[Samba] Samba 4.0.6 update - login issues
kristofer at cybernetik.net
Wed Jun 12 23:17:53 MDT 2013
It happened again. When it happens, it happens at exactly the top of the hour. Same symptoms and results as below.
On Jun 11, 2013, at 12:08 AM, "Kristofer Pettijohn" <kristofer at cybernetik.net> wrote:
>> I would need logs and network traces to investigate this further.
>> Could it be a kerberos ticket expiring?
>> Does it still happen if you upgrade a test member server to 3.6 or 4.0
>> (so we can narrow down the issue)?
> I have logs (debug 16 from the client) and a network trace. If you would like me to send them somewhere, let me know where you would like them.
> Received an alert that Radius authentication fails (ntlm)
> Log into Radius server via ssh, which uses winbind for auth - receive this error: Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
> Ran "net ads info"
> [root at durad1 ~]# net ads info
> LDAP server: 10.9.10.81
> LDAP server name: brsad.ad.bigrocksports.com
> Realm: AD.BIGROCKSPORTS.COM
> Bind Path: dc=AD,dc=BIGROCKSPORTS,dc=COM
> LDAP port: 389
> Server time: Tue, 11 Jun 2013 00:42:44 EDT
> KDC server: 10.9.10.81
> Server time offset: 0
> Ran "net ads lookup"
> [root at durad1 ~]# net ads lookup
> Information for Domain Controller: 10.9.10.81
> Response Type: LOGON_SAM_LOGON_RESPONSE_EX
> GUID: 61b8eb21-20b7-459b-8d7e-224ea1fa85d5
> Is a PDC: yes
> Is a GC of the forest: yes
> Is an LDAP server: yes
> Supports DS: yes
> Is running a KDC: yes
> Is running time services: yes
> Is the closest DC: yes
> Is writable: yes
> Has a hardware clock: yes
> Is a non-domain NC serviced by LDAP server: no
> Is NT6 DC that has some secrets: no
> Is NT6 DC that has all secrets: no
> Forest: ad.bigrocksports.com
> Domain: ad.bigrocksports.com
> Domain Controller: brsad.ad.bigrocksports.com
> Pre-Win2k Domain: BRS
> Pre-Win2k Hostname: BRSAD
> Server Site Name : Default-First-Site-Name
> Client Site Name : Default-First-Site-Name
> NT Version: 5
> LMNT Token: ffff
> LM20 Token: ffff
> Tried a winbind ping
> [root at durad1 ~]# wbinfo -p
> Ping to winbindd succeeded
> id <username> fails with "No such user"
> kinit username at AD.BIGROCKSPORTS.COM works.
> Email server authenticates against LDAP - and that is working without an issue.
> Restarted winbind on Radius server, did not change failed results
> ntlm_auth fails
> [root at durad1 ~]# /usr/bin/ntlm_auth --request-nt-key --domain=AD.BIGROCKSPORTS.COM --username=kpettijohn --password=<password>
> NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
> Attempted to leave and re-join the domain:
> [root at durad1 samba]# net ads join -U Administrator
> Enter Administrator's password:
> Failed to join domain: failed to lookup DC info for domain 'AD.BIGROCKSPORTS.COM' over rpc: The connection was refused
> Restart samba DC on 10.9.10.81 (brsad.ad.bigrocksports.com), and machine can now join and ntlm_auth works.
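The diagnostic sequence in the quoted report (wbinfo -p, net ads info, net ads lookup, id, ntlm_auth) turned into a cron-driven checker that appends every result with a timestamp, so the next top-of-the-hour failure leaves a record of what winbindd could and could not reach at that minute. This is an added example, not code from the post above or from the Samba project; the script name, the log path, the REALM default and the NTLM_USER/NTLM_PASS variables are assumptions. It also adds wbinfo --ping-dc and wbinfo -t, which exercise the NETLOGON connection and the machine trust secret, whereas wbinfo -p only proves that the winbindd process is answering its socket.

```shell
#!/bin/sh
# winbind_dc_check.sh (hypothetical name): take a timestamped snapshot of the member
# server's view of the DC, so a recurring "Domain Controller unreachable" can be tied
# to a clock time. Added example, not code from the post above or from Samba.
# Assumes the Samba 3.6/4.x tools wbinfo, net and ntlm_auth are installed; the log
# path, the REALM default and the NTLM_USER/NTLM_PASS variables are assumptions.

LOG=${WINBIND_CHECK_LOG:-/var/log/winbind_dc_check.log}
REALM=${REALM:-AD.BIGROCKSPORTS.COM}

# Map the NT_STATUS text that ntlm_auth prints to a one-line hint. NO_LOGON_SERVERS
# is what the post shows; the other two are what a healthy winbindd returns when
# the DC is reachable but the credentials are bad.
nt_status_hint() {
    case "$1" in
        *NT_STATUS_OK*)               hint="ok" ;;
        *NT_STATUS_NO_LOGON_SERVERS*) hint="winbindd has no usable DC: check wbinfo --ping-dc and the DC RPC listener" ;;
        *NT_STATUS_LOGON_FAILURE*)    hint="DC reachable, password rejected" ;;
        *NT_STATUS_NO_SUCH_USER*)     hint="DC reachable, account unknown" ;;
        *)                            hint="unrecognised result" ;;
    esac
    printf '%s\n' "$hint"
}

# Pull "Server time offset" (seconds) out of `net ads info` output read on stdin.
# Kerberos tolerates 300s of skew by default; drift that grows until it trips that
# limit would also surface as a periodic failure, so the offset is logged every run.
time_offset_from_info() {
    awk -F': *' '/^Server time offset:/ { print $2; found = 1 }
                 END { if (!found) print "unknown" }'
}

# Run one command; append timestamp, exit code, command line and output to the log.
probe() {
    ts=$(date '+%Y-%m-%dT%H:%M:%S%z')
    out=$("$@" 2>&1)
    rc=$?
    printf '%s rc=%d cmd=%s\n%s\n' "$ts" "$rc" "$*" "$out" >> "$LOG"
    return $rc
}

run_checks() {
    for tool in wbinfo net ntlm_auth; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 2; }
    done
    probe wbinfo -p          # winbindd process answering? (this succeeded in the post)
    probe wbinfo --ping-dc   # can winbindd actually reach a DC over its NETLOGON channel?
    probe wbinfo -t          # does the machine account trust secret still verify?
    probe net ads info       # LDAP/KDC address and clock offset as this host sees them
    probe net ads lookup     # DC flags (KDC, GC, writable) from the CLDAP ping
    offset=$(net ads info 2>/dev/null | time_offset_from_info)
    printf 'server-time-offset=%s\n' "$offset" >> "$LOG"
    # Optional end-to-end NTLM check with a dedicated low-privilege probe account.
    # The password is visible in the process table while ntlm_auth runs, so never
    # use an administrative account here.
    if [ -n "${NTLM_USER:-}" ] && [ -n "${NTLM_PASS:-}" ]; then
        probe id "$NTLM_USER"    # winbind name resolution (failed with "No such user")
        result=$(ntlm_auth --request-nt-key --domain="$REALM" \
                           --username="$NTLM_USER" --password="$NTLM_PASS" 2>&1)
        printf 'ntlm_auth: %s -> %s\n' "$result" "$(nt_status_hint "$result")" >> "$LOG"
    fi
}

# Invoked as "winbind_dc_check.sh run" (for example from cron); sourcing the file
# only defines the functions.
case "${1:-}" in
    run) run_checks ;;
esac
```

Given that the failure recurs exactly on the hour, a crontab line such as `58,0,2 * * * * /usr/local/sbin/winbind_dc_check.sh run` (path assumed) records the state just before, at and just after the boundary; a run in which wbinfo -p succeeds while wbinfo --ping-dc and ntlm_auth fail isolates the problem to winbindd's RPC path to the DC, which matches the "connection was refused" seen on the rejoin attempt.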