[Samba] Samba 3.0.33, security = domain and Windows 2008 R2

Robert Freeman-Day presgas at gmail.com
Thu Nov 4 07:06:03 MDT 2010


Ray,

There was indeed an issue with the old RHEL samba packages and 2008r2.

There was a bug report issued about it and RHEL released a newer samba
package that can talk 2008r2:
https://bugzilla.redhat.com/show_bug.cgi?id=561325

I wrote a wiki on migrating to the samba3x package that has worked well
for our group:
https://uisapp2.iu.edu/confluence-prd/x/FgQCBw

Updating to the new package will work across all the Domain Controllers.

Hope that helps,
Robert

On 11/04/2010 07:15 AM, Gaiseric Vandal wrote:
> Looking through the release notes for samba 3.0.28a - 3.0.37 there does not
> seem to be any mention of 2008 R2. The following link may explain why it
> doesn't work and a possible fix.
> 
> http://www.openg.info/entry/win-2008-r2-samba
> 
> 
> But Samba 3.0.x is end-of-lifed, so I think you're best off moving to Samba
> 3.4.x.
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Ray Van Dolson
> Sent: Wednesday, November 03, 2010 4:37 PM
> To: samba at lists.samba.org
> Subject: [Samba] Samba 3.0.33, security = domain and Windows 2008 R2
> 
> I have a number of Samba servers on RHEL (Samba 3.0.33) in an AD
> environment using a mix of Windows 2008 and Windows 2008 R2 servers.
> Configuration file is pretty minimal:
> 
>   [global]
>     workgroup = AVWORLD
>     security = DOMAIN
>     log file = /var/log/samba/samba.log
>     max log size = 500
>     wins server = 10.50.4.31
>     dns proxy = no
>     #log level = 10
>     log level = 3 passdb:5 auth:10 winbind:2
>     password server = *
>     #username map = /etc/samba/username.map
>     socket options = TCP_NODELAY
> 
> This works fine as long as the Samba server in question is talking to
> one of the Windows 2008 servers.
> 
> Via some sort of SMB magic, from time to time, the domain controller
> the Samba server communicates with changes to one of the Windows 2008
> R2 servers.  At that point, problems begin:
> 
>   [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info_map(161)
>     make_user_info_map: Mapping user [AVWORLD]\[ray5147] from workstation [RAYXP]
>   [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(75)
>     attempting to make a user_info for ray5147 (ray5147)
>   [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(85)
>     making strings for ray5147's user_info struct
>   [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(117)
>     making blobs for ray5147's user_info struct
>   [2010/11/03 10:25:44, 10] auth/auth_util.c:make_user_info(135)
>     made an encrypted user_info for ray5147 (ray5147)
>   [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(221)
>     check_ntlm_password:  Checking password for unmapped user [AVWORLD]\[ray5147]@[RAYXP] with the new password interface
>   [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(224)
>     check_ntlm_password:  mapped user is: [AVWORLD]\[ray5147]@[RAYXP]
>   [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(233)
>     check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
>   [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(235)
>     challenge is:
>   [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
>     check_ntlm_password: guest had nothing to say
>   [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
>     check_samstrict_security: AVWORLD is not one of my local names (ROLE_DOMAIN_MEMBER)
>   [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
>     check_ntlm_password: sam had nothing to say
>   [2010/11/03 10:25:44, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
>     cli_pipe_verify_schannel: auth_len 56.
>   [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
>     domain_client_validate: unable to validate password for user ray5147 in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
>   [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
>     check_ntlm_password: winbind authentication for user [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
>   [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
>     check_ntlm_password:  Authentication for user [ray5147] -> [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
>   [2010/11/03 10:25:44, 5] auth/auth_util.c:free_user_info(2108)
>     attempting to free (and zero) a user_info structure
>   [2010/11/03 10:25:44, 10] auth/auth_util.c:free_user_info(2112)
>     structure was created for ray5147
> 
> (REDDC1 is one of the 2K8 R2 servers and ray5147 is my username).  If I
> can convince the system to talk to one of the non-R2 servers again,
> everything is fine.
> 
> Looking at the log, the "errors" that jump out are:
> 
>   [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
>     check_samstrict_security: AVWORLD is not one of my local names (ROLE_DOMAIN_MEMBER)
>   [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
>     domain_client_validate: unable to validate password for user ray5147 in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
>   [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
>     check_ntlm_password: winbind authentication for user [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
>   [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
>     check_ntlm_password:  Authentication for user [ray5147] -> [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
> 
> I'm not clear if the first error is a complaint from my Samba client or
> if it's a message returned from the domain controller... the last error
> message doesn't mean anything to me.
> 
> Anyone have any thoughts?  We've followed the instructions from this KB
> article[1] to configure the R2 servers in the same way the non-R2
> servers are configured.
> 
> I haven't yet reproduced the problem on a Samba 3.3 install so I'm
> wondering if the 3.0.x branch just has issues with Windows 2008 R2,
> or if there's a patch out there that could be backported to help.
> Maybe doing security = ads would work better for us....
> 
> This problem also has cropped up on our Solaris 10 hosts.  Sun provides
> a Samba package based on 3.0.x as well.
> 
> Thanks in advance,
> Ray
> 
> [1] http://support.microsoft.com/kb/942564


-- 
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
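
A triage script for the failure pattern in the quoted log, added here as an example and not part of the original thread: it groups Samba log entries and counts domain_client_validate failures per domain controller and NT status, so a DC-specific error such as the NT_STATUS_INVALID_PARAMETER seen against REDDC1 stands apart from ordinary password failures. The function names are the example's own, and EXAMPLEDC2, exampleuser and the NT_STATUS_WRONG_PASSWORD entry are constructed sample data.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)$")
FAILURE = re.compile(r"unable to validate password for user (\S+) in domain (\S+) "
                     r"to Domain controller (\S+?)\. Error was (NT_STATUS_\w+)")

# Constructed sample: the REDDC1 entries follow the log quoted in the message;
# EXAMPLEDC2, exampleuser and the second timestamp are made up.
SAMPLE_LOG = """\
[2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: sam had nothing to say
[2010/11/03 10:25:44, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
  cli_pipe_verify_schannel: auth_len 56.
[2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user ray5147 in
domain AVWORLD to Domain controller REDDC1. Error was
NT_STATUS_INVALID_PARAMETER.
[2010/11/03 10:31:02, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user exampleuser in domain AVWORLD to Domain controller EXAMPLEDC2. Error was NT_STATUS_WRONG_PASSWORD.
"""

def parse_entries(text):
    """Attach message lines (indented or mail-wrapped) to the header before them."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m[1], "level": int(m[2]), "func": m[4], "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def failures_by_dc(text):
    """Map (dc, status) -> count, users, and how many followed a level-0 schannel entry."""
    out = defaultdict(lambda: {"count": 0, "users": set(), "after_schannel": 0})
    prev = None
    for e in parse_entries(text):
        m = FAILURE.search(e["msg"]) if e["func"] == "domain_client_validate" else None
        if m:
            user, _domain, dc, status = m.groups()
            rec = out[(dc, status)]
            rec["count"] += 1
            rec["users"].add(user)
            if prev and prev["level"] == 0 and prev["func"] == "cli_pipe_verify_schannel":
                rec["after_schannel"] += 1
        prev = e
    return dict(out)

if __name__ == "__main__":
    for (dc, status), rec in sorted(failures_by_dc(SAMPLE_LOG).items()):
        print(dc, status, rec["count"], sorted(rec["users"]), rec["after_schannel"])
```

Run against a real log by passing the file contents to failures_by_dc in place of SAMPLE_LOG.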

