We allow access to our Linux server shares to Windows/OS X boxes via Samba. For the TGT process to work properly (no password prompt), we "join" all of our Linux servers to the Domain (using "net ads join"). Our institution recently updated our Domain Controllers to Windows Server 2008 R2, which caused Samba-based authentication to our Linux servers to fail with the following error (Samba debug level 3):<br />
-----------------------------<br />
[2010/03/26 15:18:56, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)<br />
cli_pipe_verify_schannel: auth_len 56.<br />
[2010/03/26 15:18:56, 0] auth/auth_domain.c:domain_client_validate(260)<br />
domain_client_validate: unable to validate password for user dattilo in domain CIT to Domain controller CITDCFL.CIT.UCAR.EDU. Error was NT_STATUS_INVALID_PARAMETER.<br />
-----------------------------<br />
<br />
It appears that our problem is related to Samba bug #6697:<br />
<br />
"The Schannel verifier (aka NL_AUTH_SIGNATURE) structure (32 byte)<br />
sent from a W2k8r2 DC is passed in a buffer with the size of a<br />
NL_AUTH_SHA2_SIGNATURE (56 byte). We should just ignore the remaining<br />
12 zeroed bytes and proceed."<br />
<br />
Versions prior to Samba 3.3.9 did not have this fix in place and would<br />
throw the "NT_STATUS_INVALID_PARAMETER" error when the extra "zeroed<br />
bytes" were received.<br />
<br />
Checking the code from the SRC RPM confirms that the bug fix was not<br />
applied to our CentOS version 3.0.33-3 source code. Applying the following patch fixes the authentication problem by ignoring the extra bytes:<br />
<br />
<a href="https://bugzilla.samba.org/attachment.cgi?id=4658">https://bugzilla.samba.org/attachment.cgi?id=4658</a><br />
<br />
Can the patch be added in the next update?<br />
<br />
Many thanks,<br />
Garth D'Attilo
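
Added example, not part of the original post and not Samba's code: a minimal C model of the length check described in the quoted bug text, showing a strict check that rejects the 56-byte buffer next to a tolerant one that uses the first 32 bytes and ignores the rest. All function and constant names are hypothetical, the sample buffer is constructed, and the upper bound in the tolerant check is this example's own choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes quoted in the bug text above; all names here are hypothetical. */
#define NL_AUTH_SIGNATURE_LEN      32  /* verifier the client understands */
#define NL_AUTH_SHA2_SIGNATURE_LEN 56  /* buffer size sent by a W2k8r2 DC */

enum verify_status { VERIFIER_OK = 0, VERIFIER_INVALID_PARAMETER = -1 };

/* Models the pre-fix behaviour: any auth_len other than 32 is rejected. */
enum verify_status extract_verifier_strict(const uint8_t *buf, size_t auth_len,
                                           uint8_t out[NL_AUTH_SIGNATURE_LEN])
{
    if (buf == NULL || auth_len != NL_AUTH_SIGNATURE_LEN)
        return VERIFIER_INVALID_PARAMETER;
    memcpy(out, buf, NL_AUTH_SIGNATURE_LEN);
    return VERIFIER_OK;
}

/* Models the post-fix behaviour: accept 32..56 bytes, use the first 32 and
 * ignore the trailing padding. The upper bound is this example's own choice,
 * so that a short or oversized buffer is still refused. */
enum verify_status extract_verifier_tolerant(const uint8_t *buf, size_t auth_len,
                                             uint8_t out[NL_AUTH_SIGNATURE_LEN])
{
    if (buf == NULL || auth_len < NL_AUTH_SIGNATURE_LEN ||
        auth_len > NL_AUTH_SHA2_SIGNATURE_LEN)
        return VERIFIER_INVALID_PARAMETER;
    memcpy(out, buf, NL_AUTH_SIGNATURE_LEN);
    return VERIFIER_OK;
}

/* Constructed sample: 32 non-zero bytes followed by zero padding up to 56. */
size_t build_sample(uint8_t buf[NL_AUTH_SHA2_SIGNATURE_LEN])
{
    memset(buf, 0, NL_AUTH_SHA2_SIGNATURE_LEN);
    for (size_t i = 0; i < NL_AUTH_SIGNATURE_LEN; i++)
        buf[i] = (uint8_t)(i + 1);
    return NL_AUTH_SHA2_SIGNATURE_LEN;
}
```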