Fernando Torrez
2012-Nov-20 21:10 UTC
[Samba] FOOBAR\usuario1 windows explorer hangs forever while accessing shared dirs in LAPAZ\comp1 (interdomain trust relationships)
Hi all

I have two samba PDCs installed according to these specifications:

domain FOOBAR with pdc server name: BAR (ip 192.168.1.1)
opensuse 11.1
samba-3.5.6-15.1
openldap2-2.4.12-5.6.1
smbldap-tools-0.9.5-25.1
A winxp called USUARIO1 joined to the FOOBAR domain (ip 192.168.1.100)

domain LAPAZ with pdc server name: SERVERLPZ (ip 192.168.10.4)
openSUSE 12.2
samba-3.6.7-48.12.1.i586
openldap2-2.4.31-2.1.3.i586
smbldap-tools-0.9.6-5.1.noarch
A winxp called COMP1 joined to the LAPAZ domain (ip 192.168.10.101)

I made interdomain trust relationships according to the steps written at the end of this mail,
but when FOOBAR\USUARIO1 tries to access shares available on LAPAZ\COMP1 using windows explorer, it hangs forever.

Doing some packet capture with wireshark I got these results:

249 15.610519 192.168.1.101 192.168.10.100 SMB 260 Session Setup AndX Request, NTLMSSP_NEGOTIATE
250 15.610866 192.168.10.100 192.168.1.101 SMB 291 Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
251 15.611490 192.168.1.101 192.168.10.100 SMB 400 Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
252 15.615751 192.168.1.101 192.168.10.100 ICMP 74 Echo (ping) request id=0x0200, seq=1024/4, ttl=30
253 15.622135 192.168.10.100 192.168.1.101 ICMP 74 Echo (ping) reply id=0x0200, seq=1024/4, ttl=128
254 15.689197 192.168.10.100 192.168.1.101 SMB 175 Session Setup AndX Response
255 15.689820 192.168.1.101 192.168.10.100 SMB 136 Tree Connect AndX Request, Path: \\COMPU1\IPC$
256 15.689959 192.168.10.100 192.168.1.101 SMB 93 Tree Connect AndX Response, Error: Unknown (0xC000035C)
257 15.690717 192.168.1.101 192.168.10.100 SMB 260 Session Setup AndX Request, NTLMSSP_NEGOTIATE
258 15.690970 192.168.10.100 192.168.1.101 SMB 291 Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
259 15.691353 192.168.1.101 192.168.10.100 SMB 400 Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
260 15.732067 192.168.10.100 192.168.1.101 SMB 175 Session Setup AndX Response
261 15.732568 192.168.1.101 192.168.10.100 SMB 136 Tree Connect AndX Request, Path: \\COMPU1\IPC$
262 15.732728 192.168.10.100 192.168.1.101 SMB 93 Tree Connect AndX Response, Error: Unknown (0xC000035C)
263 15.733215 192.168.1.101 192.168.10.100 SMB 260 Session Setup AndX Request, NTLMSSP_NEGOTIATE
264 15.733547 192.168.10.100 192.168.1.101 SMB 291 Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
265 15.733918 192.168.1.101 192.168.10.100 SMB 400 Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
266 15.745888 192.168.10.100 192.168.1.101 SMB 175 Session Setup AndX Response
267 15.746319 192.168.1.101 192.168.10.100 SMB 136 Tree Connect AndX Request, Path: \\COMPU1\IPC$
268 15.746437 192.168.10.100 192.168.1.101 SMB 93 Tree Connect AndX Response, Error: Unknown (0xC000035C)

As can be seen, there's a recurrent strange error called: Error: Unknown (0xC000035C), and doing some googling I could only find something like:
0xC000035C (STATUS_NETWORK_SESSION_EXPIRED), which refers to a "Network session expired".

I think that samba 3.5 and samba 3.6 are not fully compatible when doing interdomain trusts
because idmap is not configured and managed in the same way. Isn't it?

This behavior doesn't appear if FOOBAR\USUARIO1 tries to access LAPAZ\SERVERLPZ shares
or if LAPAZ\COMP1 tries to access any FOOBAR shares (either FOOBAR\USUARIO1 or FOOBAR\BAR).

I thought that both windows boxes had something wrong, so I tried with another two win workstations, with the same results.

If someone can point me in the right direction to solve this problem, I would really appreciate any help.

Thanks in advance

Fernando Torrez


INTERDOMAIN TRUST RELATIONSHIP PROCESS

1.- PREVIOUS ADJUSTMENTS

On the LAPAZ domain server (serverlpz) I changed the wins server to use the FOOBAR wins server:

wins server = 192.168.1.1

and made sure that smb.conf has these lines defined for mapping:

idmap config * : backend = ldap
idmap config * : readonly = no
idmap config * : default = yes
idmap config * : ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
idmap config * : ldap_user_dn = cn=Manager,dc=lapaz,dc=tld
idmap config * : ldap_url = ldap://serverlpz.lapaz.tld
idmap config * : range = 50000-500000

idmap alloc config:ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
idmap alloc config:ldap_user_dn = cn=Manager,dc=lapaz,dc=tld
idmap alloc config:ldap_url = ldap://serverlpz.lapaz.tld
idmap alloc config:range = 50000-500000

and finally I ran the command:

serverlpz:~ # net idmap secret '*' mysecret
Secret stored

On the FOOBAR domain server (bar) I only made sure that these lines were defined:

idmap backend = ldap:ldap://bar.foobar.tld
idmap uid = 10000-20000
idmap gid = 10000-20000

2.- MAKING TWO WAY INTERDOMAIN TRUST RELATIONSHIP

serverlpz:/var/log/samba # smbldap-useradd -i foobar
New password : ADMINISTRATOR
Retype new password : ADMINISTRATOR

bar:~ # net rpc trustdom establish lapaz
Enter FOOBAR$'s password: ADMINISTRATOR
Could not connect to server SERVERLPZ
Trust to domain LAPAZ established

bar:~ # smbldap-useradd -i lapaz
New password : ADMINISTRATOR
Retype new password : ADMINISTRATOR

serverlpz:~ # net rpc trustdom establish foobar
Enter LAPAZ$'s password: ADMINISTRATOR
Could not connect to server BAR
Trust to domain FOOBAR established

3.- VERIFYING TRUSTS

bar:~ # net rpc trustdom list -Uroot%mykey
Trusted domains list:
LAPAZ S-1-5-21-2768586194-2883361281-2776744031
Trusting domains list:
LAPAZ S-1-5-21-2768586194-2883361281-2776744031

serverlpz:~ # net rpc trustdom list -Uroot%mysecondkey
Trusted domains list:
FOOBAR S-1-5-21-792737186-2111905618-2835975785
Trusting domains list:
FOOBAR S-1-5-21-792737186-2111905618-2835975785

bar:~ # wbinfo -u
root
nobody
usuario1
LAPAZ\root
LAPAZ\nobody
LAPAZ\compu1

bar:~ # wbinfo -g
domain admins
domain users
domain guests
domain computers
sistemas
LAPAZ\domain admins
LAPAZ\domain users
LAPAZ\domain guests
LAPAZ\domain computers
LAPAZ\seccion

serverlpz:/var/log/samba # wbinfo -u
root
nobody
compu1
FOOBAR\root
FOOBAR\nobody
FOOBAR\usuario1

serverlpz:/var/log/samba # wbinfo -g
domain admins
domain users
domain guests
domain computers
seccion
FOOBAR\domain admins
FOOBAR\domain users
FOOBAR\domain guests
FOOBAR\domain computers
FOOBAR\sistemas

4.- MODIFYING nsswitch TO ENABLE AUTHENTICATION THROUGH winbind

I made sure that both nsswitch.conf files have these lines defined:

passwd: files ldap winbind
shadow: files ldap
group: files ldap winbind

5.- FINAL VERIFICATIONS

bar:~ # getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
....
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
usuario1:x:1001:513:System User:/home/usuario1:/bin/bash
bar$:*:1002:515:Computer:/dev/null:/bin/false
usuario1$:*:1003:515:Computer:/dev/null:/bin/false
lapaz$:*:1004:513:Computer:/dev/null:/bin/false
LAPAZ\root:*:10000:10124::/home/LAPAZ/root:/bin/false
LAPAZ\nobody:*:10001:10124::/home/LAPAZ/nobody:/bin/false
LAPAZ\compu1:*:10002:10124:compu1:/home/LAPAZ/compu1:/bin/false

bar:~ # getent group
at:!:25:
....
ldap:!:70:
named:!:44:
winbind:!:107:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
sistemas:*:1002:
LAPAZ\domain admins:x:10125:LAPAZ\root
LAPAZ\domain users:x:10124:LAPAZ\compu1,LAPAZ\foobar$
LAPAZ\domain guests:x:10126:LAPAZ\nobody
LAPAZ\domain computers:x:10127:LAPAZ\serverlpz$,LAPAZ\compu1$
LAPAZ\seccion:x:10128:

On serverlpz:

serverlpz:~ # getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
..
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
compu1:x:1001:513:System User:/home/compu1:/bin/bash
serverlpz$:*:1002:515:Computer:/dev/null:/bin/false
compu1$:*:1003:515:Computer:/dev/null:/bin/false
foobar$:*:1004:513:Computer:/dev/null:/bin/false
FOOBAR\root:*:50002:50003::/home/FOOBAR/root:/bin/false
FOOBAR\nobody:*:50003:50003::/home/FOOBAR/nobody:/bin/false
FOOBAR\usuario1:*:50004:50003:usuario1:/home/FOOBAR/usuario1:/bin/false

serverlpz:~ # getent group
at:!:25:
..
winbind:!:112:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
seccion:*:1002:
FOOBAR\domain admins:x:50004:
FOOBAR\domain users:x:50003:FOOBAR\usuario1,FOOBAR\lapaz$
FOOBAR\domain guests:x:50005:FOOBAR\nobody
FOOBAR\domain computers:x:50006:FOOBAR\bar$,FOOBAR\usuario1$
FOOBAR\sistemas:x:50007:
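A triage script for the capture in the post above, added here as an example; it is not part of Fernando's mail or of Samba. It parses the Wireshark packet-list rows as posted, names the status Wireshark shows as "Unknown (0xC000035C)" (STATUS_NETWORK_SESSION_EXPIRED, as the post found; 0xC0000016 is STATUS_MORE_PROCESSING_REQUIRED, the normal mid-handshake NTLMSSP code), and counts how often the client finishes NTLMSSP authentication, is refused on the IPC$ tree connect and negotiates again. The sample rows are copied from the thread; the column layout (the default Wireshark/tshark list) and the loop heuristics are the example's own assumptions.

```python
"""Triage a Wireshark packet-list summary of an SMB1 session that never settles.

Example code for this thread, not part of the original mail: it parses the rows
Fernando posted, names the NTSTATUS values Wireshark left as "Unknown", and
detects the authenticate -> tree connect -> fail -> re-authenticate loop.
"""
import re

# NTSTATUS values seen in the capture (names per MS-ERREF).
NTSTATUS = {
    0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",
    0xC000035C: "STATUS_NETWORK_SESSION_EXPIRED",
}
NTSTATUS_BY_NAME = {name: code for code, name in NTSTATUS.items()}

# Constructed sample: the packet-list rows quoted in the thread (frames 249-268).
# A raw string keeps the backslashes in \\COMPU1\IPC$ and FOOBAR\usuario1 intact.
SAMPLE = r"""
249 15.610519 192.168.1.101 192.168.10.100 SMB 260 Session Setup AndX Request, NTLMSSP_NEGOTIATE
250 15.610866 192.168.10.100 192.168.1.101 SMB 291 Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
251 15.611490 192.168.1.101 192.168.10.100 SMB 400 Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
252 15.615751 192.168.1.101 192.168.10.100 ICMP 74 Echo (ping) request id=0x0200, seq=1024/4, ttl=30
253 15.622135 192.168.10.100 192.168.1.101 ICMP 74 Echo (ping) reply id=0x0200, seq=1024/4, ttl=128
254 15.689197 192.168.10.100 192.168.1.101 SMB 175 Session Setup AndX Response
255 15.689820 192.168.1.101 192.168.10.100 SMB 136 Tree Connect AndX Request, Path: \\COMPU1\IPC$
256 15.689959 192.168.10.100 192.168.1.101 SMB 93 Tree Connect AndX Response, Error: Unknown (0xC000035C)
257 15.690717 192.168.1.101 192.168.10.100 SMB 260 Session Setup AndX Request, NTLMSSP_NEGOTIATE
258 15.690970 192.168.10.100 192.168.1.101 SMB 291 Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
259 15.691353 192.168.1.101 192.168.10.100 SMB 400 Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
260 15.732067 192.168.10.100 192.168.1.101 SMB 175 Session Setup AndX Response
261 15.732568 192.168.1.101 192.168.10.100 SMB 136 Tree Connect AndX Request, Path: \\COMPU1\IPC$
262 15.732728 192.168.10.100 192.168.1.101 SMB 93 Tree Connect AndX Response, Error: Unknown (0xC000035C)
263 15.733215 192.168.1.101 192.168.10.100 SMB 260 Session Setup AndX Request, NTLMSSP_NEGOTIATE
264 15.733547 192.168.10.100 192.168.1.101 SMB 291 Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
265 15.733918 192.168.1.101 192.168.10.100 SMB 400 Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
266 15.745888 192.168.10.100 192.168.1.101 SMB 175 Session Setup AndX Response
267 15.746319 192.168.1.101 192.168.10.100 SMB 136 Tree Connect AndX Request, Path: \\COMPU1\IPC$
268 15.746437 192.168.10.100 192.168.1.101 SMB 93 Tree Connect AndX Response, Error: Unknown (0xC000035C)
"""

# Assumed column layout: No. Time Source Destination Protocol Length Info
ROW_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.+)$"
)


def parse_summary(text):
    """Turn packet-list rows into dicts; rows that do not fit the layout are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["frame"] = int(row["frame"])
            row["time"] = float(row["time"])
            row["length"] = int(row["length"])
            rows.append(row)
    return rows


def decode_status(info):
    """Return (code, name) for the 'Error: ...' part of an Info column, or None."""
    m = re.search(r"Error:\s*(?:Unknown\s*\()?(0x[0-9A-Fa-f]{8}|[A-Z_]+)\)?", info)
    if not m:
        return None
    token = m.group(1)
    if token.startswith("0x"):
        code = int(token, 16)
        return code, NTSTATUS.get(code, "UNKNOWN_NTSTATUS")
    return NTSTATUS_BY_NAME.get(token), token


def find_reauth_loop(rows):
    """Count failed Tree Connect responses and how often the client re-negotiates
    NTLMSSP right after one; several of each within a short span is the hang."""
    failures = []            # (time, status name) per failed Tree Connect response
    renegotiations = 0       # NTLMSSP_NEGOTIATE requests sent after a failure
    users = set()
    after_failure = False
    for row in rows:
        if row["proto"] != "SMB":
            continue         # ICMP and friends are noise for this check
        info = row["info"]
        if info.startswith("Tree Connect AndX Response") and "Error:" in info:
            status = decode_status(info)
            failures.append((row["time"], status[1] if status else "UNPARSED"))
            after_failure = True
        elif info.startswith("Session Setup AndX Request") and "NTLMSSP_NEGOTIATE" in info:
            if after_failure:
                renegotiations += 1
                after_failure = False
        elif "NTLMSSP_AUTH" in info:
            m = re.search(r"User:\s*(\S+)", info)
            if m:
                users.add(m.group(1))
    span = round(failures[-1][0] - failures[0][0], 6) if len(failures) > 1 else 0.0
    return {
        "failed_tree_connects": len(failures),
        "renegotiations_after_failure": renegotiations,
        "status_names": sorted({name for _, name in failures}),
        "users": sorted(users),
        "span_s": span,
        "looping": len(failures) >= 2 and renegotiations >= 1,
    }


if __name__ == "__main__":
    for key, value in find_reauth_loop(parse_summary(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the rows from the thread the result is three failed tree connects, two renegotiations and a span of about 56 ms, all with STATUS_NETWORK_SESSION_EXPIRED: the server accepts the session setup and then, on the very next request, treats the session as expired, and the client's reaction is to negotiate again rather than give up. That tight loop is why Explorer shows no error and never times out. When triaging a real capture, export the packet list with the same columns and check that the status name is a single, consistent value; a mix of codes would point at a different problem than the one in this thread.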
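Since the post suspects the two idmap configurations, here is a check, added as an example and not part of the original mail or of Samba, that reads the idmap lines of both smb.conf excerpts above (the 3.6 style `idmap config * : range` on serverlpz and the 3.5 style `idmap uid`/`idmap gid` on bar) and compares them with the uids that `getent passwd` shows for the trusted domain's users. The configuration and getent fragments are copied from the thread; the two regexes and the `DOMAIN\user` naming convention are the example's own assumptions. On the thread's own data every trusted-domain uid lands inside its server's range, so this particular check passes for both servers.

```python
"""Sanity-check winbind idmap ranges against the uids they actually handed out.

Example code for this thread, not part of the original mail or of Samba.
"""
import re

# Constructed fragments, copied from the two smb.conf excerpts in the thread.
SERVERLPZ_CONF = """
idmap config * : backend = ldap
idmap config * : ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
idmap config * : range = 50000-500000
"""
BAR_CONF = """
idmap backend = ldap:ldap://bar.foobar.tld
idmap uid = 10000-20000
idmap gid = 10000-20000
"""

# Constructed getent passwd excerpts from the thread (raw strings keep the backslashes).
BAR_GETENT = r"""
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
usuario1:x:1001:513:System User:/home/usuario1:/bin/bash
bar$:*:1002:515:Computer:/dev/null:/bin/false
lapaz$:*:1004:513:Computer:/dev/null:/bin/false
LAPAZ\root:*:10000:10124::/home/LAPAZ/root:/bin/false
LAPAZ\nobody:*:10001:10124::/home/LAPAZ/nobody:/bin/false
LAPAZ\compu1:*:10002:10124:compu1:/home/LAPAZ/compu1:/bin/false
"""
SERVERLPZ_GETENT = r"""
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
compu1:x:1001:513:System User:/home/compu1:/bin/bash
foobar$:*:1004:513:Computer:/dev/null:/bin/false
FOOBAR\root:*:50002:50003::/home/FOOBAR/root:/bin/false
FOOBAR\nobody:*:50003:50003::/home/FOOBAR/nobody:/bin/false
FOOBAR\usuario1:*:50004:50003:usuario1:/home/FOOBAR/usuario1:/bin/false
"""

# Assumed syntax: "idmap config DOMAIN : range = lo-hi" (3.6) and "idmap uid/gid = lo-hi" (3.5).
RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)", re.I)
LEGACY_RE = re.compile(r"^\s*idmap\s+(?P<kind>uid|gid)\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (lo, hi)}; the legacy uid/gid pair is recorded under '*'."""
    ranges, legacy = {}, {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom")] = (int(m.group("lo")), int(m.group("hi")))
            continue
        m = LEGACY_RE.match(line)
        if m:
            legacy[m.group("kind")] = (int(m.group("lo")), int(m.group("hi")))
    if legacy:
        if len(set(legacy.values())) != 1:
            # uid and gid ranges that disagree are a misconfiguration worth stopping on
            raise ValueError("idmap uid and idmap gid ranges differ: %r" % legacy)
        ranges.setdefault("*", next(iter(legacy.values())))
    return ranges


def parse_getent_passwd(text):
    """Return [(name, uid)] from getent passwd output, skipping elisions like '....'."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            entries.append((parts[0], int(parts[2])))
    return entries


def check_allocations(ranges, entries):
    """List winbind users (DOMAIN\\name) whose uid is outside their domain's range,
    and local users whose uid sits inside a winbind range (a future collision)."""
    outside, collisions = [], []
    for name, uid in entries:
        if "\\" in name:
            dom = name.split("\\", 1)[0]
            lo, hi = ranges.get(dom, ranges.get("*", (None, None)))
            if lo is None or not lo <= uid <= hi:
                outside.append(name)
        elif any(lo <= uid <= hi for lo, hi in ranges.values()):
            collisions.append(name)
    return {"outside_range": outside, "local_in_winbind_range": collisions}


if __name__ == "__main__":
    for host, conf, getent in (("bar", BAR_CONF, BAR_GETENT),
                               ("serverlpz", SERVERLPZ_CONF, SERVERLPZ_GETENT)):
        ranges = parse_idmap_ranges(conf)
        print(host, ranges, check_allocations(ranges, parse_getent_passwd(getent)))
```

Run it with the real smb.conf and `getent passwd` output of each PDC. An empty report on both sides, as here, means the trusted users are mapped into the configured ranges on each server; it says nothing about whether the two servers agree with each other, which they need not, since each maps the foreign SIDs independently. A non-empty `outside_range` list would mean winbind is handing out ids from somewhere other than the range in smb.conf, and `local_in_winbind_range` flags local accounts that will collide with future winbind allocations.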
Alex Crow
2013-Feb-27 18:08 UTC
[Samba] FOOBAR\usuario1 windows explorer hangs forever while accessing shared dirs in LAPAZ\comp1 (interdomain trust relationships)
Hi,

Did this ever get an answer?

I just upgraded both ends of a bidirectional domain trust setup to 3.6.12 (from 3.5.something against 3.6.5, which worked perfectly) and I face *exactly* the same problem, i.e. a share on an XP box cannot be accessed by another XP box at the other end. The SMB error code is identical.

Thanks

Alex

On 20/11/12 21:10, Fernando Torrez wrote:
> Hi all
>
> I have two samba PDCs installed according to these specifications:
>
> domain FOOBAR with pdc server name: BAR (ip 192.168.1.1)
> opensuse 11.1
> samba-3.5.6-15.1
> openldap2-2.4.12-5.6.1
> smbldap-tools-0.9.5-25.1
> A winxp called USUARIO1 joined to the FOOBAR domain (ip 192.168.1.100)
>
> domain LAPAZ with pdc server name: SERVERLPZ (ip 192.168.10.4)
> openSUSE 12.2
> samba-3.6.7-48.12.1.i586
> openldap2-2.4.31-2.1.3.i586
> smbldap-tools-0.9.6-5.1.noarch
> A winxp called COMP1 joined to the LAPAZ domain (ip 192.168.10.101)
>
> I made interdomain trust relationships according to the steps written at the end of this mail,
> but when FOOBAR\USUARIO1 tries to access shares available on LAPAZ\COMP1 using windows explorer, it hangs forever.