Invalid Authenticator... i.e. "munged" nt-key from Winbindd ...

Robert Roll Robert.Roll at utah.edu
Mon Jul 30 17:14:14 CEST 2012


 Yes, I know this is really a Samba problem. I'm asking on this list
because I really feel that a number of the users of ntlm_auth, winbindd
are Radius admins.

 This is in regards to the "munged" nt-key bug in Winbindd. Most of
the suggestions have been to simply upgrade Samba. From my reading,
this all seems to go back to Samba 3.2.X'ish? Well, we are (were) running
Samba 3.5.6.
I figured that was relatively safe? Actually, I had noticed that the
bug did still seem to exist, but would only occur after running Winbindd
for a "while". I found other admins on the net reporting the same thing.
We all seemed to adopt the same solution. Simply re-start Winbindd when the
problem arose. 

 This scheme worked very well for over a year. Then around 16:40 last
Friday afternoon, something in our environment changed and this "bug" 
seemed to get tweaked all of the time. The radius servers just seemed to
start to melt down. Actually, after a few hours 4 of 10 of our backend
servers seemed to find a somewhat "stable" situation.

In any case, I tried installing an older version of Samba 3.0.31 as there
was some reference that nobody had seemed to see this problem with that
version. However, that version did not do authentication at all against our 
win2008R2 directories. I found a bug report about that, and it basically
said, "yes we know, we don't intend to fix it in 3.0.31 as that is an
old version, upgrade". So, in any case, I did upgrade to the latest
Samba 3.5.16 and things "seem" to be working now.

 After all said above, my real question is, has anybody seen anything somewhat
definitive on this bug that would indicate the source of the problem has
really been found and fixed? Or, does it just seem that other changes
to Winbindd have just "seemed" to make this bug go away (or hide better)?

 The reason I ask, is that we use Freeradius here and we are a large R1 University
with associated medical center. Our radius architecture is beginning to
support not only the Campus, but the medical center as well. The plan is to
really bring ALL of the medical center Wireless that requires authentication
into our Freeradius architecture. Believe it or not, there are becoming more
and more medical devices that are starting to have some wireless capabilities now.
From what I can tell, most of the use is to simply gather data about the device
and ship it off to some master data gathering tool for analysis at a later time.
However, I'm not sure, but some EKG devices in the future might start using this
to actually ship the EKG results in real time to a doctor that is actually remotely 
located. This and other potential real time uses start to scare me a bit ???  I know
that these devices should have some other backup capabilities for transmitting
the data, but......

Thanks,

Robert

Robert Roll
Computer Professional
University of Utah
(801) 581-7655

