Bug 158 - Cannot authenticate using Winbind
Cannot authenticate using Winbind
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.0preX
All Linux
: P2 regression
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2003-06-12 13:56 UTC by Tod Schmidt
Modified: 2005-11-14 09:30 UTC (History)
2 users (show)

See Also:


Attachments
Smb.conf (7.66 KB, text/plain)
2003-06-16 06:19 UTC, Tod Schmidt
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tod Schmidt 2003-06-12 13:56:42 UTC
Below is an email I was working on the list. I can authenticate using 
smbclient -k to a win2k box, but when trying to use winbind I get the error

[root@maildev root]# wbinfo -a tschmidt%XXXXXXX
plaintext password authentication failed
error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
error messsage was: Unexpected information received
Could not authenticate user tschmidt%XXXXXXX with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user tschmidt@TNCTEST.ORG with challenge/response


This is what I get in the log.winbind with loglevel set to 10 for auth and 
winbind.

[2003/06/12 16:54:24, 6] nsswitch/winbindd.c:new_connection(307)
  accepted socket 21
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272)
  process_request: request fn INTERFACE_VERSION
[2003/06/12 16:54:24, 3] nsswitch/winbindd_misc.c:winbindd_interface_version
(207)
  [11591]: request interface version
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2003/06/12 16:54:24, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(243)
  [11591]: request location of privileged pipe
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(514)
  client_write: need to write 37 extra data bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 37 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(503)
  client_write: client_write: complete response written.
[2003/06/12 16:54:24, 6] nsswitch/winbindd.c:new_connection(307)
  accepted socket 22
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 0 bytes. Need 1312 more for a full request.
[2003/06/12 16:54:24, 5] nsswitch/winbindd.c:winbind_client_read(427)
  read failed on sock 21, pid 11591: EOF
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272)
  process_request: request fn PAM_AUTH
[2003/06/12 16:54:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(80)
  [11591]: pam auth tschmidt
[2003/06/12 16:54:24, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(93)
  no domain separator (+) in username (tschmidt) - failing auth
[2003/06/12 16:54:24, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(167)
  Plain-text authentication for user tschmidt returned 
NT_STATUS_INVALID_PARAMETER (PAM: 4)
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272)
  process_request: request fn INFO
[2003/06/12 16:54:24, 3] nsswitch/winbindd_misc.c:winbindd_info(194)
  [11591]: request misc info
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272)
  process_request: request fn DOMAIN_NAME
[2003/06/12 16:54:24, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(219)
  [11591]: request domain name
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272)
  process_request: request fn AUTH_CRAP
[2003/06/12 16:54:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(237)
  [11591]: pam auth crap domain: TNCTEST user: tschmidt
[2003/06/12 16:54:24, 10] nsswitch/winbindd_cm.c:cm_get_dc_name(167)
  returning positive get_dc_name_cache entry for TNCTEST
[2003/06/12 16:54:24, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(238)
  IPC$ connections done by user TSCHMIDT\welcome123
[2003/06/12 16:54:24, 5] nsswitch/winbindd_cm.c:cm_open_connection(278)
  connecting to DCTEST from MAILDEV with username [TSCHMIDT]\[welcome123]
[2003/06/12 16:54:24, 0] rpc_parse/parse_prs.c:prs_mem_get(528)
  prs_mem_get: reading data of size 2 would overrun buffer.
[2003/06/12 16:54:24, 0] rpc_client/cli_pipe.c:rpc_pipe_bind(1484)
  rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.
[2003/06/12 16:54:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(292)
  could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
[2003/06/12 16:54:24, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(342)
  NTLM CRAP authentication for user [TNCTEST]\[tschmidt] returned 
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469)
  client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422)
  client_read: read 0 bytes. Need 1312 more for a full request.
[2003/06/12 16:54:24, 5] nsswitch/winbindd.c:winbind_client_read(427)
  read failed on sock 22, pid 11591: EOF
Comment 1 Volker Lendecke 2003-06-13 00:19:40 UTC
Hi, Tod!

I just set up W2k PDC with winbind, and for me it works fine. We need more
info to analyze this problem: Your smb.conf and a network sniff would be great.

Volker
Comment 2 Tod Schmidt 2003-06-16 06:19:17 UTC
Created attachment 30 [details]
Smb.conf
Comment 3 Ernie Cline 2003-06-16 07:23:46 UTC
I too am having similar problems.  However, I can 'su' to a user using the
following syntax:

su - DOMAIN/username
and I can then login.  However using sshd, I simply get Illegal User.  SSHD logs
spits out the following:
Jun 16 09:13:29 mccoy sshd[17948]: Illegal user LIGHTSPEED/jlally from 172.22.4.97
Jun 16 09:13:29 mccoy sshd[17948]: Illegal user LIGHTSPEED/jlally from 172.22.4.97
Jun 16 09:13:38 mccoy xinetd[30092]: START: telnet pid=17950 from=172.22.4.97
Jun 16 09:13:43 mccoy pam_winbind[17951]: request failed: Unexpected information
received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jun 16 09:13:43 mccoy pam_winbind[17951]: request failed: Unexpected information
received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jun 16 09:13:43 mccoy pam_winbind[17951]: internal module error (retval = 4,
user = `LIGHTSPEED/jlally'
Jun 16 09:13:43 mccoy pam_winbind[17951]: internal module error (retval = 4,
user = `LIGHTSPEED/jlally'
Jun 16 09:13:43 mccoy login(pam_unix)[17951]: check pass; user unknown
Jun 16 09:13:43 mccoy login(pam_unix)[17951]: check pass; user unknown
Jun 16 09:13:43 mccoy login(pam_unix)[17951]: authentication failure; logname=
uid=0 euid=0 tty=/dev/pts/5 ruser= rhost=impreza 
Jun 16 09:13:43 mccoy login(pam_unix)[17951]: authentication failure; logname=
uid=0 euid=0 tty=/dev/pts/5 ruser= rhost=impreza 
Jun 16 09:13:44 mccoy login(pam_unix)[17951]: check pass; user unknown
Jun 16 09:13:44 mccoy login(pam_unix)[17951]: check pass; user unknown
Jun 16 09:13:46 mccoy login[17951]: FAILED LOGIN 1 FROM impreza FOR UNKNOWN,
Authentication failure
Jun 16 09:13:46 mccoy login[17951]: FAILED LOGIN 1 FROM impreza FOR UNKNOWN,
Authentication failure

And yes, everything is always in the logs twice for some reason.  Here is my
/etc/pam.d/sshd:
#%PAM-1.0

auth       required     pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_winbind.so
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    sufficient  /lib/security/pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Also of possible interest, when I tried to initial join this linux machine to
the AD domain I got this output:
Administrator password: 
[2003/06/13 16:18:19, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/06/13 16:18:19, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password Administrator@LIGHTSPEEDRESEARCH.COM failed: KDC has
no support for encryption type
[2003/06/13 16:18:19, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/06/13 16:18:19, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password Administrator@LIGHTSPEEDRESEARCH.COM failed: KDC has
no support for encryption type
[2003/06/13 16:18:19, 1] libads/krb5_setpw.c:ads_krb5_set_password(520)
  Failed to get principal from ccache (No credentials cache found)
ads_set_machine_password: No credentials cache found
ADS join did not work, trying RPC...
[2003/06/13 16:18:20, 1] utils/net.c:net_find_server(243)
  no server to connect to

Unable to find a suitable server
[2003/06/13 16:18:21, 1] utils/net.c:net_find_server(243)
  no server to connect to

Unable to find a suitable server

BUT, if i looked on the pdc, my computer account seemed to be successfully
created.  This seemed to always happen, I would get the above errors, but the
command would succeed ...

Anything I can do to help, as I'd really like people to be able to authenticate
against the AD Domain controller, I'd be happy to provide.
Comment 4 Ernie Cline 2003-06-16 11:33:34 UTC
Also, when attempting to log in, via something like telnet or ssh, should I be
using:

DOMAIN<winbind separator>username
or
DOMAIN/username

Neither seems to work, sshd always says invalid user (twice, always), and
idealy, i'd like to just be able to use 'username' ... 
Comment 5 Jim McDonough 2003-06-18 05:30:53 UTC
For starters, always use the winbind separator when you're specifying a domain
on that samba box.  From windows, if you need it, the separator is always '\'. 
But if you want to use the username with no domain, see the "winbind use default
domain" parameter (and it seems to be spelled 'used' in some man pages, but it's
really 'use').  It will stick the smb.conf domain in front of any user that
doesn't specify one.
Comment 6 Jim McDonough 2003-06-18 06:01:16 UTC
Ok, you have at some point done a wbinfo -A, I believe, with a domain of
TSCHMIDT and userid of welcome123, so that's why it's failing to find a logon
server.  The log shows that it's trying to do its IPC$ connection using that
stored userid.

Try running 'wbinfo -A %' to clear it out and see if that fixes it.
Comment 7 Tod Schmidt 2003-06-18 07:06:03 UTC
Running wbinfo -A user%pass resolved this issue. I am now able to run wbinfo -
a, wbinfo -t without errors.
Comment 8 Gerald (Jerry) Carter 2005-02-07 08:38:59 UTC
originally reported against 3.0.0beta1.  CLeaning out 
non-production release versions.
Comment 9 Gerald (Jerry) Carter 2005-11-14 09:30:08 UTC
database cleanup