Jonathan Heese
2014-Mar-24 15:47 UTC
[Samba] REPOST: Winbind logins failing after upgrade from Samba3 to Samba4
Hello,
(I'm reposting this after my first attempt about 25 minutes ago has not come
through to me. I am leaving out the looooooong debug log dump, in case the
listserv didn't like the massive content, but it will be provided upon
request.)
I have a RHEL 6.5 server that was configured to use Samba 3.6.9-167 to
authenticate against a Windows 2008 R2 Active Directory domain. The
authentication was working fine, but we needed users to log in to this RHEL box
with their AD credentials and then access files stored on a Windows file server
CIFS share globally mounted on the RHEL box. As such, we added the
"cifsacl" option to the mount options, but we're finding the
Windows ACL <-> UNIX ACL support to be quite lacking.
I've read that the Samba4 client does a much better job of respecting
Windows NTFS ACLs, so I took a snapshot of the server (just in case), removed
the samba3 packages and installed the samba4 ones (4.0.0-60). I didn't
truly expect my Samba 3-compliant smb.conf to work in Samba4, but I've
looked over it line by line and haven't found anything that's not
documented in the Samba4 smb.conf man page.
First, here's my smb.conf:
[global]
security = ads
realm = domain.local
workgroup = DOMAIN
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client NTLMv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
log level = 100
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000 - 49999
When attempting to authenticate to the domain, I get the following error:
[root@server:/root]# wbinfo -a user%password --verbose
plaintext password authentication failed
Could not authenticate user user%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user user with challenge/response
I get a very similar error in /var/log/secure when attempting to log in via SSH:
Mar 24 10:58:26 server sshd[17398]: Set /proc/self/oom_score_adj to -1000
Mar 24 10:58:26 server sshd[17398]: Connection from 172.25.1.11 port 64484
Mar 24 10:58:26 server sshd[17398]: Invalid user DOMAIN\\user from 172.25.1.11
Mar 24 10:58:26 server sshd[17399]: input_userauth_request: invalid user DOMAIN\\user
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): check pass; user unknown
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.25.1.11
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): getting password (0x00000010)
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'DOMAIN\user')
Mar 24 10:58:26 server sshd[17398]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN\user
Mar 24 10:58:28 server sshd[17398]: Failed password for invalid user DOMAIN\\user from 172.25.1.11 port 64484 ssh2
Mar 24 10:58:30 server sshd[17399]: Received disconnect from 172.25.1.11: 13: The user canceled authentication.
I enabled "log level = 100" in my smb.conf and 'tail -f'ed
/var/log/samba/* during a login attempt, stripping out the timestamp lines, and
saw the following:
[ MASSIVE LOG DUMP REDACTED ]
I can't seem to figure out exactly what's causing my
"NT_STATUS_NO_LOGON_SERVERS" error, and this worked perfectly before
switching from Samba 3 to Samba 4. I've tried searching around, but without
much to go on, it's hard to know exactly what to search for.
Oh, and I should probably mention that we have two "Sites" in AD,
which I've notated above as Site1 and Site2. The RHEL server is physically
in Site1, but I'm unsure how to tell AD that; it seems like it should be able
to tell this by its IP, but so far it doesn't show it being in any site in
the Computer properties, nor by looking at the log output above. (Edit:
Incidentally, the Linux box's site now shows properly in the Samba
logs; must've been a replication delay or something.)
Can anyone provide me with any ideas of things to look for/at? I will provide
(unobfuscated) logs and/or config files upon request. Thanks in advance!
Jon Heese
Systems Administrator
INetU Managed Hosting
P: 610.266.7441 x 261
F: 610.266.7434
www.inetu.net
** This message contains confidential information, which also may be privileged,
and is intended only for the person(s) addressed above. Any unauthorized use,
distribution, copying or disclosure of confidential and/or privileged
information is strictly prohibited. If you have received this communication in
error, please erase all copies of the message and its attachments and notify the
sender immediately via reply e-mail. **
Jonathan Heese
2014-Mar-24 15:52 UTC
[Samba] REPOST: Winbind logins failing after upgrade from Samba3 to Samba4
My apologies if anyone else is missing line breaks in the log dumps...
Reposting the logs again for readability:
[root@server:/root]# wbinfo -a user%password --verbose
plaintext password authentication failed
Could not authenticate user user%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user user with challenge/response
tail -f /var/log/secure:
Mar 24 10:58:26 server sshd[17398]: Set /proc/self/oom_score_adj to -1000
Mar 24 10:58:26 server sshd[17398]: Connection from 172.25.1.11 port 64484
Mar 24 10:58:26 server sshd[17398]: Invalid user DOMAIN\\user from 172.25.1.11
Mar 24 10:58:26 server sshd[17399]: input_userauth_request: invalid user DOMAIN\\user
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): check pass; user unknown
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.25.1.11
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): getting password (0x00000010)
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'DOMAIN\user')
Mar 24 10:58:26 server sshd[17398]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN\user
Mar 24 10:58:28 server sshd[17398]: Failed password for invalid user DOMAIN\\user from 172.25.1.11 port 64484 ssh2
Mar 24 10:58:30 server sshd[17399]: Received disconnect from 172.25.1.11: 13: The user canceled authentication.
Jon Heese
Systems Administrator
INetU Managed Hosting
P: 610.266.7441 x 261
F: 610.266.7434
www.inetu.net
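A triage helper for the /var/log/secure excerpt shown in both messages above, added here as an example that is not part of the original posts or of Samba itself. It pulls the PAM and NTSTATUS codes out of each pam_winbind failure line and separates "winbind could not reach any DC" (what the post shows: PAM_AUTHINFO_UNAVAIL with NT_STATUS_NO_LOGON_SERVERS) from ordinary bad-credential failures, so an outage like this one is handled as a DC-connectivity problem rather than counted as a run of failed logins against the user. The WRONG_PASSWORD sample line is constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample: the first three lines mirror the post's /var/log/secure
# excerpt, the fourth is a made-up ordinary wrong-password failure.
SAMPLE_SECURE_LOG = [
    r"Mar 24 10:58:26 server sshd[17398]: Connection from 172.25.1.11 port 64484",
    r"Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): request wbcLogonUser "
    r"failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: "
    r"NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers",
    r"Mar 24 10:58:28 server sshd[17398]: Failed password for invalid user DOMAIN\\user "
    r"from 172.25.1.11 port 64484 ssh2",
    r"Mar 24 11:02:10 server sshd[17510]: pam_winbind(sshd:auth): request wbcLogonUser "
    r"failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: "
    r"NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password",
]

# Matches the pam_winbind failure line format seen in the post.
WINBIND_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_winbind\(sshd:auth\): request wbcLogonUser failed: (?P<wbc>\w+), "
    r"PAM error: (?P<pam>\w+) \((?P<pamno>\d+)\), NTSTATUS: (?P<nt>\w+)"
)

# NTSTATUS values winbind returns when it never got an answer from a DC,
# as opposed to a DC answering "no" to the credentials offered.
INFRA_STATUS = {"NT_STATUS_NO_LOGON_SERVERS", "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND"}


def classify(pam_error, ntstatus):
    """'infrastructure' = DC lookup/connectivity problem; 'credential' = the DC rejected the logon."""
    if ntstatus in INFRA_STATUS or pam_error == "PAM_AUTHINFO_UNAVAIL":
        return "infrastructure"
    return "credential"


def parse_winbind_failures(lines):
    """Extract one event per pam_winbind failure line, keyed by sshd PID for correlation."""
    events = []
    for line in lines:
        m = WINBIND_FAIL.search(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = classify(ev["pam"], ev["nt"])
            events.append(ev)
    return events


def summarize(events):
    """Count failures per kind; a burst of 'infrastructure' is an outage, not brute force."""
    return Counter(e["kind"] for e in events)
```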