
Sep 11 14:57:52 lark smbd[27709]:   error packet at smbd/sesssetup.c(339)
cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
Sep 11 14:57:52 lark smbd[27709]: [2007/09/11 14:57:52, 3]
smbd/process.c:timeout_processing(1359)
Sep 11 14:57:52 lark smbd[27709]:   timeout_processing: End of file from client
(client has disconnected).

This output from smbclient -k. Note that I first get a tgt
fine from the CS.UNC.EDU domain, then use smbclient -k.
I get a cifs/swan5.cs.unc.edu@CS.UNC.EDU service ticket
just fine but the connection still fails. I also tried as
root which gets rid of the file permission problem but
it is still broke.

|sopko@lark:34% klist
Ticket cache: FILE:/tmp/krb5cc_3903_kGhJi1
Default principal: sopko@CS.UNC.EDU

Valid starting     Expires            Service principal
09/12/07 08:28:19  09/12/07 18:28:21  krbtgt/CS.UNC.EDU@CS.UNC.EDU
        renew until 09/19/07 08:28:19


Kerberos 4 ticket cache: /tmp/tkt3903
klist: You have no tickets cached

 |sopko@lark:35% smbclient -k -d 2 //swan5/playpen
added interface ip=152.2.129.13 bcast=152.2.255.255 nmask=255.255.0.0
tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb:
Permission denied
Doing kerberos session setup
cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE


 |sopko@lark:36% klist
Ticket cache: FILE:/tmp/krb5cc_3903_kGhJi1
Default principal: sopko@CS.UNC.EDU

Valid starting     Expires            Service principal
09/12/07 08:28:19  09/12/07 18:28:21  krbtgt/CS.UNC.EDU@CS.UNC.EDU
        renew until 09/19/07 08:28:19
09/12/07 08:28:37  09/12/07 18:28:21  cifs/swan5.cs.unc.edu@CS.UNC.EDU
        renew until 09/19/07 08:28:19


Kerberos 4 ticket cache: /tmp/tkt3903
klist: You have no tickets cached



Expected results:

Should get a samba connection. If I upgrade samba
to the latest fedora core 7 samba-3.0.25-2 things
work fine. I used the same smb.conf file for
both cases.


Additional info:


I am able to join the samba server to the AD domain fine using
"net ads join -U" command. The current version of samba
that comes with rhel5 is broke. The current version of samba
that comes with rhel4, samba-3.0.10-1.4E.12.2 works fine.
The version of samba that comes with Fedora core 7 samba-3.0.25-2
works fine.
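
An added example, not part of the original report: a small Python triage of the smbd log excerpt above. It rejoins the wrapped syslog lines, names the SPNEGO mechanism OIDs the client offered, and records the stage at which session setup failed; the function names and the `stage` labels are assumptions of this example.

```python
import re

# SPNEGO mechanism OIDs in the space-separated form smbd logs them.
MECHS = {
    "1 2 840 48018 1 2 2": "MS-KRB5",
    "1 2 840 113554 1 2 2": "KRB5",
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ smbd\[(\d+)\]: ?(.*)$")

# Excerpt of the log lines quoted in the report, wrapped as they appear there.
SAMPLE = """\
Sep 11 14:57:52 lark smbd[27709]:   Got OID 1 2 840 48018 1 2 2
Sep 11 14:57:52 lark smbd[27709]:   Got OID 1 2 840 113554 1 2 2
Sep 11 14:57:52 lark smbd[27709]:   Got OID 1 3 6 1 4 1 311 2 2 10
Sep 11 14:57:52 lark smbd[27709]:   Ticket name is [sopko@CS.UNC.EDU]
Sep 11 14:57:52 lark smbd[27709]:   make_server_info_info3 failed:
NT_STATUS_NO_SUCH_USER!
Sep 11 14:57:52 lark smbd[27709]:   error packet at smbd/sesssetup.c(339)
cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

def messages(text):
    """Return [pid, message] pairs; a line without a syslog prefix is a wrap."""
    out = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            out.append([m.group(1), m.group(2).strip()])
        elif out and line.strip():
            out[-1][1] += " " + line.strip()  # rejoin the wrapped remainder
    return out

def triage(text):
    """Summarise the SPNEGO session setup seen by each smbd process (by pid)."""
    sessions = {}
    for pid, msg in messages(text):
        s = sessions.setdefault(pid, {"mechs": [], "principal": None, "errors": []})
        if m := re.search(r"Got OID ([\d ]+)", msg):
            s["mechs"].append(MECHS.get(m.group(1).strip(), m.group(1).strip()))
        elif m := re.search(r"Ticket name is \[([^\]]+)\]", msg):
            s["principal"] = m.group(1)
        s["errors"] += re.findall(r"NT_STATUS_\w+", msg)
    for s in sessions.values():
        # Ticket name logged, then NO_SUCH_USER: the failure is at user lookup.
        lookup = s["principal"] and "NT_STATUS_NO_SUCH_USER" in s["errors"]
        s["stage"] = "user-lookup" if lookup else ("session-setup" if s["errors"] else None)
    return sessions

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the report's log this yields the principal `sopko@CS.UNC.EDU` with stage `user-lookup`, separating this failure from one where no ticket name is ever logged.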
Comment 1 Simo Sorce 2007-09-12 09:13:07 EDT
Please test the version we have in the beta channel, that will solve your problem.

*** This bug has been marked as a duplicate of 218774 ***
Comment 2 John Sopko 2007-09-12 10:24:02 EDT
Darn, I searched for quite a while and did not see that this was reported.
I have a hard time using the bugzilla search features...

I installed samba-3.0.25b-0.el5.4.i386.rpm from the rhel5 beta channel
and tested, this fixed.

Thanks for the quick response and you can close the bug.

