Bug 1462 - winbind 3.0.4 fails, server says "auth type 44"
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.4
Hardware: All Linux
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2004-06-16 03:43 UTC by J Pelan
Modified: 2004-07-20 06:26 UTC
Description J Pelan 2004-06-16 03:43:14 UTC
Client:  x86 SuSE 9.1, winbind 3.0.4 (SuSE RPM,3.0.4 with #1259,#1315 & #1319)
Server:  Alpha Tru64 5.1B, Samba 2.2.9

After a YOU upgrade to the latest samba-* packages, I note that winbindd
fails to authenticate against my 2.2.9 Samba server. This could be a
problem with that server that is exposed by the new version (or it could be a 
SuSE issue) but in any case there is a change in behaviour that is worth 
reporting.

# rpm -qa | grep winbind
samba-winbind-3.0.4-1.12

# wbinfo -V
Version 3.0.4-SUSE

'wbinfo -t' is "unstable" but never checks the secret;

# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_PIPE_NOT_AVAILABLE (0xc00000ac)
Could not check secret

# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret


Joining the domain again succeeds but the secret is still not verifiable.

The server reports;

  rpc_server/srv_pipe.c:(828)
  api_pipe_bind_req: unknown auth type 44 requested.

It looks like the value that should be NTLMSSP_AUTH_TYPE has been modified.

A simple strace of 'wbinfo -t' shows that the request size also seems to have 
changed from 1568 to 1824;

< write(4, " \6\0\0\30\0\0\0\351#\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1568) 
= 1568
< read(4, "\30\5\0\0\1\0\0\0\0\0\0\0NT_STATUS_OK\0\0\0\0\0\0\0\0"..., 1304) = 
1304
< fstat(1, {st_mode=S_IFREG|0644, st_size=11743, ...}) = 0
< mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x2a95f48000
< write(1, "checking the trust secret via RP"..., 50checking the trust secret 
via RPC calls succeeded
< ) = 50
< munmap(0x2a95f48000, 4096)              = 0
< exit_group(0)                           = ?
---
> write(4, " \7\0\0\31\0\0\0)$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1824) 
= 1824
> read(4, "\30\5\0\0\0\0\0\0003\2\0\300NT_STATUS_DOMAIN_CON"..., 1304) = 1304
> fstat(1, {st_mode=S_IFREG|0644, st_size=10397, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x2a9606b000
> write(1, "checking the trust secret via RP"..., 136checking the trust secret 
via RPC calls failed
> error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
> Could not check secret
> ) = 136
> munmap(0x2a9606b000, 4096)              = 0
> exit_group(1)                           = ?

Reverting back to the 3.0.2a packages restores the expected behaviour.

Incidentally, googling for "auth type 44" yields two hits - one under
a WWW search and one under a Newsgroup search but neither was resolved.
This usually means the problem is rare or that it is a thinko on the part
of the posters ;-)

There are a few more for "samba 1824" - one suggests 'you are running old 
wbinfo, pam_winbind or libnss_winbind clients'. This doesn't appear to be
the case here as they are updated with winbind itself.

Suggestions please! Am I doing something really silly?
Comment 1 J Pelan 2004-06-16 04:20:15 UTC
Forgot to include relevant part of winbindd log;

rpc_dc_name: Returning DC ALPHA (192.168.213.69) for domain GATSBY2
IPC$ connections done anonymously
Connecting to host=ALPHA
Connecting to 192.168.213.69 at port 445
error connecting to 192.168.213.69:445 (Connection refused)
Connecting to 192.168.213.69 at port 139
Serverzone is -3600
bind_rpc_pipe: transfer syntax differs
rpc_pipe_bind: check_bind_response failed.
cli_nt_session_open: rpc bind to \PIPE\lsarpc failed
rpc: trusted_domains
Using cleartext machine password

Comment 2 Gerald (Jerry) Carter (dead mail address) 2004-07-20 06:26:14 UTC
This is a known bug in the schannel implementation that was actually 
fixed in 3.0.4.  However, fixing it caused some compatibility issues with old
Samba servers. 

You can set 'client schannel = no' in smb.conf on the 3.0.4.

Or you can upgrade the DC to Samba 3.0.4 as well.
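
Added example, not part of the original report or of Samba's code: a small parser that reads the auth_type byte from the security trailer of a DCE/RPC bind PDU, which is the field the server's "unknown auth type" message refers to. It assumes the "44" in the 2.2.9 log is printed in hexadecimal (0x44 is the Netlogon secure channel type in MS-RPCE, 0x0A is NTLMSSP); the function names and the sample PDUs are constructed for illustration.

```python
import struct

# DCE/RPC auth_type values from MS-RPCE (subset).
AUTH_TYPES = {0x00: "none", 0x09: "SPNEGO", 0x0A: "NTLMSSP", 0x10: "Kerberos",
              0x44: "Netlogon secure channel (schannel)"}
PTYPE_BIND = 11
HDR_LEN = 16      # common connection-oriented PDU header
TRAILER_LEN = 8   # sec_trailer that precedes the auth_value


def bind_auth_type(pdu):
    """Return (auth_type, name, auth_level) for a bind PDU, or None if it carries no auth."""
    if len(pdu) < HDR_LEN:
        raise ValueError("short PDU")
    vers, _minor, ptype, _flags = struct.unpack_from("4B", pdu, 0)
    if vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    # packed_drep[0]: high nibble 1 means little-endian integers
    endian = "<" if pdu[4] & 0x10 else ">"
    frag_len, auth_len = struct.unpack_from(endian + "HH", pdu, 8)
    if auth_len == 0:
        return None
    # The trailer sits immediately before the auth_value at the end of the fragment.
    off = frag_len - auth_len - TRAILER_LEN
    if frag_len > len(pdu) or off < HDR_LEN:
        raise ValueError("inconsistent frag_length/auth_length")
    auth_type, auth_level = struct.unpack_from("BB", pdu, off)
    return auth_type, AUTH_TYPES.get(auth_type, "unknown"), auth_level


def make_bind(auth_type, auth_level=6, body=bytes(56), auth_value=bytes(12)):
    """Build a constructed little-endian bind PDU; body and auth_value are zero filler."""
    trailer = struct.pack("<BBBBI", auth_type, auth_level, 0, 0, 1) if auth_value else b""
    frag_len = HDR_LEN + len(body) + len(trailer) + len(auth_value)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\0\0\0",
                      frag_len, len(auth_value), 1)
    return hdr + body + trailer + auth_value


if __name__ == "__main__":
    for sample in (make_bind(0x44), make_bind(0x0A), make_bind(0, auth_value=b"")):
        print(bind_auth_type(sample))
```

Run against a bind PDU extracted from a packet capture of the failing connection, this shows which authentication type the client requested, which helps tell a schannel bind from an NTLMSSP one when an older server rejects it.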