
[Samba] Samba 4.0.6 update - login issues


Kristofer Pettijohn

Jun 6, 2013, 1:00:02 AM
I updated all 14 of our Domain Controllers to 4.0.6, and now I am having random authentication issues.

Our radius server uses ntlm_auth to authenticate users. Every morning at 3AM since the update, ntlm_auth fails to authenticate. If I restart Samba 4 on the domain controller that the radius server connects to, then authentication works again.

In addition, I am running Samba 3.5.10-125.el6 with winbind on all of our file servers. Users randomly become unable to authenticate and connect to file shares. If I restart Samba 4 on the domain controller closest to the file server, they are able to authenticate again. Simply restarting winbind doesn't resolve it. I need to restart the samba daemons on the domain controller.

What might be causing this?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett

Jun 7, 2013, 8:40:01 PM
On Wed, 2013-06-05 at 23:49 -0500, Kristofer Pettijohn wrote:
> I updated all 14 of our Domain Controllers to 4.0.6, and now I am having random authentication issues.

What version did you upgrade from?

> Our radius server uses ntlm_auth to authenticate users. Every morning
> at 3AM since the update, ntlm_auth fails to authenticate. If I
> restart Samba 4 on the domain controller that the radius server
> connects to, then authentication works again.
>
> In addition, I am running Samba 3.5.10-125.el6 with winbind on all of
> our file servers. Users randomly become unable to authenticate and
> connect to file shares. If I restart Samba 4 on the domain controller
> closest to the file server, they are able to authenticate again.
> Simply restarting winbind doesn't resolve it. I need to restart the
> samba daemons on the domain controller.
>
> What might be causing this?

I would need logs and network traces to investigate this further.

Could it be a kerberos ticket expiring?

Does it still happen if you upgrade a test member server to 3.6 or 4.0
(so we can narrow down the issue)?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Kristofer Pettijohn

Jun 8, 2013, 8:30:02 PM
I should also mention that I do not think it is the Samba version, because I have one of my DCs set up to use winbind to authenticate against the directory, and when this happens, I am unable to authenticate using my AD credentials until I restart the Samba DC processes.

Kristofer Pettijohn

Jun 11, 2013, 1:10:02 AM
> I would need logs and network traces to investigate this further.
>
> Could it be a kerberos ticket expiring?
>
> Does it still happen if you upgrade a test member server to 3.6 or 4.0
> (so we can narrow down the issue)?

I have logs (debug 16 from the client) and a network trace. If you would like me to send them somewhere, let me know where you would like them.


Received an alert that Radius authentication fails (ntlm)

Log into Radius server via ssh, which uses winbind for auth - receive this error: Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable

Ran "net ads info"

[root@durad1 ~]# net ads info
LDAP server: 10.9.10.81
LDAP server name: brsad.ad.bigrocksports.com
Realm: AD.BIGROCKSPORTS.COM
Bind Path: dc=AD,dc=BIGROCKSPORTS,dc=COM
LDAP port: 389
Server time: Tue, 11 Jun 2013 00:42:44 EDT
KDC server: 10.9.10.81
Server time offset: 0

Ran "net ads lookup"

[root@durad1 ~]# net ads lookup
Information for Domain Controller: 10.9.10.81

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 61b8eb21-20b7-459b-8d7e-224ea1fa85d5
Flags:

Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: no
Forest: ad.bigrocksports.com
Domain: ad.bigrocksports.com
Domain Controller: brsad.ad.bigrocksports.com
Pre-Win2k Domain: BRS
Pre-Win2k Hostname: BRSAD
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

tried a winbind ping

[root@durad1 ~]# wbinfo -p
Ping to winbindd succeeded

id <username> fails with "No such user"

kinit user...@AD.BIGROCKSPORTS.COM works.

Email server authenticates against LDAP - and that is working without an issue.

Restarted winbind on Radius server, did not change failed results

ntlm_auth fails

[root@durad1 ~]# /usr/bin/ntlm_auth --request-nt-key --domain=AD.BIGROCKSPORTS.COM --username=kpettijohn --password=<password>
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)

Attempted to leave and re-join the domain:

[root@durad1 samba]# net ads join -U Administrator
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain 'AD.BIGROCKSPORTS.COM' over rpc: The connection was refused

Restart samba DC on 10.9.10.81 (brsad.ad.bigrocksports.com), and machine can now join and ntlm_auth works.
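The checks in this post, run in the same order (LDAP discovery, winbindd, trust secret, NTLM logon), as a script a member server such as the radius host could run from cron each hour. This is an added example, not code from the thread or from Samba; it assumes net, wbinfo and ntlm_auth are on PATH and that the check account's password is kept in a root-only file whose path is passed as the third argument. It separates the thread's infrastructure symptom (NT_STATUS_NO_LOGON_SERVERS) from ordinary credential failures so only the former pages anyone.

```shell
#!/bin/sh
# Added example (not from the thread): layer-by-layer auth health check for a
# Samba member server. Assumptions: net, wbinfo, ntlm_auth on PATH; the check
# account's password is read from a root-only file given as argument 3.

# Map an ntlm_auth status line to a verdict the alerting logic can act on.
classify_ntlm_status() {
    case "$1" in
        *NT_STATUS_OK*)               echo "ok" ;;
        # winbindd has no usable DC connection: the symptom seen in this thread
        *NT_STATUS_NO_LOGON_SERVERS*) echo "dc-unreachable" ;;
        # Wrong password or unknown user: an account problem, not infrastructure
        *NT_STATUS_WRONG_PASSWORD*|*NT_STATUS_LOGON_FAILURE*|*NT_STATUS_NO_SUCH_USER*)
                                      echo "credential-failure" ;;
        *)                            echo "unknown" ;;
    esac
}

# Run the layers in the order the post did: LDAP/KDC discovery, winbindd ping,
# machine trust secret over RPC, then an NTLM logon. Prints "<layer>=<verdict>".
run_auth_checks() {
    domain="$1"; user="$2"; passfile="$3"
    if net ads info >/dev/null 2>&1; then echo "ldap=ok"; else echo "ldap=fail"; fi
    if wbinfo -p >/dev/null 2>&1; then echo "winbindd=ok"; else echo "winbindd=fail"; fi
    if wbinfo -t >/dev/null 2>&1; then echo "trust=ok"; else echo "trust=fail"; fi
    out=$(ntlm_auth --request-nt-key --domain="$domain" --username="$user" \
                    --password="$(cat "$passfile")" 2>&1 | grep NT_STATUS_ | tail -n 1)
    echo "ntlm=$(classify_ntlm_status "$out")"
}

# Timestamp every run so failures can be correlated with the top-of-hour pattern;
# exit non-zero only for an infrastructure fault, so cron mails on what matters.
main() {
    results=$(run_auth_checks "$@")
    printf '%s %s\n' "$(date '+%F %T')" "$(echo "$results" | tr '\n' ' ')"
    case "$results" in
        *dc-unreachable*|*winbindd=fail*|*trust=fail*) return 1 ;;
    esac
    return 0
}

# Usage: AUTHCHECK_RUN=1 ./authcheck.sh AD.EXAMPLE.COM monitor-user /etc/authcheck.pass
if [ "${AUTHCHECK_RUN:-}" = "1" ]; then main "$@"; fi
```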

Kristofer Pettijohn

Jun 13, 2013, 1:20:02 AM
It happened again. When it happens, it happens at exactly the top of the hour. Same symptoms and results as below.

Kristofer Pettijohn

Jul 13, 2013, 3:30:02 PM
Is it possible that this may be related to and fixed by the patch in this bug: https://bugzilla.samba.org/show_bug.cgi?id=9820

Andrew Bartlett

Jul 13, 2013, 6:00:01 PM
On Sat, 2013-07-13 at 14:23 -0500, Kristofer Pettijohn wrote:
> Is it possible that this may be related to and fixed by the patch in
> this bug: https://bugzilla.samba.org/show_bug.cgi?id=9820

I really need you to tell me that, not the other way around.

It seems unlikely however, but you are of course free to test.

Sorry,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
