odix
2012-Nov-20 09:52 UTC
[Samba] problems with windows 2000 terminal server in AD with samba4rc5 (on Ubuntu 12.04.1 64bit) DC
Dear all,

after upgrading an existing NT4 domain, via "injecting" a samba3 LDAP BDC to vampire security database, classicupgrade with samba-tool ... everything seems to work as expected, except the mentioned windows 2000 terminal server, see excerpt from log.samba file:

...
[2012/11/18 13:09:26, 0] ../source4/smbd/server.c:475(binary_smbd_main) samba: using 'standard' process model
[2012/11/18 14:56:10, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error in module acl: insufficient access rights (50)
[2012/11/18 14:56:19, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/11/18 15:04:41, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/11/18 15:07:05, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error in module acl: Constraint violation (19)
[2012/11/18 15:59:47, 0] ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch) ../source4/rpc_server/handles.c:102: Attempt to use invalid sid S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
[2012/11/18 15:59:47, 0] ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch) ../source4/rpc_server/handles.c:102: Attempt to use invalid sid S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
[2012/11/18 15:59:47, 0] ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
...

also failed to update dns entry:

Nov 18 17:52:56 sambadc named[752]: client 192.168.12.34#57038: request has invalid signature: TSIG 1236950581266-2 (w2000\$\@XXX.LAN): tsig verify failure (BADSIG)

I would suggest that it has something to do with the default setting of RequireSignOrSeal or RequireStrongKey which defaults to 0 in windows 2000 afaik, but I'm not sure.

Any other suggestions?

thanks
odi
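Added example (not part of the original post, and not Samba project code): a small triage script that groups log.samba entries like the ones quoted above by the function that reported them, so signing failures, SPN write failures and invalid-SID handle errors can be counted and correlated by timestamp. The sample log, host name, domain and SID are constructed, and the category names are hypothetical labels.

```python
import re
from collections import defaultdict

# Constructed sample: "[timestamp, level] file:line(function)" header, then message.
SAMPLE = """\
[2012/11/18 14:56:10, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=HOST1,CN=Computers,DC=example,DC=lan: error in module acl: insufficient access rights (50)
[2012/11/18 14:56:19, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/11/18 15:07:05, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=HOST1,CN=Computers,DC=example,DC=lan: error in module acl: Constraint violation (19)
[2012/11/18 15:59:47, 0] ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch) ../source4/rpc_server/handles.c:102: Attempt to use invalid sid S-1-5-21-1111-2222-3333-1077 - S-1-5-7
"""

# The message may follow the header on the same line or on indented lines below it.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
                    r"\S+?:\d+\((?P<func>\w+)\)\s*(?P<msg>.*)$")
CATEGORY = {"ntlmssp_check_packet": "ntlmssp-signature",  # hypothetical labels
            "dcesrv_drsuapi_DsWriteAccountSpn": "spn-write",
            "dcesrv_handle_fetch": "rpc-handle-sid"}
SPN = re.compile(r"SPNs on (?P<dn>.+?): error in module \w+: .*\((?P<rc>\d+)\)$")
SID = re.compile(r"invalid sid (S-[\d-]+)")

def parse(text):
    """Yield one dict per entry, joining wrapped message lines to their header."""
    entry = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if entry:
                yield entry
            entry = m.groupdict()
        elif entry is not None and raw.strip():
            entry["msg"] = (entry["msg"] + " " + raw.strip()).strip()
    if entry:
        yield entry

def triage(text):
    """Return {category: [(timestamp, detail), ...]} for the known failures."""
    out = defaultdict(list)
    for e in parse(text):
        cat = CATEGORY.get(e["func"])
        if cat is None:
            continue
        detail = e["msg"]
        if cat == "spn-write" and (m := SPN.search(e["msg"])):
            detail = (m["dn"], int(m["rc"]))  # object DN and LDAP result code
        elif cat == "rpc-handle-sid" and (m := SID.search(e["msg"])):
            detail = m.group(1)  # first SID named in the message
        out[cat].append((e["ts"], detail))
    return dict(out)
```

Calling `triage(open("log.samba").read())` on a real log gives per-category lists that can be lined up against the named TSIG failures by timestamp.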