Pisch Tamás
2016-Jul-22 08:37 UTC
[Samba] authentication problem after upgrade to Debian Jessie
Hi,
I upgraded our servers from Wheezy to Jessie. I use samba in classic mode,
with openldap backend. After the upgrade, on the PDC (srv3) everything
seems to be ok, it authetnicates, the netlogon share is accessible on it,
but on the BDC (srv7), what is the file server, the authentication doesn't
work, shares are inaccessible.
I compared and syncronized the configuration files to as similar as
possible on the two servers, but it didn't solve this problem (there were
other smaller issues, they were solved with the changes).
After the upgrade, smbd didn't start at all. I reindexed the ldap
databases, and I think it helped to start smbd.
The folloving commands give correct results:
wbinfo -u
wbinfo -g
nmblookup -B SRV7 __SAMBA__
nmblookup -B DS1021 '*'
nmblookup -d 2 '*'
nmblookup -M xyz
The following commands give errors:
smbclient -U admin //SRV7/NETLOGON
Enter admin's password:
session setup failed: NT_STATUS_LOGON_FAILURE
smbclient -L SRV7 -d 10
...
Processing section "[global]"
doing parameter dos charset = CP852
doing parameter unix charset = UTF8
doing parameter workgroup = XYZ
doing parameter server string = SRV7
doing parameter interfaces = lo 192.168.0.7/24
doing parameter bind interfaces only = Yes
doing parameter security = USER
doing parameter passdb backend = ldapsam:"ldap://127.0.0.1:389"
doing parameter syslog = 0
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter smb ports = 139
doing parameter server max protocol = SMB2
doing parameter name resolve order = host wins bcast
doing parameter time server = Yes
doing parameter printcap name = /etc/printcap
doing parameter logon script = scripts\logon.cmd
doing parameter logon path = \\SRV7\profiles\%U
doing parameter logon drive = H:
doing parameter logon home = \\SRV7\%U
doing parameter domain logons = Yes
doing parameter preferred master = No
doing parameter domain master = No
doing parameter dns proxy = No
doing parameter wins server = 192.168.0.3
doing parameter ldap admin dn = cn=ldapsu,dc=xyz,dc=site
doing parameter ldap group suffix = ou=Groups
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap machine suffix = ou=People
doing parameter ldap passwd sync = yes
doing parameter ldap suffix = dc=xyz,dc=site
doing parameter ldap ssl = no
doing parameter ldap user suffix = ou=People
doing parameter eventlog list = Security Application Syslog
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter idmap config * : ldap_user_dn = cn=idmapsu,dc=xyz,dc=site
doing parameter idmap config * : ldap_base_dn = ou=Idmap,dc=xyz,dc=site
doing parameter idmap config * : ldap_url = ldap://127.0.0.1:389/
doing parameter idmap config * : range = 10000-20000
doing parameter idmap config * : default = yes
doing parameter ldapsam:trusted = yes
doing parameter idmap config * : backend = ldap
doing parameter acl allow execute always = Yes
doing parameter create mask = 0770
doing parameter directory mask = 0770
doing parameter map acl inherit = Yes
doing parameter veto oplock files = /*.pdf/*.pst/
doing parameter browseable = No
doing parameter csc policy = disable
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface lo ip=::1 bcastnetmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
interpret_interface: Adding interface 192.168.0.7/24
added interface 192.168.0.7/24 ip=192.168.0.7 bcast=192.168.0.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SRV7"
Client started (version 4.2.10-Debian).
Enter admin's password:
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for
internal_resolve_name: looking up SRV7#20 (sitename (null))
name SRV7#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 192.168.0.7 at port 445
Connecting to 192.168.0.7 at port 139
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061808
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
What could be the problem?
mathias dufresne
2016-Jul-26 08:43 UTC
[Samba] authentication problem after upgrade to Debian Jessie
Hi, SPNEGO is related to SASL which seems to me related to Kerberos (at least in AD context). You said you are running Samba domain in "classic mode" which should means that this domain is a NT4 domain. And as far as I'm aware of NT4 domains don't support Kerberos. Could you post your smb.conf files please? For both server srv3 and srv7. 2016-07-22 10:37 GMT+02:00 Pisch Tamás <pischta at gmail.com>:> Hi, > > I upgraded our servers from Wheezy to Jessie. I use samba in classic mode, > with openldap backend. After the upgrade, on the PDC (srv3) everything > seems to be ok, it authetnicates, the netlogon share is accessible on it, > but on the BDC (srv7), what is the file server, the authentication doesn't > work, shares are inaccessible. > I compared and syncronized the configuration files to as similar as > possible on the two servers, but it didn't solve this problem (there were > other smaller issues, they were solved with the changes). > After the upgrade, smbd didn't start at all. I reindexed the ldap > databases, and I think it helped to start smbd. > The folloving commands give correct results: > wbinfo -u > wbinfo -g > nmblookup -B SRV7 __SAMBA__ > nmblookup -B DS1021 '*' > nmblookup -d 2 '*' > nmblookup -M xyz > > The following commands give errors: > smbclient -U admin //SRV7/NETLOGON > Enter admin's password: > session setup failed: NT_STATUS_LOGON_FAILURE > > smbclient -L SRV7 -d 10 > ... > Processing section "[global]" > doing parameter dos charset = CP852 > doing parameter unix charset = UTF8 > doing parameter workgroup = XYZ > doing parameter server string = SRV7 > doing parameter interfaces = lo 192.168.0.7/24 > doing parameter bind interfaces only = Yes > doing parameter security = USER > doing parameter passdb backend = ldapsam:"ldap://127.0.0.1:389" > doing parameter syslog = 0 > doing parameter log file = /var/log/samba/log.%m > doing parameter max log size = 1000 > doing parameter smb ports = 139 > doing parameter server max protocol = SMB2 > doing parameter name resolve order = host wins bcast > doing parameter time server = Yes > doing parameter printcap name = /etc/printcap > doing parameter logon script = scripts\logon.cmd > doing parameter logon path = \\SRV7\profiles\%U > doing parameter logon drive = H: > doing parameter logon home = \\SRV7\%U > doing parameter domain logons = Yes > doing parameter preferred master = No > doing parameter domain master = No > doing parameter dns proxy = No > doing parameter wins server = 192.168.0.3 > doing parameter ldap admin dn = cn=ldapsu,dc=xyz,dc=site > doing parameter ldap group suffix = ou=Groups > doing parameter ldap idmap suffix = ou=Idmap > doing parameter ldap machine suffix = ou=People > doing parameter ldap passwd sync = yes > doing parameter ldap suffix = dc=xyz,dc=site > doing parameter ldap ssl = no > doing parameter ldap user suffix = ou=People > doing parameter eventlog list = Security Application Syslog > doing parameter panic action = /usr/share/samba/panic-action %d > doing parameter idmap config * : ldap_user_dn = cn=idmapsu,dc=xyz,dc=site > doing parameter idmap config * : ldap_base_dn = ou=Idmap,dc=xyz,dc=site > doing parameter idmap config * : ldap_url = ldap://127.0.0.1:389/ > doing parameter idmap config * : range = 10000-20000 > doing parameter idmap config * : default = yes > doing parameter ldapsam:trusted = yes > doing parameter idmap config * : backend = ldap > doing parameter acl allow execute always = Yes > doing parameter create mask = 0770 > doing parameter directory mask = 0770 > doing parameter map acl inherit = Yes > doing parameter veto oplock files = /*.pdf/*.pst/ > doing parameter browseable = No > doing parameter csc policy = disable > pm_process() returned Yes > lp_servicenumber: couldn't find homes > added interface lo ip=::1 bcast> netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 > interpret_interface: Adding interface 192.168.0.7/24 > added interface 192.168.0.7/24 ip=192.168.0.7 bcast=192.168.0.255 > netmask=255.255.255.0 > Netbios name list:- > my_netbios_names[0]="SRV7" > Client started (version 4.2.10-Debian). > Enter admin's password: > Opening cache file at /var/cache/samba/gencache.tdb > Opening cache file at /var/run/samba/gencache_notrans.tdb > sitename_fetch: No stored sitename for > internal_resolve_name: looking up SRV7#20 (sitename (null)) > name SRV7#20 found. > remove_duplicate_addrs2: looking for duplicate address/port pairs > Connecting to 192.168.0.7 at port 445 > Connecting to 192.168.0.7 at port 139 > Socket options: > SO_KEEPALIVE = 0 > SO_REUSEADDR = 0 > SO_BROADCAST = 0 > TCP_NODELAY = 1 > TCP_KEEPCNT = 9 > TCP_KEEPIDLE = 7200 > TCP_KEEPINTVL = 75 > IPTOS_LOWDELAY = 0 > IPTOS_THROUGHPUT = 0 > SO_REUSEPORT = 0 > SO_SNDBUF = 2626560 > SO_RCVBUF = 1061808 > SO_SNDLOWAT = 1 > SO_RCVLOWAT = 1 > SO_SNDTIMEO = 0 > SO_RCVTIMEO = 0 > TCP_QUICKACK = 1 > TCP_DEFER_ACCEPT = 0 > session request ok > Doing spnego session setup (blob length=74) > got OID=1.3.6.1.4.1.311.2.2.10 > got principal=not_defined_in_RFC4178 at please_ignore > GENSEC backend 'gssapi_spnego' registered > GENSEC backend 'gssapi_krb5' registered > GENSEC backend 'gssapi_krb5_sasl' registered > GENSEC backend 'spnego' registered > GENSEC backend 'schannel' registered > GENSEC backend 'naclrpc_as_system' registered > GENSEC backend 'sasl-EXTERNAL' registered > GENSEC backend 'ntlmssp' registered > GENSEC backend 'ntlmssp_resume_ccache' registered > GENSEC backend 'http_basic' registered > GENSEC backend 'http_ntlm' registered > GENSEC backend 'krb5' registered > GENSEC backend 'fake_gssapi_krb5' registered > Starting GENSEC mechanism spnego > Starting GENSEC submechanism ntlmssp > negotiate: struct NEGOTIATE_MESSAGE > Signature : 'NTLMSSP' > MessageType : NtLmNegotiate (1) > NegotiateFlags : 0x62088215 (1644724757) > 1: NTLMSSP_NEGOTIATE_UNICODE > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 1: NTLMSSP_NEGOTIATE_SIGN > 0: NTLMSSP_NEGOTIATE_SEAL > 0: NTLMSSP_NEGOTIATE_DATAGRAM > 0: NTLMSSP_NEGOTIATE_LM_KEY > 0: NTLMSSP_NEGOTIATE_NETWARE > 1: NTLMSSP_NEGOTIATE_NTLM > 0: NTLMSSP_NEGOTIATE_NT_ONLY > 0: NTLMSSP_ANONYMOUS > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN > 0: NTLMSSP_TARGET_TYPE_DOMAIN > 0: NTLMSSP_TARGET_TYPE_SERVER > 0: NTLMSSP_TARGET_TYPE_SHARE > 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > 0: NTLMSSP_NEGOTIATE_IDENTIFY > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY > 0: NTLMSSP_NEGOTIATE_TARGET_INFO > 1: NTLMSSP_NEGOTIATE_VERSION > 1: NTLMSSP_NEGOTIATE_128 > 1: NTLMSSP_NEGOTIATE_KEY_EXCH > 0: NTLMSSP_NEGOTIATE_56 > DomainNameLen : 0x0000 (0) > DomainNameMaxLen : 0x0000 (0) > DomainName : * > DomainName : '' > WorkstationLen : 0x0000 (0) > WorkstationMaxLen : 0x0000 (0) > Workstation : * > Workstation : '' > Version: struct ntlmssp_VERSION > ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) > ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) > ProductBuild : 0x0000 (0) > Reserved: ARRAY(3) > [0] : 0x00 (0) > [1] : 0x00 (0) > [2] : 0x00 (0) > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) > Got challenge flags: > Got NTLMSSP neg_flags=0x62898215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_TARGET_TYPE_DOMAIN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_TARGET_INFO > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > NTLMSSP: Set final flags: > Got NTLMSSP neg_flags=0x62088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > NTLMSSP Sign/Seal - Initialising with flags: > Got NTLMSSP neg_flags=0x62088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > SPNEGO login failed: Logon failure > session setup failed: NT_STATUS_LOGON_FAILURE > > What could be the problem? > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Reasonably Related Threads
- authentication problem after upgrade to Debian Jessie
- DRS Replication between two DC's Failing
- cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
- Intermittent failure of net ads join command with error "The transport connection is now disconnected"
- Samba v3 works with LDAP, but not Samba v4