panic action in samba

Alex Sharaz alex.sharaz at york.ac.uk
Fri Mar 18 09:08:38 CET 2016


Hi,
I've been phasing in FR 3.0.11 on an Ubuntu 14.04 system with the default
version of samba (4.1.6) as one of our outward facing (ORPS) servers. The
intention is to migrate all of our 2.2.9 systems over to 3.0.11.

Up till now this server's main task has been to proxy eduroam visitor auths
to home institutions, but we do have a couple of monitoring systems
performing EAP based health checks against the server which authenticates
against our AD service using Samba. All this has been working fine.
Yesterday, after running a few more auth tests from inside and outside our
network using eapol_test, I reconfigured our inbound eduroam traffic (for
York users visiting external sites) to use this server instead of one of
our other 2.2.9 systems.

While most auths "just worked", what we also saw was a flurry of

The Samba 'panic action' script, /usr/share/samba/panic-action,
was called for PID 22827 (/usr/sbin/winbindd).

with corresponding auth failure messages within FR of the form


Thu Mar 17 09:03:40 2016 : Auth: (66912)   Login OK: [gw791 at york.ac.uk]
(from client roaming2.ja.net port 13 cli 54-E4-3A-1F-C7-8A via TLS tunnel)
Thu Mar 17 09:03:41 2016 : Auth: (66916) Login OK: [gw791 at york.ac.uk] (from
client roaming2.ja.net port 13 cli 54-E4-3A-1F-C7-8A)
Thu Mar 17 09:03:41 2016 : ERROR: (66920) mschap: ERROR: Program returned
code (1) and output 'Account disabled (0xc0000072)'
Thu Mar 17 09:03:41 2016 : Auth: (66920)   Login incorrect (mschap: No
NT-Domain was found in the User-Name): [erf504 at york.ac.uk] (from client
roaming2.ja.net port 13 cli 00-26-B0-04-2B-8A via TLS tunnel)
Thu Mar 17 09:03:42 2016 : Info: (66923) eap_peap:   The users session was
previously rejected: returning reject (again.)
Thu Mar 17 09:03:42 2016 : Info: (66923) eap_peap:   This means you need to
read the PREVIOUS messages in the debug output
Thu Mar 17 09:03:42 2016 : Info: (66923) eap_peap:   to find out the reason
why the user was rejected
Thu Mar 17 09:03:42 2016 : Info: (66923) eap_peap:   Look for "reject" or
"fail".  Those earlier messages will tell you
Thu Mar 17 09:03:42 2016 : Info: (66923) eap_peap:   what went wrong, and
how to fix the problem
Thu Mar 17 09:03:42 2016 : Auth: (66923) Login incorrect (eap: Failed
continuing EAP PEAP (25) session.  EAP sub-module failed): [
erf504 at york.ac.uk] (from client roaming2.ja.net port 13 cli
00-26-B0-04-2B-8A)
Thu Mar 17 09:03:43 2016 : ERROR: (66928) mschap: ERROR: Program returned
code (1) and output 'Logon failure (0xc000006d)'
Thu Mar 17 09:03:43 2016 : Auth: (66928)   Login incorrect (mschap: No
NT-Domain was found in the User-Name): [clh553 at york.ac.uk] (from client
roaming2.ja.net port 13 cli A8-5B-78-74-D8-C9 via TLS tunnel)

As shown above, we do have successful york realm auths happening as well.

Before I start looking at this in more detail (additional samba logging) I
was wondering if anyone has seen these (samba) messages before. Haven't
touched the samba config, it's whatever the default settings are.

Rgds
Alex
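
Added example, not part of the original post: a small triage script for logs in the layout quoted above, which re-joins the wrapped records and pairs each mschap "Program returned" error with the Auth record that carries the same request id, so rejects can be tallied per status code and per user. The sample log, user names, client name and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the radius.log layout quoted above (made-up users and
# client); records are wrapped over several lines, as in the mail.
SAMPLE = """\
Thu Mar 17 09:03:40 2016 : Auth: (101)   Login OK: [alice@example.org]
(from client nas1 port 13 cli 00-00-5E-00-53-01 via TLS tunnel)
Thu Mar 17 09:03:41 2016 : ERROR: (102) mschap: ERROR: Program returned
code (1) and output 'Account disabled (0xc0000072)'
Thu Mar 17 09:03:41 2016 : Auth: (102)   Login incorrect (mschap: No
NT-Domain was found in the User-Name): [bob@example.org] (from client
nas1 port 13 cli 00-00-5E-00-53-02 via TLS tunnel)
Thu Mar 17 09:03:43 2016 : ERROR: (103) mschap: ERROR: Program returned
code (1) and output 'Logon failure (0xc000006d)'
Thu Mar 17 09:03:43 2016 : Auth: (103)   Login incorrect (mschap: No
NT-Domain was found in the User-Name): [
carol@example.org] (from client nas1 port 13 cli 00-00-5E-00-53-03)
"""

RECORD_START = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} : ")
HEADER = re.compile(r".{24} : (?P<level>\w+): \((?P<req>\d+)\)\s+(?P<msg>.*)")
NTSTATUS = re.compile(r"output '(?P<text>[^']*?) \((?P<code>0x[0-9a-fA-F]{8})\)'")
USER = re.compile(r"Login (?P<result>OK|incorrect)\b.*?: \[\s*(?P<user>[^\]]+?)\s*\]")

def unwrap(text):
    """Re-join wrapped continuation lines onto their timestamped record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text):
    """Correlate each mschap ERROR with the Auth record sharing its request id."""
    requests = {}
    for h in filter(None, map(HEADER.match, unwrap(text))):
        entry = requests.setdefault(int(h["req"]), {})
        if m := NTSTATUS.search(h["msg"]):
            entry.update(status=m["text"], code=m["code"].lower())
        if h["level"] == "Auth" and (m := USER.search(h["msg"])):
            entry.update(user=m["user"], result=m["result"])
    return requests

def status_counts(requests):
    """Tally the helper program's status strings across all requests."""
    return Counter((r["status"], r["code"]) for r in requests.values() if "status" in r)
```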

