[Samba] another one of those "cannot authenticate against AD" posts :(

Razvan Cosma razvan.cosma at telemach.com
Thu Sep 25 20:14:36 GMT 2003


   Hello,
 I had a perfectly good setup with samba being a domain member, and 
domain users accessing their shares, since beta1. A month and several 
updates from M$ later, clients were no longer able to log on to the 
samba machine. I know this must be related to the updates, since there 
have been absolutely no configuration / application modifications on the 
linux box, and clients who forgot to install the patches were still able 
to login.
 Hint for the docs: the bloody windows update rewrote the rtfm 
signorseal registry key, but that can be enforced globally from the 
domain controller.
 Now I'm trying with the latest beta - or first stable, as you call it 
since yesterday :)
Status:
- linux box joins the AD fine
- kinit -v, smbclient -k, net ads whatever work as expected, no errors
- no one can login to the samba box. Win 2k/xp report the 
username/password is incorrect, and the logs state:

[2003/09/25 20:20:01, 3] smbd/process.c:process_smb(890)
  Transaction 10 of length 250
[2003/09/25 20:20:01, 3] smbd/process.c:switch_message(685)
  switch message SMBsesssetupX (pid 343)
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X(579)
  wct=12 flg2=0xc807
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(476)
  Doing spnego session setup
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 
5.1]
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
  Got secblob of size 50
[2003/09/25 20:20:01, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(33)
  Got NTLMSSP neg_flags=0xe008b297
[2003/09/25 20:20:01, 3] smbd/process.c:process_smb(890)
  Transaction 11 of length 338
[2003/09/25 20:20:01, 3] smbd/process.c:switch_message(685)
  switch message SMBsesssetupX (pid 343)
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X(579)
  wct=12 flg2=0xc807
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(476)
  Doing spnego session setup
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 
5.1]
[2003/09/25 20:20:01, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
  Got user=[Thatsme] domain=[Mydomain] workstation=[Mine] len1=24 len2=24
[2003/09/25 20:20:01, 3] auth/auth.c:check_ntlm_password(216)
  check_ntlm_password:  Checking password for unmapped user 
[Mydomain]\[Thatsme]@[Mine] with the new password interface
[2003/09/25 20:20:01, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  mapped user is: [Mydomain]\[Thatsme]@[Mine]
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/09/25 20:20:01, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] auth/auth_util.c:make_server_info_info3(1009)
  User Thatsme does not exist, trying to add it
[2003/09/25 20:20:01, 0] auth/auth_util.c:make_server_info_info3(1017)

  make_server_info_info3: pdb_init_sam failed!
... I don't understand this one ..

[2003/09/25 20:20:01, 2] auth/auth.c:check_ntlm_password(309)

  check_ntlm_password:  Authentication for user [Thatsme] -> [Thatsme] 
FAILED with error NT_STATUS_NO_SUCH_USER
... and I definitely have a domain logon ..

[2003/09/25 20:20:04, 3] smbd/process.c:timeout_processing(1099)
  timeout_processing: End of file from client (client has disconnected).

I tried raising the debug level info and got some interesting lines:

[2003/09/25 23:03:09, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad 
encryption type
[2003/09/25 23:03:09, 10] libads/kerberos_verify.c:ads_verify_ticket(303)
  ads_verify_ticket: enc type [3] decrypted message !
[2003/09/25 23:03:09, 10] passdb/secrets.c:secrets_named_mutex_release(709)
  secrets_named_mutex: released mutex for replay cache mutex
[2003/09/25 23:03:09, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
  Got KRB5 session key of length 8
...

[2003/09/25 23:03:09, 3] smbd/sesssetup.c:reply_spnego_kerberos(178)
  Ticket name is [Thatsme at MYDOMAIN.COM]
[2003/09/25 23:03:09, 5] lib/username.c:Get_Pwnam(288)
  Finding user MYDOMAIN.COM\Thatsme
[2003/09/25 23:03:09, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is mydomain.com\thatsme

..and uppercase, and combinations, with and without the domain name 
appended..

[2003/09/25 23:03:10, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
  Username Thatsme is invalid on this system
[2003/09/25 23:03:10, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2003/09/25 23:03:10, 3] smbd/error.c:error_packet(113)
  error packet at smbd/sesssetup.c(220) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE
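
A small triage helper for smbd log excerpts like the ones in this post, added here as an example and not part of the original message or of Samba. It rejoins the header/message records that the mail client split and keeps the entries logged at debug level 2 or lower, or carrying an NT_STATUS error; the function names and the shortened sample text are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the log lines quoted in the post,
# keeping the blank and mail-wrapped lines that split a record's message.
SAMPLE = """\
[2003/09/25 20:20:01, 0] auth/auth_util.c:make_server_info_info3(1017)

  make_server_info_info3: pdb_init_sam failed!
[2003/09/25 20:20:01, 2] auth/auth.c:check_ntlm_password(309)

  check_ntlm_password:  Authentication for user [Thatsme] -> [Thatsme]
FAILED with error NT_STATUS_NO_SUCH_USER
[2003/09/25 23:03:09, 3] smbd/sesssetup.c:reply_spnego_kerberos(178)
  Ticket name is [Thatsme at MYDOMAIN.COM]
[2003/09/25 23:03:10, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
  Username Thatsme is invalid on this system
[2003/09/25 23:03:10, 3] smbd/error.c:error_packet(113)
  error packet at smbd/sesssetup.c(220) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

# Header line: "[date time, level] source.c:function(line)"
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\] (\S+?):(\w+)\(\d+\)$")
STATUS = re.compile(r"NT_STATUS_\w+")

def parse_records(text):
    """Attach every non-header line to the header above it, rejoining wrapped text."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            records.append({"ts": m[1], "level": int(m[2]), "src": m[3], "func": m[4], "msg": ""})
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def auth_failures(records, max_level=2):
    """Keep records logged at debug level <= max_level or carrying a non-OK NT_STATUS."""
    hits = []
    for r in records:
        status = STATUS.search(r["msg"])
        code = status.group() if status else None
        if r["level"] <= max_level or (code and code != "NT_STATUS_OK"):
            hits.append((r["ts"], r["func"], code, r["msg"]))
    return hits

if __name__ == "__main__":
    for ts, func, code, msg in auth_failures(parse_records(SAMPLE)):
        print(ts, func, code or "-", msg, sep=" | ")
```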





