[Samba] Samba 4.0.6 update - login issues
Kristofer Pettijohn
kristofer at cybernetik.net
Sat Jul 13 13:23:32 MDT 2013
Is it possible that this may be related to and fixed by the patch in this bug: https://bugzilla.samba.org/show_bug.cgi?id=9820
----- Original Message -----
From: "Kristofer Pettijohn" <kristofer at cybernetik.net>
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: samba at lists.samba.org
Sent: Thursday, June 13, 2013 12:17:53 AM
Subject: Re: [Samba] Samba 4.0.6 update - login issues
It happened again. When it happens, it happens at exactly the top of the hour. Same symptoms and results as below.
On Jun 11, 2013, at 12:08 AM, "Kristofer Pettijohn" < kristofer at cybernetik.net > wrote:
<blockquote>
I would need logs and network traces to investigate this further.
Could it be a kerberos ticket expiring?
Does it still happen if you upgrade a test member server to 3.6 or 4.0
(so we can narrow down the issue)?
I have logs (debug 16 from the client) and a network trace. If you would like me to send them somewhere, let me know where you would like them.
Received an alert that Radius authentication fails (ntlm)
Log into Radius server via ssh, which uses winbind for auth - receive this error: Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
Ran "net ads info"
<blockquote>
[root at durad1 ~]# net ads info
LDAP server: 10.9.10.81
LDAP server name: brsad.ad.bigrocksports.com
Realm: AD.BIGROCKSPORTS.COM
Bind Path: dc=AD,dc=BIGROCKSPORTS,dc=COM
LDAP port: 389
Server time: Tue, 11 Jun 2013 00:42:44 EDT
KDC server: 10.9.10.81
Server time offset: 0
</blockquote>
Ran "net ads lookup"
<blockquote>
[root at durad1 ~]# net ads lookup
Information for Domain Controller: 10.9.10.81
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 61b8eb21-20b7-459b-8d7e-224ea1fa85d5
Flags:
Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: no
Forest: ad.bigrocksports.com
Domain: ad.bigrocksports.com
Domain Controller: brsad.ad.bigrocksports.com
Pre-Win2k Domain: BRS
Pre-Win2k Hostname: BRSAD
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
</blockquote>
tried a winbind ping
<blockquote>
[root at durad1 ~]# wbinfo -p
Ping to winbindd succeeded
</blockquote>
id <username> fails with "No such user"
kinit username at AD.BIGROCKSPORTS.COM works.
Email server authenticates against LDAP - and that is working without an issue.
Restarted winbind on Radius server, did not change failed results
ntlm_auth fails
<blockquote>
[root at durad1 ~]# /usr/bin/ntlm_auth --request-nt-key --domain= AD.BIGROCKSPORTS.COM --username=kpettijohn --password=<password>
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
</blockquote>
Attempted to leave and re-join the domain:
<blockquote>
[root at durad1 samba]# net ads join -U Administrator
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain ' AD.BIGROCKSPORTS.COM ' over rpc: The connection was refused
</blockquote>
Restart samba DC on 10.9.10.81 ( brsad.ad.bigrocksports.com ), and machine can now join and ntlm_auth works.
</blockquote>
More information about the samba
mailing list