William R. Lorenz
2004-May-13 22:19 UTC
[Samba] Winbind ADS Issues w/ *TONS* of Pre-Research
Samba Team,
I've been trying to get my Samba server to authenticate users against a
Windows 2000 Active Directory domain controller, and it just doesn't work.
I've encountered a TREMENDOUS amount of postings from people who have run
into the same issue, and there's never any responses with a resolution.
I must have viewed more than 500 postings over the course of the day.
I have a seemingly valid Samba configuration file. All of the `wbinfo
-u`, `wbinfo -g`, `getent passwd`, and `getent group` commands work just
fine. However, `wbinfo -t` and `wbinfo -a` don't work, and I can't
authenticate users against the domain controller. As an example:
[root@nasone samba]# net ads join -U Administrator
Administrator's password:
[2004/05/13 17:49:30, 0] libads/ldap.c:ads_add_machine_acct(1006)
Host account for nasone already exists - modifying old account
Using short domain name -- ECHUDSON
Joined 'NASONE' to realm 'HUDSON-OFFICE.ECEDIINC.COM'
[root@nasone samba]# net rpc join -U Administrator
Password:
Joined domain ECHUDSON.
[root@nasone samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
Could not check secret
[root@nasone samba]#
After trying to do the `wbinfo -t`, I see the following in
'winbindd.log':
[2004/05/13 17:49:41, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
  rpc_auth_pipe: wrong schannel auth len 24
[2004/05/13 17:49:41, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
  cli_nt_setup_creds: request challenge failed
[2004/05/13 17:49:41, 2] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
  Checking the trust account password returned NT_STATUS_UNSUCCESSFUL
I am using Samba 3.0.4, as distributed in Fedora Core 1 RPM format on the
main Samba website @ http://www.samba.org/. Here's the details:
[root@nasone samba]# rpm -qa | grep ^samba
samba-common-3.0.4-2
samba-client-3.0.4-2
samba-3.0.4-2
[root@nasone samba]# rpm -qa | grep ^krb5
krb5-libs-1.3.1-6
krb5-workstation-1.3.1-6
[root@nasone samba]#
The output of `wbinfo -a` produces the following:
[root@nasone samba]# wbinfo -a Administrator
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user Administrator with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user Administrator with challenge/response
[root@nasone samba]#
And this results in the following in 'winbindd.log':
[2004/05/13 17:53:04, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/05/13 17:53:04, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
  rpc_auth_pipe: wrong schannel auth len 24
[2004/05/13 17:53:04, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
  cli_nt_setup_creds: request challenge failed
[2004/05/13 17:53:04, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(612)
  NTLM CRAP authentication for user [ECHUDSON]\[Administrator] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
NTLM CRAP authentication is right -- this just doesn't want to work! ;)
Here's the contents of my '/etc/samba/smb.conf' configuration file:
[root@nasone samba]# grep -v ^\; /etc/samba/smb.conf
[global]
workgroup = ECHUDSON
realm = HUDSON-OFFICE.LOCAL
server string = NASONE
hosts allow = 10.0.0.0/24
load printers = no
security = ads
auth methods = winbind
password server = ARIEL
name resolve order = bcast wins host
wins server = 10.0.0.150 10.0.0.151
log level = 2
log file = /var/log/samba/samba-global.log
log file = /var/log/samba/%m.log
max log size = 0
winbind separator = +
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 15
template shell = /sbin/nologin
template homedir = /dev/null/%D/%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = 10.0.0.180/24 10.0.1.180/24
os level = 33
local master = no
domain master = no
preferred master = no
domain logons = no
wins support = no
dns proxy = no
[volume01]
comment = volume01
path = /mnt/volumes/lv01
public = no
writable = no
printable = no
valid users = @"ECHUDSON+Domain Admins"
write list = @"ECHUDSON+Domain Admins"
create mask = 0664
directory mask = 0775
nt acl support = yes
[root@nasone samba]#
Here's one example of other people having the same issue (I searched
long and hard for any resolutions many of these had found, to no avail!):
http://lists.samba.org/archive/samba-technical/2003-July/030983.html
I'd grab others, but I've already closed lots of browser windows. ;)
Here's some additional Kerberos information that is probably pertinent:
[root@nasone root]# kinit administrator@HUDSON-OFFICE.LOCAL
Password for administrator@HUDSON-OFFICE.LOCAL:
[root@nasone root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HUDSON-OFFICE.LOCAL
Valid starting Expires Service principal
05/13/04 18:13:23 05/14/04 04:14:36
krbtgt/HUDSON-OFFICE.ECEDIINC.COM@HUDSON-OFFICE.LOCAL
renew until 05/14/04 18:13:23
05/13/04 18:15:33 05/14/04 04:14:36 ariel$@HUDSON-OFFICE.LOCAL
renew until 05/14/04 18:13:23
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@nasone root]#
And finally, let's get in a good test of Kerberos with the -k flag:
[root@nasone root]# smbclient -U Administrator -k //10.0.0.150/GENSRVNT
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> ls
. D 0 Thu Apr 1 15:37:04 2004
.. D 0 Thu Apr 1 15:37:04 2004
[ADDITIONAL DIRECTORY LISTING TRIMMED]
smb: \> quit
[root@nasone root]#
Does anyone have any ideas?!?!
-- _
__ __ ___ _| | William R. Lorenz <wrl@express.org>
\ V V / '_| | http://www.clevelandlug.net/ ; "Every revolution was
 \./\./|_| |_| first a thought in one man's mind." - Ralph Waldo Emerson
Anders Berg

Hi, just like:
http://lists.samba.org/archive/samba/2004-May/085521.html
http://lists.samba.org/archive/samba/2004-May/085808.html
huh? Another *just* came in also:
http://lists.samba.org/archive/samba/2004-May/085881.html
Well, this one has many persons puzzled. The best place so far is:
http://www.linuxquestions.org/questions/showthread.php?s=&threadid=161506
I guess that the Samba community (which of course we are part of) still does not have the solution for this problem, since it has not been answered/addressed by anybody in great length/detail. The HOWTO addresses it in:
http://se.samba.org/samba/docs/man/howto/domain-member.html#ads-member
but really that is no HOWTO, as long as it does not show you HOW-TO. I also guess that some people that have followed this thread for a while are starting to get bugged by me :) Sorry I can't help you, I have not figured it out either.
YS
Anders Berg

At 18:18 13.05.2004 -0400, William R. Lorenz wrote:
> [ORIGINAL POST QUOTED IN FULL; TRIMMED]
Gerald (Jerry) Carter
2004-May-14 12:50 UTC
Bug 1315 -- wrong schannel auth len 24 [was Re: [Samba] Winbind ADS Issues w/ *TONS* of Pre-Research]
William R. Lorenz wrote:
| [2004/05/13 17:49:41, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
|   Doing kerberos session setup
| [2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
|   rpc_auth_pipe: wrong schannel auth len 24

Already fixed (everyone please listen this time!)

This was a bug introduced in 3.0.3 and 3.0.4. It is only seen, from what I can tell, by using a DC that does not support 128 bit encryption for signing and sealing of rpc packets. This includes Windows 2000 with no patches and non-us service packs (i'm guessing on the second one).

The fix for 3.0.4 is attached to https://bugzilla.samba.org/show_bug.cgi?id=1315

Anders, I posted this previously in response to one of the threads you referred to.
http://lists.samba.org/archive/samba/2004-May/085842.html

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home." ----------- Sting
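The original post's `wbinfo -t` / `wbinfo -a` failures and the explanation above (the `wrong schannel auth len` line is the bug-1315 signature, and everything logged after it in the same second is a consequence) can be turned into a repeatable triage rather than a visual scan of winbindd.log. The following is an added example written for this page; it is not Samba code, and the Samba project ships no such tool. It parses the Samba 3.0.x log layout shown in the post (header line, then indented message lines, with the source part sometimes wrapped onto its own line by the mail client), reports the first level-0 record as the root cause, maps the schannel signature to bug 1315 as Jerry describes, and collects the NT_STATUS codes. Two config checks are added on top: keys set twice in `[global]` (the posted smb.conf sets `log file` twice; Samba keeps the last value), and a comparison of the smb.conf `realm` with the realm that `net ads join` reported (the post shows HUDSON-OFFICE.LOCAL in smb.conf but HUDSON-OFFICE.ECEDIINC.COM in the join output). The realm comparison is a sanity check a practitioner would want, not something the thread diagnoses. The sample log, config fragment and join line are copied from the original post and embedded inline so the script runs offline.

```python
"""Triage a Samba 3 winbindd.log excerpt and the smb.conf behind it (added example, not Samba code).
Samba 3.0.x writes a header "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)" followed by
indented message lines; mail clients often wrap the source part onto its own line, which the
parser tolerates. The bug-1315 mapping is from Jerry Carter's reply; the realm comparison is
an extra sanity check, not something the thread diagnoses.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]"
                       r"(?:\s+(?P<src>\S+?\.c):(?P<func>\w+)\(\d+\))?\s*$")
SRC_RE = re.compile(r"^(?P<src>\S+?\.c):(?P<func>\w+)\(\d+\)\s*$")  # wrapped header tail
SCHANNEL_RE = re.compile(r"wrong schannel auth len (\d+)")
NTSTATUS_RE = re.compile(r"NT_STATUS_[A-Z_]+")
JOIN_RE = re.compile(r"Joined '\S+' to realm '(?P<realm>[^']+)'")

# Sample input copied from the original post; some headers wrapped as a mail client shows them.
SAMPLE_LOG = """\
[2004/05/13 17:49:41, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
  rpc_auth_pipe: wrong schannel auth len 24
[2004/05/13 17:49:41, 0]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
  cli_nt_setup_creds: request challenge failed
[2004/05/13 17:49:41, 2]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
  Checking the trust account password returned NT_STATUS_UNSUCCESSFUL
"""
SAMPLE_CONF = """\
[global]
    realm = HUDSON-OFFICE.LOCAL
    security = ads
    log file = /var/log/samba/samba-global.log
    log file = /var/log/samba/%m.log
"""
SAMPLE_JOIN = "Joined 'NASONE' to realm 'HUDSON-OFFICE.ECEDIINC.COM'"

@dataclass
class LogRecord:
    ts: str
    level: int  # Samba debug level of the record; 0 is the most severe
    src: str = ""
    func: str = ""
    msg: str = ""

def parse_samba_log(text: str) -> List[LogRecord]:
    """Group header and message lines into records, re-joining wrapped headers."""
    records: List[LogRecord] = []
    for line in (raw.strip() for raw in text.splitlines()):
        h = HEADER_RE.match(line) if line else None
        if h:
            records.append(LogRecord(h["ts"], int(h["level"]), h["src"] or "", h["func"] or ""))
        elif line and records:  # attach to the current record; text before any header is dropped
            cur, s = records[-1], SRC_RE.match(line)
            if s and not cur.src:
                cur.src, cur.func = s["src"], s["func"]
            else:
                cur.msg = (cur.msg + " " + line).strip()
    return records

def root_cause(records: List[LogRecord]) -> Optional[LogRecord]:
    """First level-0 record; the failures logged after it are its consequences."""
    return next((r for r in records if r.level == 0), None)

def triage_log(records: List[LogRecord]) -> List[Tuple[str, str]]:
    """(finding, detail) pairs in log order."""
    findings = []
    for r in records:
        m = SCHANNEL_RE.search(r.msg)
        if m:
            findings.append(("schannel_auth_len", f"{r.func} rejected a {m.group(1)}-byte schannel auth "
                             "trailer: Samba bug 1315 (3.0.3/3.0.4 against a DC without 128-bit RPC signing/sealing)"))
        for code in NTSTATUS_RE.findall(r.msg):
            findings.append(("nt_status", f"{r.func} returned {code}"))
    return findings

def parse_global(conf: str) -> Tuple[Dict[str, str], List[str]]:
    """[global] key/values, last value winning as in Samba, plus the keys set more than once."""
    values, dupes, section = {}, [], ""
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in values and key not in dupes:
                dupes.append(key)
            values[key] = val
    return values, dupes

def realm_mismatch(values: Dict[str, str], join_output: str) -> Optional[Tuple[str, str]]:
    """(configured, reported) when smb.conf 'realm' differs from what 'net ads join' printed."""
    m = JOIN_RE.search(join_output)
    if not m:
        return None
    configured, reported = values.get("realm", "").upper(), m["realm"].upper()
    return None if configured == reported else (configured, reported)
```

To use it on a real box, read `/var/log/samba/winbindd.log` into `parse_samba_log`, the `[global]` section of `/etc/samba/smb.conf` into `parse_global`, and the line `net ads join` printed into `realm_mismatch`; `root_cause` gives the record to search for first, which on this thread's log is `rpc_auth_pipe: wrong schannel auth len 24`, not the NT_STATUS_UNSUCCESSFUL that `wbinfo -t` shows on the terminal.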
Buchan Milne

William R. Lorenz wrote:
| [root@nasone samba]# net ads join -U Administrator
| Administrator's password:
| [2004/05/13 17:49:30, 0] libads/ldap.c:ads_add_machine_acct(1006)
|   Host account for nasone already exists - modifying old account
| Using short domain name -- ECHUDSON
| Joined 'NASONE' to realm 'HUDSON-OFFICE.ECEDIINC.COM'
| [root@nasone samba]# net rpc join -U Administrator
| Password:
| Joined domain ECHUDSON.
  ^^^ Surely this is redundant?

| [root@nasone samba]# wbinfo -t
| checking the trust secret via RPC calls failed
| error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
| Could not check secret
| [root@nasone samba]#
|
| After trying to do the `wbinfo -t`, I see the following in 'winbindd.log':
|
| [2004/05/13 17:49:41, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
|   Doing kerberos session setup
| [2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
|   rpc_auth_pipe: wrong schannel auth len 24

This looks like https://bugzilla.samba.org/show_bug.cgi?id=1315, where you will find a patch that fixed it for everyone who has tried (including me). The patch is also in the 3.0.4-2mdk packages in Mandrake cooker (and the RPMS for Mandrake 9.1-10 that hopefully should be available soon on the samba mirrors).

Regards,
Buchan
--
Buchan Milne
Senior Support Technician
Obsidian Systems
http://www.obsidian.co.za
B.Eng RHCE (803004789010797)