
[Samba] Old, reliable samba 3.5 and Active directory suddenly not reliable


Robert M. Martel - CSU
Oct 22, 2012, 11:40:03 AM

Greetings,

I have an elderly installation of Samba 3.5.8 running on 10 Sparc
servers (and 3.5.12 on Solaris 9 servers with the same issue) set up as
Active Directory member servers. Since we've laid off everyone else
around here I have not had the opportunity to update the Samba
installation - and have not needed to, as it has been very solid.

Suddenly last Friday the Samba servers started having authentication
problems for the Active Directory users. Users were unable to map
drives; looking at files on the server I was seeing UID numbers rather
than the user's login ID for the files. Stopping and restarting Samba
did not help.

I took the machines out of Active Directory, and then re-added them -
which they did without a problem. After restarting Samba all was well,
for a while.

This morning some folks that had left themselves logged in over the
weekend were okay, but others could not map their drives. Interactive
logins for AD users did not work. I again left and rejoined the AD
domain and all was well for a bit, then I had to repeat the cycle.

I do not maintain or have access to the Active Directory servers or
configuration. The central IT people claim that they have not made any
changes to the AD servers...but they don't always tell me the whole truth.

I am building Samba 3.5.18 right now in the hope that it will make a
difference.

I've never had a problem like this since first "playing" with Samba and
Active directory more than 5 years ago - and certainly no issue like
this since putting it into production.
--
***********************************************************************
Robert M. Martel I met someone who looks a lot like you
System Administrator She does the things you do
Levin College of Urban Affairs But she is an IBM
Cleveland State University -Jeff Lynne
(216) 687-2214
r.ma...@csuohio.edu
***********************************************************************

Robert M. Martel - CSU
Oct 22, 2012, 11:50:03 AM

Greetings,

Something to add.

Had one of the Solaris 9 machines just stop working. I stopped Samba
and restarted it, and found the following in smblog.smbd:

[2012/10/22 11:37:00.299787, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials

I removed the machine from Active Directory and immediately re-added it
- I did NOT run kinit to get new credentials. Started Samba and the
machine works fine...for now.

Robert M. Martel - CSU
Oct 22, 2012, 2:50:01 PM

Greetings,

More responding to my own thread - but no solution in sight.

Still having the problem with Samba 3.5.18. New and different error
message from net ads testjoin:

#webdevel# net ads testjoin
[2012/10/22 14:23:07.317109, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients
credentials have been revoked
[2012/10/22 14:23:07.353280, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients
credentials have been revoked
Join to domain is not valid: Access denied


The Active Directory admins are still saying that they have not changed
anything on their side.

Brian Campbell
Oct 22, 2012, 3:10:02 PM

I'm not an expert in this, but I do know that one major cause of
Kerberos issues is clock skew. And that would explain the problem
kicking in suddenly when you've never seen it before. If the clocks
recently got out of sync with each other, you'd suddenly start hitting
mysterious problems.

Can you try checking the date and time on all of your machines,
including the Active Directory machines, and make sure that they
match?

-- Brian

Andrew Bartlett
Oct 22, 2012, 5:20:02 PM

On Mon, 2012-10-22 at 14:51 -0400, Robert M. Martel - CSU wrote:
> Greetings,
>
> More responding to my own thread - but no solution in sight.
>
> Still having the problem with Samba 3.5.18. New and different error
> message from net ads testjoin:
>
> #webdevel# net ads testjoin
> [2012/10/22 14:23:07.317109, 0] libads/kerberos.c:333(ads_kinit_password)
> kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients
> credentials have been revoked
> [2012/10/22 14:23:07.353280, 0] libads/kerberos.c:333(ads_kinit_password)
> kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients
> credentials have been revoked
> Join to domain is not valid: Access denied
>
>
> The Active Directory admins are still saying that they have not changed
> anything on their side.

It seems unlikely if you just re-joined, but in case we are talking
about multiple machines, could the password have been expired?

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Robert M. Martel - CSU
Oct 23, 2012, 11:10:01 AM

On 10/22/2012 05:10 PM, Andrew Bartlett wrote:
> On Mon, 2012-10-22 at 14:51 -0400, Robert M. Martel - CSU wrote:

>> [2012/10/22 14:23:07.353280, 0] libads/kerberos.c:333(ads_kinit_password)
>> kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients
>> credentials have been revoked
>> Join to domain is not valid: Access denied
>>
>>
>> The Active Directory admins are still saying that they have not changed
>> anything on their side.
>
> It seems unlikely if you just re-joined, but in case we are talking
> about multiple machines, could the password have been expired?

The problem existed for multiple machines.

After Brian Campbell's note I double-checked the clock-sync on the
servers and found it to be okay.

The Active Directory (AD) admins that "did not change anything" finally
reported having some vague problem with their domain server replication
that only seemed to affect *my* Samba servers (I may be the only person on
campus running Samba servers that are members of the university's Active
Directory system.)

There was some more hand waving, reports of trying to get some support
out of Microsoft, and finally a mention that *someone* had been making
some changes to AD config in preparation for moving from Lotus Notes
email to MS Exchange.

The AD admins then "did something else" and now the problem no longer
exists. I am still trying to get some real information as to what happened.

If I (ever) find out I will note it here. I always hate seeing problem
reports in email archives that never talk about resolution.

Thank you!

At least I got my Samba versions less out of date. Have to see if
building 3.6 is as much of a pain on Solaris as 3.5 has been.


Bart Janssens
Oct 23, 2012, 3:00:02 PM

Hi Robert,

You may want to consider installing the Solaris 10 Samba patches:
119757-25 (sparc)
119758-25 (x86)

-25 updates the Solaris 10 Samba package to 3.6.7

Regards,

-Bart

Andrew Bartlett
Oct 23, 2012, 8:40:01 PM

This might be password change replication.

We recently (fixed in latest 3.6) introduced a change to the timeout
applied when we change our machine account password. In short, when we
contacted AD, we would time out after 30 seconds, but it can take longer
than that for AD to change a machine account password, because (using
replication, the clue from the above) it must forward the change to the
PDC emulator before returning.

On the then broken connection the password is successfully changed but
the 'OK' is lost, so we still use the old pw (considering it a failure).
This then breaks the domain trust, quite possibly in the way you
describe.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
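The lost-'OK' race Andrew describes, as an added simulation that is not Samba's code or part of the original thread: AD commits the new machine password after a replication delay, the member server stops waiting after its timeout and keeps the old secret, and the domain trust breaks. The verify_on_timeout branch is an assumed recovery step for illustration, not the timeout fix Samba shipped in 3.6; class and parameter names are constructed, and all delays are simulated seconds.

```python
class DirectoryServer:
    """Stand-in for AD: the change is committed (forwarded to the PDC
    emulator) after commit_delay seconds, whether or not the caller
    is still listening for the OK."""

    def __init__(self, password, commit_delay):
        self.password = password
        self.commit_delay = commit_delay

    def change_password(self, old, new):
        """Commit the change and return how long the OK takes to arrive."""
        if old != self.password:
            raise PermissionError("credentials have been revoked")
        self.password = new
        return self.commit_delay

    def authenticate(self, password):
        """Machine account logon check, as AD would see it."""
        return password == self.password


class MemberServer:
    """Stand-in for the member server's machine account handling."""

    def __init__(self, password, timeout, verify_on_timeout):
        self.password = password
        self.timeout = timeout
        self.verify_on_timeout = verify_on_timeout  # assumed recovery step

    def rotate_password(self, ad, new):
        wait = ad.change_password(self.password, new)
        if wait <= self.timeout:
            self.password = new  # OK arrived in time: secrets agree
            return "changed"
        if self.verify_on_timeout and ad.authenticate(new):
            self.password = new  # OK was lost, but the new secret works
            return "changed-after-timeout"
        return "timed-out"  # old secret kept: AD has the new one, trust broken


def simulate(timeout, commit_delay, verify_on_timeout=False):
    """Run one rotation; return (outcome, whether the trust still works)."""
    ad = DirectoryServer("old-secret", commit_delay)
    member = MemberServer("old-secret", timeout, verify_on_timeout)
    outcome = member.rotate_password(ad, "new-secret")
    return outcome, ad.authenticate(member.password)


if __name__ == "__main__":
    print(simulate(30, 10))        # fast DC: ('changed', True)
    print(simulate(30, 45))        # slow replication: ('timed-out', False)
    print(simulate(30, 45, True))  # probe before giving up: trust intact
```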