[Samba] Samba 4.0.6 update - login issues

Kristofer Pettijohn kristofer at cybernetik.net
Sat Jul 13 13:23:32 MDT 2013


Is it possible that this may be related to and fixed by the patch in this bug: https://bugzilla.samba.org/show_bug.cgi?id=9820 


----- Original Message -----

From: "Kristofer Pettijohn" <kristofer at cybernetik.net> 
To: "Andrew Bartlett" <abartlet at samba.org> 
Cc: samba at lists.samba.org 
Sent: Thursday, June 13, 2013 12:17:53 AM 
Subject: Re: [Samba] Samba 4.0.6 update - login issues 

It happened again. When it happens, it happens at exactly the top of the hour. Same symptoms and results as below. 

On Jun 11, 2013, at 12:08 AM, "Kristofer Pettijohn" <kristofer at cybernetik.net> wrote: 

> I would need logs and network traces to investigate this further. 
> 
> Could it be a kerberos ticket expiring? 
> 
> Does it still happen if you upgrade a test member server to 3.6 or 4.0 
> (so we can narrow down the issue)? 

I have logs (debug 16 from the client) and a network trace. If you would like me to send them somewhere, let me know where you would like them. 

Received an alert that Radius authentication fails (ntlm). 

Log into Radius server via ssh, which uses winbind for auth - receive this error: Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable 

Ran "net ads info": 

    [root at durad1 ~]# net ads info 
    LDAP server: 10.9.10.81 
    LDAP server name: brsad.ad.bigrocksports.com 
    Realm: AD.BIGROCKSPORTS.COM 
    Bind Path: dc=AD,dc=BIGROCKSPORTS,dc=COM 
    LDAP port: 389 
    Server time: Tue, 11 Jun 2013 00:42:44 EDT 
    KDC server: 10.9.10.81 
    Server time offset: 0 

Ran "net ads lookup": 

    [root at durad1 ~]# net ads lookup 
    Information for Domain Controller: 10.9.10.81 

    Response Type: LOGON_SAM_LOGON_RESPONSE_EX 
    GUID: 61b8eb21-20b7-459b-8d7e-224ea1fa85d5 
    Flags: 
    Is a PDC: yes 
    Is a GC of the forest: yes 
    Is an LDAP server: yes 
    Supports DS: yes 
    Is running a KDC: yes 
    Is running time services: yes 
    Is the closest DC: yes 
    Is writable: yes 
    Has a hardware clock: yes 
    Is a non-domain NC serviced by LDAP server: no 
    Is NT6 DC that has some secrets: no 
    Is NT6 DC that has all secrets: no 
    Forest: ad.bigrocksports.com 
    Domain: ad.bigrocksports.com 
    Domain Controller: brsad.ad.bigrocksports.com 
    Pre-Win2k Domain: BRS 
    Pre-Win2k Hostname: BRSAD 
    Server Site Name : Default-First-Site-Name 
    Client Site Name : Default-First-Site-Name 
    NT Version: 5 
    LMNT Token: ffff 
    LM20 Token: ffff 

Tried a winbind ping: 

    [root at durad1 ~]# wbinfo -p 
    Ping to winbindd succeeded 

id <username> fails with "No such user". 

kinit username at AD.BIGROCKSPORTS.COM works. 

Email server authenticates against LDAP - and that is working without an issue. 

Restarted winbind on Radius server; did not change failed results. 

ntlm_auth fails: 

    [root at durad1 ~]# /usr/bin/ntlm_auth --request-nt-key --domain=AD.BIGROCKSPORTS.COM --username=kpettijohn --password=<password> 
    NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e) 

Attempted to leave and re-join the domain: 

    [root at durad1 samba]# net ads join -U Administrator 
    Enter Administrator's password: 
    Failed to join domain: failed to lookup DC info for domain 'AD.BIGROCKSPORTS.COM' over rpc: The connection was refused 

Restart samba DC on 10.9.10.81 (brsad.ad.bigrocksports.com), and machine can now join and ntlm_auth works. 
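As an added example (not code from this thread or from Samba), a small cron-able probe that applies the same checks the report walks through (`wbinfo -p`, `ntlm_auth --request-nt-key`, `net ads info`), separates "winbindd down" from "winbindd up but no logon server", and records the DC clock's minute so the top-of-hour pattern can be confirmed from a log. The sample outputs are constructed copies of what was posted; the script name, its arguments and the `NTLM_PASS` environment variable are assumptions.

```python
"""Added example, not from the thread or Samba: cron-able winbind probe that
classifies the failure the report describes and logs the DC clock minute."""
import os
import re
import subprocess
import sys
from datetime import datetime

# Constructed sample outputs, copied from the shapes shown in the thread.
SAMPLE_PING_OK = "Ping to winbindd succeeded\n"
SAMPLE_NTLM_FAIL = "NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)\n"
SAMPLE_NTLM_OK = "NT_KEY: 0123456789ABCDEF0123456789ABCDEF\n"   # constructed success line
SAMPLE_ADS_INFO = ("LDAP server: 10.9.10.81\n"
                   "Server time: Tue, 11 Jun 2013 00:42:44 EDT\n"
                   "KDC server: 10.9.10.81\nServer time offset: 0\n")

NT_STATUS_RE = re.compile(r"^(NT_STATUS_\w+):.*\((0x[0-9a-f]{8})\)", re.M)

def nt_status(ntlm_out):
    """(name, code) from an ntlm_auth failure line, or None when it succeeded."""
    m = NT_STATUS_RE.search(ntlm_out)
    return (m.group(1), m.group(2)) if m else None

def diagnose(ping_out, ntlm_out):
    """Separate the three states the thread distinguishes."""
    if "succeeded" not in ping_out:
        return "winbindd-down"            # restart winbind first
    st = nt_status(ntlm_out)
    if st is None:
        return "ok"
    if st[0] == "NT_STATUS_NO_LOGON_SERVERS":
        return "dc-unreachable"           # winbindd fine, DC not answering netlogon
    return "auth-failed:" + st[0]         # credential problem, not a DC problem

def server_minute(ads_info_out):
    """Minute of the DC clock from 'net ads info', to check the top-of-hour pattern."""
    m = re.search(r"^Server time: \w+, (\d+ \w+ \d{4} \d\d:\d\d:\d\d)", ads_info_out, re.M)
    return datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S").minute if m else None

def run(cmd):
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.stdout + p.stderr

if __name__ == "__main__":   # live mode (assumed): probe.py DOMAIN USER, password in NTLM_PASS
    domain, user = sys.argv[1:3]
    ntlm = run(["ntlm_auth", "--request-nt-key", f"--domain={domain}",
                f"--username={user}", f"--password={os.environ['NTLM_PASS']}"])
    print(datetime.now().isoformat(), diagnose(run(["wbinfo", "-p"]), ntlm),
          "dc-minute:", server_minute(run(["net", "ads", "info"])))
```

Run it from cron every minute and grep the log for `dc-unreachable`; the first timestamp where the state flips is what you correlate with the DC's own logs and the network trace.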