Bug 585360 - Samba authentication problem against Windows Server 2008 R2
Summary: Samba authentication problem against Windows Server 2008 R2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba
Version: 4.8
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Guenther Deschner
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Duplicates: 649421
Reported: 2010-04-23 19:18 UTC by Justin Payne
Modified: 2018-11-14 19:38 UTC (History)

Fixed In Version: samba-3.0.33-0.28.el4
Doc Type: Bug Fix
Doc Text:
Upgrading domain controllers to Windows Server 2008 R2 caused the Samba servers, running Red Hat Enterprise Linux 4, to fail to authenticate any Active Directory domain users. This was caused by Samba's strict expectations on certain buffer lengths which made the "NETLOGON" secure channel fail. This could occur when the 'winbind' daemon or the 'smbd' daemon contacted a Windows Server 2008 R2 domain controller. The failure of the secure channel caused the failure of the whole authentication process. Samba now correctly deals with larger buffers and the authentication process no longer fails.
Clone Of:
Environment:
Last Closed: 2011-02-16 14:23:31 UTC
Target Upstream Version:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHBA-2011:0242 | 0 | normal | SHIPPED_LIVE | samba bug fix and enhancement update | 2011-02-15 16:34:56 UTC |
| Samba Project | 6697 | 0 | None | None | None | Never |

Description Justin Payne 2010-04-23 19:18:13 UTC
Description of problem:

After upgrading Domain Controllers to win2008 R2, RHEL 4 systems cannot authenticate anymore.
It fails with these messages:
======
/var/log/samba/machine.log says:
[2010/04/20 09:47:23, 0] auth/auth_domain.c:domain_client_validate(260)
domain_client_validate: unable to validate password for user bozo in domain D to Domain controller EXAMPLE.COM. Error was NT_STATUS_INVALID_PARAMETER.  
======

Version-Release number of selected component (if applicable):

samba-3.0.33-0.18.el4_8.1

How reproducible:

Always

Steps to Reproduce:
1. Join RHEL-4 server to an Active Directory Domain with a Windows Server 2008 R1 or lower Domain Controller.

2. Upgrade the Domain Controller to Windows Server 2008 R2.
  
Actual results:

RHEL-4 server is no longer able to authenticate AD domain users.

Expected results:

Authentication succeeds after DC update to 2008 R2.
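
A triage sketch for the symptom in this report, added here as an example and not part of the bug report or of Samba's code: it parses the two-line log record quoted above, groups NT_STATUS_INVALID_PARAMETER failures by domain controller, and checks a package string (as printed by `rpm -q samba`) against the "Fixed In Version" build. The function names, every sample record after the first, and the simplified version comparison are assumptions.

```python
import re

FIXED = ("3.0.33", "0.28.el4")  # "Fixed In Version" on this page (RHEL 4 build)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\] \S+:(\w+)\(\d+\)")
MESSAGE = re.compile(r"unable to validate password for user (\S+) in domain (\S+) "
                     r"to Domain controller (\S+)\. Error was (NT_STATUS_\w+)")

# Constructed sample: the first record copies the report's excerpt, the rest are invented.
SAMPLE_LOG = """\
[2010/04/20 09:47:23, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user bozo in domain D to Domain controller EXAMPLE.COM. Error was NT_STATUS_INVALID_PARAMETER.
[2010/04/20 09:48:02, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user alice in domain D to Domain controller EXAMPLE.COM. Error was NT_STATUS_INVALID_PARAMETER.
[2010/04/20 09:49:10, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user carol in domain D to Domain controller EXAMPLE.COM. Error was NT_STATUS_WRONG_PASSWORD.
"""

def parse_failures(text):
    """Pair each domain_client_validate header line with the message line after it."""
    events, stamp = [], None
    for line in text.splitlines():
        head = HEADER.match(line.strip())
        if head:
            stamp = head.group(1) if head.group(2) == "domain_client_validate" else None
            continue
        msg = MESSAGE.search(line)
        if msg and stamp:
            events.append(dict(zip(("user", "domain", "dc", "status"), msg.groups()), time=stamp))
        stamp = None
    return events

def _segments(s):
    # Simplified rpm ordering (assumption): digit runs compare as integers, above letters.
    return [(1, int(p), "") if p.isdigit() else (0, 0, p)
            for p in re.findall(r"\d+|[A-Za-z]+", s)]

def predates_fix(nvr):
    """True if a name-version-release string sorts before the fixed build."""
    _, version, release = nvr.rsplit("-", 2)
    return (_segments(version), _segments(release)) < tuple(map(_segments, FIXED))

def triage(log_text, nvr):
    """Group NT_STATUS_INVALID_PARAMETER failures by domain controller."""
    by_dc = {}
    for e in parse_failures(log_text):
        if e["status"] == "NT_STATUS_INVALID_PARAMETER":
            by_dc.setdefault(e["dc"], set()).add(e["user"])
    return {"predates_fix": predates_fix(nvr),
            "invalid_parameter_by_dc": {dc: sorted(u) for dc, u in by_dc.items()}}
```

Calling `triage(SAMPLE_LOG, "samba-3.0.33-0.18.el4_8.1")` reports the package as older than the fixed build and lists the users failing with NT_STATUS_INVALID_PARAMETER per domain controller; ordinary failures such as a wrong password are left out.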

Comment 1 Guenther Deschner 2010-05-10 12:35:46 UTC
Is winbind running on that RHEL server ?

Comment 2 Justin Payne 2010-05-10 13:18:47 UTC
Looking through the sosreport attached to the Issue Tracker, winbind is not running. I've asked Karan to explain why it is not.

I am curious to know why you ask though, as far as I know, 3.0.33 is incapable of functioning in a Windows 2008 R2 environment when 2k8 R2 is the PDC.

Comment 3 Justin Payne 2010-05-10 13:22:13 UTC
I just answered my own question as to why winbind is not running. The customer is not using winbind. They have configured nsswitch.conf and ldap.conf to use ldap instead.

Comment 4 Guenther Deschner 2010-05-10 13:28:28 UTC
Right, there are some fixes missing in 3.0 to make it properly work. As for winbind: running winbind is always advised, even when not used for nsswitch - as it does serve as a netlogon proxy, making communication to an AD domain much more efficient.

Comment 12 Ray Van Dolson 2010-11-05 16:26:25 UTC
Not sure how I missed this one (I filed a different bug[1]).  Also not running winbind here (using NIS for UID/GID mapping) and DOMAIN vs ADS as the server type.

Justin, were your Samba servers running ok against Windows 2008 (not R2)?  Is a test version of samba-3.0.33-0.28.el4 available somewhere?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=649421

Comment 13 Guenther Deschner 2010-11-16 11:40:59 UTC
*** Bug 649421 has been marked as a duplicate of this bug. ***

Comment 15 Martin Prpič 2011-02-16 13:22:07 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Upgrading domain controllers to Windows Server 2008 R2 caused the Samba servers, running Red Hat Enterprise Linux 4, to fail to authenticate any Active Directory domain users. This was caused by Samba's strict expectations on certain buffer lengths which made the "NETLOGON" secure channel fail. This could occur when the 'winbind' daemon or the 'smbd' daemon contacted a Windows Server 2008 R2 domain controller. The failure of the secure channel caused the failure of the whole authentication process. Samba now correctly deals with larger buffers and the authentication process no longer fails.

Comment 16 errata-xmlrpc 2011-02-16 14:23:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0242.html

