Bug 4622 - authentication always fail with security = server on 3.0.25
Summary: authentication always fail with security = server on 3.0.25
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.25
Hardware: All All
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
: 4638 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-05-16 05:19 UTC by WS Chan
Modified: 2007-06-10 20:14 UTC (History)
2 users (show)

See Also:

Attachments
Patch (659 bytes, patch)
2007-05-16 17:50 UTC, Jeremy Allison 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description WS Chan 2007-05-16 05:19:20 UTC 
We use security = server to authenticate with an Active Directory server:
security = server
password server = NAME_OF_AD_SERVER
workgroup = DOMAIN_NAME_OF_AD

With 3.0.25, authentication always fails:
[2007/05/16 17:52:30, 2] samba-3.0.25/source/auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [wschan] -> [wschan] FAILED with
 error NT_STATUS_NO_SUCH_USER

I compared the log of this version and that of the previous version and noticed the mapped user names are different:
With 3.0.25:
[2007/05/16 17:52:30, 3] samba-3.0.25/source/auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [NAME_OF_SMB_SERVER]\[wschan]@[NAME_OF_PC]

With 3.0.23a:
[2007/05/16 17:52:30, 3] samba-3.0.23a/source/auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [DOMAIN_NAME_OF_AD]\[wschan]@[NAME_OF_PC]

I guessed authentications had failed because of an incorrect domain name submitted to the AD server. Instead of the DOMAIN_NAME_OF_AD, NAME_OF_SMB_SERVER was submitted by 3.0.25 to the AD server.

Tracing the source code a bit, I found that a difference in the set_server_role function in param/loadparm.c may be the cause:
In 3.0.25:
                case SEC_SERVER:
                        if (lp_domain_logons())
                                DEBUG(0, ("Server's Role (logon server) conflict
s with server-level security\n"));
                        /* this used to be considered ROLE_DOMAIN_MEMBER but tha
t's just wrong */
                        server_role = ROLE_STANDALONE;

In 3.0.23a:
                case SEC_SERVER:
                        if (lp_domain_logons())
                                DEBUG(0, ("Server's Role (logon server) conflict
s with server-level security\n"));
                        server_role = ROLE_DOMAIN_MEMBER;
                        break;

Then I changed that segment of code in param/loadparm.c of 3.0.25 to make it look like that of 3.0.23a. Authentications worked again.
Comment 1 Volker Lendecke 2007-05-16 09:42:25 UTC 
Thanks for that hint. But to me it seems that this ROLE_STANDALONE is the right thing at that place, it influences other stuff as well. The fix must be somewhere else.

Looking.

Volker
Comment 2 Jeremy Allison 2007-05-16 17:50:09 UTC 
Created attachment 2697 [details]
Patch

This is Volker's patch I'm committing for 3.0.25a.
Jeremy.
Comment 3 WS Chan 2007-05-16 21:00:17 UTC 
(In reply to comment #1)
> Thanks for that hint. But to me it seems that this ROLE_STANDALONE is the right
> thing at that place, it influences other stuff as well. The fix must be
> somewhere else.
> 
> Looking.
> 
> Volker
> 

Yes, I worried that too. Instead of changing param/loadparm.c, I did a temporary workaround by patching passdb/passdb.c:
42c42
<       if ( lp_server_role() == ROLE_STANDALONE )
---
>       if ( lp_server_role() == ROLE_STANDALONE && lp_security() != SEC_SERVER )

so that I could continue to try it with Vista in our site.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2007-05-18 11:05:42 UTC 
*** Bug 4638 has been marked as a duplicate of this bug. ***
Comment 5 Gerald (Jerry) Carter (dead mail address) 2007-05-18 11:06:29 UTC 
Fixed for 3.0.25a