Is it possible that this may be related to and fixed by the patch in this bug: https://bugzilla.samba.org/show_bug.cgi?id=9820
----- Original Message -----
From: "Kristofer Pettijohn" <[email protected]>
To: "Andrew Bartlett" <[email protected]>
Cc: [email protected]
Sent: Thursday, June 13, 2013 12:17:53 AM
Subject: Re: [Samba] Samba 4.0.6 update - login issues

It happened again. When it happens, it happens at exactly the top of the hour. Same symptoms and results as below.

On Jun 11, 2013, at 12:08 AM, "Kristofer Pettijohn" <[email protected]> wrote:

<blockquote>
I would need logs and network traces to investigate this further. Could it be a kerberos ticket expiring? Does it still happen if you upgrade a test member server to 3.6 or 4.0 (so we can narrow down the issue)?

I have logs (debug 16 from the client) and a network trace. If you would like me to send them somewhere, let me know where you would like them.

Received an alert that Radius authentication fails (ntlm)

Log into Radius server via ssh, which uses winbind for auth - receive this error:
Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable

Ran "net ads info"
<blockquote>
[root@durad1 ~]# net ads info
LDAP server: 10.9.10.81
LDAP server name: brsad.ad.bigrocksports.com
Realm: AD.BIGROCKSPORTS.COM
Bind Path: dc=AD,dc=BIGROCKSPORTS,dc=COM
LDAP port: 389
Server time: Tue, 11 Jun 2013 00:42:44 EDT
KDC server: 10.9.10.81
Server time offset: 0
</blockquote>

Ran "net ads lookup"
<blockquote>
[root@durad1 ~]# net ads lookup
Information for Domain Controller: 10.9.10.81
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 61b8eb21-20b7-459b-8d7e-224ea1fa85d5
Flags:
    Is a PDC: yes
    Is a GC of the forest: yes
    Is an LDAP server: yes
    Supports DS: yes
    Is running a KDC: yes
    Is running time services: yes
    Is the closest DC: yes
    Is writable: yes
    Has a hardware clock: yes
    Is a non-domain NC serviced by LDAP server: no
    Is NT6 DC that has some secrets: no
    Is NT6 DC that has all secrets: no
Forest: ad.bigrocksports.com
Domain: ad.bigrocksports.com
Domain Controller: brsad.ad.bigrocksports.com
Pre-Win2k Domain: BRS
Pre-Win2k Hostname: BRSAD
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
</blockquote>

tried a winbind ping
<blockquote>
[root@durad1 ~]# wbinfo -p
Ping to winbindd succeeded
</blockquote>

id <username> fails with "No such user"

kinit [email protected] works.

Email server authenticates against LDAP - and that is working without an issue.

Restarted winbind on Radius server, did not change failed results

ntlm_auth fails
<blockquote>
[root@durad1 ~]# /usr/bin/ntlm_auth --request-nt-key --domain=AD.BIGROCKSPORTS.COM --username=kpettijohn --password=<password>
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
</blockquote>

Attempted to leave and re-join the domain:
<blockquote>
[root@durad1 samba]# net ads join -U Administrator
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain 'AD.BIGROCKSPORTS.COM' over rpc: The connection was refused
</blockquote>

Restart samba DC on 10.9.10.81 (brsad.ad.bigrocksports.com), and machine can now join and ntlm_auth works.
</blockquote>
