Bug 9700 - Authentication works for a limited period
Summary: Authentication works for a limited period
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Config Files
Version: 3.6.3
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2013-03-06 03:11 UTC by Victor Duca
Modified: 2013-03-06 18:23 UTC

Attachments
log files (94.49 KB, application/zip)
2013-03-06 03:11 UTC, Victor Duca

Description Victor Duca 2013-03-06 03:11:12 UTC
Created attachment 8611
log files

I have Samba 3.6.3 on Ubuntu 12.04 LTS Server which is part of an AD domain.
I downloaded and installed PBIS Open from here:
http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

Then joined the domain using the GUI. After that I installed
apt-get install system-config-samba
which also installed samba and imported all the users and groups from the AD (it took 2 hours since there are a lot of users). After that I used /opt/pbis/bin/samba-interop-install, which (from what I understand) switched the databases Samba uses to the same ones it uses.

After that i configured the smb.conf file to my needs and everything worked as expected. The next day it stopped working with this error:

root@tueilti-samba:~# smbclient -L localhost -U ga72vuk
Enter ga72vuk's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Restarting didn't do anything, so I messed around with the configuration and it started working again, then the next day the same error.
I didn't set up any winbind or kerberos, but is it possible this is due to a ticket expiring and not being renewed? (How can I test this?)

I wiped the logs and restarted the smbd and nmbd service and saved the immediate output to log.smbd0 and log.nmbd0, which is attached here, then I tried:

root@tueilti-samba:~# smbclient -L localhost -U ga72vuk *Anonymous login attempt*
Enter ga72vuk's password:
Anonymous login successful
Domain=[ADS] OS=[Unix] Server=[Samba 3.6.3]
tree connect failed: NT_STATUS_ACCESS_DENIED
root@tueilti-samba:~# smbclient -L localhost -U ga72vuk *login attempt with user ga72vuk*
Enter ga72vuk's password:
session setup failed: NT_STATUS_LOGON_FAILURE

and the new log data saved to log.smbd1 and log.nmbd1. I also included log.127.0.0.1 and smb.conf.
Comment 1 Victor Duca 2013-03-06 14:23:15 UTC
I'm using PBIS Open for both samba and local log in, and since the local log in was working just fine I assumed something is wrong with samba, but I just tried to leave and rejoin the domain and have run into an error.
Seems like this configuration isn't as good as I initially thought...

Do you guys have a better suggestion as to how to set up a Samba server on Ubuntu 12.04 LTS Server with AD authentication (Win2008R2)?

I just can't seem to find any up to date documentation or tutorials for this scenario.
Comment 2 Volker Lendecke 2013-03-06 14:27:59 UTC
PBIS Open -- if I read that right that is what Likewise initially developed, right?

Samba and winbind are quite capable on their own to join an AD domain. What are your specific requirements that winbind can not fulfill that make you use PBIS Open?
Comment 3 Victor Duca 2013-03-06 14:57:28 UTC
(In reply to comment #2)
> PBIS Open -- if I read that right that is what Likewise initially developed,
> right?
> 
> Samba and winbind are quite capable on their own to join an AD domain. What are
> your specific requirements that winbind can not fulfill that make you use PBIS
> Open?

Yes, PBIS Open was originally Likewise.
First off, I'm quite new to Windows AD; till now I just ran and maintained my own LDAP server and pointed Samba at it by specifying the IP and OU (using these guides to set up everything: http://tuxnetworks.blogspot.de/2010/07/howto-samba-ldap-on-1004-lucid-short.html).
Now I want to make use of the existing Windows AD, which I don't maintain and only have partial admin rights for my OU.

All I require is to forward user homes (to use on other machines in my environment) and a public share and limit that to a specific group in the AD; no printing or anything else is required.

The PBIS Open guide made it clear and easy how to find and limit services to my AD group on the machine and Samba, but the guide was actually done on Red Hat Enterprise Linux 5 desktop running Samba server version 3.0.33, but it was the only guide I could find.

In short, all I need is authentication limited to a specific AD group for Samba (and optionally the local log in).
If you have an up to date guide on how to do that on 12.04 LTS server, I'm all for it.
Comment 4 Jeremy Allison 2013-03-06 17:59:01 UTC
Sorry, none of the team uses PBIS and so we can't debug problems with it.

Re-open if you can reproduce the problem after using purely Samba code.

Jeremy.
Comment 5 Victor Duca 2013-03-06 18:03:53 UTC
(In reply to comment #4)
> Sorry, none of the team uses PBIS and so we can't debug problems with it.
> 
> Re-open if you can reproduce the problem after using purely Samba code.
> 
> Jeremy.

OK, but how do I make Samba use the AD as authentication back end? That was the purpose of PBIS.
Comment 6 Jeremy Allison 2013-03-06 18:23:06 UTC
Read the docs and ask questions on the mailing list. This doesn't seem like a bug report to me, sorry.

Jeremy.