[Samba] ntlm_auth = NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)

Rowley, Mathew Mathew_Rowley at cable.comcast.com
Thu Nov 11 14:28:17 MST 2010


security = ads

I am really just trying to get ntlm_auth to work in order to proxy AD
requests with FreeRadius...
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO




On 11/11/10 2:26 PM, "Aaron E." <ssureshot at gmail.com> wrote:

>security = domain or security = user?
>
>I had problems with winbind using security = user.. I can't remember
>properly it's been a while..
>
>On 11/11/2010 04:22 PM, Rowley, Mathew wrote:
>> I had to downgrade samba on a rh5.5 instance due to ntlm_auth not
>>working properly:
>>https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=561325
>>
>> Now, when I add the computer to the domain ('net ads join -U
>>Administrator') it seems to work, is visible on the AD interface, but
>>the logs show an error:
>> Nov 11 16:03:22 rhclient winbindd[4483]: [2010/11/11 16:03:22,  0]
>>winbindd/idmap.c:idmap_alloc_init(589)
>> Nov 11 16:03:22 rhclient winbindd[4483]:   ERROR: Initialization failed
>>for alloc backend, deferred!
>> Nov 11 16:03:22 rhclient winbindd[4483]: [2010/11/11 16:03:22,  0]
>>winbindd/idmap.c:smb_register_idmap_alloc(201)
>> Nov 11 16:03:22 rhclient winbindd[4483]:   idmap_alloc module ldap
>>already registered!
>> Nov 11 16:03:22 rhclient winbindd[4483]: [2010/11/11 16:03:22,  0]
>>winbindd/idmap.c:smb_register_idmap_alloc(201)
>> Nov 11 16:03:22 rhclient winbindd[4483]:   idmap_alloc module tdb
>>already registered!
>> Nov 11 16:03:22 rhclient winbindd[4483]: [2010/11/11 16:03:22,  0]
>>winbindd/idmap.c:smb_register_idmap(149)
>> Nov 11 16:03:22 rhclient winbindd[4483]:   Idmap module passdb already
>>registered!
>> Nov 11 16:03:22 rhclient winbindd[4483]: [2010/11/11 16:03:22,  0]
>>winbindd/idmap.c:smb_register_idmap(149)
>> Nov 11 16:03:22 rhclient winbindd[4483]:   Idmap module nss already
>>registered!
>> Nov 11 16:03:22 rhclient winbindd[4483]: [2010/11/11 16:03:22,  0]
>>winbindd/idmap.c:idmap_alloc_init(589)
>> Nov 11 16:03:22 rhclient winbindd[4483]:   ERROR: Initialization failed
>>for alloc backend, deferred!
>> Nov 11 16:03:22 rhclient pcscd: winscard.c:304:SCardConnect() Reader
>>E-Gate 0 0 Not Found
>>
>> And wbinfo gives me nothing - so I am assuming there is a problem:
>> [root@rhclient samba]# wbinfo -u
>> [root@rhclient samba]# wbinfo -g
>> [root@rhclient samba]#
>>
>> When trying to do a ntlm_auth, I get a funky error as well:
>> [root@rhclient samba]# ntlm_auth --request-nt-key
>>--domain=VMSECLAB.CABLE.COMCAST.COM --username=user
>> password:
>> NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
>>
>> Yet, there is a login server in the samba.conf, and dns/reverse dns
>>works:
>> [root@rhclient samba]# grep 'password server' /etc/samba/smb.conf
>> password server = ad.vmseclab.cable.com
>> [root@rhclient samba]# nslookup ad.vmseclab.cable.com
>> Server: 10.252.159.138
>> Address: 10.252.159.138#53
>>
>> Name: ad.vmseclab.cable.com
>> Address: 10.252.159.138
>>
>> [root@rhclient samba]# nslookup 10.252.159.138
>> Server: 10.252.159.138
>> Address: 10.252.159.138#53
>>
>> 138.159.252.10.in-addr.arpa name = ad.vmseclab.cable.com.
>>
>> The samba logs show this when trying to ntlm_auth:
>> ==>  /var/log/samba/log.winbindd-dc-connect<==
>> [2010/11/11 16:16:55,  1] libads/cldap.c:recv_cldap_netlogon(157)
>>    no reply received to cldap netlogon
>> [2010/11/11 16:16:55,  1] libads/ldap.c:ads_find_dc(427)
>>    ads_find_dc: failed to find a valid DC on our site
>>(Default-First-Site-Name), trying to find another DC
>> [2010/11/11 16:16:55,  1] libads/ldap.c:ads_find_dc(427)
>>    ads_find_dc: failed to find a valid DC on our site
>>(Default-First-Site-Name), trying to find another DC
>> [2010/11/11 16:17:25,  1] libads/cldap.c:recv_cldap_netlogon(157)
>>    no reply received to cldap netlogon
>> [2010/11/11 16:17:25,  1] libads/ldap.c:ads_find_dc(427)
>>    ads_find_dc: failed to find a valid DC on our site
>>(Default-First-Site-Name), trying to find another DC
>> [2010/11/11 16:17:25,  1] libads/ldap.c:ads_find_dc(427)
>>    ads_find_dc: failed to find a valid DC on our site
>>(Default-First-Site-Name), trying to find another DC
>>
>>
>> Has anyone seen this, or have any clue what could be happening? It
>>seems like my DC does not have cldap open/working? What port does that
>>run over? If it's normal ldap(389), I can telnet to that fine.
>>
>> I am out of ideas, any help would be appreciated.  Thanks.
>>
>>
>>
>
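
The winbindd log quoted above reports "no reply received to cldap netlogon"; CLDAP is connectionless LDAP carried over UDP port 389, which a telnet (TCP) connection to 389 does not exercise. The following is an added example, not part of the original thread: a minimal Python probe that sends the AD "LDAP ping" (a rootDSE search for the NetLogon attribute) over UDP and reports whether any reply comes back. The function names and the NtVer flag value 0x6 are choices made for this example.

```python
import socket
import sys

def tlv(tag, content):
    """BER tag-length-value; uses long-form length for 128+ content bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def equality(attr, value):
    """LDAP equalityMatch filter item (context tag [3])."""
    return tlv(0xA3, tlv(0x04, attr.encode()) + tlv(0x04, value))

def build_cldap_ping(dns_domain, msg_id=1):
    """searchRequest on the rootDSE: (&(DnsDomain=...)(NtVer=...)), attr NetLogon."""
    ntver = (0x00000006).to_bytes(4, "little")  # assumed flags: V5 | V5EX
    flt = tlv(0xA0, equality("DnsDomain", dns_domain.encode())
                    + equality("NtVer", ntver))
    search = tlv(0x63,
                 tlv(0x04, b"")            # baseObject: empty DN (rootDSE)
                 + tlv(0x0A, b"\x00")      # scope: baseObject
                 + tlv(0x0A, b"\x00")      # derefAliases: never
                 + tlv(0x02, b"\x00")      # sizeLimit: 0
                 + tlv(0x02, b"\x00")      # timeLimit: 0
                 + tlv(0x01, b"\x00")      # typesOnly: FALSE
                 + flt
                 + tlv(0x30, tlv(0x04, b"NetLogon")))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + search)  # msg_id must be 1..127

def cldap_probe(host, dns_domain, timeout=3.0, port=389):
    """True if the host answers the ping over UDP with something LDAP-shaped."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_cldap_ping(dns_domain), (host, port))
            data, _ = s.recvfrom(4096)
    except OSError:  # timeout, ICMP unreachable, name resolution failure
        return False
    return data[:1] == b"\x30"  # BER SEQUENCE, the start of an LDAPMessage

if __name__ == "__main__":
    dc, domain = sys.argv[1], sys.argv[2]  # e.g. the 'password server' and realm
    print("CLDAP reply" if cldap_probe(dc, domain) else "no CLDAP reply (UDP/389)")
```

A `False` result while TCP 389 connects points at UDP 389 being filtered between the client and the DC, or at the DC not answering for the domain name supplied.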


