Monday, June 21, 2010

NT_STATUS_PIPE_DISCONNECTED with Samba Winbind and Windows Server 2008 R2 Domain Controller

We recently upgraded our domain controllers to Windows Server 2008 R2, and our RHEL 5 authentication through our Windows domain immediately broke.
Here was the error:
[2010/06/21 09:32:57, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) rpc_api_pipe: Remote machine adserver.my.edu pipe \NETLOGON fnum 0x8007returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
A little searching online shows a lot of people with this or related problems, but the solutions appear to be many, and there mostly isn’t a solution posited.
But there is this: https://bugzilla.redhat.com/show_bug.cgi?id=561325
In short: there's a bug in the samba package that prevents it from working with Windows Server 2008 R2 domains. If you’re running into this problem, the solution is to remove your existing samba installation and install, instead, the samba3x packages.
Note that samba3x was a "technology preview" from RedHat, which means that it offered little support for it. This has changed, and it's now a supported package in RHEL 5.
yum erase samba samba-common
yum install samba3x samba3x-client
You’ll have to re-do your configuration, so it might be worthwhile to back up your /etc/samba/smb.conf file.

11 comments:

  1. After days of searching errors on google and beating on Samba, I happened to finally come across your post. Thank you!!! Of course, one would think I would learn to search the buglists, but apparently that is way to easy.

    I was able to set up Samba3x and all my problems were solved (once I figured out Kerberos...).

    ReplyDelete
  2. You saved my ass! Thank you for this post!!

    ReplyDelete
  3. Ha! I'm really pleased to hear that, Mike. Thanks for the feedback.

    ReplyDelete
  4. This fixed my problem with winbind not resolving uid/gid, but now PAM/Kerberos authentication is broken.

    Every login attempt has unknown user. It seems like pam is no longer picking up the username being passed to it.

    Any clue how to fix Kerberos?

    ReplyDelete
  5. Hi, Chip,
    Are you able to enumerate groups and users with wbinfo? If so, that would suggest that Kerberos is working, and that you may well just have a PAM problem.

    I ran into a problem with my PAM configuration recently that I just couldn't track down. Rather than spin my wheels further, I just removed it (rpm -e pam_krb5, if I recall) and then re-installed it. That took care of my problem without a lot of work.

    ReplyDelete
  6. Ack. Sorry, Chip: it wasn't PAM that I erased; it was openssh. The PAM configuration for SSH was messed up, somehow, and it was easier to remove/reinstall than to figure out where the problem was.

    ReplyDelete
  7. I can enumerate domain users and groups with wbinfo. I can log in with --authenticate and --krb4auth. I can log in with kinit also. No matter what angle I use from pam it fails to lookup uid/gid with kerberos and winbind gets NT_STATUS_WRONG_PASSWORD.

    Tried reloading ssh and pam. Nothing changes.

    I have all this working under the default samba install but I'm having long delays at log in and uid/gid resolution, which is what got me to this blog in the first place.

    Every angle of log in results in pam modules having problems identifying uid/gid.

    Winbind will grant access bug the fail on retriving information about the user.

    I'm suspicious my problem may be related to being on a 64 bit centos.

    ReplyDelete
  8. We had some problems that went away when we disabled ipv6. The windows and linux boxes both came up with ipv6 and ipv4 addresses, but we aren't routing ipv6, so that apparently caused some problems. Removing the ipv6 modules got them working.

    ReplyDelete
  9. Anyone know if RHEL6 requires this version of Samba as well?

    ReplyDelete
  10. Step by step configuration of SAMBA server
    http://www.redhatlinux.info/2011/11/configure-samba-server.html

    ReplyDelete

Thanks for leaving a comment!