Bug 2953 - Samba DC credential chain problem with NO_SUCH_USER
Summary: Samba DC credential chain problem with NO_SUCH_USER
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.20
Hardware: All All
: P3 major
Target Milestone: none
Assignee: Jim McDonough
QA Contact: Samba QA Contact
Depends on:
Reported: 2005-08-03 08:08 UTC by Bill Marshall
Modified: 2005-08-24 10:28 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Bill Marshall 2005-08-03 08:08:05 UTC
Problem description:
With a samba 3.0.20 additional server in a Samba domain, when an invalid user
connects to the additional server, the communications between the Samba domain
controller and the additional server "get out of whack" and no new connections
are then allowed on the samba additional server.

To reproduce:
Setup a samba domain. Samba DC should be any recent release. Setup an
additional server w/ 3.0.20rc1 or latest from svn

Connect to the additional server from windows w/ an invalid userid.

C:\temp>net use \\as1lnx1\ipc$ /user:junk
System error 1311 has occurred.

There are currently no logon servers available to service the logon request.

-- Then ALL attempts are rejected:
C:\temp>net use k:  \\as1lnx1\bmarsh
System error 1311 has occurred.

There are currently no logon servers available to service the logon request.

You will see things like this in the log.wb-DOMAIN logs

[2005/08/03 08:54:07, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(795)
635816800:  NTLM CRAP authentication for user [DOMAIN]\[wit6] returned

JMCD states - Basically, the credentials chain involves each side computing the
next credential from the previous one, and what happens is that a samba DC (yes,
it's your DC that is broken, 3.0.20 is simply what made it show up) assumes that
it should go to the next step, but that's not correct in certain cases (like
NO_SUCH_USER).  The winbindd client correctly assumes that it will pickup where
it left off, which works against windows.  

I'm assuming that winbind just used to close connections more often.  Also, the
existence of the user was checked first, so a samlogon wasn't done in this
case...we already knew from the normal nsswitch call that the user didn't exist.
Comment 1 Jim McDonough 2005-08-03 08:23:29 UTC
I'll take this one.  I've got a hack that patches it, but I'll clean it up.
Comment 2 Jim McDonough 2005-08-05 05:33:25 UTC
Fixed by only updating credentials after we logon the user.  r9112
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-08-07 08:26:27 UTC
updating version for future searches
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:28:10 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.