[Samba] Wireless Production Servers Authentication of Active Directory with Inconsistent NTLM Auth Failures

2011-09-19 Thread Paul Taylor
Hi 

I work for a medium sized University and have recently set up some new 
infrastructure to authenticate our wireless users off Active Directory. 
Everything was working as expected, or so I thought. I set up a monitoring 
script that performs an ntlm_auth every minute, and it shows that the 
authentication is failing inconsistently, but for around 5 minutes at a time 
(see below). 

There are two development servers that I am trialling different configurations 
with to test.

The architecture is currently 5 RHEL5 64-bit servers running Radiator 4.4, 
authenticating off Active Directory. The database resides on Oracle 11.2g 
RAC. The service is load balanced behind a BIG-IP 6900.
 
DESIGN
All servers will be load balanced behind the BIG-IP. 
2 production servers Lismore
2 production servers Tweed
1 production server Coffs Harbour
Database residing on Oracle RAC 11.2g

CONFIGURATION
Radiator 4.4 using NTLM EAP PEAP
SAMBA 3.0.33-3.29 (ntlm_auth)

BIG-IP
Two Virtual Servers. One for auth port. One for accounting port.
Production Radius Pool = 5 servers
Load balanced method Round Robin
Monitors
1. Built in monitors for auth and accounting.

radiusdev1
smb.conf
[global]
workgroup = ROOT
realm = SCU.AD
security = ADS
password server = *

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SCU.AD
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SCU.AD = {
  kdc = lp-server2-wv.scu.ad
  admin_server = lp-server2-wv.scu.ad
  default_domain = scu.ad
 }

[domain_realm]
 .kerberos.server = SCU.AD
 .scu.ad = SCU.AD

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

radiusdev2
[global]
workgroup = ROOT
realm = SCU.AD
security = ADS
client schannel = Yes
server schannel = Yes
password server = 10.30.4.20, 10.30.4.21, *
client signing = required
server signing = required

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SCU.AD
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SCU.AD = {
  kdc = lp-server2-wv.scu.ad
  admin_server = lp-server2-wv.scu.ad
  default_domain = scu.ad
 }

[domain_realm]
 .kerberos.server = SCU.AD
 .scu.ad = SCU.AD

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Log of the failed NTLM auth

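As an added example, not code from the post or from Samba, here is a small Python script that turns a log of failed ntlm_auth probes in the format the monitoring script above produces (one "Mon Sep 12 00:38:08" line per failure, one probe a minute) into outage windows, so a monitor can tell a sustained DC outage from a single dropped probe. The probe interval, the 90-second merge gap, the year and the sample lines are assumptions.

```python
from datetime import datetime

PROBE_INTERVAL = 60        # seconds between monitoring probes, as in the post
GAP = PROBE_INTERVAL + 30  # merge gap with slack for probe jitter (assumed)
LOG_YEAR = 2011            # the log lines carry no year; taken from the post date

# Constructed sample: one line per failed probe, in the format the post shows.
SAMPLE_LOG = """\
Mon Sep 12 00:38:08
Mon Sep 12 00:38:09
Mon Sep 12 00:39:09
Mon Sep 12 00:39:09
Mon Sep 12 00:40:09
Mon Sep 12 00:40:09
Mon Sep 12 00:41:09
Mon Sep 12 00:41:09
Mon Sep 12 00:42:09
Mon Sep 12 00:42:09
Mon Sep 12 03:26:51
Mon Sep 12 03:27:51
Mon Sep 12 03:28:51
Tue Sep 13 05:55:38
"""

def parse_line(line, year=LOG_YEAR):
    """'Mon Sep 12 00:38:08' -> datetime (year supplied, weekday not checked)."""
    return datetime.strptime(f"{year} {line.strip()}", "%Y %a %b %d %H:%M:%S")

def failure_windows(lines, gap=GAP):
    """Return [(start, end, failed_minutes)], one tuple per outage window.
    Failures at most `gap` seconds apart are merged; duplicate lines for the
    same minute count once, so failed_minutes is how many probe minutes the
    DC did not answer (the post's 'around 5 minutes at a time')."""
    windows = []
    for ts in sorted(parse_line(l) for l in lines if l.strip()):
        minute = ts.replace(second=0)
        if windows and (ts - windows[-1][1]).total_seconds() <= gap:
            windows[-1][1] = ts          # extend the current window
            windows[-1][2].add(minute)
        else:
            windows.append([ts, ts, {minute}])
    return [(s, e, len(m)) for s, e, m in windows]

def sustained_outages(lines, min_minutes=3, gap=GAP):
    """Windows long enough to look like a DC/NETLOGON outage rather than one
    dropped probe; a monitor should alert on these, not on every failure."""
    return [w for w in failure_windows(lines, gap) if w[2] >= min_minutes]

def report(log_text):
    """One printable line per window, for an alert mail or a daily summary."""
    return [f"{s:%a %b %d %H:%M:%S} .. {e:%H:%M:%S}  {n} failed probe minute(s)"
            for s, e, n in failure_windows(log_text.splitlines())]
```

Feed it the monitor's log file (`report(open(path).read())`) and the second sample window shows a 3-minute outage, the third a one-off failure that should not page anyone.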

[Samba] Samba 3 password changes

2004-05-19 Thread Paul Taylor
I have Samba 3 running as a PDC on RedHat 9.0
15 XP, W2K and W98 workstations connect to it.

It is working fine.

However, the users cannot change their passwords from their workstations.
On XP, press ctrl-alt-del and select change password.
Enter old password and new password twice. Click OK and receive the
following message:

The server cannot change your password because the domain XXX is not
available.

There is no other problem connecting to the domain or any share contained
within it.



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Samba 3 password changes

2004-05-19 Thread Paul Taylor
I saw the thread on MS KB828741 and removed the patch via Control Panel.

Now the error I get when I attempt to change passwords is You do not have
permission to change your password.

The Samba log file for this machine shows the following entry;

[2004-05-20 13:46:51, 0] lib/util_sock.c:read_socket_with_timeout(279)
   read_socket_with_timeout: timeout read. read erro = Input/output error.






[Samba] Domain server member cannot locate logon server.

2004-05-09 Thread Paul Taylor
I have a RH90 linux computer running Samba 3.0.3 that functions as a PDC.
Netbios name = MAIL
Everything runs fine.

I have another RH90 linux computer running Samba 3.0.3 as a Domain Server
member. Netbios name = WEB

I can browse to WEB, but cannot browse into WEB. Each time I try to connect
I get a message that indicates a logon server is not available.

If I execute 'smbclient -L web ' in a terminal window on web, I am asked for
a password. I enter the 'root' password and get the message session setup
failed: NT_STATUS_NO_LOGON_SERVERS.

I have searched high and low for an explanation.
Can anyone shed any light on my problem?

Thank you.
 
Paul Taylor




Re: [Samba] Win2k DC no longer authenticates for Samba shares

2003-01-28 Thread Paul Taylor
[snip]
Jan 27 19:25:51 mark smbd[13448]: [2003/01/27 19:25:51, 0]
rpc_client/cli_trust.c:change_trust_account_password(247)
Jan 27 19:25:51 mark smbd[13448]:   2003/01/27 19:25:51 :
change_trust_account_password: Failed to change password for domain
DOMAINNAME.

I've seen this error whenever I upgrade Samba; it appears to invalidate
the previous domain membership, even though I copy the secrets.tdb etc.
files across to the new version.

I think I've also seen it when I tried joining a domain that Samba was
already a member of - it cancels the previous membership?

The only workaround I've found to date is to delete the machine from the
domain on the domain controller, add it back and then join the domain
from Samba (smbpasswd -j domain.)  The last step may not be strictly
necessary, but it confirms that Samba and the DC are on speaking terms
again.

Any ideas on how to avoid these problems would be appreciated.

-- 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   Paul Taylor
   [EMAIL PROTECTED]



Re: [Samba] more info - NT_STATUS_ACCESS_DENIED opening remote file

2003-01-27 Thread Paul Taylor
On Jan 27, 10:33, Ben Scarbeau wrote:
 Subject: [Samba] more info - NT_STATUS_ACCESS_DENIED opening remote file

 Thanks to those who had suggestions on my last post, but none of those
 seems to have worked.  I have narrowed down the problem a bit though,
 seems users can't write to a share that is not their primary group.
 For example:  Bob's primary group is Bob and secondary group is Sally.
 Bob can write to the Bob group share but not the Sally group share.
 Any more thoughts/suggestions?  Thanks again in advance.

After upgrading to Samba 2.2.7a, a couple of users complained about not
being able to access directories via group access - it worked fine in 2.2.0.
Both of the affected users had 14 or more secondary groups - removing them
from some unnecessary groups got around the problem.

The number of groups _doesn't_ seem to be the whole problem, though - when
I tried to reproduce the problem with a test user and groups, it worked
fine.  The length of the group(s) name may be significant - I didn't
investigate this.  (I tried using smbclient with a higher debug level,
but it just spewed a bunch of meaningless numbers etc.)

-- 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   Paul Taylor
   [EMAIL PROTECTED]



[Samba] Samba 2.2.7a - Unix groups bug?

2003-01-27 Thread Paul Taylor
Further to comments made in another thread, Samba 2.2.7a appears to
limit the maximum number of Unix groups a user can have to 13
(NGROUPS_MAX - 3.)

The cause appears to be Samba adding to the groups list returned
by the getgroups() system call, such that a subsequent setgroups()
call has the number of groups set to (# of groups + 3).

For instance, my account has 12 groups; running truss against the smbd
thread for my account showed it calling setgroups(15, 0x.);
For another user who has 14 groups, the call is setgroups(17, 0x);
- this fails with Err#22 EINVAL, since 17 is greater than NGROUPS_MAX
(= 16 under Solaris.)

The difference of 3 groups may be environment/implementation specific.

This behaviour didn't occur under Samba 2.2.0, so I suspect that
one of the fixes to group handling mentioned in the Changelogs is
responsible.

Any ideas?

Thanks in advance.

-- 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   Paul Taylor
   [EMAIL PROTECTED]



[Samba] Samba upgrade and NT domain membership

2003-01-23 Thread Paul Taylor
Hi all,

I have a number of Samba servers that are members of an NT domain
(i.e. the PDC/BDC runs NT.)  This works fine until I need to
upgrade Samba - then it loses its membership of the domain.
(I take a copy of the current Samba directory and install the new
version over the top so that the secrets.tdb file etc. are retained.)

The only way I found to restore the domain membership is to delete the
Samba server from the domain on the PDC and add it back again, then run
smbpasswd -j domainname on the Samba server.

Is there a way to keep the previous domain membership across an upgrade?
Failing that, is there a simpler way to restore the domain membership?
(Preferably without needing access to the PDC.)

Thanks in advance.

-- 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   Paul Taylor
   [EMAIL PROTECTED]