[Samba] Wireless Production Servers Authentication of Active Directory with Inconsistent NTLM Auth Failures
Hi,

I work for a medium-sized university and have recently set up some new infrastructure to authenticate our wireless users off Active Directory. Everything was working as expected, or so I thought. I set up a monitoring script that performs an ntlm_auth every minute, and it shows that authentication is failing inconsistently, but for around 5 minutes at a time (see below). There are two development servers on which I am trialling different configurations to test.

The architecture is currently 5 RHEL5 64-bit servers running Radiator 4.4 authenticating off Active Directory. The database resides on Oracle 11.2g RAC. The service is load balanced behind a BIG-IP 6900.

DESIGN

  All servers will be load balanced behind the BIG-IP.
  2 production servers: Lismore
  2 production servers: Tweed
  1 production server: Coffs Harbour
  Database residing on Oracle RAC 11.2g

CONFIGURATION

  Radiator 4.4 using NTLM EAP PEAP
  SAMBA 3.0.33-3.29 (ntlm_auth)
  BIG-IP: Two Virtual Servers. One for auth port. One for accounting port.
  Production Radius Pool = 5 servers
  Load balanced method: Round Robin
  Monitors: 1. Built-in monitors for auth and accounting.
radiusdev1

smb.conf:

  [global]
        workgroup = ROOT
        realm = SCU.AD
        security = ADS
        password server = *

  [homes]
        comment = Home Directories
        read only = No
        browseable = No

  [printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = SCU.AD
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   forwardable = yes

  [realms]
   SCU.AD = {
    kdc = lp-server2-wv.scu.ad
    admin_server = lp-server2-wv.scu.ad
    default_domain = scu.ad
   }

  [domain_realm]
   .kerberos.server = SCU.AD
   .scu.ad = SCU.AD

  [appdefaults]
   pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
   }

Log of the failed NTLM auth:

  Mon Sep 12 00:38:08
  Mon Sep 12 00:38:09
  Mon Sep 12 00:39:09
  Mon Sep 12 00:39:09
  Mon Sep 12 00:40:09
  Mon Sep 12 00:40:09
  Mon Sep 12 00:41:09
  Mon Sep 12 00:41:09
  Mon Sep 12 00:42:09
  Mon Sep 12 00:42:09
  Mon Sep 12 03:26:51
  Mon Sep 12 03:26:51
  Mon Sep 12 03:27:51
  Mon Sep 12 03:27:51
  Mon Sep 12 03:28:51
  Mon Sep 12 03:28:51
  Mon Sep 12 03:29:51
  Mon Sep 12 03:29:51
  Mon Sep 12 03:30:51
  Mon Sep 12 03:30:51
  Tue Sep 13 05:55:38
  Tue Sep 13 05:55:38
  Tue Sep 13 05:56:39
  Tue Sep 13 05:56:39
  Tue Sep 13 05:57:39
  Tue Sep 13 05:57:39
  Tue Sep 13 05:58:39
  Tue Sep 13 05:58:39
  Tue Sep 13 05:59:39
  Tue Sep 13 05:59:39
  Wed Sep 14 12:32:19
  Wed Sep 14 12:32:19
  Wed Sep 14 12:33:19
  Wed Sep 14 12:33:19
  Wed Sep 14 12:34:19
  Wed Sep 14 12:34:19
  Wed Sep 14 12:35:20
  Wed Sep 14 12:35:20
  Wed Sep 14 12:36:20
  Wed Sep 14 12:36:20

radiusdev2

smb.conf:

  [global]
        workgroup = ROOT
        realm = SCU.AD
        security = ADS
        client schannel = Yes
        server schannel = Yes
        password server = 10.30.4.20, 10.30.4.21, *
        client signing = required
        server signing = required

  [homes]
        comment = Home Directories
        read only = No
        browseable = No

  [printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = SCU.AD
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   forwardable = yes

  [realms]
   SCU.AD = {
    kdc = lp-server2-wv.scu.ad
    admin_server = lp-server2-wv.scu.ad
    default_domain = scu.ad
   }

  [domain_realm]
   .kerberos.server = SCU.AD
   .scu.ad = SCU.AD

  [appdefaults]
   pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
   }

Log of the failed NTLM auth:

  Mon Sep 12 05:03:38
  Mon Sep 12 05:03:39
  Mon Sep 12 05:04:39
  Mon Sep 12 05:04:39
  Mon Sep 12 05:05:39
  Mon Sep 12 05:05:39
  Mon Sep 12 05:06:39
  Mon Sep 12 05:06:39
  Mon Sep 12 05:07:39
  Mon Sep 12 05:07:39
  Mon Sep 12 19:35:32
  Mon Sep 12 19:35:32
  Mon Sep 12 19:36:32
  Mon Sep 12 19:36:32
  Mon Sep 12 19:37:32
  Mon Sep 12 19:37:32
  Mon Sep 12 19:38:32
  Mon Sep 12 19:38:32
  Mon Sep 12 19:39:32
  Mon Sep 12 19:39:32
  Mon Sep 12 20:22:42
  Mon Sep 12 20:22:42
  Mon Sep 12 20:23:42
  Mon Sep 12 20:23:43
  Mon Sep 12 20:24:43
  Mon Sep 12 20:24:43
  Mon Sep 12 20:25:43
  Mon Sep 12 20:25:43
  Mon Sep 12 20:26:43
  Mon Sep 12 20:26:43
  Mon Sep 12 20:27:43
  Mon Sep 12 20:27:43
  Mon Sep 12 20:28:43
  Mon Sep 12 20:28:43
  Mon Sep 12 20:29:43
  Mon Sep 12 20:29:43
  Mon Sep 12 20:30:43
  Mon Sep 12 20:30:43
  Mon Sep 12 20:31:43
  Mon Sep 12 20:31:43
  Tue Sep 13 11:52:40
  Tue Sep 13 11:52:40
  Tue Sep 13 11:53:40
  Tue Sep 13 11:53:40
  Tue Sep 13 11:54:40
  Tue Sep 13 11:54:40
  Tue Sep 13 11:55:40
  Tue Sep 13 11:55:40
  Tue Sep 13 11:56:40
  Tue Sep 13 11:56:40
  Tue Sep 13
[Samba] Inconsistent NT_STATUS_NO_LOGON_SERVERS with AD (multi domain)
Hi,

I work for a medium-sized university and have recently set up some new infrastructure to authenticate our wireless users off Active Directory. Everything was working as expected, or so I thought. I set up a monitoring script that performs an ntlm_auth every minute, and it shows that authentication is failing inconsistently, but for around 5 minutes at a time (see below). There are two development servers on which I am trialling different configurations to test.

The architecture is currently 5 RHEL5 64-bit servers running Radiator 4.4 authenticating off Active Directory. The database resides on Oracle 11.2g RAC. The service is load balanced behind a BIG-IP 6900.

DESIGN

  All servers will be load balanced behind the BIG-IP.
  2 production servers: site1
  2 production servers: site2
  1 production server: site3
  Database residing on Oracle RAC 11.2g

CONFIGURATION

  Radiator 4.4 using NTLM EAP PEAP
  SAMBA 3.0.33-3.29 (ntlm_auth)
  BIG-IP: Two Virtual Servers. One for auth port. One for accounting port.
  Production Radius Pool = 5 servers
  Load balanced method: Round Robin
  Monitors: 1. Built-in monitors for auth and accounting.
radiusdev1

smb.conf:

  [global]
        workgroup = ROOT
        realm = SCU.AD
        security = ADS
        password server = *

  [homes]
        comment = Home Directories
        read only = No
        browseable = No

  [printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = SCU.AD
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   forwardable = yes

  [realms]
   SCU.AD = {
    kdc = lp-server2-wv.scu.ad
    admin_server = lp-server2-wv.scu.ad
    default_domain = scu.ad
   }

  [domain_realm]
   .kerberos.server = SCU.AD
   .scu.ad = SCU.AD

  [appdefaults]
   pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
   }

Log of the failed NTLM auth:

  Mon Sep 12 00:38:08
  Mon Sep 12 00:38:09
  Mon Sep 12 00:39:09
  Mon Sep 12 00:39:09
  Mon Sep 12 00:40:09
  Mon Sep 12 00:40:09
  Mon Sep 12 00:41:09
  Mon Sep 12 00:41:09
  Mon Sep 12 00:42:09
  Mon Sep 12 00:42:09
  Mon Sep 12 03:26:51
  Mon Sep 12 03:26:51
  Mon Sep 12 03:27:51
  Mon Sep 12 03:27:51
  Mon Sep 12 03:28:51
  Mon Sep 12 03:28:51
  Mon Sep 12 03:29:51
  Mon Sep 12 03:29:51
  Mon Sep 12 03:30:51
  Mon Sep 12 03:30:51
  Tue Sep 13 05:55:38
  Tue Sep 13 05:55:38
  Tue Sep 13 05:56:39
  Tue Sep 13 05:56:39
  Tue Sep 13 05:57:39
  Tue Sep 13 05:57:39
  Tue Sep 13 05:58:39
  Tue Sep 13 05:58:39
  Tue Sep 13 05:59:39
  Tue Sep 13 05:59:39
  Wed Sep 14 12:32:19
  Wed Sep 14 12:32:19
  Wed Sep 14 12:33:19
  Wed Sep 14 12:33:19
  Wed Sep 14 12:34:19
  Wed Sep 14 12:34:19
  Wed Sep 14 12:35:20
  Wed Sep 14 12:35:20
  Wed Sep 14 12:36:20
  Wed Sep 14 12:36:20

radiusdev2

smb.conf:

  [global]
        workgroup = ROOT
        realm = SCU.AD
        security = ADS
        client schannel = Yes
        server schannel = Yes
        password server = 10.30.4.20, 10.30.4.21, *
        client signing = required
        server signing = required

  [homes]
        comment = Home Directories
        read only = No
        browseable = No

  [printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = SCU.AD
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   forwardable = yes

  [realms]
   SCU.AD = {
    kdc = lp-server2-wv.scu.ad
    admin_server = lp-server2-wv.scu.ad
    default_domain = scu.ad
   }

  [domain_realm]
   .kerberos.server = SCU.AD
   .scu.ad = SCU.AD

  [appdefaults]
   pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
   }

Log of the failed NTLM auth:

  Mon Sep 12 05:03:38
  Mon Sep 12 05:03:39
  Mon Sep 12 05:04:39
  Mon Sep 12 05:04:39
  Mon Sep 12 05:05:39
  Mon Sep 12 05:05:39
  Mon Sep 12 05:06:39
  Mon Sep 12 05:06:39
  Mon Sep 12 05:07:39
  Mon Sep 12 05:07:39
  Mon Sep 12 19:35:32
  Mon Sep 12 19:35:32
  Mon Sep 12 19:36:32
  Mon Sep 12 19:36:32
  Mon Sep 12 19:37:32
  Mon Sep 12 19:37:32
  Mon Sep 12 19:38:32
  Mon Sep 12 19:38:32
  Mon Sep 12 19:39:32
  Mon Sep 12 19:39:32
  Mon Sep 12 20:22:42
  Mon Sep 12 20:22:42
  Mon Sep 12 20:23:42
  Mon Sep 12 20:23:43
  Mon Sep 12 20:24:43
  Mon Sep 12 20:24:43
  Mon Sep 12 20:25:43
  Mon Sep 12 20:25:43
  Mon Sep 12 20:26:43
  Mon Sep 12 20:26:43
  Mon Sep 12 20:27:43
  Mon Sep 12 20:27:43
  Mon Sep 12 20:28:43
  Mon Sep 12 20:28:43
  Mon Sep 12 20:29:43
  Mon Sep 12 20:29:43
  Mon Sep 12 20:30:43
  Mon Sep 12 20:30:43
  Mon Sep 12 20:31:43
  Mon Sep 12 20:31:43
  Tue Sep 13 11:52:40
  Tue Sep 13 11:52:40
  Tue Sep 13 11:53:40
  Tue Sep 13 11:53:40
  Tue Sep 13 11:54:40
  Tue Sep 13 11:54:40
  Tue Sep 13 11:55:40
  Tue Sep 13 11:55:40
  Tue Sep 13 11:56:40
  Tue Sep 13 11:56:40
  Tue Sep 13 14:36:01
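As an added example for the two posts above (it is not part of either post, nor Radiator's or Samba's own code), here is a Python version of the per-minute ntlm_auth probe together with a function that turns a list of failed-probe timestamps into outage windows. It assumes ntlm_auth is on PATH for the live probe and assumes the year 2011 for the undated log lines; the timestamps embedded as sample input are the radiusdev1 failures quoted above, and the windows it computes for them are the three five-probe outages the post describes.

```python
"""Probe AD authentication with ntlm_auth and cluster failed probes into outage windows.

Added example, not from the posts. run_probe() needs Samba's ntlm_auth on PATH;
failure_windows() works offline on the timestamps quoted in the post.
"""
import re
import subprocess
from datetime import datetime

STATUS_RE = re.compile(r"(NT_STATUS_[A-Z0-9_]+)")

# Failure timestamps taken from the radiusdev1 log in the post (each appears twice there;
# duplicates are collapsed in failure_windows). The log carries no year, so 2011 is assumed.
SAMPLE_FAILURES = [
    "Mon Sep 12 00:38:08", "Mon Sep 12 00:39:09", "Mon Sep 12 00:40:09",
    "Mon Sep 12 00:41:09", "Mon Sep 12 00:42:09",
    "Mon Sep 12 03:26:51", "Mon Sep 12 03:27:51", "Mon Sep 12 03:28:51",
    "Mon Sep 12 03:29:51", "Mon Sep 12 03:30:51",
    "Tue Sep 13 05:55:38", "Tue Sep 13 05:56:39", "Tue Sep 13 05:57:39",
    "Tue Sep 13 05:58:39", "Tue Sep 13 05:59:39",
]
ASSUMED_YEAR = 2011


def parse_probe_output(returncode, output):
    """Map one ntlm_auth run to (ok, NT_STATUS code). ntlm_auth prints a line such as
    'NT_STATUS_OK: Success (0x0)' and exits 0 only on success; anything else is a failure."""
    match = STATUS_RE.search(output)
    status = match.group(1) if match else "UNKNOWN"
    return (returncode == 0 and status == "NT_STATUS_OK", status)


def run_probe(username, password, domain):
    """One monitoring probe through the local winbindd, like the post's per-minute script.
    Use a dedicated low-privilege monitoring account: the password is visible in the
    process list while ntlm_auth runs."""
    cmd = ["ntlm_auth", "--request-nt-key", f"--domain={domain}",
           f"--username={username}", f"--password={password}"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_probe_output(proc.returncode, proc.stdout + proc.stderr)


def parse_stamp(stamp, year=ASSUMED_YEAR):
    """'Mon Sep 12 00:38:08' -> datetime; the year is supplied by the caller."""
    return datetime.strptime(f"{year} {stamp}", "%Y %a %b %d %H:%M:%S")


def failure_windows(stamps, year=ASSUMED_YEAR, max_gap_s=90):
    """Group failed probes into outages. Probes run once a minute, so a gap of more than
    max_gap_s between two failures means a successful probe lay between them and a new
    window starts. Returns [{'start', 'end', 'count', 'duration_s'}, ...] in time order."""
    times = sorted({parse_stamp(s, year) for s in stamps})
    windows = []
    for t in times:
        if windows and (t - windows[-1]["end"]).total_seconds() <= max_gap_s:
            windows[-1]["end"] = t
            windows[-1]["count"] += 1
        else:
            windows.append({"start": t, "end": t, "count": 1})
    for w in windows:
        w["duration_s"] = int((w["end"] - w["start"]).total_seconds())
    return windows


if __name__ == "__main__":
    for w in failure_windows(SAMPLE_FAILURES):
        print(f"{w['start']:%a %b %d %H:%M:%S} .. {w['end']:%H:%M:%S}  "
              f"{w['count']} failed probes, {w['duration_s']} s")
```

The 90-second gap threshold is 1.5 probe intervals, so a single successful probe between two failures splits the windows; feeding the script the full log for each development server gives the outage length and count per server, which is what you need to correlate against the DC each box was bound to at the time.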
[Samba] Samba 3 password changes
I have Samba 3 running as a PDC on RedHat 9.0. 15 XP, W2K and W98 workstations connect to it. It is working fine. However, the users cannot change their passwords from their workstations.

On XP, press Ctrl-Alt-Del and select Change Password. Enter the old password and the new password twice. Click OK and receive the following message:

  The server cannot change your password because the domain XXX is not available.

There is no other problem connecting to the domain or any share contained within it.

-- 
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Samba 3 password changes
I saw the thread on MS KB828741 and removed the patch via Control Panel. Now the error I get when I attempt to change passwords is:

  You do not have permission to change your password.

The Samba log file for this machine shows the following entry:

  [2004-05-20 13:46:51, 0] lib/util_sock.c:read_socket_with_timeout(279)
    read_socket_with_timeout: timeout read. read erro = Input/output error.

Paul Taylor wrote:
> I have Samba 3 running as a PDC on RedHat 9.0. 15 XP, W2K and W98 workstations connect to it. It is working fine. However, the users cannot change their passwords from their workstations.
>
> On XP, press Ctrl-Alt-Del and select Change Password. Enter the old password and the new password twice. Click OK and receive the following message:
>
>   The server cannot change your password because the domain XXX is not available.
>
> There is no other problem connecting to the domain or any share contained within it.
[Samba] Domain server member cannot locate logon server.
I have a RH90 Linux computer running Samba 3.0.3 that functions as a PDC. NetBIOS name = MAIL. Everything runs fine.

I have another RH90 Linux computer running Samba 3.0.3 as a Domain Server member. NetBIOS name = WEB. I can browse to WEB, but cannot browse into WEB. Each time I try to connect I get a message that indicates a logon server is not available.

If I execute 'smbclient -L web' in a terminal window on web, I am asked for a password. I enter the 'root' password and get the message:

  session setup failed: NT_STATUS_NO_LOGON_SERVERS

I have searched high and low for an explanation. Can anyone shed any light on my problem?

Thank you.

Paul Taylor
Re: [Samba] Win2k DC no longer authenticates for Samba shares
[snip]

  Jan 27 19:25:51 mark smbd[13448]: [2003/01/27 19:25:51, 0] rpc_client/cli_trust.c:change_trust_account_password(247)
  Jan 27 19:25:51 mark smbd[13448]: 2003/01/27 19:25:51 : change_trust_account_password: Failed to change password for domain DOMAINNAME.

I've seen this error whenever I upgrade Samba; it appears to invalidate the previous domain membership, even though I copy the secrets.tdb etc. files across to the new version. I think I've also seen it when I tried joining a domain that Samba was already a member of - it cancels the previous membership?

The only workaround I've found to date is to delete the machine from the domain on the domain controller, add it back and then join the domain from Samba (smbpasswd -j domain). The last step may not be strictly necessary, but it confirms that Samba and the DC are on speaking terms again.

Any ideas on how to avoid these problems would be appreciated.

-- 
Paul Taylor
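The two smbd log excerpts on this page (the read_socket_with_timeout entry in the password-change reply above and the change_trust_account_password lines quoted here) share one header layout, so here is an added parser for it, written for this page rather than taken from Samba. The sample entries are constructed from those quoted lines (hostname mark and pid 13448 come from the syslog-wrapped lines above); the level-3 entry is invented filler to show that non-error levels are ignored, and the hyphenated date form is accepted because the first reply transcribed it that way.

```python
"""Parse smbd log entries (bare or syslog-wrapped) and flag level-0 errors.

Added example, not from the posts or from Samba. Sample lines are constructed from the
entries quoted on this page; the level-3 entry is invented filler.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Optional syslog prefix, e.g. "Jan 27 19:25:51 mark smbd[13448]: "
SYSLOG_PREFIX = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ \S+?\[\d+\]: "
PREFIX_RE = re.compile("^" + SYSLOG_PREFIX)
# Samba header line: "[2003/01/27 19:25:51, 0] rpc_client/cli_trust.c:change_trust_account_password(247)"
HEADER_RE = re.compile(
    "^(?:" + SYSLOG_PREFIX + ")?"
    + r"\[(?P<ts>\d{4}[/-]\d\d[/-]\d\d \d\d:\d\d:\d\d), *(?P<level>\d+)\] "
    + r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

SAMPLE_LOG = """\
Jan 27 19:25:51 mark smbd[13448]: [2003/01/27 19:25:51, 0] rpc_client/cli_trust.c:change_trust_account_password(247)
Jan 27 19:25:51 mark smbd[13448]: 2003/01/27 19:25:51 : change_trust_account_password: Failed to change password for domain DOMAINNAME.
[2004-05-20 13:46:51, 0] lib/util_sock.c:read_socket_with_timeout(279)
  read_socket_with_timeout: timeout read. read error = Input/output error.
[2004-05-20 13:46:55, 3] smbd/service.c:make_connection(100)
  constructed level-3 entry that must not be reported as an error
"""


@dataclass
class SambaLogEntry:
    timestamp: datetime
    level: int          # Samba debug level; 0 is reserved for errors
    source_file: str
    function: str
    line: int
    message: str = ""


def parse_samba_log(text):
    """Turn header + continuation lines into entries. Syslog prefixes are stripped and a
    message spanning several continuation lines is joined with single spaces."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"].replace("-", "/"), "%Y/%m/%d %H:%M:%S")
            entries.append(SambaLogEntry(ts, int(m["level"]), m["file"],
                                         m["func"], int(m["line"])))
        elif entries:
            body = PREFIX_RE.sub("", raw, count=1).strip()
            if body:
                entries[-1].message = f"{entries[-1].message} {body}".strip()
    return entries


def error_counts(entries, max_level=0):
    """Count entries at or below max_level by the function that emitted them."""
    counts = {}
    for e in entries:
        if e.level <= max_level:
            counts[e.function] = counts.get(e.function, 0) + 1
    return counts


def trust_relationship_broken(entries):
    """True when smbd failed to rotate the machine account password: the domain
    membership this server depends on is no longer usable until it is re-joined."""
    return any(e.level == 0 and e.function == "change_trust_account_password"
               for e in entries)


if __name__ == "__main__":
    parsed = parse_samba_log(SAMPLE_LOG)
    print(error_counts(parsed))
    print("trust broken:", trust_relationship_broken(parsed))
```

Pointing parse_samba_log at log.smbd (or at the syslog file when Samba logs through syslog) and alerting on trust_relationship_broken gives an early warning that a member server has dropped out of the domain, which both replies on this page found out only when users started failing.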
Re: [Samba] more info - NT_STATUS_ACCESS_DENIED opening remote file
On Jan 27, 10:33, Ben Scarbeau wrote:
> Subject: [Samba] more info - NT_STATUS_ACCESS_DENIED opening remote file
>
> Thanks to those who had suggestions on my last post, but none of those seems to have worked. I have narrowed down the problem a bit though: it seems users can't write to a share that is not their primary group. For example: Bob's primary group is Bob and secondary group is Sally. Bob can write to the Bob group share but not the Sally group share. Any more thoughts/suggestions? Thanks again in advance.

After upgrading to Samba 2.2.7a, a couple of users complained about not being able to access directories via group access - it worked fine in 2.2.0. Both of the affected users had 14 or more secondary groups; removing them from some unnecessary groups got around the problem.

The number of groups _doesn't_ seem to be the whole problem, though: when I tried to reproduce the problem with a test user and groups, it worked fine. The length of the group name(s) may be significant; I didn't investigate this. (I tried using smbclient with a higher debug level, but it just spewed a bunch of meaningless numbers etc.)

-- 
Paul Taylor
[Samba] Samba 2.2.7a - Unix groups bug?
Further to comments made in another thread, Samba 2.2.7a appears to limit the maximum number of Unix groups a user can have to 13 (NGROUPS_MAX - 3).

The cause appears to be Samba adding to the groups list returned by the getgroups() system call, such that a subsequent setgroups() call has the number of groups set to (# of groups + 3). For instance, my account has 12 groups; running truss against the smbd thread for my account showed it calling setgroups(15, 0x...). For another user who has 14 groups, the call is setgroups(17, 0x...); this fails with Err#22 EINVAL, since 17 is greater than NGROUPS_MAX (= 16 under Solaris). The difference of 3 groups may be environment/implementation specific.

This behaviour didn't occur under Samba 2.2.0, so I suspect that one of the fixes to group handling mentioned in the Changelogs is responsible.

Any ideas? Thanks in advance.

-- 
Paul Taylor
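An added audit script, not from the post, that finds the users this limit would bite before they hit it. It takes the 3-entry overhead and the NGROUPS_MAX of 16 reported in the post as parameters, since both vary by platform, and the constructed sample users reproduce the 12-group and 14-group cases described; the count includes the primary group, which is an assumption about what the post's "12 groups" covers. audit_system() runs the same check against the live passwd and group databases of the host it runs on.

```python
"""Find users whose group count would push smbd's setgroups() past NGROUPS_MAX.

Added example, not from the post. The 3 extra entries and NGROUPS_MAX = 16 are the
figures the post observed on Solaris; both are parameters because they vary by platform.
"""
import grp
import os
import pwd

# Constructed sample: 'paul' is in 11 project groups plus a primary group (12 total),
# 'bob' in 13 project groups plus a primary group (14 total).
SAMPLE_USERS = [("paul", 100), ("bob", 101)]
SAMPLE_GROUPS = [("paul", 100, []), ("bob", 101, [])] + [
    (f"proj{i}", 200 + i, ["paul", "bob"] if i < 11 else ["bob"]) for i in range(13)
]


def membership_counts(users, groups):
    """users: iterable of (name, primary_gid); groups: iterable of (name, gid, members).
    Returns {user: number of distinct gids}, primary group included."""
    counts = {}
    for name, primary_gid in users:
        gids = {primary_gid}
        gids.update(gid for _gname, gid, members in groups if name in members)
        counts[name] = len(gids)
    return counts


def users_at_risk(counts, ngroups_max, overhead=3):
    """Users for whom setgroups(n + overhead) would exceed NGROUPS_MAX and fail with
    EINVAL. When that happens smbd cannot switch to the user's groups, which is what the
    thread above saw as NT_STATUS_ACCESS_DENIED on group shares."""
    return sorted(user for user, n in counts.items() if n + overhead > ngroups_max)


def audit_system(overhead=3):
    """Run the check against this host's passwd/group databases and its NGROUPS_MAX."""
    users = [(p.pw_name, p.pw_gid) for p in pwd.getpwall()]
    groups = [(g.gr_name, g.gr_gid, list(g.gr_mem)) for g in grp.getgrall()]
    limit = os.sysconf("SC_NGROUPS_MAX")
    return users_at_risk(membership_counts(users, groups), limit, overhead)


if __name__ == "__main__":
    sample = membership_counts(SAMPLE_USERS, SAMPLE_GROUPS)
    print("sample counts:", sample)
    print("sample at risk (NGROUPS_MAX=16, overhead 3):", users_at_risk(sample, 16))
    print("this host at risk:", audit_system())
```

On a modern Linux host NGROUPS_MAX is 65536, so audit_system() normally returns an empty list there; the sample is what reproduces the Solaris figures from the post, and the overhead parameter is where to put the value observed with truss on the platform in question.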
[Samba] Samba upgrade and NT domain membership
Hi all,

I have a number of Samba servers that are members of an NT domain (i.e. the PDC/BDC runs NT). This works fine until I need to upgrade Samba; then it loses its membership of the domain. (I take a copy of the current Samba directory and install the new version over the top so that the secrets.tdb file etc. are retained.)

The only way I have found to restore the domain membership is to delete the Samba server from the domain on the PDC and add it back again, then run smbpasswd -j domainname on the Samba server.

Is there a way to keep the previous domain membership across an upgrade? Failing that, is there a simpler way to restore the domain membership? (Preferably without needing access to the PDC.)

Thanks in advance.

-- 
Paul Taylor