Comment 30 for bug 526464

Joseph Salisbury (jsalisbury) wrote :

@Surbhi,

I uploaded two additional wireshark traces. These traces are for the same two machines, but from an earlier date. The two wireshark traces show successful auths and failures for both users (service_bhavnacrysta and crystaluser).

I also uploaded the samba log for this time period. The log file name is: crystal3.log.

In the logs, the error happened at 13:45.

Here is some analysis I did for the system crystal3. The wireshark filename is crystal3_2011-01-25_1345.pcap.
Note: a useful way to only see failures is to use this filter:
smb.cmd == 0x73

Wireshark analysis for file crystal3_2011-01-25_1345.pcap:
Failures for user crystaluser (Packet No.):
14504 with response in 14507
14516 with response in 14519

Successful auths for user crystaluser (Packet No.):
24 with response in 25
402 with response in 506

Failures for user service_bhavnacrysta (Packet No.):
14904 with response in 14905
14910 with response in 14911

Successful auth for user service_bhavnacrysta (Packet No.):
11974 with response in 11976

I noticed one thing when comparing the successful auths with the failed auths. Under the SMB Header, the User ID for the successful auth has (SCHDY\crystaluser) and also reports the Primary Domain and Account. For the failed auth this field only reports the User ID. There are also many more fields under the "Session Setup AndX Response" section for the successful login. Maybe this is just a sign that the login was unsuccessful? I created a screenshot comparing a failed auth (on the left) and a successful auth (on the right of the screenshot). The screenshot is named wireshark_auth_comp_screenshot.png.

Wireshark analysis for file fs1_2011-01-25_1345.pcap:
Failures for user crystaluser (Packet No.):
10485 with response in 10488
10497 with response in 10500

Successful auths for user crystaluser (Packet No.):
8 with a response in 9
151 with a response in 153

Failures for user service_bhavnacrysta (Packet No.):
10875 with response in 10876
10881 with response in 10882

Successful auth for user service_bhavnacrysta (Packet No.):
8715 with a response in 8717

One other thing I noticed in the Samba log file. All successful authentications have this (notice fetch_gid_from_cache):
[2011/01/24 10:23:46, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10001 -> S-1-5-21-1870800502-1360593094-619646970-513
[2011/01/24 10:23:46, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [crystaluser] succeeded

All the failures are missing this line. Maybe this indicates something cache related?
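
Added example, not part of the original comment: a small Python script that checks the log observation above across a whole Samba log by reporting, for each check_ntlm_password verdict, whether a fetch_gid_from_cache entry was logged since the previous verdict. The third sample entry (timestamp, line number, failure wording and status name) is constructed, and the script assumes one client's entries are not interleaved with another's.

```python
import re

# Samba debug header: "[date time, level] source_file:function(line)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*\d+\] \S+:(?P<func>\w+)\(\d+\)")
# Verdict text logged by check_ntlm_password (the FAILED wording is an assumption)
RESULT = re.compile(r"user \[(?P<user>[^\]]+)\].*?(?P<out>succeeded|FAILED)")

# Constructed sample: the first two entries are quoted in the comment,
# the third (a failure) is made up for illustration.
SAMPLE = """\
[2011/01/24 10:23:46, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10001 -> S-1-5-21-1870800502-1360593094-619646970-513
[2011/01/24 10:23:46, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [crystaluser] succeeded
[2011/01/25 13:45:00, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [crystaluser] -> [crystaluser] FAILED with error NT_STATUS_PLACEHOLDER
"""

def parse_entries(text):
    """Group header lines and their indented message lines into entries."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m["ts"], m["func"], ""])
        elif entries and line.strip():
            entries[-1][2] += line.strip() + " "
    return [tuple(e) for e in entries]

def correlate(text):
    """Return (timestamp, user, succeeded, saw_gid_cache_lookup) per verdict."""
    results, saw_cache = [], False
    for ts, func, msg in parse_entries(text):
        if func == "fetch_gid_from_cache":
            saw_cache = True
        elif func == "check_ntlm_password":
            m = RESULT.search(msg)
            if m:  # skip non-verdict messages from the same function
                results.append((ts, m["user"], m["out"] == "succeeded", saw_cache))
                saw_cache = False  # start a new window for the next attempt
    return results

if __name__ == "__main__":
    for ts, user, ok, cached in correlate(SAMPLE):
        print(f"{ts} {user:<24} {'OK' if ok else 'FAIL':<5} gid_cache_lookup={cached}")
```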