[Samba] ADS authentication stopped working
francis picabia
fpicabia at gmail.com
Mon Oct 3 13:27:47 MDT 2011
Running Samba mostly on Redhat 5 with version 3.5.4-0.83.
Also failed on Debian 3.5.6 and Solaris with a 3.5 version.
Logging details here are from the Redhat case.

We have a similar problem on all Unix/Linux systems using
ADS as the backend authentication for samba shares on Unix/Linux.
It was working before today and we didn't change anything.

Today, any time we try smbclient or a Windows drive map
to connect, and the user is not in /etc/passwd,
it fails. Yet if they are in /etc/passwd, it succeeds.

"net ads testjoin" returns OK.

If I take the user not in /etc/passwd and use either:

    wbinfo -a username%password

or

    kinit username@AD.MYDOMAIN.CA

it works.

Winbind and samba services have been restarted.
SSH login using AD auth works fine.

We have reduced to minimal /etc/pam.d/samba:

    auth required pam_env.so
    auth sufficient pam_winbind.so use_first_pass debug
    auth required pam_deny.so
    account required pam_permit.so

Login attempt:

    $ smbclient -U username //www/test
    Enter username's password:
    session setup failed: NT_STATUS_LOGON_FAILURE

Log level 10:

[2011/10/03 15:22:03.546880, 6] param/loadparm.c:7133(lp_file_list_changed)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon
Oct 3 15:21:45 2011
[2011/10/03 15:22:03.546943, 5] auth/auth_util.c:211(make_user_info_map)
Mapping user [MYDOMAIN]\[username] from workstation [LABRADOR]
[2011/10/03 15:22:03.547328, 5] auth/auth_util.c:122(make_user_info)
attempting to make a user_info for username (username)
[2011/10/03 15:22:03.547351, 5] auth/auth_util.c:132(make_user_info)
making strings for username's user_info struct
[2011/10/03 15:22:03.547370, 5] auth/auth_util.c:164(make_user_info)
making blobs for username's user_info struct
[2011/10/03 15:22:03.547390, 10] auth/auth_util.c:182(make_user_info)
made an encrypted user_info for username (username)
[2011/10/03 15:22:03.547411, 3] auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[MYDOMAIN]\[username]@[LABRADOR] with the new password interface
[2011/10/03 15:22:03.547434, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOMAIN]\[username]@[LABRADOR]
[2011/10/03 15:22:03.547453, 10] auth/auth.c:228(check_ntlm_password)
check_ntlm_password: auth_context challenge created by NTLMSSP
callback (NTLM2)
[2011/10/03 15:22:03.547473, 10] auth/auth.c:230(check_ntlm_password)
challenge is:
[2011/10/03 15:22:03.547488, 5] ../lib/util/util.c:278(_dump_data)
[0000] 89 E2 DB 1A E5 3D A7 6C .....=.l
[2011/10/03 15:22:03.547529, 10] auth/auth.c:256(check_ntlm_password)
check_ntlm_password: guest had nothing to say
[2011/10/03 15:22:03.547560, 8] lib/util.c:1869(is_myname)
is_myname("MYDOMAIN") returns 0
[2011/10/03 15:22:03.547580, 6] auth/auth_sam.c:556(check_samstrict_security)
check_samstrict_security: MYDOMAIN is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2011/10/03 15:22:03.547603, 10] auth/auth.c:256(check_ntlm_password)
check_ntlm_password: sam had nothing to say
[2011/10/03 15:22:03.547624, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/10/03 15:22:03.547646, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/10/03 15:22:03.547665, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/10/03 15:22:03.547685, 5] auth/token_util.c:525(debug_nt_user_token)
NT user token: (NULL)
[2011/10/03 15:22:03.547702, 5] auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2011/10/03 15:22:03.551090, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/10/03 15:22:03.551129, 5] lib/username.c:133(Get_Pwnam_alloc)
Finding user MYDOMAIN\username
[2011/10/03 15:22:03.551148, 5] lib/username.c:77(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is acadia\username
[2011/10/03 15:22:03.551276, 5] lib/username.c:85(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is MYDOMAIN\username
[2011/10/03 15:22:03.551388, 5] lib/username.c:95(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is MYDOMAIN\MPOWER
[2011/10/03 15:22:03.551491, 5] lib/username.c:104(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in acadia\username
[2011/10/03 15:22:03.551526, 5] lib/username.c:110(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [MYDOMAIN\username]!
[2011/10/03 15:22:03.551546, 5] lib/username.c:133(Get_Pwnam_alloc)
Finding user username
[2011/10/03 15:22:03.551564, 5] lib/username.c:77(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is username
[2011/10/03 15:22:03.551666, 5] lib/username.c:95(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is MPOWER
[2011/10/03 15:22:03.551779, 5] lib/username.c:104(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in username
[2011/10/03 15:22:03.551799, 5] lib/username.c:110(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [username]!
[2011/10/03 15:22:03.551861, 5] auth/auth.c:268(check_ntlm_password)
check_ntlm_password: winbind authentication for user [username]
FAILED with error NT_STATUS_NO_SUCH_USER
[2011/10/03 15:22:03.551889, 2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [username] ->
[username] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/10/03 15:22:03.551910, 5] auth/auth_util.c:2119(free_user_info)
attempting to free (and zero) a user_info structure
[2011/10/03 15:22:03.551934, 10] auth/auth_util.c:2123(free_user_info)
structure was created for username
[2011/10/03 15:22:03.551964, 3] smbd/error.c:80(error_packet_set)
error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2011/10/03 15:22:03.552000, 5] lib/util.c:617(show_msg)
[2011/10/03 15:22:03.552013, 5] lib/util.c:627(show_msg)
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51203
smb_tid=0
smb_pid=6992
smb_uid=100
smb_mid=3
smt_wct=0
smb_bcc=0
[2011/10/03 15:22:03.552941, 5] lib/util_sock.c:462(read_fd_with_timeout)
read_fd_with_timeout: blocking read. EOF from client.
[2011/10/03 15:22:03.552994, 10] smbd/process.c:286(receive_smb_raw_talloc)
receive_smb_raw: NT_STATUS_END_OF_FILE
[2011/10/03 15:22:03.553025, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/10/03 15:22:03.553046, 5] auth/token_util.c:525(debug_nt_user_token)
NT user token: (NULL)
[2011/10/03 15:22:03.553066, 5] auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2011/10/03 15:22:03.553105, 5] smbd/uid.c:369(change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2011/10/03 15:22:03.553127, 3] smbd/connection.c:31(yield_connection)
Yielding connection to
[2011/10/03 15:22:03.553179, 10] lib/dbwrap_tdb.c:100(db_tdb_fetch_locked)
Locking key B56E0000FFFFFFFFFFFF
[2011/10/03 15:22:03.553204, 10] lib/dbwrap_tdb.c:129(db_tdb_fetch_locked)
Allocated locked data 0x0x7f9ba627a6f0
[2011/10/03 15:22:03.553228, 10] lib/dbwrap_tdb.c:42(db_tdb_record_destr)
Unlocking key B56E0000FFFFFFFFFFFF
[2011/10/03 15:22:03.553324, 3] smbd/server.c:906(exit_server_common)
Server exit (failed to receive smb request)
The Windows admin doesn't believe they changed anything on their end.
Where do we look next?
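
An added example, not part of the original post and not Samba code: a small Python triage of smbd debug records like the ones above, separating a session setup that ends in NT_STATUS_NO_SUCH_USER after failed Get_Pwnam lookups (no Unix account found) from other failures. The function names and the sample records are constructed for illustration.

```python
import re

# Header of an smbd debug record: [timestamp, level] file:line(function)
HEADER = re.compile(r"^\[(\S+ \S+),\s+(\d+)\] (\S+?):(\d+)\((\w+)\)$")
FAILED = re.compile(r"(\w+) authentication for user \[(.+?)\] FAILED with error (NT_STATUS_\w+)")

# Constructed sample: records shaped like those in the post's level 10 log.
SAMPLE = """\
[2011/10/03 15:22:03.547603, 10] auth/auth.c:256(check_ntlm_password)
check_ntlm_password: sam had nothing to say
[2011/10/03 15:22:03.551526, 5] lib/username.c:110(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [MYDOMAIN\\username]!
[2011/10/03 15:22:03.551799, 5] lib/username.c:110(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [username]!
[2011/10/03 15:22:03.551861, 5] auth/auth.c:268(check_ntlm_password)
check_ntlm_password: winbind authentication for user [username]
FAILED with error NT_STATUS_NO_SUCH_USER
"""

def parse_records(text):
    """Group message lines under their header, rejoining mail-wrapped lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            ts, level, src, lineno, func = m.groups()
            records.append({"ts": ts, "level": int(level), "src": f"{src}:{lineno}", "func": func, "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def triage(records):
    """Summarise one session setup: skipped backends, failed lookups, verdict."""
    skipped, missing, failure = [], [], None
    for r in records:
        if m := re.search(r"check_ntlm_password: (\w+) had nothing to say", r["msg"]):
            skipped.append(m.group(1))
        elif m := re.search(r"didn't find user \[(.+?)\]!", r["msg"]):
            missing.append(m.group(1))
        elif m := FAILED.search(r["msg"]):
            failure = {"backend": m.group(1), "user": m.group(2), "status": m.group(3)}
    # Failed passwd lookups followed by NO_SUCH_USER point at account resolution.
    lookup = bool(failure and missing and failure["status"] == "NT_STATUS_NO_SUCH_USER")
    return {"skipped": skipped, "missing": missing, "failure": failure,
            "account_lookup_failed": lookup}

if __name__ == "__main__":
    print(triage(parse_records(SAMPLE)))
```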