Holger Hecht
2015-Apr-24 07:31 UTC
[Samba] Centos7 Samba 4.1.12 -> Centos 5.11 Samba 3.5.2 = Rejecting auth request
Dear Sirs/Madams,

I have the following problem, for which the internet does not have a solution yet:
I am trying to have a Centos7 server with Samba 4.1.12 authenticate its users (security=domain) with a DC samba version 3.5.2 on a Centos5.11 machine (which has an LDAP Backend). This works for other servers (OpenSuse 13.2 with samba 4.1.17) and for a bunch of Windows7 clients. I can join the domain with net rpc join, which seems to work on client side but the log of the DC already shows the error

    rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client DENG machine account DENG$

I created the machine account on the DC with a LAM web interface.

The connection with the machine worked already before, I do not know what happened, maybe an update for samba on the machines led to this. I did not change any configuration files, so the configuration worked already. But after the error occurred I deleted the machine account and created a new one.

Is there a way to renew the credentials that fail to check? What are the credentials anyway? Is there maybe a new encryption taking place which the old DC does not know?

I am really stuck.

Thanks in advance,

Holger

testparm on the client

    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[homes]"
    Processing section "[xxx1]"
    Processing section "[xxx2]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
        workgroup = Test
        server string = Samba Server Version %v
        interfaces = lo, eth0, 127.0.0.1
        security = DOMAIN
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        wins server = some IP
        idmap config * : backend = tdb
        hosts allow = 127.0.0.1, outside IP
Ty Boyack
2015-Apr-24 16:41 UTC
[Samba] Centos7 Samba 4.1.12 -> Centos 5.11 Samba 3.5.2 = Rejecting auth request
Hi Holger,

I'm no expert here, but this sounds like an issue I just worked on. In my situation, I could mount the shares IF the client had a kerberos ticket or was a client that was joined to the AD domain. But if I tried to mount a share with a client that was sending a username/password pair then I would get a behavior similar to what you are seeing -- the domain controller would refuse to authenticate the client session. One difference is that I have windows domain controllers, not the Samba DCs you are using, but the error sounds very similar.

The way I was testing this was by using smbclient on a linux box as my test client. A password session like this:

    smbclient //server.name/share -U DOMAIN\\user

would ask for a password and then fail with unclear error messages. But a kerberos session like this:

    kinit user@DOMAIN.FULLY.QUALIFIED
    <asks for a password>
    smbclient //server.name/share -U DOMAIN\\user -k
    kdestroy

would work just fine.

Would you mind testing that to see if you see the same behavior? If that is the case, then I'm betting that we're seeing the same problem. It seems that patches added to the CentOS package for schannel support may interfere with password authentication. I have CentOS7 packages for samba-4.1.12 that I recompiled without the schannel patches, or I also have samba-4.1.17 packages if you want to give them a try (I am using the 4.1.17 packages). I have not run them through any testing other than use on our live servers, and they are working fine here.

-Ty

On 04/24/2015 01:31 AM, Holger Hecht wrote:
> Dear Sirs/Madams,
>
> I have the following problem, for which the internet does not have a solution
> yet:
> I am trying to have a Centos7 server with Samba 4.1.12 authenticate its users
> (security=domain) with a DC samba version 3.5.2 on a Centos5.11 machine (which
> has an LDAP Backend). This works for other servers (OpenSuse 13.2 with samba
> 4.1.17) and for a bunch of Windows7 clients. I can join the domain with net
> rpc join, which seems to work on client side but the log of the DC already
> shows the error
>
> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client DENG machine account DENG$
>
> I created the machine account on the DC with a LAM web interface.
>
> The connection with the machine worked already before, I do not know what
> happened, maybe an update for samba on the machines led to this. I did not
> change any configuration files, so the configuration worked already. But after
> the error occurred I deleted the machine account and created a new one.
>
> Is there a way to renew the credentials that fail to check? What are the
> credentials anyway? Is there maybe a new encryption taking place which the old
> DC does not know?
>
> I am really stuck.
>
> Thanks in advance,
>
> Holger
>
>
> testparm on the client
>
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Processing section "[xxx1]"
> Processing section "[xxx2]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
> workgroup = Test
> server string = Samba Server Version %v
> interfaces = lo, eth0, 127.0.0.1
> security = DOMAIN
> log file = /var/log/samba/log.%m
> max log size = 50
> load printers = No
> wins server = some IP
> idmap config * : backend = tdb
> hosts allow = 127.0.0.1, outside IP
>

--
-===========================-
Ty Boyack
NREL Senior IT Engineer
Ty.Boyack at colostate.edu
(970) 491-1186
-===========================-
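Added example, not part of either post: a small triage script for the DC-side log, which groups the "netlogon_creds_server_check failed" rejections quoted in this thread by machine account, so an admin can see which member servers are failing secure-channel setup and since when. The log lines are constructed in Samba's two-line record layout (header line, then indented message); the timestamps, the second host and the function names `netlogon_rejections` and `summarize` are assumptions made for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample: only the DENG message text comes from the thread.
SAMPLE_LOG = """\
[2015/04/24 07:20:11.104233,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client DENG machine account DENG$
[2015/04/24 07:20:12.000100,  3] smbd/process.c:1459(switch_message)
  switch message SMBnegprot (pid 4242) conn 0x0
[2015/04/24 07:25:40.551902,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client DENG machine account DENG$
[2015/04/24 07:31:02.000771,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client EXAMPLEHOST machine account EXAMPLEHOST$
"""

# Record header: [timestamp, level] source_file:line(function)
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*\d+\]"
                    r"\s+\S+\((?P<func>\w+)\)\s*$")
REJECT = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth request "
                    r"from client (?P<client>\S+) machine account (?P<account>\S+)")

def netlogon_rejections(log_text):
    """Yield (timestamp, client, account) for each rejected netlogon auth."""
    header = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m          # remember which record the next lines belong to
            continue
        hit = REJECT.search(line)
        # Ignore message text that is not inside a _netr_ServerAuthenticate* record.
        if hit and header and header["func"].startswith("_netr_ServerAuthenticate"):
            yield header["ts"], hit["client"], hit["account"]

def summarize(log_text):
    """Per machine account: client name, rejection count, first and last timestamp."""
    summary = OrderedDict()
    for ts, client, account in netlogon_rejections(log_text):
        entry = summary.setdefault(
            account, {"client": client, "count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return summary

if __name__ == "__main__":
    for account, e in summarize(SAMPLE_LOG).items():
        print(f"{account}: {e['count']} rejection(s) from {e['client']}, "
              f"{e['first']} .. {e['last']}")
```

Repeated rejections for one account that begin right after a package update on that member server, as described in the thread, point at the client side rather than at the DC's account database.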