William R. Lorenz
2004-May-13 22:19 UTC
[Samba] Winbind ADS Issues w/ *TONS* of Pre-Research
Samba Team,

I've been trying to get my Samba server to authenticate users against a Windows 2000 Active Directory domain controller, and it just doesn't work. I've encountered a TREMENDOUS amount of postings from people who have run into the same issue, and there are never any responses with a resolution. I must have viewed more than 500 postings over the course of the day.

I have a seemingly valid Samba configuration file. All of the `wbinfo -u`, `wbinfo -g`, `getent passwd`, and `getent group` commands work just fine. However, `wbinfo -t` and `wbinfo -a` don't work, and I can't authenticate users against the domain controller. As an example:

  [root@nasone samba]# net ads join -U Administrator
  Administrator's password:
  [2004/05/13 17:49:30, 0] libads/ldap.c:ads_add_machine_acct(1006)
    Host account for nasone already exists - modifying old account
  Using short domain name -- ECHUDSON
  Joined 'NASONE' to realm 'HUDSON-OFFICE.ECEDIINC.COM'
  [root@nasone samba]# net rpc join -U Administrator
  Password:
  Joined domain ECHUDSON.
  [root@nasone samba]# wbinfo -t
  checking the trust secret via RPC calls failed
  error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
  Could not check secret
  [root@nasone samba]#

After trying to do the `wbinfo -t`, I see the following in 'winbindd.log':

  [2004/05/13 17:49:41, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
    Doing kerberos session setup
  [2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
    rpc_auth_pipe: wrong schannel auth len 24
  [2004/05/13 17:49:41, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
    cli_nt_setup_creds: request challenge failed
  [2004/05/13 17:49:41, 2] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
    Checking the trust account password returned NT_STATUS_UNSUCCESSFUL

I am using Samba 3.0.4, as distributed in Fedora Core 1 RPM format on the main Samba website @ http://www.samba.org/. Here are the details:

  [root@nasone samba]# rpm -qa | grep ^samba
  samba-common-3.0.4-2
  samba-client-3.0.4-2
  samba-3.0.4-2
  [root@nasone samba]# rpm -qa | grep ^krb5
  krb5-libs-1.3.1-6
  krb5-workstation-1.3.1-6
  [root@nasone samba]#

The output of `wbinfo -a` produces the following:

  [root@nasone samba]# wbinfo -a Administrator
  plaintext password authentication failed
  error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
  error messsage was: No such user
  Could not authenticate user Administrator with plaintext password
  challenge/response password authentication failed
  error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
  error messsage was: No logon servers
  Could not authenticate user Administrator with challenge/response
  [root@nasone samba]#

And this results in the following in 'winbindd.log':

  [2004/05/13 17:53:04, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
    Doing kerberos session setup
  [2004/05/13 17:53:04, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
    rpc_auth_pipe: wrong schannel auth len 24
  [2004/05/13 17:53:04, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
    cli_nt_setup_creds: request challenge failed
  [2004/05/13 17:53:04, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(612)
    NTLM CRAP authentication for user [ECHUDSON]\[Administrator] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)

NTLM CRAP authentication is right -- this just doesn't want to work! ;)

Here's the contents of my '/etc/samba/smb.conf' configuration file:

  [root@nasone samba]# grep -v ^\; /etc/samba/smb.conf
  [global]
  workgroup = ECHUDSON
  realm = HUDSON-OFFICE.LOCAL
  server string = NASONE
  hosts allow = 10.0.0.0/24
  load printers = no

  security = ads
  auth methods = winbind
  password server = ARIEL
  name resolve order = bcast wins host
  wins server = 10.0.0.150 10.0.0.151

  log level = 2
  log file = /var/log/samba/samba-global.log
  log file = /var/log/samba/%m.log
  max log size = 0

  winbind separator = +
  encrypt passwords = yes
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  winbind cache time = 15
  template shell = /sbin/nologin
  template homedir = /dev/null/%D/%U

  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  interfaces = 10.0.0.180/24 10.0.1.180/24

  os level = 33
  local master = no
  domain master = no
  preferred master = no
  domain logons = no

  wins support = no
  dns proxy = no

  [volume01]
  comment = volume01
  path = /mnt/volumes/lv01
  public = no
  writable = no
  printable = no
  valid users = @"ECHUDSON+Domain Admins"
  write list = @"ECHUDSON+Domain Admins"
  create mask = 0664
  directory mask = 0775
  nt acl support = yes
  [root@nasone samba]#

Here's one example of other people having the same issue (I searched long and hard for any resolutions many of these had found, to no avail!):

  http://lists.samba.org/archive/samba-technical/2003-July/030983.html

I'd grab others, but I've already closed lots of browser windows. ;)

Here's some additional Kerberos information that is probably pertinent:

  [root@nasone root]# kinit administrator@HUDSON-OFFICE.LOCAL
  Password for administrator@HUDSON-OFFICE.LOCAL:
  [root@nasone root]# klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: administrator@HUDSON-OFFICE.LOCAL

  Valid starting     Expires            Service principal
  05/13/04 18:13:23  05/14/04 04:14:36  krbtgt/HUDSON-OFFICE.ECEDIINC.COM@HUDSON-OFFICE.LOCAL
          renew until 05/14/04 18:13:23
  05/13/04 18:15:33  05/14/04 04:14:36  ariel$@HUDSON-OFFICE.LOCAL
          renew until 05/14/04 18:13:23

  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached
  [root@nasone root]#

And finally, let's get in a good test of Kerberos with the -k flag:

  [root@nasone root]# smbclient -U Administrator -k //10.0.0.150/GENSRVNT
  OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
  smb: \> ls
    .                                   D        0  Thu Apr  1 15:37:04 2004
    ..                                  D        0  Thu Apr  1 15:37:04 2004
    [ADDITIONAL DIRECTORY LISTING TRIMMED]
  smb: \> quit
  [root@nasone root]#

Does anyone have any ideas?!?!

--                _
__ __ ___ _| |  William R. Lorenz <wrl@express.org>
\ V V / '_| |  http://www.clevelandlug.net/ ; "Every revolution was
 \./\./|_| |_|  first a thought in one man's mind." - Ralph Waldo Emerson
Hi,

just like:

http://lists.samba.org/archive/samba/2004-May/085521.html
http://lists.samba.org/archive/samba/2004-May/085808.html

huh? Another *just* came in also:

http://lists.samba.org/archive/samba/2004-May/085881.html

Well, this one has many persons puzzled. The best place so far is:

http://www.linuxquestions.org/questions/showthread.php?s=&threadid=161506

I guess that the Samba community (which of course we are part of) still does not have the solution for this problem, since it has not been answered/addressed by anybody in great length/detail. The HOWTO addresses it in:

http://se.samba.org/samba/docs/man/howto/domain-member.html#ads-member

but really that is no HOWTO. As long as it does not show you HOW-TO.

I also guess that some people that have followed this thread for a while are starting to get bugged by me :)

Sorry I can't help you, I have not figured it out either.

YS
Anders Berg

At 18:18 13.05.2004 -0400, William R. Lorenz wrote:
> Samba Team,
>
> I've been trying to get my Samba server to authenticate users against a
> Windows 2000 Active Directory domain controller, and it just doesn't work.
> I've encountered a TREMENDOUS amount of postings from people who have run
> into the same issue, and there's never any responses with a resolution.
> I must have viewed more than 500 postings over the course of the day.
>
> I have a seemingly valid Samba configuration file. All of the `wbinfo
> -u`, `wbinfo -g`, `getent passwd`, and `getent group` commands work just
> fine. However, `wbinfo -t` and `wbinfo -a` don't work, and I can't
> authenticate users against the domain controller.
Gerald (Jerry) Carter
2004-May-14 12:50 UTC
Bug 1315 -- wrong schannel auth len 24 [was Re: [Samba] Winbind ADS Issues w/ *TONS* of Pre-Research]
William R. Lorenz wrote :

| [2004/05/13 17:49:41, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
|   Doing kerberos session setup
| [2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
|   rpc_auth_pipe: wrong schannel auth len 24

Already fixed (everyone please listen this time!)

This was a bug introduced in 3.0.3 and 3.0.4. It is only seen, from what I can tell, by using a DC that does not support 128 bit encryption for signing and sealing of rpc packets. This includes Windows 2000 with no patches and non-US service packs (I'm guessing on the second one).

The fix for 3.0.4 is attached to https://bugzilla.samba.org/show_bug.cgi?id=1315

Anders, I posted this previously in response to one of the threads you referred to.

http://lists.samba.org/archive/samba/2004-May/085842.html

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home." ----------- Sting
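The diagnosis in Jerry's reply, turned into a small triage script. This is an added example and not code from the Samba project or from any poster in this thread: it parses Samba 3.0-style winbindd.log entries (header line, then the message on the next line), flags the "wrong schannel auth len" message that Jerry attributes to Bug 1315, lists the entries that cascade from it in the same second, and checks the main samba package version taken from `rpm -qa` output against the two releases he names as affected (3.0.3 and 3.0.4). The log and rpm lines embedded as sample input are copied from William's original post; the signature table, the `triage`/`parse_log`/`samba_version` helpers and the remediation wording are assumptions built only from what this thread states.

```python
"""Triage helper for the winbindd.log symptoms in this thread (added example,
not Samba project code). Parses Samba 3.0-style log entries, matches them
against a signature table built only from what the thread establishes, and
checks the samba package version against the releases named for Bug 1315."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Samba 3.0 writes a header "[YYYY/MM/DD HH:MM:SS, level] file.c:func(line)"
# followed by the message text on the next (indented) line.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]\s+"
    r"(?P<src>[\w/.\-]+:\w+\(\d+\))\s*$"
)

# Only the signature this thread actually resolves: "wrong schannel auth len",
# attributed by Jerry Carter to Bug 1315 (Samba 3.0.3/3.0.4 talking to a DC that
# does not offer 128-bit signing/sealing of RPC packets, e.g. unpatched W2K).
SIGNATURES = [
    (
        re.compile(r"rpc_auth_pipe: wrong schannel auth len \d+"),
        "Samba Bug 1315 (schannel auth length in 3.0.3/3.0.4); apply the patch "
        "from https://bugzilla.samba.org/show_bug.cgi?id=1315 or upgrade",
    ),
]
AFFECTED_VERSIONS = {"3.0.3", "3.0.4"}  # releases the thread names as affected

# Matches the main package only ("samba-3.0.4-2"), not samba-common/samba-client.
RPM_RE = re.compile(r"^samba-(?P<ver>\d+\.\d+\.\d+)-\S+$")


@dataclass
class LogEntry:
    ts: str
    level: int
    src: str
    msg: str


def parse_log(text: str) -> List[LogEntry]:
    """Pair each header line with the message line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries: List[LogEntry] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines) and not HEADER_RE.match(lines[i + 1]):
            entries.append(LogEntry(m["ts"], int(m["level"]), m["src"], lines[i + 1]))
            i += 2
        else:
            i += 1
    return entries


def samba_version(rpm_qa_output: str) -> Optional[str]:
    """Extract the version of the main samba package from `rpm -qa` output."""
    for line in rpm_qa_output.splitlines():
        m = RPM_RE.match(line.strip())
        if m:
            return m["ver"]
    return None


def triage(log_text: str, rpm_qa_output: str) -> List[str]:
    """Return findings: one ROOT CAUSE line per matched signature, the entries
    that follow it within the same second (the 'request challenge failed' ->
    NT_STATUS_UNSUCCESSFUL cascade seen in the thread), then a version note."""
    findings: List[str] = []
    entries = parse_log(log_text)
    for idx, e in enumerate(entries):
        for pattern, explanation in SIGNATURES:
            if pattern.search(e.msg):
                findings.append(f"ROOT CAUSE {e.ts} {e.src}: {explanation}")
                for later in entries[idx + 1:]:
                    if later.ts == e.ts:
                        findings.append(f"  consequence {later.src}: {later.msg}")
    ver = samba_version(rpm_qa_output)
    if findings and ver in AFFECTED_VERSIONS:
        findings.append(f"installed samba {ver} is in the affected range {sorted(AFFECTED_VERSIONS)}")
    elif findings and ver:
        findings.append(f"installed samba {ver} is outside the range this thread names; re-check")
    return findings


# Sample input copied from the original post in this thread.
SAMPLE_LOG = """\
[2004/05/13 17:49:41, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
  rpc_auth_pipe: wrong schannel auth len 24
[2004/05/13 17:49:41, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
  cli_nt_setup_creds: request challenge failed
[2004/05/13 17:49:41, 2] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
  Checking the trust account password returned NT_STATUS_UNSUCCESSFUL
"""
SAMPLE_RPM = """\
samba-common-3.0.4-2
samba-client-3.0.4-2
samba-3.0.4-2
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG, SAMPLE_RPM):
        print(line)
```

Run it against a real winbindd.log and `rpm -qa | grep ^samba` by reading those into `triage()` in place of the sample strings. The "consequence" lines matter for triage: `cli_nt_setup_creds: request challenge failed` and the NT_STATUS_UNSUCCESSFUL from `winbindd_check_machine_acct` are what `wbinfo -t` reports, but they are downstream of the schannel length check, so fixing the trust account or re-joining (as the `net rpc join` in the thread tries) does not address them.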
| Samba Team,
|
| I've been trying to get my Samba server to authenticate users against a
| Windows 2000 Active Directory domain controller, and it just doesn't work.
| I've encountered a TREMENDOUS amount of postings from people who have run
| into the same issue, and there's never any responses with a resolution.
| I must have viewed more than 500 postings over the course of the day.
|
| I have a seemingly valid Samba configuration file. All of the `wbinfo
| -u`, `wbinfo -g`, `getent passwd`, and `getent group` commands work just
| fine. However, `wbinfo -t` and `wbinfo -a` don't work, and I can't
| authenticate users against the domain controller. As an example:
|
| [root@nasone samba]# net ads join -U Administrator
| Administrator's password:
| [2004/05/13 17:49:30, 0] libads/ldap.c:ads_add_machine_acct(1006)
|   Host account for nasone already exists - modifying old account
| Using short domain name -- ECHUDSON
| Joined 'NASONE' to realm 'HUDSON-OFFICE.ECEDIINC.COM'
| [root@nasone samba]# net rpc join -U Administrator
| Password:
| Joined domain ECHUDSON.
  ^^^ Surely this is redundant?

| [root@nasone samba]# wbinfo -t
| checking the trust secret via RPC calls failed
| error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
| Could not check secret
| [root@nasone samba]#
|
| After trying to do the `wbinfo -t`, I see the following in 'winbindd.log':
|
| [2004/05/13 17:49:41, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
|   Doing kerberos session setup
| [2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
|   rpc_auth_pipe: wrong schannel auth len 24

This looks like https://bugzilla.samba.org/show_bug.cgi?id=1315, where you will find a patch that fixed it for everyone who has tried (including me). The patch is also in the 3.0.4-2mdk packages in Mandrake cooker (and the RPMS for Mandrake 9.1-10 that hopefully should be available soon on the samba mirrors).

Regards,
Buchan

--
Buchan Milne                    Senior Support Technician
Obsidian Systems                http://www.obsidian.co.za
B.Eng                           RHCE (803004789010797)