[Samba] Upgrade from 3.0.7 to 3.0.8 breaks winbind

Jim Barber jim.barber at filmlessfuture.com
Wed Nov 24 08:29:36 GMT 2004


This is my first post to this list.
The domain names etc have been changed slightly in the examples below, but you 
should get the idea.

For a long time now (since 3.0.2a?), I have been using the samba 3.0.x series at 
one of our client sites.
The Linux server is joined to a Win2k3 Active Directory.
All users are created in the ADS, and the Linux server is able to authenticate 
them, etc.

I recently upgraded from 3.0.7 to 3.0.8.
At this point winbind was partially broken.

The following commands still worked fine after the upgrade:

	wbinfo -u
	wbinfo -g
	getent passwd
	getent group

However the following commands now failed:

	wbinfo -t
	wbinfo -a user%password

Also authentication is now failing for our POP daemon and SQUID proxy software.

The POP daemon is using the pam pam_winbind.so method of authenticating.
Messages from the syslog daemon related to the POP failures are as follows:

	popa3d[15772]: Authentication failed for UNKNOWN USER

Squid 2.5.7 uses winbind to authenticate our users to the proxy via ntlm.
When a user called 'dineshbh' tried to authenticate, the following was logged by 
syslog:

	squid[15114]: authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

The relevant config in squid.conf for this is like so:

	auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
	auth_param ntlm children 5
	auth_param ntlm max_challenge_reuses 0
	auth_param ntlm max_challenge_lifetime 2 minutes
	auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
	auth_param basic children 5
	auth_param basic realm Squid proxy-caching web server
	auth_param basic credentialsttl 2 hours

So I checked to see if kerberos was working still.
Running 'kinit administrator@SITE.COM.AU' prompted me for a password and worked 
properly.
So I decided to try and rejoin the ADS again with 'net ads join -U administrator'
It successfully joined saying the machine account already existed, and that it 
has updated it.

The wbinfo and getent commands behave as before.
Commands that fetch group and user info all work, but the authentication 
commands failed.

After downgrading back to 3.0.7 again, everything started to work correctly again.

Unfortunately I've lost the window that I was working in, so I don't have exact 
responses from the failure of the 'wbinfo -t' and 'wbinfo -a' commands, however 
I can show my config and error messages that appeared in logs.

When I ran the wbinfo -t command the following appeared in the log.winbindd file:

	[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
	  failed tcon_X with NT_STATUS_ACCESS_DENIED
	[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
	  failed tcon_X with NT_STATUS_ACCESS_DENIED
	[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
	  failed tcon_X with NT_STATUS_ACCESS_DENIED

There were no other error messages in logs, and samba, winbind, etc. seem to 
start just fine with no error messages.

The config is as follows:

The /etc/krb5.conf contains the following relevant entries:

	[libdefaults]
		default_realm = SITE.COM.AU

	[realms]
		SITE.COM.AU = {
			kdc = sitepdc
			admin_server = sitepdc
		}

	[domain_realm]
		site.com.au = SITE.COM.AU
		.site.com.au = SITE.COM.AU

The /etc/smb.conf contains the following relevant entries:

	[global]
		workgroup = site
		password server = sitepdc
		realm = site.com.au
		security = ads
		idmap uid = 10000-20000
		idmap gid = 10000-20000
		template homedir = /home/%u
		winbind cache time = 120
		winbind use default domain = yes

		# Disable weak LANMAN hash (only required for Win95/98 boxes).
		client lanman auth = no
		lanman auth = no

		# Only allow NTLMv2 authentication (disables NTLMv1) for the best security.
		client ntlmv2 auth = yes
		ntlm auth = no

		# Do not allow anonymous users to collect user and group lists.
		restrict anonymous = 2

I have an entry like so in the /etc/samba/lmhosts file:

	172.16.0.10	sitepdc.site.com.au	sitepdc

Any ideas why the trust used for authenticating users no longer works in 3.0.8?

-- 
Jim Barber
Digital Diagnostic Imaging (The Filmless Future)
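The log.winbindd entries quoted in the post come as two-line records: a header with the timestamp, debug level and source location, followed by an indented message. As an added example (not part of the post and not Samba's own code), the following Python script parses that record format and tallies the NT_STATUS codes per call site, so the failing call stands out when comparing logs before and after an upgrade. The function names `parse_winbindd_log` and `status_summary` are the example's own; the sample log is constructed from the excerpt above.

```python
import re
from collections import Counter

# Header line of a Samba 3.x debug record, e.g.
# [2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)\b")

def parse_winbindd_log(text):
    """Group log.winbindd lines into records: one header line plus the
    indented continuation line(s) that follow it. Returns a list of dicts."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["line"] = int(rec["line"])
            rec["message"] = ""
            records.append(rec)
        elif records and raw[:1] in (" ", "\t"):
            # Indented line: continuation of the most recent header.
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + raw.strip()).strip()
        # Any other line (no header, not indented) is ignored.
    return records

def status_summary(records):
    """Count NT_STATUS codes per 'file:function' call site."""
    counts = Counter()
    for rec in records:
        for code in STATUS_RE.findall(rec["message"]):
            counts[(f"{rec['file']}:{rec['func']}", code)] += 1
    return counts

# Constructed sample: the three records from the log excerpt in the post.
SAMPLE_LOG = """\
[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    for (site, code), n in status_summary(parse_winbindd_log(SAMPLE_LOG)).items():
        print(f"{n:3d}  {code:<28} at {site}")
```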
