Ray Van Dolson
2010-Nov-03 20:37 UTC
[Samba] Samba 3.0.33, security = domain and Windows 2008 R2
I have a number of Samba servers on RHEL (Samba 3.0.33) in an AD environment using a mix of Windows 2008 and Windows 2008 R2 servers. Configuration file is pretty minimal:

    [global]
    workgroup = AVWORLD
    security = DOMAIN
    log file = /var/log/samba/samba.log
    max log size = 500
    wins server = 10.50.4.31
    dns proxy = no
    #log level = 10
    log level = 3 passdb:5 auth:10 winbind:2
    password server = *
    #username map = /etc/samba/username.map
    socket options = TCP_NODELAY

This works fine as long as the Samba server in question is talking to one of the Windows 2008 servers. Via some sort of SMB magic, from time to time, the domain controller the Samba server communicates with changes to one of the Windows 2008 R2 servers. At that point, problems begin:

    [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info_map(161)
      make_user_info_map: Mapping user [AVWORLD]\[ray5147] from workstation [RAYXP]
    [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(75)
      attempting to make a user_info for ray5147 (ray5147)
    [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(85)
      making strings for ray5147's user_info struct
    [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(117)
      making blobs for ray5147's user_info struct
    [2010/11/03 10:25:44, 10] auth/auth_util.c:make_user_info(135)
      made an encrypted user_info for ray5147 (ray5147)
    [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(221)
      check_ntlm_password: Checking password for unmapped user [AVWORLD]\[ray5147]@[RAYXP] with the new password interface
    [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(224)
      check_ntlm_password: mapped user is: [AVWORLD]\[ray5147]@[RAYXP]
    [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(233)
      check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
    [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(235)
      challenge is:
    [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
      check_ntlm_password: guest had nothing to say
    [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
      check_samstrict_security: AVWORLD is not one of my local names (ROLE_DOMAIN_MEMBER)
    [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
      check_ntlm_password: sam had nothing to say
    [2010/11/03 10:25:44, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
      cli_pipe_verify_schannel: auth_len 56.
    [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
      domain_client_validate: unable to validate password for user ray5147 in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
    [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
      check_ntlm_password: winbind authentication for user [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
    [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
      check_ntlm_password: Authentication for user [ray5147] -> [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
    [2010/11/03 10:25:44, 5] auth/auth_util.c:free_user_info(2108)
      attempting to free (and zero) a user_info structure
    [2010/11/03 10:25:44, 10] auth/auth_util.c:free_user_info(2112)
      structure was created for ray5147

(REDDC1 is one of the 2K8 R2 servers and ray5147 is my username.)

If I can convince the system to talk to one of the non-R2 servers again, everything is fine.

Looking at the log, the "errors" that jump out are:

    [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
      check_samstrict_security: AVWORLD is not one of my local names (ROLE_DOMAIN_MEMBER)
    [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
      domain_client_validate: unable to validate password for user ray5147 in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
    [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
      check_ntlm_password: winbind authentication for user [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
    [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
      check_ntlm_password: Authentication for user [ray5147] -> [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER

I'm not clear if the first error is a complaint from my Samba client or if it's a message returned from the domain controller... the last error message doesn't mean anything to me.

Anyone have any thoughts? We've followed the instructions from this KB article[1] to configure the R2 servers in the same way the non-R2 servers are configured.

I haven't yet reproduced the problem on a Samba 3.3 install so I'm wondering if the 3.0.x branch just has issues with Windows 2008 R2, or if there's a patch out there that could be backported to help. Maybe doing security = ads would work better for us....

This problem also has cropped up on our Solaris 10 hosts. Sun provides a Samba package based on 3.0.x as well.

Thanks in advance,
Ray

[1] http://support.microsoft.com/kb/942564
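The hard part of the problem above is correlating the failure with which domain controller the member server happened to be talking to at the time. The following script is an added example, not code from the thread or from the Samba project: it parses the Samba 3.x debug log format (a "[timestamp, level] file:function(line)" header followed by the message on an indented continuation line, as the log levels 3 and above in the post produce), pulls out each domain_client_validate failure together with the DC name and NT status it reports, and tallies failures per DC so that a DC switch to an R2 host shows up directly. The sample log text and the R2_DCS set are constructed for the example (REDDC1 is taken from Ray's note that it is one of the R2 servers; the "succeeded" line is constructed to show a contrasting outcome).

```python
import re

# Constructed sample in the two-line layout Samba 3.x uses (header, then
# indented message). The failing lines mirror those quoted in the post;
# the final "succeeded" entry is constructed for contrast.
SAMPLE_LOG = """\
[2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password: Checking password for unmapped user [AVWORLD]\\[ray5147]@[RAYXP] with the new password interface
[2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
  check_samstrict_security: AVWORLD is not one of my local names (ROLE_DOMAIN_MEMBER)
[2010/11/03 10:25:44, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
  cli_pipe_verify_schannel: auth_len 56.
[2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user ray5147 in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
[2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [ray5147] -> [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
[2010/11/03 10:31:02, 5] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [ray5147] -> [ray5147] succeeded
"""

# Assumption for the example: the set of DCs known to be Windows 2008 R2.
R2_DCS = frozenset({"REDDC1"})

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)\s*(?P<msg>.*)$"
)
DC_FAIL_RE = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain (?P<domain>\S+) "
    r"to Domain controller (?P<dc>\S+)\. Error was (?P<status>NT_STATUS_\w+)"
)
AUTH_RESULT_RE = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[[^\]]*\] "
    r"(?P<result>succeeded|FAILED with error (?P<status>NT_STATUS_\w+))"
)


def parse_samba_log(text):
    """Return a list of entries; continuation lines are folded into the
    message of the preceding header (the same entry may also carry its
    message on the header line itself, as older builds sometimes do)."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            e = m.groupdict()
            e["level"] = int(e["level"])
            e["line"] = int(e["line"])
            entries.append(e)
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries


def dc_validation_failures(entries):
    """Entries where the member server could not validate against a DC,
    with the DC name and NT status the log reports."""
    out = []
    for e in entries:
        if e["func"] != "domain_client_validate":
            continue
        m = DC_FAIL_RE.search(e["msg"])
        if m:
            out.append({"ts": e["ts"], **m.groupdict()})
    return out


def auth_outcomes(entries):
    """Final per-attempt result lines from check_ntlm_password."""
    out = []
    for e in entries:
        if e["func"] != "check_ntlm_password":
            continue
        m = AUTH_RESULT_RE.search(e["msg"])
        if m:
            out.append({"ts": e["ts"], "user": m.group("user"),
                        "ok": m.group("result") == "succeeded",
                        "status": m.group("status")})
    return out


def summarize_by_dc(entries, r2_dcs=R2_DCS):
    """Failure count and distinct NT statuses per DC, flagged as R2 or not."""
    summary = {}
    for f in dc_validation_failures(entries):
        s = summary.setdefault(f["dc"], {"failures": 0, "statuses": set(),
                                         "r2": f["dc"] in r2_dcs})
        s["failures"] += 1
        s["statuses"].add(f["status"])
    return summary


if __name__ == "__main__":
    parsed = parse_samba_log(SAMPLE_LOG)
    for dc, s in summarize_by_dc(parsed).items():
        tag = "R2" if s["r2"] else "non-R2"
        print(f"{dc} ({tag}): {s['failures']} failure(s), {sorted(s['statuses'])}")
    for o in auth_outcomes(parsed):
        print(o["ts"], o["user"], "OK" if o["ok"] else o["status"])
```

Run against the real /var/log/samba/samba.log (at the post's log level the domain_client_validate line is logged at level 0, so it is present even with a quieter setting), the per-DC summary answers the question of whether the failures are confined to the R2 controllers before any configuration change is attempted.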
Gaiseric Vandal
2010-Nov-04 11:15 UTC
[Samba] Samba 3.0.33, security = domain and Windows 2008 R2
Looking through the release notes for Samba 3.0.28a - 3.0.37 there does not seem to be mention of 2008 R2.

The following link may explain why it doesn't work and a possible fix.

http://www.openg.info/entry/win-2008-r2-samba

But Samba 3.0.x is end-of-lifed so I think you're best off moving to Samba 3.4.x.