Problems with 3.4, 3.5 auth

Thomas J. Moore thomoore at iupui.edu
Wed Mar 10 14:07:37 MST 2010 

We were recently forced to upgrade from RHEL5's samba to a more recent
one because the university ADS servers were upgraded.  In the process,
we found a few problems.  One I have already reported in bugzilla
directly (#7157).  The other I have no idea what to make of.  Basically,
cifs (the Linux filesystem; various kernels 2.6.18-2.6.31) does not
appear to work with samba versions 3.4.1-3.5.1 and ntlmv2 authentication.

With log level = 2, samba 3.5.1, I get

[2010/03/10 15:46:41.617766,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/03/10 15:46:41.617959,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [thomoore] -> [thomoore]
FAILED with error NT_STATUS_LOGON_FAILURE

It works fine with 3.3.12:

[2010/03/10 15:49:29,  2] smbd/sesssetup.c:setup_new_vc_session(1368)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/03/10 15:49:29,  2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [thomoore] -> [thomoore]
-> [thomoore] succeeded
[2010/03/10 15:49:29,  1] smbd/service.c:make_connection_snum(1134)
  __ffff_149.166.132.202 (::ffff:149.166.132.202) connect to service
hpss-home initially as user thomoore (uid=534568, gid=214) (pid 32219)

It also works fine with smbclient and Windows and Mac clients on
3.4/3.5, and, if I can get it working on the client, with krb5 auth.
Perhaps it is due to the cifs module wanting to multiplex multiple
mounts on a single server connection.  We could just downgrade back to
3.3, but it would be nice if 3.4/3.5 would work as well.  This is
especially true since 3.3 is no longer even maintenance mode, and even
3.4 will apparently be dropped in 6 months.

I apologize if this has already been covered; it's hard for me to think
of an appropriate way of phrasing this issue that doesn't return results
from years ago that are completely unrelated.

Also, in a mostly unrelated note, does anyone build or test with
fake-kaserver at all?  I would think there would at least be attempts to
build, which would've caught the fact that the attempts at localizing
utils/net_afs.c broke it in 3.5.x.

 - Thomas J. Moore
   Research Technology - Research Storage
   University Information Technology Services
   Indiana University/IUPUI

More information about the samba-technical mailing list