samba-ml.20.dignative at spamgourmet.com
2018-Jul-09 08:55 UTC
[Samba] Errors "Domain password server not available" and "SPNEGO login failed: The request is not supported"
Hi, I am running an Ubuntu 14.04 server with Samba 2:4.3.11+dfsg-0ubuntu0.14.04.14, which just provides storage services to the network. It is configured to use an existing Active Directory infrastructure based on Windows servers. Since some weeks I am experiencing issues with accessing the network shares served by Samba (no matter which client/operating system). Connection/mounting attempts ultimately fail most of the time. I am seeing errors like "SPNEGO login failed: The request is not supported." and "domain_client_validate: Domain password server not available." in the logs. But sometimes, without changes on the server side, accessing the shares works fine. An excerpt of the full log is attached below. I tried many hours already to solve the problem by modifying the Samba configuration without success, however, the original configuration worked fine for years. I have no clue how this issue can be solved and would appreciate any support. Thank you in advance and kind regards, René Log excerpt: [2018/07/09 09:28:37.296984, 3, pid=31899, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:515(open_socket_out_send) Connecting to [REDACTED] at port 445 [2018/07/09 09:28:37.297273, 5, pid=31899, effective(0, 0), real(0, 0)] ../lib/util/util_net.c:1055(print_socket_options) Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 46080 SO_RCVBUF = 372480 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 [2018/07/09 09:28:37.298134, 3, pid=31899, effective(0, 0), real(0, 0)] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send) Doing spnego session setup (blob length=120) [2018/07/09 09:28:37.298168, 3, pid=31899, effective(0, 0), real(0, 0)] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send) got OID=1.3.6.1.4.1.311.2.2.30 got OID=1.2.840.48018.1.2.2 got OID=1.2.840.113554.1.2.2 got OID=1.2.840.113554.1.2.2.3 got OID=1.3.6.1.4.1.311.2.2.10 [2018/07/09 09:28:37.298190, 3, pid=31899, effective(0, 0), real(0, 0)] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send) got principal=not_defined_in_RFC4178 at please_ignore [2018/07/09 09:28:37.298291, 5, pid=31899, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech) Starting GENSEC mechanism spnego [2018/07/09 09:28:37.298315, 5, pid=31899, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech) Starting GENSEC submechanism ntlmssp [2018/07/09 09:28:37.298339, 1, pid=31899, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) negotiate: struct NEGOTIATE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmNegotiate (1) NegotiateFlags : 0x62088215 (1644724757) 1: NTLMSSP_NEGOTIATE_UNICODE 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 0: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 0: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 0: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 0: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 0: NTLMSSP_NEGOTIATE_56 DomainNameLen : 0x0000 (0) DomainNameMaxLen : 0x0000 (0) DomainName : * DomainName : '' WorkstationLen : 0x0000 (0) WorkstationMaxLen : 0x0000 (0) Workstation : * Workstation : '' Version: struct ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) ProductBuild : 0x0000 (0) Reserved: ARRAY(3) [0] : 0x00 (0) [1] : 0x00 (0) [2] : 0x00 (0) NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) [2018/07/09 09:28:37.298917, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge) Got challenge flags: [2018/07/09 09:28:37.298934, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62898215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_TARGET_TYPE_DOMAIN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2018/07/09 09:28:37.298984, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge) NTLMSSP: Set final flags: [2018/07/09 09:28:37.298996, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62008a15 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_ANONYMOUS NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2018/07/09 09:28:37.299027, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) NTLMSSP Sign/Seal - Initialising with flags: [2018/07/09 09:28:37.299037, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62008a15 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_ANONYMOUS NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2018/07/09 09:28:37.299067, 5, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:633(ntlmssp_sign_reset) NTLMSSP Sign/Seal - using NTLM1 [2018/07/09 09:28:37.299462, 3, pid=31899, effective(0, 0), real(0, 0)] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego) SPNEGO login failed: The request is not supported. [2018/07/09 09:28:37.299558, 3, pid=31899, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:515(open_socket_out_send) Connecting to [REDACTED] at port 445 [2018/07/09 09:28:37.299857, 5, pid=31899, effective(0, 0), real(0, 0)] ../lib/util/util_net.c:1055(print_socket_options) Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 46080 SO_RCVBUF = 372480 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 [2018/07/09 09:28:37.300719, 3, pid=31899, effective(0, 0), real(0, 0)] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send) Doing spnego session setup (blob length=120) [2018/07/09 09:28:37.300772, 3, pid=31899, effective(0, 0), real(0, 0)] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send) got OID=1.3.6.1.4.1.311.2.2.30 got OID=1.2.840.48018.1.2.2 got OID=1.2.840.113554.1.2.2 got OID=1.2.840.113554.1.2.2.3 got OID=1.3.6.1.4.1.311.2.2.10 [2018/07/09 09:28:37.300800, 3, pid=31899, effective(0, 0), real(0, 0)] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send) got principal=not_defined_in_RFC4178 at please_ignore [2018/07/09 09:28:37.300905, 5, pid=31899, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech) Starting GENSEC mechanism spnego [2018/07/09 09:28:37.300927, 5, pid=31899, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech) Starting GENSEC submechanism ntlmssp [2018/07/09 09:28:37.300950, 1, pid=31899, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) negotiate: struct NEGOTIATE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmNegotiate (1) NegotiateFlags : 0x62088215 (1644724757) 1: NTLMSSP_NEGOTIATE_UNICODE 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 0: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 0: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 0: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 0: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 0: NTLMSSP_NEGOTIATE_56 DomainNameLen : 0x0000 (0) DomainNameMaxLen : 0x0000 (0) DomainName : * DomainName : '' WorkstationLen : 0x0000 (0) WorkstationMaxLen : 0x0000 (0) Workstation : * Workstation : '' Version: struct ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) ProductBuild : 0x0000 (0) Reserved: ARRAY(3) [0] : 0x00 (0) [1] : 0x00 (0) [2] : 0x00 (0) NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) [2018/07/09 09:28:37.301526, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge) Got challenge flags: [2018/07/09 09:28:37.301543, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62898215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_TARGET_TYPE_DOMAIN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2018/07/09 09:28:37.301590, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge) NTLMSSP: Set final flags: [2018/07/09 09:28:37.301602, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62008a15 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_ANONYMOUS NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2018/07/09 09:28:37.301633, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) NTLMSSP Sign/Seal - Initialising with flags: [2018/07/09 09:28:37.301644, 3, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62008a15 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_ANONYMOUS NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2018/07/09 09:28:37.301681, 5, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:633(ntlmssp_sign_reset) NTLMSSP Sign/Seal - using NTLM1 [2018/07/09 09:28:37.301999, 3, pid=31899, effective(0, 0), real(0, 0)] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego) SPNEGO login failed: The request is not supported. [2018/07/09 09:28:37.302044, 0, pid=31899, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:184(domain_client_validate) domain_client_validate: Domain password server not available. [2018/07/09 09:28:37.302060, 5, pid=31899, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password) check_ntlm_password: winbind authentication for user [REDACTED] FAILED with error NT_STATUS_NOT_SUPPORTED [2018/07/09 09:28:37.302087, 2, pid=31899, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password) check_ntlm_password: Authentication for user [REDACTED] -> [REDACTED] FAILED with error NT_STATUS_NOT_SUPPORTED [2018/07/09 09:28:37.302108, 5, pid=31899, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:188(auth3_check_password) Checking NTLMSSP password for [REDACTED] failed: NT_STATUS_NOT_SUPPORTED [2018/07/09 09:28:37.302131, 5, pid=31899, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:737(ntlmssp_server_check_password) ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for [REDACTED] failed: NT_STATUS_NOT_SUPPORTED [2018/07/09 09:28:37.302153, 2, pid=31899, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg) SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
Rowland Penny
2018-Jul-09 09:15 UTC
[Samba] Errors "Domain password server not available" and "SPNEGO login failed: The request is not supported"
On Mon, 9 Jul 2018 10:55:11 +0200 M.Eng. René Schwarz via samba <samba at lists.samba.org> wrote:> Hi, > > > I am running an Ubuntu 14.04 server with Samba > 2:4.3.11+dfsg-0ubuntu0.14.04.14, which just provides storage services > to the network. It is configured to use an existing Active Directory > infrastructure based on Windows servers. > > Since some weeks I am experiencing issues with accessing the network > shares served by Samba (no matter which client/operating system). > Connection/mounting attempts ultimately fail most of the time. I am > seeing errors like "SPNEGO login failed: The request is not > supported." and "domain_client_validate: Domain password server not > available." in the logs. But sometimes, without changes on the server > side, accessing the shares works fine. An excerpt of the full log is > attached below. > > I tried many hours already to solve the problem by modifying the Samba > configuration without success, however, the original configuration > worked fine for years. > > I have no clue how this issue can be solved and would appreciate any > support. > > > Thank you in advance and kind regards, > René > >At first glance it looks like your Ubuntu server is trying to use NTLMv1 against something that no longer uses it. Can you post your smb.conf and tell us what your windows servers are ? Rowland
samba-ml.20.dignative at spamgourmet.com
2018-Jul-09 09:54 UTC
[Samba] Errors "Domain password server not available" and (samba-ml: samba@lists.samba.org exclusive) "SPNEGO login failed: The request is not supported"
On 2018/07/09 11:15, Rowland Penny via samba - samba at lists.samba.org wrote:> At first glance it looks like your Ubuntu server is trying to use > NTLMv1 against something that no longer uses it. > > Can you post your smb.conf and tell us what your windows servers are ?Hi Rowland, thank you very much for your quick response. Yes, please find my reduced smb.conf attached below. I have just removed the 20+ share definitions we have; they are all similar to the example one displayed. Unfortunately, I can't tell you any details about the Windows servers since they are centrally managed (by another organizational unit) and I don't know much about them. Kind regards and thank you for your support, René [global] workgroup = [REDACTED] local master = no server string = %h server (Samba, Ubuntu) wins support = no wins server = [REDACTED] dns proxy = no realm = [REDACTED] security = ads domain master = no domain logons = no machine password timeout = 0 kerberos method = dedicated keytab dedicated keytab file = /etc/opt/quest/vas/host.keytab idmap uid = 1-2147483647 idmap gid = 1-2147483647 encrypt passwords = yes lanman auth = no ntlm auth = no use spnego = yes log file = /var/log/samba/samba.log max log size = 10000 syslog = 0 panic action = /usr/share/samba/panic-action %d server role = standalone server passdb backend = tdbsam obey pam restrictions = yes unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* . pam password change = yes map to guest = bad user usershare allow guests = yes guest account = nobody [data_exchange] path = /srv/shares/data_exchange browsable = yes public = yes writeable = yes guest ok = yes create mask = 0664 force create mode = 0664 directory mask = 2775 force directory mode = 2775 admin users = [REDACTED], [REDACTED] force user = nobody force group = nogroup