David Herselman
2017-Jun-12 13:56 UTC
[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
Hi everyone,

We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be experiencing a problem with authentication when the RPC domain is not supplied as part of the username.

I have two scenarios where this has cropped up:
  RADIUS authentication using ntlm_auth
  Apache HTTP using mod_auth_ntlm_winbind

RADIUS authentication:
We use the freeRADIUS 'mschap' module to provide centralised MS-CHAP2 based authentication for CheckPoint firewalls. The module really just passes calls through to 'ntlm_auth' and has worked for over a year on 4.4.5.

With the migration to 4.6.5 we obtain the following error when attempting to authenticate:

    Mon Jun 12 08:57:55 2017 : Auth: Login incorrect (mschap: External script says Memory allocation error (0xc0000017)): [davidh] (from client checkpoint_gaia port 0) nas-ip:8.8.8.8 nas-id:

The following change of the freeRADIUS 'mschap' module works around the issue by hard coding the domain:

- ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+ ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-DOMAIN-01} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

Apache HTTP has been set up to use the mod_auth_ntlm_winbind module and works perfectly when accessing the website from a user that is logged in to the domain (NTLM authentication I presume). When attempting access from outside the network, for example from my personal PC at home, I'm prompted for authentication and can now only successfully authenticate when I prefix the legacy RPC domain name to my username, i.e. using just 'davidh' fails whereas 'DOMAIN-01\davidh' works.
The web server logs the following error when attempting to authenticate without the RPC domain prefix (domain-01\):

/var/log/httpd/localhost-error_log
    GENSEC login failed: NT_STATUS_NO_MEMORY

Apache is running on one of the Samba AD servers, with the following .htaccess file:

    <Files index.pl>
      require valid-user
      AuthName "Windows Domain"
      NTLMOmitDomain on
      #NTLMDomainSeparator +
      NTLMBasicAuth on
      NTLMBasicAuthoritative on
      NTLMBasicRealm "Windows Domain"
      PlaintextAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic"
      NTLMAuth on
      AuthType NTLM
      NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
      NegotiateAuth off
      AuthType Negotiate
      NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
    </Files>

We have Samba configured to enable the 'winbind use default domain' option and are attempting to reproduce the problem via command line. Whilst authentication without the RPC domain prefixing the username works here, I get the same NT_STATUS_NO_MEMORY error when setting the RPC domain as something invalid, such as the AD realm 'AD.LAIR.CO.ZA', in the following example:

    [root@unix-01 samba]# wbinfo -a exam%secret
    plaintext password authentication succeeded
    challenge/response password authentication succeeded
    [root@unix-01 samba]# ntlm_auth --helper-protocol=squid-2.5-basic
    exam secret
    OK
    [root@unix-01 samba]# ntlm_auth --request-nt-key --username=exam --password=secret
    NT_STATUS_OK: Success (0x0)
    [root@unix-01 samba]# ntlm_auth --domain=DOMAIN-01 --request-nt-key --username=exam --password=secret
    NT_STATUS_OK: Success (0x0)
    [root@unix-01 samba]# ntlm_auth --domain=AD.LAIR.CO.ZA --request-nt-key --username=exam --password=secret
    NT_STATUS_NO_MEMORY: Memory allocation error (0xc0000017)

We would be extremely grateful for any pointers as to where we could start turning up debugging and/or testing authentication on the command line to narrow down where the issue originates from.
Additional information:
- We are using the default winbind separator '\'
- We have enabled NTLMv1 to provide necessary support for pppd, for PPTP VPN tunnels

Our smb.conf file (excludes share definitions):

    [global]
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = Domain-01
        realm = ad.lair.co.za
        netbios name = Unix-01
        remote announce = 192.168.1.255 192.168.5.255 192.168.255.255 192.168.1.5
        remote browse sync = 192.168.1.5
        bind interfaces only = yes
        interfaces = 127.0.0.1/8 192.168.1.3/24
        ntlm auth = yes
        guest account = nobody
        idmap cache time = 300
        idmap_ldb:use rfc2307 = yes
        kerberos method = system keytab
        allow dns updates = secure only
        template homedir = /home/users/%U
        template shell = /sbin/nologin
        log level = 2 winbind:10
        log file = /var/log/samba/%m.log
        enable core files = no
        max log size = 50
        dont descend = /dev, /mirror, /proc
        time server = yes
        wins support = yes
        printing = cups
        cups options = raw
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind expand groups = 1

    [netlogon]
        path = /var/lib/samba/sysvol/ad.lair.co.za/scripts
        comment = Network Logon Service
        read only = no

    [sysvol]
        path = /var/lib/samba/sysvol
        comment = Active Directory System Volume
        read only = no

    [nobody]
        path = /dev/null
        comment = Access denied - Guest
        guest ok = no
        printable = no
        browseable = no

winbind debug information when running with 'log level = 2 winbind:10'.
The following is when attempting to browse to the Apache HTTP server and not prefixing the RPC domain name to the username:

[2017/06/12 15:46:21.302872, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:69(child_read_request)
  Need to read 262 extra bytes
[2017/06/12 15:46:21.302893, 4, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1386(child_handler)
  child daemon request 14
[2017/06/12 15:46:21.302905, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:512(child_process_request)
  child_process_request: request fn AUTH_CRAP
[2017/06/12 15:46:21.302915, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2061(winbindd_dual_pam_auth_crap)
  [31938]: pam auth crap domain: user: davidh
[2017/06/12 15:46:21.303466, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.303848, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.303867, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
  Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
[2017/06/12 15:46:21.303877, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop)
  The connection to netlogon failed, retrying
[2017/06/12 15:46:21.304224, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.304240, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
  Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1)
[2017/06/12 15:46:21.304249, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop)
  This is again a problem for this particular call, forcing the close of this connection
[2017/06/12 15:46:21.304258, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop)
  The connection to netlogon failed, retrying
[2017/06/12 15:46:21.304604, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.304620, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
  Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 2)
[2017/06/12 15:46:21.304629, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop)
  This is again a problem for this particular call, forcing the close of this connection
[2017/06/12 15:46:21.304655, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop)
  This is the third problem for this particular call, adding DC to the negative cache list
[2017/06/12 15:46:21.307342, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop)
  The connection to netlogon failed, retrying
[2017/06/12 15:46:21.307962, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.307979, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
  Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 3)
[2017/06/12 15:46:21.307988, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop)
  This is again a problem for this particular call, forcing the close of this connection
[2017/06/12 15:46:21.307997, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop)
  This is the third problem for this particular call, adding DC to the negative cache list
[2017/06/12 15:46:21.308015, 2, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2033(winbind_dual_SamLogon)
  NTLM CRAP authentication for user []\[davidh] returned NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.308028, 4, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1394(child_handler)
  Finished processing child request 14
[2017/06/12 15:46:21.308040, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:104(child_write_response)
  Writing 3496 bytes to parent

Regards
David Herselman
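Review bot: on the `+ ntlm_auth` line of the freeRADIUS 'mschap' change above, the fallback in `--domain=%{%{mschap:NT-Domain}:-DOMAIN-01}` hard-codes the domain name with nothing to say why, so every request that arrives without an NT-Domain is now tried against DOMAIN-01 and the literal has to be kept in step with `workgroup` in smb.conf by hand. Add a comment beside the line marking it as a workaround for the behaviour seen after the 4.6.5 upgrade, so it is revisited once ntlm_auth again accepts an empty domain. The same fallback style is already used for `--challenge` and `--nt-response` (`:-00`), so the syntax itself is consistent with the rest of the line.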
Rowland Penny
2017-Jun-12 15:52 UTC
[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
On Mon, 12 Jun 2017 13:56:14 +0000
David Herselman via samba <samba at lists.samba.org> wrote:

> Hi everyone,
>
> We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be
> experiencing a problem with authentication, when the RPC domain is
> not supplied as part of the username.
>

'winbind use default domain = yes' doesn't work on a DC

I think your main problem can be explained by this extract from the release notes for 4.5.0:

NTLMv1 authentication disabled by default
-----------------------------------------

In order to improve security we have changed the default value for the "ntlm auth" option from "yes" to "no". This may have impact on very old clients which doesn't support NTLMv2 yet.

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

By default, Samba will only allow NTLMv2 via NTLMSSP now, as we have the following default "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no".

Rowland
David Herselman
2017-Jun-13 08:36 UTC
[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
Hi again,

The winbind debug logs pertaining to this appear to be the following:

[2017/06/12 15:46:21.303848, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY

We have a further nuance with Samba 4.6.5, also relating to the 'winbind use default domain' parameter, in that usernames are returned with the RPC domain prefix. This is causing problems at a site which still runs legacy mail using Dovecot (POP3/IMAP) and Sendmail.

There are two issues at this site: one is that Sendmail is now storing new messages in a mailbox 'DOMAIN\user' instead of just 'user', and the second is that Dovecot is incorrectly changing 'DOMAIN\user' to 'DOMAINuser' and subsequently creates an empty mailbox at login (the second is probably a Dovecot issue where the winbind separator is being interpreted):

    [admin@unix-01 mail]# dir /var/spool/mail/GOLD*ananda /var/spool/mail/ananda
    -rw------- 1 GOLDENERA\ananda mail 1555636 Jun 10 16:07 /var/spool/mail/ananda
    -rw------- 1 GOLDENERA\ananda mail 6283446 Jun 13 08:43 /var/spool/mail/GOLDENERAananda
    -rw------- 1 GOLDENERA\ananda users 0 Jun 13 09:07 /var/spool/mail/GOLDENERA\ananda

I assume the root cause here also to be winbindd not honouring the 'winbind use default domain' option having been set to 'yes'...

The Sendmail PAM configuration file (/etc/pam.d/smtp.sendmail):

    #%PAM-1.0
    auth sufficient pam_winbind.so
    auth required pam_unix.so nullok_secure
    account sufficient pam_winbind.so use_first_pass
    account required pam_unix.so

The original Sendmail PAM configuration file (/etc/pam.d/smtp.sendmail.orig):

    #%PAM-1.0
    auth include system-auth
    account include system-auth

Regards
David Herselman
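An added example, not part of the original thread or of Samba: a Python parser for the winbind debug-log layout posted above that ties each AUTH_CRAP request to its NETLOGON failures and final status, and works whether or not the log's line breaks survived. The sample is an excerpt of the log from this thread; the function and field names are this example's own.

```python
import re

# Excerpt (not the full log) of the winbind entries posted in this thread,
# in the usual header-line / indented-message layout.
SAMPLE_LOG = r"""
[2017/06/12 15:46:21.302915, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2061(winbindd_dual_pam_auth_crap)
  [31938]: pam auth crap domain: user: davidh
[2017/06/12 15:46:21.303466, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.303848, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.303867, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
  Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
[2017/06/12 15:46:21.304655, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop)
  This is the third problem for this particular call, adding DC to the negative cache list
[2017/06/12 15:46:21.308015, 2, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2033(winbind_dual_SamLogon)
  NTLM CRAP authentication for user []\[davidh] returned NT_STATUS_NO_MEMORY
"""

# "[timestamp, level, pid=N, ...] source.c:line(function)" starts every entry.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+),"
    r"[^\]]*\]\s+(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)"
)
AUTH_START = re.compile(r"pam auth crap domain:\s*(.*?)\s*user:\s*(\S+)")
NETLOGON_FAIL = re.compile(r"rpccli_create_netlogon_creds failed for ([^,]+),.*?(NT_STATUS_\w+)")
AUTH_END = re.compile(r"authentication for user \[(.*?)\]\\\[(.*?)\] returned (NT_STATUS_\w+)")


def parse_entries(text):
    """Split a winbind debug log into entries; the message is whatever lies
    between one header and the next, so flattened logs parse the same way."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({
            "ts": h["ts"], "level": int(h["level"]), "pid": int(h["pid"]),
            "func": h["func"], "msg": " ".join(text[h.end():end].split()),
        })
    return entries


def summarize_auth(entries):
    """Correlate each AUTH_CRAP request (per winbindd child pid) with its outcome."""
    open_reqs, done = {}, []
    for e in entries:
        if (m := AUTH_START.search(e["msg"])):
            open_reqs[e["pid"]] = {
                "pid": e["pid"], "start": e["ts"], "client_domain": m[1],
                "user": m[2], "netlogon_domain": None, "netlogon_failures": 0,
                "negative_cached": False, "status": None,
            }
            continue
        req = open_reqs.get(e["pid"])
        if req is None:
            continue
        if (m := NETLOGON_FAIL.search(e["msg"])):
            req["netlogon_failures"] += 1
            req["netlogon_domain"] = m[1]
        elif "negative cache" in e["msg"]:
            req["negative_cached"] = True
        elif (m := AUTH_END.search(e["msg"])):
            req["status"] = m[3]
            done.append(open_reqs.pop(e["pid"]))
    return done + list(open_reqs.values())  # unfinished requests keep status None


if __name__ == "__main__":
    for r in summarize_auth(parse_entries(SAMPLE_LOG)):
        print(r)
```

A request whose `client_domain` is empty while `netlogon_domain` is set and `status` is not NT_STATUS_OK matches the symptom described in this thread.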