Hello list!
 
I'm trying to debug a problem that surfaced after a Samba upgrade from
v3.5.x to v4.1.17.
 
The problem is that Win7 workstations appear to randomly experience domain
trust issues when logging in: they can log in sometimes, but they are
unsuccessful at other times. I cannot so far predict what would result in or
influence this behaviour. These are workstations on which nothing has
changed as a result of the Samba upgrade, and which did not exhibit any such
problems with the previous Samba version.
 
Smb.conf parameters below, followed by what seems to my untrained eye to be
a relevant log snippet from the server for one of the workstations in
question (PC-DAVE). Although I can clearly see the error in the log, my
untrained eye is not yet capable of discerning its cause. I have arbitrarily
copied only a portion of the log given its size (I've set logging to 10 in
an attempt to debug the problem, and it's a sizeable log - so I felt some
obligation to keep it to a dull roar for posting here).
 
I use local profiles only, so when the trust issue raises its ugly head I
stop Samba on the server, log on to the workstation, restart Samba. I can
then map drives on the server, etc. Samba appears to be starting up
correctly (testparm throws no errors, no errors in the log file).
 
I'm very stumped by the fact that the trust issue is intermittent.
 
Help gratefully accepted.
 
 
## smb.conf, exclusive of share information ##

   workgroup = DRBHOME
   dns proxy = no
   interfaces = eth1
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   max log size = 8192
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = classic primary domain controller
   passdb backend = ldapsam
   obey pam restrictions = no
   unix password sync = yes
   passwd program = /usr/sbin/smbldap-passwd -u %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   map to guest = never
   logon script = netlogon.cmd
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   time server = yes
   security = user
   server string = DRBGATE
   domain logons = yes
   domain master = yes
   lanman auth = no
   ldap admin dn = "cn=admin,dc=drbhome,dc=ca"
   ldap delete dn = yes
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap passwd sync = yes
   ldap ssl = off
   ldap suffix = "dc=drbhome,dc=ca"
   ldap user suffix = ou=Users
   local master = yes
   log level = 10
   name resolve order = lmhosts host bcast
   netbios name = DRBGATE
   os level = 20
   preferred master = yes
   client lanman auth = no
   client ntlmv2 auth = yes
   client plaintext auth = no
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   deadtime = 5
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   delete user script = /usr/sbin/smbldap-userdel "%u"
   encrypt passwords = yes
   hosts allow = 192.168.2. 127.
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
 
## end smb.conf ##
 
 
## Log file snippet ##
 
[2016/03/13 18:11:24.668890,  1, pid=1422, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
       samr_QueryUserInfo2: struct samr_QueryUserInfo2
          out: struct samr_QueryUserInfo2
              info                     : *
                  info                     : *
                      info                     : union samr_UserInfo(case 18)
                      info18: struct samr_UserInfo18
                          nt_pwd: struct samr_Password
                              hash                     : 63866ca03c2befbe90c29e51c48cae7e
                          lm_pwd: struct samr_Password
                              hash                     : 00000000000000000000000000000000
                          nt_pwd_active            : 0x01 (1)
                          lm_pwd_active            : 0x00 (0)
                          password_expired         : 0x00 (0)
              result                   : NT_STATUS_OK
[2016/03/13 18:11:24.669125,  4, pid=1422, effective(65534, 65534), real(65534, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 1
[2016/03/13 18:11:24.669167,  1, pid=1422, effective(65534, 65534), real(65534, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
       samr_Close: struct samr_Close
          in: struct samr_Close
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 00000012-0000-0000-e556-8ce58e050000
[2016/03/13 18:11:24.669266,  6, pid=1422, effective(65534, 65534), real(65534, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:337(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 12 00 00 00   00 00 00 00 E5 56 8C E5   ........ .....V..
  [0010] 8E 05 00 00                                       ....
[2016/03/13 18:11:24.669333,  6, pid=1422, effective(65534, 65534), real(65534, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:386(close_policy_hnd)
  Closed policy
[2016/03/13 18:11:24.669363,  1, pid=1422, effective(65534, 65534), real(65534, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
       samr_Close: struct samr_Close
          out: struct samr_Close
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 00000000-0000-0000-0000-000000000000
              result                   : NT_STATUS_OK
[2016/03/13 18:11:24.669482, 10, pid=1422, effective(65534, 65534), real(65534, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:416(close_policy_by_pipe)
  Deleted handle list for RPC connection \samr
[2016/03/13 18:11:24.669536,  2, pid=1422, effective(65534, 65534), real(65534, 0)] ../libcli/auth/credentials.c:381(netlogon_creds_server_check_internal)
  credentials check failed
[2016/03/13 18:11:24.669577,  0, pid=1422, effective(65534, 65534), real(65534, 0), class=rpc_srv] ../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-DAVE machine account PC-DAVE$
[2016/03/13 18:11:24.669611,  1, pid=1422, effective(65534, 65534), real(65534, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
       netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
          out: struct netr_ServerAuthenticate3
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 0000000000000000
              negotiate_flags          : *
                  negotiate_flags          : 0x410241ff (1090667007)
                         1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         1: NETLOGON_NEG_PERSISTENT_SAMREPL
                         1: NETLOGON_NEG_ARCFOUR
                         1: NETLOGON_NEG_PROMOTION_COUNT
                         1: NETLOGON_NEG_CHANGELOG_BDC
                         1: NETLOGON_NEG_FULL_SYNC_REPL
                         1: NETLOGON_NEG_MULTIPLE_SIDS
                         1: NETLOGON_NEG_REDO
                         1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         1: NETLOGON_NEG_STRONG_KEYS
                         0: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         0: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         1: NETLOGON_NEG_PASSWORD_SET2
                         0: NETLOGON_NEG_GETDOMAININFO
                         0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         1: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         1: NETLOGON_NEG_AUTHENTICATED_RPC
              rid                      : *
                  rid                      : 0x00000000 (0)
              result                   : NT_STATUS_ACCESS_DENIED
 
 
## end log file snippet ##
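As an added example (not part of Dave's post and not Samba's own code), a small Python script that pulls the `_netr_ServerAuthenticate3 ... Rejecting auth request` events out of an smbd log written at this log level, counts them per machine account and computes the gap between consecutive rejections, which is the first thing to look at when a secure-channel failure is intermittent. The log lines it runs on are constructed in the format shown above; the second workstation (PC-ANNE) and the later timestamps are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the smbd log shown above (log level 10).
# The first two entries copy the real PC-DAVE rejection; the rest are made up.
SAMPLE_LOG = """\
[2016/03/13 18:11:24.669536,  2, pid=1422, effective(65534, 65534), real(65534, 0)] ../libcli/auth/credentials.c:381(netlogon_creds_server_check_internal)
  credentials check failed
[2016/03/13 18:11:24.669577,  0, pid=1422, effective(65534, 65534), real(65534, 0), class=rpc_srv] ../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-DAVE machine account PC-DAVE$
[2016/03/13 19:02:10.100000,  0, pid=1501, effective(65534, 65534), real(65534, 0), class=rpc_srv] ../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-DAVE machine account PC-DAVE$
[2016/03/14 08:30:00.000000,  0, pid=1610, effective(65534, 65534), real(65534, 0), class=rpc_srv] ../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-ANNE machine account PC-ANNE$
"""

# smbd header line: "[YYYY/MM/DD HH:MM:SS.usec, level, pid=N, ...]"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+), pid=(\d+)")
# The rejection message is printed on the line after its header.
REJECT = re.compile(r"_netr_ServerAuthenticate3: netlogon_creds_server_check failed\. "
                    r"Rejecting auth request from client (\S+) machine account (\S+)")


def parse_rejections(text):
    """Return (timestamp, pid, client, machine_account) for every rejected
    secure-channel setup, pairing each message with the header before it."""
    events, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"), int(m.group(3)))
            continue
        r = REJECT.search(line)
        if r and header:
            events.append((header[0], header[1], r.group(1), r.group(2)))
    return events


def summarize(events):
    """Rejections per machine account, plus the minutes between consecutive
    rejections of the same account (empty list if it failed only once)."""
    counts = Counter(acct for _ts, _pid, _client, acct in events)
    by_acct = {}
    for ts, _pid, _client, acct in events:
        by_acct.setdefault(acct, []).append(ts)
    gaps = {}
    for acct, stamps in by_acct.items():
        stamps.sort()
        gaps[acct] = [round((b - a).total_seconds() / 60, 1) for a, b in zip(stamps, stamps[1:])]
    return counts, gaps


if __name__ == "__main__":
    counts, gaps = summarize(parse_rejections(SAMPLE_LOG))
    for acct in counts:
        print(f"{acct}: {counts[acct]} rejected secure-channel setups, gaps (min): {gaps[acct]}")
```

Point it at /var/log/samba/log.<workstation> with `parse_rejections(open(path).read())`; a rejection with no preceding "credentials check failed" entry for the same pid would indicate a different failure path than the one in Dave's log.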
With samba 4 <-> win7 (* or win8-10) trust issues, then you have a few things to check.

Start with checking if your time is in sync.

Check the windows event log for errors, look them up.

If it's a "bootcamp-ed" windows 7 install (aka on an iMac), boot in apple, update bootcamp.

Last, if you used an imaged windows 7, did you forget to sysprep maybe?

And correct, samba 3.x was more flexible with the SID of the computers, yes.

So if I'm guessing, your problem is the forgotten sysprep. If that's so, remove the computer from the domain, run sysprep, give the computer the same name again, and re-join.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dave Beach
> Sent: Tuesday 15 March 2016 2:23
> To: samba at lists.samba.org
> Subject: [Samba] Intermittent Win7 trust issues
> With samba 4 <-> win7 (* or win8-10) trust issues.
> Then you have a few things to check
> Start with checking if your time is in sync.

Time is in sync.

> Check the windows event log, for errors, look them up.

There don't seem to be any errors in the security log (which I admit I find odd).

> If it's a "bootcamp-ed" windows 7 install ( aka on a imac ), boot in apple, update bootcamp.

It's not.

> Last, if you used an imaged windows 7, did you forget to sysprep maybe?

It's not an imaged install. The very strange thing is that sometimes the trust issue doesn't manifest itself, and I can log on, run the netlogon script, etc. Then, at what seems to be unpredictable intervals, the trust issue will surface and I won't be able to log on.