A description of our environment: samba-3.0.9-1.3E.2 on redhat AS3 fully updated. We use winbind to authenticate users; we have a lot of domains (windows 2003), all trusted with one of them, which the linux server is joined to. All works fine, and all users (both in the domain to which the linux server is joined and in all other domains) can authenticate.

We have a strange problem with one (only one) user in one of the trusted domains. Authentication fails with error code "NT code 0x00000001":

    [root@server root]# wbinfo -a XXX\\xxxxxx%xxxxxx
    plaintext password authentication failed
    error code was NT code 0x00000001 (0x1)
    error messsage was: NT code 0x00000001
    Could not authenticate user XXX\\xxxxxx%xxxxxx with plaintext password
    challenge/response password authentication failed
    error code was NT code 0x00000001 (0x1)
    error messsage was: NT code 0x00000001
    Could not authenticate user XXX\\xxxxxx%xxxxxx with challenge/response

or

    [root@server root]# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic -d3
    XXX\\xxxxxx%xxxxxx
    [2005/01/14 17:44:11, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
    NT code 0x00000001: NT code 0x00000001 (0x1)
    ERR

1) The password is OK; the user can log on to the domain.

2) If I use the basic squid authentication helper, it works:

    [root@ncsmp-e01 part1]# /usr/lib/squid/smb_auth.pl -c /tmp/bb.tmp
    Extern file number 1 = '/tmp/bb.tmp'
    Loading extern file /tmp/bb.tmp
    domain="DOM_1" pdc="PDC" bdc="BDC"
    DOM_1\user xxxxx
    domain: DOM_1, user: user, pass=xxxxxxxx
    DCs forced by user: DOM_1 => PDC,BDC
    querying 'PDC' and 'BDC' for user 'DOM_1\user', pass xxxxxxxx
    result is: (0) OK for user 'DOM_1\user'
    OK

3) All users in the same domain can authenticate without errors.

4) Looking into the event viewer of the DC I see that, even in case of error, it logs a successful authentication, and the entry in the event viewer is equal to that of a successful authentication.
This is our smb.conf:

    interfaces = lo
    log level = passdb:5 auth:10 winbind:10
    workgroup = DOM
    security = ads
    encrypt passwords = Yes
    realm = DOM.DOMAIN.IT
    password server = *
    wins support = No
    wins server = DOM.DOMAIN.IT
    winbind uid = 10000-60000
    winbind gid = 10000-60000
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = No
    winbind cache time = 86400
    lanman auth = No
    ntlm auth = No
    client NTLMv2 auth = yes
    client lanman auth = No
    client plaintext auth = yes
    client signing = yes
    client use spnego = no
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = No
    domain master = No
    dns proxy = No

We tried with samba 3.0.11pre1 also, but unsuccessfully. If you need other information I will send it to you soon.
We need a debug level 10 log of winbindd, and a dump of the traffic between winbind and the DC. Please start the dump before starting winbind. Volker
Created attachment 893: network traffic and winbindd.log
Hi, I forwarded you network traffic (tcpdump-ethereal) from winbind server to DC and winbindd.log. The operations tracked in both files are:

1. service winbind start
2. wbinfo -a il\\ilnavtest%PWD (success)
3. wbinfo -a il\\il00222%PWD (fail)

Marco
Thanks, this is exactly what we need. Except I forgot to ask you to set client schannel = no in the winbind smb.conf. With this option, the SamLogon Request that is failing is sent unencrypted. You don't want this in production, but for debugging purposes this helps a lot. Volker
Created attachment 894: network traffic and winbind.log (now with "client schannel=No" in smb.conf)
Created attachment 906: Proposed patch

Could you try the attached patch? Please make sure you do a 'make clean' before recompiling. Thanks, Volker
Hello, now the error is:

    plaintext password authentication failed
    error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
    error messsage was: No logon servers
    Could not authenticate user xx\xx00222%xxpwdxx with plaintext password
    challenge/response password authentication failed
    error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
    error messsage was: No logon servers
    Could not authenticate user xx\xx00222 with challenge/response
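A small decoder for the two status values quoted in this thread, added here as an illustration (it is not part of the bug report or of Samba's code): it splits an NTSTATUS into its severity, facility and code fields, so that "NT code 0x00000001" (severity field SUCCESS, i.e. not a regular NT error status, which is why wbinfo prints it without a name) can be told apart from NT_STATUS_NO_LOGON_SERVERS (0xc000005e, severity ERROR). The status-name table is a constructed subset and the sample lines are constructed to mirror the wbinfo output above.

```python
# Added example, not from the bug report: decode NTSTATUS values such as the
# "NT code 0x00000001" and "NT_STATUS_NO_LOGON_SERVERS (0xc000005e)" seen in
# the wbinfo output. Field layout follows the documented NTSTATUS format:
#   bits 31..30 Sev, bit 29 C, bit 28 N, bits 27..16 Facility, bits 15..0 Code.

SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

# Constructed subset of well-known NTSTATUS names; only those relevant here.
KNOWN = {
    0x00000000: "NT_STATUS_OK",
    0xC000005E: "NT_STATUS_NO_LOGON_SERVERS",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
}


def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into its fields and name it if known."""
    value &= 0xFFFFFFFF
    return {
        "value": value,
        "severity": SEVERITY[value >> 30],
        "customer": bool(value & 0x20000000),    # C bit: vendor-defined code
        "reserved_n": bool(value & 0x10000000),  # N bit: must be 0 for NTSTATUS
        "facility": (value >> 16) & 0x0FFF,
        "code": value & 0xFFFF,
        # Samba prints unnamed statuses as "NT code 0x%08x", mirrored here.
        "name": KNOWN.get(value, "NT code 0x%08x" % value),
    }


def is_nt_error(value):
    """True only when the Sev field is ERROR (bits 31..30 == 0b11)."""
    return ((value & 0xFFFFFFFF) >> 30) == 3


def parse_wbinfo_error(line):
    """Pull the hex status out of a wbinfo 'error code was ...' line.

    Handles both "NT code 0x00000001 (0x1)" and
    "NT_STATUS_NO_LOGON_SERVERS (0xc000005e)"; returns None if no code found.
    """
    start = line.rfind("(0x")
    if start < 0:
        return None
    end = line.find(")", start)
    return decode_ntstatus(int(line[start + 1:end], 16))


if __name__ == "__main__":
    # Constructed sample lines mirroring the two wbinfo runs in this thread.
    for sample in ("error code was NT code 0x00000001 (0x1)",
                   "error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)"):
        print(parse_wbinfo_error(sample))
```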
Hi! Same procedure as last time ... Logfile & dump (client schannel = no) please :-) The problem is that I could not thoroughly test that code, as I don't have a user on my DC that gives this kind of samlogon response. Thanks for your patience, Volker
Created attachment 907: tcpdump & winbindd.log (loglevel=10) client schannel=no
Comment on attachment 907: tcpdump & winbindd.log (loglevel=10)

The operations tracked in both files are:

1. service winbind start
2. wbinfo -a il\\il00222%PWD (fail)
3. wbinfo -a il\\ilnavtest%PWD (success)
This looks more like 'client signing = no' set instead of 'client schannel = no'. Volker
Created attachment 908: client schannel=no
Created attachment 910: Next version of the patch

Please find another attempt attached. Volker
Hello, now only what did not work before works!
I've committed subversion revision 4946 with something that works for all my test cases. If it still gives you errors, please re-open this bug. Thanks for reporting this! Volker
Sorry for the spam, cleaning up the database to prevent unnecessary reopens of bugs.