user authentication issues with samba4-beta5 as a member server

Jean Raby jraby at inverse.ca
Fri Sep 14 07:39:03 MDT 2012


On 12-09-14 9:38 AM, Jean Raby wrote:
> On 12-09-08 12:12 PM, Jean Raby wrote:
>> On 12-09-07 6:21 PM, Andrew Bartlett wrote:
>>> On Fri, 2012-09-07 at 17:46 -0400, Jean Raby wrote:
>>>> On 12-09-07 12:31 PM, Jean Raby wrote:
>>>>> On 12-09-06 6:02 PM, Andrew Bartlett wrote:
>>>>>> On Thu, 2012-09-06 at 09:59 -0400, Jean Raby wrote:
>>>>>>> On 12-09-05 7:17 PM, Andrew Bartlett wrote:
>>>>>>>>>> Alright, I tested this again with beta8 and /usr/sbin/samba
>>>>>>>>>> won't even start when configured as a member server.
>>>>>>>>>> So I guess the release notes were right ;-)
>>>>>>>>>>
>>>>>>>>>> We've been using samba as a DC along with openchange and sogo
>>>>>>>>>> and it works pretty well for our development needs, but we're
>>>>>>>>>> trying to find a way to integrate that with existing domains
>>>>>>>>>> with a windows DC.
>>>>>>>>>>
>>>>>>>>>> At first I thought that we'd simply have to join samba as a
>>>>>>>>>> member server, but obviously, that won't work for now.
>>>>>>>> It is meant to still permit a startup in this situation. Is there
>>>>>>>> any chance you could debug the code in source4/smbd/server.c that
>>>>>>>> imposes this restriction and work out why it doesn't allow you to
>>>>>>>> start up?
>>>>>>> Indeed, samba will start if 'dcerpc endpoint servers' contains
>>>>>>> 'mapiproxy'.
>>>>>>> It didn't work in my tests since I was using a minimal smb.conf
>>>>>>> without this parameter.
>>>>>>>
>>>>>>> However, I get the same behavior when trying to authenticate a user
>>>>>>> using wbinfo -K :
>>>>>>
>>>>>> Ahh, this is simple. wbinfo -K is unimplemented in the winbind in the
>>>>>> 'samba' binary. wbinfo -a should work however.
>>>>>
>>>>> Unfortunately 'wbinfo -a' doesn't work either.
>>>>> I'll dive in with gdb and try to understand what's going on here.
>>>>>
>>>>> I've also attached the output from samba -d10, maybe that can be
>>>>> useful to understand what's wrong.
>>>>>
>>>> After digging for a while, it looks like the credentials are correctly
>>>> sent to the DC, but it refuses them with 'access denied' as can be seen
>>>> in the netlogon debug log:
>>>>
>>>> 09/07 16:13:04 [LOGON] OPENCHANGE: SamLogon: Network logon of
>>>> OPENCHANGE\sogo1 from (via SOGO) Entered
>>>> 09/07 16:13:04 [LOGON] OPENCHANGE: SamLogon: Network logon of
>>>> OPENCHANGE\sogo1 from (via SOGO) Returns 0xC000002
>>>>
>>>> Googling around for that kind of issue turned up some results stating
>>>> that this could happen if the machine doing the auth request (SOGO in
>>>> this case) is not correctly joined to the domain.
>>>>
>>>> So I went ahead and tried 'wbinfo -t' to test the shared secret
>>>> (which I assume is the machine account password?) and that didn't
>>>> work either. Here's the netlogon log excerpt:
>>>> 09/07 16:14:41 [LOGON] OPENCHANGE: SamLogon: Network logon of
>>>> OPENCHANGE\SOGO$ from SOGO (via SOGO) Entered
>>>> 09/07 16:14:41 [LOGON] OPENCHANGE: SamLogon: Network logon of
>>>> OPENCHANGE\SOGO$ from SOGO (via SOGO) Returns 0xC0000022
>>>>
>>>> Is that expected at this time or should it work?
>>>>
>>>> I've also tested the machine password using wbinfo -a 'sogo$' from a
>>>> samba3 machine joined to the domain and it worked as expected...
>>>
>>> Very, very odd. This looks like a genuine bug, and I hope we can sort
>>> it out. Certainly it is something we can try and fix after the RC and
>>> before the release.
>>>
>>> Any more details you can get me for reproducing this (not so much the
>>> -d10, but you can send that in private if you like, but software
>>> versions, exact steps to reproduce etc) would be most helpful.
>>>
>> The test setup is as follows:
>> - Windows 2003 DC (domain: OPENCHANGE)
>> - Samba4 beta8 on ubuntu 12.04
>>
>> On the samba machine I have these settings:
>>
>> krb5.conf:
>> [libdefaults]
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> default_realm = OPENCHANGE.LOCAL
>>
>>
>> /etc/resolv.conf has only one nameserver entry which is the ip of the DC.
>>
>> smb.conf:
>> [global]
>> workgroup = OPENCHANGE
>> realm = OPENCHANGE.LOCAL
>> netbios name = SOGO
>> server role = member server
>> passdb backend = samba4
>> log level = 5
>>
>> ### Configuration required by OpenChange server ###
>> dcerpc endpoint servers = epmapper, mapiproxy
>> dcerpc_mapiproxy:server = true
>> dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
>> ### Configuration required by OpenChange server ###
>>
>> /etc/resolv.conf has only one nameserver which is the ip of the DC.
>>
>> Then, I run these commands to prepare samba and join the domain:
>> kinit administrator
>> provision --server-role=member -k yes --domain=OPENCHANGE --realm=openchange.local
>> samba-tool domain join OPENCHANGE.LOCAL MEMBER -k yes
>>
>> All these work without complaining.
>>
>> Then, I simply start samba (samba -d5 -M single -i) and run wbinfo.
>>
>> FWIW, I've also tested to join the domain without '-k yes' (using -U and
>> --password) with the same results.
>>
>> Let me know if there's any information missing, or if I can do anything
>> else to help debug this.
>>
>> Thanks.
>>
> As requested by Andrew on irc, here's the samba log and pcaps from my
> test setup.
>
> The DC is running W2003 SP2, the member server is running samba beta8 on
> ubuntu 12.04.
>
> During the capture, I ran these commands in the following order:
>
> 1347370568 (09:36) kinit administrator
> 09:37 provision --server-role=member -k yes --domain=OPENCHANGE --realm=openchange.local
> 1347370689 (09:38:09) samba-tool domain join OPENCHANGE.LOCAL MEMBER -k yes
> 1347371306 (09:48:26) wbinfo -u
> 1347371326 (09:48:46) wbinfo -t
> 1347371385 (09:49:45) wbinfo -a sogo1
>
> Let me know if I can provide more information.
>
> Thanks!
>
(missing samba side pcap)

-- 
Jean Raby
jraby at inverse.ca  ::  +1.514.447.4918 (x120) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-join+wbinfo.pcap.gz
Type: application/x-gzip
Size: 50380 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120914/af494236/attachment.bin>
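As an added example (not part of the thread, and not Samba code), this Python script decodes netlogon.log SamLogon result lines in the format quoted above and applies the thread's reasoning: when a member server's own machine account (here SOGO$) is refused with STATUS_ACCESS_DENIED, the join/secure channel is the thing to fix, and user logons relayed through that host fail for the same reason. The sample log lines are constructed from the quoted format; the status names are from the standard NTSTATUS table.

```python
import re

# NTSTATUS values: the one seen in the thread plus the usual SamLogon outcomes
NTSTATUS = {0x0: "STATUS_SUCCESS", 0xC0000022: "STATUS_ACCESS_DENIED",
            0xC000006A: "STATUS_WRONG_PASSWORD", 0xC000006D: "STATUS_LOGON_FAILURE"}

# Matches the "Returns 0x..." lines of netlogon.log ("Entered" lines carry no result).
RESULT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?P<dc_domain>\S+): SamLogon: "
    r"(?P<kind>\w+) logon of (?P<domain>[^\\\s]+)\\(?P<account>\S+) "
    r"from(?: (?P<workstation>\S+))? \(via (?P<via>\S+)\) Returns (?P<status>0x[0-9A-Fa-f]+)$")

# Constructed sample modelled on the excerpts quoted in the thread (not the real log).
SAMPLE_LOG = """\
09/07 16:13:04 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\sogo1 from (via SOGO) Entered
09/07 16:13:04 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\sogo1 from (via SOGO) Returns 0xC0000022
09/07 16:14:41 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\SOGO$ from SOGO (via SOGO) Returns 0xC0000022
09/07 16:20:07 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\alice from WS1 (via FILESRV) Returns 0x0
"""

def parse_netlogon(text):
    # One dict per SamLogon result line, NTSTATUS decoded; other lines are skipped.
    events = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"], 16)
            ev["status_name"] = NTSTATUS.get(ev["status"], "UNKNOWN")
            events.append(ev)
    return events

def triage(events):
    # Group results by the member server that relayed them ("via"). If that host's
    # own machine account (NAME$) is refused, its secure channel (the join) is
    # broken, which also explains every user logon it relays, as in the thread.
    report = {}
    for ev in events:
        host = ev["via"]
        r = report.setdefault(host, {"join_broken": False, "user_failures": []})
        if ev["status"] == 0:
            continue
        if ev["account"].upper() == host.upper() + "$":
            r["join_broken"] = True
        else:
            r["user_failures"].append((ev["account"], ev["status_name"]))
    return report
```

Running `triage(parse_netlogon(SAMPLE_LOG))` flags SOGO as having a broken join alongside its sogo1 failure, while FILESRV shows no failures.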

