[Samba] Samba 3.0.33, security = domain and Windows 2008 R2
Robert Freeman-Day
presgas at gmail.com
Thu Nov 4 07:06:03 MDT 2010
Ray,

There was indeed an issue with the old RHEL samba packages and 2008r2.
There was a bug report issued about it and RHEL released a newer samba
package that can talk 2008r2:

https://bugzilla.redhat.com/show_bug.cgi?id=561325

I wrote a wiki on migrating to the samba3x package that has worked well
for our group:

https://uisapp2.iu.edu/confluence-prd/x/FgQCBw

Updating to the new package will work across all the Domain Controllers.

Hope that helps,
Robert

On 11/04/2010 07:15 AM, Gaiseric Vandal wrote:
> Looking through the release notes for samba 3.0.28a - 3.0.37 there does not
> seem to be mention of 2008 R2. The following link may explain why it
> doesn't work and a possible fix.
>
> http://www.openg.info/entry/win-2008-r2-samba
>
> But Samba 3.0.x is end-of-lifed so I think you're best off moving to Samba
> 3.4.x.
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Ray Van Dolson
> Sent: Wednesday, November 03, 2010 4:37 PM
> To: samba at lists.samba.org
> Subject: [Samba] Samba 3.0.33, security = domain and Windows 2008 R2
>
> I have a number of Samba servers on RHEL (Samba 3.0.33) in an AD
> environment using a mix of Windows 2008 and Windows 2008 R2 servers.
> Configuration file is pretty minimal:
>
> [global]
> workgroup = AVWORLD
> security = DOMAIN
> log file = /var/log/samba/samba.log
> max log size = 500
> wins server = 10.50.4.31
> dns proxy = no
> #log level = 10
> log level = 3 passdb:5 auth:10 winbind:2
> password server = *
> #username map = /etc/samba/username.map
> socket options = TCP_NODELAY
>
> This works fine as long as the Samba server in question is talking to
> one of the Windows 2008 servers.
>
> Via some sort of SMB magic, from time to time, the domain controller
> the Samba server communicates with changes to one of the Windows 2008
> R2 servers. At that point, problems begin:
>
> [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info_map(161)
> make_user_info_map: Mapping user [AVWORLD]\[ray5147] from workstation
> [RAYXP]
> [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(75)
> attempting to make a user_info for ray5147 (ray5147)
> [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(85)
> making strings for ray5147's user_info struct
> [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(117)
> making blobs for ray5147's user_info struct
> [2010/11/03 10:25:44, 10] auth/auth_util.c:make_user_info(135)
> made an encrypted user_info for ray5147 (ray5147)
> [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(221)
> check_ntlm_password: Checking password for unmapped user
> [AVWORLD]\[ray5147]@[RAYXP] with the new password interface
> [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(224)
> check_ntlm_password: mapped user is: [AVWORLD]\[ray5147]@[RAYXP]
> [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(233)
> check_ntlm_password: auth_context challenge created by NTLMSSP callback
> (NTLM2)
> [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(235)
> challenge is:
> [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
> check_ntlm_password: guest had nothing to say
> [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
> check_samstrict_security: AVWORLD is not one of my local names
> (ROLE_DOMAIN_MEMBER)
> [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
> check_ntlm_password: sam had nothing to say
> [2010/11/03 10:25:44, 0]
> rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
> cli_pipe_verify_schannel: auth_len 56.
> [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
> domain_client_validate: unable to validate password for user ray5147 in
> domain AVWORLD to Domain controller REDDC1. Error was
> NT_STATUS_INVALID_PARAMETER.
> [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
> check_ntlm_password: winbind authentication for user [ray5147] FAILED
> with error NT_STATUS_INVALID_PARAMETER
> [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
> check_ntlm_password: Authentication for user [ray5147] -> [ray5147]
> FAILED with error NT_STATUS_INVALID_PARAMETER
> [2010/11/03 10:25:44, 5] auth/auth_util.c:free_user_info(2108)
> attempting to free (and zero) a user_info structure
> [2010/11/03 10:25:44, 10] auth/auth_util.c:free_user_info(2112)
> structure was created for ray5147
>
> (REDDC1 is one of the 2K8 R2 servers and ray5147 is my username). If I
> can convince the system to talk to one of the non-R2 servers again,
> everything is fine.
>
> Looking at the log, the "errors" that jump out are:
>
> [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
> check_samstrict_security: AVWORLD is not one of my local names
> (ROLE_DOMAIN_MEMBER)
> [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
> domain_client_validate: unable to validate password for user ray5147 in
> domain AVWORLD to Domain controller REDDC1. Error was
> NT_STATUS_INVALID_PARAMETER.
> [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
> check_ntlm_password: winbind authentication for user [ray5147] FAILED
> with error NT_STATUS_INVALID_PARAMETER
> [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
> check_ntlm_password: Authentication for user [ray5147] -> [ray5147]
> FAILED with error NT_STATUS_INVALID_PARAMETER
>
> I'm not clear if the first error is a complaint from my Samba client or
> if it's a message returned from the domain controller... the last error
> message doesn't mean anything to me.
>
> Anyone have any thoughts? We've followed the instructions from this KB
> article[1] to configure the R2 servers in the same way the non-R2
> servers are configured.
>
> I haven't yet reproduced the problem on a Samba 3.3 install so I'm
> wondering if the 3.0.x branch just has issues with Windows 2008 R2,
> or if there's a patch out there that could be backported to help.
> Maybe doing security = ads would work better for us....
>
> This problem also has cropped up on our Solaris 10 hosts. Sun provides
> a Samba package based on 3.0.x as well.
>
> Thanks in advance,
> Ray
>
> [1] http://support.microsoft.com/kb/942564
--
________
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
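
Added example, not part of the thread or of Samba's code: a tally of the `domain_client_validate` failures quoted in this message, per domain controller and NT status, which separates a controller that rejects logons with `NT_STATUS_INVALID_PARAMETER` from ordinary bad-password failures. The sample log is constructed from the entries above; `OLDDC1` and `jdoe` are hypothetical names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the log quoted above (header line, then
# wrapped message lines). OLDDC1 and jdoe are hypothetical names.
SAMPLE_LOG = """[2010/11/03 10:25:44, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
  cli_pipe_verify_schannel: auth_len 56.
[2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user ray5147 in
  domain AVWORLD to Domain controller REDDC1. Error was
  NT_STATUS_INVALID_PARAMETER.
[2010/11/03 10:31:02, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user ray5147 in
  domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
[2010/11/03 11:02:17, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user jdoe in
  domain AVWORLD to Domain controller OLDDC1. Error was NT_STATUS_WRONG_PASSWORD.
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]")
FAILURE = re.compile(
    r"unable to validate password for user (\S+) in\s+domain (\S+) to "
    r"Domain controller (\S+?)\.\s+Error was\s+(NT_STATUS_\w+)")

def messages(text):
    """Yield one string per log entry, with wrapped lines rejoined."""
    parts = None
    for line in text.splitlines():
        if HEADER.match(line):
            if parts is not None:
                yield " ".join(parts)
            parts = []
        elif parts is not None and line.strip():
            parts.append(line.strip())
    if parts is not None:
        yield " ".join(parts)

def failures_by_dc(text):
    """Map each domain controller to a count of the NT_STATUS codes logged for it."""
    tally = defaultdict(Counter)
    for msg in messages(text):
        m = FAILURE.search(msg)
        if m:
            tally[m.group(3)][m.group(4)] += 1  # group 3 = DC, group 4 = status
    return {dc: dict(codes) for dc, codes in tally.items()}

def suspect_dcs(text, status="NT_STATUS_INVALID_PARAMETER"):
    """Controllers whose logged failures all carry `status`."""
    return sorted(d for d, c in failures_by_dc(text).items() if set(c) == {status})
```

Run over a real `log file` with `auth` debugging enabled, `suspect_dcs` names the controllers to compare against the list of 2008 R2 machines.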