Comment 0 for bug 479955

Binary package hint: samba

One of our users upgraded their Ubuntu workstation to 9.10 and they can no longer authenticate via pam_winbind with the domain controller (Samba 3.3.7).

# apt-cache policy winbind
winbind:
  Installed: 2:3.4.0-3ubuntu5
  Candidate: 2:3.4.0-3ubuntu5
  Version table:
 *** 2:3.4.0-3ubuntu5 0
        500 http://gb.archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status

After the upgrade, the following messages appear in the winbind log every five minutes:

[2009/11/10 11:45:01, 0] libsmb/ntlmssp_sign.c:208(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2009/11/10 11:45:01, 0] rpc_client/cli_pipe.c:620(cli_pipe_verify_ntlmssp)
  cli_pipe_verify_ntlmssp: failed to unseal packet from host SKIPPY. Error was NT_STATUS_ACCESS_DENIED.

Attempting to authenticate results in the following:

# wbinfo -a chrisa
Enter chrisa's password:
plaintext password authentication failed
Could not authenticate user chrisa with plaintext password
Enter chrisa's password:
challenge/response password authentication failed
error code was NT code 0x1c010002 (0x1c010002)
error messsage was: NT code 0x1c010002
Could not authenticate user chrisa with challenge/response

And this message appears in the winbind log:

[2009/11/10 11:44:58, 1] rpc_client/cli_pipe.c:948(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SKIPPY!

This appears to match the behaviour mentioned in the upstream bug #6646 which was fixed in Samba 3.4.1:
  https://bugzilla.samba.org/show_bug.cgi?id=6646

Patch looks quite trivial. Would it be possible to backport it?

Thanks,
Chris