Red Hat Knowledgebase

Article Reference

Article ID: 5515
Last update: 04-09-06
Issue:
Are there any known compatibility problems between Samba and Windows 2003 Service Pack 1 or Windows 2000 Service Pack 4 with a "Post-Service Pack 4 Security Rollup" installed?
Resolution:

Yes. Since the release of Windows 2003 Service Pack 1 and the "Post-Service Pack 4 Security Rollup" updates for Windows 2000, compatibility problems between Windows 2000 or 2003 Domain Controllers (DCs) and Samba's winbind daemon have appeared immediately after these Windows updates are installed. Problems have been seen with all current and prior versions of the Samba packages available for Red Hat Enterprise Linux versions 3 and 4.

Known Problems

Some of the specific problems known to occur with winbind are:

  • Failure of winbind to properly resolve domain SIDs to a domain username or group, including those of trusted domains whose DCs have NOT had these Windows updates installed. These failures are logged in /var/log/samba/winbindd.log with entries that look something like:
    [2005/04/29 19:07:06, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(248)
      could not lookup sid S-1-5-21-1538550916-4051550271-1313386325-2000
  • Failure to enumerate domain groups which do exist on the domain. These failures are also logged in /var/log/samba/winbindd.log with entries which look something like:
    [2005/04/29 19:07:06, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
      group Domain Admins in domain TESTDOMAIN does not exist
  • pam_winbind-based system authentication is problematic or fails completely. Problems have been seen and reported such as:
    1. System authentication via pam_winbind for a console login with a domain username succeeds, but the username cannot be looked up properly afterwards, so the logged-in user has no username set for the session; and
    2. System authentication via pam_winbind fails completely.

The problems detailed above are specific known issues with winbind. Note, however, that Samba relies upon the user and group names winbind provides when winbind is in use, so Samba may also exhibit problems as a result of winbind not functioning properly, such as users being unable to access shares, or share permissions based upon domain group membership not working.

Problem Resolution

Two distinct components of the winbind compatibility problems introduced by these Windows updates exist:

  • client schannel - Winbind can no longer communicate properly over client schannel (client secure channel) with Windows 2000 or 2003 DCs that have had these updates installed. Samba and winbind use client schannel by default.

  • Anonymous binds - Windows 2000 and 2003 DCs with these updates installed no longer allow winbind to bind anonymously to enumerate domain user and group information. Winbind binds anonymously to DCs by default, emulating the behavior of legacy Windows operating systems.

Component Issue 1: client schannel

Upstream Samba developers implemented a patch in Samba 3.0.14 to turn off winbind's use of client schannel when Samba is joined to a domain in ADS (Active Directory Services) security mode. Red Hat released updated Samba packages in Red Hat Enterprise Linux 3 Update 6 and Red Hat Enterprise Linux 4 Update 2 which contain this patch. Therefore, customers with Samba servers joined to an Active Directory domain in ADS security mode must either update their Samba packages or use the client schannel workaround detailed below to address this part of the issue.

It is important to note that the patch only disables winbind's use of schannel for Samba servers joined to an Active Directory domain using ADS security mode. Samba servers joined to an Active Directory domain using DOMAIN security mode will need to use the client schannel workaround noted below, even with the latest Samba packages available from the Red Hat Network at the time of this writing.

To update the Samba packages to the latest available from the Red Hat Network update channels, the following command should be run as the root user:


# up2date samba samba-client samba-common
 
Fetching Obsoletes list for channel: rhel-i386-as-3...
 
Fetching rpm headers...
########################################
 
Name                                    Version        Rel
----------------------------------------------------------
samba                                   3.0.9          1.3E.7            i386
samba-client                            3.0.9          1.3E.7            i386
samba-common                            3.0.9          1.3E.7            i386
 
 
Testing package set / solving RPM inter-dependencies...
########################################
samba-3.0.9-1.3E.7.i386.rpm ########################## Done.
samba-client-3.0.9-1.3E.7.i ########################## Done.
samba-common-3.0.9-1.3E.7.i ########################## Done.
Preparing              ########################################### [100%]
 
Installing...
   1:samba-common           ########################################### [100%]
   2:samba                  ########################################### [100%]
   3:samba-client           ########################################### [100%]
[root@samba-vmsrv1 samba]#

client schannel Workaround

For Samba servers joined to an Active Directory domain in DOMAIN security mode, or if updating the Samba packages on a server joined to a domain in ADS mode is not desired, the following workaround can be utilized to disable Samba's use of client schannel altogether:

Add the configuration statement client schannel = no to the [global] section of the /etc/samba/smb.conf file:

 
	[global]
	
	# W2K3-SP1 / W2K-SP4-SR1 COMPATIBILITY WORKAROUND
	# The following statement turns off Samba's attempts to use netlogon
	# schannel when connecting as a client to other SMB hosts.
	client schannel = no
	
	# GENERAL WINDOWS 2000, 2003, and XP-RELATED COMPATIBILITY SETTINGS
	# These two settings tend to improve Samba's compatibility with newer
	# Windows systems:
	client use spnego = no
	server signing = auto
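As an added illustration (example code written for this page, not part of the original article or of Samba), the following Python sketch scans winbindd.log text for the two failure signatures listed under Known Problems and checks an smb.conf [global] section for whether the client schannel workaround above is still required, following the DOMAIN versus ADS security mode distinction described in Component Issue 1. The sample log and smb.conf text are constructed, and `packages_patched` is a hypothetical flag standing for whether the installed packages carry the upstream 3.0.14 fix.

```python
import re

# Regexes for the two winbind failure signatures listed under Known Problems
SIGNATURES = {
    "sid_lookup": re.compile(r"could not lookup sid S-1-5-21-[\d-]+"),
    "group_enum": re.compile(r"group .+ in domain \S+ does not exist"),
}

# Constructed sample winbindd.log text: the two entries quoted in the article
SAMPLE_LOG = """\
[2005/04/29 19:07:06, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(248)
  could not lookup sid S-1-5-21-1538550916-4051550271-1313386325-2000
[2005/04/29 19:07:06, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group Domain Admins in domain TESTDOMAIN does not exist
"""

# Constructed smb.conf: DOMAIN security mode, 'client schannel' left at default
SAMPLE_SMB_CONF = """\
[global]
workgroup = TESTDOMAIN
security = domain
[homes]
browseable = no
"""

def scan_winbindd_log(text):
    """Count each known failure signature in winbindd.log text."""
    return {name: len(pat.findall(text)) for name, pat in SIGNATURES.items()}

def parse_global(text):
    """Return the [global] section of smb.conf as lower-cased key/value pairs."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()    # new section header
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            params[" ".join(key.split()).lower()] = value.strip().lower()
    return params

def needs_client_schannel_workaround(params, packages_patched):
    """True if 'client schannel = no' must be added to [global]. packages_patched
    (hypothetical flag): installed Samba carries the upstream 3.0.14 fix."""
    if params.get("client schannel", "auto") == "no":
        return False                    # workaround already in place
    mode = params.get("security", "user")
    # DOMAIN mode always needs it; ADS mode only with unpatched packages;
    # other security modes are not domain members and are outside this article.
    return mode == "domain" or (mode == "ads" and not packages_patched)
```

Running `scan_winbindd_log` over a real /var/log/samba/winbindd.log and `parse_global` over /etc/samba/smb.conf gives a quick check of whether a server is showing the symptoms and whether its configuration still needs the workaround.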

Component Issue 2: Anonymous Binds

If these Windows updates have been installed on the DC(s), winbind MUST be configured to authenticate itself with a valid domain user account to function properly. Other articles in the Red Hat Knowledgebase contain details on performing this procedure.

For more information regarding winbind configuration, the following sources of information are recommended:

  • The Samba documentation contained in /usr/share/doc/samba-<version>, on any Red Hat system with the base samba RPM installed. Complete illustrated reference manuals are provided in both PDF and HTML formats in this directory.
  • The smb.conf man page, viewable by running the command man smb.conf.
