[Samba] win bind authentication

Tod B. Schmidt tschmidt at tnc.org
Thu Jun 12 13:37:35 GMT 2003 

I set the logging for auth and winbind to 10 and this is what I am seeing.
Could this possibly be a problem with the Win2K server looking for an SRV
record or somesuch? It seems like just after it tries to connect to the dc I
get these lines

[2003/06/12 09:29:17, 0] rpc_parse/parse_prs.c:prs_mem_get(528)
  prs_mem_get: reading data of size 2 would overrun buffer.
[2003/06/12 09:29:17, 0] rpc_client/cli_pipe.c:rpc_pipe_bind(1484)
  rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.

Thanks for any help with this
-Tod Schmidt

The rest of the log...

[2003/06/12 09:29:16, 10] nsswitch/winbindd.c:client_write(514)
  client_write: need to write 37 extra data bytes.
[2003/06/12 09:29:16, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 37 bytes.
[2003/06/12 09:29:16, 10] nsswitch/winbindd.c:client_write(503)
  client_write: client_write: complete response written.
[2003/06/12 09:29:16, 6] nsswitch/winbindd.c:new_connection(307)
  accepted socket 16
[2003/06/12 09:29:16, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 0 bytes. Need 1312 more for a full request.
[2003/06/12 09:29:16, 5] nsswitch/winbindd.c:winbind_client_read(427)
  read failed on sock 15, pid 10953: EOF
[2003/06/12 09:29:16, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 09:29:16, 10] nsswitch/winbindd.c:process_request(272)
  process_request: request fn PAM_AUTH
[2003/06/12 09:29:16, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(80)
  [10953]: pam auth tschmidt+xxxxxxx
[2003/06/12 09:29:16, 10] nsswitch/winbindd_cm.c:cm_get_dc_name(178)
  Creating get_dc_name_cache entry for TNCTEST
[2003/06/12 09:29:16, 4] nsswitch/winbindd_cm.c:cm_ads_find_dc(112)
  cm_ads_find_dc: domain=TNCTEST
[2003/06/12 09:29:16, 4] nsswitch/winbindd_cm.c:cm_ads_find_dc(129)
  cm_ads_find_dc: using server='DCTEST' IP=10.1.15.80
[2003/06/12 09:29:16, 3] nsswitch/winbindd_cm.c:cm_get_dc_name(208)
  cm_get_dc_name: Returning DC DCTEST (10.1.15.80) for domain TNCTEST
[2003/06/12 09:29:16, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(238)
  IPC$ connections done by user TSCHMIDT\xxxxxxx
[2003/06/12 09:29:16, 5] nsswitch/winbindd_cm.c:cm_open_connection(364)
  connecting to DCTEST from MAILDEV with username [TSCHMIDT]\[xxxxxxx]
[2003/06/12 09:29:17, 0] rpc_parse/parse_prs.c:prs_mem_get(528)
  prs_mem_get: reading data of size 2 would overrun buffer.
[2003/06/12 09:29:17, 0] rpc_client/cli_pipe.c:rpc_pipe_bind(1484)
  rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.
[2003/06/12 09:29:17, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(133)
  could not open handle to NETLOGON pipe
[2003/06/12 09:29:17, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(167)
  Plain-text authentication for user tschmidt+xxxxxxx returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
[2003/06/12 09:29:17, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 1300 bytes.
[2003/06/12 09:29:17, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 09:29:17, 10] nsswitch/winbindd.c:process_request(272)
  process_request: request fn INFO
[2003/06/12 09:29:17, 3] nsswitch/winbindd_misc.c:winbindd_info(196)
  [10953]: request misc info
[2003/06/12 09:29:17, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 1300 bytes.
[2003/06/12 09:29:17, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 09:29:17, 10] nsswitch/winbindd.c:process_request(272)
  process_request: request fn AUTH_CRAP
[2003/06/12 09:29:17, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(237)
  [10953]: pam auth crap domain: TSCHMIDT user: xxxxxxx
[2003/06/12 09:29:17, 10] nsswitch/winbindd_cm.c:cm_get_dc_name(167)
  returning positive get_dc_name_cache entry for TNCTEST
[2003/06/12 09:29:17, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(238)
  IPC$ connections done by user TSCHMIDT\xxxxxxx
[2003/06/12 09:29:17, 5] nsswitch/winbindd_cm.c:cm_open_connection(364)
  connecting to DCTEST from MAILDEV with username [TSCHMIDT]\[xxxxxxx]
[2003/06/12 09:29:17, 0] rpc_parse/parse_prs.c:prs_mem_get(528)
  prs_mem_get: reading data of size 2 would overrun buffer.
[2003/06/12 09:29:17, 0] rpc_client/cli_pipe.c:rpc_pipe_bind(1484)
  rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.
[2003/06/12 09:29:17, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(292)
  could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
[2003/06/12 09:29:17, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(342)
  NTLM CRAP authentication for user [TSCHMIDT]\[xxxxxxx] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
[2003/06/12 09:29:17, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 1300 bytes.
[2003/06/12 09:29:17, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 0 bytes. Need 1312 more for a full request.
[2003/06/12 09:29:17, 5] nsswitch/winbindd.c:winbind_client_read(427)
  read failed on sock 16, pid 10953: EOF

-----Original Message-----
From: Chere Zhou [mailto:qzhou at isilon.com]
Sent: Wednesday, June 11, 2003 5:25 PM
To: tschmidt at TNC.ORG; samba at lists.samba.org
Subject: Re: [Samba] win bind authentication


I looked back at your message, and it seems that you can ping, can list
users
and groups, but -t and user login always fail, is that right?  That's kind
of
strange to me.  Did you do -t and user login with the password server set
too?  Maybe you should bump up debug level and send us the logs.


On Wednesday 11 June 2003 12:51 pm, Tod B. Schmidt wrote:
> I can ping the winbindd and I have tried both with and without the
password
> server set.
>
> -Tod
>
> -----Original Message-----
> From: Chere Zhou [mailto:qzhou at isilon.com]
> Sent: Wednesday, June 11, 2003 2:42 PM
> To: tschmidt at tnc.org; samba at lists.samba.org
> Subject: Re: [Samba] win bind authentication
>
>
> Is "wbinfo -p" fine? if not, restart winbindd.  If still not, try put
> "password server = pdc-name" into your smb.conf and restart again.
>
> On Wednesday 11 June 2003 11:09 am, Tod B. Schmidt wrote:
> > Yes, I can do kinit and then log into my win2k machines with smbclient
> > fine, but cannot log into my samba accounts from my win2k box.
> >
> > I think the fact that winbind -t fails is significant, but I can join
the
> > domain fine, so I am not sure what is happening here.
> >
> > [root at maildev etc]# net join
> > [2003/06/11 14:01:38, 0] libads/ldap.c:ads_join_realm(1352)
> >   Host account for maildev already exists - deleting old account
> > Joined 'MAILDEV' to realm 'TNCTEST.ORG'
> >
> > [root at maildev etc]# wbinfo -t
> > checking the trust secret via RPC calls failed
> > error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
> > Could not check secret
> >
> > Also, when I list wbinfo -u or getent passwd I get entries that start
> > with TNCTEST and not TNCTEST.ORG, not sure if that is important.
Kerberos
> > will not authenticate against the realm TNCTEST so I think it has to be
> > TNCTEST.ORG
> >
> > Thanks,
> > Tod Schmidt
> >
> >
> > -----Original Message-----
> > From: Brandon Lederer [mailto:brandonl at hms4emc.com]
> > Sent: Wednesday, June 11, 2003 1:41 PM
> > To: 'tschmidt at tnc.org'; samba at lists.samba.org
> > Subject: RE: [Samba] win bind authentication
> >
> >
> > You guys got the encryption on?
> >
> > -----Original Message-----
> > From: Tod B. Schmidt [mailto:tschmidt at tnc.org]
> > Sent: Wednesday, June 11, 2003 12:38 PM
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] winbind authentication
> >
> >
> >
> >
> > I am getting this same error when trying to authenticate. Very
> > frustrating because everything else works, wbinfo, getent. I can login
to
> > Win2K server wth kerberos, but I always see NT_STATUS_NO_LOGON_SERVERS
> > when trying to authenticate.
> >
> > [root at maildev etc]# wbinfo -a user+password
> > plaintext password authentication failed
> > error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> > error messsage was: No logon servers
> > Could not authenticate user user+password with plaintext password
> > challenge/response password authentication failed
> > error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> > error messsage was: No logon servers
> > Could not authenticate user user+password with challenge/response
> >
> > The only other thing that fails is wbinfo -t
> >
> > [root at maildev etc]# wbinfo -t
> > checking the trust secret via RPC calls failed
> > error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
> > Could not check secret
> >
> > I have joined the computer to the domain but am just beating my head
> > against this issue.
> >
> > Any thoughts out there?
> >
> > TIA,
> > T Schmidt
> >
> > >>I am having the same issue. I am running Samba 3 Alpha 24 trying to
> >
> > connect to a W2K3 Server with AD. If I getent or chown I can see all my
> >
> > >>domain users, but sshd, login, etc (PAM apps) cant see the accounts.
>
> When
>
> > I try to login to the console as a AD user or SSH I get the following
> > >>in /var/log/messages Jun 2 20:38:58 gonzo pam_winbind[1900]: request
> > failed: No logon servers, PAM error was 4, NT error was
> >
> > >>NT_STATUS_NO_LOGON_SERVERS The issue is when I do wbinfo I can see
> >
> > everything.... My config is as follows: [global]

More information about the samba mailing list