Pisch Tamás
2016-Jul-22 08:37 UTC
[Samba] authentication problem after upgrade to Debian Jessie
Hi,

I upgraded our servers from Wheezy to Jessie. I use samba in classic mode, with openldap backend. After the upgrade, on the PDC (srv3) everything seems to be ok, it authenticates, the netlogon share is accessible on it, but on the BDC (srv7), which is the file server, the authentication doesn't work, shares are inaccessible.
I compared and synchronized the configuration files to be as similar as possible on the two servers, but it didn't solve this problem (there were other smaller issues, they were solved with the changes).
After the upgrade, smbd didn't start at all. I reindexed the ldap databases, and I think it helped to start smbd.
The following commands give correct results:
wbinfo -u
wbinfo -g
nmblookup -B SRV7 __SAMBA__
nmblookup -B DS1021 '*'
nmblookup -d 2 '*'
nmblookup -M xyz

The following commands give errors:
smbclient -U admin //SRV7/NETLOGON
Enter admin's password:
session setup failed: NT_STATUS_LOGON_FAILURE

smbclient -L SRV7 -d 10
...
Processing section "[global]"
doing parameter dos charset = CP852
doing parameter unix charset = UTF8
doing parameter workgroup = XYZ
doing parameter server string = SRV7
doing parameter interfaces = lo 192.168.0.7/24
doing parameter bind interfaces only = Yes
doing parameter security = USER
doing parameter passdb backend = ldapsam:"ldap://127.0.0.1:389"
doing parameter syslog = 0
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter smb ports = 139
doing parameter server max protocol = SMB2
doing parameter name resolve order = host wins bcast
doing parameter time server = Yes
doing parameter printcap name = /etc/printcap
doing parameter logon script = scripts\logon.cmd
doing parameter logon path = \\SRV7\profiles\%U
doing parameter logon drive = H:
doing parameter logon home = \\SRV7\%U
doing parameter domain logons = Yes
doing parameter preferred master = No
doing parameter domain master = No
doing parameter dns proxy = No
doing parameter wins server = 192.168.0.3
doing parameter ldap admin dn = cn=ldapsu,dc=xyz,dc=site
doing parameter ldap group suffix = ou=Groups
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap machine suffix = ou=People
doing parameter ldap passwd sync = yes
doing parameter ldap suffix = dc=xyz,dc=site
doing parameter ldap ssl = no
doing parameter ldap user suffix = ou=People
doing parameter eventlog list = Security Application Syslog
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter idmap config * : ldap_user_dn = cn=idmapsu,dc=xyz,dc=site
doing parameter idmap config * : ldap_base_dn = ou=Idmap,dc=xyz,dc=site
doing parameter idmap config * : ldap_url = ldap://127.0.0.1:389/
doing parameter idmap config * : range = 10000-20000
doing parameter idmap config * : default = yes
doing parameter ldapsam:trusted = yes
doing parameter idmap config * : backend = ldap
doing parameter acl allow execute always = Yes
doing parameter create mask = 0770
doing parameter directory mask = 0770
doing parameter map acl inherit = Yes
doing parameter veto oplock files = /*.pdf/*.pst/
doing parameter browseable = No
doing parameter csc policy = disable
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
interpret_interface: Adding interface 192.168.0.7/24
added interface 192.168.0.7/24 ip=192.168.0.7 bcast=192.168.0.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SRV7"
Client started (version 4.2.10-Debian).
Enter admin's password:
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for
internal_resolve_name: looking up SRV7#20 (sitename (null))
name SRV7#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 192.168.0.7 at port 445
Connecting to 192.168.0.7 at port 139
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061808
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

What could be the problem?
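The debug output above shows SPNEGO selecting the ntlmssp submechanism and both sides agreeing on the NTLMSSP flags (the server adds TARGET_TYPE_DOMAIN and TARGET_INFO in its challenge, the final flags go back to the client's set) before the server rejects the logon. As an added example that is not code from the thread or from Samba, here is a small Python triage helper that decodes the logged flag words and locates where in the exchange the failure occurred; the flag bit values are taken from the NTLMSSP specification (MS-NLMP) and the sample log is constructed from the lines above.

```python
import re

# NTLMSSP negotiate flag bits as defined in MS-NLMP (Samba's ntlmssp.idl uses
# the same names); the bit values come from the specification, not the thread.
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

def decode_flags(word):
    """Names of the flags set in a 32-bit NTLMSSP flag word."""
    return {name for bit, name in NTLMSSP_FLAGS.items() if word & bit}

def triage(log):
    """Summarise the session-setup part of an `smbclient -d 10` log."""
    mech = re.findall(r"Starting GENSEC submechanism (\w+)", log)
    client = re.search(r"NegotiateFlags : 0x([0-9a-fA-F]+)", log)
    # Samba logs neg_flags once for the challenge, then for the final flags.
    words = [int(w, 16) for w in re.findall(r"neg_flags=0x([0-9a-fA-F]+)", log)]
    status = re.search(r"session setup failed: (NT_STATUS_\w+)", log)
    client_flags = decode_flags(int(client.group(1), 16)) if client else set()
    challenge = decode_flags(words[0]) if words else set()
    return {
        "submechanism": mech[-1] if mech else None,
        "server_added": sorted(challenge - client_flags),
        "final_flags": sorted(decode_flags(words[-1])) if words else [],
        "status": status.group(1) if status else "NT_STATUS_OK",
        # Sign/Seal init means flags and session key were agreed before the
        # rejection, so the failure is credential verification on the server.
        "failed_after_negotiation": bool(status) and "Sign/Seal" in log,
    }

# Constructed sample: the session-setup lines of the thread's log, condensed.
SAMPLE_LOG = """\
Starting GENSEC submechanism ntlmssp
NegotiateFlags : 0x62088215 (1644724757)
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
"""
```

A rejection that only appears after the Sign/Seal initialisation points at credential verification on srv7 (its passdb backend and the account data it reads) rather than at the transport or the mechanism negotiation.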
mathias dufresne
2016-Jul-26 08:43 UTC
[Samba] authentication problem after upgrade to Debian Jessie
Hi,

SPNEGO is related to SASL, which seems to me related to Kerberos (at least in an AD context). You said you are running the Samba domain in "classic mode", which should mean that this domain is an NT4 domain. And as far as I'm aware, NT4 domains don't support Kerberos.

Could you post your smb.conf files please? For both servers, srv3 and srv7.

2016-07-22 10:37 GMT+02:00 Pisch Tamás <pischta at gmail.com>:
> Hi,
>
> I upgraded our servers from Wheezy to Jessie. I use samba in classic mode,
> with openldap backend. After the upgrade, on the PDC (srv3) everything
> seems to be ok, it authenticates, the netlogon share is accessible on it,
> but on the BDC (srv7), which is the file server, the authentication doesn't
> work, shares are inaccessible.
> I compared and synchronized the configuration files to be as similar as
> possible on the two servers, but it didn't solve this problem (there were
> other smaller issues, they were solved with the changes).
> After the upgrade, smbd didn't start at all. I reindexed the ldap
> databases, and I think it helped to start smbd.
> The following commands give correct results:
> wbinfo -u
> wbinfo -g
> nmblookup -B SRV7 __SAMBA__
> nmblookup -B DS1021 '*'
> nmblookup -d 2 '*'
> nmblookup -M xyz
>
> The following commands give errors:
> smbclient -U admin //SRV7/NETLOGON
> Enter admin's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> smbclient -L SRV7 -d 10
> ...
> [...]
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> What could be the problem?