Glomski, Patrick
2016-Apr-26 21:08 UTC
[Samba] Nonfunctional linux/CIFS mounts after update (ADS / windows DC auth)
Failure for me is always: SMB PACKET: SMBsesssetupX (REPLY)> SMB Command = 0x73 > Error class = 0x6D > Error code = 49152 (0xc000) > Flags1 = 0x80 > Flags2 = 0x3 > Tree ID = 0 (0x0) > Proc ID = 12056 (0x2f18) > UID = 29165 (0x71ed) > MID = 3 (0x3) > Word Count = 0 (0x0) > NTError = STATUS_LOGON_FAILURE > smb_bcc=0 >Credentials are correct; it works through nautilus' smb://... Let me know what else would help to diagnose. I can also privately share verbose samba or other logs. Thanks, Patrick On Tue, Apr 26, 2016 at 3:59 PM, Jeremy Allison <jra at samba.org> wrote:> On Tue, Apr 26, 2016 at 12:06:39PM -0400, Glomski, Patrick wrote: > > Greetings, > > > > We use samba to share files to windows and linux machines and are in the > > same boat as several others recently posting to the list. When badlock > > patches came out, we updated our CentOS7 samba server (everything from > > samba to sssd to krb5 to nss was updated) and immediately had problems > with > > both client types not connecting to the windows shares. > > > > Windows machine connections were solved by using the realm > > (workgroup.com\username) > > to log in instead of the workgroup (workgroup\username). Although it's > not > > clear to me as to why I need '.com' to authenticate all of a sudden, it > > functions and isn't a critical concern for this production server. > > > > Linux machines were mounting via 'mount -t cifs -o > > user=workgroup/username'. This mount no longer functions and it appears > > (setting server log level to 10) that the authentication on the server is > > failing where it used to succeed. 'smbclient' also fails. > > Get a wireshark trace and post what error is returned please. >
Jeremy Allison
2016-Apr-27 18:50 UTC
[Samba] Nonfunctional linux/CIFS mounts after update (ADS / windows DC auth)
On Tue, Apr 26, 2016 at 05:08:48PM -0400, Glomski, Patrick wrote:> Failure for me is always: > > SMB PACKET: SMBsesssetupX (REPLY) > > SMB Command = 0x73 > > Error class = 0x6D > > Error code = 49152 (0xc000) > > Flags1 = 0x80 > > Flags2 = 0x3 > > Tree ID = 0 (0x0) > > Proc ID = 12056 (0x2f18) > > UID = 29165 (0x71ed) > > MID = 3 (0x3) > > Word Count = 0 (0x0) > > NTError = STATUS_LOGON_FAILURE > > smb_bcc=0 > > > > Credentials are correct; it works through nautilus' smb://... > > Let me know what else would help to diagnose. I can also privately share > verbose samba or other logs.Debug level 10 on smbd. Look into the cause of the STATUS_LOGON_FAILURE in SMBsesssetupX (should be pretty obvious from that).
Glomski, Patrick
2016-Apr-27 19:18 UTC
[Samba] Nonfunctional linux/CIFS mounts after update (ADS / windows DC auth)
I have been running in loglevel 10 and looking at the logs, but as I said in my initial post the credentials function fine with nautilus. Appended is a connection log snippet where samba walks through a cascade of authentication methods and finally fails. Earlier in the log, samba successfully determines which domain controller to talk to and pulls its information. However, just before the failure there is a line which I feel is the root cause of the problem.> domain_client_validate: Domain password server not available. >Taken at face value (not the best idea as it seems to be walking through a set of authentication methods), it indicates that somehow the information about the domain controller doing the authentication has been lost. The password is good: It works on Windows and it works with nautilus. Samba says the password is bad when using cifs or smbclient. What gives? For the situational awareness of others affected by this issue, I hoped it was sssd or the associated name service switch libraries, so I built and installed rpms for an older version of sssd. No dice. Patrick [2016/04/26 17:06:13.912141, 3, pid=11263, effective(0, 0), real(0, 0)]> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0x62088a15 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_ANONYMOUS > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > [2016/04/26 17:06:13.913179, 3, pid=11263, effective(0, 0), real(0, 0)] > ../source3/libsmb/cliconnect.c:2173(cli_session_setup_done_spnego) > SPNEGO login failed: Logon failure > [2016/04/26 17:06:13.913395, 0, pid=11263, effective(0, 0), real(0, 0), > class=auth] ../source3/auth/auth_domain.c:184(domain_client_validate) > domain_client_validate: Domain password server not available. > [2016/04/26 17:06:13.915495, 5, pid=11263, effective(0, 0), real(0, 0), > class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password) > check_ntlm_password: winbind authentication for user [testuser] FAILED > with error NT_STATUS_LOGON_FAILURE > [2016/04/26 17:06:13.915542, 2, pid=11263, effective(0, 0), real(0, 0), > class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password) > check_ntlm_password: Authentication for user [testuser] -> [testuser] > FAILED with error NT_STATUS_LOGON_FAILURE > [2016/04/26 17:06:13.915561, 5, pid=11263, effective(0, 0), real(0, 0)] > ../source3/auth/auth_ntlmssp.c:188(auth3_check_password) > Checking NTLMSSP password for workgroup\testuser failed: > NT_STATUS_LOGON_FAILURE > [2016/04/26 17:06:13.915600, 3, pid=11263, effective(0, 0), real(0, 0)] > ../source3/smbd/error.c:82(error_packet_set) > NT error packet at ../source3/smbd/sesssetup.c(934) cmd=115 > (SMBsesssetupX) NT_STATUS_LOGON_FAILURE >On Wed, Apr 27, 2016 at 2:50 PM, Jeremy Allison <jra at samba.org> wrote:> On Tue, Apr 26, 2016 at 05:08:48PM -0400, Glomski, Patrick wrote: > > Failure for me is always: > > > > SMB PACKET: SMBsesssetupX (REPLY) > > > SMB Command = 0x73 > > > Error class = 0x6D > > > Error code = 49152 (0xc000) > > > Flags1 = 0x80 > > > Flags2 = 0x3 > > > Tree ID = 0 (0x0) > > > Proc ID = 12056 (0x2f18) > > > UID = 29165 (0x71ed) > > > MID = 3 (0x3) > > > Word Count = 0 (0x0) > > > NTError = STATUS_LOGON_FAILURE > > > smb_bcc=0 > > > > > > > Credentials are correct; it works through nautilus' smb://... > > > > Let me know what else would help to diagnose. I can also privately share > > verbose samba or other logs. > > Debug level 10 on smbd. Look into the cause > of the STATUS_LOGON_FAILURE in SMBsesssetupX > (should be pretty obvious from that). >
Maybe Matching Threads
- Nonfunctional linux/CIFS mounts after update (ADS / windows DC auth)
- Nonfunctional linux/CIFS mounts after update (ADS / windows DC auth)
- Nonfunctional linux/CIFS mounts after update (ADS / windows DC auth)
- Nonfunctional linux/CIFS mounts after update (ADS / windows DC auth)
- Nonfunctional linux/CIFS mounts after update (ADS / windows DC auth)