samba - Nov 2004 - Domain authentication failing after a period of time

I am having an unusual bit of behavior with a recently upgraded 3.0.8
installation (from 3.0.2a). I upgraded the server and retained the
secrets.tdb file. The server itself is using security = domain, and it had
been joined to the domain prior to the upgrade. Now, once I started the
new version, I couldn't log on, and would get the error "There are no
logon servers available to service the logon request". If I
"rejoin" the
domain (using the net join command), I can access the shares, but only for
a period of time. After a few minutes (there doesn't seem to be a specific
interval), that same message is returned. Running a smbclient -L against
the system yields "session setup failed: NT_STATUS_NO_LOGON_SERVERS".

I haven't tried failing back to 3.0.2a yet, but I will if that will help
in any diagnoses.

Thanks in advance for any help anyone may be able to give.

			Bill Knox
			Lead Operating Systems Programmer/Analyst
			The MITRE Corporation

Adding a little bit more detail:

It still happens with a just upgraded 3.0.9 install

The period of time appears to be 15 minutes (tested twice, connecting
every 30 seconds, 15 minutes both times) - until then, connections work
fine. After that, see below.

Here is the output from a debug level 3 smbclient connection:

$ smbclient -d 3 -L \\\\server_name -U user%pass
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/path/to/smb.conf"
Processing section "[global]"
added interface ip=XXX.XXX.XXX.XXX bcast=XXX.XXX.XXX.XXX nmask=255.255.255.0
Client started (version 3.0.9).
resolve_lmhosts: Attempting lmhosts lookup for name server_name<0x20>
resolve_wins: Attempting wins lookup for name server_name<0x20>
resolve_wins: using WINS server XXX.XXX.XXX.XXX and tag '*'
Got a positive name query response from XXX.XXX.XXX.XXX ( XXX.XXX.XXX.XXX )
Connecting to XXX.XXX.XXX.XXX at port 445
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS

			Bill Knox
			Lead Operating Systems Programmer/Analyst
			The MITRE Corporation

On Thu, 18 Nov 2004, William R. Knox wrote:
> Date: Thu, 18 Nov 2004 14:36:53 -0500 (EST)
> From: William R. Knox <wknox@mitre.org>
> To: samba@lists.samba.org
> Subject: [Samba] Domain authentication failing after a period of time
>
> I am having an unusual bit of behavior with a recently upgraded 3.0.8
> installation (from 3.0.2a). I upgraded the server and retained the
> secrets.tdb file. The server itself is using security = domain, and it had
> been joined to the domain prior to the upgrade. Now, once I started the
> new version, I couldn't log on, and would get the error "There are
no
> logon servers available to service the logon request". If I
"rejoin" the
> domain (using the net join command), I can access the shares, but only for
> a period of time. After a few minutes (there doesn't seem to be a
specific
> interval), that same message is returned. Running a smbclient -L against
> the system yields "session setup failed:
NT_STATUS_NO_LOGON_SERVERS".
>
> I haven't tried failing back to 3.0.2a yet, but I will if that will
help
> in any diagnoses.
>
> Thanks in advance for any help anyone may be able to give.
>
> 			Bill Knox
> 			Lead Operating Systems Programmer/Analyst
> 			The MITRE Corporation
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>

Thanks for the advice - unfortunately, I don't think it applies, as we are
not in an Active Directory domain (or at least the NT compatibility is
turned on). And we aren't using winbind - this is strictly CIFS access
from Windows or via smbclient that is failing.

(Forwarded to list after contacting original sender off list).

			Bill Knox
			Lead Operating Systems Programmer/Analyst
			The MITRE Corporation

On Wed, 24 Nov 2004, brucehohl@access-4-free.com wrote:
> Date: Wed, 24 Nov 2004 08:38:32 -1200
> From: "brucehohl@access-4-free.com"
<brucehohl@access-4-free.com>
> To: William R. Knox <wknox@mitre.org>
> Subject: Re: [Samba] Domain authentication failing after a period of time
>
> > Anyone else seeing anything like this? Anyone have any
> > ideas? At this point, I'll try nearly anything. As I said,
> > everything had been working like a charm under 3.0.2a,
> > through a few upgrades and everything.
> >
> >             Bill Knox
> >             Lead Operating Systems Programmer/Analyst
> >             The MITRE Corporation
> >
>
> I had a similar problem with my test box of SuSE 9.1 + WinAD
> in that authentication would fail after some hours with
> 3.0.4.  I finally have the system stable as follows:  I
> updated to all the Samba 3.0.9 packages for Suse including
> heimdal kerberos update.  Authentication then failed so I
> reverted to samba-winbind-3.0.8 and all has been working for
> well since Monday.  But now I have a mix of samba-*
> packages.  As I can't risk these problems on a production
> box I ordered SLES 9.
>
> If you have not yet done so I suggest you check that you
> have any available patches for your version of kerberos.
> Good luck.
>

I didn't see that the "1c" server wasn't being queried until
after 15
minutes (thanks to Jeremy for taking hold of my hand and pointing this out
- I will never, EVER get my head wrapped around Windows browsing and why
that isn't queried until fifteen minutes after I join the domain). It
turned out that I was able to alert my Windows admin brethren to a problem
wherein one of their domain controller had a "tombstone" for their
"logon
server (1c)" records, and so were not responding properly.

One final note - though I hadn't had it before, during the course of some
testing, I put in a second domain controller that did have the 1c entries,
and that didn't help the situation, i.e. only the first "wins
server"
parameter entry seems to get queried for the DOMAIN#1C servers. I don't
know if this is a bug or the expected behavior, but I thought I would
mention it as part of the final wrap-up.

Thanks again to Jeremy for picking up my calls for help and pointing out
the flaw in my investigation.

			Bill Knox
			Lead Operating Systems Programmer/Analyst
			The MITRE Corporation

On Tue, 30 Nov 2004, Jeremy Allison wrote:
> Date: Tue, 30 Nov 2004 10:06:41 -0800
> From: Jeremy Allison <jra@samba.org>
> To: William R. Knox <wknox@mitre.org>
> Cc: Jeremy Allison <jra@samba.org>
> Subject: Re: [Samba] Domain authentication failing after a period of time
>
> On Tue, Nov 30, 2004 at 12:47:52PM -0500, William R. Knox wrote:
> > Here is the session - I ran the following commands during the session:
> >
> > 12:11:46 net join -U username%password
> > 12:11:51 smbclient -L \\\\corpdev2 -U username (prompted for and typed
in
> > password) - success
> > 12:25:54 same smbclient command as above - success
> > 12:27:01 same smbclient command as above, but this time it fails with
the
> > session setup failed: NT_STATUS_NO_LOGON_SERVERS error
>
> Your problem is that the NetBIOS name MITRE<1C> (ie. the
> NetBIOS name of the primary domain controller) can't
> be found. You can see these queries in packets 1489
> onwards. The client domain join isn't broken, it's fine,
> you've got a problem with name resolution.
>
> What are you using for name resolution ? Wins ?
>
> Jeremy.
>