NETLOGON auth against Longhorn problem.

iravi67 iRavi67 iravi67 at gmail.com
Tue Jul 22 12:37:54 GMT 2008 

Hi,
   I am using samba 3.0.20 for authenticating users and group lookup against
AD servers. Recently I needed to support Longhorn users. This lead me to
back port patches that are related to join operation against a Longhorn
server.

I referred to following patches from the samba mail thread and back ported
the same to samab-3.0.20 (which my company product uses)

 - patches from mail thread "SPNEGO in Samba - Longhorn Server interop
issues."
 - http://lists.samba.org/archive/samba-cvs/2006-October/071344.htm
 - and changes related to rpc_dce.h.
               #define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb |
NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL)
               #define NETLOGON_NEG_SELECT_AUTH2_FLAGS ((lp_security() ==
SEC_ADS) ? NETLOGON_NEG_AUTH2_ADS_FLAGS : NETLOGON_NEG_AUTH2_FLAGS)

I was able to join the domain. I could see the m/c account created in the
back end  Longhorn server. However, authentication of an user using winbind
API fails.
Specifically, it fails with the following messages.

***********
2008/07/22 12:41:27.642945 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[4] libsmb/credentials.c:cred_session_key(59)
2008/07/22 12:41:27.642980 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
cred_session_key
2008/07/22 12:41:27.643013 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] libsmb/credentials.c:cred_session_key(61)
2008/07/22 12:41:27.643047 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-      clnt_chal: 97C1214AC8833AD2
2008/07/22 12:41:27.643080 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] libsmb/credentials.c:cred_session_key(62)
2008/07/22 12:41:27.643115 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-      srv_chal : A465E7C952B65B2A
2008/07/22 12:41:27.643149 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] libsmb/credentials.c:cred_session_key(63)
2008/07/22 12:41:27.643184 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-      clnt+srv : 3B2709141A3A96FC
2008/07/22 12:41:27.643217 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] libsmb/credentials.c:cred_session_key(64)
2008/07/22 12:41:27.643251 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-      sess_key : 64BA052DB79FD890
2008/07/22 12:41:27.643354 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[4] libsmb/credentials.c:cred_create(90)
2008/07/22 12:41:27.643388 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
cred_create
2008/07/22 12:41:27.643421 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] libsmb/credentials.c:cred_create(92)
2008/07/22 12:41:27.643456 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-      sess_key : 64BA052DB79FD890
2008/07/22 12:41:27.643489 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] libsmb/credentials.c:cred_create(93)
2008/07/22 12:41:27.643523 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-      stor_cred: 97C1214AC8833AD2
2008/07/22 12:41:27.643556 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] libsmb/credentials.c:cred_create(94)
2008/07/22 12:41:27.643590 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-      timestamp: 0
2008/07/22 12:41:27.643622 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] libsmb/credentials.c:cred_create(95)
2008/07/22 12:41:27.643657 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-      timecred : 97C1214AC8833AD2
2008/07/22 12:41:27.643690 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] libsmb/credentials.c:cred_create(96)
2008/07/22 12:41:27.643725 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-      calc_cred: F3EEB913C39AA108
2008/07/22 12:41:27.643764 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[4] rpc_client/cli_netlogon.c:rpccli_net_auth2(231)
2008/07/22 12:41:27.643799 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
cli_net_auth2: srv:\\LH2 acct:NEW-LONG-9$ sc:2 mc: NEW-LONG-9 neg: 600fffff
2008/07/22 12:41:27.643845 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_net.c:init_q_auth_2(797)
2008/07/22 12:41:27.643879 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
init_q_auth_2: 797
2008/07/22 12:41:27.643913 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_misc.c:init_log_info(1407)
2008/07/22 12:41:27.643946 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
make_log_info 1407
2008/07/22 12:41:27.643986 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_net.c:init_q_auth_2(803)
2008/07/22 12:41:27.644021 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
init_q_auth_2: 803
2008/07/22 12:41:27.644054 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_debug(82)
2008/07/22 12:41:27.644088 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
000000 net_io_q_auth_2
2008/07/22 12:41:27.644123 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[6] rpc_parse/parse_prs.c:prs_debug(82)
2008/07/22 12:41:27.644157 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-       000000 smb_io_log_info

//....


2008/07/22 12:41:27.659270 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_uint32(669)
2008/07/22 12:41:27.659303 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-       000c call_id   : 00000008
2008/07/22 12:41:27.659339 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_debug(82)
2008/07/22 12:41:27.659373 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
000010 smb_io_rpc_hdr_resp rpc_hdr_resp
2008/07/22 12:41:27.659407 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_uint32(669)
2008/07/22 12:41:27.659441 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-       0010 alloc_hint: 00000010
2008/07/22 12:41:27.659475 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_uint16(640)
2008/07/22 12:41:27.659510 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-       0014 context_id: 0000
2008/07/22 12:41:27.659546 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_uint8(580)
2008/07/22 12:41:27.659579 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-       0016 cancel_ct : 00
2008/07/22 12:41:27.659612 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_uint8(580)
2008/07/22 12:41:27.659646 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-       0017 reserved  : 00
2008/07/22 12:41:27.659679 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_client/cli_pipe.c:rpc_api_pipe(499)
2008/07/22 12:41:27.659713 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
rpc_api_pipe: len left: 0 smbtrans read: 40
2008/07/22 12:41:27.659749 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[6] rpc_client/cli_pipe.c:rpc_api_pipe(541)
2008/07/22 12:41:27.659783 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
rpc_api_pipe: fragment first and last both set
2008/07/22 12:41:27.659822 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_debug(82)
2008/07/22 12:41:27.659868 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
000018 net_io_r_auth_2
2008/07/22 12:41:27.659903 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[6] rpc_parse/parse_prs.c:prs_debug(82)
2008/07/22 12:41:27.659938 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-       000018 smb_io_chal
2008/07/22 12:41:27.659973 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_uint8s(756)
2008/07/22 12:41:27.660011 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-           0018 data: 00 00 00 00 00 00 00 00
2008/07/22 12:41:27.660045 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[6] rpc_parse/parse_prs.c:prs_debug(82)
2008/07/22 12:41:27.660080 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-       000020 net_io_neg_flags
2008/07/22 12:41:27.660115 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_uint32(669)
2008/07/22 12:41:27.660149 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-           0020 neg_flags: 600fffff
2008/07/22 12:41:27.660182 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[5] rpc_parse/parse_prs.c:prs_ntstatus(699)
2008/07/22 12:41:27.660218 smbserver(28049) vc0 10 samba SMBUtils.cc:177
-       0024 status: NT_STATUS_ACCESS_DENIED
2008/07/22 12:41:27.660252 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(664)
2008/07/22 12:41:27.660287 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
could not open handle to NETLOGON pipe (error: NT_STATUS_ACCESS_DENIED)
2008/07/22 12:41:27.660338 smbserver(28049) vc0 10 samba SMBUtils.cc:153 -
[2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(798)
2008/07/22 12:41:27.660373 smbserver(28049) vc0 10 samba SMBUtils.cc:177 -
NTLM CRAP authentication for user [ROOK8]\[gcr] returned
NT_STATUS_ACCESS_DENIED (PAM: 4)
2008/07/22 12:41:27.660408 smbserver(28049) vc0 10 smbserver
SMBServer.cc:3847 - Crap authentication for user gcr returned
NT_STATUS_ACCESS_DENIED - -1073741790 (PAM: 4)

***********
Even the join operation verification using RPC method in function
net_rpc_join() in file "utils/net_rpc_join.c" also fails with the same error
message.

Note:  I am using the samba as part of a process and directly calling the
APIs instead of running as a daemon. It all works fine with older versions
of Windows server excpet Longhorn.
Also, user authentication using native kerberos and NTLM apis work fine
against Longhorn server after applying above mentioned patches. Only the
winbind pam auth fails.


Is there any other patch need to be applied?

Any help would be much appreciated.

thanks,
--iravi

More information about the samba-technical mailing list