[Samba] Samba 3.0.33, security = domain and Windows 2008 R2

Ray Van Dolson rvandolson at esri.com
Wed Nov 3 14:37:29 MDT 2010


I have a number of Samba servers on RHEL (Samba 3.0.33) in an AD
environment using a mix of Windows 2008 and Windows 2008 R2 servers.
Configuration file is pretty minimal:

  [global]
    workgroup = AVWORLD
    security = DOMAIN
    log file = /var/log/samba/samba.log
    max log size = 500
    wins server = 10.50.4.31
    dns proxy = no
    #log level = 10
    log level = 3 passdb:5 auth:10 winbind:2
    password server = *
    #username map = /etc/samba/username.map
    socket options = TCP_NODELAY

This works fine as long as the Samba server in question is talking to
one of the Windows 2008 servers.

Via some sort of SMB magic, from time to time, the domain controller
the Samba server communicates with changes to one of the Windows 2008
R2 servers.  At that point, problems begin:

  [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info_map(161)
    make_user_info_map: Mapping user [AVWORLD]\[ray5147] from workstation [RAYXP]
  [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(75)
    attempting to make a user_info for ray5147 (ray5147)
  [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(85)
    making strings for ray5147's user_info struct
  [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(117)
    making blobs for ray5147's user_info struct
  [2010/11/03 10:25:44, 10] auth/auth_util.c:make_user_info(135)
    made an encrypted user_info for ray5147 (ray5147)
  [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(221)
    check_ntlm_password:  Checking password for unmapped user [AVWORLD]\[ray5147]@[RAYXP] with the new password interface
  [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(224)
    check_ntlm_password:  mapped user is: [AVWORLD]\[ray5147]@[RAYXP]
  [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(233)
    check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
  [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(235)
    challenge is:
  [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
    check_ntlm_password: guest had nothing to say
  [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
    check_samstrict_security: AVWORLD is not one of my local names (ROLE_DOMAIN_MEMBER)
  [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
    check_ntlm_password: sam had nothing to say
  [2010/11/03 10:25:44, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
    cli_pipe_verify_schannel: auth_len 56.
  [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
    domain_client_validate: unable to validate password for user ray5147 in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
  [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
    check_ntlm_password: winbind authentication for user [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
  [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
    check_ntlm_password:  Authentication for user [ray5147] -> [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
  [2010/11/03 10:25:44, 5] auth/auth_util.c:free_user_info(2108)
    attempting to free (and zero) a user_info structure
  [2010/11/03 10:25:44, 10] auth/auth_util.c:free_user_info(2112)
    structure was created for ray5147

(REDDC1 is one of the 2K8 R2 servers and ray5147 is my username).  If I
can convince the system to talk to one of the non-R2 servers again,
everything is fine.

Looking at the log, the "errors" that jump out are:

  [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
    check_samstrict_security: AVWORLD is not one of my local names (ROLE_DOMAIN_MEMBER)
  [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
    domain_client_validate: unable to validate password for user ray5147 in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
  [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
    check_ntlm_password: winbind authentication for user [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
  [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
    check_ntlm_password:  Authentication for user [ray5147] -> [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER

I'm not clear if the first error is a complaint from my Samba client or
if it's a message returned from the domain controller... the last error
message doesn't mean anything to me.

Anyone have any thoughts?  We've followed the instructions from this KB
article[1] to configure the R2 servers in the same way the non-R2
servers are configured.

I haven't yet reproduced the problem on a Samba 3.3 install so I'm
wondering if the 3.0.x branch just has issues with Windows 2008 R2,
or if there's a patch out there that could be backported to help.
Maybe doing security = ads would work better for us....

This problem also has cropped up on our Solaris 10 hosts.  Sun provides
a Samba package based on 3.0.x as well.

Thanks in advance,
Ray

[1] http://support.microsoft.com/kb/942564
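Added example, not part of the post: a small Python parser for the two-line Samba 3.x debug-log records shown above that tallies domain_client_validate failures per domain controller and NT status, so an operator can see at a glance which DC (here the R2 one) is rejecting pass-through logons. The sample log lines are constructed, modelled on the ones in the post.

```python
import re
from collections import Counter

# Samba 3.x debug header, e.g.
# "[2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
# Message domain_client_validate() logs when the DC rejects the pass-through auth
VALIDATE_RE = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain (?P<domain>\S+) "
    r"to Domain controller (?P<dc>\S+)\. Error was (?P<status>NT_STATUS_\w+)"
)

def parse_records(text):
    """Yield (header_fields, message) pairs: each header line is merged
    with the indented message line that follows it."""
    header = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            header = m.groupdict()
            continue
        if header is not None and raw.strip():
            yield header, raw.strip()
            header = None

def dc_failures(text):
    """Count pass-through auth failures keyed by (domain controller, NT status)."""
    counts = Counter()
    for hdr, msg in parse_records(text):
        if hdr["func"] != "domain_client_validate":
            continue
        v = VALIDATE_RE.search(msg)
        if v:
            counts[(v["dc"], v["status"])] += 1
    return counts

# Constructed sample log (modelled on the post's output, not copied from it).
SAMPLE_LOG = """\
[2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user ray5147 in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
[2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
[2010/11/03 10:26:01, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user bob in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
[2010/11/03 10:27:10, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user eve in domain AVWORLD to Domain controller BLUEDC2. Error was NT_STATUS_WRONG_PASSWORD.
"""

if __name__ == "__main__":
    for (dc, status), n in sorted(dc_failures(SAMPLE_LOG).items()):
        print(f"{dc:10} {status:32} {n}")
```

A DC that only ever produces NT_STATUS_INVALID_PARAMETER (rather than NT_STATUS_WRONG_PASSWORD for bad credentials) is the one to compare against the others' configuration.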