Bug 396 - Winbind can't authenticate to Windows 2003 domain controller
Summary: Winbind can't authenticate to Windows 2003 domain controller
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.0
Hardware: All Linux
: P4 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-09-03 12:00 UTC by Jared S. Kelly
Modified: 2005-11-14 09:26 UTC (History)
0 users

See Also:


Attachments
Winbind log (Level 9), Wbinfo -t (4.23 KB, text/plain)
2003-09-22 17:00 UTC, Jared S. Kelly
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jared S. Kelly 2003-09-03 12:00:10 UTC
I'm running into a NT_STATUS_NO_LOGON_SERVERS while trying to authenticate 
using winbind. I've tried this using four machines, all of which worked under 
Samba3.0-Alpha23.

wbinfo -u returns with a valid user list, the net ads testjoin works correctly.

wbinfo -t fails as well as a manual attempt to authenticate using wbinfo -a.

I've already sent my smb.conf and log.winbindd to Jeremy. This is pretty much a 
showstopper for our implementation.

Thanks!

Jared
Ask Jeeves
Comment 1 Jared S. Kelly 2003-09-03 12:05:22 UTC
Another useful bit of info...it DOES in fact attempt a connection to the 
correct domain controller...tons of smb signing errors in the winbind log.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-09-22 11:57:53 UTC
What version of Kerberos are you using?  You need one 
that supports a working RC4-HMAC implementation like
MIT kerb5 1.3.  I've tested locally with MIT 
Kerb5 1.3.1 and everything works correctly.
Comment 3 Jared S. Kelly 2003-09-22 17:00:48 UTC
Created attachment 162 [details]
Winbind log (Level 9), Wbinfo -t
Comment 4 Jared S. Kelly 2003-09-22 17:02:19 UTC
Tried it with MIT Keberos 1.3.1, still no success.... Wbinfo -u still works
however the wbinfo -t command still fails as well as authentication when trying
to conenct to a share.....

I've flushed my logs and created a clean winbindd log for the wbinfo -t command.
Hopefully this helps...

Thank you very much for your attention to this!

Comment 5 Gerald (Jerry) Carter (dead mail address) 2003-10-01 10:05:05 UTC
The log file shows signing errors.  I'm pretty sure that 
this is going to turn out to be a local configuration issue.
Are you sure that the resulting smbd is linked with the 
correct version of the MIT libs?
Comment 6 Jared S. Kelly 2003-10-01 16:36:57 UTC
Jerry-

I'm inclined to agree. I re-compiled the 3.0.0 version and am able to 
authenticate using winbind and the wbinfo -a command. Wbinfo -t works as well. 
However, now when a user tries to connect to the share i have set up, winbind 
still fails out with the NT_STATUS_NO_LOGON_SERVERS. Any ideas? Because I'm 
using RedHat 9, I can't out and out replace my kerberos with 1.3, rather i've 
compiled and installed it into /usr, and kept the red hat one in place 
under /usr/kerberos.

As always, thanks for your assistance.
Comment 7 Jared S. Kelly 2003-10-02 15:17:49 UTC
OK, i've gotten past the NO_LOGON_SERVERS issue...but the only way i can get 
this beast to work (authenticating inbound users using ADS) is to maintain user 
accounts on the host....it does check their password against the AD, but if 
there isn't already a matching username on the linux machine, it comes back and 
challenges over and over. This was not the behaviour in alpha23, which was the 
last working version i've used.
Comment 8 Jared S. Kelly 2003-10-02 16:21:36 UTC
Jerry-
 
After doing tons of comparision between my working install and the 3.0.0 
version, I discovered that I was missing the libnss_winbind.so.2 and 
pam_winbind.so libraries!
 
I'm not sure why they're not compiling on my system, but i was able to take 
them from the RPM and set up the links myself. It is now behaving as I expect 
it to!

please close this one out!
 
I realize that I may have already taken up too much of your time, and I really 
appreciate it! Thanks for your help on this issue!
Comment 9 Jared S. Kelly 2003-10-02 16:21:48 UTC
Jerry-
 
After doing tons of comparision between my working install and the 3.0.0 
version, I discovered that I was missing the libnss_winbind.so.2 and 
pam_winbind.so libraries!
 
I'm not sure why they're not compiling on my system, but i was able to take 
them from the RPM and set up the links myself. It is now behaving as I expect 
it to!

please close this one out!
 
I realize that I may have already taken up too much of your time, and I really 
appreciate it! Thanks for your help on this issue!
Comment 10 Gerald (Jerry) Carter (dead mail address) 2003-10-03 07:02:50 UTC
w00t!  configuration issues.  Closing this one out.  Thanks 
for letting me know.
Comment 11 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:26:18 UTC
database cleanup