[Samba] Domain Authentication Issue - Bug Found

Dalton Calford dcalford at distributel.ca
Wed Mar 19 17:07:40 GMT 2008


Our company has many linux boxes, joined to our corporate domain
controllers.
Our users authenticate, via command line or via kdm against the windows
domain controller.

A few months ago, we discovered that new linux machines could not join
the domain, but existing boxes had no problems.

We performed an extensive study of the domain controller configuration
as well as the configuration of the linux boxes.

The problem seemed to be on one particular lan segment or another, but
we could not track down the problem.

In our Montreal Office, we had a machine that would join the domain, but
would not authenticate users.  An identical machine was working
perfectly in our Ottawa office, authenticating off of a domain
controller that was part of the same domain as the one in Montreal.

Coincidentally, one of our techs in Montreal complained about a couple
of windows XP boxes having some problem with the domain controller.
He discovered one of the windows 2003 boxes (not a domain controller)
had a time that was over 12 minutes different from the time server.
He fixed the faulty time by telling it to get its time from the
corporate time server.

Now, two minutes before he made this change, the Montreal linux box
would not authenticate.   Two minutes after he made his change, the
linux box started authenticating.

We did not know he was going to make the change, and in the intervening
time we had made no changes to our domain controllers, nor to the linux
box.

To confirm the faulty clock on the 2003 box was at fault, we set its
clock back to the wrong time, and our problem with authentication
reappeared.

We then separated the linux boxes that would not join/authenticate off
of our domain controllers, and put them onto a separate lan segment.
They could now join the domain and authenticate users from the domain.

We are now tracking down any faulty windows boxes on our main lan
segment to find what machine(s) are causing the faults.

Now to clarify, the machine that has been shown to interfere with the
samba machines joining or authenticating had absolutely no direct
contact to the linux boxes.  It was able to authenticate from the domain
controller, but it was never used to connect to or from the linux boxes.
The only issue was that it was on the same lan segment as the linux box
to play havoc with the ability of samba to talk to the domain
controller.

This does not seem logical, it does not seem real, but the results have
proven themselves to be true.

So, I am willing to work with the developers of Samba to track down this
bug to discover what the exact problem is.

I am willing to even pay an active, samba dev member to work with us on
this issue to ensure the problem goes away.

I am at a loss as to how to enter this problem into bugzilla as the
problem seems to stem from outside machines causing problems on the
network and not with the configuration of the domain controller or the
samba box.

If anyone has any suggestions as to how I can ensure the dev team gets
the information they need, please contact me.

I am sure I am not the only end user who has been bitten by this sort of
strange bug.

best regards

Dalton   


