Client: x86 SuSE 9.1, winbind 3.0.4 (SuSE RPM,3.0.4 with #1259,#1315 & #1319) Server: Alpha Tru64 5.1B, Samba 2.2.9 After a YOU upgrade to the latest samba-* packages, I note that winbindd fails to authenticate against my 2.2.9 Samba server. This could be a problem with that server that is exposed by the new version (or it could be a SuSE issue) but in any case there is a change in behaviour that is worth reporting. # rpm -qa | grep winbind samba-winbind-3.0.4-1.12 # wbinfo -V Version 3.0.4-SUSE 'wbinfo -t' is "unstable" but never checks the secret; # wbinfo -t checking the trust secret via RPC calls failed error code was NT_STATUS_PIPE_NOT_AVAILABLE (0xc00000ac) Could not check secret # wbinfo -t checking the trust secret via RPC calls failed error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233) Could not check secret Joining the domain again succeeds but the secret is still not verifiable. The server reports; rpc_server/srv_pipe.c:(828) api_pipe_bind_req: unknown auth type 44 requested. It looks like the value that should be NTLMSSP_AUTH_TYPE has been modified. A simple strace of 'wbinfo -t' shows that the request size also seems to have changed from 1568 to 1824; < write(4, " \6\0\0\30\0\0\0\351#\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1568) = 1568 < read(4, "\30\5\0\0\1\0\0\0\0\0\0\0NT_STATUS_OK\0\0\0\0\0\0\0\0"..., 1304) = 1304 < fstat(1, {st_mode=S_IFREG|0644, st_size=11743, ...}) = 0 < mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a95f48000 < write(1, "checking the trust secret via RP"..., 50checking the trust secret via RPC calls succeeded < ) = 50 < munmap(0x2a95f48000, 4096) = 0 < exit_group(0) = ? --- > write(4, " \7\0\0\31\0\0\0)$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1824) = 1824 > read(4, "\30\5\0\0\0\0\0\0003\2\0\300NT_STATUS_DOMAIN_CON"..., 1304) = 1304 > fstat(1, {st_mode=S_IFREG|0644, st_size=10397, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a9606b000 > write(1, "checking the trust secret via RP"..., 136checking the trust secret via RPC calls failed > error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233) > Could not check secret > ) = 136 > munmap(0x2a9606b000, 4096) = 0 > exit_group(1) = ? Reverting back to the 3.0.2a packages restores the expected behaviour. Incidently, googling for "auth type 44" yields two hits - one under a WWW search and one under a Newsgroup search but neither were resolved. This usually means the problem is rare or that it is a thinko on the part of the posters ;-) There are a few more for "samba 1824" - one suggests 'you are running old wbinfo, pam_winbind or libnss_winbind clients'. This doesn't appear to be the case here as they are updated with winbind itself. Suggestions please! I am doing something really silly ?
Forgot to include relevant part of winbindd log; rpc_dc_name: Returning DC ALPHA (192.168.213.69) for domain GATSBY2 IPC$ connections done anonymously Connecting to host=ALPHA Connecting to 192.168.213.69 at port 445 error connecting to 192.168.213.69:445 (Connection refused) Connecting to 192.168.213.69 at port 139 Serverzone is -3600 bind_rpc_pipe: transfer syntax differs rpc_pipe_bind: check_bind_response failed. cli_nt_session_open: rpc bind to \PIPE\lsarpc failed rpc: trusted_domains Using cleartext machine password
This is a known bug in the schannel implementation that was actually fixed in 3.0.4. However, fixing it caused some compatibility issues with old Samba servers. You can set 'client schannel = no' in smb.conf on the 3.0.4. Or you can upgrade the DC to Samba 3.0.4 as well.