[Samba] Intermittent Windows user authentication problem

Angela Cheng acheng at bycast.com
Thu Jan 11 05:47:52 GMT 2007 

Hi, 

Samba 3.0.8 installed on Debian Linux server and setup to authenticate
with Windows 2000 ADS. 
The samba config as follows.  
[global]
        workgroup = TEST_NT_DOMAIN
        realm = TEST-NT.ORG
        server string = TEST SAMBA
        security = ADS
        obey pam restrictions = Yes
        password server = 10.10.20.253 10.10.20.227
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
        username map = /etc/samba/includes/usermap
        log level = 3
        syslog = 0
        log file = /var/local/log/samba/log.%m
        max log size = 204800
        name resolve order = wins bcast
        load printers = No
        show add printer wizard = No
        stat cache = No
        dns proxy = No
        wins server = 10.10.20.253, 10.10.20.120
        panic action = /usr/share/samba/panic-action %d
        invalid users = root
        create mask = 0700
        directory mask = 0700
        include = /etc/samba/includes/share-test.inc

2 userids are setup to have write access to the share.  These 2 userids
constantly accessing the share via an application.  Most of the time,
these 2 userids can access the share without any problem.  However, from
time to time, either userid will be denied access to the share.  From
samba log, the error is 'Wrong Password'.  However, the password is set
within an application and have been the same password and the userid can
successfully authenticated with the Domain Controller 99% of time.  And
all the instances (either successful or failed authentication) shows
that Samba is authenticating with the same Domain Controller (Connected
to LDAP server 10.10.20.253).  

I turn up the samba log level and found:
 
  domain_client_validate: unable to validate password for user user1 in
domain TEST_NT_DOMAIN to Domain controller \\14DOMSUP. Error was
NT_STATUS_WRONG_PASSWORD.
error packet at smbd/sesssetup.c(501) cmd=115 (SMBsesssetupX)
NT_STATUS_INVALID_PARAMETER

What does NT_STATUS_INVALID_PARAMETER mean, could it be the cause of
'NT_STATUS_WRONG_PASSWORD'?

Appreciate any help.  

Here is the complete log for the authentication failure:

[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2007/01/10 16:47:56, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[user1] domain=[TEST_NT_DOMAIN] workstation=[WKSTN1] len1=24
len2=24
[2007/01/10 16:47:56, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[TEST_NT_DOMAIN]\[user1]@[WKSTN1] with the new password interface
[2007/01/10 16:47:56, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is:
[TEST_NT_DOMAIN]\[user1]@[WKSTN1]
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/01/10 16:47:56, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 10.10.20.253
[2007/01/10 16:47:56, 3] libads/ldap.c:ads_server_info(2431)
  got ldap server name 14domsup at TEST-NT.ORG, using bind path:
dc=TEST-NT,dc=ORG
[2007/01/10 16:47:56, 3] libsmb/cliconnect.c:cli_start_connection(1382)
  Connecting to host=14DOMSUP
[2007/01/10 16:47:56, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.10.20.253 at port 445
[2007/01/10 16:47:56, 0] auth/auth_domain.c:domain_client_validate(199)
  domain_client_validate: unable to validate password for user user1 in
domain TEST_NT_DOMAIN to Domain controller \\14DOMSUP. Error was
NT_STATUS_WRONG_PASSWORD.
[2007/01/10 16:47:56, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [user1] -> [user1]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2007/01/10 16:47:56, 3] smbd/process.c:process_smb(1092)
  Transaction 1048892 of length 350
[2007/01/10 16:47:56, 3] smbd/process.c:switch_message(887)
  switch message SMBsesssetupX (pid 7060) conn 0x0
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2007/01/10 16:47:56, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(501) cmd=115 (SMBsesssetupX)
NT_STATUS_INVALID_PARAMETER
[2007/01/10 16:47:56, 3] smbd/process.c:process_smb(1092)
  Transaction 1048893 of length 230
[2007/01/10 16:47:56, 3] smbd/process.c:switch_message(887)
  switch message SMBsesssetupX (pid 7060) conn 0x0
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 61
[2007/01/10 16:47:56, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xe208b297
[2007/01/10 16:47:56, 3] smbd/process.c:process_smb(1092)
  Transaction 1048894 of length 230
[2007/01/10 16:47:56, 3] smbd/process.c:switch_message(887)
  switch message SMBsesssetupX (pid 7060) conn 0x0
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 61
[2007/01/10 16:47:56, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xe208b297
[2007/01/10 16:47:56, 3] smbd/process.c:process_smb(1092)
  Transaction 1048895 of length 350
[2007/01/10 16:47:56, 3] smbd/process.c:switch_message(887)
  switch message SMBsesssetupX (pid 7060) conn 0x0
[2007/01/10 16:47:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/10 16:47:56, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2007/01/10 16:47:56, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]



Angela Cheng
Senior Solutions Architect
Bycast Inc.
(office) 604-692-2067
(cell) 778-238-2716

More information about the samba mailing list