Bug 2245 - error code was NT code 0x00000001
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.9
Hardware: x86 Linux
Importance: P3 normal
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2005-01-15 03:21 UTC by Francesco Defilippo
Modified: 2005-08-24 10:26 UTC (History)

Attachments
network traffic and winbindd.log (108.05 KB, application/gz)
2005-01-17 01:32 UTC, Francesco Defilippo
network traffic and winbind.log (now with "client schannel=No" in smb.conf) (85.56 KB, application/gz)
2005-01-17 05:55 UTC, Francesco Defilippo
Proposed patch (1.68 KB, patch)
2005-01-22 10:54 UTC, Volker Lendecke
tcpdump & winbindd.log (logleve=10) (18.89 KB, application/gz)
2005-01-23 03:04 UTC, Francesco Defilippo
client schannel=no (79.05 KB, application/gz)
2005-01-23 03:57 UTC, Francesco Defilippo
Next version of the patch (1.76 KB, patch)
2005-01-23 04:38 UTC, Volker Lendecke

Description Francesco Defilippo 2005-01-15 03:21:34 UTC
A description of our environment:
samba-3.0.9-1.3E.2 on Red Hat AS3, fully updated.

We use winbind to authenticate users; we have a lot of domains (Windows
2003), all trusted with one of them, to which the Linux server is joined.

Everything works fine, and all users (both in the domain to which the Linux
server is joined and in all other domains) can authenticate.
We have a strange problem with one (only one) user in one of the trusted
domains. Authentication fails with the error code "NT code 0x00000001".

[root@server root]# wbinfo -a XXX\\xxxxxx%xxxxxx
plaintext password authentication failed
error code was NT code 0x00000001 (0x1)
error messsage was: NT code 0x00000001
Could not authenticate user XXX\\xxxxxx%xxxxxx with plaintext password
challenge/response password authentication failed
error code was NT code 0x00000001 (0x1)
error messsage was: NT code 0x00000001
Could not authenticate user XXX\\xxxxxx%xxxxxx with challenge/response

or

[root@server root]# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
-d3 XXX\\xxxxxx%xxxxxx
[2005/01/14 17:44:11, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
  NT code 0x00000001: NT code 0x00000001 (0x1)
ERR

1) the password is OK, the user can log on to the domain

2) if I use the basic squid authentication helper, it works
[root@ncsmp-e01 part1]# /usr/lib/squid/smb_auth.pl -c /tmp/bb.tmp
Extern file number 1 = '/tmp/bb.tmp'
Loading extern file /tmp/bb.tmp
domain="DOM_1"  pdc="PDC"  bdc="BDC"
DOM_1\user xxxxx
domain: DOM_1, user: user, pass=xxxxxxxx
DCs forced by user: DOM_1 => PDC,BDC
querying 'PDC' and 'BDC' for user 'DOM_1\user', pass xxxxxxxx
result is:  (0)
OK for user 'DOM_1\user'
OK

3) all users in the same domain can authenticate without errors

4) looking into the event viewer of the DC I see that, even in case of error,
it logs a successful authentication, and the entry in the event viewer is
identical to that of a successful authentication.


This is our smb.conf:
        interfaces = lo
        log level = passdb:5 auth:10 winbind:10
        workgroup = DOM
        security = ads
        encrypt passwords = Yes
        realm = DOM.DOMAIN.IT
        password server = *
        wins support = No
        wins server =  DOM.DOMAIN.IT
        winbind uid = 10000-60000
        winbind gid = 10000-60000
        winbind enum users = no
        winbind enum groups = no
        winbind use default domain = No
        winbind cache time = 86400
        lanman auth = No
        ntlm auth = No
        client NTLMv2 auth = yes
        client lanman auth = No
        client plaintext auth = yes
        client signing = yes
        client use spnego = no
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = No
        domain master = No
        dns proxy = No

We also tried with samba 3.0.11pre1, but unsuccessfully.

If you need other information I will send it to you soon.
Comment 1 Volker Lendecke 2005-01-15 04:08:29 UTC
We need a debug level 10 log of winbindd, and a dump of the traffic between
winbind and the DC. Please start the dump before starting winbind.

Volker
Comment 2 Francesco Defilippo 2005-01-17 01:32:45 UTC
Created attachment 893 [details]
network traffic and winbindd.log
Comment 3 Francesco Defilippo 2005-01-17 01:33:53 UTC
Hi,
I forwarded you network traffic (tcpdump-ethereal) from winbind server to DC and
winbindd.log.
The operations tracked in both files are:
1. service winbind start
2. wbinfo -a il\\ilnavtest%PWD     (success)
3. wbinfo -a il\\il00222%PWD       (fail)
                                                                                
Marco
Comment 4 Volker Lendecke 2005-01-17 04:13:55 UTC
Thanks, this is exactly what we need. Except I forgot to ask you to set 

client schannel = no

in the winbind smb.conf. With this option, the SamLogon Request that is failing
is sent unencrypted. You don't want this in production, but for debugging
purposes this helps a lot.

Volker
Comment 5 Francesco Defilippo 2005-01-17 05:55:34 UTC
Created attachment 894 [details]
network traffic and winbind.log (now with "client schannel=No" in smb.conf)
Comment 6 Volker Lendecke 2005-01-22 10:54:17 UTC
Created attachment 906 [details]
Proposed patch

Could you try the attached patch? Please make sure you do a 'make clean' before
recompiling.

Thanks,

Volker
Comment 7 Francesco Defilippo 2005-01-23 01:51:14 UTC
Hello, now the error is:

plaintext password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user xx\xx00222%xxpwdxx with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user xx\xx00222 with challenge/response
Comment 8 Volker Lendecke 2005-01-23 02:21:59 UTC
Hi!

Same procedure as last time ... Logfile & dump (client schannel = no) please :-)

The problem is that I could not thoroughly test that code, as I don't have a
user on my DC that gives this kind of samlogon response.

Thanks for your patience,

Volker
Comment 9 Francesco Defilippo 2005-01-23 03:04:44 UTC
Created attachment 907 [details]
tcpdump & winbindd.log (logleve=10)

client schannel=no
Comment 10 Francesco Defilippo 2005-01-23 03:08:18 UTC
Comment on attachment 907 [details]
tcpdump & winbindd.log (logleve=10)

The operations tracked in both files are:
1. service winbind start
2. wbinfo -a il\\il00222%PWD       (fail)
3. wbinfo -a il\\ilnavtest%PWD     (success)
Comment 11 Volker Lendecke 2005-01-23 03:24:30 UTC
This looks more like 'client signing = no' set instead of 'client schannel = no'.

Volker
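
Comments 4 and 11 turn on a debugging override in the winbind smb.conf ("client schannel = no") and note that "client signing = no" was set by mistake instead. As an added example, not part of the original thread or of Samba, this Python check reports which of the two is effectively off in a config, so the right override can be confirmed before a capture and caught if it is left behind afterwards. The sample config is constructed, and the set of "off" spellings and the last-value-wins handling are assumptions of this example.

```python
import re

# Spellings treated as "off" for these parameters (assumption of this example).
OFF = {"no", "false", "0", "off", "disabled"}

# The two parameters discussed in this bug, keyed by normalized name.
WATCHED = {
    "clientschannel": "schannel off: SamLogon request is sent unencrypted",
    "clientsigning": "SMB signing disabled on the client side",
}

def normalize(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def audit(conf_text):
    """Return (line_no, parameter, reason) for each watched setting left off.

    A later assignment overrides an earlier one, so only the last value
    seen for each parameter is judged (assumption: single [global] config).
    """
    last = {}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, or section header
        name, value = line.split("=", 1)
        key = normalize(name)
        if key in WATCHED:
            last[key] = (no, value.strip().lower())
    hits = [(no, key, WATCHED[key]) for key, (no, val) in last.items() if val in OFF]
    return sorted(hits)

# Constructed sample: a debugging override left behind after a capture.
SAMPLE = """\
[global]
    workgroup = DOM
    security = ads
    ; client schannel = no
    client signing = yes
    Client Schannel=No
"""

if __name__ == "__main__":
    for no, key, reason in audit(SAMPLE):
        print(f"line {no}: {key}: {reason}")
```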
Comment 12 Francesco Defilippo 2005-01-23 03:57:17 UTC
Created attachment 908 [details]
client schannel=no
Comment 13 Volker Lendecke 2005-01-23 04:38:32 UTC
Created attachment 910 [details]
Next version of the patch

Please find another attempt attached.

Volker
Comment 14 Francesco Defilippo 2005-01-23 06:03:30 UTC
Hello, now only what did not work before works!
Comment 15 Volker Lendecke 2005-01-23 07:15:01 UTC
I've committed subversion revision 4946 with something that works for all my
test cases. If it still gives you errors, please re-open this bug.

Thanks for reporting this!

Volker
Comment 16 Gerald (Jerry) Carter 2005-08-24 10:26:35 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.