Alex Crow
2016-Sep-22 09:58 UTC
[Samba] ntlmssp_server_postauth: invalid NTLMSSP_MIC on CTDB fileserver (NT-style domain)
Hi List,

As the subject states, I'm running a CTDB cluster. Samba is Sernet 4.4.5 in an NT-Style Samba domain (DCs are Centos 6 packaged samba, 3.6.22)

Every so often, users are unable to connect to network shares. Most of the problems seem to happen on Windows 7 domain members, but smbclient will also fail to connect. I see these lines in the logs for every attempted connection:

[2016/09/22 06:08:42.135972, 1] ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
  ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[aa3] domain=[FOO_NET] workstation=[VM-FOOBAR]
[2016/09/22 06:08:42.135995, 1] ../lib/util/util.c:559(dump_data)
  [0000] F1 27 49 D5 8E 68 FE 25 B7 6E C9 7C 86 F7 D9 21 .'I..h.% .n.|...!
[2016/09/22 06:08:42.136013, 1] ../lib/util/util.c:559(dump_data)
  [0000] BA 8D 1F 5E A8 7D 9D 5E 7B 05 4D C4 BD 30 EE 72 ...^.}.^ {.M..0.r

smbclient -L seems only to work as a guest at this point, but testing it with an authenticated user fails with the same messages.

The only way to fix this seems to be to restart the CTDB daemon on all the servers.

Anyone have any insight into what might be causing this?

Regards,

Alex

--
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
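Added example, not part of the original post and not Samba code: a small parser that pulls each "invalid NTLMSSP_MIC" record and the two 16-byte dump_data values logged after it out of smbd log text, then counts failures per client so they can be lined up against CTDB events. The function names and the sample layout (header line, then indented message line) are assumptions of this example; the sample lines are the ones quoted in the post.

```python
import re
from collections import Counter

# Constructed sample: the log lines quoted in the post, one record per
# header line followed by its indented message line.
SAMPLE_LOG = """\
[2016/09/22 06:08:42.135972,  1] ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
  ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[aa3] domain=[FOO_NET] workstation=[VM-FOOBAR]
[2016/09/22 06:08:42.135995,  1] ../lib/util/util.c:559(dump_data)
  [0000] F1 27 49 D5 8E 68 FE 25   B7 6E C9 7C 86 F7 D9 21   .'I..h.% .n.|...!
[2016/09/22 06:08:42.136013,  1] ../lib/util/util.c:559(dump_data)
  [0000] BA 8D 1F 5E A8 7D 9D 5E   7B 05 4D C4 BD 30 EE 72   ...^.}.^ {.M..0.r
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
MIC_FAIL = re.compile(
    r"invalid NTLMSSP_MIC for user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
DUMP = re.compile(r"\[0000\]((?:\s+[0-9A-Fa-f]{2}){16})")


def parse_mic_failures(text):
    """Return one dict per 'invalid NTLMSSP_MIC' record, with its hex dumps."""
    events, stamp, current = [], None, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            stamp = header.group(1)  # timestamp applies to the message that follows
        failure = MIC_FAIL.search(line)
        dump = DUMP.search(line)
        if failure:
            current = {"time": stamp, "user": failure.group(1),
                       "domain": failure.group(2),
                       "workstation": failure.group(3), "dumps": []}
            events.append(current)
        elif dump and current is not None and len(current["dumps"]) < 2:
            current["dumps"].append(bytes.fromhex("".join(dump.group(1).split())))
        elif not header:
            current = None  # some other message: stop attaching dumps
    return events


def summarize(events):
    """Count failures per (domain, user, workstation)."""
    return Counter((e["domain"], e["user"], e["workstation"]) for e in events)


if __name__ == "__main__":
    for event in parse_mic_failures(SAMPLE_LOG):
        print(event["time"], event["user"], event["workstation"],
              [d.hex() for d in event["dumps"]])
```

The two dumps are kept in log order; the log text itself does not say which of them is the value the client sent and which is the one the server computed.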
Alex Crow
2016-Sep-22 10:07 UTC
[Samba] ntlmssp_server_postauth: invalid NTLMSSP_MIC on CTDB fileserver (NT-style domain)
Apologies, should have included auth related settings:

max protocol = SMB2
workgroup = FOO
netbios name = LCLUSTER
clustering = yes
security = DOMAIN
interfaces = enp4s0f0
passdb backend = tdbsam
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/%m
max log size = 102400
log level = 1
name resolve order = wins lmhosts bcast hosts
time server = no
ldap ssl = no
guest account = nobody
map to guest = bad user
require strong key = false
winbind sealed pipes = false
client signing = off
client ldap sasl wrapping = plain

On 22/09/16 10:58, Alex Crow via samba wrote:
> Hi List,
>
> As the subject states, I'm running a CTDB cluster. Samba is Sernet 4.4.5
> in an NT-Style Samba domain (DCs are Centos 6 packaged samba, 3.6.22)
>
> Every so often, users are unable to connect to network shares. Most of
> the problems seem to happen on Windows 7 domain members, but smbclient
> will also fail to connect. I see these lines in the logs for every
> attempted connection:
>
> [2016/09/22 06:08:42.135972, 1]
> ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
> ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[aa3]
> domain=[FOO_NET] workstation=[VM-FOOBAR]
> [2016/09/22 06:08:42.135995, 1] ../lib/util/util.c:559(dump_data)
> [0000] F1 27 49 D5 8E 68 FE 25 B7 6E C9 7C 86 F7 D9 21 .'I..h.%
> .n.|...!
> [2016/09/22 06:08:42.136013, 1] ../lib/util/util.c:559(dump_data)
> [0000] BA 8D 1F 5E A8 7D 9D 5E 7B 05 4D C4 BD 30 EE 72 ...^.}.^
> {.M..0.r
>
> smbclient -L seems only to work as a guest at this point, but testing it
> with an authenticated user fails with the same messages.
>
> The only way to fix this seems to be to restart the CTDB daemon on all
> the servers.
>
> Anyone have any insight into what might be causing this?
>
> Regards,
>
> Alex
Rowland Penny
2016-Sep-22 11:12 UTC
[Samba] ntlmssp_server_postauth: invalid NTLMSSP_MIC on CTDB fileserver (NT-style domain)
On Thu, 22 Sep 2016 10:58:18 +0100 Alex Crow via samba <samba at lists.samba.org> wrote:
> Hi List,
>
> As the subject states, I'm running a CTDB cluster. Samba is Sernet
> 4.4.5 in an NT-Style Samba domain (DCs are Centos 6 packaged samba,
> 3.6.22)
>
> Every so often, users are unable to connect to network shares. Most of
> the problems seem to happen on Windows 7 domain members, but smbclient
> will also fail to connect. I see these lines in the logs for every
> attempted connection:
>
> [2016/09/22 06:08:42.135972, 1]
> ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
> ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[aa3]
> domain=[FOO_NET] workstation=[VM-FOOBAR]
> [2016/09/22 06:08:42.135995, 1] ../lib/util/util.c:559(dump_data)
> [0000] F1 27 49 D5 8E 68 FE 25 B7 6E C9 7C 86 F7 D9 21 .'I..h.%
> .n.|...!
> [2016/09/22 06:08:42.136013, 1] ../lib/util/util.c:559(dump_data)
> [0000] BA 8D 1F 5E A8 7D 9D 5E 7B 05 4D C4 BD 30 EE 72 ...^.}.^
> {.M..0.r
>
> smbclient -L seems only to work as a guest at this point, but testing
> it with an authenticated user fails with the same messages.
>
> The only way to fix this seems to be to restart the CTDB daemon on all
> the servers.
>
> Anyone have any insight into what might be causing this?
>
> Regards,
>
> Alex

This sounds very like this bug:

https://bugzilla.samba.org/show_bug.cgi?id=11847

But it is supposed to be fixed?

Rowland
Alex Crow
2016-Sep-22 11:43 UTC
[Samba] ntlmssp_server_postauth: invalid NTLMSSP_MIC on CTDB fileserver (NT-style domain)
On 22/09/16 12:12, Rowland Penny via samba wrote:
> On Thu, 22 Sep 2016 10:58:18 +0100
> Alex Crow via samba <samba at lists.samba.org> wrote:
>
>> Hi List,
>>
>> As the subject states, I'm running a CTDB cluster. Samba is Sernet
>> 4.4.5 in an NT-Style Samba domain (DCs are Centos 6 packaged samba,
>> 3.6.22)
>>
>> Every so often, users are unable to connect to network shares. Most of
>> the problems seem to happen on Windows 7 domain members, but smbclient
>> will also fail to connect. I see these lines in the logs for every
>> attempted connection:
>>
> This sounds very like this bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=11847
>
> But it is supposed to be fixed?
>
> Rowland

I have "map to guest = bad user". Sorry, I must have missed pasting that in.

However, the bug only seems to reference guest share access. This is happening on normal, restricted shares.

Thanks,

Alex