[Samba] Upgrade from 3.0.7 to 3.0.8 breaks winbind
Jim Barber
jim.barber at filmlessfuture.com
Wed Nov 24 08:29:36 GMT 2004
This is my first post to this list.
The domain names etc have been changed slightly in the examples below, but you
should get the idea.
For a long time now (since 3.0.2a?), I have been using the samba 3.0.x series at
one of our client sites.
The Linux server is joined to a Win2k3 Active Directory.
All users are created in the ADS, and the Linux server is able to authenticate
them, etc.
I recently upgraded from 3.0.7 to 3.0.8.
At this point winbind was partially broken.
The following commands still worked fine after the upgrade:
wbinfo -u
wbinfo -g
getent passwd
getent group
However the following commands now failed:
wbinfo -t
wbinfo -a user%password
Also, authentication is now failing for our POP daemon and SQUID proxy software.
The POP daemon authenticates through PAM using the pam_winbind.so module.
Messages from the syslog daemon related to the POP failures are as follows:
popa3d[15772]: Authentication failed for UNKNOWN USER
Squid 2.5.7 uses winbind to authenticate our users to the proxy via NTLM.
When a user called 'dineshbh' tried to authenticate, the following was logged by
syslog:
squid[15114]: authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
The relevant config in squid.conf for this is like so:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
So I checked to see if kerberos was working still.
Running 'kinit administrator@SITE.COM.AU' prompted me for a password and worked
properly.
So I decided to try rejoining the ADS with 'net ads join -U administrator'.
It successfully joined, saying the machine account already existed and that it
had updated it.
The wbinfo and getent commands behave as before.
Commands that fetch group and user info all work, but the authentication
commands failed.
After downgrading back to 3.0.7, everything worked correctly again.
Unfortunately I've lost the window that I was working in, so I don't have exact
responses from the failure of the 'wbinfo -t' and 'wbinfo -a' commands, however
I can show my config and error messages that appeared in logs.
When I ran the wbinfo -t command the following appeared in the log.winbindd file:
[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
There were no other error messages in logs, and samba, winbind, etc seem to
start just fine with no error messages.
The config is as follows:
The /etc/krb5.conf contains the following relevant entries:
[libdefaults]
    default_realm = SITE.COM.AU
[realms]
    SITE.COM.AU = {
        kdc = sitepdc
        admin_server = sitepdc
    }
[domain_realm]
    site.com.au = SITE.COM.AU
    .site.com.au = SITE.COM.AU
The /etc/smb.conf contains the following relevant entries:
[global]
    workgroup = site
    password server = sitepdc
    realm = site.com.au
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /home/%u
    winbind cache time = 120
    winbind use default domain = yes
    # Disable weak LANMAN hash (only required for Win95/98 boxes).
    client lanman auth = no
    lanman auth = no
    # Only allow NTLMv2 authentication (disables NTLMv1) for the best security.
    client ntlmv2 auth = yes
    ntlm auth = no
    # Do not allow anonymous users to collect user and group lists.
    restrict anonymous = 2
I have an entry like so in the /etc/samba/lmhosts file:
172.16.0.10 sitepdc.site.com.au sitepdc
Any ideas why the trust used for authenticating users no longer works in 3.0.8?
--
Jim Barber
Digital Diagnostic Imaging (The Filmless Future)
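The script below is an added diagnostic example for the failure pattern in the post above; it is not code from the original message or from the Samba project. It runs the same probes in the order that separates directory enumeration through winbind (wbinfo -u, wbinfo -g, getent) from the trust and credential path (wbinfo -t, wbinfo -a), checks that getent actually returns uids inside the idmap range from the posted smb.conf (a bare "getent passwd" exits 0 even when winbind contributes nothing), and condenses the two-line log.winbindd records into one line per NT_STATUS_ error. The log path, the "run" argument, the sample log excerpt (the three tcon_X records from the post plus one invented filler record) and the verdict names are my assumptions, not anything from the post.

```shell
#!/bin/sh
# Added diagnostic helper; not from the original post or from Samba.
# Live probes run only when invoked as "<script> run [DOMAIN\user%password]";
# all helper functions also work offline on the constructed sample below.

LOG=${WINBINDD_LOG:-/var/log/samba/log.winbindd}   # assumed default location

# Constructed sample in the two-line log.winbindd format quoted in the post:
# the three tcon_X records from the post plus one invented non-error record.
SAMPLE_LOG='[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2004/11/24 18:40:01, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(123)
  [15772]: getpwnam dineshbh'

# probe NAME CMD...: run CMD silently, print "NAME ok" or "NAME fail",
# and return CMD's status so callers can count failures.
probe() {
    name=$1; shift
    if "$@" >/dev/null 2>&1; then echo "$name ok"; return 0; fi
    echo "$name fail"; return 1
}

# has_idmap_users LO HI: read passwd(5) lines on stdin; succeed if any uid
# lies in the winbind idmap range, i.e. AD users are really visible via NSS.
has_idmap_users() {
    awk -F: -v lo="$1" -v hi="$2" '$3 >= lo && $3 <= hi { found = 1 } END { exit !found }'
}

# Range 10000-20000 is the "idmap uid" setting from the smb.conf in the post.
getent_idmap() { getent passwd | has_idmap_users 10000 20000; }

# winbind_errors: read log.winbindd on stdin and join each record
#   [date time, level] file:function(line)
#     message
# into "date time file:function(line) | message" when the message carries
# an NT_STATUS_ code.
winbind_errors() {
    awk '
        /^\[/ { hdr = $0; next }
        {
            msg = $0; sub(/^[ \t]+/, "", msg)
            if (hdr == "" || msg !~ /NT_STATUS_/) next
            split(hdr, h, "]")
            ts = h[1]; sub(/^\[/, "", ts); sub(/, [0-9]+$/, "", ts)   # drop "[" and ", level"
            fn = h[2]; sub(/^ +/, "", fn)
            print ts " " fn " | " msg
        }'
}

# verdict ENUM_FAILS AUTH_FAILS: name the broken layer from the probe counts.
verdict() {
    if [ "$1" -gt 0 ]; then echo winbindd-or-dc-unreachable   # even enumeration fails
    elif [ "$2" -gt 0 ]; then echo auth-path-broken           # lookups fine, trust/auth denied
    else echo healthy; fi
}

# diagnose [DOMAIN\user%password]: run the probes against the live system.
diagnose() {
    enum_fail=0; auth_fail=0
    probe 'wbinfo -u' wbinfo -u || enum_fail=$((enum_fail + 1))
    probe 'wbinfo -g' wbinfo -g || enum_fail=$((enum_fail + 1))
    probe 'getent passwd shows uids in 10000-20000' getent_idmap || enum_fail=$((enum_fail + 1))
    probe 'wbinfo -t (machine trust secret)' wbinfo -t || auth_fail=$((auth_fail + 1))
    if [ -n "$1" ]; then
        probe 'wbinfo -a (user credentials)' wbinfo -a "$1" || auth_fail=$((auth_fail + 1))
    fi
    echo "verdict: $(verdict "$enum_fail" "$auth_fail")"
    if [ -r "$LOG" ]; then
        echo "last NT_STATUS errors in $LOG:"
        winbind_errors < "$LOG" | tail -n 5
    fi
}

if [ "${1:-}" = run ] && command -v wbinfo >/dev/null 2>&1; then
    diagnose "${2:-}"
else
    # Offline demonstration on the constructed sample: one line per NT_STATUS_ record.
    printf '%s\n' "$SAMPLE_LOG" | winbind_errors
fi
```

Run without arguments it only prints the condensed sample records; with "run" and an optional user%password it executes the live probes and prints a verdict. A result of auth-path-broken with enumeration ok is exactly the split the post describes, and the tail of condensed log.winbindd lines then points at the failing connection step (here cm_open_connection's tcon_X) rather than at a generic NSS problem.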