Ray,

There was indeed an issue with the old RHEL samba packages and 2008r2. There was a bug report issued about it and RHEL released a newer samba package that can talk to 2008r2:
https://bugzilla.redhat.com/show_bug.cgi?id=561325

I wrote a wiki on migrating to the samba3x package that has worked well for our group:
https://uisapp2.iu.edu/confluence-prd/x/FgQCBw

Updating to the new package will work across all the Domain Controllers.

Hope that helps,
Robert

On 11/04/2010 07:15 AM, Gaiseric Vandal wrote:
> Looking through the release notes for samba 3.0.28a - 3.0.37 there does not
> seem to be mention of 2008 R2. The following link may explain why it
> doesn't work and a possible fix.
>
> http://www.openg.info/entry/win-2008-r2-samba
>
> But Samba 3.0.x is end-of-lifed so I think you're best off moving to Samba
> 3.4.x.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ray Van Dolson
> Sent: Wednesday, November 03, 2010 4:37 PM
> To: [email protected]
> Subject: [Samba] Samba 3.0.33, security = domain and Windows 2008 R2
>
> I have a number of Samba servers on RHEL (Samba 3.0.33) in an AD
> environment using a mix of Windows 2008 and Windows 2008 R2 servers.
> Configuration file is pretty minimal:
>
> [global]
>     workgroup = AVWORLD
>     security = DOMAIN
>     log file = /var/log/samba/samba.log
>     max log size = 500
>     wins server = 10.50.4.31
>     dns proxy = no
>     #log level = 10
>     log level = 3 passdb:5 auth:10 winbind:2
>     password server = *
>     #username map = /etc/samba/username.map
>     socket options = TCP_NODELAY
>
> This works fine as long as the Samba server in question is talking to
> one of the Windows 2008 servers.
>
> Via some sort of SMB magic, from time to time, the domain controller
> the Samba server communicates with changes to one of the Windows 2008
> R2 servers. At that point, problems begin:
>
> [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info_map(161)
>   make_user_info_map: Mapping user [AVWORLD]\[ray5147] from workstation [RAYXP]
> [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(75)
>   attempting to make a user_info for ray5147 (ray5147)
> [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(85)
>   making strings for ray5147's user_info struct
> [2010/11/03 10:25:44, 5] auth/auth_util.c:make_user_info(117)
>   making blobs for ray5147's user_info struct
> [2010/11/03 10:25:44, 10] auth/auth_util.c:make_user_info(135)
>   made an encrypted user_info for ray5147 (ray5147)
> [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(221)
>   check_ntlm_password: Checking password for unmapped user [avworld]\[ray51...@[rayxp] with the new password interface
> [2010/11/03 10:25:44, 3] auth/auth.c:check_ntlm_password(224)
>   check_ntlm_password: mapped user is: [avworld]\[ray51...@[rayxp]
> [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(233)
>   check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
> [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(235)
>   challenge is:
> [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
>   check_ntlm_password: guest had nothing to say
> [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
>   check_samstrict_security: AVWORLD is not one of my local names (ROLE_DOMAIN_MEMBER)
> [2010/11/03 10:25:44, 10] auth/auth.c:check_ntlm_password(261)
>   check_ntlm_password: sam had nothing to say
> [2010/11/03 10:25:44, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
>   cli_pipe_verify_schannel: auth_len 56.
> [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
>   domain_client_validate: unable to validate password for user ray5147 in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
> [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
>   check_ntlm_password: winbind authentication for user [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
> [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
>   check_ntlm_password: Authentication for user [ray5147] -> [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
> [2010/11/03 10:25:44, 5] auth/auth_util.c:free_user_info(2108)
>   attempting to free (and zero) a user_info structure
> [2010/11/03 10:25:44, 10] auth/auth_util.c:free_user_info(2112)
>   structure was created for ray5147
>
> (REDDC1 is one of the 2K8 R2 servers and ray5147 is my username). If I
> can convince the system to talk to one of the non-R2 servers again,
> everything is fine.
>
> Looking at the log, the "errors" that jump out are:
>
> [2010/11/03 10:25:44, 6] auth/auth_sam.c:check_samstrict_security(415)
>   check_samstrict_security: AVWORLD is not one of my local names (ROLE_DOMAIN_MEMBER)
> [2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
>   domain_client_validate: unable to validate password for user ray5147 in domain AVWORLD to Domain controller REDDC1. Error was NT_STATUS_INVALID_PARAMETER.
> [2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
>   check_ntlm_password: winbind authentication for user [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
> [2010/11/03 10:25:44, 2] auth/auth.c:check_ntlm_password(319)
>   check_ntlm_password: Authentication for user [ray5147] -> [ray5147] FAILED with error NT_STATUS_INVALID_PARAMETER
>
> I'm not clear if the first error is a complaint from my Samba client or
> if it's a message returned from the domain controller... the last error
> message doesn't mean anything to me.
>
> Anyone have any thoughts? We've followed the instructions from this KB
> article[1] to configure the R2 servers in the same way the non-R2
> servers are configured.
>
> I haven't yet reproduced the problem on a Samba 3.3 install so I'm
> wondering if the 3.0.x branch just has issues with Windows 2008 R2,
> or if there's a patch out there that could be backported to help.
> Maybe doing security = ads would work better for us....
>
> This problem also has cropped up on our Solaris 10 hosts. Sun provides
> a Samba package based on 3.0.x as well.
>
> Thanks in advance,
> Ray
>
> [1] http://support.microsoft.com/kb/942564

--
________
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
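
Added example, not part of the original thread: a small parser for the Samba 3.0.x log format quoted above that counts `domain_client_validate` failures per domain controller and NT status, which makes it easy to confirm that failures cluster on particular DCs. The sample log is constructed from the record quoted in the post plus one invented record (`EXAMPLEDC2`, user `alice`); the function names are this example's own.

```python
import re
from collections import Counter
# Header of a Samba 3.0.x log record: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
# Message written by domain_client_validate when validation against the DC fails
FAILURE = re.compile(
    r"unable to validate password for user (\S+) in domain (\S+) "
    r"to Domain controller (\S+?)\. Error was (NT_STATUS_\w+)")
# Constructed sample: the first two records are quoted in the post, the third
# (EXAMPLEDC2, user "alice") is invented so the grouping has something to split.
SAMPLE_LOG = """\
[2010/11/03 10:25:44, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user ray5147 in
  domain AVWORLD to Domain controller REDDC1. Error was
  NT_STATUS_INVALID_PARAMETER.
[2010/11/03 10:25:44, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [ray5147] FAILED
  with error NT_STATUS_INVALID_PARAMETER
[2010/11/03 10:31:02, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user alice in
  domain AVWORLD to Domain controller EXAMPLEDC2. Error was
  NT_STATUS_WRONG_PASSWORD.
"""

def parse_records(text):
    """Yield (timestamp, level, function, message) with continuation lines joined."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if current:
                yield current[0], current[1], current[2], " ".join(current[3])
            current = (m.group(1), int(m.group(2)), m.group(4), [])
        elif current and line.strip():
            current[3].append(line.strip())
    if current:
        yield current[0], current[1], current[2], " ".join(current[3])

def failures_by_dc(text):
    """Count domain_client_validate failures per (domain controller, NT status)."""
    counts = Counter()
    for _ts, _level, func, msg in parse_records(text):
        m = FAILURE.search(msg) if func == "domain_client_validate" else None
        if m:
            counts[(m.group(3), m.group(4))] += 1
    return counts

if __name__ == "__main__":
    print(sorted(failures_by_dc(SAMPLE_LOG).items()))
```
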
