ASW Global
2019-Oct-15 12:56 UTC
[Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
I've read the documentation that domain trusts should be fully supported with both Kerberos and NTLM authentication. I've created a new 2016 domain on a Windows box and created a Samba domain on a Linux box with a BIND9_DLZ backend. Both servers can resolve both DNS domains forwards and backwards and I am able to connect a Windows 10 client to the Samba domain without any issues. The problem occurs when I create a full external trust between the two domains. The trust is created successfully with samba-tool; however, the verify fails with TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED.

The end result is a trust relation that fully works with Kerberos authentication (such as logging in on the trusted domain from a domain connected to the other) but this won't work with NTLM authentication outside of its realm. I am constantly getting this error message in the wb-DOMAIN logs:

Starting GENSEC submechanism ntlmssp [2019/10/15 07:06:26.589018, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug) negotiate: struct NEGOTIATE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmNegotiate (1) NegotiateFlags : 0x62088215 (1644724757) 1: NTLMSSP_NEGOTIATE_UNICODE 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 0: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 0: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 0: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 0: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0) DomainNameMaxLen : 0x0000 (0) DomainName : * DomainName : '' WorkstationLen : 0x0000 (0) WorkstationMaxLen : 0x0000 (0) Workstation : * Workstation : '' Version: struct ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) ProductBuild : 0x0000 (0) Reserved: ARRAY(3) [0] : 0x00 (0) [1] : 0x00 (0) [2] : 0x00 (0) NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) [2] : 0x00 (0) NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) [2019/10/15 07:06:26.589188, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send) gensec_update_send: ntlmssp[0x5625297aa300]: subreq: 0x5625299b9330 [2019/10/15 07:06:26.589207, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send) gensec_update_send: spnego[0x56252a561b00]: subreq: 0x562529ff3510 [2019/10/15 07:06:26.589223, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done) gensec_update_done: ntlmssp[0x5625297aa300]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5625299b9330/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x5625299b94e0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215] [2019/10/15 07:06:26.589246, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done) gensec_update_done: spnego[0x56252a561b00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070] [2019/10/15 07:06:26.589508, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:273(ntlmssp_client_challenge) Got challenge flags: [2019/10/15 07:06:26.589527, 3, pid=12457, effective(0, 0), 
real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62898215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_TARGET_TYPE_DOMAIN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2019/10/15 07:06:26.589577, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug) challenge: struct CHALLENGE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmChallenge (0x2) TargetNameLen : 0x0008 (8) TargetNameMaxLen : 0x0008 (8) TargetName : * TargetName : 'ASW' NegotiateFlags : 0x62898215 (1653178901) 1: NTLMSSP_NEGOTIATE_UNICODE 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 0: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 0: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 0: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 1: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 1: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 0: NTLMSSP_NEGOTIATE_56 ServerChallenge : 9577d49bcff93241 Reserved : 0000000000000000 TargetInfoLen : 0x00c2 (194) TargetInfoMaxLen : 0x00c2 (194) TargetInfo : * TargetInfo: struct AV_PAIR_LIST count : 0x00000007 (7) pair: ARRAY(7) pair: struct AV_PAIR AvId : MsvAvNbDomainName (0x2) AvLen : 0x0008 (8) Value : union ntlmssp_AvValue(case 0x2) AvNbDomainName : 
'ASW' pair: struct AV_PAIR AvId : MsvAvNbComputerName (0x1) AvLen : 0x0014 (20) Value : union ntlmssp_AvValue(case 0x1) AvNbComputerName : 'ASWSERVER' pair: struct AV_PAIR AvId : MsvAvDnsDomainName (0x4) AvLen : 0x0024 (36) Value : union ntlmssp_AvValue(case 0x4) AvDnsDomainName : 'ASW.aswglobal.net' pair: struct AV_PAIR AvId : MsvAvDnsComputerName (0x3) AvLen : 0x003a (58) Value : union ntlmssp_AvValue(case 0x3) AvDnsComputerName : 'aswserver.asw.aswglobal.net' pair: struct AV_PAIR AvId : MsvAvDnsTreeName (0x5) AvLen : 0x0024 (36) Value : union ntlmssp_AvValue(case 0x5) AvDnsTreeName : 'ASW.aswglobal.net' pair: struct AV_PAIR AvDnsTreeName : 'ASW.aswglobal.net' pair: struct AV_PAIR AvId : MsvAvTimestamp (0x7) AvLen : 0x0008 (8) Value : union ntlmssp_AvValue(case 0x7) AvTimestamp : Tue Oct 15 07:06:27 2019 EDT pair: struct AV_PAIR AvId : MsvAvEOL (0x0) AvLen : 0x0000 (0) Value : union ntlmssp_AvValue(case 0x0) Version: struct ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_10 (0xA) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0) ProductBuild : 0x3839 (14393) Reserved : 000000 NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (0xF) [2019/10/15 07:06:26.589905, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug) authenticate: struct AUTHENTICATE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmAuthenticate (3) LmChallengeResponseLen : 0x0000 (0) LmChallengeResponseMaxLen: 0x0000 (0) LmChallengeResponse : * LmChallengeResponse : union ntlmssp_LM_RESPONSE_with_len(case 0) NtChallengeResponseLen : 0x0000 (0) NtChallengeResponseMaxLen: 0x0000 (0) NtChallengeResponse : * NtChallengeResponse : union ntlmssp_NTLM_RESPONSE_with_len(case 0) DomainNameLen : 0x0000 (0) DomainNameMaxLen : 0x0000 (0) DomainName : * DomainName : '' UserNameLen : 0x0000 (0) UserNameMaxLen : 0x0000 (0) UserName : * UserName : '' WorkstationLen : 0x0000 (0) WorkstationMaxLen : 0x0000 (0) Workstation : * Workstation : '' 
EncryptedRandomSessionKeyLen: 0x0010 (16) EncryptedRandomSessionKeyMaxLen: 0x0010 (16) EncryptedRandomSessionKey: * EncryptedRandomSessionKey: DATA_BLOB length=16 [0000] 81 EE CC 4D B3 48 F7 A9 57 E9 E6 94 B7 55 59 DE ...M.H.. W....UY. NegotiateFlags : 0x62008a15 (1644202517) 1: NTLMSSP_NEGOTIATE_UNICODE 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 0: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 0: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 1: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 0: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 0: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 0: NTLMSSP_NEGOTIATE_56 Version: struct ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) ProductBuild : 0x0000 (0) Reserved: ARRAY(3) [0] : 0x00 (0) [1] : 0x00 (0) [2] : 0x00 (0) NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) [2019/10/15 07:06:26.590148, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:761(ntlmssp_client_challenge) NTLMSSP: Set final flags: [2019/10/15 07:06:26.590160, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62008a15 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_ANONYMOUS NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2019/10/15 
07:06:26.590195, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset) NTLMSSP Sign/Seal - Initialising with flags: [2019/10/15 07:06:26.590195, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset) NTLMSSP Sign/Seal - Initialising with flags: [2019/10/15 07:06:26.590206, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62008a15 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_ANONYMOUS NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2019/10/15 07:06:26.590240, 5, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:638(ntlmssp_sign_reset) NTLMSSP Sign/Seal - using NTLM1 [2019/10/15 07:06:26.590268, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send) gensec_update_send: ntlmssp[0x5625297aa300]: subreq: 0x562529bcbfd0 [2019/10/15 07:06:26.590283, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send) gensec_update_send: spnego[0x56252a561b00]: subreq: 0x562529ff3510 [2019/10/15 07:06:26.590298, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done) gensec_update_done: ntlmssp[0x5625297aa300]: NT_STATUS_OK tevent_req[0x562529bcbfd0/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x562529bcc180)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:222] [2019/10/15 07:06:26.590320, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done) gensec_update_done: spnego[0x56252a561b00]: NT_STATUS_MORE_PROCESSING_REQUIRED 
tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070] [2019/10/15 07:06:26.590744, 3, pid=12457, effective(0, 0), real(0, 0)] ../../source3/libsmb/cliconnect.c:1693(cli_session_setup_creds_done_spnego) SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights. [2019/10/15 07:06:26.590770, 1, pid=12457, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cm.c:1255(cm_prepare_connection) anonymous session setup to aswserver.asw.aswglobal.net failed with NT_STATUS_ACCESS_DENIED [2019/10/15 07:06:26.590799, 1, pid=12457, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cm.c:1305(cm_prepare_connection) Failed to prepare SMB connection to aswserver.asw.aswglobal.net: NT_STATUS_ACCESS_DENIED [2019/10/15 07:06:26.590817, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob) gencache_set_data_blob: Adding cache entry with key=[NEG_CONN_CACHE/ASW,aswserver.asw.aswglobal.net] and timeout=[Tue Oct 15 07:07:26 2019 EDT] (60 seconds ahead) [2019/10/15 07:06:26.590838, 9, pid=12457, effective(0, 0), real(0, 0)] ../../source3/libsmb/conncache.c:189(add_failed_connection_entry) add_failed_connection_entry: added domain ASW (aswserver.asw.aswglobal.net) to failed conn cache [2019/10/15 07:06:26.590851, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:276(gencache_del) Deleting cache entry (key=[SAFJOIN/DOMAIN/ASW]) [2019/10/15 07:06:26.590864, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:276(gencache_del) Deleting cache entry (key=[SAF/DOMAIN/ASW]) [2019/10/15 07:06:26.590876, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob) 
gencache_set_data_blob: Adding cache entry with key=[NEG_CONN_CACHE/ASW.aswglobal.net,aswserver.asw.aswglobal.net] and timeout=[Tue Oct 15 07:07:26 2019 EDT] (60 seconds ahead) [2019/10/15 07:06:26.590893, 9, pid=12457, effective(0, 0), real(0, 0)] ../../source3/libsmb/conncache.c:189(add_failed_connection_entry) add_failed_connection_entry: added domain asw.aswglobal.net (aswserver.asw.aswglobal.net) to failed conn cache [2019/10/15 07:06:26.590906, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:276(gencache_del) Deleting cache entry (key=[SAFJOIN/DOMAIN/ASW.ASWGLOBAL.NET]) [2019/10/15 07:06:26.590918, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:276(gencache_del) Deleting cache entry (key=[SAF/DOMAIN/ASW.ASWGLOBAL.NET]) [2019/10/15 07:06:26.590958, 10, pid=12457, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cm.c:406(set_domain_offline)

I have a simple out of box smb.conf:

[global]
    bind interfaces only = yes
    interfaces = 127.0.0.1 10.0.0.40
    netbios name = ASW-OTHER
    realm = OTHER.ASWGLOBAL.NET
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = OTHER
    idmap_ldb:use rfc2307 = yes
    log file = /var/log/samba/log.%m
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/ops.aswglobal.net/scripts
    read only = No

wbinfo --online-status
BUILTIN : active connection
OTHER : active connection
ASW : no active connection
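An added example, not part of the original post and not Samba code: a small decoder for the NegotiateFlags values in the log above, which lists what changed between the three NTLMSSP messages. The function names and the condensed SAMPLE_LOG excerpt are constructed for this illustration; the hex values and the failure line are taken from the log.

```python
import re

# Bit values per MS-NLMP 2.2.2.5; names as Samba prints them in the log above.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000100: "NTLMSSP_NEGOTIATE_NETWARE",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000400: "NTLMSSP_NEGOTIATE_NT_ONLY",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00004000: "NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00040000: "NTLMSSP_TARGET_TYPE_SHARE",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
ANONYMOUS = 0x00000800
STAGES = ("negotiate", "challenge", "authenticate")

# One scanner for message headers, flag words and the winbindd failure line.
# It works on text whether or not the original line breaks survived.
TOKEN_RE = re.compile(
    r"(?P<msg>negotiate|challenge|authenticate): struct \w+_MESSAGE"
    r"|NegotiateFlags\s*:\s*0x(?P<flags>[0-9a-fA-F]+)"
    r"|anonymous session setup to (?P<host>\S+) failed with (?P<status>NT_STATUS_\w+)"
)

def decode_flags(value):
    """Names of the bits set in a NegotiateFlags word, lowest bit first."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]

def parse_handshake(log_text):
    """Return ({stage: flags}, [(host, status)]) found in a winbindd debug log."""
    flags, failures, current = {}, [], None
    for m in TOKEN_RE.finditer(log_text):
        if m.group("msg"):
            current = m.group("msg")
        elif m.group("flags") and current:
            flags[current] = int(m.group("flags"), 16)
            current = None  # first NegotiateFlags after a header belongs to it
        elif m.group("host"):
            failures.append((m.group("host"), m.group("status")))
    return flags, failures

def dropped_flags(flags):
    """Flags both peers offered that are absent from the AUTHENTICATE message."""
    common = flags["negotiate"] & flags["challenge"]
    return decode_flags(common & ~flags["authenticate"])

def assess(flags, failures):
    """Plain-language findings for one handshake."""
    missing = [s for s in STAGES if s not in flags]
    if missing:
        return ["incomplete handshake, missing: " + ", ".join(missing)]
    findings = []
    if flags["authenticate"] & ANONYMOUS:
        findings.append("AUTHENTICATE sets NTLMSSP_ANONYMOUS: null session, no user credentials sent")
    for name in dropped_flags(flags):
        findings.append(name + " offered by both sides but cleared in AUTHENTICATE")
    for host, status in failures:
        findings.append(host + " rejected the anonymous session setup: " + status)
    return findings

# Condensed from the log in the post above (most fields omitted).
SAMPLE_LOG = """\
negotiate: struct NEGOTIATE_MESSAGE
    MessageType : NtLmNegotiate (1)
    NegotiateFlags : 0x62088215 (1644724757)
challenge: struct CHALLENGE_MESSAGE
    MessageType : NtLmChallenge (0x2)
    NegotiateFlags : 0x62898215 (1653178901)
authenticate: struct AUTHENTICATE_MESSAGE
    MessageType : NtLmAuthenticate (3)
    UserName : ''
    NegotiateFlags : 0x62008a15 (1644202517)
NTLMSSP Sign/Seal - using NTLM1
anonymous session setup to aswserver.asw.aswglobal.net failed with NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    for finding in assess(*parse_handshake(SAMPLE_LOG)):
        print(finding)
```
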
Rowland Penny
2019-Oct-15 13:23 UTC
[Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
On 15/10/2019 13:56, ASW Global via samba wrote:
> I've read the documentation that domain trusts should be fully supported with both Kerberos and NTLM authentication. I've created a new 2016 domain on a Windows box and created a Samba domain on a Linux box with a BIND9_DLZ backend. Both servers can resolve both DNS domains forwards and backwards and I am able to connect a Windows 10 client to the Samba domain without any issues. The problem occurs when I create a full external trust between the two domains. The trust is created successfully with samba-tool; however, the verify fails with TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED.
>
> The end result is a trust relation that fully works with Kerberos authentication (such as logging in on the trusted domain from a domain connected to the other) but this won't work with NTLM authentication outside of its realm. I am constantly getting this error message in the wb-DOMAIN logs:
>
> Starting GENSEC submechanism ntlmssp > [2019/10/15 07:06:26.589018, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug) > negotiate: struct NEGOTIATE_MESSAGE > Signature : 'NTLMSSP' > MessageType : NtLmNegotiate (1) > NegotiateFlags : 0x62088215 (1644724757) > 1: NTLMSSP_NEGOTIATE_UNICODE > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 1: NTLMSSP_NEGOTIATE_SIGN > 0: NTLMSSP_NEGOTIATE_SEAL > 0: NTLMSSP_NEGOTIATE_DATAGRAM > 0: NTLMSSP_NEGOTIATE_LM_KEY > 0: NTLMSSP_NEGOTIATE_NETWARE > 1: NTLMSSP_NEGOTIATE_NTLM > 0: NTLMSSP_NEGOTIATE_NT_ONLY > 0: NTLMSSP_ANONYMOUS > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN > 0: NTLMSSP_TARGET_TYPE_DOMAIN > 0: NTLMSSP_TARGET_TYPE_SERVER > 0: NTLMSSP_TARGET_TYPE_SHARE > 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > 0: NTLMSSP_NEGOTIATE_IDENTIFY > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY > 0: NTLMSSP_NEGOTIATE_TARGET_INFO > 1: 
NTLMSSP_NEGOTIATE_VERSION > 1: NTLMSSP_NEGOTIATE_128 > 1: NTLMSSP_NEGOTIATE_KEY_EXCH > 0: NTLMSSP_NEGOTIATE_56 > DomainNameLen : 0x0000 (0) > DomainNameMaxLen : 0x0000 (0) > DomainName : * > DomainName : '' > WorkstationLen : 0x0000 (0) > WorkstationMaxLen : 0x0000 (0) > Workstation : * > Workstation : '' > Version: struct ntlmssp_VERSION > ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) > ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) > ProductBuild : 0x0000 (0) > Reserved: ARRAY(3) > [0] : 0x00 (0) > [1] : 0x00 (0) > [2] : 0x00 (0) > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) > [2] : 0x00 (0) > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) > [2019/10/15 07:06:26.589188, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send) > gensec_update_send: ntlmssp[0x5625297aa300]: subreq: 0x5625299b9330 > [2019/10/15 07:06:26.589207, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send) > gensec_update_send: spnego[0x56252a561b00]: subreq: 0x562529ff3510 > [2019/10/15 07:06:26.589223, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done) > gensec_update_done: ntlmssp[0x5625297aa300]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5625299b9330/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x5625299b94e0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215] > [2019/10/15 07:06:26.589246, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done) > gensec_update_done: spnego[0x56252a561b00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070] > [2019/10/15 07:06:26.589508, 3, pid=12457, effective(0, 0), real(0, 
0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:273(ntlmssp_client_challenge) > Got challenge flags: > [2019/10/15 07:06:26.589527, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0x62898215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_TARGET_TYPE_DOMAIN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_TARGET_INFO > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > [2019/10/15 07:06:26.589577, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug) > challenge: struct CHALLENGE_MESSAGE > Signature : 'NTLMSSP' > MessageType : NtLmChallenge (0x2) > TargetNameLen : 0x0008 (8) > TargetNameMaxLen : 0x0008 (8) > TargetName : * > TargetName : 'ASW' > NegotiateFlags : 0x62898215 (1653178901) > 1: NTLMSSP_NEGOTIATE_UNICODE > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 1: NTLMSSP_NEGOTIATE_SIGN > 0: NTLMSSP_NEGOTIATE_SEAL > 0: NTLMSSP_NEGOTIATE_DATAGRAM > 0: NTLMSSP_NEGOTIATE_LM_KEY > 0: NTLMSSP_NEGOTIATE_NETWARE > 1: NTLMSSP_NEGOTIATE_NTLM > 0: NTLMSSP_NEGOTIATE_NT_ONLY > 0: NTLMSSP_ANONYMOUS > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN > 1: NTLMSSP_TARGET_TYPE_DOMAIN > 0: NTLMSSP_TARGET_TYPE_SERVER > 0: NTLMSSP_TARGET_TYPE_SHARE > 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > 0: NTLMSSP_NEGOTIATE_IDENTIFY > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY > 1: NTLMSSP_NEGOTIATE_TARGET_INFO > 1: NTLMSSP_NEGOTIATE_VERSION > 1: NTLMSSP_NEGOTIATE_128 > 1: NTLMSSP_NEGOTIATE_KEY_EXCH > 0: NTLMSSP_NEGOTIATE_56 > ServerChallenge : 9577d49bcff93241 > Reserved : 0000000000000000 > 
TargetInfoLen : 0x00c2 (194) > TargetInfoMaxLen : 0x00c2 (194) > TargetInfo : * > TargetInfo: struct AV_PAIR_LIST > count : 0x00000007 (7) > pair: ARRAY(7) > pair: struct AV_PAIR > AvId : MsvAvNbDomainName (0x2) > AvLen : 0x0008 (8) > Value : union ntlmssp_AvValue(case 0x2) > AvNbDomainName : 'ASW' > pair: struct AV_PAIR > AvId : MsvAvNbComputerName (0x1) > AvLen : 0x0014 (20) > Value : union ntlmssp_AvValue(case 0x1) > AvNbComputerName : 'ASWSERVER' > pair: struct AV_PAIR > AvId : MsvAvDnsDomainName (0x4) > AvLen : 0x0024 (36) > Value : union ntlmssp_AvValue(case 0x4) > AvDnsDomainName : 'ASW.aswglobal.net' > pair: struct AV_PAIR > AvId : MsvAvDnsComputerName (0x3) > AvLen : 0x003a (58) > Value : union ntlmssp_AvValue(case 0x3) > AvDnsComputerName : 'aswserver.asw.aswglobal.net' > pair: struct AV_PAIR > AvId : MsvAvDnsTreeName (0x5) > AvLen : 0x0024 (36) > Value : union ntlmssp_AvValue(case 0x5) > AvDnsTreeName : 'ASW.aswglobal.net' > pair: struct AV_PAIR > AvDnsTreeName : 'ASW.aswglobal.net' > pair: struct AV_PAIR > AvId : MsvAvTimestamp (0x7) > AvLen : 0x0008 (8) > Value : union ntlmssp_AvValue(case 0x7) > AvTimestamp : Tue Oct 15 07:06:27 2019 EDT > pair: struct AV_PAIR > AvId : MsvAvEOL (0x0) > AvLen : 0x0000 (0) > Value : union ntlmssp_AvValue(case 0x0) > Version: struct ntlmssp_VERSION > ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_10 (0xA) > ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0) > ProductBuild : 0x3839 (14393) > Reserved : 000000 > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (0xF) > [2019/10/15 07:06:26.589905, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug) > authenticate: struct AUTHENTICATE_MESSAGE > Signature : 'NTLMSSP' > MessageType : NtLmAuthenticate (3) > LmChallengeResponseLen : 0x0000 (0) > LmChallengeResponseMaxLen: 0x0000 (0) > LmChallengeResponse : * > LmChallengeResponse : union ntlmssp_LM_RESPONSE_with_len(case 0) > NtChallengeResponseLen : 0x0000 (0) > 
NtChallengeResponseMaxLen: 0x0000 (0) > NtChallengeResponse : * > NtChallengeResponse : union ntlmssp_NTLM_RESPONSE_with_len(case 0) > DomainNameLen : 0x0000 (0) > DomainNameMaxLen : 0x0000 (0) > DomainName : * > DomainName : '' > UserNameLen : 0x0000 (0) > UserNameMaxLen : 0x0000 (0) > UserName : * > UserName : '' > WorkstationLen : 0x0000 (0) > WorkstationMaxLen : 0x0000 (0) > Workstation : * > Workstation : '' > EncryptedRandomSessionKeyLen: 0x0010 (16) > EncryptedRandomSessionKeyMaxLen: 0x0010 (16) > EncryptedRandomSessionKey: * > EncryptedRandomSessionKey: DATA_BLOB length=16 > [0000] 81 EE CC 4D B3 48 F7 A9 57 E9 E6 94 B7 55 59 DE ...M.H.. W....UY. > NegotiateFlags : 0x62008a15 (1644202517) > 1: NTLMSSP_NEGOTIATE_UNICODE > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 1: NTLMSSP_NEGOTIATE_SIGN > 0: NTLMSSP_NEGOTIATE_SEAL > 0: NTLMSSP_NEGOTIATE_DATAGRAM > 0: NTLMSSP_NEGOTIATE_LM_KEY > 0: NTLMSSP_NEGOTIATE_NETWARE > 1: NTLMSSP_NEGOTIATE_NTLM > 0: NTLMSSP_NEGOTIATE_NT_ONLY > 1: NTLMSSP_ANONYMOUS > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN > 0: NTLMSSP_TARGET_TYPE_DOMAIN > 0: NTLMSSP_TARGET_TYPE_SERVER > 0: NTLMSSP_TARGET_TYPE_SHARE > 0: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > 0: NTLMSSP_NEGOTIATE_IDENTIFY > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY > 0: NTLMSSP_NEGOTIATE_TARGET_INFO > 1: NTLMSSP_NEGOTIATE_VERSION > 1: NTLMSSP_NEGOTIATE_128 > 1: NTLMSSP_NEGOTIATE_KEY_EXCH > 0: NTLMSSP_NEGOTIATE_56 > Version: struct ntlmssp_VERSION > ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) > ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) > ProductBuild : 0x0000 (0) > Reserved: ARRAY(3) > [0] : 0x00 (0) > [1] : 0x00 (0) > [2] : 0x00 (0) > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) > [2019/10/15 07:06:26.590148, 3, pid=12457, effective(0, 0), real(0, 0), 
class=auth] ../../auth/ntlmssp/ntlmssp_client.c:761(ntlmssp_client_challenge) > NTLMSSP: Set final flags: > [2019/10/15 07:06:26.590160, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0x62008a15 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_ANONYMOUS > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > [2019/10/15 07:06:26.590195, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset) > NTLMSSP Sign/Seal - Initialising with flags: > [2019/10/15 07:06:26.590195, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset) > NTLMSSP Sign/Seal - Initialising with flags: > [2019/10/15 07:06:26.590206, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0x62008a15 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_ANONYMOUS > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > [2019/10/15 07:06:26.590240, 5, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:638(ntlmssp_sign_reset) > NTLMSSP Sign/Seal - using NTLM1

What version of Samba are you using? It looks like it is using NTLM1, but the Windows domain probably isn't; try adding these lines to your smb.conf:

client min protocol = SMB2_02
server min protocol = SMB2_02

Rowland
ASW Global
2019-Oct-16 12:40 UTC
[Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
Hi Rowland,

I made the change to my smb.conf but I still get that error message that talks about NTLM1. Here is the full error I get when creating the domain trust. I am going to try creating the trust on a computer with the latest version of SAMBA+ to see if that works.

# samba-tool domain trust create asw.aswglobal.net --quarantined=yes -U"Administrator at ASW.ASWGLOBAL.NET" --local-dc-username=Administrator at OTHER.ASWGLOBAL.NET -d 10
INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10 tevent: 10 auth_audit: 10 auth_json_audit: 10 kerberos: 10 drs_repl: 10 smb2: 10 smb2_credits: 10 dsdb_audit: 10 dsdb_json_audit: 10 dsdb_password_audit: 10 dsdb_password_json_audit: 10 dsdb_transaction_audit: 10 dsdb_transaction_json_audit: 10 dsdb_group_audit: 10 dsdb_group_json_audit: 10 lpcfg_load: refreshing parameters from /etc/samba/smb.conf Processing section "[global]" Processing section "[sysvol]" Processing section "[netlogon]" pm_process() returned Yes GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'http_negotiate' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Using binding ncalrpc:ASW-RSX[,auth_type=ncalrpc_as_system] Mapped to DCERPC endpoint EPMAPPER added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 Starting GENSEC mechanism naclrpc_as_system gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2475220 gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2475220/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x24753d0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] dcerpc_pull_auth_trailer: auth_pad_length 0 gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2486740 gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_OK tevent_req[0x2486740/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x24868f0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] rpc request data: [0000] 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ (...garbage...) [0070] 00 00 00 00 00 00 00 00 01 00 00 00 ........ .... rpc reply data: [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ (...garbage...) 
Mapped to DCERPC endpoint DEFAULT added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 Starting GENSEC mechanism naclrpc_as_system gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2475220 gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2475220/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x24753d0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] dcerpc_pull_auth_trailer: auth_pad_length 0 gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2486dc0 gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_OK tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] rpc request data: [0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00 ........ ........ (...garbage...) [0030] 00 00 00 00 29 00 00 00 ....)... rpc reply data: [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85 ..... .x ..DF.... (...garbage...) rpc request data: [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85 ..... .x ..DF.... (...garbage...) rpc reply data: [0000] 00 00 02 00 0C 00 00 00 06 00 08 00 04 00 02 00 ........ ........ (...garbage...) [00C0] 5B CF 86 04 00 00 00 00 [....... 
LocalDomain Netbios[OTHER] DNS[other.aswglobal.net] SID[S-1-5-21-1812336436-162148099-75943771] added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 finddcs: searching for a DC by DNS domain asw.aswglobal.net finddcs: looking for SRV records for _ldap._tcp.asw.aswglobal.net resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.asw.aswglobal.net<0x0> getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C dns_lookup_send_next: Sending DNS request #0 to 127.0.0.53 dns_cli_request_send: Asking 127.0.0.53 for _ldap._tcp.asw.aswglobal.net./1/33 via UDP [0000] 9F F2 01 00 00 01 00 00 00 00 00 00 05 5F 6C 64 ........ ....._ld (...garbage...) dns_lookup_send_next: cancelling wait_subreq [0000] 9F F2 81 80 00 01 00 01 00 00 00 00 05 5F 6C 64 ........ ....._ld (...garbage...) 
dns_cli_request_udp_done: Got op=8180 1/1/0/0 recs finddcs: DNS SRV response 0 at '10.0.0.42' finddcs: performing CLDAP query on 10.0.0.42 &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x0001f1fd (127485) 1: NBT_SERVER_PDC 1: NBT_SERVER_GC 1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 0: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 1: NBT_SERVER_FULL_SECRET_DOMAIN_6 1: NBT_SERVER_ADS_WEB_SERVICE 1: NBT_SERVER_DS_8 0: NBT_SERVER_HAS_DNS_NAME 0: NBT_SERVER_IS_DEFAULT_NC 0: NBT_SERVER_FOREST_ROOT domain_uuid : ba3d2257-3ed3-4a7e-b58a-244488d8a6db forest : 'asw.aswglobal.net' dns_domain : 'asw.aswglobal.net' pdc_dns_name : 'aswserver.asw.aswglobal.net' domain_name : 'ASW' pdc_name : 'ASWSERVER' user_name : '' server_site : 'Default-First-Site-Name' client_site : 'Default-First-Site-Name' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL 0: NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) finddcs: Found matching DC 10.0.0.42 with server_type=0x0001f1fd RemoteDC Netbios[ASWSERVER] DNS[aswserver.asw.aswglobal.net] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8,__unknown_00018000__] Using binding ncacn_np:aswserver.asw.aswglobal.net Mapped to DCERPC endpoint \pipe\lsarpc added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 
netmask=255.255.255.224 added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 resolve_lmhosts: Attempting lmhosts lookup for name aswserver.asw.aswglobal.net<0x20> getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 87040 SO_RCVBUF = 131072 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 Starting GENSEC mechanism spnego Starting GENSEC submechanism gssapi_krb5 Password for [Administrator at ASW.ASWGLOBAL.NET]: Received smb_krb5 packet of length 169 Received smb_krb5 packet of length 108 kinit for Administrator at ASW.ASWGLOBAL.NET succeeded gensec_update_send: gssapi_krb5[0x2486130]: subreq: 0x2486dc0 gensec_update_send: spnego[0x249da80]: subreq: 0x24a3cc0 gensec_update_done: gssapi_krb5[0x2486130]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2486dc0/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x2486f70)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1065] gensec_update_done: spnego[0x249da80]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x24a3cc0/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x24a3e70)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070] gensec_gssapi: NO credentials were delegated GSSAPI Connection will be cryptographically signed gensec_update_send: gssapi_krb5[0x2486130]: 
subreq: 0x24ab540 gensec_update_send: spnego[0x249da80]: subreq: 0x24ada20 gensec_update_done: gssapi_krb5[0x2486130]: NT_STATUS_OK tevent_req[0x24ab540/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x24ab6f0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1072] gensec_update_done: spnego[0x249da80]: NT_STATUS_OK tevent_req[0x24ada20/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x24adbd0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070] signed SMB2 message signed SMB2 message signed SMB2 message rpc request data: [0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00 ........ ........ (...garbage...) [0030] 00 00 00 00 29 00 00 00 ....)... signed SMB2 message rpc reply data: (...garbage...) rpc request data: (...garbage...) signed SMB2 message rpc reply data: [0000] 00 00 02 00 0C 00 00 00 08 00 0A 00 04 00 02 00 ........ ........ (...garbage...) [00C0] AF B2 B1 5B 00 00 00 00 ...[.... RemoteDomain Netbios[ASW] DNS[asw.aswglobal.net] SID[S-1-5-21-822572291-61738364-1538372271] rpc request data: [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85 ..... .x ..DF.... (...garbage...) [0040] 61 00 6C 00 2E 00 6E 00 65 00 74 00 08 00 a.l...n. e.t... rpc reply data: [0000] 00 00 00 00 34 00 00 C0 ....4... rpc request data: [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85 ..... .x ..DF.... (...garbage...) [0030] 08 00 .. rpc reply data: [0000] 00 00 00 00 34 00 00 C0 ....4... rpc request data: [0000] 00 00 00 00 D2 23 8F A2 E0 F9 0F 40 A0 98 2A BD .....#.. ... at ..*. (...garbage...) [0040] 6C 00 2E 00 6E 00 65 00 74 00 08 00 l...n.e. t... signed SMB2 message rpc reply data: [0000] 00 00 00 00 34 00 00 C0 ....4... rpc request data: [0000] 00 00 00 00 D2 23 8F A2 E0 F9 0F 40 A0 98 2A BD .....#.. ... at ..*. (...garbage...) signed SMB2 message rpc reply data: [0000] 00 00 00 00 34 00 00 C0 ....4... 
Using binding ncalrpc:ASW-RSX[,auth_type=ncalrpc_as_system] Mapped to DCERPC endpoint EPMAPPER added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 Starting GENSEC mechanism naclrpc_as_system gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486dc0 gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] dcerpc_pull_auth_trailer: auth_pad_length 0 gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486a80 gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_OK tevent_req[0x2486a80/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x2486c30)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] rpc request data: [0000] 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ (...garbage...) rpc reply data: [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ (...garbage...) 
Mapped to DCERPC endpoint DEFAULT added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 Starting GENSEC mechanism naclrpc_as_system gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486dc0 gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] dcerpc_pull_auth_trailer: auth_pad_length 0 gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x24ab540 gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_OK tevent_req[0x24ab540/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x24ab6f0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] rpc request data: [0000] 00 00 02 00 08 00 00 00 00 00 00 00 08 00 00 00 ........ ........ (...garbage...) [0030] 00 00 00 00 00 00 00 40 .......@ rpc reply data: [0000] 04 00 02 00 08 00 02 00 0C 00 02 00 01 00 00 00 ........ ........ (...garbage...) [0170] 65 00 00 00 00 00 00 00 e....... 
Using binding ncacn_np:aswserver.asw.aswglobal.net Mapped to DCERPC endpoint \pipe\netlogon added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224 resolve_lmhosts: Attempting lmhosts lookup for name aswserver.asw.aswglobal.net<0x20> getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 87040 SO_RCVBUF = 131072 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 Starting GENSEC mechanism spnego Starting GENSEC submechanism gssapi_krb5 GSSAPI credentials for Administrator at ASW.ASWGLOBAL.NET will expire in 36000 secs gensec_update_send: gssapi_krb5[0x24b7e90]: subreq: 0x24ab540 gensec_update_send: spnego[0x249dd90]: subreq: 0x24b6710 gensec_update_done: gssapi_krb5[0x24b7e90]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x24ab540/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x24ab6f0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1065] gensec_update_done: spnego[0x249dd90]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x24b6710/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x24b68c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070] gensec_gssapi: NO credentials 
were delegated GSSAPI Connection will be cryptographically signed gensec_update_send: gssapi_krb5[0x24b7e90]: subreq: 0x2141650 gensec_update_send: spnego[0x249dd90]: subreq: 0x24b6710 gensec_update_done: gssapi_krb5[0x24b7e90]: NT_STATUS_OK tevent_req[0x2141650/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x2141800)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1072] gensec_update_done: spnego[0x249dd90]: NT_STATUS_OK tevent_req[0x24b6710/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x24b68c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070] signed SMB2 message signed SMB2 message signed SMB2 message rpc request data: [0000] 00 00 02 00 1E 00 00 00 00 00 00 00 1E 00 00 00 ........ ........ (...garbage...) [0060] 00 00 00 40 ...@ signed SMB2 message rpc reply data: [0000] 00 00 02 00 04 00 02 00 08 00 02 00 01 00 00 00 ........ ........ (...garbage...) [0180] 65 00 00 00 00 00 00 00 e....... Creating remote TDO. rpc request data: [0000] 00 00 00 00 D2 23 8F A2 E0 F9 0F 40 A0 98 2A BD .....#.. ... at ..*. (...garbage...) [04C0] 7F 00 0F 00 .... signed SMB2 message rpc reply data: [0000] 00 00 00 00 E6 07 5D 60 F1 A0 66 40 AC 41 65 15 ......]` ..f at .Ae. [0010] A7 97 42 7B 00 00 00 00 ..B{.... Remote TDO created. Setting supported encryption types on remote TDO. rpc request data: [0000] 00 00 00 00 E6 07 5D 60 F1 A0 66 40 AC 41 65 15 ......]` ..f at .Ae. [0010] A7 97 42 7B 0D 00 0D 00 18 00 00 00 ..B{.... .... signed SMB2 message rpc reply data: [0000] 00 00 00 00 .... Creating local TDO. rpc request data: [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85 ..... .x ..DF.... (...garbage...) [04C0] 7F 00 0F 00 .... rpc reply data: [0000] 03 00 00 00 D8 84 B1 B4 EF 1F B6 45 BC 4E DC 36 ........ ...E.N.6 [0010] 31 C7 21 9F 00 00 00 00 1.!..... Local TDO created Setting supported encryption types on local TDO. 
rpc request data:
[0000] 03 00 00 00 D8 84 B1 B4 EF 1F B6 45 BC 4E DC 36 ........ ...E.N.6
[0010] 31 C7 21 9F 0D 00 0D 00 18 00 00 00 1.!..... ....
rpc reply data:
[0000] 00 00 00 00 ....
Validating outgoing trust...
rpc request data:
(...garbage...)
[0060] 74 00 00 00 00 00 00 00 t.......
ERROR: LocalValidation: DC[\\aswserver.asw.aswglobal.net] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
signed SMB2 message
signed SMB2 message

Thanks
________________________________
From: Rowland penny <rpenny at samba.org>
Sent: Tuesday, October 15, 2019 9:23 AM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD

On 15/10/2019 13:56, ASW Global via samba wrote:
> I've read the documentation that domain trusts should be fully supported with both Kerberos and NTLM authentication. I've created a new 2016 domain on a Windows box and created a Samba domain on a Linux box with a BIND9_DLZ backend. Both servers can resolve both DNS domains forwards and backwards and I am able to connect a Windows 10 client to the Samba domain without any issues. The problem occurs when I create a full external trust between the two domains. The trust is created successfully with samba-tool however the verify fails with TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED.
>
> The end result is a trust relation that fully works with Kerberos authentication (such as logging in on the trusted domain from a domain connected to the other) but this won't work with NTLM authentication outside of its realm.
I am constantly getting this error message in the wb-DOMAIN logs: > > Starting GENSEC submechanism ntlmssp > [2019/10/15 07:06:26.589018, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug) > negotiate: struct NEGOTIATE_MESSAGE > Signature : 'NTLMSSP' > MessageType : NtLmNegotiate (1) > NegotiateFlags : 0x62088215 (1644724757) > 1: NTLMSSP_NEGOTIATE_UNICODE > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 1: NTLMSSP_NEGOTIATE_SIGN > 0: NTLMSSP_NEGOTIATE_SEAL > 0: NTLMSSP_NEGOTIATE_DATAGRAM > 0: NTLMSSP_NEGOTIATE_LM_KEY > 0: NTLMSSP_NEGOTIATE_NETWARE > 1: NTLMSSP_NEGOTIATE_NTLM > 0: NTLMSSP_NEGOTIATE_NT_ONLY > 0: NTLMSSP_ANONYMOUS > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN > 0: NTLMSSP_TARGET_TYPE_DOMAIN > 0: NTLMSSP_TARGET_TYPE_SERVER > 0: NTLMSSP_TARGET_TYPE_SHARE > 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > 0: NTLMSSP_NEGOTIATE_IDENTIFY > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY > 0: NTLMSSP_NEGOTIATE_TARGET_INFO > 1: NTLMSSP_NEGOTIATE_VERSION > 1: NTLMSSP_NEGOTIATE_128 > 1: NTLMSSP_NEGOTIATE_KEY_EXCH > 0: NTLMSSP_NEGOTIATE_56 > DomainNameLen : 0x0000 (0) > DomainNameMaxLen : 0x0000 (0) > DomainName : * > DomainName : '' > WorkstationLen : 0x0000 (0) > WorkstationMaxLen : 0x0000 (0) > Workstation : * > Workstation : '' > Version: struct ntlmssp_VERSION > ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) > ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) > ProductBuild : 0x0000 (0) > Reserved: ARRAY(3) > [0] : 0x00 (0) > [1] : 0x00 (0) > [2] : 0x00 (0) > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) > [2] : 0x00 (0) > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) > [2019/10/15 07:06:26.589188, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send) > gensec_update_send: ntlmssp[0x5625297aa300]: subreq: 
0x5625299b9330 > [2019/10/15 07:06:26.589207, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send) > gensec_update_send: spnego[0x56252a561b00]: subreq: 0x562529ff3510 > [2019/10/15 07:06:26.589223, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done) > gensec_update_done: ntlmssp[0x5625297aa300]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5625299b9330/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x5625299b94e0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215] > [2019/10/15 07:06:26.589246, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done) > gensec_update_done: spnego[0x56252a561b00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070] > [2019/10/15 07:06:26.589508, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:273(ntlmssp_client_challenge) > Got challenge flags: > [2019/10/15 07:06:26.589527, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0x62898215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_TARGET_TYPE_DOMAIN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_TARGET_INFO > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > [2019/10/15 07:06:26.589577, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug) > challenge: struct CHALLENGE_MESSAGE > Signature : 'NTLMSSP' > MessageType : NtLmChallenge (0x2) > TargetNameLen : 0x0008 (8) > 
TargetNameMaxLen : 0x0008 (8) > TargetName : * > TargetName : 'ASW' > NegotiateFlags : 0x62898215 (1653178901) > 1: NTLMSSP_NEGOTIATE_UNICODE > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 1: NTLMSSP_NEGOTIATE_SIGN > 0: NTLMSSP_NEGOTIATE_SEAL > 0: NTLMSSP_NEGOTIATE_DATAGRAM > 0: NTLMSSP_NEGOTIATE_LM_KEY > 0: NTLMSSP_NEGOTIATE_NETWARE > 1: NTLMSSP_NEGOTIATE_NTLM > 0: NTLMSSP_NEGOTIATE_NT_ONLY > 0: NTLMSSP_ANONYMOUS > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN > 1: NTLMSSP_TARGET_TYPE_DOMAIN > 0: NTLMSSP_TARGET_TYPE_SERVER > 0: NTLMSSP_TARGET_TYPE_SHARE > 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > 0: NTLMSSP_NEGOTIATE_IDENTIFY > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY > 1: NTLMSSP_NEGOTIATE_TARGET_INFO > 1: NTLMSSP_NEGOTIATE_VERSION > 1: NTLMSSP_NEGOTIATE_128 > 1: NTLMSSP_NEGOTIATE_KEY_EXCH > 0: NTLMSSP_NEGOTIATE_56 > ServerChallenge : 9577d49bcff93241 > Reserved : 0000000000000000 > TargetInfoLen : 0x00c2 (194) > TargetInfoMaxLen : 0x00c2 (194) > TargetInfo : * > TargetInfo: struct AV_PAIR_LIST > count : 0x00000007 (7) > pair: ARRAY(7) > pair: struct AV_PAIR > AvId : MsvAvNbDomainName (0x2) > AvLen : 0x0008 (8) > Value : union ntlmssp_AvValue(case 0x2) > AvNbDomainName : 'ASW' > pair: struct AV_PAIR > AvId : MsvAvNbComputerName (0x1) > AvLen : 0x0014 (20) > Value : union ntlmssp_AvValue(case 0x1) > AvNbComputerName : 'ASWSERVER' > pair: struct AV_PAIR > AvId : MsvAvDnsDomainName (0x4) > AvLen : 0x0024 (36) > Value : union ntlmssp_AvValue(case 0x4) > AvDnsDomainName : 'ASW.aswglobal.net' > pair: struct AV_PAIR > AvId : MsvAvDnsComputerName (0x3) > AvLen : 0x003a (58) > Value : union ntlmssp_AvValue(case 0x3) > AvDnsComputerName : 'aswserver.asw.aswglobal.net' > pair: struct AV_PAIR > AvId : MsvAvDnsTreeName (0x5) > AvLen : 0x0024 (36) > Value : 
union ntlmssp_AvValue(case 0x5) > AvDnsTreeName : 'ASW.aswglobal.net' > pair: struct AV_PAIR > AvDnsTreeName : 'ASW.aswglobal.net' > pair: struct AV_PAIR > AvId : MsvAvTimestamp (0x7) > AvLen : 0x0008 (8) > Value : union ntlmssp_AvValue(case 0x7) > AvTimestamp : Tue Oct 15 07:06:27 2019 EDT > pair: struct AV_PAIR > AvId : MsvAvEOL (0x0) > AvLen : 0x0000 (0) > Value : union ntlmssp_AvValue(case 0x0) > Version: struct ntlmssp_VERSION > ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_10 (0xA) > ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0) > ProductBuild : 0x3839 (14393) > Reserved : 000000 > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (0xF) > [2019/10/15 07:06:26.589905, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug) > authenticate: struct AUTHENTICATE_MESSAGE > Signature : 'NTLMSSP' > MessageType : NtLmAuthenticate (3) > LmChallengeResponseLen : 0x0000 (0) > LmChallengeResponseMaxLen: 0x0000 (0) > LmChallengeResponse : * > LmChallengeResponse : union ntlmssp_LM_RESPONSE_with_len(case 0) > NtChallengeResponseLen : 0x0000 (0) > NtChallengeResponseMaxLen: 0x0000 (0) > NtChallengeResponse : * > NtChallengeResponse : union ntlmssp_NTLM_RESPONSE_with_len(case 0) > DomainNameLen : 0x0000 (0) > DomainNameMaxLen : 0x0000 (0) > DomainName : * > DomainName : '' > UserNameLen : 0x0000 (0) > UserNameMaxLen : 0x0000 (0) > UserName : * > UserName : '' > WorkstationLen : 0x0000 (0) > WorkstationMaxLen : 0x0000 (0) > Workstation : * > Workstation : '' > EncryptedRandomSessionKeyLen: 0x0010 (16) > EncryptedRandomSessionKeyMaxLen: 0x0010 (16) > EncryptedRandomSessionKey: * > EncryptedRandomSessionKey: DATA_BLOB length=16 > [0000] 81 EE CC 4D B3 48 F7 A9 57 E9 E6 94 B7 55 59 DE ...M.H.. W....UY. 
> NegotiateFlags : 0x62008a15 (1644202517) > 1: NTLMSSP_NEGOTIATE_UNICODE > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 1: NTLMSSP_NEGOTIATE_SIGN > 0: NTLMSSP_NEGOTIATE_SEAL > 0: NTLMSSP_NEGOTIATE_DATAGRAM > 0: NTLMSSP_NEGOTIATE_LM_KEY > 0: NTLMSSP_NEGOTIATE_NETWARE > 1: NTLMSSP_NEGOTIATE_NTLM > 0: NTLMSSP_NEGOTIATE_NT_ONLY > 1: NTLMSSP_ANONYMOUS > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN > 0: NTLMSSP_TARGET_TYPE_DOMAIN > 0: NTLMSSP_TARGET_TYPE_SERVER > 0: NTLMSSP_TARGET_TYPE_SHARE > 0: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > 0: NTLMSSP_NEGOTIATE_IDENTIFY > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY > 0: NTLMSSP_NEGOTIATE_TARGET_INFO > 1: NTLMSSP_NEGOTIATE_VERSION > 1: NTLMSSP_NEGOTIATE_128 > 1: NTLMSSP_NEGOTIATE_KEY_EXCH > 0: NTLMSSP_NEGOTIATE_56 > Version: struct ntlmssp_VERSION > ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) > ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) > ProductBuild : 0x0000 (0) > Reserved: ARRAY(3) > [0] : 0x00 (0) > [1] : 0x00 (0) > [2] : 0x00 (0) > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) > [2019/10/15 07:06:26.590148, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:761(ntlmssp_client_challenge) > NTLMSSP: Set final flags: > [2019/10/15 07:06:26.590160, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0x62008a15 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_ANONYMOUS > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > [2019/10/15 07:06:26.590195, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset) > 
NTLMSSP Sign/Seal - Initialising with flags:
> [2019/10/15 07:06:26.590206, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_ANONYMOUS
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2019/10/15 07:06:26.590240, 5, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:638(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - using NTLM1

What version of Samba are you using?

It looks like it is using NTLM1, but the Windows domain probably isn't, try adding these lines to your smb.conf:

client min protocol = SMB2_02
server min protocol = SMB2_02

Rowland
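Added example (not part of the thread and not Samba code): a Python decoder for the NegotiateFlags values in the winbind log quoted above, comparing the NEGOTIATE, CHALLENGE and AUTHENTICATE messages and reporting what changed between the server's challenge and the client's final flags. The sample text is abridged from the log on this page; the function names and finding labels are illustrative.

```python
import re

# Bit values from MS-NLMP section 2.2.2.5; names as Samba's debug output prints them.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000100: "NTLMSSP_NEGOTIATE_NETWARE",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000400: "NTLMSSP_NEGOTIATE_NT_ONLY",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00004000: "NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00040000: "NTLMSSP_TARGET_TYPE_SHARE",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
ESS = "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY"

# Matches either a message header or a NegotiateFlags field in ndr_print_debug
# output; works on line-broken and on flattened log text alike.
TOKEN_RE = re.compile(
    r"struct (NEGOTIATE|CHALLENGE|AUTHENTICATE)_MESSAGE"
    r"|NegotiateFlags\s*:\s*(0x[0-9a-fA-F]+)"
)

# Constructed sample: abridged from the wb-DOMAIN log quoted on this page.
SAMPLE_LOG = """\
negotiate: struct NEGOTIATE_MESSAGE
    MessageType : NtLmNegotiate (1)
    NegotiateFlags : 0x62088215 (1644724757)
challenge: struct CHALLENGE_MESSAGE
    MessageType : NtLmChallenge (0x2)
    NegotiateFlags : 0x62898215 (1653178901)
authenticate: struct AUTHENTICATE_MESSAGE
    MessageType : NtLmAuthenticate (3)
    UserName : ''
    NegotiateFlags : 0x62008a15 (1644202517)
"""


def decode_flags(value):
    """Return the set of flag names set in a 32-bit NegotiateFlags value."""
    return {name for bit, name in NTLMSSP_FLAGS.items() if value & bit}


def flags_per_message(log_text):
    """Map each NTLMSSP message type to the first NegotiateFlags logged for it."""
    result, current = {}, None
    for match in TOKEN_RE.finditer(log_text):
        if match.group(1):
            current = match.group(1)
        elif current is not None and current not in result:
            result[current] = int(match.group(2), 16)
    return result


def review_handshake(log_text):
    """Compare the three messages and label the security-relevant differences."""
    msgs = flags_per_message(log_text)
    missing = [t for t in ("NEGOTIATE", "CHALLENGE", "AUTHENTICATE") if t not in msgs]
    if missing:
        raise ValueError("log is missing message(s): " + ", ".join(missing))
    offered = decode_flags(msgs["NEGOTIATE"])
    accepted = decode_flags(msgs["CHALLENGE"])
    final = decode_flags(msgs["AUTHENTICATE"])
    findings = []
    if "NTLMSSP_ANONYMOUS" in final:
        # Client sent no user credentials: this is an anonymous session.
        findings.append("anonymous-session")
    if ESS in offered and ESS in accepted and ESS not in final:
        # Both sides offered extended session security, yet the final flags lack it.
        findings.append("ess-dropped")
    return {
        "flags": msgs,
        "added": sorted(final - accepted),
        "dropped": sorted(accepted - final),
        "findings": findings,
    }


if __name__ == "__main__":
    report = review_handshake(SAMPLE_LOG)
    for key in ("added", "dropped", "findings"):
        print(key + ":", ", ".join(report[key]) or "-")
```

On the log from this page it reports an anonymous AUTHENTICATE message whose final flags no longer carry extended session security, which is the point at which the log prints "using NTLM1".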
L.P.H. van Belle
2019-Oct-16 14:20 UTC
[Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
Hai,

Can you try this.

kinit Administrator
samba-tool domain trust create asw.aswglobal.net --quarantined=yes \
  -U"Administrator@ASW.ASWGLOBAL.NET" -k yes \
  --local-dc-username=Administrator@OTHER.ASWGLOBAL.NET --local-dc-kerberos=yes \
  -d 10

You might also have hit:
https://bugzilla.samba.org/show_bug.cgi?id=14106
Fix spnego fallback from kerberos to ntlmssp in smbd server
Or
https://bugzilla.samba.org/show_bug.cgi?id=13884
Joining Active Directory should not use SAMR to set the password
Or
https://bugzilla.samba.org/show_bug.cgi?id=13491
Can't join SAMBA4 DC to a Microsoft Active Directory forest

These are not exactly the same but your problem looks about the same.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of ASW Global via samba
> Sent: Wednesday 16 October 2019 14:41
> To: Rowland penny; samba at lists.samba.org
> Subject: Re: [Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
>
> Hi Rowland,
>
> I made the change to my smb.conf but I still get that error message that talks about NTLM1. Here is the full error I get when creating the domain trust. I am going to try creating the trust on a computer with the latest version of SAMBA+ to see if that works.
> > # samba-tool domain trust create asw.aswglobal.net > --quarantined=yes -U"Administrator at ASW.ASWGLOBAL.NET" > --local-dc-username=Administrator at OTHER.ASWGLOBAL.NET -d 10 > INFO: Current debug levels: > all: 10 > tdb: 10 > printdrivers: 10 > lanman: 10 > smb: 10 > rpc_parse: 10 > rpc_srv: 10 > rpc_cli: 10 > passdb: 10 > sam: 10 > auth: 10 > winbind: 10 > vfs: 10 > idmap: 10 > quota: 10 > acls: 10 > locking: 10 > msdfs: 10 > dmapi: 10 > registry: 10 > scavenger: 10 > dns: 10 > ldb: 10 > tevent: 10 > auth_audit: 10 > auth_json_audit: 10 > kerberos: 10 > drs_repl: 10 > smb2: 10 > smb2_credits: 10 > dsdb_audit: 10 > dsdb_json_audit: 10 > dsdb_password_audit: 10 > dsdb_password_json_audit: 10 > dsdb_transaction_audit: 10 > dsdb_transaction_json_audit: 10 > dsdb_group_audit: 10 > dsdb_group_json_audit: 10 > lpcfg_load: refreshing parameters from /etc/samba/smb.conf > Processing section "[global]" > Processing section "[sysvol]" > Processing section "[netlogon]" > pm_process() returned Yes > GENSEC backend 'gssapi_spnego' registered > GENSEC backend 'gssapi_krb5' registered > GENSEC backend 'gssapi_krb5_sasl' registered > GENSEC backend 'spnego' registered > GENSEC backend 'schannel' registered > GENSEC backend 'naclrpc_as_system' registered > GENSEC backend 'sasl-EXTERNAL' registered > GENSEC backend 'ntlmssp' registered > GENSEC backend 'ntlmssp_resume_ccache' registered > GENSEC backend 'http_basic' registered > GENSEC backend 'http_ntlm' registered > GENSEC backend 'http_negotiate' registered > GENSEC backend 'krb5' registered > GENSEC backend 'fake_gssapi_krb5' registered > Using binding ncalrpc:ASW-RSX[,auth_type=ncalrpc_as_system] > Mapped to DCERPC endpoint EPMAPPER > added interface lo ip=127.0.0.1 bcast=127.255.255.255 > netmask=255.0.0.0 > added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 > netmask=255.255.255.224 > added interface lo ip=127.0.0.1 bcast=127.255.255.255 > netmask=255.0.0.0 > added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 > 
netmask=255.255.255.224
> Starting GENSEC mechanism naclrpc_as_system
> gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2475220
> gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2475220/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x24753d0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2486740
> gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_OK tevent_req[0x2486740/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x24868f0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
> rpc request data:
> [0000] 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> (...garbage...)
> [0070] 00 00 00 00 00 00 00 00 01 00 00 00  ........ ....
> rpc reply data:
> [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> (...garbage...)
> Mapped to DCERPC endpoint DEFAULT
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> Starting GENSEC mechanism naclrpc_as_system
> gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2475220
> gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2475220/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x24753d0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2486dc0
> gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_OK tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
> rpc request data:
> [0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00  ........ ........
> (...garbage...)
> [0030] 00 00 00 00 29 00 00 00  ....)...
> rpc reply data:
> [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85  ..... .x ..DF....
> (...garbage...)
> rpc request data:
> [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85  ..... .x ..DF....
> (...garbage...)
> rpc reply data:
> [0000] 00 00 02 00 0C 00 00 00 06 00 08 00 04 00 02 00  ........ ........
> (...garbage...)
> [00C0] 5B CF 86 04 00 00 00 00  [.......
> LocalDomain Netbios[OTHER] DNS[other.aswglobal.net] SID[S-1-5-21-1812336436-162148099-75943771]
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> finddcs: searching for a DC by DNS domain asw.aswglobal.net
> finddcs: looking for SRV records for _ldap._tcp.asw.aswglobal.net
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.asw.aswglobal.net<0x0>
> getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C
> dns_lookup_send_next: Sending DNS request #0 to 127.0.0.53
> dns_cli_request_send: Asking 127.0.0.53 for _ldap._tcp.asw.aswglobal.net./1/33 via UDP
> [0000] 9F F2 01 00 00 01 00 00 00 00 00 00 05 5F 6C 64  ........ ....._ld
> (...garbage...)
> dns_lookup_send_next: cancelling wait_subreq
> [0000] 9F F2 81 80 00 01 00 01 00 00 00 00 05 5F 6C 64  ........ ....._ld
> (...garbage...)
> dns_cli_request_udp_done: Got op=8180 1/1/0/0 recs
> finddcs: DNS SRV response 0 at '10.0.0.42'
> finddcs: performing CLDAP query on 10.0.0.42
> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
>     command : LOGON_SAM_LOGON_RESPONSE_EX (23)
>     sbz : 0x0000 (0)
>     server_type : 0x0001f1fd (127485)
>         1: NBT_SERVER_PDC
>         1: NBT_SERVER_GC
>         1: NBT_SERVER_LDAP
>         1: NBT_SERVER_DS
>         1: NBT_SERVER_KDC
>         1: NBT_SERVER_TIMESERV
>         1: NBT_SERVER_CLOSEST
>         1: NBT_SERVER_WRITABLE
>         0: NBT_SERVER_GOOD_TIMESERV
>         0: NBT_SERVER_NDNC
>         0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
>         1: NBT_SERVER_FULL_SECRET_DOMAIN_6
>         1: NBT_SERVER_ADS_WEB_SERVICE
>         1: NBT_SERVER_DS_8
>         0: NBT_SERVER_HAS_DNS_NAME
>         0: NBT_SERVER_IS_DEFAULT_NC
>         0: NBT_SERVER_FOREST_ROOT
>     domain_uuid : ba3d2257-3ed3-4a7e-b58a-244488d8a6db
>     forest : 'asw.aswglobal.net'
>     dns_domain : 'asw.aswglobal.net'
>     pdc_dns_name : 'aswserver.asw.aswglobal.net'
>     domain_name : 'ASW'
>     pdc_name : 'ASWSERVER'
>     user_name : ''
>     server_site : 'Default-First-Site-Name'
>     client_site : 'Default-First-Site-Name'
>     sockaddr_size : 0x00 (0)
>     sockaddr: struct nbt_sockaddr
>         sockaddr_family : 0x00000000 (0)
>         pdc_ip : (null)
>         remaining : DATA_BLOB length=0
>     next_closest_site : NULL
>     nt_version : 0x00000005 (5)
>         1: NETLOGON_NT_VERSION_1
>         0: NETLOGON_NT_VERSION_5
>         1: NETLOGON_NT_VERSION_5EX
>         0: NETLOGON_NT_VERSION_5EX_WITH_IP
>         0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
>         0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
>         0: NETLOGON_NT_VERSION_PDC
>         0: NETLOGON_NT_VERSION_IP
>         0: NETLOGON_NT_VERSION_LOCAL
>         0: NETLOGON_NT_VERSION_GC
>     lmnt_token : 0xffff (65535)
>     lm20_token : 0xffff (65535)
> finddcs: Found matching DC 10.0.0.42 with server_type=0x0001f1fd
> RemoteDC Netbios[ASWSERVER] DNS[aswserver.asw.aswglobal.net] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8,__unknown_00018000__]
> Using binding ncacn_np:aswserver.asw.aswglobal.net
> Mapped to DCERPC endpoint \pipe\lsarpc
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> resolve_lmhosts: Attempting lmhosts lookup for name aswserver.asw.aswglobal.net<0x20>
> getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C
> Socket options:
>     SO_KEEPALIVE = 0
>     SO_REUSEADDR = 0
>     SO_BROADCAST = 0
>     TCP_NODELAY = 1
>     TCP_KEEPCNT = 9
>     TCP_KEEPIDLE = 7200
>     TCP_KEEPINTVL = 75
>     IPTOS_LOWDELAY = 0
>     IPTOS_THROUGHPUT = 0
>     SO_REUSEPORT = 0
>     SO_SNDBUF = 87040
>     SO_RCVBUF = 131072
>     SO_SNDLOWAT = 1
>     SO_RCVLOWAT = 1
>     SO_SNDTIMEO = 0
>     SO_RCVTIMEO = 0
>     TCP_QUICKACK = 1
>     TCP_DEFER_ACCEPT = 0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Password for [Administrator at ASW.ASWGLOBAL.NET]:
> Received smb_krb5 packet of length 169
> Received smb_krb5 packet of length 108
> kinit for Administrator at ASW.ASWGLOBAL.NET succeeded
> gensec_update_send: gssapi_krb5[0x2486130]: subreq: 0x2486dc0
> gensec_update_send: spnego[0x249da80]: subreq: 0x24a3cc0
> gensec_update_done: gssapi_krb5[0x2486130]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2486dc0/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x2486f70)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1065]
> gensec_update_done: spnego[0x249da80]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x24a3cc0/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x24a3e70)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
> gensec_update_send: gssapi_krb5[0x2486130]: subreq: 0x24ab540
> gensec_update_send: spnego[0x249da80]: subreq: 0x24ada20
> gensec_update_done: gssapi_krb5[0x2486130]: NT_STATUS_OK tevent_req[0x24ab540/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x24ab6f0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1072]
> gensec_update_done: spnego[0x249da80]: NT_STATUS_OK tevent_req[0x24ada20/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x24adbd0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
> signed SMB2 message
> signed SMB2 message
> signed SMB2 message
> rpc request data:
> [0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00  ........ ........
> (...garbage...)
> [0030] 00 00 00 00 29 00 00 00  ....)...
> signed SMB2 message
> rpc reply data:
> (...garbage...)
> rpc request data:
> (...garbage...)
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 02 00 0C 00 00 00 08 00 0A 00 04 00 02 00  ........ ........
> (...garbage...)
> [00C0] AF B2 B1 5B 00 00 00 00  ...[....
> RemoteDomain Netbios[ASW] DNS[asw.aswglobal.net] SID[S-1-5-21-822572291-61738364-1538372271]
> rpc request data:
> [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85  ..... .x ..DF....
> (...garbage...)
> [0040] 61 00 6C 00 2E 00 6E 00 65 00 74 00 08 00  a.l...n. e.t...
> rpc reply data:
> [0000] 00 00 00 00 34 00 00 C0  ....4...
> rpc request data:
> [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85  ..... .x ..DF....
> (...garbage...)
> [0030] 08 00  ..
> rpc reply data:
> [0000] 00 00 00 00 34 00 00 C0  ....4...
> rpc request data:
> [0000] 00 00 00 00 D2 23 8F A2 E0 F9 0F 40 A0 98 2A BD  .....#.. ...@..*.
> (...garbage...)
> [0040] 6C 00 2E 00 6E 00 65 00 74 00 08 00  l...n.e. t...
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 00 00 34 00 00 C0  ....4...
> rpc request data:
> [0000] 00 00 00 00 D2 23 8F A2 E0 F9 0F 40 A0 98 2A BD  .....#.. ...@..*.
> (...garbage...)
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 00 00 34 00 00 C0  ....4...
> Using binding ncalrpc:ASW-RSX[,auth_type=ncalrpc_as_system]
> Mapped to DCERPC endpoint EPMAPPER
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> Starting GENSEC mechanism naclrpc_as_system
> gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486dc0
> gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486a80
> gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_OK tevent_req[0x2486a80/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x2486c30)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
> rpc request data:
> [0000] 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> (...garbage...)
> rpc reply data:
> [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> (...garbage...)
> Mapped to DCERPC endpoint DEFAULT
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> Starting GENSEC mechanism naclrpc_as_system
> gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486dc0
> gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x24ab540
> gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_OK tevent_req[0x24ab540/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x24ab6f0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
> rpc request data:
> [0000] 00 00 02 00 08 00 00 00 00 00 00 00 08 00 00 00  ........ ........
> (...garbage...)
> [0030] 00 00 00 00 00 00 00 40  .......@
> rpc reply data:
> [0000] 04 00 02 00 08 00 02 00 0C 00 02 00 01 00 00 00  ........ ........
> (...garbage...)
> [0170] 65 00 00 00 00 00 00 00  e.......
> Using binding ncacn_np:aswserver.asw.aswglobal.net
> Mapped to DCERPC endpoint \pipe\netlogon
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
> resolve_lmhosts: Attempting lmhosts lookup for name aswserver.asw.aswglobal.net<0x20>
> getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C
> Socket options:
>     SO_KEEPALIVE = 0
>     SO_REUSEADDR = 0
>     SO_BROADCAST = 0
>     TCP_NODELAY = 1
>     TCP_KEEPCNT = 9
>     TCP_KEEPIDLE = 7200
>     TCP_KEEPINTVL = 75
>     IPTOS_LOWDELAY = 0
>     IPTOS_THROUGHPUT = 0
>     SO_REUSEPORT = 0
>     SO_SNDBUF = 87040
>     SO_RCVBUF = 131072
>     SO_SNDLOWAT = 1
>     SO_RCVLOWAT = 1
>     SO_SNDTIMEO = 0
>     SO_RCVTIMEO = 0
>     TCP_QUICKACK = 1
>     TCP_DEFER_ACCEPT = 0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> GSSAPI credentials for Administrator at ASW.ASWGLOBAL.NET will expire in 36000 secs
> gensec_update_send: gssapi_krb5[0x24b7e90]: subreq: 0x24ab540
> gensec_update_send: spnego[0x249dd90]: subreq: 0x24b6710
> gensec_update_done: gssapi_krb5[0x24b7e90]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x24ab540/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x24ab6f0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1065]
> gensec_update_done: spnego[0x249dd90]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x24b6710/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x24b68c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
> gensec_update_send: gssapi_krb5[0x24b7e90]: subreq: 0x2141650
> gensec_update_send: spnego[0x249dd90]: subreq: 0x24b6710
> gensec_update_done: gssapi_krb5[0x24b7e90]: NT_STATUS_OK tevent_req[0x2141650/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x2141800)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1072]
> gensec_update_done: spnego[0x249dd90]: NT_STATUS_OK tevent_req[0x24b6710/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x24b68c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
> signed SMB2 message
> signed SMB2 message
> signed SMB2 message
> rpc request data:
> [0000] 00 00 02 00 1E 00 00 00 00 00 00 00 1E 00 00 00  ........ ........
> (...garbage...)
> [0060] 00 00 00 40  ...@
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 02 00 04 00 02 00 08 00 02 00 01 00 00 00  ........ ........
> (...garbage...)
> [0180] 65 00 00 00 00 00 00 00  e.......
> Creating remote TDO.
> rpc request data:
> [0000] 00 00 00 00 D2 23 8F A2 E0 F9 0F 40 A0 98 2A BD  .....#.. ...@..*.
> (...garbage...)
> [04C0] 7F 00 0F 00  ....
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 00 00 E6 07 5D 60 F1 A0 66 40 AC 41 65 15  ......]` ..f@.Ae.
> [0010] A7 97 42 7B 00 00 00 00  ..B{....
> Remote TDO created.
> Setting supported encryption types on remote TDO.
> rpc request data:
> [0000] 00 00 00 00 E6 07 5D 60 F1 A0 66 40 AC 41 65 15  ......]` ..f@.Ae.
> [0010] A7 97 42 7B 0D 00 0D 00 18 00 00 00  ..B{.... ....
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 00 00  ....
> Creating local TDO.
> rpc request data:
> [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85  ..... .x ..DF....
> (...garbage...)
> [04C0] 7F 00 0F 00  ....
> rpc reply data:
> [0000] 03 00 00 00 D8 84 B1 B4 EF 1F B6 45 BC 4E DC 36  ........ ...E.N.6
> [0010] 31 C7 21 9F 00 00 00 00  1.!.....
> Local TDO created
> Setting supported encryption types on local TDO.
> rpc request data:
> [0000] 03 00 00 00 D8 84 B1 B4 EF 1F B6 45 BC 4E DC 36  ........ ...E.N.6
> [0010] 31 C7 21 9F 0D 00 0D 00 18 00 00 00  1.!..... ....
> rpc reply data:
> [0000] 00 00 00 00  ....
> Validating outgoing trust...
> rpc request data:
> (...garbage...)
> [0060] 74 00 00 00 00 00 00 00  t.......
> ERROR: LocalValidation: DC[\\aswserver.asw.aswglobal.net] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
> signed SMB2 message
> signed SMB2 message
> Thanks
>
> ________________________________
> From: Rowland penny <rpenny at samba.org>
> Sent: Tuesday, October 15, 2019 9:23 AM
> To: samba at lists.samba.org <samba at lists.samba.org>
> Subject: Re: [Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
>
> On 15/10/2019 13:56, ASW Global via samba wrote:
> > I've read the documentation that domain trusts should be fully supported with both Kerberos and NTLM authentication. I've created a new 2016 domain on a Windows box and created a Samba domain on a Linux box with a BIND9_DLZ backend. Both servers can resolve both DNS domains forwards and backwards and I am able to connect a Windows 10 client to the Samba domain without any issues. The problem occurs when I create a full external trust between the two domains. The trust is created successfully with samba-tool however the verify fails with TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED.
> >
> > The end result is a trust relation that fully works with Kerberos authentication (such as logging in on the trusted domain from a domain connected to the other) but this won't work with NTLM authentication outside of its realm.
> > I am constantly getting this error message in the wb-DOMAIN logs:
> >
> > Starting GENSEC submechanism ntlmssp
> > [2019/10/15 07:06:26.589018, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
> >     negotiate: struct NEGOTIATE_MESSAGE
> >         Signature : 'NTLMSSP'
> >         MessageType : NtLmNegotiate (1)
> >         NegotiateFlags : 0x62088215 (1644724757)
> >             1: NTLMSSP_NEGOTIATE_UNICODE
> >             0: NTLMSSP_NEGOTIATE_OEM
> >             1: NTLMSSP_REQUEST_TARGET
> >             1: NTLMSSP_NEGOTIATE_SIGN
> >             0: NTLMSSP_NEGOTIATE_SEAL
> >             0: NTLMSSP_NEGOTIATE_DATAGRAM
> >             0: NTLMSSP_NEGOTIATE_LM_KEY
> >             0: NTLMSSP_NEGOTIATE_NETWARE
> >             1: NTLMSSP_NEGOTIATE_NTLM
> >             0: NTLMSSP_NEGOTIATE_NT_ONLY
> >             0: NTLMSSP_ANONYMOUS
> >             0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> >             0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> >             0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> >             1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >             0: NTLMSSP_TARGET_TYPE_DOMAIN
> >             0: NTLMSSP_TARGET_TYPE_SERVER
> >             0: NTLMSSP_TARGET_TYPE_SHARE
> >             1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >             0: NTLMSSP_NEGOTIATE_IDENTIFY
> >             0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> >             0: NTLMSSP_NEGOTIATE_TARGET_INFO
> >             1: NTLMSSP_NEGOTIATE_VERSION
> >             1: NTLMSSP_NEGOTIATE_128
> >             1: NTLMSSP_NEGOTIATE_KEY_EXCH
> >             0: NTLMSSP_NEGOTIATE_56
> >         DomainNameLen : 0x0000 (0)
> >         DomainNameMaxLen : 0x0000 (0)
> >         DomainName : *
> >             DomainName : ''
> >         WorkstationLen : 0x0000 (0)
> >         WorkstationMaxLen : 0x0000 (0)
> >         Workstation : *
> >             Workstation : ''
> >         Version: struct ntlmssp_VERSION
> >             ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
> >             ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
> >             ProductBuild : 0x0000 (0)
> >             Reserved: ARRAY(3)
> >                 [0] : 0x00 (0)
> >                 [1] : 0x00 (0)
> >                 [2] : 0x00 (0)
> >             NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
> > [2019/10/15 07:06:26.589188, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
> >   gensec_update_send: ntlmssp[0x5625297aa300]: subreq: 0x5625299b9330
> > [2019/10/15 07:06:26.589207, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
> >   gensec_update_send: spnego[0x56252a561b00]: subreq: 0x562529ff3510
> > [2019/10/15 07:06:26.589223, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
> >   gensec_update_done: ntlmssp[0x5625297aa300]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5625299b9330/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x5625299b94e0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215]
> > [2019/10/15 07:06:26.589246, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
> >   gensec_update_done: spnego[0x56252a561b00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
> > [2019/10/15 07:06:26.589508, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:273(ntlmssp_client_challenge)
> >   Got challenge flags:
> > [2019/10/15 07:06:26.589527, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> >   Got NTLMSSP neg_flags=0x62898215
> >     NTLMSSP_NEGOTIATE_UNICODE
> >     NTLMSSP_REQUEST_TARGET
> >     NTLMSSP_NEGOTIATE_SIGN
> >     NTLMSSP_NEGOTIATE_NTLM
> >     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >     NTLMSSP_TARGET_TYPE_DOMAIN
> >     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >     NTLMSSP_NEGOTIATE_TARGET_INFO
> >     NTLMSSP_NEGOTIATE_VERSION
> >     NTLMSSP_NEGOTIATE_128
> >     NTLMSSP_NEGOTIATE_KEY_EXCH
> > [2019/10/15 07:06:26.589577, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
> >     challenge: struct CHALLENGE_MESSAGE
> >         Signature : 'NTLMSSP'
> >         MessageType : NtLmChallenge (0x2)
> >         TargetNameLen : 0x0008 (8)
> >         TargetNameMaxLen : 0x0008 (8)
> >         TargetName : *
> >             TargetName : 'ASW'
> >         NegotiateFlags : 0x62898215 (1653178901)
> >             1: NTLMSSP_NEGOTIATE_UNICODE
> >             0: NTLMSSP_NEGOTIATE_OEM
> >             1: NTLMSSP_REQUEST_TARGET
> >             1: NTLMSSP_NEGOTIATE_SIGN
> >             0: NTLMSSP_NEGOTIATE_SEAL
> >             0: NTLMSSP_NEGOTIATE_DATAGRAM
> >             0: NTLMSSP_NEGOTIATE_LM_KEY
> >             0: NTLMSSP_NEGOTIATE_NETWARE
> >             1: NTLMSSP_NEGOTIATE_NTLM
> >             0: NTLMSSP_NEGOTIATE_NT_ONLY
> >             0: NTLMSSP_ANONYMOUS
> >             0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> >             0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> >             0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> >             1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >             1: NTLMSSP_TARGET_TYPE_DOMAIN
> >             0: NTLMSSP_TARGET_TYPE_SERVER
> >             0: NTLMSSP_TARGET_TYPE_SHARE
> >             1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >             0: NTLMSSP_NEGOTIATE_IDENTIFY
> >             0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> >             1: NTLMSSP_NEGOTIATE_TARGET_INFO
> >             1: NTLMSSP_NEGOTIATE_VERSION
> >             1: NTLMSSP_NEGOTIATE_128
> >             1: NTLMSSP_NEGOTIATE_KEY_EXCH
> >             0: NTLMSSP_NEGOTIATE_56
> >         ServerChallenge : 9577d49bcff93241
> >         Reserved : 0000000000000000
> >         TargetInfoLen : 0x00c2 (194)
> >         TargetInfoMaxLen : 0x00c2 (194)
> >         TargetInfo : *
> >             TargetInfo: struct AV_PAIR_LIST
> >                 count : 0x00000007 (7)
> >                 pair: ARRAY(7)
> >                     pair: struct AV_PAIR
> >                         AvId : MsvAvNbDomainName (0x2)
> >                         AvLen : 0x0008 (8)
> >                         Value : union ntlmssp_AvValue(case 0x2)
> >                         AvNbDomainName : 'ASW'
> >                     pair: struct AV_PAIR
> >                         AvId : MsvAvNbComputerName (0x1)
> >                         AvLen : 0x0014 (20)
> >                         Value : union ntlmssp_AvValue(case 0x1)
> >                         AvNbComputerName : 'ASWSERVER'
> >                     pair: struct AV_PAIR
> >                         AvId : MsvAvDnsDomainName (0x4)
> >                         AvLen : 0x0024 (36)
> >                         Value : union ntlmssp_AvValue(case 0x4)
> >                         AvDnsDomainName : 'ASW.aswglobal.net'
> >                     pair: struct AV_PAIR
> >                         AvId : MsvAvDnsComputerName (0x3)
> >                         AvLen : 0x003a (58)
> >                         Value : union ntlmssp_AvValue(case 0x3)
> >                         AvDnsComputerName : 'aswserver.asw.aswglobal.net'
> >                     pair: struct AV_PAIR
> >                         AvId : MsvAvDnsTreeName (0x5)
> >                         AvLen : 0x0024 (36)
> >                         Value : union ntlmssp_AvValue(case 0x5)
> >                         AvDnsTreeName : 'ASW.aswglobal.net'
> >                     pair: struct AV_PAIR
> >                         AvId : MsvAvTimestamp (0x7)
> >                         AvLen : 0x0008 (8)
> >                         Value : union ntlmssp_AvValue(case 0x7)
> >                         AvTimestamp : Tue Oct 15 07:06:27 2019 EDT
> >                     pair: struct AV_PAIR
> >                         AvId : MsvAvEOL (0x0)
> >                         AvLen : 0x0000 (0)
> >                         Value : union ntlmssp_AvValue(case 0x0)
> >         Version: struct ntlmssp_VERSION
> >             ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_10 (0xA)
> >             ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0)
> >             ProductBuild : 0x3839 (14393)
> >             Reserved : 000000
> >             NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (0xF)
> > [2019/10/15 07:06:26.589905, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
> >     authenticate: struct AUTHENTICATE_MESSAGE
> >         Signature : 'NTLMSSP'
> >         MessageType : NtLmAuthenticate (3)
> >         LmChallengeResponseLen : 0x0000 (0)
> >         LmChallengeResponseMaxLen: 0x0000 (0)
> >         LmChallengeResponse : *
> >             LmChallengeResponse : union ntlmssp_LM_RESPONSE_with_len(case 0)
> >         NtChallengeResponseLen : 0x0000 (0)
> >         NtChallengeResponseMaxLen: 0x0000 (0)
> >         NtChallengeResponse : *
> >             NtChallengeResponse : union ntlmssp_NTLM_RESPONSE_with_len(case 0)
> >         DomainNameLen : 0x0000 (0)
> >         DomainNameMaxLen : 0x0000 (0)
> >         DomainName : *
> >             DomainName : ''
> >         UserNameLen : 0x0000 (0)
> >         UserNameMaxLen : 0x0000 (0)
> >         UserName : *
> >             UserName : ''
> >         WorkstationLen : 0x0000 (0)
> >         WorkstationMaxLen : 0x0000 (0)
> >         Workstation : *
> >             Workstation : ''
> >         EncryptedRandomSessionKeyLen: 0x0010 (16)
> >         EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
> >         EncryptedRandomSessionKey: *
> >             EncryptedRandomSessionKey: DATA_BLOB length=16
> >             [0000] 81 EE CC 4D B3 48 F7 A9 57 E9 E6 94 B7 55 59 DE  ...M.H.. W....UY.
> >         NegotiateFlags : 0x62008a15 (1644202517)
> >             1: NTLMSSP_NEGOTIATE_UNICODE
> >             0: NTLMSSP_NEGOTIATE_OEM
> >             1: NTLMSSP_REQUEST_TARGET
> >             1: NTLMSSP_NEGOTIATE_SIGN
> >             0: NTLMSSP_NEGOTIATE_SEAL
> >             0: NTLMSSP_NEGOTIATE_DATAGRAM
> >             0: NTLMSSP_NEGOTIATE_LM_KEY
> >             0: NTLMSSP_NEGOTIATE_NETWARE
> >             1: NTLMSSP_NEGOTIATE_NTLM
> >             0: NTLMSSP_NEGOTIATE_NT_ONLY
> >             1: NTLMSSP_ANONYMOUS
> >             0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> >             0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> >             0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> >             1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >             0: NTLMSSP_TARGET_TYPE_DOMAIN
> >             0: NTLMSSP_TARGET_TYPE_SERVER
> >             0: NTLMSSP_TARGET_TYPE_SHARE
> >             0: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >             0: NTLMSSP_NEGOTIATE_IDENTIFY
> >             0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> >             0: NTLMSSP_NEGOTIATE_TARGET_INFO
> >             1: NTLMSSP_NEGOTIATE_VERSION
> >             1: NTLMSSP_NEGOTIATE_128
> >             1: NTLMSSP_NEGOTIATE_KEY_EXCH
> >             0: NTLMSSP_NEGOTIATE_56
> >         Version: struct ntlmssp_VERSION
> >             ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
> >             ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
> >             ProductBuild : 0x0000 (0)
> >             Reserved: ARRAY(3)
> >                 [0] : 0x00 (0)
> >                 [1] : 0x00 (0)
> >                 [2] : 0x00 (0)
> >             NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
> > [2019/10/15 07:06:26.590148, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:761(ntlmssp_client_challenge)
> >   NTLMSSP: Set final flags:
> > [2019/10/15 07:06:26.590160, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> >   Got NTLMSSP neg_flags=0x62008a15
> >     NTLMSSP_NEGOTIATE_UNICODE
> >     NTLMSSP_REQUEST_TARGET
> >     NTLMSSP_NEGOTIATE_SIGN
> >     NTLMSSP_NEGOTIATE_NTLM
> >     NTLMSSP_ANONYMOUS
> >     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >     NTLMSSP_NEGOTIATE_VERSION
> >     NTLMSSP_NEGOTIATE_128
> >     NTLMSSP_NEGOTIATE_KEY_EXCH
> > [2019/10/15 07:06:26.590195, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset)
> >   NTLMSSP Sign/Seal - Initialising with flags:
> > [2019/10/15 07:06:26.590206, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> >   Got NTLMSSP neg_flags=0x62008a15
> >     NTLMSSP_NEGOTIATE_UNICODE
> >     NTLMSSP_REQUEST_TARGET
> >     NTLMSSP_NEGOTIATE_SIGN
> >     NTLMSSP_NEGOTIATE_NTLM
> >     NTLMSSP_ANONYMOUS
> >     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >     NTLMSSP_NEGOTIATE_VERSION
> >     NTLMSSP_NEGOTIATE_128
> >     NTLMSSP_NEGOTIATE_KEY_EXCH
> > [2019/10/15 07:06:26.590240, 5, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:638(ntlmssp_sign_reset)
> >   NTLMSSP Sign/Seal - using NTLM1
>
> What version of Samba are you using?
>
> It looks like it is using NTLM1, but the Windows domain probably isn't,
> try adding these lines to your smb.conf:
>
> client min protocol = SMB2_02
> server min protocol = SMB2_02
>
> Rowland