[Samba] Winbind authentication issue on 3.2.13/14 and 3.4.0 (was: Crazied NTLM_AUTH on samba 3.4.0)

Alex Crow acrow at integrafin.co.uk
Wed Aug 19 02:32:57 MDT 2009


On Tue, 2009-08-18 at 14:44 +0100, Alex Crow wrote:
> > . For example: 1 time
> > return 0xc00000c3 ( NT_STATUS_INVALID_NETWORK_RESPONSE) or 0x1c010002 (???)
> > and many others. I realized one thing: when the response is "Broken Pipe"
> > the ntlm responds "OK" on first after try and back to the errors after this
> > warning...
> > 
> 
> I am seeing similar problems with 3.2.13 on my Squid server.
> 
> If it happens again I will try to get a log.
> 
> Alex Crow

I have upgraded to 3.2.14 and the problem persists.

I am in a Samba Domain (pdc and bdc also running 3.2.14) and I have a
bidirectional trust set up to a remote Samba 3.2.14 domain.

A winbindd log at debug level 10 is available here:

http://www.nanogherkin.com/winbindd_autherrorlog.bz2

There were two instances of the issue, one shortly before 08:30 and the
other shortly before 09:24.

wbinfo authentication will also fail:

wbinfo -a ajc%xxxxxxxx
plaintext password authentication failed
Could not authenticate user ajc with plaintext password
challenge/response password authentication failed
error code was NT code 0x1c010002 (0x1c010002)
error messsage was: NT code 0x1c010002
Could not authenticate user ajc with challenge/response


I can also tell you that it can be immediately (if temporarily) restored
to operation by running "wbinfo -t". I am trying to keep my users happy
by running this every few seconds but obviously this isn't ideal!

smb.conf on the Squid server follows:

[global]
workgroup = IFA_NET
security = DOMAIN
netbios name = WEBPROXY
interfaces = eth2, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldaps://bdc.ifa.net
username map = /etc/samba/smbusers
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 1048576
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = no
#printcap name = CUPS
show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=ifa,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=ifa,dc=net
ldap ssl = no
ldap timeout = 20
#idmap backend = ldap:ldap://192.168.20.137
idmap uid = 10000-20000
idmap gid = 10000-20000
#winbind nested groups = yes
winbind trusted domains only = no
winbind use default domain = yes
#winbind enum users = yes
#winbind enum groups = yes
allow trusted domains = yes
#winbind separator = +
map acl inherit = Yes
ea support = Yes
#printing = cups
#printer admin = root
wins server = 192.168.20.137
nt acl support = yes

-- 
This message is intended only for the addressee and may contain 
confidential information.  Unless you are that person, you may not 
disclose its contents or use it in any way and are requested to delete 
the message along with any attachments and notify us immediately. 

"Transact" is operated by Integrated Financial Arrangements plc 
Domain House, 5-7 Singer Street, London  EC2A 4BQ 
Tel: (020) 7608 4900 Fax: (020) 7608 1200
(Registered office: as above; Registered in England and Wales under
number: 3727592) 
Authorised and regulated by the Financial Services Authority (entered on
the FSA Register; number: 190856)
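
The "wbinfo -t every few seconds" workaround from the message above, written as a loop that also timestamps each change in the check's result so the times can be lined up with the winbindd debug log. This is an added example, not part of the original post; the WB_* variable names, the log path and the 5-second interval are assumptions, and the post does not say what "wbinfo -t" itself returns while the fault is active.

```shell
#!/bin/sh
# Added example: run the trust check periodically and log state changes.
# WB_CHECK, WB_LOG and WB_INTERVAL are names invented for this sketch.
WB_CHECK="${WB_CHECK:-wbinfo -t}"          # check command taken from the post
WB_LOG="${WB_LOG:-/tmp/wbinfo-trust.log}"  # assumed log location
WB_INTERVAL="${WB_INTERVAL:-5}"            # assumed: "every few seconds"

# Run the check once. Sets PROBE_STATE to ok/fail and PROBE_OUT to the
# tool's combined stdout/stderr. Call it directly, not inside $(...).
probe() {
    if PROBE_OUT=$($WB_CHECK 2>&1); then
        PROBE_STATE=ok
    else
        PROBE_STATE=fail
    fi
}

# Append one timestamped line when the state changed.
# $1 = previous state, $2 = new state, $3 = tool output.
# Returns 0 if a line was written, 1 if the state was unchanged.
log_transition() {
    [ "$1" = "$2" ] && return 1
    printf '%s %s -> %s: %s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "$2" \
        "$(printf '%s' "$3" | tr '\n' ' ')" >> "$WB_LOG"
    return 0
}

# Poll forever; only transitions reach the log, so it stays small.
monitor() {
    prev=unknown
    while :; do
        probe
        log_transition "$prev" "$PROBE_STATE" "$PROBE_OUT" || true
        prev=$PROBE_STATE
        sleep "$WB_INTERVAL"
    done
}

# Start the loop only when invoked as: sh wbwatch.sh run
if [ "${1:-}" = "run" ]; then
    monitor
fi
```

Setting WB_CHECK to a different command swaps the probe without touching the loop.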