[Samba] Input/output error on attempting to authenticate

Madhusudan Singh singh.madhusudan at gmail.com
Tue Apr 12 15:22:47 MDT 2011 

Situation:

OpenSUSE 11.2 server with LDAP for authentication.
Authentication status: users CAN login using LDAP using ssh.
Additionally, I have kerberos setup and users can get kerberos tokens
without any problem.
Environment: ADS running on Windows. I do not control the ADS. I had to ask
an IT guy to come run a script that does the equivalent of net ads join and
a few other things needed for an OpenSUSE 11.2 server. I cannot upgrade to a
newer version of OpenSUSE 11.2 as a specific LDAP module needed for
authentication locally is distributed in a binary only format. I do not make
the rules here, just try to survive in this windows rich environment.

History: I had a working winbind based authentication working here, but
there was a change in the authentication setup at the ADS end that broke the
authentication. So, I am rebuilding the server as an LDAP + Samba box
without any use of winbind.

Attempts to authenticate against a samba share fail:

$ mount -v -t smbfs //user1 at servername.edu/user1 ./share/
Password:
mount_smbfs: server rejected the connection: Input/output error

(The funny thing is that the above message occurs whether or not I type in
the correct password.)

Log file on Samba:

[2011/04/12 16:13:08,  0]
rpc_client/cli_pipe.c:3853(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for
domain 'CAMPUS'
[2011/04/12 16:13:08,  0]
rpc_client/cli_pipe.c:4077(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server
CAMPUSDC10.CAMPUS.AD.CAMPUS.EDU for domain CAMPUS.
[2011/04/12 16:13:08,  0]
auth/auth_domain.c:187(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client
session to machine CAMPUSDC10.CAMPUS.AD.CAMPUS.EDU. Error was :
NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2011/04/12 16:13:08,  0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2011/04/12 16:13:08,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED
with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO

What could be a problem (this may explain the password independent response
above) ?

Part of my /etc/samba/smb.conf:

workgroup = CAMPUS
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
log level = 0 passdb:3 tdb:3 printdrivers:3 auth:3 sam:3 winbind:3
syslog = 0
panic action = /usr/share/samba/panic-action %d
security=ads
realm=CAMPUS.AD.CAMPUS.EDU
password server = campus.ad.campus.edu
workgroup = CAMPUS
idmap uid = 500-1000000
idmap gid = 500-1000000
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
encrypt passwords = true
passdb backend = tbdsam
obey pam restrictions = yes
unix password sync = yes
...

Thanks.

More information about the samba mailing list