Folks:

I've got several systems attached to a 2003 domain where we use Kerberos to authenticate.

When I upgraded a system to the latest greatest Samba things stopped working. Just to find where it happened in the different versions of Samba I downloaded, built, & ran 3.0.23d to 3.0.25c using the same smb.conf file. Turns out the 2.0.23d and 3.0.24 work but from 3.0.25 on it fails. When it fails it prompts users to login and the system isn't in the proper domain any more so not sure where the issue is. I've looked at the 25 change log but frankly don't see anything obvious that would have caused this......

Here's the globals section of my smb.conf file:

[global]
   workgroup = XYZ
   interfaces = 1xx.2xx.9.5/24
   comment = Timmy, Samba Server version %v
   #status = yes
   browseable = yes
   guest account = nobody
   invalid users = root, daemon
   hosts allow = 1xx.2xx. 127.
   lock directory = /var/lock/subsys/smb
   log file = /var/log/samba/%m.log
   syslog = 1
   getwd cache = yes
   socket options = TCP_NODELAY
   keep alive = 3600
   dead time = 30
   locking = yes
   security = server
   #
   ntlm auth = no
   lanman auth = no
   client lanmn auth = no
   client ntlmv2 auth = yes
   #
   password server = xxxxxx.yyy.zzzzz.org
   local master = no
   os level = 33
   domain master = no
   preferred master = no
   wins support = no
   wins server = 1xx.2xx.181.100
   dns proxy = no
   #client code page = 437
   netbios aliases = timmy

-----------------------------------------------------------------------------------------------
From the log files..........
/var/log/samba/winxpclient.log file:

....when it works ......
[2008/01/16 17:21:13, 1] smbd/service.c:make_connection_snum(950)
  jarosa (1xx.2xx.9.58) connect to service MWFOLSOM initially as user mwfolsom (uid=4231, gid=100) (pid 2914)
[2008/01/16 17:21:39, 1] smbd/service.c:close_cnum(1150)
  jarosa (1xx.2xx.9.58) closed connection to service MWFOLSOM

....when it fails .....
[2008/01/16 17:35:47, 1] auth/auth_server.c:check_smbserver_security(362)
  password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password: NT_STATUS_LOGON_FAILURE
[2008/01/16 17:35:47, 1] auth/auth_server.c:check_smbserver_security(362)
  password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password: NT_STATUS_LOGON_FAILURE
[2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
  password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password: NT_STATUS_LOGON_FAILURE
[2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
  password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password: NT_STATUS_LOGON_FAILURE
[2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
  password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password: NT_STATUS_LOGON_FAILURE
[2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
  password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password: NT_STATUS_LOGON_FAILURE
[2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
  password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password: NT_STATUS_LOGON_FAILURE
[2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
  password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password: NT_STATUS_ACCOUNT_LOCKED_OUT
[2008/01/16 17:36:00, 1] auth/auth_server.c:check_smbserver_security(362)
  password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password: NT_STATUS_ACCOUNT_LOCKED_OUT
[2008/01/16 17:36:00, 1] auth/auth_server.c:check_smbserver_security(362)
  password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password: NT_STATUS_ACCOUNT_LOCKED_OUT

/var/log/smbd.log
[2008/01/16 17:34:39, 0] smbd/server.c:main(986)
  standard input is not a socket, assuming -D option
[2008/01/16 17:34:40, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(241)
  startsmbfilepwent_internal: file /usr/local/samba/private/smbpasswd did not exist. File successfully created.

Any and all help much appreciated!

Michael
Michael Folsom wrote:
> Folks:
>
> I've got several systems attached to a 2003 domain where we use
> Kerberos to authenticate.
>
> When I upgraded a system to the latest greatest Samba things stopped
> working. Just to find where it happened in the different versions of
> Samba I downloaded, built, & ran 3.0.23d to 3.0.25c using the same
> smb.conf file. Turns out the 2.0.23d and 3.0.24 work but from 3.0.25
> on it fails. When it fails it prompts users to login and the system
> isn't in the proper domain any more so not sure where the issue is.
> I've looked at the 25 change log but frankly don't see anything
> obvious that would have caused this......
>
> Here's the globals section of my smb.conf file:
>
> [global]
>    workgroup = XYZ
>    interfaces = 1xx.2xx.9.5/24
>    comment = Timmy, Samba Server version %v
>    #status = yes
>    browseable = yes
>    guest account = nobody
>    invalid users = root, daemon
>    hosts allow = 1xx.2xx. 127.
>    lock directory = /var/lock/subsys/smb
>    log file = /var/log/samba/%m.log
>    syslog = 1
>    getwd cache = yes
>    socket options = TCP_NODELAY
>    keep alive = 3600
>    dead time = 30
>    locking = yes
>    security = server
>    #
>    ntlm auth = no
>    lanman auth = no
>    client lanmn auth = no
>    client ntlmv2 auth = yes
>    #
>    password server = xxxxxx.yyy.zzzzz.org
>    local master = no
>    os level = 33
>    domain master = no
>    preferred master = no
>    wins support = no
>    wins server = 1xx.2xx.181.100
>    dns proxy = no
>    #client code page = 437
>    netbios aliases = timmy
>
> -----------------------------------------------------------------------------------------------
> From the log files..........
> /var/log/samba/winxpclient.log file:
>
> ....when it works ......
> [2008/01/16 17:21:13, 1] smbd/service.c:make_connection_snum(950)
>   jarosa (1xx.2xx.9.58) connect to service MWFOLSOM initially as user
>   mwfolsom (uid=4231, gid=100) (pid 2914)
> [2008/01/16 17:21:39, 1] smbd/service.c:close_cnum(1150)
>   jarosa (1xx.2xx.9.58) closed connection to service MWFOLSOM
> ....when it fails .....
> [2008/01/16 17:35:47, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:47, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_ACCOUNT_LOCKED_OUT
> [2008/01/16 17:36:00, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_ACCOUNT_LOCKED_OUT
> [2008/01/16 17:36:00, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_ACCOUNT_LOCKED_OUT
>
> /var/log/smbd.log
> [2008/01/16 17:34:39, 0] smbd/server.c:main(986)
>   standard input is not a socket, assuming -D option
> [2008/01/16 17:34:40, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(241)
>   startsmbfilepwent_internal: file /usr/local/samba/private/smbpasswd
>   did not exist. File successfully created.

Did you lose your domain SID somehow? I think this is held in secrets.tdb.

-- 
Ryan Novosielski - Systems Programmer II
novosirj@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630
Add msdfs root = yes to smb.conf. About 3.0.25 they changed the default to no and that caused all kinds of problems for me.

Michael Folsom wrote:
> Folks:
>
> I've got several systems attached to a 2003 domain where we use
> Kerberos to authenticate.
>
> When I upgraded a system to the latest greatest Samba things stopped
> working. Just to find where it happened in the different versions of
> Samba I downloaded, built, & ran 3.0.23d to 3.0.25c using the same
> smb.conf file. Turns out the 2.0.23d and 3.0.24 work but from 3.0.25
> on it fails. When it fails it prompts users to login and the system
> isn't in the proper domain any more so not sure where the issue is.
> I've looked at the 25 change log but frankly don't see anything
> obvious that would have caused this......
>
> Here's the globals section of my smb.conf file:
>
> [global]
>    workgroup = XYZ
>    interfaces = 1xx.2xx.9.5/24
>    comment = Timmy, Samba Server version %v
>    #status = yes
>    browseable = yes
>    guest account = nobody
>    invalid users = root, daemon
>    hosts allow = 1xx.2xx. 127.
>    lock directory = /var/lock/subsys/smb
>    log file = /var/log/samba/%m.log
>    syslog = 1
>    getwd cache = yes
>    socket options = TCP_NODELAY
>    keep alive = 3600
>    dead time = 30
>    locking = yes
>    security = server
>    #
>    ntlm auth = no
>    lanman auth = no
>    client lanmn auth = no
>    client ntlmv2 auth = yes
>    #
>    password server = xxxxxx.yyy.zzzzz.org
>    local master = no
>    os level = 33
>    domain master = no
>    preferred master = no
>    wins support = no
>    wins server = 1xx.2xx.181.100
>    dns proxy = no
>    #client code page = 437
>    netbios aliases = timmy
>
> -----------------------------------------------------------------------------------------------
> From the log files..........
> /var/log/samba/winxpclient.log file:
>
> ....when it works ......
> [2008/01/16 17:21:13, 1] smbd/service.c:make_connection_snum(950)
>   jarosa (1xx.2xx.9.58) connect to service MWFOLSOM initially as user
>   mwfolsom (uid=4231, gid=100) (pid 2914)
> [2008/01/16 17:21:39, 1] smbd/service.c:close_cnum(1150)
>   jarosa (1xx.2xx.9.58) closed connection to service MWFOLSOM
> ....when it fails .....
> [2008/01/16 17:35:47, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:47, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_LOGON_FAILURE
> [2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_ACCOUNT_LOCKED_OUT
> [2008/01/16 17:36:00, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_ACCOUNT_LOCKED_OUT
> [2008/01/16 17:36:00, 1] auth/auth_server.c:check_smbserver_security(362)
>   password server XXXXXX.YYY.ZZZZZZ.ORG rejected the password:
>   NT_STATUS_ACCOUNT_LOCKED_OUT
>
> /var/log/smbd.log
> [2008/01/16 17:34:39, 0] smbd/server.c:main(986)
>   standard input is not a socket, assuming -D option
> [2008/01/16 17:34:40, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(241)
>   startsmbfilepwent_internal: file /usr/local/samba/private/smbpasswd
>   did not exist. File successfully created.
>
> Any and all help much appreciated!
>
> Michael
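
An added example, not part of any message in this thread: a small parser for the per-client log format quoted in the original post, counting how many NT_STATUS_LOGON_FAILURE rejections preceded the first NT_STATUS_ACCOUNT_LOCKED_OUT and how quickly the lockout followed. The sample log is constructed (placeholder host, client and user names), and the header pattern assumes the timestamp layout shown in the post.

```python
import re
from datetime import datetime

# Constructed sample in the two-line entry format quoted in the thread
# (header line, then message). PDC.EXAMPLE.ORG is a placeholder host.
SAMPLE_LOG = """\
[2008/01/16 17:21:13, 1] smbd/service.c:make_connection_snum(950)
  client1 (192.0.2.58) connect to service SHARE initially as user alice
[2008/01/16 17:35:47, 1] auth/auth_server.c:check_smbserver_security(362)
  password server PDC.EXAMPLE.ORG rejected the password: NT_STATUS_LOGON_FAILURE
[2008/01/16 17:35:47, 1] auth/auth_server.c:check_smbserver_security(362)
  password server PDC.EXAMPLE.ORG rejected the password: NT_STATUS_LOGON_FAILURE
[2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
  password server PDC.EXAMPLE.ORG rejected the password: NT_STATUS_LOGON_FAILURE
[2008/01/16 17:35:50, 1] auth/auth_server.c:check_smbserver_security(362)
  password server PDC.EXAMPLE.ORG rejected the password: NT_STATUS_ACCOUNT_LOCKED_OUT
[2008/01/16 17:36:00, 1] auth/auth_server.c:check_smbserver_security(362)
  password server PDC.EXAMPLE.ORG rejected the password: NT_STATUS_ACCOUNT_LOCKED_OUT
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+\S+\(\d+\)$")
REJECT = re.compile(r"password server (\S+) rejected the password: (NT_STATUS_\w+)")
FAIL, LOCKED = "NT_STATUS_LOGON_FAILURE", "NT_STATUS_ACCOUNT_LOCKED_OUT"

def parse_rejections(text):
    """Return (timestamp, password_server, status) for each rejection entry."""
    events, stamp = [], None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:  # remember the timestamp for the message line that follows
            stamp = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        hit = REJECT.search(line)
        if hit and stamp is not None:
            events.append((stamp, hit.group(1), hit.group(2)))
    return events

def lockout_summary(events):
    """Summarise how many failed logons preceded the first lockout."""
    statuses = [status for _, _, status in events]
    if LOCKED not in statuses:
        return {"locked_out": False, "failures": statuses.count(FAIL)}
    first = statuses.index(LOCKED)
    failures = [e for e in events[:first] if e[2] == FAIL]
    elapsed = (events[first][0] - failures[0][0]).total_seconds() if failures else 0.0
    return {"locked_out": True, "failures": len(failures), "seconds_to_lockout": elapsed,
            "rejections_while_locked": statuses.count(LOCKED)}

if __name__ == "__main__":
    print(lockout_summary(parse_rejections(SAMPLE_LOG)))
```

These log entries carry no user name; with log file = /var/log/samba/%m.log the client machine is identified only by the file name, so attributing a lockout to an account needs the password server's own logs.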