Bug 1527 - Domain authentication has stopped working
Summary: Domain authentication has stopped working
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.6
Hardware: x86 Windows XP
Importance: P3 regression
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL: http:/
Reported: 2004-07-14 04:39 UTC by olly
Modified: 2005-08-24 10:24 UTC

Attachments
Winbindd log (64.74 KB, application/octet-stream)
2004-07-14 04:41 UTC, olly
output of 'net join -U username%password -d 10' (100.94 KB, application/octet-stream)
2004-07-14 10:04 UTC, olly
Ethereal capture for net join (9.66 KB, application/octet-stream)
2004-07-14 10:09 UTC, olly

Description olly 2004-07-14 04:39:03 UTC
When upgrading from 3.0.4 SuSE rpms to 3.0.5rc1 I found that
all daemons started correctly, but all domain authentication failed. I am
running a samba server as a member server against a Windows 2000 mixed mode
domain. 'getent group' did return a correct list of all the groups, so
there was at least some level of connectivity (it was not cached because nscd
was stopped).

I tried to rejoin the domain, but joining the domain failed. When I reverted
back to 3.0.4, I joined the domain with no trouble. My config is as below:

[global]
        workgroup = FOO
        server string = Samba Server
        security = DOMAIN
        map to guest = Bad User
        obey pam restrictions = Yes
        restrict anonymous = 2
        log level = 8
        time server = Yes
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        os level = 2
        local master = No
        domain master = No
        ldap ssl = no
        host msdfs = Yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind use default domain = No
        admin users = '@Foo\Domain Admins'
        veto files = /*.eml/*.nws/riched20.dll/*.{*}/
Comment 1 olly 2004-07-14 04:41:15 UTC
Created attachment 565
Winbindd log
Comment 2 Volker Lendecke 2004-07-14 07:42:44 UTC
For the 3.0.5rc1 attempt to join the domain, could you add a debug level 10 log?
The output of 'net rpc join -U user%pass -d 10' might help, along with a network
trace.

Thanks,

Volker
Comment 3 olly 2004-07-14 10:04:06 UTC
Created attachment 567
output of 'net join -U username%password -d 10'
Comment 4 olly 2004-07-14 10:09:26 UTC
Created attachment 568
Ethereal capture for net join

Here is the capture as requested. After trying a few times, it locked the
account out, so it must be trying to authenticate, but failing.
Comment 5 Volker Lendecke 2004-07-15 03:02:23 UTC
This looks very like you mis-typed the password for "tempadmin". Could you try
to log in to a share on the DC with smbclient, for example

smbclient //genetix01/netlogon -U tempadmin -W genetix

Volker
Comment 6 olly 2004-07-15 04:10:49 UTC
Hi Volker,

I have just checked my bash history to make sure, but the command line executed was:

net rpc join -U tempadmin%tempadmin -d 10

I executed that same command twice, once with 3.0.5rc1, then stopped services,
installed 3.0.4 rpms, then executed the same command from my history again and
it worked correctly. Therefore I cannot have mistyped the password. Don't worry, I
have disabled tempadmin account since ;-).

When I have a chance later (the server is in use) I can upgrade it again and
execute the command you specified, if you still wish.
Comment 7 olly 2004-07-15 04:13:54 UTC
BTW, I tested the command below on 3.0.4 and it works, so the password must be
correct!

smbclient //genetix01/netlogon -U tempadmin%tempadmin -W genetix
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:57:43 UTC
Originally against 3.0.5rc1pre1 (which became 3.0.6rc1 due to security release).
Please retest against 3.0.11 and reopen if still an issue.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:24:55 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.