user authentication issues with samba4-beta5 as a member server

Jean Raby jraby at inverse.ca
Fri Sep 14 07:38:04 MDT 2012


On 12-09-08 12:12 PM, Jean Raby wrote:
> On 12-09-07 6:21 PM, Andrew Bartlett wrote:
>> On Fri, 2012-09-07 at 17:46 -0400, Jean Raby wrote:
>>> On 12-09-07 12:31 PM, Jean Raby wrote:
>>>> On 12-09-06 6:02 PM, Andrew Bartlett wrote:
>>>>> On Thu, 2012-09-06 at 09:59 -0400, Jean Raby wrote:
>>>>>> On 12-09-05 7:17 PM, Andrew Bartlett wrote:
>>>>>>>>> Alright, I tested this again with beta8 and /usr/sbin/samba
>>>>>>>>> won't even start when configured as a member server.
>>>>>>>>> So I guess the release notes were right;-)
>>>>>>>>>
>>>>>>>>> We've been using samba as a DC along with openchange and sogo
>>>>>>>>> and it works pretty well for our development needs, but we're
>>>>>>>>> trying to find a way to integrate that with existing domains
>>>>>>>>> with a windows DC.
>>>>>>>>>
>>>>>>>>> At first I thought that we'd simply have to join samba as a member
>>>>>>>>> server, but obviously, that won't work for now.
>>>>>>> It is meant to still permit a startup in this situation. Is there
>>>>>>> any chance you could debug the code in source4/smbd/server.c that
>>>>>>> imposes this restriction and work out why it doesn't allow you to
>>>>>>> start up?
>>>>>> Indeed, samba will start if 'dcerpc endpoint servers' contains
>>>>>> 'mapiproxy'. It didn't work in my tests since I was using a minimal
>>>>>> smb.conf without this parameter.
>>>>>>
>>>>>> However, I get the same behavior when trying to authenticate a user
>>>>>> using wbinfo -K :
>>>>>
>>>>> Ahh, this is simple. wbinfo -K is unimplemented in the winbind in the
>>>>> 'samba' binary. wbinfo -a should work however.
>>>>
>>>> Unfortunately 'wbinfo -a' doesn't work either.
>>>> I'll dive in with gdb and try to understand what's going on here.
>>>>
>>>> I've also attached the output from samba -d10, maybe that can be useful
>>>> to understand what's wrong.
>>>>
>>> After digging for a while, it looks like the credentials are correctly
>>> sent to the DC, but it refuses them with 'access denied' as can be seen
>>> in the netlogon debug log:
>>>
>>> 09/07 16:13:04 [LOGON] OPENCHANGE: SamLogon: Network logon of
>>> OPENCHANGE\sogo1 from (via SOGO) Entered
>>> 09/07 16:13:04 [LOGON] OPENCHANGE: SamLogon: Network logon of
>>> OPENCHANGE\sogo1 from (via SOGO) Returns 0xC000002
>>>
>>> Googling around for that kind of issue turned up some results stating
>>> that this could happen if the machine doing the auth request (SOGO in
>>> this case) is not correctly joined to the domain.
>>>
>>> So I went ahead and tried 'wbinfo -t' to test the shared secret (which I
>>> assume is the machine account password?) and that didn't work either.
>>> Here's the netlogon log excerpt:
>>> 09/07 16:14:41 [LOGON] OPENCHANGE: SamLogon: Network logon of
>>> OPENCHANGE\SOGO$ from SOGO (via SOGO) Entered
>>> 09/07 16:14:41 [LOGON] OPENCHANGE: SamLogon: Network logon of
>>> OPENCHANGE\SOGO$ from SOGO (via SOGO) Returns 0xC0000022
>>>
>>> Is that expected at this time or should it work?
>>>
>>> I've also tested the machine password using wbinfo -a 'sogo$' from a
>>> samba3 machine joined to the domain and it worked as expected...
>>
>> Very, very odd. This looks like a genuine bug, and I hope we can sort
>> it out. Certainly it is something we can try and fix after the RC and
>> before the release.
>>
>> Any more details you can get me for reproducing this (not so much the
>> -d10, but you can send that in private if you like, but software
>> versions, exact steps to reproduce etc) would be most helpful.
>>
> The test setup is as follows:
> - Windows 2003 DC (domain: OPENCHANGE)
> - Samba4 beta8 on ubuntu 12.04
>
> On the samba machine I have these settings:
>
> krb5.conf:
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_realm = OPENCHANGE.LOCAL
>
>
> /etc/resolv.conf has only one nameserver entry which is the ip of the DC.
>
> smb.conf:
> [global]
> workgroup = OPENCHANGE
> realm = OPENCHANGE.LOCAL
> netbios name = SOGO
> server role = member server
> passdb backend = samba4
> log level = 5
>
> ### Configuration required by OpenChange server ###
> dcerpc endpoint servers = epmapper, mapiproxy
> dcerpc_mapiproxy:server = true
> dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
> ### Configuration required by OpenChange server ###
>
> /etc/resolv.conf has only one nameserver which is the ip of the DC.
>
> Then, I run these commands to prepare samba and join the domain:
> kinit administrator
> provision --server-role=member -k yes --domain=OPENCHANGE --realm=openchange.local
> samba-tool domain join OPENCHANGE.LOCAL MEMBER -k yes
>
> All these work without complaining.
>
> Then, I simply start samba (samba -d5 -M single -i) and run wbinfo.
>
> FWIW, I've also tested joining the domain without '-k yes' (using -U and
> --password) with the same results.
>
> Let me know if there's any information missing, or if I can do anything
> else to help debug this.
>
> Thanks.
>
As requested by Andrew on irc, here's the samba log and pcaps from my 
test setup.

The DC is running W2003 SP2, the member server is running samba beta8 on 
ubuntu 12.04.

During the capture, I ran these commands in the following order:

   1347370568 (09:36)     kinit administrator
   (09:37)                provision --server-role=member -k yes --domain=OPENCHANGE --realm=openchange.local
   1347370689 (09:38:09)  samba-tool domain join OPENCHANGE.LOCAL MEMBER -k yes
   1347371306 (09:48:26)  wbinfo -u
   1347371326 (09:48:46)  wbinfo -t
   1347371385 (09:49:45)  wbinfo -a sogo1

Let me know if I can provide more information.

Thanks!

-- 
Jean
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.samba.gz
Type: application/x-gzip
Size: 36674 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120914/f55460eb/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: windowsdc-wbinfo.pcap.gz
Type: application/x-gzip
Size: 25206 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120914/f55460eb/attachment-0003.bin>
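The netlogon.log excerpts quoted in this thread carry the diagnostic signal: both the user logon (sogo1) and the machine-account logon (SOGO$) relayed via SOGO return 0xC0000022 (STATUS_ACCESS_DENIED), while the same user authenticates fine via a samba3 member. The script below is an added example, not code from the thread or from Samba; it parses SamLogon "Returns" lines in the format shown above, decodes the well-known NTSTATUS values, and reports per member server whether the machine account itself is being rejected, which is what to check (the shared secret wbinfo -t tests) before debugging user passwords. The sample log lines are constructed after the quoted ones, and the SAMBA3BOX server name is made up for contrast.

```python
"""Decode the SamLogon result lines a Windows DC writes to netlogon.log and
separate failing machine-account (trust) logons from failing user logons.
Added example, not from the thread; the sample log is constructed after the
lines quoted in the thread (SAMBA3BOX is an invented server name)."""
import re
from typing import Dict, Iterable, List

# Well-known NTSTATUS values that show up on "Returns" lines.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000199: "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Line shape taken from the quoted excerpt, e.g.
# "09/07 16:13:04 [LOGON] OPENCHANGE: SamLogon: Network logon of
#  OPENCHANGE\sogo1 from (via SOGO) Returns 0xC0000022"
# The "from" workstation field may be empty, as it is for the sogo1 logon.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] (?P<dc_domain>\S+): "
    r"SamLogon: (?P<kind>\w+) logon of (?P<domain>[^\\]+)\\(?P<account>\S+) "
    r"from (?P<workstation>[^\s(]*) ?\(via (?P<via>[^)]+)\) "
    r"(?P<event>Entered|Returns(?: (?P<status>0x[0-9A-Fa-f]+))?)$"
)

# Constructed sample: the two failing logons from the thread plus one
# successful logon of the same user relayed by a different member server.
SAMPLE_NETLOGON_LOG = """\
09/07 16:13:04 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\sogo1 from (via SOGO) Entered
09/07 16:13:04 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\sogo1 from (via SOGO) Returns 0xC0000022
09/07 16:14:41 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\SOGO$ from SOGO (via SOGO) Entered
09/07 16:14:41 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\SOGO$ from SOGO (via SOGO) Returns 0xC0000022
09/07 16:20:10 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\sogo1 from WS3 (via SAMBA3BOX) Entered
09/07 16:20:10 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\sogo1 from WS3 (via SAMBA3BOX) Returns 0x0
"""


def parse_samlogon_results(lines: Iterable[str]) -> List[Dict]:
    """Return one record per 'Returns' line; 'Entered' lines carry no outcome."""
    results = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("event") == "Entered":
            continue
        raw = m.group("status")
        status = int(raw, 16) if raw else None
        account = m.group("account")
        results.append({
            "ts": m.group("ts"),
            "domain": m.group("domain"),
            "account": account,
            "workstation": m.group("workstation"),
            "via": m.group("via"),
            "status": status,
            # A truncated or unknown code (like the "0xC000002" in the thread)
            # is reported as such rather than guessed at.
            "status_name": NTSTATUS_NAMES.get(status, "UNKNOWN_OR_TRUNCATED"),
            # Trust accounts (machine and interdomain) end in '$'.
            "is_machine_account": account.endswith("$"),
        })
    return results


def assess_member_server(results: List[Dict], via: str) -> Dict:
    """Classify the outcomes of logons relayed by one member server.

    A rejected machine-account logon means the DC does not accept that
    server's secure channel, so every user logon it relays fails the same
    way regardless of the user's password.
    """
    mine = [r for r in results if r["via"].upper() == via.upper()]
    machine_failures = [r for r in mine if r["is_machine_account"] and r["status"] != 0]
    user_failures = [r for r in mine if not r["is_machine_account"] and r["status"] != 0]
    if machine_failures:
        f = machine_failures[0]
        verdict = (f"machine account {f['domain']}\\{f['account']} rejected with "
                   f"{f['status_name']}: fix the member server's trust/secure channel "
                   f"before debugging user credentials")
    elif user_failures:
        verdict = "machine account accepted; user logons fail on credentials or policy"
    elif mine:
        verdict = "all logons relayed by this server succeeded"
    else:
        verdict = "no SamLogon results relayed by this server"
    return {
        "via": via,
        "total": len(mine),
        "machine_failures": len(machine_failures),
        "user_failures": len(user_failures),
        "verdict": verdict,
    }


if __name__ == "__main__":
    recs = parse_samlogon_results(SAMPLE_NETLOGON_LOG.splitlines())
    for r in recs:
        print(f"{r['ts']} {r['domain']}\\{r['account']:<8} via {r['via']:<10} {r['status_name']}")
    for server in ("SOGO", "SAMBA3BOX"):
        print(assess_member_server(recs, server)["verdict"])
```

Run it against a real netlogon.log (after enabling netlogon debug logging on the DC) with `parse_samlogon_results(open(path))`; grouping by the "via" server is what separates a broken domain join on one member from a bad password for one user, which is exactly the distinction wbinfo -t versus wbinfo -a draws on the client side.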

