[Samba] REPOST: Winbind logins failing after upgrade from Samba3 to Samba4

Jonathan Heese jheese at inetu.net
Mon Mar 24 09:58:15 MDT 2014


Yeah, so I apologize if that still looks borked for anyone else, but I'm going to cut my losses and provide ASCII file attachments for any further logs requested.

Incidentally, I've also tried hard-coding the "password servers = " directive in smb.conf pointing to either or both of the two DCs with no change in the behavior.  I just can't tell what's causing the authentication operation to fail...

Thanks.

Jon Heese
Systems Administrator
INetU Managed Hosting
P: 610.266.7441 x 261
F: 610.266.7434
www.inetu.net
** This message contains confidential information, which also may be privileged, and is intended only for the person(s) addressed above. Any unauthorized use, distribution, copying or disclosure of confidential and/or privileged information is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify the sender immediately via reply e-mail. **

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Jonathan Heese
Sent: Monday, March 24, 2014 11:54 AM
To: samba at lists.samba.org
Subject: Re: [Samba] REPOST: Winbind logins failing after upgrade from Samba3 to Samba4

Gah!  Cursed Microsoft mail client making me look like a dunce---

One more try, and then I give up:

[root at server:/root]# wbinfo -a user%password --verbose
plaintext password authentication failed
Could not authenticate user user%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user user with challenge/response

tail -f /var/log/secure:
Mar 24 10:58:26 server sshd[17398]: Set /proc/self/oom_score_adj to -1000
Mar 24 10:58:26 server sshd[17398]: Connection from 172.25.1.11 port 64484
Mar 24 10:58:26 server sshd[17398]: Invalid user DOMAIN\\user from 172.25.1.11
Mar 24 10:58:26 server sshd[17399]: input_userauth_request: invalid user DOMAIN\\user
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): check pass; user unknown
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.25.1.11
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): getting password (0x00000010)
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'DOMAIN\user')
Mar 24 10:58:26 server sshd[17398]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN\user
Mar 24 10:58:28 server sshd[17398]: Failed password for invalid user DOMAIN\\user from 172.25.1.11 port 64484 ssh2
Mar 24 10:58:30 server sshd[17399]: Received disconnect from 172.25.1.11: 13: The user canceled authentication.

Thanks.

Jon Heese

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Jonathan Heese
Sent: Monday, March 24, 2014 11:52 AM
To: samba at lists.samba.org
Subject: Re: [Samba] REPOST: Winbind logins failing after upgrade from Samba3 to Samba4

My apologies if anyone else is missing line breaks in the log dumps...  Reposting the logs again for readability:

[root at server:/root]# wbinfo -a user%password --verbose
plaintext password authentication failed
Could not authenticate user user%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user user with challenge/response

tail -f /var/log/secure:
Mar 24 10:58:26 server sshd[17398]: Set /proc/self/oom_score_adj to -1000
Mar 24 10:58:26 server sshd[17398]: Connection from 172.25.1.11 port 64484
Mar 24 10:58:26 server sshd[17398]: Invalid user DOMAIN\\user from 172.25.1.11
Mar 24 10:58:26 server sshd[17399]: input_userauth_request: invalid user DOMAIN\\user
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): check pass; user unknown
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.25.1.11
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): getting password (0x00000010)
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'DOMAIN\user')
Mar 24 10:58:26 server sshd[17398]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN\user
Mar 24 10:58:28 server sshd[17398]: Failed password for invalid user DOMAIN\\user from 172.25.1.11 port 64484 ssh2
Mar 24 10:58:30 server sshd[17399]: Received disconnect from 172.25.1.11: 13: The user canceled authentication.

Jon Heese

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Jonathan Heese
Sent: Monday, March 24, 2014 11:48 AM
To: samba at lists.samba.org
Subject: [Samba] REPOST: Winbind logins failing after upgrade from Samba3 to Samba4

Hello,

(I'm reposting this after my first attempt about 25 minutes ago has not come through to me.  I am leaving out the looooooong debug log dump, in case the listserv didn't like the massive content, but it will be provided upon request.)

I have a RHEL 6.5 server that was configured to use Samba 3.6.9-167 to authenticate against a Windows 2008 R2 Active Directory domain.  The authentication was working fine, but we needed users to log in to this RHEL box with their AD credentials and then access files stored on a Windows file server CIFS share globally mounted on the RHEL box.  As such, we added the "cifsacl" option to the mount options, but we're finding the Windows ACL <-> UNIX ACL support to be quite lacking.

I've read that the Samba4 client does a much better job of respecting Windows NTFS ACLs, so I took a snapshot of the server (just in case), removed the samba3 packages and installed the samba4 ones (4.0.0-60).  I didn't truly expect my Samba 3-compliant smb.conf to work in Samba4, but I've looked over it line by line and haven't found anything that's not documented in the Samba4 smb.conf man page.

First, here's my smb.conf:

[global]
        security = ads
        realm = domain.local
        workgroup = DOMAIN
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        client use spnego = yes
        client NTLMv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
        log level = 100
        idmap config * : backend        = tdb
        idmap config * : range          = 1000000-1999999
        idmap config DOMAIN : backend     = rid
        idmap config DOMAIN : range       = 10000 - 49999

When attempting to authenticate to the domain, I get the following error:

[root at server:/root]# wbinfo -a user%password --verbose
plaintext password authentication failed
Could not authenticate user user%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user user with challenge/response

I get a very similar error in /var/log/secure when attempting to log in via SSH:

Mar 24 10:58:26 server sshd[17398]: Set /proc/self/oom_score_adj to -1000
Mar 24 10:58:26 server sshd[17398]: Connection from 172.25.1.11 port 64484
Mar 24 10:58:26 server sshd[17398]: Invalid user DOMAIN\\user from 172.25.1.11
Mar 24 10:58:26 server sshd[17399]: input_userauth_request: invalid user DOMAIN\\user
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): check pass; user unknown
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.25.1.11
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): getting password (0x00000010)
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'DOMAIN\user')
Mar 24 10:58:26 server sshd[17398]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN\user
Mar 24 10:58:28 server sshd[17398]: Failed password for invalid user DOMAIN\\user from 172.25.1.11 port 64484 ssh2
Mar 24 10:58:30 server sshd[17399]: Received disconnect from 172.25.1.11: 13: The user canceled authentication.

I enabled "log level = 100" in my smb.conf and 'tail -f'ed /var/log/samba/* during a login attempt, stripping out the timestamp lines, and saw the following:

[ MASSIVE LOG DUMP REDACTED ]

I can't seem to figure out exactly what's causing my "NT_STATUS_NO_LOGON_SERVERS" error -- and this worked perfectly before switching from Samba 3 to Samba 4.  I've tried searching around, but without much to go on, it's hard to know exactly what to search for.

Oh, and I should probably mention that we have two "Sites" in AD, which I've notated above as Site1 and Site2.  The RHEL server is physically in Site1, but I'm unsure how to tell AD that -- it seems like it should be able to tell this by its IP, but so far it doesn't show it being in any site in the Computer properties, nor by looking at the log output above.  (Edit: Incidentally, the Linux box's site now shows properly in the Samba logs -- must've been a replication delay or something.)

Can anyone provide me with any ideas of things to look for/at?  I will provide (unobfuscated) logs and/or config files upon request.  Thanks in advance!
Jon Heese

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
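
Added example (not part of the original post and not Samba code): a small Python triage script for /var/log/secure output like the excerpt quoted in this thread. It ties each sshd PID's source address to the pam_winbind NTSTATUS and separates "no domain controller reachable" failures such as NT_STATUS_NO_LOGON_SERVERS from credential failures; the status grouping, the second sample session and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample. Session 17398 reuses lines from the post's log excerpt;
# session 17500 (wrong password, 192.0.2.10) is invented for contrast.
SAMPLE = r"""
Mar 24 10:58:26 server sshd[17398]: Connection from 172.25.1.11 port 64484
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers
Mar 24 10:58:28 server sshd[17398]: Failed password for invalid user DOMAIN\\user from 172.25.1.11 port 64484 ssh2
Mar 24 10:58:30 server sshd[17399]: Received disconnect from 172.25.1.11: 13: The user canceled authentication.
Mar 24 11:02:10 server sshd[17500]: Connection from 192.0.2.10 port 50022
Mar 24 11:02:11 server sshd[17500]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
"""

SSHD = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN = re.compile(r"Connection from (?P<ip>\S+) port \d+")
WBC = re.compile(r"pam_winbind\([^)]*\): request \w+ failed: \w+, "
                 r"PAM error: (?P<pam>\w+) \(\d+\), NTSTATUS: (?P<nt>\w+)")

# Assumption: this grouping is a triage aid chosen for the example,
# not a list taken from Samba.
BACKEND = {"NT_STATUS_NO_LOGON_SERVERS", "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
           "NT_STATUS_IO_TIMEOUT"}
CREDENTIAL = {"NT_STATUS_WRONG_PASSWORD", "NT_STATUS_LOGON_FAILURE",
              "NT_STATUS_NO_SUCH_USER"}

def classify(ntstatus):
    """Map an NTSTATUS name to a coarse failure class."""
    if ntstatus in BACKEND:
        return "backend-unavailable"   # winbind could not reach or use a DC
    if ntstatus in CREDENTIAL:
        return "credential-failure"    # a DC answered and rejected the logon
    return "other"

def triage(text):
    """Return {sshd pid: {src, pam, nt, kind}} for sessions with a winbind failure."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = SSHD.match(line.strip())
        if not m:
            continue
        entry = sessions[m["pid"]]
        if (c := CONN.search(m["msg"])):
            entry["src"] = c["ip"]
        if (w := WBC.search(m["msg"])):
            entry.update(pam=w["pam"], nt=w["nt"], kind=classify(w["nt"]))
    return {pid: e for pid, e in sessions.items() if "nt" in e}

if __name__ == "__main__":
    for pid, e in triage(SAMPLE).items():
        print(pid, e.get("src", "?"), e["nt"], e["pam"], "->", e["kind"])
```

A "backend-unavailable" result points at the host's domain connectivity rather than at the user's password, which is the situation the post's logs show.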