Here is my setup.

samba+winbind on OpenSuse 11.3 (samba 3.5.4).

Using winbind to auth to another samba+ldap server.

Authentication works until first failed login:

    host:~ # wbinfo -a prod\\user%goodpass
    plaintext password authentication succeeded
    challenge/response password authentication succeeded
    host:~ # wbinfo -a prod\\user%badpass
    plaintext password authentication failed
    Could not authenticate user prod\user%badpass with plaintext password
    challenge/response password authentication failed
    error code was NT code 0x1c010002 (0x1c010002)
    error messsage was: NT code 0x1c010002
    Could not authenticate user prod\user with challenge/response
    test:~ # wbinfo -a prod\\user%goodpass
    plaintext password authentication failed
    Could not authenticate user prod\user%goodpass with plaintext password
    challenge/response password authentication failed
    error code was NT code 0x1c010002 (0x1c010002)
    error messsage was: NT code 0x1c010002
    Could not authenticate user prod\user with challenge/response

Then I run:

    host:~ # wbinfo -t
    checking the trust secret for domain PROD via RPC calls succeeded

And then the login works again, until first failed login again.

I authenticate with winbind to the same server with another samba+winbind machine (3.0.23d) and it works ok.

Could this be some kind of bug in 3.5.4 samba or is there a workaround for this?
This is my client side (winbind) samba config:

    [global]
    workgroup = PROD
    # passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = Yes
    os level = 2
    time server = No
    local master = No
    preferred master = No
    unix extensions = Yes
    encrypt passwords = Yes
    log level = 3
    syslog = 0
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
    wins server = 192.168.103.100
    name resolve order = hosts lmhosts wins bcast
    veto files = /*.eml/*.nws/riched20.dll/*.{*}/
    security = domain
    password server = smblpp
    # winbind separator = +
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    template homedir = /home/%D/%U
    template shell = /bin/false

Any help would be appreciated.

-- 
Sebastijan ?ilec, system support
Volker Lendecke
2011-Feb-18 14:31 UTC
[Samba] winbind stops working after first failed login
On Fri, Feb 18, 2011 at 02:36:21PM +0100, Danilo Godec wrote:
> Here is my setup.
>
> samba+winbind on OpenSuse 11.3 (samba 3.5.4).
>
> Using winbind to auth to another samba+ldap server.

While I don't remember the exact versions, this is essentially a bug in Samba 3.0 when acting as a PDC. If you upgrade your PDC as well, the problem should go away. If needed, it should be possible to dig up patches that fix exactly your PDC version.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen