I have been using 2003 AD servers for winbind for many years, and now
2008 is phasing in, but I can't authenticate using the new servers, and
I'm not sure what to do. All advice very welcome.

This is a problem for me on both Gentoo (samba 3.0.33) and Debian Lenny
(samba 3.0.24).

For debugging, I ran winbind interactively and piped output to a file
(winbindd -d 3 -i).

I have also posted the complete files to a pastebin:
Working AD: http://pastebin.ca/1988167
Non-working AD: http://pastebin.ca/1988169

I did this for working and non-working ADs, and each time, I exercised
the winbind daemon with the same commands, and then diff'ed the files.

Both ADs behave the same for the following commands:
wbinfo -g
wbinfo -u
net ads info

However, the following commands do not work using the 2008 AD.
kinit john
kinit(v5): KDC has no support for encryption type while getting initial credentials
wbinfo --all-domains
<empty>
wbinfo -m
Could not list trusted domains
wbinfo -t
checking the trust secret via RPC calls succeeded
wbinfo -a MS+john%'mypasswd'
plaintext password authentication failed
error code was NT code 0x00000721 (0x721)
error messsage was: NT code 0x00000721
Could not authenticate user MS+john%mypasswd with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user MS+john with challenge/response

The winbind logs are long, and attaching to this email seems wrong, so I
have a difference summary below.

---First:---
The working AD shows this:
get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
Doing spnego session setup (blob length=104)

The non-working AD shows this:
get_dc_list: preferred server list: ", 192.168.50.12"
Connected to LDAP server 192.168.50.12
get_dc_list: preferred server list: ", 192.168.50.12"
Connected to LDAP server 192.168.50.12
get_dc_list: preferred server list: ", 192.168.50.12"
get_dc_list: preferred server list: ", 192.168.50.12"
get_dc_list: preferred server list: ", 192.168.50.12"
get_dc_list: preferred server list: ", 192.168.50.12"
get_dc_list: preferred server list: ", 192.168.50.12"
get_dc_list: preferred server list: ", 192.168.50.12"
Doing spnego session setup (blob length=136)
got OID=1 3 6 1 4 1 311 2 2 30

---Second:---
The working AD shows this:
got principal=ad1$@MS.MYDOMAIN.COM

The non-working AD shows this:
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: got a bad server principal, trying to guess ...
cli_session_setup_spnego: guessed server principal=AD4$@MS.MYDOMAIN.COM

---Third:---
The working AD shows this:
got principal=ad1$@MS.MYDOMAIN.COM
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 11 Nov 2010 06:53:02 PST
rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \lsarpc fnum 0x4003 bind request returned ok.
rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \lsarpc fnum 0x4002 bind request returned ok.

The non-working AD shows this:
got principal=not_defined_in_RFC4178 at please_ignore
Kinit failed: KDC has no support for encryption type
Doing spnego session setup (blob length=136)
got OID=1 3 6 1 4 1 311 2 2 30
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \lsarpc fnum 0x800d bind request returned ok.
rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \lsarpc fnum 0x800e bind request returned ok.

---Fourth:---
The working AD shows this:
[ 4325]: pam auth MS+john
[ 4318]: dual pam auth MS+john
[ 4325]: request misc info
[ 4325]: pam auth crap domain: [MS] user: john
[ 4318]: pam auth crap domain: MS user: john
[ 4327]: request interface version
[ 4327]: request location of privileged pipe
[ 4327]: check machine account
[ 4318]: check machine account
get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
Doing spnego session setup (blob length=104)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=ad1$@MS.MYDOMAIN.COM
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 11 Nov 2010 16:43:26 PST
rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \NETLOGON fnum 0x800c bind request returned ok.
rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \NETLOGON fnum 0x8008 bind request returned ok.
secret is good
[ 4328]: request interface version
[ 4328]: request location of privileged pipe
[ 4328]: list trusted domains
[ 4318]: list trusted domains
[ 4330]: request interface version
[ 4330]: request location of privileged pipe
[ 4330]: list trusted domains
[ 4318]: list trusted domains
[ 4341]: request interface version
[ 4341]: request location of privileged pipe
[ 4341]: getgroups root
[ 4318]: lookupname MS+root
rpc: name_to_sid name=MS\root
name_to_sid [rpc] MS\root for domain MS
rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \lsarpc fnum 0xc004 bind request returned ok.
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
lsa_io_sec_qos: length c does not match size 8

The non-working AD shows this:
[ 4503]: pam auth MS+johns
[ 4441]: dual pam auth MS+johns
cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0x400c!
Plain-text authentication for user MS+johns returned NT code 0x00000721 (PAM: 4)
[ 4503]: request misc info
[ 4503]: pam auth crap domain: [MS] user: johns
[ 4441]: pam auth crap domain: MS user: johns
rpc_api_pipe: Remote machine AD4.ms.msli.com pipe \NETLOGON fnum 0x400creturned critical error.
Error was NT_STATUS_PIPE_DISCONNECTED
NTLM CRAP authentication for user [MS]\[johns] returned NT_STATUS_PIPE_DISCONNECTED (PAM: 4)
[ 4505]: request interface version
[ 4505]: request location of privileged pipe
[ 4505]: check machine account
[ 4441]: check machine account
get_dc_list: preferred server list: "192.168.50.12, 192.168.50.12"
get_dc_list: preferred server list: "192.168.50.12, 192.168.50.12"
Doing spnego session setup (blob length=136)
got OID=1 3 6 1 4 1 311 2 2 30
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: got a bad server principal, trying to guess ...
cli_session_setup_spnego: guessed server principal=AD4$@MS.MYDOMAIN.COM
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 11 Nov 2010 16:46:46 PST
rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0xc002 bind request returned ok.
rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0xc005 bind request returned ok.
secret is good
[ 4506]: request interface version
[ 4506]: request location of privileged pipe
[ 4506]: list trusted domains
[ 4441]: list trusted domains
winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_INVALID_PARAMETER
[ 4508]: request interface version
[ 4508]: request location of privileged pipe
[ 4508]: list trusted domains
[ 4441]: list trusted domains
winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_INVALID_PARAMETER
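The hand diff the post describes (same commands against both DCs, then compare the `winbindd -d 3 -i` output) can be made repeatable. The script below is an added example written for this page; it is not code from the original post or from the Samba project. It scans two logs for the signatures quoted in the post and reports only what appears in the non-working one, so that lines present in both (the NTLMSSP negotiation, for instance) are not mistaken for the cause. The two log excerpts embedded in it are constructed from lines quoted above; the `meaning` strings and the blocking/non-blocking classification are this example's reading of those lines, not something the post states. The constants it decodes are standard Windows values: DCERPC fault 0x721 is the Win32 RPC status RPC_S_SEC_PKG_ERROR (1825), OID 1.3.6.1.4.1.311.2.2.30 is NEGOEX, and "KDC has no support for encryption type" is Kerberos KDC_ERR_ETYPE_NOSUPP.

```python
"""Triage two `winbindd -d 3 -i` logs (working DC vs. non-working DC).

Added example for this page; not code from the original post or from Samba.
The log excerpts below are constructed from lines quoted in the thread.
"""
import re
from collections import Counter, namedtuple

# `blocking` is this example's own reading of the log: does the finding stop
# user authentication, or is it noise that winbind visibly recovers from?
Signature = namedtuple("Signature", "name pattern blocking meaning")

SIGNATURES = [
    Signature("empty_dc_entry", re.compile(r'preferred server list: ",'), False,
              "leading empty entry in the preferred DC list"),
    Signature("negoex_offered", re.compile(r"got OID=1 3 6 1 4 1 311 2 2 30\s*$"), False,
              "DC advertises NEGOEX (1.3.6.1.4.1.311.2.2.30) in its SPNEGO token"),
    Signature("bad_spnego_principal", re.compile(r"got principal=not_defined_in_RFC4178"), False,
              "no usable server principal in the SPNEGO token; winbind guesses "
              "HOST$@REALM and the log shows it then proceeds"),
    Signature("kinit_etype_unsupported", re.compile(r"KDC has no support for encryption type"), True,
              "KDC_ERR_ETYPE_NOSUPP: client and KDC share no Kerberos enctype"),
    Signature("ntlmssp_fallback", re.compile(r"Got NTLMSSP neg_flags="), False,
              "session setup negotiated NTLMSSP rather than Kerberos"),
    Signature("netlogon_fault_0x721", re.compile(r"DCERPC fault 0x00000721 .*pipe \\NETLOGON"), True,
              "fault 0x721 = Win32 RPC_S_SEC_PKG_ERROR (1825) on \\NETLOGON: "
              "the DC faulted the call at the security-package layer"),
    Signature("netlogon_pipe_disconnected", re.compile(r"NT_STATUS_PIPE_DISCONNECTED"), True,
              "\\NETLOGON was torn down, so challenge/response auth cannot complete"),
    Signature("trusted_domains_invalid_parameter",
              re.compile(r"trusted_domains returned NT_STATUS_INVALID_PARAMETER"), False,
              "trusted-domain enumeration rejected with NT_STATUS_INVALID_PARAMETER"),
]


def triage(log_text):
    """Count, per signature, how many lines of one log match it."""
    hits = Counter()
    for line in log_text.splitlines():
        for sig in SIGNATURES:
            if sig.pattern.search(line):
                hits[sig.name] += 1
    return dict(hits)


def diff_triage(working_log, broken_log):
    """Signatures seen in the broken log but never in the working one."""
    good = triage(working_log)
    return {name: n for name, n in triage(broken_log).items() if name not in good}


def report(findings):
    """Printable lines, blocking findings ('!!') before informational ('--')."""
    by_name = {s.name: s for s in SIGNATURES}
    ordered = sorted(findings, key=lambda n: (not by_name[n].blocking, n))
    return ["%s %s (x%d): %s" % ("!!" if by_name[n].blocking else "--",
                                 n, findings[n], by_name[n].meaning) for n in ordered]


# Constructed excerpt of the working-DC log (lines taken from the post).
WORKING_LOG = r"""
get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
Doing spnego session setup (blob length=104)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=ad1$@MS.MYDOMAIN.COM
Doing kerberos session setup
rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \NETLOGON fnum 0x800c bind request returned ok.
secret is good
[ 4318]: lookupname MS+root
Got NTLMSSP neg_flags=0x62898235
"""

# Constructed excerpt of the non-working (2008) DC log (lines taken from the post).
BROKEN_LOG = r"""
get_dc_list: preferred server list: ", 192.168.50.12"
Doing spnego session setup (blob length=136)
got OID=1 3 6 1 4 1 311 2 2 30
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: guessed server principal=AD4$@MS.MYDOMAIN.COM
Kinit failed: KDC has no support for encryption type
Got NTLMSSP neg_flags=0x62898215
cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0x400c!
Plain-text authentication for user MS+johns returned NT code 0x00000721 (PAM: 4)
Error was NT_STATUS_PIPE_DISCONNECTED
NTLM CRAP authentication for user [MS]\[johns] returned NT_STATUS_PIPE_DISCONNECTED (PAM: 4)
winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_INVALID_PARAMETER
winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_INVALID_PARAMETER
"""

if __name__ == "__main__":
    for line in report(diff_triage(WORKING_LOG, BROKEN_LOG)):
        print(line)
```

Run it as-is to see the report for the constructed excerpts, or replace the two constants with the contents of the two pastebin files. The point of `diff_triage` is the same as the poster's manual diff: the NTLMSSP negotiation shows up against the working DC too (for the \lsarpc lookup), so it drops out, and what remains blocking is the enctype mismatch on kinit and the \NETLOGON security-package fault followed by the pipe teardown. The KB article the reply below points to, KB942564, describes the Net Logon service on Windows Server 2008 domain controllers refusing by default the older cryptography that NT 4.0-era clients use; that is the layer on \NETLOGON where a security-package fault would be raised, though the thread itself does not confirm that this is the cause here.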
Ray Van Dolson
2010-Nov-11 16:12 UTC
[Samba] trouble switching winbind to use a new AD 2008
On Thu, Nov 11, 2010 at 08:09:50AM -0800, John Stile wrote:
> I have been using 2003 AD servers for winbind for many years, and now
> 2008 is phasing in, but I can't authenticate using the new servers, and
> I'm not sure what to do. All advice very welcome.
>
> This is a problem for me on both Gentoo (samba 3.0.33) and Debian Lenny
> (samba 3.0.24).
>
> For debugging, I ran winbind interactively and piped output to a file
> (winbindd -d 3 -i).
>
> I have also posted the complete files to a pastebin:
> Working AD: http://pastebin.ca/1988167
> Non-working AD: http://pastebin.ca/1988169
>
> I did this for working and non-working ADs, and each time, I exercised
> the winbind daemon with the same commands, and then diff'ed the files.
>
> Both ADs behave the same for the following commands:
> wbinfo -g
> wbinfo -u
> net ads info
>
> However, the following commands do not work using the 2008 AD.
> kinit john
> kinit(v5): KDC has no support for encryption type while getting initial credentials
> wbinfo --all-domains
> <empty>
> wbinfo -m
> Could not list trusted domains
> wbinfo -t
> checking the trust secret via RPC calls succeeded
> wbinfo -a MS+john%'mypasswd'
> plaintext password authentication failed
> error code was NT code 0x00000721 (0x721)
> error messsage was: NT code 0x00000721
> Could not authenticate user MS+john%mypasswd with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
> error messsage was: Named pipe dicconnected
> Could not authenticate user MS+john with challenge/response
>
> The winbind logs are long, and attaching to this email seems wrong, so I
> have a difference summary below.
>
> ---First:---
> The working AD shows this:
> get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
> get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
> Doing spnego session setup (blob length=104)
>
> The non-working AD shows this:
> get_dc_list: preferred server list: ", 192.168.50.12"
> Connected to LDAP server 192.168.50.12
> get_dc_list: preferred server list: ", 192.168.50.12"
> Connected to LDAP server 192.168.50.12
> get_dc_list: preferred server list: ", 192.168.50.12"
> get_dc_list: preferred server list: ", 192.168.50.12"
> get_dc_list: preferred server list: ", 192.168.50.12"
> get_dc_list: preferred server list: ", 192.168.50.12"
> get_dc_list: preferred server list: ", 192.168.50.12"
> get_dc_list: preferred server list: ", 192.168.50.12"
> Doing spnego session setup (blob length=136)
> got OID=1 3 6 1 4 1 311 2 2 30
>
> ---Second:---
> The working AD shows this:
> got principal=ad1$@MS.MYDOMAIN.COM
>
> The non-working AD shows this:
> got principal=not_defined_in_RFC4178 at please_ignore
> cli_session_setup_spnego: got a bad server principal, trying to
> guess ...
> cli_session_setup_spnego: guessed server principal=AD4$@MS.MYDOMAIN.COM
>
> ---Third:---
> The working AD shows this:
> got principal=ad1$@MS.MYDOMAIN.COM
> Doing kerberos session setup
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 11 Nov 2010 06:53:02 PST
> rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \lsarpc fnum 0x4003 bind request returned ok.
> rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \lsarpc fnum 0x4002 bind request returned ok.
>
> The non-working AD shows this:
> got principal=not_defined_in_RFC4178 at please_ignore
> Kinit failed: KDC has no support for encryption type
> Doing spnego session setup (blob length=136)
> got OID=1 3 6 1 4 1 311 2 2 30
> got OID=1 2 840 48018 1 2 2
> got OID=1 2 840 113554 1 2 2
> got OID=1 2 840 113554 1 2 2 3
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=not_defined_in_RFC4178 at please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \lsarpc fnum 0x800d bind request returned ok.
> rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \lsarpc fnum 0x800e bind request returned ok.
>
> ---Fourth:---
> The working AD shows this:
> [ 4325]: pam auth MS+john
> [ 4318]: dual pam auth MS+john
> [ 4325]: request misc info
> [ 4325]: pam auth crap domain: [MS] user: john
> [ 4318]: pam auth crap domain: MS user: john
> [ 4327]: request interface version
> [ 4327]: request location of privileged pipe
> [ 4327]: check machine account
> [ 4318]: check machine account
> get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
> get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
> Doing spnego session setup (blob length=104)
> got OID=1 2 840 48018 1 2 2
> got OID=1 2 840 113554 1 2 2
> got OID=1 2 840 113554 1 2 2 3
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=ad1$@MS.MYDOMAIN.COM
> Doing kerberos session setup
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 11 Nov 2010 16:43:26 PST
> rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \NETLOGON fnum 0x800c bind request returned ok.
> rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \NETLOGON fnum 0x8008 bind request returned ok.
> secret is good
> [ 4328]: request interface version
> [ 4328]: request location of privileged pipe
> [ 4328]: list trusted domains
> [ 4318]: list trusted domains
> [ 4330]: request interface version
> [ 4330]: request location of privileged pipe
> [ 4330]: list trusted domains
> [ 4318]: list trusted domains
> [ 4341]: request interface version
> [ 4341]: request location of privileged pipe
> [ 4341]: getgroups root
> [ 4318]: lookupname MS+root
> rpc: name_to_sid name=MS\root
> name_to_sid [rpc] MS\root for domain MS
> rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \lsarpc fnum 0xc004 bind request returned ok.
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088235
> lsa_io_sec_qos: length c does not match size 8
>
> The non-working AD shows this:
> [ 4503]: pam auth MS+johns
> [ 4441]: dual pam auth MS+johns
> cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0x400c!
> Plain-text authentication for user MS+johns returned NT code 0x00000721 (PAM: 4)
> [ 4503]: request misc info
> [ 4503]: pam auth crap domain: [MS] user: johns
> [ 4441]: pam auth crap domain: MS user: johns
> rpc_api_pipe: Remote machine AD4.ms.msli.com pipe \NETLOGON fnum 0x400creturned critical error.
> Error was NT_STATUS_PIPE_DISCONNECTED
> NTLM CRAP authentication for user [MS]\[johns] returned NT_STATUS_PIPE_DISCONNECTED (PAM: 4)
> [ 4505]: request interface version
> [ 4505]: request location of privileged pipe
> [ 4505]: check machine account
> [ 4441]: check machine account
> get_dc_list: preferred server list: "192.168.50.12, 192.168.50.12"
> get_dc_list: preferred server list: "192.168.50.12, 192.168.50.12"
> Doing spnego session setup (blob length=136)
> got OID=1 3 6 1 4 1 311 2 2 30
> got OID=1 2 840 48018 1 2 2
> got OID=1 2 840 113554 1 2 2
> got OID=1 2 840 113554 1 2 2 3
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=not_defined_in_RFC4178 at please_ignore
> cli_session_setup_spnego: got a bad server principal, trying to guess ...
> cli_session_setup_spnego: guessed server principal=AD4$@MS.MYDOMAIN.COM
> Doing kerberos session setup
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 11 Nov 2010 16:46:46 PST
> rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0xc002 bind request returned ok.
> rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0xc005 bind request returned ok.
> secret is good
> [ 4506]: request interface version
> [ 4506]: request location of privileged pipe
> [ 4506]: list trusted domains
> [ 4441]: list trusted domains
> winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_INVALID_PARAMETER
> [ 4508]: request interface version
> [ 4508]: request location of privileged pipe
> [ 4508]: list trusted domains
> [ 4441]: list trusted domains
> winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_INVALID_PARAMETER

You may need to try some of the steps listed here:

http://support.microsoft.com/kb/942564

Ray