Hello,
We are using Samba (3.5.6~dfsg-3squeeze8) with Winbind to join a
Debian server to our domain for the purpose of AD authentication in
Freeradius (using NTLM_AUTH). It is setup to the point where we
joined it to the domain and "wbinfo -a NETWORK\\<user>" and
ntlm_auth
--user --domain are working as expected. We are not using winbind
with nsswitch, which I think is called "netlogon proxy only mode".
Kerberos is also setup and I can kinit / klist / kdestroy properly,
though I'm not certain that matters.
Ever since it was setup, however, we have had an issue where the
authentication just stops working, every week, early on Sunday
morning. To 'fix' authentication again, I simply have to restart the
Winbind daemon. Once that's done, everything begins 'flowing'
again.
Here is my smb.conf
[global]
workgroup = NETWORK
server string = %h server
dns proxy = no
winbind use default domain = yes
idmap cache time = 900
log level = 10
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
encrypt passwords = true
obey pam restrictions = yes
password server = *
allow trusted domains = no
realm = NETWORK.FQDN.COM
I'm having some difficulty tracking down the error. And particularly,
I cannot figure out why it happens, seemingly, on a schedule. I've
been poking around in logs, 'net cache list' results, etc, and its
coming up empty.
So far, I am having difficulty pulling the actual error message of the
NTLM_AUTH command when its failing, but I do have the output of
FreeRadius when it attempts to run the following command:
/usr/bin/ntlm_auth --request-nt-key --username=jdoe --domain=NETWORK
--challenge=0a0a0a0a0a0a0a0a
--nt-response=0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a
Success:
Debug: Exec-Program output: NT_KEY: [SNIP]
Debug: Exec-Program-Wait: plaintext: NT_KEY: [SNIP]
Debug: Exec-Program: returned: 0
Info: [mschap_network] adding MS-CHAPv2 MPPE keys
Info: ++[mschap_network] returns ok
Failure:
Debug: Exec-Program output: Reading winbind reply failed! (0xc0000001)
Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Debug: Exec-Program: returned: 1
Info: [mschap_network] External script failed.
Info: [mschap_network] FAILED: MS-CHAP2-Response is incorrect
Info: ++[mschap_network] returns reject
As I said, it is absolutely something going on with Winbind. Where
should I be looking to get this issue figured out?
Thanks in advance.
Jordan Dohms
