[Samba] Samba 4.0.6 update - login issues

Kristofer Pettijohn kristofer at cybernetik.net
Wed Jun 12 23:17:53 MDT 2013


It happened again. When it happens, it happens at exactly the top of the hour. Same symptoms and results as below. 

On Jun 11, 2013, at 12:08 AM, "Kristofer Pettijohn" <kristofer at cybernetik.net> wrote:

>> I would need logs and network traces to investigate this further. 
>> 
>> Could it be a kerberos ticket expiring?
>> 
>> Does it still happen if you upgrade a test member server to 3.6 or 4.0
>> (so we can narrow down the issue)?
> 
> I have logs (debug 16 from the client) and a network trace.  If you would like me to send them somewhere, let me know where you would like them.
> 
> 
> Received an alert that Radius authentication fails (ntlm)
> 
> Log into Radius server via ssh, which uses winbind for auth - receive this error: Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
> 
> Ran "net ads info"
> 
> [root at durad1 ~]# net ads info
> LDAP server: 10.9.10.81
> LDAP server name: brsad.ad.bigrocksports.com
> Realm: AD.BIGROCKSPORTS.COM
> Bind Path: dc=AD,dc=BIGROCKSPORTS,dc=COM
> LDAP port: 389
> Server time: Tue, 11 Jun 2013 00:42:44 EDT
> KDC server: 10.9.10.81
> Server time offset: 0
> 
> Ran "net ads lookup"
> 
> [root at durad1 ~]# net ads lookup
> Information for Domain Controller: 10.9.10.81
> 
> Response Type: LOGON_SAM_LOGON_RESPONSE_EX
> GUID: 61b8eb21-20b7-459b-8d7e-224ea1fa85d5
> Flags:
> 	
> Is a PDC:                                   yes
> Is a GC of the forest:                      yes
> Is an LDAP server:                          yes
> Supports DS:                                yes
> Is running a KDC:                           yes
> Is running time services:                   yes
> Is the closest DC:                          yes
> Is writable:                                yes
> Has a hardware clock:                       yes
> Is a non-domain NC serviced by LDAP server: no
> Is NT6 DC that has some secrets:            no
> Is NT6 DC that has all secrets:             no
> Forest:			ad.bigrocksports.com
> Domain:			ad.bigrocksports.com
> Domain Controller:	brsad.ad.bigrocksports.com
> Pre-Win2k Domain:	BRS
> Pre-Win2k Hostname:	BRSAD
> Server Site Name :		Default-First-Site-Name
> Client Site Name :		Default-First-Site-Name
> NT Version: 5
> LMNT Token: ffff
> LM20 Token: ffff
> 
> tried a winbind ping
> 
> [root at durad1 ~]# wbinfo -p
> Ping to winbindd succeeded
> 
> id <username> fails with "No such user"
> 
> kinit username at AD.BIGROCKSPORTS.COM works.
> 
> Email server authenticates against LDAP - and that is working without an issue.
> 
> Restarted winbind on Radius server, did not change failed results
> 
> ntlm_auth fails
> 
> [root at durad1 ~]# /usr/bin/ntlm_auth --request-nt-key --domain=AD.BIGROCKSPORTS.COM --username=kpettijohn --password=<password>
> NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
> 
> Attempted to leave and re-join the domain:
> 
> [root at durad1 samba]# net ads join -U Administrator
> Enter Administrator's password:
> Failed to join domain: failed to lookup DC info for domain 'AD.BIGROCKSPORTS.COM' over rpc: The connection was refused
> 
> Restart samba DC on 10.9.10.81 (brsad.ad.bigrocksports.com), and machine can now join and ntlm_auth works.
> 
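A small watchdog for the pattern described in this thread, added here as an example (not Samba's code and not the poster's): it records once a minute whether winbindd answers, whether the trust secret check over netlogon succeeds, and whether the DC's Kerberos, LDAP and SMB/RPC ports accept connections, so a top-of-the-hour drop-out and the path that drops are visible in the log afterwards. It assumes `net` and `wbinfo` are on PATH on the member server; the constructed sample output is copied from the `net ads info` listing above.

```python
"""Watchdog for the pattern above: time-stamp whether winbind answers and whether
the DC's Kerberos, LDAP and SMB/RPC ports accept connections, so an hourly
drop-out, and which path drops, is visible afterwards. Needs net/wbinfo on PATH."""
import json, socket, subprocess, time
from datetime import datetime

# Constructed sample, copied from the 'net ads info' output quoted in the thread.
SAMPLE_INFO = """LDAP server: 10.9.10.81
LDAP port: 389
KDC server: 10.9.10.81
Server time offset: 0"""

def parse_ads_info(text):
    """'key: value' lines from net ads info -> dict, keys as printed."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connect completes; refused or timed out -> False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run(cmd):
    """Run a diagnostic; None if the tool is missing, else (rc, output)."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return p.returncode, (p.stdout + p.stderr).strip()

def probe(dc_ip, ldap_port=389):
    """One measurement of the checks the thread ran by hand."""
    return {"time": datetime.now().isoformat(timespec="seconds"),
            "wbinfo_p": run(["wbinfo", "-p"]),   # winbindd itself alive?
            "wbinfo_t": run(["wbinfo", "-t"]),   # trust secret via netlogon
            "kdc_88": tcp_open(dc_ip, 88),       # kinit path
            "ldap": tcp_open(dc_ip, ldap_port),  # mail server path, still worked
            "smb_445": tcp_open(dc_ip, 445)}     # rpc path: 'connection refused'

if __name__ == "__main__":
    out = run(["net", "ads", "info"])
    info = parse_ads_info(out[1] if out and out[0] == 0 else SAMPLE_INFO)
    while True:  # one line of JSON per minute; grep for false/non-zero rc
        print(json.dumps(probe(info["KDC server"], int(info["LDAP port"]))), flush=True)
        time.sleep(60)
```

Run it under nohup or a systemd unit on the Radius server and compare the timestamps of the first failed probe with the hourly alerts; a refused 445 with 88 and 389 still open points at the DC's RPC side rather than the network.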