Bug 561325 - Winbind authentication problem against Windows 2008 R2 AD.
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba
Version: 5.4
Hardware: x86_64
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Guenther Deschner
QA Contact: qe-baseos-daemons
Reported: 2010-02-03 12:39 UTC by Johan Bergström
Modified: 2018-11-27 20:48 UTC (History)

Doc Type: Bug Fix
Last Closed: 2010-05-26 15:38:14 UTC


Attachments
Samba config (1.28 KB, application/octet-stream)
2010-02-03 12:39 UTC, Johan Bergström
Migration notes for samba3 (117.42 KB, application/pdf)
2010-06-18 20:17 UTC, Robert Freeman-Day

Description Johan Bergström 2010-02-03 12:39:44 UTC
Created attachment 388518 [details]
Samba config

Description of problem:

After joining a Win2k8 R2 Forest/Domain native AD without problems, I wanted to set up user authentication for logging in with pam_winbind, but encountered this problem:

[root@udcsp03 etc]# wbinfo -a domainuser%password
plaintext password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user domainuser%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user domainuser with challenge/response

From /var/log/messages

Feb  3 12:57:23 udcsp03 winbindd[7034]: [2010/02/03 12:57:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
Feb  3 12:57:23 udcsp03 winbindd[7034]:   rpc_api_pipe: Remote machine INFRADC06.sweinfra.se pipe \NETLOGON fnum 0x800ereturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

Authenticating using Kerberos works fine:

[root@udcsp03 etc]# wbinfo -K domainuser%password
plaintext kerberos password authentication for [domainuser%password] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

Also, a local 'su - domainuser' works just fine, as well as 'wbinfo -g' and 'wbinfo -u'. getent passwd/group works and 'id uid' returns all domain groups as well as local groups, as it should. It seems to be a password authentication problem only.

After reading some mailing lists I noticed this problem has already been fixed in mainstream samba >3.3.10

References:
http://old.nabble.com/NTLM_auth-to-win2008-r2-failed-%28NT_STATUS_PIPE_DISCONNECTED%29-td27336513.html

http://lists.samba.org/archive/samba/2009-November/151883.html

Version-Release number of selected component (if applicable):

[root@udcsp03 etc]# uname -a
Linux udcsp03.sweinfra.se 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
[root@udcsp03 etc]# rpm -qa | grep -E 'redhat-release|samba|krb'
samba-common-3.0.33-3.14.el5
redhat-release-5Server-5.4.0.3
krb5-workstation-1.6.1-36.el5
krb5-libs-1.6.1-36.el5
samba-common-3.0.33-3.14.el5
samba-3.0.33-3.14.el5
krb5-libs-1.6.1-36.el5

How reproducible:
100%

Steps to Reproduce:
1. wbinfo -a domainuser%password
2.
3.
  
Actual results:
Failure to authenticate.

Expected results:
User authenticated OK.

Additional info:
Attaching my smb.conf

Comment 1 Robert Freeman-Day 2010-02-19 14:11:26 UTC
I can confirm this as our environment is in the process of migrating to Win2k8 R2.  We have been using smbclient as our test program instead of wbinfo, however.  When we point the smb.conf directive "password server" to a pre-upgraded Win2k8 Domain Controller, all works well with ntlmv2 auth (which is what "wbinfo -a domainuser%password" is using).  Pointing it to a Win2k8 R2 DC initially gives us (with "smbclient" and -d 10):

spnego_parse_auth_response failed at 1
Failed to parse auth response
SPNEGO login failed: NT code 0x00000721
session setup failed: NT code 0x00000721

subsequent connections:
SPNEGO login failed: Named pipe dicconnected
session setup failed: NT_STATUS_PIPE_DISCONNECTED

and we get matching /var/log/messages as Johan's even with the initial failure.
winbindd[4494]: [2010/02/12 14:23:33, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
winbindd[4494]: rpc_api_pipe: Remote machine IU-MSSG-TSDC1.testads.iu.edu pipe \NETLOGON fnum 0xereturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

We are also getting this message in /var/log/samba/winbindd.log 
[2010/02/12 14:23:33, 1] nsswitch/winbindd_util.c:trustdom_recv(230) Could not receive trustdoms

Was not sure if that message could be related to this upstream bug:
https://bugzilla.samba.org/show_bug.cgi?id=6815
Which supposedly was fixed in this version of Samba:
http://www.samba.org/samba/history/samba-3.4.3.html

I cannot find an equivalent bug or change statement in the other code bases except 3.4.x.

We also have a test Domain that is fully Win2k8 R2 that we can do packet captures to assist with bugfixing.

Comment 2 Walter Gould 2010-03-01 16:34:20 UTC
Our college can also confirm this.  Our AD admins are in the process of upgrading Active Directory DCs to Win2008R2.  We use Samba to join our AD domain in order to perform MS-CHAP wireless authentications on our campus (via FreeRADIUS).  When authenticating against our DCs running Windows 2003, we can perform ntlm auths without errors.  When authenticating against the upgraded DCs (Win2008R2), we receive ntlm authentication errors as follows:

# wbinfo -a domainuser%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user stutest%5980178 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user stutest with challenge/response

From /var/log/samba/winbindd.log:
[2010/03/01 10:18:33, 1] nsswitch/winbindd_util.c:trustdom_recv(230)
  Could not receive trustdoms

Errors from /var/log/messages:
Mar  1 10:19:59 kruger winbindd[21651]: [2010/03/01 10:19:59, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
Mar  1 10:19:59 kruger winbindd[21651]:   rpc_api_pipe: Remote machine DUCNT31.auburn.edu pipe \NETLOGON fnum 0x1returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

[root@kruger source3]# uname -a
Linux kruger.auburn.edu 2.6.18-128.7.1.el5 #1 SMP Mon Aug 24 08:20:55 EDT 2009 i686 i686 i386 GNU/Linux

[root@kruger ~]# rpm -qa | grep samba
samba-client-3.0.33-3.15.el5_4.1
samba-3.0.33-3.15.el5_4.1
system-config-samba-1.2.41-3.el5
samba-common-3.0.33-3.15.el5_4.1

How reproducible:
100% (on DCs running Win2008R2)

Steps to Reproduce:
1. wbinfo -a domainuser%password

Actual results:
Failure to authenticate.

Expected results:
User authenticated OK.

Comment 3 Johan Bergström 2010-03-02 10:02:13 UTC
Just saw this in the RHEL5.5 beta Release Notes.

Samba

Samba is a suite of programs used by machines to share files, printers, and other information. This update includes a newer version of Samba in the Samba3x package, adding support to interoperate with the latest operating systems of the Microsoft family, Windows 2008 and Windows 2008 R2 server, Windows Vista and Windows 7. This version of samba also provides many bugfixes and enhancements, including support for building clustered servers using the CTDB framework. 

So my guess is that we will have to wait until 5.5.

Comment 4 Manuel Pelayo 2010-03-05 10:32:09 UTC
RHEL 5.5 beta provides 2 samba versions:
- samba-3.0.33-3.28.el5
- samba3x-3.3.8-0.50.el5

The samba-3.0.33-3.28.el5 produces the same troubles, but the samba3x-3.3.8-0.50.el5 works fine:
# wbinfo -a domainuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Comment 5 Robert Freeman-Day 2010-03-08 19:56:45 UTC
(In reply to comment #4)
> RHEL 5.5 beta provides 2 samba versions:
> - samba-3.0.33-3.28.el5
> - samba3x-3.3.8-0.50.el5
> 
> The samba-3.0.33-3.28.el5 produces the same troubles, but the
> samba3x-3.3.8-0.50.el5 works fine:
> # wbinfo -a domainuser%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded    

What would be the clean way to upgrade from samba to samba3x?  I tried to simply uninstall samba and install samba3x and winbindd would not start.

Comment 6 Johan Bergström 2010-03-09 10:53:07 UTC
I just tried RHEL5.5 beta as well.

You can use the exact same configuration, but you need to 'net ads join' your machine to the domain with samba3x again.

After that it works as expected.

Comment 7 Robin R. Price II 2010-05-19 20:24:20 UTC
I can confirm this works in samba3x.  However, Motorola is unable to upgrade to samba3x because they are experiencing other bugs within their setup.

They would really like for this to be fixed with samba 3.0.33 in RHEL5.

-- Robin

Comment 8 Dmitri Pal 2010-05-26 15:38:14 UTC
It is not possible to backport this functionality to the samba package. It can be done only in samba3x, so please give it a try.
If you see other issues in samba3x please file the bugs for those.

Comment 10 Robert Freeman-Day 2010-06-18 20:17:35 UTC
Created attachment 425247 [details]
Migration notes for samba3

This attachment is my notes for not only migrating to the samba3 packages provided by RHEL5.5, but also includes notes for using the SerNet packages.  I am posting it here with the hopes it will help people migrate with a minimum of pain.

Comment 11 Parker 2010-06-23 16:51:20 UTC
I am running into this same problem.  Question, will Redhat provide an update for the standard samba package sometime soon in the future?  Or will I have to migrate to the Samba3x packages?  One quick note: I changed my /etc/pam.d/system-auth file to temporarily fix my login problem.

Instead of pam_winbind.so, I used pam_krb5.so throughout the file.


What do you guys think of this?  Thank you.

Comment 12 Dmitri Pal 2010-06-25 15:31:24 UTC
(In reply to comment #11)
> I am running into this same problem.  Question, will Redhat provide an update
> for the standard samba package sometime soon in the future? 

No

> Or will I have to
> migrate to the Samba3x packages?  

Yes

In RHEL 6 it is one package back again.

Dmitri
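
An added triage example (not part of the original bug report, and not Red Hat or Samba tooling): it tallies the winbindd rpc_api_pipe NETLOGON disconnects quoted in the comments above per domain controller, and reports whether the client runs the samba-3.0.x or the samba3x package line. The sample log, the package list and the host names are constructed placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Sample data is constructed in the shape of the lines quoted
# in this report; dc-r2a/dc-r2b/client1 are placeholder host names.

SAMPLE_LOG='Mar  1 10:19:59 client1 winbindd[21651]:   rpc_api_pipe: Remote machine dc-r2a.example.test pipe \NETLOGON fnum 0x1returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
Mar  1 10:20:07 client1 winbindd[21651]:   rpc_api_pipe: Remote machine dc-r2b.example.test pipe \NETLOGON fnum 0x2returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
Mar  1 10:21:30 client1 winbindd[21651]:   rpc_api_pipe: Remote machine dc-r2a.example.test pipe \NETLOGON fnum 0x3returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
Mar  1 10:22:01 client1 sshd[900]: Accepted password for alice from 192.0.2.10 port 50022 ssh2'

SAMPLE_RPMS='samba-client-3.0.33-3.15.el5_4.1
samba-3.0.33-3.15.el5_4.1
system-config-samba-1.2.41-3.el5
samba-common-3.0.33-3.15.el5_4.1'

# Read syslog text on stdin; print "<dc> <count>" for every domain controller
# that dropped the NETLOGON pipe, so upgraded DCs stand out in a mixed domain.
netlogon_disconnects_by_dc() {
  awk '/rpc_api_pipe: Remote machine / && /NETLOGON/ && /NT_STATUS_PIPE_DISCONNECTED/ {
         for (i = 2; i < NF; i++)
           if ($(i-1) == "Remote" && $i == "machine") { seen[$(i+1)]++; break }
       }
       END { for (dc in seen) print dc, seen[dc] }' | sort
}

# Read `rpm -qa` output on stdin; report which Samba package line is installed.
# samba-3.0.x is the line that fails in this report, samba3x the one that works.
samba_package_line() {
  awk '/^samba3x-/                       { x = 1 }
       /^samba(-common|-client)?-3\.0\./ { legacy = 1 }
       END { if (x) print "samba3x"; else if (legacy) print "samba-3.0.x"; else print "unknown" }'
}

# Combine both checks: one summary line per failing DC.
triage() {   # $1 = syslog text, $2 = rpm -qa text
  pkg_line=$(printf '%s\n' "$2" | samba_package_line)
  printf '%s\n' "$1" | netlogon_disconnects_by_dc |
    while read -r dc n; do
      echo "$dc: $n NETLOGON disconnects, client package $pkg_line"
    done
}

triage "$SAMPLE_LOG" "$SAMPLE_RPMS"
```

On a live system, feed the functions real input instead of the samples: `netlogon_disconnects_by_dc < /var/log/messages` and `rpm -qa | samba_package_line`.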

