David Herselman
2017-Jun-12 13:56 UTC
[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
Hi everyone, We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be experiencing a problem with authentication, when the RPC domain is not supplied as part of the username. I have two scenarios where this has cropped up: RADIUS authentication using ntlm_auth Apache HTTP using mod_auth_ntlm_winbind RADIUS authentication: We use the freeRADIUS 'mschap' module to provide centralise MS-CHAP2 based authentication for CheckPoint firewalls. The module really just passes calls through to 'ntlm_auth' and has worked for over a year on 4.4.5. With the migration to 4.6.5 we obtain the following error when attempting to authenticate: Mon Jun 12 08:57:55 2017 : Auth: Login incorrect (mschap: External script says Memory allocation error (0xc0000017)): [davidh] (from client checkpoint_gaia port 0) nas-ip:8.8.8.8 nas-id: The following change of the freeRADIUS 'mschap' module works around the issue by hard coding the domain: - ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" + ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-DOMAIN-01} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" Apache HTTP has been setup to use the mod_auth_ntlm_winbind module and works perfectly when accessing the website from a user that is logged in to the domain (NTLM authentication I presume). When attempting access from outside the network, for example from my personal PC at home, I'm prompted for authentication and can now only successfully authenticate when I prefix the legacy RPC domain name to my username. ie: Using just 'davidh' fails whereas 'DOMAIN-01\davidh' works. The web server logs the following error when attempting to authenticate without the RPC domain prefix (domain-01\): /var/log/httpd/localhost-error_log GENSEC login failed: NT_STATUS_NO_MEMORY Apache is running on one of the Samba AD servers, with the following .htaccess file: <Files index.pl> require valid-user AuthName "Windows Domain" NTLMOmitDomain on #NTLMDomainSeparator + NTLMBasicAuth on NTLMBasicAuthoritative on NTLMBasicRealm "Windows Domain" PlaintextAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic" NTLMAuth on AuthType NTLM NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" NegotiateAuth off AuthType Negotiate NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego" </Files> We have Samba configured to enable the 'winbind use default domain' option and are attempting to reproduce the problem via command line. Whilst authentication without the RPC domain prefixing the username works here, I get the same NT_STATUS_NO_MEMMORY error when setting the RPC domain as something invalid, such as the AD realm 'AD.LAIR.CO.ZA', in the following example: [root at unix-01 samba]# wbinfo -a exam%secret plaintext password authentication succeeded challenge/response password authentication succeeded [root at unix-01 samba]# ntlm_auth --helper-protocol=squid-2.5-basic exam secret OK [root at unix-01 samba]# ntlm_auth --request-nt-key --username=exam --password=secret NT_STATUS_OK: Success (0x0) [root at unix-01 samba]# ntlm_auth --domain=DOMAIN-01 --request-nt-key --username=exam --password=secret NT_STATUS_OK: Success (0x0) [root at unix-01 samba]# ntlm_auth --domain=AD.LAIR.CO.ZA --request-nt-key --username=exam --password=secret NT_STATUS_NO_MEMORY: Memory allocation error (0xc0000017) We would be extremely grateful for any pointers as to where we could start turning up debugging and/or testing authentication on the command line to narrow down where the issue originates from. Additional information: - We are using the default winbind separator '\' - We have enabled NTLMv1 to provide necessary support for pppd, for PPTP VPN tunnels Our smb.conf file (excludes share definitions): [global] server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = Domain-01 realm = ad.lair.co.za netbios name = Unix-01 remote announce = 192.168.1.255 192.168.5.255 192.168.255.255 192.168.1.5 remote browse sync = 192.168.1.5 bind interfaces only = yes interfaces = 127.0.0.1/8 192.168.1.3/24 ntlm auth = yes guest account = nobody idmap cache time = 300 idmap_ldb:use rfc2307 = yes kerberos method = system keytab allow dns updates = secure only template homedir = /home/users/%U template shell = /sbin/nologin log level = 2 winbind:10 log file = /var/log/samba/%m.log enable core files = no max log size = 50 dont descend = /dev, /mirror, /proc time server = yes wins support = yes printing = cups cups options = raw winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind expand groups = 1 [netlogon] path = /var/lib/samba/sysvol/ad.lair.co.za/scripts comment = Network Logon Service read only = no [sysvol] path = /var/lib/samba/sysvol comment = Active Directory System Volume read only = no [nobody] path = /dev/null comment = Access denied - Guest guest ok = no printable = no browseable = no winbind debug information when running with 'log level = 2 winbind:10'. The following is when attempting to browse to the Apache HTTP server and not prefixing the RPC domain name to the username: [2017/06/12 15:46:21.302872, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:69(child_read_request) Need to read 262 extra bytes [2017/06/12 15:46:21.302893, 4, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1386(child_handler) child daemon request 14 [2017/06/12 15:46:21.302905, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:512(child_process_request) child_process_request: request fn AUTH_CRAP [2017/06/12 15:46:21.302915, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2061(winbindd_dual_pam_auth_crap) [31938]: pam auth crap domain: user: davidh [2017/06/12 15:46:21.303466, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.303848, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.303867, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop) Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0) [2017/06/12 15:46:21.303877, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop) The connection to netlogon failed, retrying [2017/06/12 15:46:21.304224, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.304240, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop) Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1) [2017/06/12 15:46:21.304249, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop) This is again a problem for this particular call, forcing the close of this connection [2017/06/12 15:46:21.304258, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop) The connection to netlogon failed, retrying [2017/06/12 15:46:21.304604, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.304620, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop) Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 2) [2017/06/12 15:46:21.304629, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop) This is again a problem for this particular call, forcing the close of this connection [2017/06/12 15:46:21.304655, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop) This is the third problem for this particular call, adding DC to the negative cache list [2017/06/12 15:46:21.307342, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop) The connection to netlogon failed, retrying [2017/06/12 15:46:21.307962, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.307979, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop) Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 3) [2017/06/12 15:46:21.307988, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop) This is again a problem for this particular call, forcing the close of this connection [2017/06/12 15:46:21.307997, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop) This is the third problem for this particular call, adding DC to the negative cache list [2017/06/12 15:46:21.308015, 2, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2033(winbind_dual_SamLogon) NTLM CRAP authentication for user []\[davidh] returned NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.308028, 4, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1394(child_handler) Finished processing child request 14 [2017/06/12 15:46:21.308040, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:104(child_write_response) Writing 3496 bytes to parent Regards David Herselman
Rowland Penny
2017-Jun-12 15:52 UTC
[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
On Mon, 12 Jun 2017 13:56:14 +0000 David Herselman via samba <samba at lists.samba.org> wrote:> Hi everyone, > > We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be > experiencing a problem with authentication, when the RPC domain is > not supplied as part of the username. >'winbind use default domain = yes' doesn't work on a DC I think your main problem can be explained by this extract from the release notes for 4.5.0: NTLMv1 authentication disabled by default ----------------------------------------- In order to improve security we have changed the default value for the "ntlm auth" option from "yes" to "no". This may have impact on very old clients which doesn't support NTLMv2 yet. The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. By default, Samba will only allow NTLMv2 via NTLMSSP now, as we have the following default "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no". Rowland
David Herselman
2017-Jun-13 08:36 UTC
[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
Hi again, The winbind debug logs pertaining to this appear to be the following: [2017/06/12 15:46:21.303848, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY We have a further nuance with Samba 4.6.5, also relating to the 'winbind use default domain' parameter, in that usernames are returned with the RPC domain prefix. This is causing problems at a site which still runs legacy mail using Dovecot (POP3/IMAP) and Sendmail. There are two issues at this site, one is that Sendmail is now storing new messages in a mailbox 'DOMAIN\user' instead of just 'user' and the second is that Dovecot is incorrectly changing 'DOMAIN\user' to 'DOMAINuser' and subsequently creates an empty mailbox at login (the second is probably a Dovecor issue where the winbind separator is being interpreted): [admin at unix-01 mail]# dir /var/spool/mail/GOLD*ananda /var/spool/mail/ananda -rw------- 1 GOLDENERA\ananda mail 1555636 Jun 10 16:07 /var/spool/mail/ananda -rw------- 1 GOLDENERA\ananda mail 6283446 Jun 13 08:43 /var/spool/mail/GOLDENERAananda -rw------- 1 GOLDENERA\ananda users 0 Jun 13 09:07 /var/spool/mail/GOLDENERA\ananda I assume the root cause here also to be winbindd not honouring the 'winbind use default domain' option having been set to 'yes'... The Sendmail PAM configuration file (/etc/pam.d/smtp.sendmail): #%PAM-1.0 auth sufficient pam_winbind.so auth required pam_unix.so nullok_secure account sufficient pam_winbind.so use_first_pass account required pam_unix.so The original Sendmail PAM configuration file (/etc/pam.d/smtp.sendmail.orig): #%PAM-1.0 auth include system-auth account include system-auth Regards David Herselman -----Original Message----- From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of David Herselman via samba Sent: Monday, 12 June 2017 3:56 PM To: samba at lists.samba.org Subject: [Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth Hi everyone, We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be experiencing a problem with authentication, when the RPC domain is not supplied as part of the username. I have two scenarios where this has cropped up: RADIUS authentication using ntlm_auth Apache HTTP using mod_auth_ntlm_winbind RADIUS authentication: We use the freeRADIUS 'mschap' module to provide centralise MS-CHAP2 based authentication for CheckPoint firewalls. The module really just passes calls through to 'ntlm_auth' and has worked for over a year on 4.4.5. With the migration to 4.6.5 we obtain the following error when attempting to authenticate: Mon Jun 12 08:57:55 2017 : Auth: Login incorrect (mschap: External script says Memory allocation error (0xc0000017)): [davidh] (from client checkpoint_gaia port 0) nas-ip:8.8.8.8 nas-id: The following change of the freeRADIUS 'mschap' module works around the issue by hard coding the domain: - ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" + ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-DOMAIN-01} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" Apache HTTP has been setup to use the mod_auth_ntlm_winbind module and works perfectly when accessing the website from a user that is logged in to the domain (NTLM authentication I presume). When attempting access from outside the network, for example from my personal PC at home, I'm prompted for authentication and can now only successfully authenticate when I prefix the legacy RPC domain name to my username. ie: Using just 'davidh' fails whereas 'DOMAIN-01\davidh' works. The web server logs the following error when attempting to authenticate without the RPC domain prefix (domain-01\): /var/log/httpd/localhost-error_log GENSEC login failed: NT_STATUS_NO_MEMORY Apache is running on one of the Samba AD servers, with the following .htaccess file: <Files index.pl> require valid-user AuthName "Windows Domain" NTLMOmitDomain on #NTLMDomainSeparator + NTLMBasicAuth on NTLMBasicAuthoritative on NTLMBasicRealm "Windows Domain" PlaintextAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic" NTLMAuth on AuthType NTLM NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" NegotiateAuth off AuthType Negotiate NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego" </Files> We have Samba configured to enable the 'winbind use default domain' option and are attempting to reproduce the problem via command line. Whilst authentication without the RPC domain prefixing the username works here, I get the same NT_STATUS_NO_MEMMORY error when setting the RPC domain as something invalid, such as the AD realm 'AD.LAIR.CO.ZA', in the following example: [root at unix-01 samba]# wbinfo -a exam%secret plaintext password authentication succeeded challenge/response password authentication succeeded [root at unix-01 samba]# ntlm_auth --helper-protocol=squid-2.5-basic exam secret OK [root at unix-01 samba]# ntlm_auth --request-nt-key --username=exam --password=secret NT_STATUS_OK: Success (0x0) [root at unix-01 samba]# ntlm_auth --domain=DOMAIN-01 --request-nt-key --username=exam --password=secret NT_STATUS_OK: Success (0x0) [root at unix-01 samba]# ntlm_auth --domain=AD.LAIR.CO.ZA --request-nt-key --username=exam --password=secret NT_STATUS_NO_MEMORY: Memory allocation error (0xc0000017) We would be extremely grateful for any pointers as to where we could start turning up debugging and/or testing authentication on the command line to narrow down where the issue originates from. Additional information: - We are using the default winbind separator '\' - We have enabled NTLMv1 to provide necessary support for pppd, for PPTP VPN tunnels Our smb.conf file (excludes share definitions): [global] server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = Domain-01 realm = ad.lair.co.za netbios name = Unix-01 remote announce = 192.168.1.255 192.168.5.255 192.168.255.255 192.168.1.5 remote browse sync = 192.168.1.5 bind interfaces only = yes interfaces = 127.0.0.1/8 192.168.1.3/24 ntlm auth = yes guest account = nobody idmap cache time = 300 idmap_ldb:use rfc2307 = yes kerberos method = system keytab allow dns updates = secure only template homedir = /home/users/%U template shell = /sbin/nologin log level = 2 winbind:10 log file = /var/log/samba/%m.log enable core files = no max log size = 50 dont descend = /dev, /mirror, /proc time server = yes wins support = yes printing = cups cups options = raw winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind expand groups = 1 [netlogon] path = /var/lib/samba/sysvol/ad.lair.co.za/scripts comment = Network Logon Service read only = no [sysvol] path = /var/lib/samba/sysvol comment = Active Directory System Volume read only = no [nobody] path = /dev/null comment = Access denied - Guest guest ok = no printable = no browseable = no winbind debug information when running with 'log level = 2 winbind:10'. The following is when attempting to browse to the Apache HTTP server and not prefixing the RPC domain name to the username: [2017/06/12 15:46:21.302872, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:69(child_read_request) Need to read 262 extra bytes [2017/06/12 15:46:21.302893, 4, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1386(child_handler) child daemon request 14 [2017/06/12 15:46:21.302905, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:512(child_process_request) child_process_request: request fn AUTH_CRAP [2017/06/12 15:46:21.302915, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2061(winbindd_dual_pam_auth_crap) [31938]: pam auth crap domain: user: davidh [2017/06/12 15:46:21.303466, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.303848, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.303867, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop) Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0) [2017/06/12 15:46:21.303877, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop) The connection to netlogon failed, retrying [2017/06/12 15:46:21.304224, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.304240, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop) Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1) [2017/06/12 15:46:21.304249, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop) This is again a problem for this particular call, forcing the close of this connection [2017/06/12 15:46:21.304258, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop) The connection to netlogon failed, retrying [2017/06/12 15:46:21.304604, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.304620, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop) Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 2) [2017/06/12 15:46:21.304629, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop) This is again a problem for this particular call, forcing the close of this connection [2017/06/12 15:46:21.304655, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop) This is the third problem for this particular call, adding DC to the negative cache list [2017/06/12 15:46:21.307342, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop) The connection to netlogon failed, retrying [2017/06/12 15:46:21.307962, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.307979, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop) Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 3) [2017/06/12 15:46:21.307988, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop) This is again a problem for this particular call, forcing the close of this connection [2017/06/12 15:46:21.307997, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop) This is the third problem for this particular call, adding DC to the negative cache list [2017/06/12 15:46:21.308015, 2, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2033(winbind_dual_SamLogon) NTLM CRAP authentication for user []\[davidh] returned NT_STATUS_NO_MEMORY [2017/06/12 15:46:21.308028, 4, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1394(child_handler) Finished processing child request 14 [2017/06/12 15:46:21.308040, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:104(child_write_response) Writing 3496 bytes to parent Regards David Herselman
Maybe Matching Threads
- 'winbind use default domain' doesn't appear to work with ntlm_auth
- winbind trust account password management
- upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap
- upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap
- NTLM refuses to work on a DC