Red Hat Bugzilla – Bug 450653
Samba server can't authenticate to NT domain after 2008-05-28 update
Last modified: 2008-07-24 15:54:49 EDT
+++ This bug was initially created as a clone of Bug #449000 +++
Description of problem:
For over a year, this installation has successfully served ms-windows clients
on a windows NT domain, after joining the domain with the command 'net rpc
join member -U adm'. Simultaneous with an automatic update on 2008-05-28,
no client could log in to the RHEL samba server.
# smbclient -L penguin -U nt
[2008/05/28 16:30:56, 0]
connect_to_domain_password_server: unable to open the domain client session
to machine DOMCONT
Even removing all configs then trying to rejoin the domain didn't work:
the attempt gave: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE.
The same problem existed on the backup machine, running a similar
RHEL5. There was no such problem with other systems (e.g. gentoo) and
their latest releases. I removed all samba components and installed
from the old CDs, version samba-3.0.23c-2.x86_64; this worked fine,
until a few minutes later it was auto-updated again. I finally
installed the old version and turned off updates... not a nice state.
Version-Release number of selected component (if applicable):
See the above description. Clearly it's not very thoroughly tested,
since I haven't time to experiment with clean installations, different
settings, etc. I've already wasted well over an hour.
Steps to Reproduce:
Be on my department's Windows2000 NT domain, and try updating
RHEL5 samba! I.e. it seems a samba-3.0.28-1.el5_2.1 problem
with NT domain controllers, but perhaps some local peculiarity
No authentication provided to the samba server from domain controller.
-- Additional comment from firstname.lastname@example.org on 2008-05-29 18:36 EST --
can you attach your smb.conf file so that I can try to reproduce here?
also logs would be nice
-- Additional comment from email@example.com on 2008-05-30 05:07 EST --
Created an attachment (id=307175)
samba config file
-- Additional comment from firstname.lastname@example.org on 2008-05-30 05:08 EST --
Created an attachment (id=307176)
samba log of client session
-- Additional comment from email@example.com on 2008-05-30 05:09 EST --
Certainly: here's more detail.
smb.conf is the config.
gnu.log is a log of an attempted access to samba shares.
The [ns]mb.log don't contain any details of the problem; they just have
When I tried to (re)join the domain, in case somehow the 'trust' had been
overwritten in the update, the following message was shown on the command line
but nothing in the logs:
# net rpc join member -U nt.adm
[2008/05/30 10:56:14, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(371)
Error in domain join verification (credential setup failed):
Unable to join domain EKC.KTH.SE.
According to the admin for the windows network, nothing has changed there in
recent days. Furthermore, everything worked with the original version from
the CDs 1 year ago, then worked with all the updates up to then, then failed
on this last update, then worked with regression to the old version from the
CD, then failed with update to the new, then worked with the old again...
-- Additional comment from firstname.lastname@example.org on 2008-05-30 05:35 EST --
So, is your domain controlled by NT4 domain controllers or Windows 2000 domain
-- Additional comment from email@example.com on 2008-05-30 06:08 EST --
It's a single NT4 domain controller, running Windows NT 4 with current
updates, serving a domain of Win2000 and WinXP clients.
Sorry for the confusion. I only knew the "NT domain" bit, and had to contact
the windows admin to find out the full details.
-- Additional comment from firstname.lastname@example.org on 2008-05-30 10:16 EST --
Created an attachment (id=307202)
always return netlogon negotiate flags
This patch fixes it for me.
-- Additional comment from email@example.com on 2008-06-01 07:18 EST --
Thanks for the patch. I'm very happy to leave the testing to RedHat,
particularly if a working update to samba will come soon. If it's of help
that I test the patch on our network too, please would you (Simo) send me an
rpm or details of how to get the srpm; it's 'non-obvious' to me from the rhn
website, and it's years since I played with rpms.
-- Additional comment from firstname.lastname@example.org on 2008-06-02 15:21 EST --
For what it's worth, the patch in Comment #7 fixes this issue for us, also.
-- Additional comment from email@example.com on 2008-06-02 16:25
Same problem, except I had working domain members of an NT domain stop working
until I fell back my samba version. Current domain is pdc + 2 bdc (NT).
-- Additional comment from firstname.lastname@example.org on 2008-06-02 21:01 EST --
We will provide an official update soon; in the meantime, you can find test rpms at:
Please let us know if it fixes this issue.
-- Additional comment from email@example.com on 2008-06-03 07:00 EST --
Yes, thanks. These rpms 3.0.28-1.el5_2.2 don't have the authentication
problem of 3.0.28-1.el5_2.1.
-- Additional comment from firstname.lastname@example.org on 2008-06-03 08:13 EST --
As an extra data point, the patch in comment #7 fixed the problem (joining an NT
4.0 domain) for me under Fedora 8 when applied to samba-3.0.30-0.fc8.
-- Additional comment from email@example.com on 2008-06-03 08:55
Fixes it for me.
-- Additional comment from firstname.lastname@example.org on 2008-06-03 09:53 EST --
The RPMs posted in Comment #11 work for us, also.
-- Additional comment from email@example.com on 2008-06-09 08:27 EST --
*** Bug 450509 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.