[Samba] Subsequent Authentication Failures

Markus Iturriaga Woelfel miturria at cs.utk.edu
Wed Jun 27 18:54:45 GMT 2007 

Hi all - I couldn't find an answer to this problem, so maybe someone  
out there can help me. I'd definitely appreciate it.

I've been running a domain using a Samba PDC for quite a while now  
and this appears to be a new problem. The PDC uses LDAP as the  
backend and that has worked fine; the version is 3.0.25a. I have a  
number of Samba servers that are members of this domain, also running  
3.0.25a. The domain name is CSSMB. Here is the problem which has just  
recently appeared. I'm guessing something has changed:

Say, I have a server set up like this:

[global]
     ; Tuning Parameters
     socket options = TCP_NODELAY IPTOS_LOWDELAY
     read raw = yes
     write raw = yes
     oplocks = yes
     max xmit = 65535

     workgroup = CSSMB
     os level = 33
     log level = 2
     security = domain
     password server = *

[images]
     comment = Images
     path = /export/unused5/images
     browseable = yes
     read only = no
     valid users = "CSSMB\miturria"

After I start the samba server I can authenticate just fine.

# smbclient -W CSSMB -U miturria \\\\anhur\\images
Password:
Domain=[CSSMB] OS=[Unix] Server=[Samba 3.0.25a]

However if I log out, any subsequent authentications just fail. The  
log on "anhur" shows:

[2007/06/27 14:50:41, 2] auth/auth.c:check_ntlm_password(319)
   check_ntlm_password:  Authentication for user [miturria] ->  
[miturria] FAILED with error NT_STATUS_NO_SUCH_USER

However, on the domain controller "thoth"

[2007/06/27 14:50:41, 2] auth/auth.c:check_ntlm_password(309)
   check_ntlm_password:  authentication for user [miturria] ->  
[miturria] -> [miturria] succeeded

Any ideas what's going on? I've removed anhur from the domain and  
removed it's machine account and re-added it. That didn't seem to  
help. If I restart Samba on anhur, it authenticates fine once and  
then no more. This happens whether I specify "valid users = miturria"  
or "valid users = CSSMB\miturria".

User "miturria" (me) works fine in Linux itself using pam_ldap on  
both client and domain controller.

Any hints would be appreciated.

Markus

---
Markus A. Iturriaga Woelfel, SysAdmin
Department of Computer Science
University of Tennessee, Knoxville
miturria at cs.utk.edu / (865) 974-3837

More information about the samba mailing list