[Samba] Samba 3.0.33, security = domain and Windows 2008 R2

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Nov 4 05:15:51 MDT 2010


Looking through the release notes for Samba 3.0.28a - 3.0.37, there does not
seem to be any mention of 2008 R2. The following link may explain why it
doesn't work and a possible fix.

http://www.openg.info/entry/win-2008-r2-samba


But Samba 3.0.x is end-of-lifed, so I think you're best off moving to Samba
3.4.x.





-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Ray Van Dolson
Sent: Wednesday, November 03, 2010 4:37 PM
To: samba at lists.samba.org
Subject: [Samba] Samba 3.0.33, security = domain and Windows 2008 R2

I have a number of Samba servers on RHEL (Samba 3.0.33) in an AD
environment using a mix of Windows 2008 and Windows 2008 R2 servers.
Configuration file is pretty minimal:

  [global]
    workgroup = AVWORLD
    security = DOMAIN
    log file = /var/log/samba/samba.log
    max log size = 500
    wins server = 10.50.4.31
    dns proxy = no
    #log level = 10
    log level = 3 passdb:5 auth:10 winbind:2
    password server = *
    #username map = /etc/samba/username.map
    socket options = TCP_NODELAY

This works fine as long as the Samba server in question is talking to
one of the Windows 2008 servers.

Via some sort of SMB magic, from time to time, the domain controller
the Samba server communicates with changes to one of the Windows 2008
R2 servers.  At that point, problems begin:

  [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info_map(161)
    make_user_info_map: Mapping user [AVWORLD]\[ray5147] from workstation
[RAYXP]
  [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(75)
    attempting to make a user_info for ray5147 (ray5147)
  [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(85)
    making strings for ray5147's user_info struct
  [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(117)
    making blobs for ray5147's user_info struct
  [2010/11/03 10:25:44, 10] auth/auth_util.c:make_user_info(135)
    made an encrypted user_info for ray5147 (ray5147)
  [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(221)
    check_ntlm_password:  Checking password for unmapped user
[AVWORLD]\[ray5147]@[RAYXP] with the new password interface
  [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(224)
    check_ntlm_password:  mapped user is: [AVWORLD]\[ray5147]@[RAYXP]
  [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(233)
    check_ntlm_password: auth_context challenge created by NTLMSSP callback
(NTLM2)
  [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(235)
    challenge is:
  [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
    check_ntlm_password: guest had nothing to say
  [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
    check_samstrict_security: AVWORLD is not one of my local names
(ROLE_DOMAIN_MEMBER)
  [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
    check_ntlm_password: sam had nothing to say
  [2010/11/03 10:25:44, 0]
rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
    cli_pipe_verify_schannel: auth_len 56.
  [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
    domain_client_validate: unable to validate password for user ray5147 in
domain AVWORLD to Domain controller REDDC1. Error was
NT_STATUS_INVALID_PARAMETER.
  [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
    check_ntlm_password: winbind authentication for user [ray5147] FAILED
with error NT_STATUS_INVALID_PARAMETER
  [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
    check_ntlm_password:  Authentication for user [ray5147] -> [ray5147]
FAILED with error NT_STATUS_INVALID_PARAMETER
  [2010/11/03 10:25:44, 5] auth/auth_util.c:free_user_info(2108)
    attempting to free (and zero) a user_info structure
  [2010/11/03 10:25:44, 10] auth/auth_util.c:free_user_info(2112)
    structure was created for ray5147

(REDDC1 is one of the 2K8 R2 servers and ray5147 is my username).  If I
can convince the system to talk to one of the non-R2 servers again,
everything is fine.

Looking at the log, the "errors" that jump out are:

  [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
    check_samstrict_security: AVWORLD is not one of my local names
(ROLE_DOMAIN_MEMBER)
  [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
    domain_client_validate: unable to validate password for user ray5147 in
domain AVWORLD to Domain controller REDDC1. Error was
NT_STATUS_INVALID_PARAMETER.
  [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
    check_ntlm_password: winbind authentication for user [ray5147] FAILED
with error NT_STATUS_INVALID_PARAMETER
  [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
    check_ntlm_password:  Authentication for user [ray5147] -> [ray5147]
FAILED with error NT_STATUS_INVALID_PARAMETER

I'm not clear if the first error is a complaint from my Samba client or
if it's a message returned from the domain controller... the last error
message doesn't mean anything to me.

Anyone have any thoughts?  We've followed the instructions from this KB
article[1] to configure the R2 servers in the same way the non-R2
servers are configured.

I haven't yet reproduced the problem on a Samba 3.3 install so I'm
wondering if the 3.0.x branch just has issues with Windows 2008 R2,
or if there's a patch out there that could be backported to help.
Maybe doing security = ads would work better for us....

This problem also has cropped up on our Solaris 10 hosts.  Sun provides
a Samba package based on 3.0.x as well.

Thanks in advance,
Ray

[1] http://support.microsoft.com/kb/942564
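
Added example, not part of either poster's message and not Samba code: a Python sketch that regroups the mail-wrapped log lines quoted above into records and counts `domain_client_validate` failures per domain controller, so it is visible which DC (here REDDC1) is rejecting logons. The function names are hypothetical; the sample is an excerpt of the log in the post with its line wraps kept.

```python
import re
from collections import Counter

# Header: "[2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:\w+\(\d+\)$")
FAILURE = re.compile(
    r"unable to validate password for user (\S+) in domain (\S+) "
    r"to Domain controller (\S+?)\. Error was (NT_STATUS_\w+)")

# Excerpt of the log quoted in the post, mail wrapping left as posted.
SAMPLE = """\
  [2010/11/03 10:25:44, 0]
rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
    cli_pipe_verify_schannel: auth_len 56.
  [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
    domain_client_validate: unable to validate password for user ray5147 in
domain AVWORLD to Domain controller REDDC1. Error was
NT_STATUS_INVALID_PARAMETER.
  [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
    check_ntlm_password:  Authentication for user [ray5147] -> [ray5147]
FAILED with error NT_STATUS_INVALID_PARAMETER
"""

def parse_records(text):
    """Attach each message (possibly wrapped over several lines) to its header."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "location": m.group(3), "message": ""})
        elif records and line:
            rec = records[-1]
            if not rec["location"] and LOCATION.match(line):
                rec["location"] = line  # source location wrapped onto its own line
            else:
                rec["message"] = (rec["message"] + " " + line).strip()
    return records

def failures_by_dc(records):
    """Count failed domain validations keyed by (domain controller, NT status)."""
    counts = Counter()
    for rec in records:
        m = FAILURE.search(rec["message"])
        if m and "domain_client_validate" in rec["location"]:
            counts[(m.group(3), m.group(4))] += 1
    return counts
```

Run over a full `samba.log`, the per-DC counts separate the controllers that validate logons from those that return an error.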