Description of problem:
After upgrading Domain Controllers to win2008 R2, RHEL 4 systems cannot authenticate anymore. It fails with these messages:

======
/var/log/samba/machine.log says:
[2010/04/20 09:47:23, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user bozo in domain D to Domain controller EXAMPLE.COM. Error was NT_STATUS_INVALID_PARAMETER.
======

Version-Release number of selected component (if applicable):
samba-3.0.33-0.18.el4_8.1

How reproducible:
Always

Steps to Reproduce:
1. Join RHEL-4 server to an Active Directory Domain with a Windows Server 2008 R1 or lower Domain Controller.
2. Upgrade the Domain Controller to Windows Server 2008 R2.

Actual results:
RHEL-4 server is no longer able to authenticate AD domain users.

Expected results:
Authentication succeeds after DC update to 2008 R2.
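Added example, not part of the original bug report: a triage script that parses Samba 3.0 `domain_client_validate` failures like the one quoted above and lists domain controllers where several distinct users fail with `NT_STATUS_INVALID_PARAMETER`. The sample log (apart from the first entry's wording), the function names and the two-user threshold are assumptions made for illustration.

```python
import re

# Constructed sample in Samba 3.0 log layout: "[timestamp, level] file:func(line)"
# header, then the message. Only the first entry's wording comes from the report.
SAMPLE_LOG = """\
[2010/04/20 09:47:23, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user bozo in domain D to Domain controller EXAMPLE.COM. Error was NT_STATUS_INVALID_PARAMETER.
[2010/04/20 09:47:41, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user alice in domain D to Domain controller EXAMPLE.COM. Error was NT_STATUS_INVALID_PARAMETER.
[2010/04/20 09:48:02, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user carol in domain D to Domain controller EXAMPLE.COM. Error was NT_STATUS_WRONG_PASSWORD.
"""

HEADER = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]")
FAIL = re.compile(
    r"domain_client_validate: unable to validate password for user (\S+) "
    r"in domain (\S+) to Domain controller (\S+?)\. Error was (NT_STATUS_\w+)")

def parse_failures(text):
    """Return (timestamp, user, domain, dc, status) for each failed validation."""
    headers = list(HEADER.finditer(text))
    found = []
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        # Collapse whitespace so header and message may share a line or not.
        body = " ".join(text[head.end():end].split())
        match = FAIL.search(body)
        if match:
            found.append((head.group(1),) + match.groups())
    return found

def suspect_dcs(failures, status="NT_STATUS_INVALID_PARAMETER", min_users=2):
    """Map each DC to the users failing with `status`, if at least min_users do.
    Assumption: a secure-channel fault hits every user, a bad password only one."""
    users_by_dc = {}
    for _, user, _, dc, got in failures:
        if got == status:
            users_by_dc.setdefault(dc, set()).add(user)
    return {dc: sorted(u) for dc, u in users_by_dc.items() if len(u) >= min_users}

if __name__ == "__main__":
    for dc, users in suspect_dcs(parse_failures(SAMPLE_LOG)).items():
        print(f"{dc}: {len(users)} users failing: {', '.join(users)}")
```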
Is winbind running on that RHEL server?
Looking through the sosreport attached to the Issue Tracker, winbind is not running. I've asked Karan to explain why it is not. I am curious to know why you ask, though; as far as I know, 3.0.33 is incapable of functioning in a Windows 2008 R2 environment when 2k8 R2 is the PDC.
I just answered my own question as to why winbind is not running. The customer is not using winbind. They have configured nsswitch.conf and ldap.conf to use ldap instead.
Right, there are some fixes missing in 3.0 to make it properly work. As for winbind: running winbind is always advised, even when not used for nsswitch - as it does serve as a netlogon proxy, making communication to an AD domain much more efficient.
Not sure how I missed this one (I filed a different bug[1]). Also not running winbind here (using NIS for UID/GID mapping) and DOMAIN vs ADS as the server type. Justin, were your Samba servers running ok against Windows 2008 (not R2)? Is a test version of samba-3.0.33-0.28.el4 available somewhere?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=649421
*** Bug 649421 has been marked as a duplicate of this bug. ***
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Upgrading domain controllers to Windows Server 2008 R2 caused the Samba servers, running Red Hat Enterprise Linux 4, to fail to authenticate any Active Directory domain users. This was caused by Samba's strict expectations on certain buffer lengths which made the "NETLOGON" secure channel fail. This could occur when the 'winbind' daemon or the 'smbd' daemon contacted a Windows Server 2008 R2 domain controller. The failure of the secure channel caused the failure of the whole authentication process. Samba now correctly deals with larger buffers and the authentication process no longer fails.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0242.html