Samba Bug #6563

Sallee, Stephen (Jake) Jake.Sallee at umhb.edu
Mon Aug 2 21:25:39 CEST 2010


We will be moving to Server 2008 R2 very soon, thanks for the heads up.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of Colantuoni, Robert
Sent: Monday, August 02, 2010 12:16 PM
To: freeradius-users at lists.freeradius.org
Subject: Samba Bug #6563


Our AD team recently upgraded their servers from Windows 2003 to 2008
and broke the Samba 3.0.34 installation we had been using for ntlm_auth.
We couldn't get this version of Samba to join the upgraded servers, so
we were forced to look into patching Samba 3.5.4 (latest) to fix the
issue where ntlm_auth returns an invalid NT_KEY. I believe this issue
has been open for about 2 years and hasn't moved much in the Samba bug
list:
https://bugzilla.samba.org/show_bug.cgi?id=6563

A committer named Volker Lendecke suggested that the source was
SamLogonEx... by using SamLogon instead, you can get around the issue.
This seems to stem from the SamLogonEx function using session keys
versus credentials... but I'd like to ask a Windows/Samba expert for a
better opinion.

I've attached a patch to the bug report above which adds the
--force-samlogon option to winbind. If winbind is started without this
flag, it operates "normally" and we get an invalid NT_KEY returned. If
it's started with the flag, the issue is resolved. 

We've been running this in production and haven't run into any issues
with a few thousand 802.1x users. I hope this helps a few people who
have been stuck in Samba purgatory.

Rob Colantuoni

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



