[Samba] Gentoo, Samba, Upgrade, Authentications now failing

I just updated Samba on Gentoo due to a security vulnerability and the
authentication for domain accounts is now failing. Has anyone else seen this?

--
Jas

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

On Tue, Jun 3, 2008 at 7:52 AM, Jason Gerfen <jason.gerfen@scl.utah.edu> wrote:
> I just updated Samba on Gentoo due to a security vulnerability and the
> authentication for domain accounts is now failing. Has anyone else seen
> this?
> --

I have upgraded a domain memberservers last week to
net-fs/samba-3.0.30 but not the PDC. No problems so far with that.

John

> I have upgraded a domain memberservers last week to
> net-fs/samba-3.0.30 but not the PDC. No problems so far with that.
>

It should have read all domain member servers.

John

Hmm... I am on Version 3.0.28a using Gentoo's emerge utility.

In my logs I am receiving:

check_ntlm_password: Authentication for user [smb] -> [smb] FAILED with error NT_STATUS_NO_SUCH_USER
....
ads_verify_ticket: smb_krb5_parse_name(thor$) failed (Configuration file does not specify default realm)

But I can see all my information for the user with the following commands:

wbinfo -u smb
wbinfo -i smb
wbinfo -n smb
wbinfo -S <SID>
getent passwd smb

Everything shows the user in Active Directory but I cannot authenticate
them any longer since the upgrade.

Any advice?

John Drescher wrote:
> On Tue, Jun 3, 2008 at 7:52 AM, Jason Gerfen <jason.gerfen@scl.utah.edu> wrote:
>> I just updated Samba on Gentoo due to a security vulnerability and the
>> authentication for domain accounts is now failing. Has anyone else seen
>> this?
>> --
> I have upgraded a domain memberservers last week to
> net-fs/samba-3.0.30 but not the PDC. No problems so far with that.
>
> John

--
Jas

Gentlemen,

The following links may or may not be of help.

http://bugs.gentoo.org/show_bug.cgi?id=224201
http://lists.samba.org/archive/samba...ne/141041.html

You can specify a default in /etc/krb5.conf like this:

..
..
[realms]
doma.com= {
    kdc = DOMA.com:88
    admin_server = doma.com:749
    default_domain = doma.com
}
..
..

But I'm far from an expert.

Rob

Robert LR Mattson
La Trobe University
PhD Candidate
Melbourne, Australia
Dept. Computer Science
Phone: +(613) 9479 1408
Office: PS1-219
Mob: +(61)417 515 695

-----Original Message-----
From: samba-bounces+r.mattson=latrobe.edu.au@lists.samba.org [mailto:samba-bounces+r.mattson=latrobe.edu.au@lists.samba.org] On Behalf Of Jason Gerfen
Sent: Tuesday, 3 June 2008 10:43 PM
Cc: samba@lists.samba.org
Subject: Re: [Samba] Gentoo, Samba, Upgrade, Authentications now failing

Hmm... I am on Version 3.0.28a using Gentoo's emerge utility.

In my logs I am receiving:

check_ntlm_password: Authentication for user [smb] -> [smb] FAILED with error NT_STATUS_NO_SUCH_USER
....
ads_verify_ticket: smb_krb5_parse_name(thor$) failed (Configuration file does not specify default realm)

But I can see all my information for the user with the following commands:

wbinfo -u smb
wbinfo -i smb
wbinfo -n smb
wbinfo -S <SID>
getent passwd smb

Everything shows the user in Active Directory but I cannot authenticate
them any longer since the upgrade.

Any advice?

John Drescher wrote:
> On Tue, Jun 3, 2008 at 7:52 AM, Jason Gerfen <jason.gerfen@scl.utah.edu> wrote:
>> I just updated Samba on Gentoo due to a security vulnerability and the
>> authentication for domain accounts is now failing. Has anyone else seen
>> this?
>> --
> I have upgraded a domain memberservers last week to
> net-fs/samba-3.0.30 but not the PDC. No problems so far with that.
>
> John

--
Jas

I tried that. After upgrading Samba yesterday using Gentoo's emerge
facility due to the vulnerability listed
http://www.samba.org/samba/security/CVE-2008-1105.html and
http://www.gentoo.org/security/en/gl...-200805-23.xml the authentication
of AD users has ceased working.

krb5.conf

[libdefaults]
    default_realm = UTAH.EDU

[realms]
    UTAH.EDU = {
        kdc = 155.99.1.95
        default_domain = scl.utah.edu
    }

[domain_realm]
    .utah.edu = UTAH.EDU
    utah.edu = UTAH.EDU
    scl.utah.edu = UTAH.EDU

[logging]
    default = FILE:/var/log/krb5.log

[appdefaults]
    pam = {
        ticket_lifetime = 365d
        renew_lifetime = 365d
        forwardable = true
        proxiable = false
        retain_after_close = true
        minimum_uid = 0
    }

smb.conf

[global]
    workgroup = SCL
    realm = SCL.UTAH.EDU
    server string = valhalla.scl.utah.edu
    netbios name = valhalla
    password server = *
    encrypt passwords = true
    security = ads
    lanman auth = no
    ntlm auth = no
    os level = 20
    allow trusted domains = yes
    auth methods = winbind
    ldap ssl = no
    ldap suffix = dc=scl,dc=utah,dc=edu
    interfaces = eth0, lo
    bind interfaces only = yes
    socket options = TCP_NODELAY
    log level = 20
    log file = /var/log/samba/log.%m
    max log size = 50
    client signing = yes
    client schannel = no
    client use spnego = yes
    client lanman auth = no
    client NTLMv2 auth = yes
    client plaintext auth = no
    preferred master = no
    local master = no
    domain master = no
    wins proxy = no
    dns proxy = No
    obey pam restrictions = yes
    template shell = /bin/bash
    nt acl support = yes
    inherit permissions = yes
    create mask = 0022
    template homedir = /home/samba/%U
    winbind uid = 1000-2000000
    winbind gid = 500-2000000
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = yes
    winbind offline logon = true
    # winbind nss info = sfu
    winbind nss info = rfc2307
    idmap uid = 1000-2000000
    idmap gid = 500-2000000
    idmap domains = SCL
    idmap config SCL:backend = ad
    idmap config SCL:default = yes
    # idmap config SCL:schema_mode = sfu
    idmap config SCL:schema_mode = rfc2307
    idmap config SCL:range = 1000 - 300000000

Enumerating users, enumerating groups, SID to UID conversion, and lookup
of user information using getent and wbinfo all work.

Here is some abbreviated log data:

%> tail -f /var/log/samba/log.* | grep smb
[2008/06/03 07:02:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Tue Jun 3 06:32:45 2008
make_user_info_map: Mapping user [VALHALLA]\[smb] from workstation [LOKI]
attempting to make a user_info for smb (smb)
making strings for smb's user_info struct
making blobs for smb's user_info struct
made an encrypted user_info for smb (smb)
check_ntlm_password: Checking password for unmapped user [VALHALLA]\[smb]@[LOKI] with the new password interface
check_ntlm_password: mapped user is: [VALHALLA]\[smb]@[LOKI]
check_ntlm_password: Authentication for user [smb] -> [smb] FAILED with error NT_STATUS_NO_SUCH_USER
structure was created for smb
[2008/06/03 07:02:36, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

As you can see from the logs it is showing the message
NT_STATUS_NO_SUCH_USER even though wbinfo -i smb works and shows the user
account in Active Directory.

I did however notice this odd entry in the logs as well:

Attempting to register auth backend smbserver
[2008/06/03 07:02:36, 5] auth/auth.c:smb_register_auth(59)
Successfully added auth method 'smbserver'

Not sure if the auth method being 'smbserver' is accurate or not. Any
help, pointers etc. is greatly appreciated.

Robert Mattson wrote:
> Gentlemen,
>
> The following links may or may not be of help.
>
> http://bugs.gentoo.org/show_bug.cgi?id=224201
> http://lists.samba.org/archive/samba...ne/141041.html
>
> ...... clipped ......
>> net-fs/samba-3.0.30 but not the PDC. No problems so far with that.
>>
>> John
>
>

--
Jas
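
An added example, not part of the original thread: a small consistency check between the realm settings in krb5.conf and smb.conf, the two files quoted in the post above. The function names and the trimmed sample input are constructed for illustration; the check only reports differences between the files and does not establish the cause of the failure discussed here.

```python
import re

# Constructed sample input: the realm-related lines of the two files quoted above.
KRB5_CONF = """[libdefaults]
default_realm = UTAH.EDU
[realms]
UTAH.EDU = {
 kdc = 155.99.1.95
}
[domain_realm]
scl.utah.edu = UTAH.EDU
"""
SMB_CONF = "[global]\nrealm = SCL.UTAH.EDU\nsecurity = ads\n"

def parse_conf(text):
    """Parse krb5.conf/smb.conf text into {section: {key: value}}, skipping '{ }' sub-blocks."""
    out, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw)[0].strip()   # drop comments
        head = re.fullmatch(r"\[(.+)\]", line)
        if head and depth == 0:
            section = out.setdefault(head.group(1).strip().lower(), {})
        elif line == "}":
            depth -= 1
        elif "=" in line and section is not None:
            key, _, val = (p.strip() for p in line.partition("="))
            if depth == 0:
                section[key] = val                  # a 'REALM = {' header is kept as key -> '{'
            if val == "{":
                depth += 1
    return out

def check(krb5_text, smb_text):
    """Return findings about realm consistency between krb5.conf and smb.conf."""
    krb5, smb = parse_conf(krb5_text), parse_conf(smb_text).get("global", {})
    default = krb5.get("libdefaults", {}).get("default_realm")
    realm, findings = smb.get("realm"), []
    if default is None:
        findings.append("krb5.conf: no default_realm in [libdefaults]")
    if smb.get("security", "").lower() == "ads" and realm:
        if default and realm != default:
            findings.append(f"smb.conf realm {realm} != default_realm {default}")
        mapped = krb5.get("domain_realm", {}).get(realm.lower())
        if mapped and mapped != realm:
            findings.append(f"[domain_realm] maps {realm.lower()} to {mapped}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(KRB5_CONF, SMB_CONF)))
```
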

On Tue, Jun 3, 2008 at 9:07 AM, Jason Gerfen <jason.gerfen@scl.utah.edu> wrote:
> I tried that. After upgrading Samba yesterday using Gentoo's emerge facility
> due to the vulnerability listed

Did you try 3.0.30? It is in portage now.

John

Installing it now... it looks like the amd64 package is masked for samba
however.

John Drescher wrote:
> On Tue, Jun 3, 2008 at 9:07 AM, Jason Gerfen <jason.gerfen@scl.utah.edu> wrote:
>> I tried that. After upgrading Samba yesterday using Gentoo's emerge facility
>> due to the vulnerability listed
>
> Did you try 3.0.30? It is in portage now.
>
> John

--
Jas

John Drescher wrote:
> On Tue, Jun 3, 2008 at 9:07 AM, Jason Gerfen <jason.gerfen@scl.utah.edu> wrote:
>> I tried that. After upgrading Samba yesterday using Gentoo's emerge facility
>> due to the vulnerability listed
>
> Did you try 3.0.30? It is in portage now.
>
> John

Ok I have updated it and am no able to authenticate. It seems that even
though my smb.conf shows 'client plaintext auth = no' in the logs when
performing a 'wbinfo --krb5auth=username%password' it shows

plaintext kerberos password authentication for [username%password] failed (requesting cctype: FILE)

Any ideas? I do appreciate any help I can get on this. Here is some
version information: Version 3.0.30

--
Jas

> Ok I have updated it and am no able to authenticate. It seems that even
> though my smb.conf shows 'client plaintext auth = no' in the logs when
> performing a 'wbinfo --krb5auth=username%password' it shows
>
> plaintext kerberos password authentication for [username%password] failed
> (requesting cctype: FILE)
>
> Any ideas? I do appreciate any help I can get on this. Here is some version
> information: Version 3.0.30
> --

Sorry that did not help. For now I am out of ideas. Hopefully someone
knows how to fix that soon otherwise I would go back to the last
version that worked.

John