[Samba] win bind authentication

Chere Zhou qzhou at isilon.com
Thu Jun 12 18:15:13 GMT 2003


I am out of wits here with RPC and winbindd_pam stuff. 

What version of samba are you using?  Upgrade to 3.0beta1 if that's not the 
one you are using.  If it is, you probably want to file a bug.


On Thursday 12 June 2003 06:37 am, Tod B. Schmidt wrote:
> I set the logging for auth and winbind to 10 and this is what I am seeing.
> Could this possibly be a problem with the Win2K server looking for an SRV
> record or somesuch? It seems like just after it tries to connect to the dc
> I get these lines
>
> [2003/06/12 09:29:17, 0] rpc_parse/parse_prs.c:prs_mem_get(528)
>   prs_mem_get: reading data of size 2 would overrun buffer.
> [2003/06/12 09:29:17, 0] rpc_client/cli_pipe.c:rpc_pipe_bind(1484)
>   rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.
>
> Thanks for any help with this
> -Tod Schmidt
>
> The rest of the log...
>
> [2003/06/12 09:29:16, 10] nsswitch/winbindd.c:client_write(514)
>   client_write: need to write 37 extra data bytes.
> [2003/06/12 09:29:16, 10] nsswitch/winbindd.c:client_write(469)
>   client_write: wrote 37 bytes.
> [2003/06/12 09:29:16, 10] nsswitch/winbindd.c:client_write(503)
>   client_write: client_write: complete response written.
> [2003/06/12 09:29:16, 6] nsswitch/winbindd.c:new_connection(307)
>   accepted socket 16
> [2003/06/12 09:29:16, 10] nsswitch/winbindd.c:winbind_client_read(422)
>   client_read: read 0 bytes. Need 1312 more for a full request.
> [2003/06/12 09:29:16, 5] nsswitch/winbindd.c:winbind_client_read(427)
>   read failed on sock 15, pid 10953: EOF
> [2003/06/12 09:29:16, 10] nsswitch/winbindd.c:winbind_client_read(422)
>   client_read: read 1312 bytes. Need 0 more for a full request.
> [2003/06/12 09:29:16, 10] nsswitch/winbindd.c:process_request(272)
>   process_request: request fn PAM_AUTH
> [2003/06/12 09:29:16, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(80)
>   [10953]: pam auth tschmidt+xxxxxxx
> [2003/06/12 09:29:16, 10] nsswitch/winbindd_cm.c:cm_get_dc_name(178)
>   Creating get_dc_name_cache entry for TNCTEST
> [2003/06/12 09:29:16, 4] nsswitch/winbindd_cm.c:cm_ads_find_dc(112)
>   cm_ads_find_dc: domain=TNCTEST
> [2003/06/12 09:29:16, 4] nsswitch/winbindd_cm.c:cm_ads_find_dc(129)
>   cm_ads_find_dc: using server='DCTEST' IP=10.1.15.80
> [2003/06/12 09:29:16, 3] nsswitch/winbindd_cm.c:cm_get_dc_name(208)
>   cm_get_dc_name: Returning DC DCTEST (10.1.15.80) for domain TNCTEST
> [2003/06/12 09:29:16, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(238)
>   IPC$ connections done by user TSCHMIDT\xxxxxxx
> [2003/06/12 09:29:16, 5] nsswitch/winbindd_cm.c:cm_open_connection(364)
>   connecting to DCTEST from MAILDEV with username [TSCHMIDT]\[xxxxxxx]
> [2003/06/12 09:29:17, 0] rpc_parse/parse_prs.c:prs_mem_get(528)
>   prs_mem_get: reading data of size 2 would overrun buffer.
> [2003/06/12 09:29:17, 0] rpc_client/cli_pipe.c:rpc_pipe_bind(1484)
>   rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.
> [2003/06/12 09:29:17, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(133)
>   could not open handle to NETLOGON pipe
> [2003/06/12 09:29:17, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(167)
>   Plain-text authentication for user tschmidt+xxxxxxx returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
> [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:client_write(469)
>   client_write: wrote 1300 bytes.
> [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:winbind_client_read(422)
>   client_read: read 1312 bytes. Need 0 more for a full request.
> [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:process_request(272)
>   process_request: request fn INFO
> [2003/06/12 09:29:17, 3] nsswitch/winbindd_misc.c:winbindd_info(196)
>   [10953]: request misc info
> [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:client_write(469)
>   client_write: wrote 1300 bytes.
> [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:winbind_client_read(422)
>   client_read: read 1312 bytes. Need 0 more for a full request.
> [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:process_request(272)
>   process_request: request fn AUTH_CRAP
> [2003/06/12 09:29:17, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(237)
>   [10953]: pam auth crap domain: TSCHMIDT user: xxxxxxx
> [2003/06/12 09:29:17, 10] nsswitch/winbindd_cm.c:cm_get_dc_name(167)
>   returning positive get_dc_name_cache entry for TNCTEST
> [2003/06/12 09:29:17, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(238)
>   IPC$ connections done by user TSCHMIDT\xxxxxxx
> [2003/06/12 09:29:17, 5] nsswitch/winbindd_cm.c:cm_open_connection(364)
>   connecting to DCTEST from MAILDEV with username [TSCHMIDT]\[xxxxxxx]
> [2003/06/12 09:29:17, 0] rpc_parse/parse_prs.c:prs_mem_get(528)
>   prs_mem_get: reading data of size 2 would overrun buffer.
> [2003/06/12 09:29:17, 0] rpc_client/cli_pipe.c:rpc_pipe_bind(1484)
>   rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.
> [2003/06/12 09:29:17, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(292)
>   could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
> [2003/06/12 09:29:17, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(342)
>   NTLM CRAP authentication for user [TSCHMIDT]\[xxxxxxx] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
> [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:client_write(469)
>   client_write: wrote 1300 bytes.
> [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:winbind_client_read(422)
>   client_read: read 0 bytes. Need 1312 more for a full request.
> [2003/06/12 09:29:17, 5] nsswitch/winbindd.c:winbind_client_read(427)
>   read failed on sock 16, pid 10953: EOF
>
> -----Original Message-----
> From: Chere Zhou [mailto:qzhou at isilon.com]
> Sent: Wednesday, June 11, 2003 5:25 PM
> To: tschmidt at TNC.ORG; samba at lists.samba.org
> Subject: Re: [Samba] win bind authentication
>
>
> I looked back at your message, and it seems that you can ping, can list
> users and groups, but -t and user login always fail, is that right?  That's
> kind of strange to me.  Did you do -t and user login with the password
> server set too?  Maybe you should bump up debug level and send us the logs.
>
> On Wednesday 11 June 2003 12:51 pm, Tod B. Schmidt wrote:
> > I can ping the winbindd and I have tried both with and without the
> > password server set.
> >
> > -Tod
> >
> > -----Original Message-----
> > From: Chere Zhou [mailto:qzhou at isilon.com]
> > Sent: Wednesday, June 11, 2003 2:42 PM
> > To: tschmidt at tnc.org; samba at lists.samba.org
> > Subject: Re: [Samba] win bind authentication
> >
> >
> > Is "wbinfo -p" fine? If not, restart winbindd.  If still not, try putting
> > "password server = pdc-name" into your smb.conf and restart again.
> >
> > On Wednesday 11 June 2003 11:09 am, Tod B. Schmidt wrote:
> > > Yes, I can do kinit and then log into my win2k machines with smbclient
> > > fine, but cannot log into my samba accounts from my win2k box.
> > >
> > > I think the fact that winbind -t fails is significant, but I can join
> > > the domain fine, so I am not sure what is happening here.
> > >
> > > [root at maildev etc]# net join
> > > [2003/06/11 14:01:38, 0] libads/ldap.c:ads_join_realm(1352)
> > >   Host account for maildev already exists - deleting old account
> > > Joined 'MAILDEV' to realm 'TNCTEST.ORG'
> > >
> > > [root at maildev etc]# wbinfo -t
> > > checking the trust secret via RPC calls failed
> > > error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
> > > Could not check secret
> > >
> > > Also, when I list wbinfo -u or getent passwd I get entries that start
> > > with TNCTEST and not TNCTEST.ORG, not sure if that is important.
> > > Kerberos will not authenticate against the realm TNCTEST so I think it
> > > has to be TNCTEST.ORG
> > >
> > > Thanks,
> > > Tod Schmidt
> > >
> > >
> > > -----Original Message-----
> > > From: Brandon Lederer [mailto:brandonl at hms4emc.com]
> > > Sent: Wednesday, June 11, 2003 1:41 PM
> > > To: 'tschmidt at tnc.org'; samba at lists.samba.org
> > > Subject: RE: [Samba] win bind authentication
> > >
> > >
> > > You guys got the encryption on?
> > >
> > > -----Original Message-----
> > > From: Tod B. Schmidt [mailto:tschmidt at tnc.org]
> > > Sent: Wednesday, June 11, 2003 12:38 PM
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] winbind authentication
> > >
> > >
> > >
> > >
> > > I am getting this same error when trying to authenticate. Very
> > > frustrating because everything else works, wbinfo, getent. I can login
> > > to Win2K server with kerberos, but I always see
> > > NT_STATUS_NO_LOGON_SERVERS when trying to authenticate.
> > >
> > > [root at maildev etc]# wbinfo -a user+password
> > > plaintext password authentication failed
> > > error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> > > error messsage was: No logon servers
> > > Could not authenticate user user+password with plaintext password
> > > challenge/response password authentication failed
> > > error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> > > error messsage was: No logon servers
> > > Could not authenticate user user+password with challenge/response
> > >
> > > The only other thing that fails is wbinfo -t
> > >
> > > [root at maildev etc]# wbinfo -t
> > > checking the trust secret via RPC calls failed
> > > error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
> > > Could not check secret
> > >
> > > I have joined the computer to the domain but am just beating my head
> > > against this issue.
> > >
> > > Any thoughts out there?
> > >
> > > TIA,
> > > T Schmidt
> > >
> > > >>I am having the same issue. I am running Samba 3 Alpha 24 trying to
> > > >>connect to a W2K3 Server with AD. If I getent or chown I can see all my
> > > >>domain users, but sshd, login, etc (PAM apps) can't see the accounts.
> > > >>When I try to login to the console as an AD user or SSH I get the
> > > >>following in /var/log/messages
> > > >>Jun 2 20:38:58 gonzo pam_winbind[1900]: request failed: No logon servers, PAM error was 4, NT error was NT_STATUS_NO_LOGON_SERVERS
> > > >>The issue is when I do wbinfo I can see everything.... My config is as
> > > >>follows: [global]
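
Added example, not part of the original thread and not Samba's own code: a small parser for the debug-log format quoted above. It rejoins entries that the mail client wrapped and pairs each failed auth request with the level-0 errors logged since that request began. The function names are hypothetical and the sample is constructed from lines of the quoted log.

```python
import re

# Samba debug header: "[date time, level] file:function(line)"; \s* tolerates mail wrapping.
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*([\w./-]+):(\w+)\((\d+)\)")
NT_STATUS = re.compile(r"NT_STATUS_\w+")
# Constructed sample: entries copied from the log quoted in this thread.
SAMPLE = r"""
> [2003/06/12 09:29:16, 10] nsswitch/winbindd.c:process_request(272)
>   process_request: request fn PAM_AUTH
> [2003/06/12 09:29:17, 0] rpc_parse/parse_prs.c:prs_mem_get(528)
>   prs_mem_get: reading data of size 2 would overrun buffer.
> [2003/06/12 09:29:17, 0] rpc_client/cli_pipe.c:rpc_pipe_bind(1484)
>   rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.
> [2003/06/12 09:29:17, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(167)
>   Plain-text authentication for user tschmidt+xxxxxxx returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
> [2003/06/12 09:29:17, 10] nsswitch/winbindd.c:process_request(272)
>   process_request: request fn AUTH_CRAP
> [2003/06/12 09:29:17, 0] rpc_client/cli_pipe.c:rpc_pipe_bind(1484)
>   rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.
> [2003/06/12 09:29:17, 3]
> nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(292) could not open handle
> to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL) [2003/06/12 09:29:17, 2]
> nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(342) NTLM CRAP
> authentication for user [TSCHMIDT]\[xxxxxxx] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
"""

def parse(text):
    # Drop mail quote markers and flatten, so wrapped entries rejoin.
    flat = " ".join(re.sub(r"^(>\s?)+", "", l).strip() for l in text.splitlines())
    hits = list(HEADER.finditer(flat))
    return [{"level": int(m[2]), "func": m[4],
             "msg": " ".join(flat[m.end():n.start() if n else None].split())}
            for m, n in zip(hits, hits[1:] + [None])]

def triage(entries):
    """Pair each auth result with the level-0 errors logged since its request began."""
    findings, errors, request = [], [], None
    for e in entries:
        if e["func"] == "process_request":
            request, errors = e["msg"].rsplit(" ", 1)[-1], []
        elif e["level"] == 0:
            errors.append(e["msg"])
        status = NT_STATUS.search(e["msg"])
        if status and "returned" in e["msg"]:
            findings.append({"request": request, "status": status[0], "errors": errors})
    return findings
```

On the sample, both the PAM_AUTH and AUTH_CRAP requests end in NT_STATUS_NO_LOGON_SERVERS, and each is preceded by the same level-0 `rpc_pipe_bind` unmarshalling failure.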


