[Samba] Winbind 3.5.6 Periodically Failing

Jordan Dohms wraezor at gmail.com
Tue Feb 5 15:53:46 MST 2013


Hello,

We are using Samba (3.5.6~dfsg-3squeeze8) with Winbind to join a
Debian server to our domain for the purpose of AD authentication in
Freeradius (using NTLM_AUTH).  It is set up to the point where we
joined it to the domain and "wbinfo -a NETWORK\\<user>" and ntlm_auth
--user --domain are working as expected.  We are not using winbind
with nsswitch, which I think is called "netlogon proxy only mode".
Kerberos is also set up and I can kinit / klist / kdestroy properly,
though I'm not certain that matters.

Ever since it was set up, however, we have had an issue where the
authentication just stops working, every week, early on Sunday
morning.  To 'fix' authentication again, I simply have to restart the
Winbind daemon.  Once that's done, everything begins 'flowing' again.

Here is my smb.conf

[global]
   workgroup = NETWORK
   server string = %h server
   dns proxy = no
   winbind use default domain = yes
   idmap cache time = 900
   log level = 10

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = ads
   encrypt passwords = true
   obey pam restrictions = yes
   password server = *
   allow trusted domains = no
   realm = NETWORK.FQDN.COM

I'm having some difficulty tracking down the error.  And particularly,
I cannot figure out why it happens, seemingly, on a schedule.  I've
been poking around in logs, 'net cache list' results, etc., and it's
coming up empty.

So far, I am having difficulty pulling the actual error message of the
NTLM_AUTH command when it's failing, but I do have the output of
FreeRadius when it attempts to run the following command:

/usr/bin/ntlm_auth --request-nt-key --username=jdoe --domain=NETWORK
--challenge=0a0a0a0a0a0a0a0a
--nt-response=0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a

Success:
Debug: Exec-Program output: NT_KEY: [SNIP]
Debug: Exec-Program-Wait: plaintext: NT_KEY: [SNIP]
Debug: Exec-Program: returned: 0
Info: [mschap_network] adding MS-CHAPv2 MPPE keys
Info: ++[mschap_network] returns ok

Failure:
Debug: Exec-Program output: Reading winbind reply failed! (0xc0000001)
Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Debug: Exec-Program: returned: 1
Info: [mschap_network] External script failed.
Info: [mschap_network] FAILED: MS-CHAP2-Response is incorrect
Info: ++[mschap_network] returns reject

As I said, it is absolutely something going on with Winbind.  Where
should I be looking to get this issue figured out?

Thanks in advance.
Jordan Dohms
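
The failing output quoted above ends in "MS-CHAP2-Response is incorrect" even though the helper itself failed with 0xc0000001 before any credential check. As an added example (not part of the original post), this Python script separates such helper failures from real logon rejections in FreeRADIUS debug output and counts them per weekday and hour. The timestamp prefix, the sample lines and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample. Message texts follow the output quoted in the post;
# the timestamp prefix and the "Logon failure" line are assumptions.
SAMPLE_LOG = """\
Sun Feb  3 06:24:58 2013 : Debug: Exec-Program output: NT_KEY: [SNIP]
Sun Feb  3 06:24:58 2013 : Info: ++[mschap_network] returns ok
Sun Feb  3 06:25:07 2013 : Debug: Exec-Program output: Reading winbind reply failed! (0xc0000001)
Sun Feb  3 06:25:07 2013 : Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Sun Feb  3 06:25:07 2013 : Info: [mschap_network] FAILED: MS-CHAP2-Response is incorrect
Sun Feb  3 06:41:12 2013 : Debug: Exec-Program output: Reading winbind reply failed! (0xc0000001)
Mon Feb  4 09:12:40 2013 : Debug: Exec-Program output: Logon failure (0xc000006d)
Mon Feb  4 09:12:40 2013 : Info: [mschap_network] FAILED: MS-CHAP2-Response is incorrect
"""

# Only the "Exec-Program output" line is matched, so the duplicate
# "Exec-Program-Wait: plaintext" line is not counted twice.
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Debug: "
    r"Exec-Program output: (?P<msg>.*?)(?: \((?P<status>0x[0-9a-fA-F]{8})\))?$"
)

KINDS = {
    0xC0000001: "helper_failure",  # STATUS_UNSUCCESSFUL: no reply from winbindd
    0xC000006D: "logon_failure",   # STATUS_LOGON_FAILURE: credentials were checked
}

def classify(log_text):
    """Return (datetime, kind, message) for every ntlm_auth result line."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        if m["msg"].startswith("NT_KEY:"):
            kind = "ok"
        else:
            code = int(m["status"], 16) if m["status"] else None
            kind = KINDS.get(code, "other_failure")
        events.append((when, kind, m["msg"]))
    return events

def failure_buckets(events):
    """Count helper failures per (weekday, hour) to expose a recurring schedule."""
    return Counter((w.strftime("%a"), w.hour)
                   for w, kind, _ in events if kind == "helper_failure")

if __name__ == "__main__":
    for bucket, count in failure_buckets(classify(SAMPLE_LOG)).items():
        print(bucket, count)
```
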

