[Samba] Problem authenticating from standalone servers via Samba 3.0.34 domain member servers to Samba 3.2.5 domain controller

Michael Lenaghan michaell at dazzit.com
Sun Jan 24 14:33:00 MST 2010


We recently upgraded our PDC from Debian 4 to Debian 5. That entailed
an upgrade of Samba from 3.0.24 to 3.2.5. Since the upgrade we've had
a very specific problem connecting to shares on a commercial NAS
running Samba 3.0.34.

The problem happens when users try to connect to shares from
standalone servers--e.g., Windows XP Pro boxes that we use for
testing. From those boxes users should be able to expand the domain in
My Network Places\Entire Network\Microsoft Windows Network, navigate
to the NAS, click on it and then get a login dialog where they can
supply domain credentials. What instead happens is that they're told
"There are currently no logon servers available…".

I have run across problems connecting one version of Samba to another
in the past. In those cases I've been able to track down a bug report.
In this case I haven't been able to find a report that matches my test
case so I'm looking for a possible mis-configuration that may have
lain dormant until the PDC was upgraded. (Of course, it's possible
that I just missed a bug report; I'm still looking.)

In order to investigate this problem I configured two Debian boxes as
domain member servers--one with Debian 4 (Samba 3.0.24) and one with
Debian 5 (Samba 3.2.5). On each box I installed nothing but samba and
winbind. I copied the smb.conf [global] section from the NAS and just
did the essential configuration: smbpasswd -a root, net rpc join,
winbind in nsswitch.conf. (Actually, I'm not sure winbind has anything
to do with this--but I was trying to replicate the NAS setup.) After
those steps I selected both boxes in Explorer from a standalone
server. The Debian 4 box showed the same problem as the NAS while the
Debian 5 box worked as expected. (In both cases the PDC was the newly
upgraded box running Samba 3.2.5.)

Everything I've tried seems to indicate that things are properly
configured--with the exception of "wbinfo --getdcname HQ" which
returns "Could not get dc name for HQ" and "wbinfo -a ..." which also
fails. Those two things are probably related--but as you can see below
all other wbinfo commands work correctly.

Is this a known issue that I missed? Any thoughts on where to look further?

Thanks.

===

smb.conf from Debian 5 domain controller (partial):

[global]
security = user
workgroup = HQ
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
os level = 65
wins support = yes
dns proxy = no
name resolve order = lmhosts wins host bcast
smb ports = 139
time server = yes
panic action = /usr/share/samba/panic-action %d
log file = /var/log/samba/log.%m
log level = 2
passdb backend = ldapsam:ldap://srv....
ldapsam:trusted = yes
ldap ssl = start_tls
ldap suffix = ...
...
username map = /etc/samba/smbusers
...scripts...
logon path =
logon drive = H:
logon home = \\nas\%U
logon script = logon.bat
encrypt passwords = yes
admin users = root
guest account = Guest
map to guest = bad user
...printing...
idmap alloc backend = ldap
...
idmap config HQ:default  = yes
idmap config HQ:backend  = ldap
...
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
browseable = no
read only = yes
guest ok = yes

[printers]
...

===

smb.conf from Debian 4 domain member server:

[global]
allow trusted domains = 1
delete readonly = 1
delete veto files = 1
dos charset = CP437
encrypt passwords = 1
follow symlinks = 1
force unknown acl user = 1
force writeback = 1
guest account = nobody
hostname lookups = 1
idmap gid = 35000-65000
idmap uid = 35000-65000
level2 oplocks = 0
load printers = 1
log level = 2 auth:10 lanman:10 smb:10 rpc_parse_:10 rpc_srv:10
rpc_cli:10 passdb:10 sam: 10 winbind:10 idmap:10
map acl inherit = 1
max log size = 256
name resolve order = lmhosts host wins bcast
null passwords = 1
obey pam restrictions = 1
oplocks = 0
orgunit =
passwd program = "/usr/bin/passwd %u"
password server = 192.168.10.10
preserve case = 1
security = domain
server string = %h
short preserve case = 1
store dos attributes = 1
syslog = 0
syslog only = 0
template homedir = /c/home/%D/%U
unix charset = UTF-8
unix password sync = 1
veto files = "/.AppleDouble/.AppleDB/.AppleDesktop/:2eDS_Store/:2eTemporaryItem
winbind enum groups = 1
winbind enum users = 1
winbind use default domain = 1
wins server = 192.168.10.10
workgroup = HQ

===

tests run from Debian 4 domain member server:

# wbinfo --getdcname=HQ
Could not get dc name for HQ

# wbinfo -t
checking the trust secret via RPC calls succeeded

# wbinfo --own-domain
HQ

# wbinfo --trusted-domains

# wbinfo --all-domains
HQ

# wbinfo -u
michaell
...

# wbinfo -g
BUILTIN\administrators
BUILTIN\users
domain admins
domain users
domain guests
domain computers
...

# wbinfo -N srv
192.168.10.10	srv

# wbinfo -I 192.168.10.10
192.168.10.10	SRV

# wbinfo -n michaell
S-1-5-21-675904651-409210946-1000085797-1004 User (1)

# wbinfo -s S-1-5-21-675904651-409210946-1000085797-1004
HQ\michaell 1

# wbinfo -i michaell
michaell:*:6004:5513:...:/c/home/HQ/michaell:/bin/false

# wbinfo -S S-1-5-21-675904651-409210946-1000085797-1004
6004

# wbinfo -U 6004
S-1-5-21-675904651-409210946-1000085797-1004

# wbinfo -r michaell
5513
10001
10003
35001

# wbinfo -G 5513
S-1-5-21-675904651-409210946-1000085797-513

# wbinfo -Y S-1-5-21-675904651-409210946-1000085797-513
5513

# net lookup dc
192.168.10.10

# net lookup master
192.168.10.10

# net lookup srv
192.168.10.10

# net cache list
Key: SAF/DOMAIN/HQ	 Timeout: 10:19:31	 Value: SRV
Key: NBT/HQ#1D	 Timeout: 10:23:12	 Value: 192.168.10.10:0
Key: NBT/SRV#20	 Timeout: 10:13:04	 Value: 192.168.10.10:0  (expired)
Key: NBT/HQ#1C	 Timeout: 10:23:03	 Value: 192.168.10.10:0
Key: NBT/HQ#1B	 Timeout: 10:23:03	 Value: 192.168.10.10:0

# nmblookup -M HQ
added interface ip=192.168.10.120 bcast=192.168.10.255 nmask=255.255.255.0
querying HQ on 192.168.10.255
Got a positive name query response from 192.168.10.10 ( 192.168.10.10 )
192.168.10.10 HQ<1d>

# nmblookup -A 192.168.10.10
added interface ip=192.168.10.120 bcast=192.168.10.255 nmask=255.255.255.0
Looking up status of 192.168.10.10
	SRV             <00> -         H <ACTIVE>
	SRV             <03> -         H <ACTIVE>
	SRV             <20> -         H <ACTIVE>
	..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
	HQ              <1d> -         H <ACTIVE>
	HQ              <1b> -         H <ACTIVE>
	HQ              <1c> - <GROUP> H <ACTIVE>
	HQ              <1e> - <GROUP> H <ACTIVE>
	HQ              <00> - <GROUP> H <ACTIVE>

	MAC Address = 00-00-00-00-00-00

# nmblookup -S SRV
added interface ip=192.168.10.120 bcast=192.168.10.255 nmask=255.255.255.0
querying SRV on 192.168.10.255
Got a positive name query response from 192.168.10.10 ( 192.168.10.10 )
192.168.10.10 SRV<00>
Looking up status of 192.168.10.10
	SRV             <00> -         H <ACTIVE>
	SRV             <03> -         H <ACTIVE>
	SRV             <20> -         H <ACTIVE>
	..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
	HQ              <1d> -         H <ACTIVE>
	HQ              <1b> -         H <ACTIVE>
	HQ              <1c> - <GROUP> H <ACTIVE>
	HQ              <1e> - <GROUP> H <ACTIVE>
	HQ              <00> - <GROUP> H <ACTIVE>

	MAC Address = 00-00-00-00-00-00

===

selected log excerpts from Debian 4 domain member server when user
selects the box in Explorer:

==> log.smbd <==
[2010/01/24 10:50:23, 2] smbd/reply.c:reply_special(496)
  netbios connect: name1=DEBIAN4TEST     name2=ML-WINXP
...
[2010/01/24 10:50:23, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [ML-WINXP]\[Administrator] from
workstation [ML-WINXP]
...
[2010/01/24 10:50:23, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user
[ML-WINXP]\[Administrator]@[ML-WINXP] with the new password interface
[2010/01/24 10:50:23, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [HQ]\[Administrator]@[ML-WINXP]
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(233)
  check_ntlm_password: auth_context challenge created by NTLMSSP
callback (NTLM2)
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(235)
  challenge is:
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: guest had nothing to say
[2010/01/24 10:50:23, 6] auth/auth_sam.c:check_samstrict_security(414)
  check_samstrict_security: HQ is not one of my local names (ROLE_DOMAIN_MEMBER)
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: sam had nothing to say
[2010/01/24 10:50:23, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [Administrator]
FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2010/01/24 10:50:23, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [Administrator] ->
[Administrator] FAILED with error NT_STATUS_NO_LOGON_SERVERS

 *** Note: The above login *should* fail, but it's failing for the
wrong reason. I'm logged into a non-domain member server as
Administrator. That account has a different password than the
Administrator on the domain. Presumably the failure should be an
invalid password, which would then bring up the login dialog on the
client; instead NT_STATUS_NO_LOGON_SERVERS is being passed to the
client, preventing any login attempt. ***

===

#  wbinfo -a HQ\\michaell%...
plaintext password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user HQ\michaell%... with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user HQ\michaell with challenge/response

log for above:

[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
  add_schannel_auth_footer: SCHANNEL seq_num=41
[2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
[2010/01/24 11:10:57, 10]
rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
  cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
  rpc_api_pipe: got PDU len of 304 at offset 0
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned
472 bytes.
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
  add_schannel_auth_footer: SCHANNEL seq_num=43
[2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
[2010/01/24 11:10:57, 10]
rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
  cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
  rpc_api_pipe: got PDU len of 304 at offset 0
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned
472 bytes.
[2010/01/24 11:10:57, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1290)
  Plain-text authentication for user HQ\michaell returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
  add_schannel_auth_footer: SCHANNEL seq_num=45
[2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
[2010/01/24 11:10:57, 10]
rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
  cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
  rpc_api_pipe: got PDU len of 304 at offset 0
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned
472 bytes.
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
  add_schannel_auth_footer: SCHANNEL seq_num=47
[2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
[2010/01/24 11:10:57, 10]
rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
  cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
  rpc_api_pipe: got PDU len of 304 at offset 0
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned
472 bytes.
[2010/01/24 11:10:57, 2]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1635)
  NTLM CRAP authentication for user [HQ]\[michaell] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
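
The note above argues that the member server should be relaying a wrong-password verdict from the DC rather than NT_STATUS_NO_LOGON_SERVERS. As an added example, not from the original post or from the Samba project, here is a small Python triage script that parses the check_ntlm_password chain out of a level-10 smbd log, folds lines that were wrapped by the mail client, records which authentication module answered (guest, sam, winbind), and classifies the final NT status as either a domain-controller reachability problem or a credential rejection. The first sample is the smbd log excerpt from the post; the second is a constructed variant showing the wrong-password outcome the note expects. The two status-code groupings and the function names are this example's own assumptions.

```python
"""Triage the check_ntlm_password chain in a Samba 3 smbd debug log (added example)."""
import re

# Header line of a Samba 3 debug entry: "[date time, level] file:function(line)".
# The source location is optional because mail wrapping sometimes pushes it
# onto the following line (see the rpc_client entries in the post).
HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+),\s*(?P<level>\d+)\]\s*(?P<src>\S*)$")

MAPPED_RE = re.compile(
    r"mapped user is: \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<wks>[^\]]*)\]")
NOTHING_RE = re.compile(r"^check_ntlm_password:\s+(?P<module>\w+) had nothing to say$")
MODULE_FAIL_RE = re.compile(
    r"^check_ntlm_password:\s+(?P<module>\w+) authentication for user \[[^\]]*\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)$")
FINAL_RE = re.compile(
    r"^check_ntlm_password:\s+Authentication for user \[(?P<user>[^\]]*)\] -> "
    r"\[[^\]]*\] FAILED with error (?P<status>NT_STATUS_\w+)$")

# Assumed groupings: statuses that mean "the DC could not be consulted" versus
# statuses that mean "the DC was consulted and rejected the credentials".
DC_REACHABILITY = {"NT_STATUS_NO_LOGON_SERVERS", "NT_STATUS_NO_TRUST_SAM_ACCOUNT",
                   "NT_STATUS_TRUSTED_DOMAIN_FAILURE", "NT_STATUS_CANT_ACCESS_DOMAIN_INFO"}
CREDENTIALS_REJECTED = {"NT_STATUS_WRONG_PASSWORD", "NT_STATUS_LOGON_FAILURE",
                        "NT_STATUS_NO_SUCH_USER", "NT_STATUS_ACCOUNT_DISABLED",
                        "NT_STATUS_ACCOUNT_LOCKED_OUT"}


def parse_entries(text):
    """Group a debug log into (level, src, message) records.

    Each header line starts a record; every non-header line that follows
    (including mail-wrapped continuations) is folded into that record's message.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"level": int(m.group("level")), "src": m.group("src"), "parts": []}
            entries.append(current)
        elif current is not None:
            if not current["src"] and "(" in line and line.endswith(")"):
                current["src"] = line          # source location wrapped onto its own line
            else:
                current["parts"].append(line)
    return [(e["level"], e["src"], " ".join(e["parts"])) for e in entries]


def triage_ntlm_auth(text):
    """Summarise one NTLM authentication attempt and classify its final NT status."""
    result = {"mapped_user": None, "modules": [], "final_status": None, "category": "unknown"}
    for _level, src, msg in parse_entries(text):
        if "check_ntlm_password" not in src:
            continue
        m = MAPPED_RE.search(msg)
        if m:
            result["mapped_user"] = (m.group("dom"), m.group("user"), m.group("wks"))
            continue
        m = NOTHING_RE.match(msg)
        if m:
            result["modules"].append((m.group("module"), "nothing to say"))
            continue
        m = MODULE_FAIL_RE.match(msg)
        if m:
            result["modules"].append((m.group("module"), m.group("status")))
            continue
        m = FINAL_RE.match(msg)
        if m:
            result["final_status"] = m.group("status")
    status = result["final_status"]
    if status in DC_REACHABILITY:
        result["category"] = "dc_unreachable"      # check wbinfo -t / --getdcname / net lookup dc
    elif status in CREDENTIALS_REJECTED:
        result["category"] = "credentials_rejected"  # DC answered; client should get a login prompt
    return result


# Sample 1: the smbd excerpt from the post, kept in its mail-wrapped form.
PAGE_LOG = r"""
[2010/01/24 10:50:23, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user
[ML-WINXP]\[Administrator]@[ML-WINXP] with the new password interface
[2010/01/24 10:50:23, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [HQ]\[Administrator]@[ML-WINXP]
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(233)
  check_ntlm_password: auth_context challenge created by NTLMSSP
callback (NTLM2)
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(235)
  challenge is:
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: guest had nothing to say
[2010/01/24 10:50:23, 6] auth/auth_sam.c:check_samstrict_security(414)
  check_samstrict_security: HQ is not one of my local names (ROLE_DOMAIN_MEMBER)
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: sam had nothing to say
[2010/01/24 10:50:23, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [Administrator]
FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2010/01/24 10:50:23, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [Administrator] ->
[Administrator] FAILED with error NT_STATUS_NO_LOGON_SERVERS
"""

# Sample 2: constructed (not from the post) - the outcome the note expects when
# the DC is reachable and simply rejects the standalone box's password.
CONSTRUCTED_WRONG_PASSWORD_LOG = r"""
[2010/01/24 10:52:01, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [HQ]\[Administrator]@[ML-WINXP]
[2010/01/24 10:52:01, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: guest had nothing to say
[2010/01/24 10:52:01, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: sam had nothing to say
[2010/01/24 10:52:01, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [Administrator]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2010/01/24 10:52:01, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [Administrator] ->
[Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

if __name__ == "__main__":
    for name, log in (("post excerpt", PAGE_LOG), ("constructed", CONSTRUCTED_WRONG_PASSWORD_LOG)):
        print(name, triage_ntlm_auth(log))
```

Run it against a real log with `log level = 10` (or the `auth:10` class shown in the member server's smb.conf) and feed the file contents to `triage_ntlm_auth`; a `dc_unreachable` verdict on a member server whose `wbinfo -t` succeeds is exactly the contradiction the post describes, and it points at the NETLOGON exchange rather than at the user's credentials.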

