Bug 449000 - Samba server can't authenticate to NT domain after 2008-05-28 update
Samba server can't authenticate to NT domain after 2008-05-28 update
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba (Show other bugs)
5.2
x86_64 Linux
urgent Severity urgent
: rc
: ---
Assigned To: Guenther Deschner
: ZStream
: 450509 (view as bug list)
Depends On:
Blocks: 450653 455418
  Show dependency treegraph
 
Reported: 2008-05-29 16:25 EDT by Nathaniel Taylor
Modified: 2009-02-16 10:02 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 16:47:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
samba config file (2.14 KB, text/plain)
2008-05-30 05:07 EDT, Nathaniel Taylor
no flags Details
samba log of client session (3.98 KB, text/plain)
2008-05-30 05:08 EDT, Nathaniel Taylor
no flags Details
always return netlogon negotiate flags (882 bytes, patch)
2008-05-30 10:16 EDT, Guenther Deschner
no flags Details | Diff

  None (edit)
Description Nathaniel Taylor 2008-05-29 16:25:32 EDT
Description of problem:

For over a year, this installation has successfully served ms-windows clients 
on a windows NT domain, after joining the domain  with the command 'net rpc 
join member -U adm'.  Simultaneous with an automatic update on 2008-05-28, 
no client could log in to the RHEL samba server.  

# smbclient  -L penguin -U nt
[2008/05/28 16:30:56, 0] 
auth/auth_domain.c:connect_to_domain_password_server(119)
  connect_to_domain_password_server: unable to open the domain client session 
to machine DOMCONT
Even removing all configs then trying rejoining the domain didn't work:
attempt gave:   NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE.

The same problem existed on the backup machine, running a similar
RHEL5.  There was no such problem with other systems (e.g. gentoo) and
their latest releases.  I removed all samba components and installed
from the old CDs, version samba-3.0.23c-2.x86_64; this worked fine, 
until a few minutes later it was auto-updated again.  I finally
installed the old version and turned off updates... not a nice state.



Version-Release number of selected component (if applicable):

3.0.28-1.el5_2.1



How reproducible:

See the above description.  Clearly it's not very thoroughly tested,
since I haven't time to experiment with clean installations, different
settings, etc.  I've already wasted well over an hour.



Steps to Reproduce:

Be on my department's Windows2000 NT domain, and try updating
RHEL5 samba!  I.e. it seems a samba-3.0.28-1.el5_2.1 problem 
with NT domain controllers, but perhaps some local peculiarity
exists.

  
Actual results:
No authentication provided to the samba server from domain controller.

Expected results:
Samba works.

Additional info:
Comment 1 Simo Sorce 2008-05-29 18:36:11 EDT
can you attach your smb.conf file so that I can try to reproduce here?
also logs would be nice
Comment 2 Nathaniel Taylor 2008-05-30 05:07:21 EDT
Created attachment 307175 [details]
samba config file
Comment 3 Nathaniel Taylor 2008-05-30 05:08:25 EDT
Created attachment 307176 [details]
samba log of client session
Comment 4 Nathaniel Taylor 2008-05-30 05:09:07 EDT
Certainly:  here's more detail.

smb.conf is the config.
gnu.log is a log of an attempted access to samba shares.

The [ns]mb.log don't contain any details of the problem; they just have
startup times.

When I tried to (re)join the domain, in case somehow the 'trust' had been 
overwritten in the update, the following message was shown on the command line 
but nothing in the logs:

# net rpc join member -U nt.adm
Password:
[2008/05/30 10:56:14, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(371)
  Error in domain join verification (credential setup failed): 
NT_STATUS_ACCESS_DENIED
Unable to join domain EKC.KTH.SE.

According to the admin for the windows network, nothing has changed there in 
recent days.  Furthermore, everything worked with the original version from 
the CDs 1 year ago, then worked with all the updates up to then, then failed 
on this last update, then worked with regression to the old version from the 
CD, then failed with update to the new, then worked with the old again...
 
Comment 5 Guenther Deschner 2008-05-30 05:35:12 EDT
So, is your domain controlled by NT4 domain controllers or Windows 2000 domain
controllers ?
Comment 6 Nathaniel Taylor 2008-05-30 06:08:21 EDT
It's a single NT4 domain controller, running Windows NT 4 with current 
updates, serving a domain of Win2000 and WinXP clients. 

Sorry for the confusion.  I only knew the "NT domain" bit, and had to contact 
the windows admin to find out the full details.
Comment 7 Guenther Deschner 2008-05-30 10:16:52 EDT
Created attachment 307202 [details]
always return netlogon negotiate flags

This patch fixes it for me.
Comment 8 Nathaniel Taylor 2008-06-01 07:18:22 EDT
Thanks for the patch.  I'm very happy to leave the testing to RedHat, 
particularly if a working update to samba will come soon.  If it's of help 
that I test the patch on our network too, please would you (Simo) send me an 
rpm or details of how to get the srpm; it's 'non-obvious' to me from the rhn 
website, and it's years since I played with rpms.
Comment 9 Devin Bougie 2008-06-02 15:21:08 EDT
For what it's worth, the patch in Comment #7 fixes this issue for us, also.
Comment 10 Monty Walls 2008-06-02 16:25:29 EDT
Same problem, except I had working domain members of an NT domain stop working
until I fell back my samba version.  Current domain is pdc + 2 bdc (NT).
Comment 11 Guenther Deschner 2008-06-02 21:01:29 EDT
We will provide an offical update soon, in the meantime, you can find test rpms at:
http://people.redhat.com/gdeschne/bugs/449000/

Please let us know if it fixes this issue.
Comment 12 Nathaniel Taylor 2008-06-03 07:00:29 EDT
Yes, thanks.  These rpms 3.0.28-1.el5_2.2 don't have the authentication 
problem of 3.0.28-1.el5_2.1.
Comment 13 mattg 2008-06-03 08:13:13 EDT
As an extra data point, the patch in comment #7 fixed the problem (joining an NT
4.0 domain) for me under Fedora 8 when applied to samba-3.0.30-0.fc8

Comment 14 Monty Walls 2008-06-03 08:55:02 EDT
Fixes it for me.
Comment 15 Devin Bougie 2008-06-03 09:53:14 EDT
The RPMs posted in Comment #11 work for us, also.
Comment 16 Guenther Deschner 2008-06-09 08:27:08 EDT
*** Bug 450509 has been marked as a duplicate of this bug. ***
Comment 17 Nathaniel Taylor 2008-07-02 06:48:18 EDT
What's going on with this bug?  The working patch came out about a month ago, 
but there isn't yet a mention of an official update. Until there is, I can't 
afford to use updates.  There must be many more users than have shown up on 
this list, who can't use their samba.
Comment 24 Janne Blomqvist 2008-09-17 09:22:18 EDT
To reiterate, what's going on? It's now 3 and a half months since the one-line patch that fixes the problem came out, and yet no official update.
Comment 25 Simo Sorce 2008-09-17 10:39:14 EDT
Janne,
if you are in urgent need of a patched binary I suggest you contact support and escalate the issue to get an hotfix.
The fix is scheduled to be released with the 5.3 update for now.
Comment 27 Rob Garth 2008-12-03 17:46:18 EST
Thankyou for the RPMs, they have worked for us. Is there an ETA for the rpms to be released officially?
Comment 29 errata-xmlrpc 2009-01-20 16:47:12 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0180.html

Note You need to log in before you can comment on or make changes to this bug.