[Samba] Samba - PDC(Windows 2003) connection trouble
av.podrezov at stalcom.com
Thu Sep 1 13:39:59 GMT 2005
Hello.
We have a Squid proxy server with NTLM authentication and 20 trusted domains.
Everything works fine, but sometimes winbind stops authenticating users and Squid restarts.
OS: Linux 2.4.30
Samba: 3.0.14a
Kerberos: krb5-1.4
Squid: 2.5.Stable10
Commands run on 2005/08/31 at 17:02:30:
/usr/bin/wbinfo -a 'department\tmpuser'%'xxxxxx'
plaintext password authentication failed
Could not authenticate user department\tmpuser%xxxxxx with plaintext password
/usr/bin/ntlm_auth --username=tmpuser --domain=department --password=xxxxxx
could not obtain winbind separator!
After several minutes everything works fine again.
winbind log:
...
[2005/08/31 17:02:30, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
[2005/08/31 17:02:30, 3] nsswitch/winbindd_cm.c:connection_ok(724)
Connection to for domain DEPARTMENT (pipe \PIPE\NETLOGON) has died or was never started (fd == -1)
...
Windows 2003 log:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 31.08.2005
Time: 17:02:30
User: NT AUTHORITY\SYSTEM
Computer: PDC
Description:
Pre-authentication failed:
User Name: tmpuser$
User ID: DEPARTMENT\tmpuser$
Service Name: krbtgt/DEPARTMENT.COMPANY.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 1.2.3.4
smb.conf:
[global]
hosts allow = 1. 127.
interfaces = 1.2.3.4/24
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = no
guest account = nobody
log file = /var/log/samba.%m
log level = 4 passdb:5 auth:10 winbind:4
max log size = 102400
unix charset = UTF8
display charset = ASCII
syslog = 0
server string = proxy
netbios name = PROXY
security = ads
workgroup = DEPARTMENT
realm = DEPARTMENT.COMPANY.COM
password server = PDC BDC
allow trusted domains = yes
client use spnego = yes
local master = no
domain master = no
preferred master = no
domain logons = no
wins support = no
wins server = 1.2.3.5
dns proxy = no
disable netbios = no
auth methods = winbind
winbind use default domain = no
winbind uid = 10000-100000
winbind gid = 10000-100000
winbind enum users = yes
winbind enum groups = yes
krb5.conf:
[libdefaults]
default_realm = DEPARTMENT.COMPANY.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DEPARTMENT.COMPANY.COM = {
tcp/kdc = pdc.department.company.com
admin_server = pdc.department.company.com
}
[domain_realms]
.department.company.com = DEPARTMENT.COMPANY.COM