Lamar.Saxon@americredit.com
2007-Oct-25 15:01 UTC
[Samba] Samba 3.0.25c and Samba 3.0.26a on AIX 5.3 - Windows Service Accounts & smbclient issues...
Just the beginning of a question to anyone who might have experienced the following issue with Samba 3.0.2[5-6] series.

We currently have service accounts accessing Samba shares on AIX 5.3 servers (from TL04 - TL06). Most of the processes access the shares via UNC rather than mapped drives. After completing the upgrade to Samba 3.0.26a on the production side, the service accounts started getting locked out of the domain due to invalid logins; but in most instances we could connect to the share using the user ID and password with no issues. A roll back to Samba 3.0.24 fixed the issue. Regular users/accounts are having no issues mapping to shares and working as normal.

We are using SECURITY = SERVER and specified a DC as the password server.

From the global settings of the smb.conf:

    [global]
    workgroup = AMERICREDIT
    server string = BCERPDB1 AIX SAMBA Server
    interfaces = 10.193.3.138/24
    bind interfaces only = Yes
    security = SERVER
    update encrypted = Yes
    password server = srvdcbnt01.acf.americredit.com
    username map = /usr/local/samba/var/users.map
    restrict anonymous = 2
    lanman auth = No
    ntlm auth = No
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    log file = /usr/local/samba/var/log/log.%m
    max log size = 1024
    socket options
    load printers = No
    wins server = 10.193.7.90
    ldap ssl = no
    socket address = 10.193.3.138
    admin users = mgipso1, tcato1, bhock1, amunoz1, lsaxon1
    create mask = 0664
    directory mask = 0775
    preserve case = No
    short preserve case = No
    delete veto files = Yes
    veto files = /*.eml/
    mangled names = No
    browseable = No
    restrict anonymous = 2

In the logs we see the following:

    [2007/10/17 07:29:28, 1] auth/auth_server.c:check_smbserver_security(362)
      password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_LOGON_FAILURE
    [2007/10/17 07:29:28, 0] lib/access.c:check_access(327)
      Denied connection from (10.192.7.210)
    [2007/10/17 07:29:28, 1] auth/auth_server.c:check_smbserver_security(362)
      password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_LOGON_FAILURE
    [2007/10/17 07:29:34, 0] lib/access.c:check_access(327)
      Denied connection from (10.192.7.210)
    [2007/10/17 07:29:34, 1] auth/auth_server.c:check_smbserver_security(362)
      password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_LOGON_FAILURE
    [2007/10/17 07:29:34, 0] lib/access.c:check_access(327)
      Denied connection from (10.192.7.210)
    [2007/10/17 07:29:34, 1] auth/auth_server.c:check_smbserver_security(362)
      password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_LOGON_FAILURE
    [2007/10/17 07:29:43, 0] lib/access.c:check_access(327)
      Denied connection from (10.192.7.210)
    [2007/10/17 07:29:43, 1] auth/auth_server.c:check_smbserver_security(362)
      password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_LOGON_FAILURE
    [2007/10/17 07:29:43, 0] lib/access.c:check_access(327)
      Denied connection from (10.192.7.210)
    [2007/10/17 07:29:43, 1] auth/auth_server.c:check_smbserver_security(362)
      password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_ACCOUNT_LOCKED_OUT

Also, on the same note after upgrading Samba to 3.0.26a; smbclient has issues connecting to the same shares while 3.0.24 has none... 3.0.24 smbclient cannot connect to 3.0.26 servers nor can 3.0.26 smbclient connect to 3.0.26 servers.

3.0.24 smbclient to 3.0.24 Samba Server:

    root@bcerpdb1:/usr/local/samba/var/log:> /usr/local/samba/sbin/smbd -V
    Version 3.0.24
    root@bcerpdb1:/usr/local/samba/var/log:> /usr/local/samba/bin/smbclient -U lsaxon1 //aoccdw1/datarepos
    Password:
    Domain=[AMERICREDIT] OS=[Unix] Server=[Samba 3.0.24]
    smb: \> quit

3.0.24 smbclient to 3.0.26a Samba Server:

    root@bcerpdb1:/usr/local/samba/var/log:> /usr/local/samba/bin/smbclient -U lsaxon1 //aoctoolbox/instimages
    Password:
    session setup failed: NT_STATUS_LOGON_FAILURE
    root@bcerpdb1:/usr/local/samba/var/log:>

With debug 5:

    root@bcerpdb1:/usr/local/samba/var/log:> /usr/local/samba/bin/smbclient -d 5 -U lsaxon1 //aoctoolbox/instimages
    INFO: Current debug levels:
      all: True/5
      tdb: False/0
      printdrivers: False/0
      lanman: False/0
      smb: False/0
      rpc_parse: False/0
      rpc_srv: False/0
      rpc_cli: False/0
      passdb: False/0
      sam: False/0
      auth: False/0
      winbind: False/0
      vfs: False/0
      idmap: False/0
      quota: False/0
      acls: False/0
      locking: False/0
      msdfs: False/0
      dmapi: False/0
    lp_load: refreshing parameters
    Initialising global parameters
    params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
    Processing section "[global]"
    doing parameter workgroup = AMERICREDIT
    doing parameter server string = BCERPDB1 AIX SAMBA Server
    doing parameter interfaces = 10.193.3.138/24
    doing parameter bind interfaces only = Yes
    doing parameter security = SERVER
    doing parameter update encrypted = Yes
    doing parameter password server = srvdcbnt01.acf.americredit.com
    doing parameter username map = /usr/local/samba/var/users.map
    doing parameter restrict anonymous = 2
    doing parameter lanman auth = No
    doing parameter ntlm auth = No
    doing parameter client NTLMv2 auth = Yes
    doing parameter client lanman auth = No
    doing parameter client plaintext auth = No
    doing parameter log file = /usr/local/samba/var/log/log.%m
    doing parameter max log size = 1024
    doing parameter socket options
    doing parameter load printers = No
    doing parameter wins server = 10.193.7.90
    doing parameter ldap ssl = no
    doing parameter socket address = 10.193.3.138
    doing parameter admin users = mgipso1, tcato1, bhock1, amunoz1, lsaxon1
    doing parameter create mask = 0664
    doing parameter directory mask = 0775
    doing parameter preserve case = No
    doing parameter short preserve case = No
    doing parameter delete veto files = Yes
    doing parameter veto files = /*.eml/
    doing parameter mangled names = No
    doing parameter browseable = No
    doing parameter restrict anonymous = 2
    pm_process() returned Yes
    Attempting to register new charset UCS-2LE
    Registered charset UCS-2LE
    Attempting to register new charset UTF-16LE
    Registered charset UTF-16LE
    Attempting to register new charset UCS-2BE
    Registered charset UCS-2BE
    Attempting to register new charset UTF-16BE
    Registered charset UTF-16BE
    Attempting to register new charset UTF8
    Registered charset UTF8
    Attempting to register new charset UTF-8
    Registered charset UTF-8
    Attempting to register new charset ASCII
    Registered charset ASCII
    Attempting to register new charset 646
    Registered charset 646
    Attempting to register new charset ISO-8859-1
    Registered charset ISO-8859-1
    Attempting to register new charset UCS2-HEX
    Registered charset UCS2-HEX
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    Substituting charset 'ISO8859-1' for LOCALE
    added interface ip=10.193.3.138 bcast=10.193.3.255 nmask=255.255.255.0
    Netbios name list:-
    my_netbios_names[0]="BCERPDB1"
    Client started (version 3.0.24).
    Opening cache file at /usr/local/samba/var/locks/gencache.tdb
    name aoctoolbox#20 found.
    Connecting to 10.253.148.11 at port 445
    socket option SO_KEEPALIVE = 0
    socket option SO_REUSEADDR = 0
    socket option SO_BROADCAST = 0
    socket option TCP_NODELAY = 0
    socket option TCP_KEEPCNT = 8
    socket option TCP_KEEPIDLE = 360
    socket option TCP_KEEPINTVL = 75
    socket option IPTOS_LOWDELAY = 0
    socket option IPTOS_THROUGHPUT = 0
    socket option SO_REUSEPORT = 0
    socket option SO_SNDBUF = 262088
    socket option SO_RCVBUF = 130320
    socket option SO_SNDLOWAT = 16383
    socket option SO_RCVLOWAT = 1
    socket option SO_SNDTIMEO = 0
    socket option SO_RCVTIMEO = 0
    session request ok
    size=127
    smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201
    smb_tid=0 smb_pid=36418 smb_uid=0 smb_mid=1 smt_wct=17
    smb_vwv[ 0]= 7 (0x7)
    smb_vwv[ 1]=12803 (0x3203)
    smb_vwv[ 2]= 256 (0x100)
    smb_vwv[ 3]= 1024 (0x400)
    smb_vwv[ 4]= 65 (0x41)
    smb_vwv[ 5]= 0 (0x0)
    smb_vwv[ 6]= 256 (0x100)
    smb_vwv[ 7]= 9216 (0x2400)
    smb_vwv[ 8]= 108 (0x6C)
    smb_vwv[ 9]=64768 (0xFD00)
    smb_vwv[10]=33011 (0x80F3)
    smb_vwv[11]= 128 (0x80)
    smb_vwv[12]=49166 (0xC00E)
    smb_vwv[13]= 5095 (0x13E7)
    smb_vwv[14]=51223 (0xC817)
    smb_vwv[15]=11265 (0x2C01)
    smb_vwv[16]= 1 (0x1)
    smb_bcc=58
    size=127
    smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201
    smb_tid=0 smb_pid=36418 smb_uid=0 smb_mid=1 smt_wct=17
    smb_vwv[ 0]= 7 (0x7)
    smb_vwv[ 1]=12803 (0x3203)
    smb_vwv[ 2]= 256 (0x100)
    smb_vwv[ 3]= 1024 (0x400)
    smb_vwv[ 4]= 65 (0x41)
    smb_vwv[ 5]= 0 (0x0)
    smb_vwv[ 6]= 256 (0x100)
    smb_vwv[ 7]= 9216 (0x2400)
    smb_vwv[ 8]= 108 (0x6C)
    smb_vwv[ 9]=64768 (0xFD00)
    smb_vwv[10]=33011 (0x80F3)
    smb_vwv[11]= 128 (0x80)
    smb_vwv[12]=49166 (0xC00E)
    smb_vwv[13]= 5095 (0x13E7)
    smb_vwv[14]=51223 (0xC817)
    smb_vwv[15]=11265 (0x2C01)
    smb_vwv[16]= 1 (0x1)
    smb_bcc=58
    Password:
    Doing spnego session setup (blob length=58)
    got OID=1 3 6 1 4 1 311 2 2 10
    got principal=NONE
    size=346
    smb_com=0x73 smb_rcls=22 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51201
    smb_tid=0 smb_pid=36418 smb_uid=100 smb_mid=2 smt_wct=4
    smb_vwv[ 0]= 255 (0xFF)
    smb_vwv[ 1]= 0 (0x0)
    smb_vwv[ 2]= 0 (0x0)
    smb_vwv[ 3]= 241 (0xF1)
    smb_bcc=303
    size=346
    smb_com=0x73 smb_rcls=22 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51201
    smb_tid=0 smb_pid=36418 smb_uid=100 smb_mid=2 smt_wct=4
    smb_vwv[ 0]= 255 (0xFF)
    smb_vwv[ 1]= 0 (0x0)
    smb_vwv[ 2]= 0 (0x0)
    smb_vwv[ 3]= 241 (0xF1)
    smb_bcc=303
    Got challenge flags:
    Got NTLMSSP neg_flags=0x60820215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_CHAL_ACCEPT_RESPONSE
      NTLMSSP_CHAL_TARGET_INFO
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60000215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60000215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP Sign/Seal - using NTLM1
    size=35
    smb_com=0x73 smb_rcls=109 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51201
    smb_tid=0 smb_pid=36418 smb_uid=100 smb_mid=3 smt_wct=0
    smb_bcc=0
    size=35
    smb_com=0x73 smb_rcls=109 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51201
    smb_tid=0 smb_pid=36418 smb_uid=100 smb_mid=3 smt_wct=0
    smb_bcc=0
    SPNEGO login failed: Logon failure
    session setup failed: NT_STATUS_LOGON_FAILURE

3.0.26a smbclient to Samba 3.0.24 server is okay:

    lsaxon1@aoctoolbox:/home/lsaxon1:> /usr/local/samba/sbin/smbd -V
    Version 3.0.26a
    lsaxon1@aoctoolbox:/home/lsaxon1:> /usr/local/samba/bin/smbclient -U lsaxon1 //aoccdw1/datarepos
    Password:
    Domain=[AMERICREDIT] OS=[Unix] Server=[Samba 3.0.24]
    smb: \>

3.0.26a smbclient to Samba 3.0.26a server does not work:

    lsaxon1@aoctoolbox:/home/lsaxon1:> /usr/local/samba/bin/smbclient -U lsaxon1 //aoctoolbox/instimages
    Password:
    session setup failed: NT_STATUS_LOGON_FAILURE
    lsaxon1@aoctoolbox:/home/lsaxon1:>

with basically the same messages in the debug log from the other attempt.

I will assist in any way to help resolve this issue or configuration problem. Just wondering if anyone else might be experiencing these issues. Due to security concerns with 3.0.24, I was hoping to complete the upgrade to 3.0.26a.

Thanks,
Lamar
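
Added example (not part of the original post, and not Samba code): a small parser for log.%m entries like the ones quoted in the post that counts how many NT_STATUS_LOGON_FAILURE rejections precede each NT_STATUS_ACCOUNT_LOCKED_OUT and over what time span, so the client's retry behaviour can be compared with the domain lockout threshold. The sample log is constructed from the timestamps in the post; the server name DC1.EXAMPLE.COM and the 60-second window are assumptions.

```python
import re
from datetime import datetime

# One Samba 3.0.x log entry: "[date time, level] file:function(line)", then the
# message. Matching over the whole text also copes with logs flattened to one line.
ENTRY = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\]\s+(\S+)\s+(.*?)"
    r"(?=\[\d{4}/\d\d/\d\d |\Z)", re.S)
REJECT = re.compile(r"password server (\S+) rejected the password: (NT_STATUS_\w+)")

def parse_rejections(text):
    """Return [(timestamp, password_server, status)] for auth_server rejections."""
    events = []
    for ts, _where, msg in ENTRY.findall(text):
        m = REJECT.search(msg)
        if m:
            when = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")
            events.append((when, m.group(1), m.group(2)))
    return events

def lockout_bursts(events, window_s=60):
    """For each ACCOUNT_LOCKED_OUT, count LOGON_FAILUREs in the preceding window."""
    bursts = []
    for i, (ts, server, status) in enumerate(events):
        if status != "NT_STATUS_ACCOUNT_LOCKED_OUT":
            continue
        prior = [t for t, _, s in events[:i]
                 if s == "NT_STATUS_LOGON_FAILURE"
                 and 0 <= (ts - t).total_seconds() <= window_s]
        if prior:
            bursts.append({"locked_at": ts, "server": server,
                           "failures": len(prior),
                           "span_s": int((ts - prior[0]).total_seconds())})
    return bursts

def _entry(ts, level, where, msg):  # one constructed two-line log entry
    return f"[2007/10/17 {ts}, {level}] {where}\n  {msg}\n"

AUTH = "auth/auth_server.c:check_smbserver_security(362)"
REJ = "password server DC1.EXAMPLE.COM rejected the password: NT_STATUS_"
# Constructed sample: timestamps follow the post's excerpt; server name is a placeholder.
SAMPLE_LOG = "".join(
    [_entry(t, 1, AUTH, REJ + "LOGON_FAILURE")
     for t in ("07:29:28", "07:29:28", "07:29:34", "07:29:34", "07:29:43")]
    + [_entry("07:29:43", 0, "lib/access.c:check_access(327)",
              "Denied connection from (10.192.7.210)"),
       _entry("07:29:43", 1, AUTH, REJ + "ACCOUNT_LOCKED_OUT")])
print(lockout_bursts(parse_rejections(SAMPLE_LOG)))
```

On the sample this reports five failures within 15 seconds before the lockout, the pattern of an unattended process retrying a rejected credential.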