Hello all,
I have 3 Linux boxes all authenticating against 2 Windows 2003 domain
controllers. Each Linux box is running a different Linux and samba version:
Box1: CentOS 3.4 3.0.25-7
Box2: CentOS 4.4 3.0.10-1
Box3: CentOS 5 3.0.23c-2
Their smb.conf and krb5.conf files are all identical (below). A few days
ago authentication stopped working and my /var/log/messages fills up
with "signing_good: BAD SIG: seq 1" and "SMB Signature verification
failed on incoming packet!" errors. When someone tries to log into one
of the machines I get an "internal module error" and
"NT_STATUS_LOGON_TYPE_NOT_GRANTED" messages.
I've been on this for 2 full days now, I've tried everything I could
think of. Any help would be appreciated.
Regards,
Dan O'Brien
(conf files and messages below)
/var/log/messages
...
May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
libsmb/smb_signing.c:signing_good(240)
May 21 16:58:13 scandium winbindd[14882]: signing_good: BAD SIG: seq 1
May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
libsmb/clientgen.c:cli_receive_smb(121)
May 21 16:58:13 scandium winbindd[14882]: SMB Signature verification
failed on incoming packet!
May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
libsmb/smb_signing.c:signing_good(240)
May 21 16:58:13 scandium winbindd[14882]: signing_good: BAD SIG: seq 1
May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
libsmb/clientgen.c:cli_receive_smb(121)
May 21 16:58:13 scandium winbindd[14882]: SMB Signature verification
failed on incoming packet!
May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
libsmb/smb_signing.c:signing_good(240)
May 21 16:58:13 scandium winbindd[14882]: signing_good: BAD SIG: seq 1
May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
libsmb/clientgen.c:cli_receive_smb(121)
May 21 16:58:13 scandium winbindd[14882]: SMB Signature verification
failed on incoming packet!
May 21 16:58:13 scandium pam_winbind[17827]: request failed:
NT_STATUS_LOGON_TYPE_NOT_GRANTED, PAM error was 4, NT error was
NT_STATUS_LOGON_TYPE_NOT_GRANTED
May 21 16:58:13 scandium pam_winbind[17827]: internal module error
(retval = 4, user = `user'
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MYDOMAIN.COM = {
kdc = mydomain.com
admin_server = dc1.mydomain.com
default_domain = mydomain.com
kdc = dc1.mydomain.com
kdc = dc2.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
smb.conf
[global]
realm = MYDOMAIN.COM
workgroup = mydomain
server string = Scandium
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
printcap name = /etc/printcap
load printers = yes
cups options = raw
log level = 9
log file = /var/log/samba/%m.log
max log size = 50
password server = dc2.mydomain.com dc2.mydomain.com
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
dns proxy = no
Dan O'Brien
2007-May-22 21:42 UTC
[Samba] [SOLVED] Re: Active Directory authentication no longer works
After days of banging my head against my desk we've managed to find the cause of the issue.

The problem was in the group policy on the domain controllers, under "Default Domain Controller Security Settings" -> Local Policies -> Security Options:

Allow anonymous SID/Name translation: was set to disabled
Do not allow anonymous enumeration of SAM accounts and Shares: was Enabled

Once we changed these (and disabled the "No Override" bit on the default domain policy), everything started working again.

Hope this helps someone else.

Regards,
Dan
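Log triage for the symptom pattern in this thread, added here as an example and not part of the original posts: it pairs each pam_winbind logon failure with winbindd SMB signing errors logged on the same host within a time window, which separates a broken winbindd-to-DC session (the case here) from an ordinary account failure. The function name, the 60-second window and the `look_at` labels are assumptions of this example, and the pairing is a heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like the /var/log/messages excerpt in this thread
# (lines unwrapped); the NT_STATUS_WRONG_PASSWORD line is invented for contrast.
SAMPLE = """\
May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0] libsmb/smb_signing.c:signing_good(240)
May 21 16:58:13 scandium winbindd[14882]: signing_good: BAD SIG: seq 1
May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0] libsmb/clientgen.c:cli_receive_smb(121)
May 21 16:58:13 scandium winbindd[14882]: SMB Signature verification failed on incoming packet!
May 21 16:58:13 scandium pam_winbind[17827]: request failed: NT_STATUS_LOGON_TYPE_NOT_GRANTED, PAM error was 4, NT error was NT_STATUS_LOGON_TYPE_NOT_GRANTED
May 21 17:31:40 scandium pam_winbind[18002]: request failed: NT_STATUS_WRONG_PASSWORD, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.-]+)\[\d+\]: (.*)$")
NT_STATUS = re.compile(r"\bNT_STATUS_\w+")
SIGNING = ("BAD SIG", "SMB Signature verification failed")

def _ts(stamp):  # syslog omits the year; pin a leap year so "Feb 29" parses
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def triage(text, window=60):
    """Pair pam_winbind failures with same-host winbindd signing errors."""
    signing = defaultdict(list)   # host -> timestamps of signing error lines
    logons = []                   # (host, timestamp string, NT status)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, prog, msg = m.groups()
        if prog == "winbindd" and any(s in msg for s in SIGNING):
            signing[host].append(_ts(stamp))
        elif prog == "pam_winbind":
            status = NT_STATUS.search(msg)
            if status:
                logons.append((host, stamp, status.group()))
    findings = []
    for host, stamp, status in logons:
        near = sum(abs((t - _ts(stamp)).total_seconds()) <= window
                   for t in signing[host])
        findings.append({"host": host, "time": stamp, "status": status,
                         "signing_errors": near,
                         "look_at": "winbindd-to-DC session" if near else "account"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Each rejected packet produces two matching winbindd lines, so `signing_errors` counts log lines rather than packets.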