Angela Cheng
2007-Jan-11 17:39 UTC
[Samba] Intermittent Windows user authentication problem
Hi,
Samba 3.0.8 installed on Debian Linux server and setup to authenticate
with Windows 2000 ADS.
The samba config as follows.
[global]
workgroup = TEST_NT_DOMAIN
realm = TEST-NT.ORG
server string = TEST SAMBA
security = ADS
obey pam restrictions = Yes
password server = 10.10.20.253 10.10.20.227
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
username map = /etc/samba/includes/usermap
log level = 3
syslog = 0
log file = /var/local/log/samba/log.%m
max log size = 204800
name resolve order = wins bcast
load printers = No
show add printer wizard = No
stat cache = No
dns proxy = No
wins server = 10.10.20.253, 10.10.20.120
panic action = /usr/share/samba/panic-action %d
invalid users = root
create mask = 0700
directory mask = 0700
include = /etc/samba/includes/share-test.inc
2 userids are setup to have write access to the share. These 2 userids
constantly accessing the share via an application. Most of the time,
these 2 userids can access the share without any problem. However, from
time to time, either userid will be denied access to the share. From
samba log, the error is 'Wrong Password'. However, the password is set
within an application and have been the same password and the userid can
successfully authenticated with the Domain Controller 99% of time. And
all the instances (either successful or failed authentication) shows
that Samba is authenticating with the same Domain Controller (Connected
to LDAP server 10.10.20.253).
I turn up the samba log level and found:
domain_client_validate: unable to validate password for user user1 in
domain TEST_NT_DOMAIN to Domain controller \\14DOMSUP. Error was
NT_STATUS_WRONG_PASSWORD.
error packet at smbd/sesssetup.c(501) cmd=115 (SMBsesssetupX)
NT_STATUS_INVALID_PARAMETER
What does NT_STATUS_INVALID_PARAMETER mean, could it be the cause of
'NT_STATUS_WRONG_PASSWORD'?
Appreciate any help.
Here is the complete log for the authentication failure:
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
Doing spnego session setup
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2007/01/10 16:47:56, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
Got user=[user1] domain=[TEST_NT_DOMAIN] workstation=[WKSTN1] len1=24
len2=24
[2007/01/10 16:47:56, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[TEST_NT_DOMAIN]\[user1]@[WKSTN1] with the new password interface
[2007/01/10 16:47:56, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is:
[TEST_NT_DOMAIN]\[user1]@[WKSTN1]
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/01/10 16:47:56, 3] smbd/uid.c:push_conn_ctx(365)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] libads/ldap.c:ads_connect(247)
Connected to LDAP server 10.10.20.253
[2007/01/10 16:47:56, 3] libads/ldap.c:ads_server_info(2431)
got ldap server name 14domsup@TEST-NT.ORG, using bind path:
dc=TEST-NT,dc=ORG
[2007/01/10 16:47:56, 3] libsmb/cliconnect.c:cli_start_connection(1382)
Connecting to host=14DOMSUP
[2007/01/10 16:47:56, 3] lib/util_sock.c:open_socket_out(752)
Connecting to 10.10.20.253 at port 445
[2007/01/10 16:47:56, 0] auth/auth_domain.c:domain_client_validate(199)
domain_client_validate: unable to validate password for user user1 in
domain TEST_NT_DOMAIN to Domain controller \\14DOMSUP. Error was
NT_STATUS_WRONG_PASSWORD.
[2007/01/10 16:47:56, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [user1] -> [user1]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2007/01/10 16:47:56, 3] smbd/process.c:process_smb(1092)
Transaction 1048892 of length 350
[2007/01/10 16:47:56, 3] smbd/process.c:switch_message(887)
switch message SMBsesssetupX (pid 7060) conn 0x0
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
wct=12 flg2=0xc807
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
Doing spnego session setup
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2007/01/10 16:47:56, 3] smbd/error.c:error_packet(129)
error packet at smbd/sesssetup.c(501) cmd=115 (SMBsesssetupX)
NT_STATUS_INVALID_PARAMETER
[2007/01/10 16:47:56, 3] smbd/process.c:process_smb(1092)
Transaction 1048893 of length 230
[2007/01/10 16:47:56, 3] smbd/process.c:switch_message(887)
switch message SMBsesssetupX (pid 7060) conn 0x0
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
wct=12 flg2=0xc807
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
Doing spnego session setup
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
Got OID 1 3 6 1 4 1 311 2 2 10
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
Got secblob of size 61
[2007/01/10 16:47:56, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0xe208b297
[2007/01/10 16:47:56, 3] smbd/process.c:process_smb(1092)
Transaction 1048894 of length 230
[2007/01/10 16:47:56, 3] smbd/process.c:switch_message(887)
switch message SMBsesssetupX (pid 7060) conn 0x0
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
wct=12 flg2=0xc807
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
Doing spnego session setup
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
Got OID 1 3 6 1 4 1 311 2 2 10
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
Got secblob of size 61
[2007/01/10 16:47:56, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0xe208b297
[2007/01/10 16:47:56, 3] smbd/process.c:process_smb(1092)
Transaction 1048895 of length 350
[2007/01/10 16:47:56, 3] smbd/process.c:switch_message(887)
switch message SMBsesssetupX (pid 7060) conn 0x0
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
wct=12 flg2=0xc807
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
Doing spnego session setup
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
Angela Cheng
Senior Solutions Architect
Bycast Inc.
(office) 604-692-2067
(cell) 778-238-2716
Maybe Matching Threads
- Trouble with access permissions from W2K client to Samba 3.0.2 server
- intermittent authentication: check_ntlm_password: Authentication for user [someuser] -> [someuser] FAILED with error NT_STATUS_ACCESS_DENIED
- Session setup with machine account
- Problem: samba refuse my user with error message : NT_STATUS_NO_ SUCH_USER
- DFS not working on Win XP
Wisdom of the Ancients
