[Samba] trouble switching winbind to use a new AD 2008

John Stile john at stilen.com
Fri Nov 12 07:55:54 MST 2010


It looks like samba <3.2.0 will not be able to use winbind with Windows
Server 2008 R2, which referenced:
https://bugzilla.redhat.com/show_bug.cgi?id=561325

I had a mistake in my initial post that I'm using Debian Lenny with
samba 3.0.24.  I actually have Debian Etch with samba 3.0.24.  In Debian
Lenny the version of samba is 3.2.5, and this works, which I have
verified on another system.

So the solution to my issue with winbind and Windows Server 2008 R2 is
to upgrade to samba <3.2.0.

On Thu, 2010-11-11 at 09:44 -0800, John Stile wrote:
> I forgot to mention that this AD is 2008 R2, if that makes a difference.
> 
> 
> On Thu, 2010-11-11 at 08:12 -0800, Ray Van Dolson wrote:
> > On Thu, Nov 11, 2010 at 08:09:50AM -0800, John Stile wrote:
> > > I have been using 2003 AD servers for winbind for many years, and now
> > > 2008 is phasing in, but I can't authenticate using the new servers, and
> > > I'm not sure what to do.  All advice very welcome.
> > > 
> > > This is a problem for me on both Gentoo (samba 3.0.33) and Debian Lenny
> > > (samba 3.0.24).
> > > 
> > > For debugging, I ran winbind interactively and piped output to a file
> > > (winbindd -d 3 -i).  
> > > 
> > > I have also posted the complete files to a pastebin: 
> > > Working AD:     http://pastebin.ca/1988167
> > > Non-working AD: http://pastebin.ca/1988169
> > > 
> > > I did this for working and non-working ADs, and each time, I exercised
> > > the winbind daemon with the same commands, and then diff'ed the files.
> > > 
> > > Both AD's behave the same for the following commands:
> > > wbinfo -g
> > > wbinfo -u
> > > net ads info
> > > 
> > > However, the following commands do not work using the 2008 AD.
> > > kinit john
> > >   kinit(v5): KDC has no support for encryption type while getting initial credentials
> > > wbinfo --all-domains
> > >   <empty>
> > > wbinfo -m
> > >   Could not list trusted domains
> > > wbinfo -t
> > >   checking the trust secret via RPC calls succeeded
> > > wbinfo -a MS+john%'mypasswd'
> > >    plaintext password authentication failed
> > >    error code was NT code 0x00000721 (0x721)
> > >    error messsage was: NT code 0x00000721
> > >    Could not authenticate user MS+john%mypasswd with plaintext password
> > >    challenge/response password authentication failed
> > >    error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
> > >    error messsage was: Named pipe dicconnected
> > >    Could not authenticate user MS+john with challenge/response
> > > 
> > > The winbind logs are long, and attaching to this email seems wrong, so I
> > > have a difference summary below.  
> > > 
> > > ---First:---
> > > The working AD shows this:
> > > get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
> > > get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
> > > Doing spnego session setup (blob length=104)
> > > 
> > > The non-working AD shows this:
> > > get_dc_list: preferred server list: ", 192.168.50.12"
> > > Connected to LDAP server 192.168.50.12
> > > get_dc_list: preferred server list: ", 192.168.50.12"
> > > Connected to LDAP server 192.168.50.12
> > > get_dc_list: preferred server list: ", 192.168.50.12"
> > > get_dc_list: preferred server list: ", 192.168.50.12"
> > > get_dc_list: preferred server list: ", 192.168.50.12"
> > > get_dc_list: preferred server list: ", 192.168.50.12"
> > > get_dc_list: preferred server list: ", 192.168.50.12"
> > > get_dc_list: preferred server list: ", 192.168.50.12"
> > > Doing spnego session setup (blob length=136)
> > > got OID=1 3 6 1 4 1 311 2 2 30
> > > 
> > > ---Second:---
> > > The working AD shows this:
> > > got principal=ad1$@MS.MYDOMAIN.COM
> > > 
> > > The non-working AD shows this:
> > > got principal=not_defined_in_RFC4178 at please_ignore
> > > cli_session_setup_spnego: got a bad server principal, trying to
> > > guess ...
> > > cli_session_setup_spnego: guessed server principal=AD4$@MS.MYDOMAIN.COM
> > > 
> > > ---Third:---
> > > The working AD shows this:
> > > got principal=ad1$@MS.MYDOMAIN.COM
> > > Doing kerberos session setup
> > > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 11 Nov 2010 06:53:02 PST
> > > rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \lsarpc fnum 0x4003 bind request returned ok.
> > > rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \lsarpc fnum 0x4002 bind request returned ok.
> > > 
> > > The non-working AD shows this:
> > > got principal=not_defined_in_RFC4178 at please_ignore
> > > Kinit failed: KDC has no support for encryption type
> > > Doing spnego session setup (blob length=136)
> > > got OID=1 3 6 1 4 1 311 2 2 30
> > > got OID=1 2 840 48018 1 2 2
> > > got OID=1 2 840 113554 1 2 2
> > > got OID=1 2 840 113554 1 2 2 3
> > > got OID=1 3 6 1 4 1 311 2 2 10
> > > got principal=not_defined_in_RFC4178 at please_ignore
> > > Got challenge flags:
> > > Got NTLMSSP neg_flags=0x62898215
> > > NTLMSSP: Set final flags:
> > > Got NTLMSSP neg_flags=0x60088215
> > > NTLMSSP Sign/Seal - Initialising with flags:
> > > Got NTLMSSP neg_flags=0x60088215
> > > rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \lsarpc fnum 0x800d bind request returned ok.
> > > rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \lsarpc fnum 0x800e bind request returned ok.
> > > 
> > > ---Fourth:---
> > > The working AD shows this:
> > > [ 4325]: pam auth MS+john
> > > [ 4318]: dual pam auth MS+john
> > > [ 4325]: request misc info
> > > [ 4325]: pam auth crap domain: [MS] user: john
> > > [ 4318]: pam auth crap domain: MS user: john
> > > [ 4327]: request interface version
> > > [ 4327]: request location of privileged pipe
> > > [ 4327]: check machine account
> > > [ 4318]: check machine account
> > > get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
> > > get_dc_list: preferred server list: "192.168.50.11, 192.168.50.11"
> > > Doing spnego session setup (blob length=104)
> > > got OID=1 2 840 48018 1 2 2
> > > got OID=1 2 840 113554 1 2 2
> > > got OID=1 2 840 113554 1 2 2 3
> > > got OID=1 3 6 1 4 1 311 2 2 10
> > > got principal=ad1$@MS.MYDOMAIN.COM
> > > Doing kerberos session setup
> > > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 11 Nov 2010 16:43:26 PST
> > > rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \NETLOGON fnum 0x800c bind request returned ok.
> > > rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \NETLOGON fnum 0x8008 bind request returned ok.
> > > secret is good
> > > [ 4328]: request interface version
> > > [ 4328]: request location of privileged pipe
> > > [ 4328]: list trusted domains
> > > [ 4318]: list trusted domains
> > > [ 4330]: request interface version
> > > [ 4330]: request location of privileged pipe
> > > [ 4330]: list trusted domains
> > > [ 4318]: list trusted domains
> > > [ 4341]: request interface version
> > > [ 4341]: request location of privileged pipe
> > > [ 4341]: getgroups root
> > > [ 4318]: lookupname MS+root
> > > rpc: name_to_sid name=MS\root
> > > name_to_sid [rpc] MS\root for domain MS
> > > rpc_pipe_bind: Remote machine ad1.ms.mydomain.com pipe \lsarpc fnum 0xc004 bind request returned ok.
> > > Got challenge flags:
> > > Got NTLMSSP neg_flags=0x62898235
> > > NTLMSSP: Set final flags:
> > > Got NTLMSSP neg_flags=0x60088235
> > > NTLMSSP Sign/Seal - Initialising with flags:
> > > Got NTLMSSP neg_flags=0x60088235
> > > lsa_io_sec_qos: length c does not match size 8
> > > 
> > > The non-working AD shows this:
> > > [ 4503]: pam auth MS+johns
> > > [ 4441]: dual pam auth MS+johns
> > > cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0x400c!
> > > Plain-text authentication for user MS+johns returned NT code 0x00000721 (PAM: 4)
> > > [ 4503]: request misc info
> > > [ 4503]: pam auth crap domain: [MS] user: johns
> > > [ 4441]: pam auth crap domain: MS user: johns
> > > rpc_api_pipe: Remote machine AD4.ms.msli.com pipe \NETLOGON fnum 0x400creturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
> > > NTLM CRAP authentication for user [MS]\[johns] returned NT_STATUS_PIPE_DISCONNECTED (PAM: 4)
> > > [ 4505]: request interface version
> > > [ 4505]: request location of privileged pipe
> > > [ 4505]: check machine account
> > > [ 4441]: check machine account
> > > get_dc_list: preferred server list: "192.168.50.12, 192.168.50.12"
> > > get_dc_list: preferred server list: "192.168.50.12, 192.168.50.12"
> > > Doing spnego session setup (blob length=136)
> > > got OID=1 3 6 1 4 1 311 2 2 30
> > > got OID=1 2 840 48018 1 2 2
> > > got OID=1 2 840 113554 1 2 2
> > > got OID=1 2 840 113554 1 2 2 3
> > > got OID=1 3 6 1 4 1 311 2 2 10
> > > got principal=not_defined_in_RFC4178 at please_ignore
> > > cli_session_setup_spnego: got a bad server principal, trying to guess ...
> > > cli_session_setup_spnego: guessed server principal=AD4$@MS.MYDOMAIN.COM
> > > Doing kerberos session setup
> > > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 11 Nov 2010 16:46:46 PST
> > > rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0xc002 bind request returned ok.
> > > rpc_pipe_bind: Remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0xc005 bind request returned ok.
> > > secret is good
> > > [ 4506]: request interface version
> > > [ 4506]: request location of privileged pipe
> > > [ 4506]: list trusted domains
> > > [ 4441]: list trusted domains
> > > winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_INVALID_PARAMETER
> > > [ 4508]: request interface version
> > > [ 4508]: request location of privileged pipe
> > > [ 4508]: list trusted domains
> > > [ 4441]: list trusted domains
> > > winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_INVALID_PARAMETER
> > 
> > You may need to try some of the steps listed here:
> > 
> >     http://support.microsoft.com/kb/942564
> > 
> > Ray
> 
> 
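The thread's diagnosis rests on diffing winbindd -d 3 output from a working and a non-working DC and on the Samba version in use (3.0.24 and 3.0.33 fail, 3.2.5 works). The script below is an added example, not code from the thread or from Samba: it scans a winbindd debug log for the failure markers quoted above, compares a version string against the 3.2.0 threshold the thread settles on, and prints a triage verdict. The indicator names, the triage() verdict strings and the sample log are constructed for this example.

```python
import re

# Indicator lines taken from the non-working-AD excerpts in the thread.
INDICATORS = {
    "bad_spnego_principal": re.compile(r"principal=not_defined_in_RFC4178"),
    "kdc_no_enctype": re.compile(r"KDC has no support for encryption type"),
    "netlogon_fault_0x721": re.compile(r"DCERPC fault 0x00000721"),
    "pipe_disconnected": re.compile(r"NT_STATUS_PIPE_DISCONNECTED"),
    "trusted_domains_invalid": re.compile(r"trusted_domains returned NT_STATUS_INVALID_PARAMETER"),
}

# The thread reports 3.0.24 and 3.0.33 failing and 3.2.5 working against 2008 R2.
MIN_WORKING_VERSION = (3, 2, 0)

def parse_version(version):
    """Turn '3.0.24' (or '3.2.5-Debian') into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised samba version: %r" % version)
    return tuple(int(x) for x in m.groups())

def version_at_least(version, minimum=MIN_WORKING_VERSION):
    return parse_version(version) >= minimum

def scan_winbind_log(text):
    """Return {indicator: [line numbers]} for every known failure marker."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def triage(version, text):
    """Combine the version check and the log scan into one verdict string."""
    hits = scan_winbind_log(text)
    if not hits:
        verdict = "no known 2008 R2 failure markers in log"
    elif not version_at_least(version):
        verdict = "samba %s is below 3.2.0: upgrade (3.2.5 worked in the thread)" % version
    else:
        verdict = "markers present despite samba >= 3.2.0: investigate DC side"
    return {"hits": hits, "verdict": verdict}

# Constructed sample assembled from the non-working-AD lines quoted in the thread.
SAMPLE_LOG = r"""got principal=not_defined_in_RFC4178 at please_ignore
Kinit failed: KDC has no support for encryption type
cli_session_setup_spnego: guessed server principal=AD4$@MS.MYDOMAIN.COM
cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine AD4.ms.mydomain.com pipe \NETLOGON fnum 0x400c!
NTLM CRAP authentication for user [MS]\[johns] returned NT_STATUS_PIPE_DISCONNECTED (PAM: 4)
winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_INVALID_PARAMETER
"""

if __name__ == "__main__":
    result = triage("3.0.24", SAMPLE_LOG)
    for name, lines in sorted(result["hits"].items()):
        print("%-24s lines %s" % (name, lines))
    print(result["verdict"])
```

Feed it the file you captured with `winbindd -d 3 -i` and the output of `smbd -V` to get the same comparison the thread did by hand.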