Latest December 9th update broke our AD authentication, rolling back to the previous version fixed AD auth. SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS Joined 'VSURFDATA' to realm 'AD.UCSD.EDU' DNS Update for vsurfdata.ucsd.edu failed: ERROR_DNS_GSS_ERROR DNS update failed: NT_STATUS_UNSUCCESSFUL yum downgrade fix the issue. Previous version that works: Version 4.0.0rc4 From the redhat rhel-6 updates: ---> Package samba4.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-client.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-client.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-common.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-common.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-dc.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-dc.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-dc-libs.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-dc-libs.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-devel.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-devel.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-libs.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-libs.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-pidl.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-pidl.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-python.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-python.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-swat.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-swat.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-test.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-test.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-winbind.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-winbind.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-winbind-clients.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-winbind-clients.x86_64 0:4.0.0-60.el6_5.rc4 will be an update ---> Package samba4-winbind-krb5-locator.x86_64 0:4.0.0-58.el6.rc4 will be updated ---> Package samba4-winbind-krb5-locator.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
Is this bug being worked on? Not seeing any updates. Just encountered this myself, here are some console outputs: [root@lxapp128 ~]# wbinfo -t checking the trust secret for domain RDML via RPC calls failed error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233) failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR Could not check secret [root@lxapp128 ~]# wbinfo -a user Enter user's password: plaintext password authentication failed Could not authenticate user user with plaintext password Enter user's password: challenge/response password authentication failed error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e) error message was: No logon servers Could not authenticate user ktigeris with challenge/response [root@lxapp128 ~]# wbinfo -K user Enter user's password: plaintext kerberos password authentication for [user] succeeded (requesting cctype: FILE) user_flgs: NETLOGON_CACHED_ACCOUNT credentials were put in: FILE:/tmp/krb5cc_0 wbinfo -u successfully lists all Active Directory users. getent passwd also succesfully lists all users, both local and AD. samba4 packages installed: [root@lxapp128 ~]# rpm -qa | grep samba samba4-common-4.0.0-60.el6_5.rc4.x86_64 samba4-libs-4.0.0-60.el6_5.rc4.x86_64 samba4-winbind-4.0.0-60.el6_5.rc4.x86_64 samba4-client-4.0.0-60.el6_5.rc4.x86_64 samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64 After performing this: [root@lxapp128 ~]# yum downgrade samba4-common samba4-winbind-clients samba4-libs samba4-client samba4-winbind Then everything works without issues, packages get downgraded to 4.0.0-58. Also, I'am running on CentOS 6.5. I don't know what happens if you try joining AD with version 4.0.0-60, in my case I already have all joined to AD when performing update.
(In reply to comment #0) > I don't know what happens if you try joining AD with version 4.0.0-60, in my > case I already have all joined to AD when performing update If you use v4.0.0-60 on a new system you can join AD but any winbind services don't work. I can also confirm that downgrading to v4.0.0-58 and everything works again. Where is the change log between patch 58 and patch 60? This now makes Samba4 unusable with AD Authentication. Rich
I might add that I have configured special share conditions to limit access to the different shares: valid users = +AD\ccelter [ccelter] comment = ccelter path = /vdata/project/ccelter browsable = Yes writeable = yes inherit permissions = no create mask = 0664 dos filemode = yes directory mask = 0775 oplocks = yes strict locking = no force group = ccelter valid users = +AD\ccelter This is the only difference between a server that works and one that does not work with AD authentication.
If you have issues with the differences between Red Hat patch releases on RHEL, you need to address these to Red Hat, via your support subscription. We really can't help here. Sorry,
When someone works out what in the patches causes the issue (you rebuild and try them one by one, or Red Hat support indicates the specific issue), and reproduces this on upstream Samba, we will be very happy to address this in upstream Samba, but for now I'm going to close this off as INVALID. Sorry,
u sck..
Even the latest 4.1.7 package from EnterpriseSamba.com suffers the same problem so I'm not sure its a RedHat fault.
As I said, please reproduce on a current Samba release, or even better isolate it down to the specific additional patch that is being applied, and test that reverted on top of a current release. That would makes it much easier to isolate the issue.
The RPM of Samba v4.1.4 from Enterprise Samba also has this problem... I have found from a quick google that the 4.0.0-60 release applied one patch for this: http://www.samba.org/samba/security/CVE-2013-4408 Info found here: http://linuxsoft.cern.ch/cern/slc65/x86_64/yum/updates/repoview/samba4.html I'm assuming this code is also in the latest release too??
I get lots of this in my logs: cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX Reported by winbindd when ran as 'winbindd -SFd9'