Sebastian Neustein
2012-Oct-11 13:00 UTC
[Samba] PDC: realm changed: authentication aborted
Hi list,

We have a network with some XP and some Windows 7 computers. We use samba 3.6.6 on debian 6.0.6 from debian-backports. It's a pdc with passdb backend = ldapsam.

In our logs there are lots of:

ARCServer slapd[1263]: SASL [conn=46778] Failure: realm changed: authentication aborted

I found out that at the time this emerges, tcpdump says:

12:59:54.656399 IP client.49551 > 192.168.43.202.ldap: Flags [S], seq 3802010171, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:59:54.656444 IP 192.168.43.202.ldap > client.49551: Flags [S.], seq 3999710145, ack 3802010172, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
12:59:54.656831 IP client.49551 > 192.168.43.202.ldap: Flags [.], ack 1, win 256, length 0
12:59:54.665734 IP client.49551 > 192.168.43.202.ldap: Flags [P.], seq 1:351, ack 1, win 256, length 350
12:59:54.665756 IP 192.168.43.202.ldap > client.49551: Flags [.], ack 351, win 108, length 0
12:59:54.677914 IP 192.168.43.202.ldap > client.49551: Flags [P.], seq 1:377, ack 351, win 108, length 376
12:59:54.678040 IP 192.168.43.202.ldap > client.49551: Flags [P.], seq 377:391, ack 351, win 108, length 14
12:59:54.678316 IP client.49551 > 192.168.43.202.ldap: Flags [.], ack 391, win 255, length 0
12:59:54.678707 IP client.49551 > 192.168.43.202.ldap: Flags [P.], seq 351:391, ack 391, win 255, length 40
12:59:54.679001 IP 192.168.43.202.ldap > client.49551: Flags [P.], seq 391:672, ack 391, win 108, length 281
12:59:54.679619 IP client.49551 > 192.168.43.202.ldap: Flags [P.], seq 391:678, ack 672, win 254, length 287
12:59:54.679858 IP 192.168.43.202.ldap > client.49551: Flags [P.], seq 672:758, ack 678, win 125, length 86
12:59:54.680464 IP client.49551 > 192.168.43.202.ldap: Flags [P.], seq 678:689, ack 758, win 253, length 11
12:59:54.680480 IP client.49551 > 192.168.43.202.ldap: Flags [F.], seq 689, ack 758, win 253, length 0
12:59:54.680710 IP 192.168.43.202.ldap > client.49551: Flags [F.], seq 758, ack 690, win 125, length 0
12:59:54.680987 IP client.49551 > 192.168.43.202.ldap: Flags [.], ack 759, win 253, length 0

This happens every 15 minutes per Win7 machine.

On the client, wireshark says:

//client->server
0? X c? O x ? objectclass0? + subschemaSubentry dsServiceName namingContexts defaultNamingContext schemaNamingContext configurationNamingContext rootDomainNamingContext supportedControl supportedLDAPVersion supportedLDAPPolicies supportedSASLMechanisms dnsHostName ldapServiceName serverName supportedCapabilities

//server->client
0? t d? m 0? g0' namingContexts1 dc=arc-aachen,dc=de0?? supportedControl1?? 2.16.840.1.113730.3.4.18 2.16.840.1.113730.3.4.2 1.3.6.1.4.1.4203.1.10.1 1.2.840.113556.1.4.319 1.2.826.0.1.3344810.2.3 1.3.6.1.1.13.2 1.3.6.1.1.13.1 1.3.6.1.1.120 supportedLDAPVersion1 307 supportedSASLMechanisms1 CRAM-MD5 DIGEST-MD5 NTLM0# subschemaSubentry1 cn=Subschema0 e

//client->server
0? " `? ?? DIGEST-MD5

//server->client
0? a? @SASL(0): successful result: security flags do not match required???nonce="cryptic1",realm="ARCServer.arc-aachen.de",qop="auth,auth-int, auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65536,charset=utf-8, algorithm=md5-sess

//client->server
0? `? ?? DIGEST-MD5 ? ?username="client$",realm="arcd",nonce="cryptic1",digest-uri="ldap/ARCSERVER", cnonce="cryptic2",nc=00000001,response=cryptic3,qop=auth-conf,cipher=3des, charset=utf-8

//server->client
0T aO 1 HSASL(-13): authentication failure: realm changed: authentication aborted

//client->server
0? B

I understand that the win7 machine tries to ask the server something concerning the network, but the problem is that the server expects a reply from client.arc-aachen.de but gets a reply from client.arcd. But why?

Extracts from smb.conf:

[global]
workgroup = ARCD
netbios name = ARCServer
# domain settings
domain master = yes
domain logons = yes
os level = 100
preferred master = yes
wins support = no
passdb backend = ldapsam
ldap suffix = dc=arc-aachen,dc=de
ldap admin dn = cn=samba,dc=arc-aachen,dc=de
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmaps
[...]

I know this is a slapd problem; if this server weren't our samba file server, this problem would not emerge.

Does anybody know what to do?

Thanks for your help
Sebastian