dwhitlow1@wi.rr.com
2005-Aug-11 14:30 UTC
[Samba] Problem with AD/Samba and too many AD groups
I have a Redhat Enterprise Linux (v3.0) box running Samba 3.0.9-1.3E.3. This box only has two Samba shares created on it, each of them with a single "valid users" entry. The relevant smb.conf information is included below. The problem is that when user1 tries to connect to \\server\user1 and authenticate via AD, the connection fails with an "unknown username or bad password" error on their Windows box. On the Samba server, the error in the logs relates to NT_STATUS_WRONG_PASSWORD. Here's the catch though. When I remove that account from a couple of AD groups, the connection succeeds. It appears there is some limit on the number of groups that user1 can be a member of. wbinfo -G DOMAIN\\USER1 returns ~423 AD groups. When I get that number down under ~400, the connection works fine. As an aside, user2 belongs to ~180 groups and has no problems connecting. Is there some limit within Samba that can be increased to allow for a user to be a member of >400 AD groups? I don't want to remove the user from the groups they are a member of if at all possible. Some are distribution lists, others are needed for security and so on. NGROUPS_MAX is set to 32, but we are obviously way past that limit for both accounts, so I don't know if that setting comes into play or not. Any help on this would be greatly appreciated.
Thanks in advance,
Don

# Global parameters
[global]
        workgroup = QG
        realm = QG.COM
        security = ADS
        log file = /var/log/samba/%m.log
        dns proxy = no
        ldap ssl = no
        idmap uid = 10000-100000
        idmap gid = 10000-100000
        winbind cache time = 60
        winbind enum users = no
        winbind enum groups = no
        log level = 3

[user1]
        path = /user1
        valid users = DOMAIN\USER1
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

[user2]
        path = /user2
        valid users = DOMAIN\USER2
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

------ Log file output

[2005/08/11 09:27:14, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [domain]\[user1]@[machinename] with the new password interface
[2005/08/11 09:27:14, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [domain]\[user1]@[machinename]
[2005/08/11 09:27:14, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/08/11 09:27:14, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/08/11 09:27:14, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/08/11 09:27:14, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/08/11 09:27:14, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/08/11 09:27:17, 3] smbd/process.c:process_smb(1091)
  Transaction 5 of length 16626
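As an added diagnostic (this script is not part of Don's post and is not Samba's own tooling), the following POSIX shell counts the groups winbind resolves for a user and compares the count with the kernel's NGROUPS_MAX and with an empirical threshold. It assumes `wbinfo -r USER` prints one GID per line for the user's groups and that `getconf NGROUPS_MAX` reports the kernel limit. The default threshold of 400 is taken from the observation in the post above; it is not a documented Samba limit. The sample GID list embedded in the script is constructed so that it runs stand-alone without winbind.

```shell
#!/bin/sh
# Added example: count a user's winbind-resolved groups and flag the two
# limits that matter in the post above: the kernel's NGROUPS_MAX (32 on a
# 2.4-era RHEL 3 kernel) and an empirical Samba-side threshold (~400,
# observed by the poster, not a documented limit).

# Count non-empty lines of "wbinfo -r USER"-style output (one GID per line).
count_groups() {
    printf '%s\n' "$1" | grep -c '[^[:space:]]'
}

# Classify a group count against the kernel limit and the empirical
# threshold. Prints one of: OK, OVER_NGROUPS_MAX, OVER_THRESHOLD.
classify_group_count() {
    count=$1
    ngroups_max=$2
    threshold=$3
    if [ "$count" -gt "$threshold" ]; then
        echo OVER_THRESHOLD
    elif [ "$count" -gt "$ngroups_max" ]; then
        echo OVER_NGROUPS_MAX
    else
        echo OK
    fi
}

# Live wrapper: query winbind for a real user. Not called by the stand-alone
# run below; invoke as  report_user 'DOMAIN\user1' [threshold]  on the server.
report_user() {
    user=$1
    threshold=${2:-400}
    if ! command -v wbinfo >/dev/null 2>&1; then
        echo "wbinfo not found; is winbind installed?" >&2
        return 1
    fi
    gids=$(wbinfo -r "$user") || {
        echo "wbinfo -r $user failed (is winbindd running and the box joined?)" >&2
        return 1
    }
    count=$(count_groups "$gids")
    max=$(getconf NGROUPS_MAX)
    printf '%s: %s groups (NGROUPS_MAX=%s) -> %s\n' "$user" "$count" "$max" \
        "$(classify_group_count "$count" "$max" "$threshold")"
}

# Constructed sample standing in for live "wbinfo -r" output (five GIDs).
SAMPLE_GIDS='10001
10002
10003
10004
10005'

main() {
    count=$(count_groups "$SAMPLE_GIDS")
    printf 'sample user: %s groups -> %s\n' "$count" \
        "$(classify_group_count "$count" 32 400)"
    # The two accounts from the post, with NGROUPS_MAX=32 as on the poster's box:
    printf 'user1 (423 groups) -> %s\n' "$(classify_group_count 423 32 400)"
    printf 'user2 (180 groups) -> %s\n' "$(classify_group_count 180 32 400)"
}

main "$@"
```

Run it as root on the Samba server and pass each affected account to `report_user`; the OVER_NGROUPS_MAX result for both users matches the post's own point that the kernel limit alone does not explain why user1 fails and user2 does not.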