[Samba] ADS authentication stopped working

francis picabia fpicabia at gmail.com
Mon Oct 3 13:44:10 MDT 2011


On Mon, Oct 3, 2011 at 4:27 PM, francis picabia <fpicabia at gmail.com> wrote:
> Running Samba mostly on Redhat 5 with version 3.5.4-0.83
> Also failed on Debian 3.5.6 and Solaris with a 3.5 version.
> Logging details here are from Redhat case.
>
> We have a similar problem on all Unix/Linux systems using
> ADS as the backend authentication for samba shares on Unix/Linux.
>
> It was working before today and we didn't change anything.
> Today, any time we try smbclient or a Windows drive map
> to connect, and the user is not in /etc/passwd,
> it fails.  Yet if they are in /etc/passwd, it succeeds.
>
> "net ads testjoin" returns OK.
>
> If I take the user not in /etc/passwd and use either:
>
> wbinfo -a username%password
>
> or
>
> kinit username@AD.MYDOMAIN.CA
>
> it works.
>
> Winbind and samba services have been restarted.
> SSH login using AD auth works fine.
>
> We have reduced to minimal /etc/pam.d/samba:
>
> auth        required      pam_env.so
> auth        sufficient    pam_winbind.so use_first_pass debug
> auth        required      pam_deny.so
> account     required      pam_permit.so
>
>
>
> Login attempt:
>
> $ smbclient -U username //www/test
> Enter username's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> Log level 10:
>
> [2011/10/03 15:22:03.546880,  6] param/loadparm.c:7133(lp_file_list_changed)
>  lp_file_list_changed()
>  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Mon
> Oct  3 15:21:45 2011
> [2011/10/03 15:22:03.546943,  5] auth/auth_util.c:211(make_user_info_map)
>  Mapping user [MYDOMAIN]\[username] from workstation [LABRADOR]
> [2011/10/03 15:22:03.547328,  5] auth/auth_util.c:122(make_user_info)
>  attempting to make a user_info for username (username)
> [2011/10/03 15:22:03.547351,  5] auth/auth_util.c:132(make_user_info)
>  making strings for username's user_info struct
> [2011/10/03 15:22:03.547370,  5] auth/auth_util.c:164(make_user_info)
>  making blobs for username's user_info struct
> [2011/10/03 15:22:03.547390, 10] auth/auth_util.c:182(make_user_info)
>  made an encrypted user_info for username (username)
> [2011/10/03 15:22:03.547411,  3] auth/auth.c:216(check_ntlm_password)
>  check_ntlm_password:  Checking password for unmapped user
> [MYDOMAIN]\[username]@[LABRADOR] with the new password interface
> [2011/10/03 15:22:03.547434,  3] auth/auth.c:219(check_ntlm_password)
>  check_ntlm_password:  mapped user is: [MYDOMAIN]\[username]@[LABRADOR]
> [2011/10/03 15:22:03.547453, 10] auth/auth.c:228(check_ntlm_password)
>  check_ntlm_password: auth_context challenge created by NTLMSSP
> callback (NTLM2)
> [2011/10/03 15:22:03.547473, 10] auth/auth.c:230(check_ntlm_password)
>  challenge is:
> [2011/10/03 15:22:03.547488,  5] ../lib/util/util.c:278(_dump_data)
>  [0000] 89 E2 DB 1A E5 3D A7 6C                            .....=.l
> [2011/10/03 15:22:03.547529, 10] auth/auth.c:256(check_ntlm_password)
>  check_ntlm_password: guest had nothing to say
> [2011/10/03 15:22:03.547560,  8] lib/util.c:1869(is_myname)
>  is_myname("MYDOMAIN") returns 0
> [2011/10/03 15:22:03.547580,  6] auth/auth_sam.c:556(check_samstrict_security)
>  check_samstrict_security: MYDOMAIN is not one of my local names
> (ROLE_DOMAIN_MEMBER)
> [2011/10/03 15:22:03.547603, 10] auth/auth.c:256(check_ntlm_password)
>  check_ntlm_password: sam had nothing to say
> [2011/10/03 15:22:03.547624,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2011/10/03 15:22:03.547646,  3] smbd/uid.c:429(push_conn_ctx)
>  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2011/10/03 15:22:03.547665,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2011/10/03 15:22:03.547685,  5] auth/token_util.c:525(debug_nt_user_token)
>  NT user token: (NULL)
> [2011/10/03 15:22:03.547702,  5] auth/token_util.c:551(debug_unix_user_token)
>  UNIX token of user 0
>  Primary group is 0 and contains 0 supplementary groups
> [2011/10/03 15:22:03.551090,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2011/10/03 15:22:03.551129,  5] lib/username.c:133(Get_Pwnam_alloc)
>  Finding user MYDOMAIN\username
> [2011/10/03 15:22:03.551148,  5] lib/username.c:77(Get_Pwnam_internals)
>  Trying _Get_Pwnam(), username as lowercase is acadia\username
> [2011/10/03 15:22:03.551276,  5] lib/username.c:85(Get_Pwnam_internals)
>  Trying _Get_Pwnam(), username as given is MYDOMAIN\username
> [2011/10/03 15:22:03.551388,  5] lib/username.c:95(Get_Pwnam_internals)
>  Trying _Get_Pwnam(), username as uppercase is MYDOMAIN\MPOWER
> [2011/10/03 15:22:03.551491,  5] lib/username.c:104(Get_Pwnam_internals)
>  Checking combinations of 0 uppercase letters in acadia\username
> [2011/10/03 15:22:03.551526,  5] lib/username.c:110(Get_Pwnam_internals)
>  Get_Pwnam_internals didn't find user [MYDOMAIN\username]!
> [2011/10/03 15:22:03.551546,  5] lib/username.c:133(Get_Pwnam_alloc)
>  Finding user username
> [2011/10/03 15:22:03.551564,  5] lib/username.c:77(Get_Pwnam_internals)
>  Trying _Get_Pwnam(), username as lowercase is username
> [2011/10/03 15:22:03.551666,  5] lib/username.c:95(Get_Pwnam_internals)
>  Trying _Get_Pwnam(), username as uppercase is MPOWER
> [2011/10/03 15:22:03.551779,  5] lib/username.c:104(Get_Pwnam_internals)
>  Checking combinations of 0 uppercase letters in username
> [2011/10/03 15:22:03.551799,  5] lib/username.c:110(Get_Pwnam_internals)
>  Get_Pwnam_internals didn't find user [username]!
> [2011/10/03 15:22:03.551861,  5] auth/auth.c:268(check_ntlm_password)
>  check_ntlm_password: winbind authentication for user [username]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2011/10/03 15:22:03.551889,  2] auth/auth.c:314(check_ntlm_password)
>  check_ntlm_password:  Authentication for user [username] ->
> [username] FAILED with error NT_STATUS_NO_SUCH_USER
> [2011/10/03 15:22:03.551910,  5] auth/auth_util.c:2119(free_user_info)
>  attempting to free (and zero) a user_info structure
> [2011/10/03 15:22:03.551934, 10] auth/auth_util.c:2123(free_user_info)
>  structure was created for username
> [2011/10/03 15:22:03.551964,  3] smbd/error.c:80(error_packet_set)
>  error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2011/10/03 15:22:03.552000,  5] lib/util.c:617(show_msg)
> [2011/10/03 15:22:03.552013,  5] lib/util.c:627(show_msg)
>  size=35
>  smb_com=0x73
>  smb_rcls=109
>  smb_reh=0
>  smb_err=49152
>  smb_flg=136
>  smb_flg2=51203
>  smb_tid=0
>  smb_pid=6992
>  smb_uid=100
>  smb_mid=3
>  smt_wct=0
>  smb_bcc=0
> [2011/10/03 15:22:03.552941,  5] lib/util_sock.c:462(read_fd_with_timeout)
>  read_fd_with_timeout: blocking read. EOF from client.
> [2011/10/03 15:22:03.552994, 10] smbd/process.c:286(receive_smb_raw_talloc)
>  receive_smb_raw: NT_STATUS_END_OF_FILE
> [2011/10/03 15:22:03.553025,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2011/10/03 15:22:03.553046,  5] auth/token_util.c:525(debug_nt_user_token)
>  NT user token: (NULL)
> [2011/10/03 15:22:03.553066,  5] auth/token_util.c:551(debug_unix_user_token)
>  UNIX token of user 0
>  Primary group is 0 and contains 0 supplementary groups
> [2011/10/03 15:22:03.553105,  5] smbd/uid.c:369(change_to_root_user)
>  change_to_root_user: now uid=(0,0) gid=(0,0)
> [2011/10/03 15:22:03.553127,  3] smbd/connection.c:31(yield_connection)
>  Yielding connection to
> [2011/10/03 15:22:03.553179, 10] lib/dbwrap_tdb.c:100(db_tdb_fetch_locked)
>  Locking key B56E0000FFFFFFFFFFFF
> [2011/10/03 15:22:03.553204, 10] lib/dbwrap_tdb.c:129(db_tdb_fetch_locked)
>  Allocated locked data 0x0x7f9ba627a6f0
> [2011/10/03 15:22:03.553228, 10] lib/dbwrap_tdb.c:42(db_tdb_record_destr)
>  Unlocking key B56E0000FFFFFFFFFFFF
> [2011/10/03 15:22:03.553324,  3] smbd/server.c:906(exit_server_common)
>  Server exit (failed to receive smb request)
>
>
>
> The Windows admin doesn't believe they changed anything on their end.
>
> Where do we look next?

We never needed this before, but I've tried adding winbind in /etc/nsswitch.conf
for the passwd entry and restarting samba.  smbclient can connect.

I don't like using winbind next to passwd in nsswitch.conf as it makes use
of the passwd command busted for changing local Unix passwords.

Is there another way to configure this or does this point to
something meaningful I can chase down?
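
An added example, not part of the original post and not Samba code: a small Python triage of an smbd debug log that separates "the Unix account lookup failed" from other authentication failures, run over lines copied from the quoted log above. The function names and verdict labels are this example's own.

```python
import re

# smbd debug header, e.g. "[2011/10/03 15:22:03.551526,  5] lib/username.c:110(Get_Pwnam_internals)"
HEADER = re.compile(r"^\[([^,\]]+),\s*(\d+)\]\s+\S+?:\d+\((\w+)\)$")
LOOKUP_MISS = re.compile(r"Get_Pwnam_internals didn't find user \[([^\]]+)\]")
AUTH_FAIL = re.compile(r"Authentication for user \[[^\]]+\].*FAILED with error (NT_STATUS_\w+)")

# Lines copied from the quoted log above, mail quoting and wrapping included.
SAMPLE = r"""
> [2011/10/03 15:22:03.551526,  5] lib/username.c:110(Get_Pwnam_internals)
>  Get_Pwnam_internals didn't find user [MYDOMAIN\username]!
> [2011/10/03 15:22:03.551799,  5] lib/username.c:110(Get_Pwnam_internals)
>  Get_Pwnam_internals didn't find user [username]!
> [2011/10/03 15:22:03.551861,  5] auth/auth.c:268(check_ntlm_password)
>  check_ntlm_password: winbind authentication for user [username]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2011/10/03 15:22:03.551889,  2] auth/auth.c:314(check_ntlm_password)
>  check_ntlm_password:  Authentication for user [username] ->
> [username] FAILED with error NT_STATUS_NO_SUCH_USER
"""

def parse_records(text):
    """Group each header with its message lines; strips '> ' quoting, joins wraps."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        m = HEADER.match(line)
        if m:
            records.append({"ts": m[1], "level": int(m[2]), "func": m[3], "msg": ""})
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def triage(text):
    """Return (final_status, names_not_resolved, verdict) for a session setup."""
    missing, status = [], None
    for rec in parse_records(text):
        if (m := LOOKUP_MISS.search(rec["msg"])):
            missing.append(m[1])
        elif (m := AUTH_FAIL.search(rec["msg"])):
            status = m[1]
    if status == "NT_STATUS_NO_SUCH_USER" and missing:
        verdict = "unix-account-lookup"   # name lookups failed and auth ended in NO_SUCH_USER
    elif status:
        verdict = "other-auth-failure"
    else:
        verdict = "no-failure-seen"
    return status, missing, verdict
```

Calling `triage(SAMPLE)` reports both name forms that `Get_Pwnam_internals` failed to resolve alongside the final status, which is the pattern this log shows before `passwd` in nsswitch.conf included winbind.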

