[Samba] REPOST: Winbind logins failing after upgrade from Samba3 to Samba4

Jonathan Heese jheese at inetu.net
Mon Mar 24 09:47:43 MDT 2014


(I'm reposting this after my first attempt about 25 minutes ago has not come through to me.  I am leaving out the looooooong debug log dump, in case the listserv didn't like the massive content, but it will be provided upon request.)

I have a RHEL 6.5 server that was configured to use Samba 3.6.9-167 to authenticate against a Windows 2008 R2 Active Directory domain.  The authentication was working fine, but we needed users to log in to this RHEL box with their AD credentials and then access files stored on a Windows file server CIFS share globally mounted on the RHEL box.  As such, we added the "cifsacl" option to the mount options, but we're finding the Windows ACL <-> UNIX ACL support to be quite lacking.

I've read that the Samba4 client does a much better job of respecting Windows NTFS ACLs, so I took a snapshot of the server (just in case), removed the samba3 packages and installed the samba4 ones (4.0.0-60).  I didn't truly expect my Samba 3-compliant smb.conf to work in Samba4, but I've looked over it line by line and haven't found anything that's not documented in the Samba4 smb.conf man page.

First, here's my smb.conf:

        security = ads
        realm = domain.local
        workgroup = DOMAIN
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        client use spnego = yes
        client NTLMv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
        log level = 100
        idmap config * : backend        = tdb
        idmap config * : range          = 1000000-1999999
        idmap config DOMAIN : backend     = rid
        idmap config DOMAIN : range       = 10000 - 49999

When attempting to authenticate to the domain, I get the following error:

[root@server:/root]# wbinfo -a user%password --verbose
plaintext password authentication failed
Could not authenticate user user%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user user with challenge/response

I get a very similar error in /var/log/secure when attempting to log in via SSH:

Mar 24 10:58:26 server sshd[17398]: Set /proc/self/oom_score_adj to -1000
Mar 24 10:58:26 server sshd[17398]: Connection from port 64484
Mar 24 10:58:26 server sshd[17398]: Invalid user DOMAIN\\user from
Mar 24 10:58:26 server sshd[17399]: input_userauth_request: invalid user DOMAIN\\user
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): check pass; user unknown
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): getting password (0x00000010)
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'DOMAIN\user')
Mar 24 10:58:26 server sshd[17398]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN\user
Mar 24 10:58:28 server sshd[17398]: Failed password for invalid user DOMAIN\\user from port 64484 ssh2
Mar 24 10:58:30 server sshd[17399]: Received disconnect from 13: The user canceled authentication.

I enabled "log level = 100" in my smb.conf and 'tail -f'ed /var/log/samba/* during a login attempt, stripping out the timestamp lines, and saw the following:


I can't seem to figure out exactly what's causing my "NT_STATUS_NO_LOGON_SERVERS" error, and this worked perfectly before switching from Samba 3 to Samba 4.  I've tried searching around, but without much to go on, it's hard to know exactly what to search for.

Oh, and I should probably mention that we have two "Sites" in AD, which I've notated above as Site1 and Site2.  The RHEL server is physically in Site1, but I'm unsure how to tell AD that; it seems like it should be able to tell this by its IP, but so far it doesn't show it being in any site in the Computer properties, nor by looking at the log output above.  (Edit: Incidentally, the Linux box's site now shows properly in the Samba logs; must've been a replication delay or something.)

Can anyone provide me with any ideas of things to look for/at?  I will provide (unobfuscated) logs and/or config files upon request.  Thanks in advance!

Jon Heese
Systems Administrator
INetU Managed Hosting
P: 610.266.7441 x 261
F: 610.266.7434
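An added sanity check for the idmap part of the smb.conf quoted above (example code written for this archive page, not something Jon or the Samba project posted). It does not diagnose NT_STATUS_NO_LOGON_SERVERS itself (for that, `wbinfo --ping-dc` and `net ads testjoin` are the first things to run on the box), but it catches the idmap mistakes that commonly surface right after a Samba 3 to Samba 4 migration: overlapping ranges, a missing `*` default domain (which the `rid` backend needs for BUILTIN and other unknown SIDs), unparsable ranges, and a `tdb` backend on the named AD domain, whose on-demand allocation gives different UIDs on different hosts. The sample config is the fragment from the post; the function and name choices are this example's own.

```python
"""Validate the 'idmap config' lines of an smb.conf [global] section.

Added example, not from the original post. Parses the idmap settings
winbind uses and reports common misconfigurations as a list of findings.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap-relevant lines from the smb.conf in the post above.
SAMPLE_SMB_CONF = """
        security = ads
        realm = domain.local
        workgroup = DOMAIN
        winbind use default domain = yes
        idmap config * : backend        = tdb
        idmap config * : range          = 1000000-1999999
        idmap config DOMAIN : backend     = rid
        idmap config DOMAIN : range       = 10000 - 49999
"""

# smb.conf keys are case- and whitespace-insensitive, so normalise before matching.
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)$", re.IGNORECASE)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(text: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' key found."""
    domains: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and section headers like [global].
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = IDMAP_RE.match(key)
        if not match:
            continue
        domain, option = match.group(1).upper(), match.group(2).lower()
        domains.setdefault(domain, {})[option] = value
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' (whitespace around the dash allowed) into ints."""
    match = RANGE_RE.match(value.strip())
    if not match:
        raise ValueError(f"unparsable idmap range {value!r}")
    low, high = int(match.group(1)), int(match.group(2))
    if low >= high:
        raise ValueError(f"idmap range {value!r} is empty or reversed")
    return low, high


def check_idmap(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the idmap config looks sane."""
    findings: List[str] = []
    domains = parse_idmap(text)
    if "*" not in domains:
        findings.append("no 'idmap config * : ...' default domain; BUILTIN and "
                        "foreign SIDs cannot be mapped and the rid backend needs it")
    ranges: List[Tuple[str, int, int]] = []
    for domain, opts in domains.items():
        backend = opts.get("backend", "").lower()
        if not backend:
            findings.append(f"{domain}: missing backend")
        elif backend == "tdb" and domain != "*":
            findings.append(f"{domain}: tdb backend allocates IDs on first sight, "
                            "so UIDs/GIDs will differ between hosts")
        if "range" not in opts:
            findings.append(f"{domain}: missing range")
            continue
        try:
            low, high = parse_range(opts["range"])
        except ValueError as exc:
            findings.append(f"{domain}: {exc}")
            continue
        ranges.append((domain, low, high))
    # Overlap check: sort by lower bound and compare neighbours.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges of {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF) or ["idmap config looks sane"]:
        print(finding)
```

Run it against the [global] section of a real smb.conf by reading the file into `check_idmap`; the posted config passes cleanly (a `*` default on tdb plus a disjoint `rid` range for the domain is the recommended layout), so the idmap lines are not where the NO_LOGON_SERVERS error comes from.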
