thr3ads.net - samba - [Samba] Problem after update version 4.15.0 [Sep 2021]

If this information is useful, please help other people find it:
Share via:

L.P.H. van Belle

2021-Sep-29 07:23 UTC

[Samba] Problem after update version 4.15.0

The computer password is expired. 
You can try, Remove the pc from domain and rejoin. 

And did you verify if the computer time is in sync with AD. 

Greetz, 

Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rainer Meier via samba
> Verzonden: dinsdag 28 september 2021 23:25
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Problem after update version 4.15.0
> 
>  > my last version 4.14.7
> 
> I actually have the same problem upgrading from 4.14.7.
> 
> In fact I found it's not happening to all workstations and 
> seems to be 
> limited to workstation accounts only. On affected 
> workstations no login 
> is possible. However connecting to shares using a local user 
> account on 
> this workstation is working just fine. Just no domain user login is 
> possible while the workstation reporting invalid password.
> 
> I can also migrate back to 4.17.7 binaries and I am able to log on to 
> the workstation again.
> 
> Somehow it does not affect workstations recently joined to the domain 
> but seems to affect only workstations joined to the domain 
> since a long 
> time. Actually one workstation I am able to reproduce the issue is 
> joined since 2016.
> Re-joining the workstation might fix the issue but is not really an 
> option I want to follow.
> 
> Also resetting the computer account did not change anything.
> 
> I also compared "samba-tool computer show" of a working and one 
> non-working machine and can't find any differences other than 
> timestamps.
> 
> Also tried different protocols (limiting to SMB2 and also disabling 
> signing on client and server side) without success.
> 
> 
> Logs:
> 
> [2021/09/28 23:12:11.479107,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:564(make_auth3_context_for_ntlm)
>    make_auth3_context_for_ntlm: Making default auth method list for 
> server role = 'active directory domain controller'
> [2021/09/28 23:12:11.479171,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:52(smb_register_auth)
>    Attempting to register auth backend anonymous
> [2021/09/28 23:12:11.479199,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:64(smb_register_auth)
>    Successfully added auth method 'anonymous'
> [2021/09/28 23:12:11.479217,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:52(smb_register_auth)
>    Attempting to register auth backend sam
> [2021/09/28 23:12:11.479232,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:64(smb_register_auth)
>    Successfully added auth method 'sam'
> [2021/09/28 23:12:11.479247,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:52(smb_register_auth)
>    Attempting to register auth backend sam_ignoredomain
> [2021/09/28 23:12:11.479263,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:64(smb_register_auth)
>    Successfully added auth method 'sam_ignoredomain'
> [2021/09/28 23:12:11.479278,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:52(smb_register_auth)
>    Attempting to register auth backend sam_netlogon3
> [2021/09/28 23:12:11.479307,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:64(smb_register_auth)
>    Successfully added auth method 'sam_netlogon3'
> [2021/09/28 23:12:11.479324,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:52(smb_register_auth)
>    Attempting to register auth backend winbind
> [2021/09/28 23:12:11.479339,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:64(smb_register_auth)
>    Successfully added auth method 'winbind'
> [2021/09/28 23:12:11.479354,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:52(smb_register_auth)
>    Attempting to register auth backend unix
> [2021/09/28 23:12:11.479370,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:64(smb_register_auth)
>    Successfully added auth method 'unix'
> [2021/09/28 23:12:11.479395,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:52(smb_register_auth)
>    Attempting to register auth backend samba4
> [2021/09/28 23:12:11.479411,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:64(smb_register_auth)
>    Successfully added auth method 'samba4'
> [2021/09/28 23:12:11.479426,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:426(load_auth_module)
>    load_auth_module: Attempting to find an auth method to match samba4
> [2021/09/28 23:12:11.482777,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'gssapi_spnego' registered
> [2021/09/28 23:12:11.482852,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'gssapi_krb5' registered
> [2021/09/28 23:12:11.482870,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'gssapi_krb5_sasl' registered
> [2021/09/28 23:12:11.482913,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'spnego' registered
> [2021/09/28 23:12:11.482931,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'schannel' registered
> [2021/09/28 23:12:11.482948,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'naclrpc_as_system' registered
> [2021/09/28 23:12:11.482974,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'sasl-EXTERNAL' registered
> [2021/09/28 23:12:11.482992,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'ntlmssp' registered
> [2021/09/28 23:12:11.483009,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'ntlmssp_resume_ccache' registered
> [2021/09/28 23:12:11.483027,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'http_basic' registered
> [2021/09/28 23:12:11.483045,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'http_ntlm' registered
> [2021/09/28 23:12:11.483062,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'http_negotiate' registered
> [2021/09/28 23:12:11.483079,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'krb5' registered
> [2021/09/28 23:12:11.483096,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:1082(gensec_register)
>    GENSEC backend 'fake_gssapi_krb5' registered
> [2021/09/28 23:12:11.483115,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:451(load_auth_module)
>    load_auth_module: auth method samba4 has a valid init
> [2021/09/28 23:12:11.489069,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source4/auth/ntlm/auth.c:831(auth_register)
>    AUTH backend 'sam' registered
> [2021/09/28 23:12:11.489126,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source4/auth/ntlm/auth.c:831(auth_register)
>    AUTH backend 'sam_ignoredomain' registered
> [2021/09/28 23:12:11.489144,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source4/auth/ntlm/auth.c:831(auth_register)
>    AUTH backend 'anonymous' registered
> [2021/09/28 23:12:11.489161,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source4/auth/ntlm/auth.c:831(auth_register)
>    AUTH backend 'winbind' registered
> [2021/09/28 23:12:11.489177,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source4/auth/ntlm/auth.c:831(auth_register)
>    AUTH backend 'name_to_ntstatus' registered
> [2021/09/28 23:12:11.493050,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:843(gensec_start_mech)
>    Starting GENSEC mechanism spnego
> [2021/09/28 23:12:11.493498,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:843(gensec_start_mech)
>    Starting GENSEC submechanism gssapi_krb5
> [2021/09/28 23:12:11.494307, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
>    gensec_update_send: spnego[0x5588bd35f470]: subreq: 0x5588bded6b80
> [2021/09/28 23:12:11.494371, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec.c:547(gensec_update_done)
>    gensec_update_done: spnego[0x5588bd35f470]: 
> NT_STATUS_MORE_PROCESSING_REQUIRED 
> tevent_req[0x5588bded6b80/../../auth/gensec/spnego.c:1631]: state[2] 
> error[0 (0x0)]  state[struct gensec_spnego_update_state 
> (0x5588bded6d40)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
> [2021/09/28 23:12:11.506170,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:564(make_auth3_context_for_ntlm)
>    make_auth3_context_for_ntlm: Making default auth method list for 
> server role = 'active directory domain controller'
> [2021/09/28 23:12:11.506261,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:426(load_auth_module)
>    load_auth_module: Attempting to find an auth method to match samba4
> [2021/09/28 23:12:11.506281,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source3/auth/auth.c:451(load_auth_module)
>    load_auth_module: auth method samba4 has a valid init
> [2021/09/28 23:12:11.510859,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:843(gensec_start_mech)
>    Starting GENSEC mechanism spnego
> [2021/09/28 23:12:11.511280,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec_start.c:843(gensec_start_mech)
>    Starting GENSEC submechanism ntlmssp
> [2021/09/28 23:12:11.511347,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>    Got NTLMSSP neg_flags=0xe2088297
>      NTLMSSP_NEGOTIATE_UNICODE
>      NTLMSSP_NEGOTIATE_OEM
>      NTLMSSP_REQUEST_TARGET
>      NTLMSSP_NEGOTIATE_SIGN
>      NTLMSSP_NEGOTIATE_LM_KEY
>      NTLMSSP_NEGOTIATE_NTLM
>      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>      NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>      NTLMSSP_NEGOTIATE_VERSION
>      NTLMSSP_NEGOTIATE_128
>      NTLMSSP_NEGOTIATE_KEY_EXCH
>      NTLMSSP_NEGOTIATE_56
> [2021/09/28 23:12:11.511416, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source4/auth/ntlm/auth.c:83(auth_get_challenge)
>    auth_get_challenge: challenge set by random
> [2021/09/28 23:12:11.511589, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
>    gensec_update_send: ntlmssp[0x5588bd3fbcf0]: subreq: 0x5588be057940
> [2021/09/28 23:12:11.511613, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
>    gensec_update_send: spnego[0x5588bd7b6470]: subreq: 0x5588bd81f5b0
> [2021/09/28 23:12:11.511720, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec.c:547(gensec_update_done)
>    gensec_update_done: ntlmssp[0x5588bd3fbcf0]: 
> NT_STATUS_MORE_PROCESSING_REQUIRED 
> tevent_req[0x5588be057940/../../auth/ntlmssp/ntlmssp.c:180]: state[2] 
> error[0 (0x0)]  state[struct gensec_ntlmssp_update_state 
> (0x5588be057b00)] timer[(nil)] 
> finish[../../auth/ntlmssp/ntlmssp.c:215]
> [2021/09/28 23:12:11.511766, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec.c:547(gensec_update_done)
>    gensec_update_done: spnego[0x5588bd7b6470]: 
> NT_STATUS_MORE_PROCESSING_REQUIRED 
> tevent_req[0x5588bd81f5b0/../../auth/gensec/spnego.c:1631]: state[2] 
> error[0 (0x0)]  state[struct gensec_spnego_update_state 
> (0x5588bd81f770)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
> [2021/09/28 23:12:11.514648,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] 
> ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
>    Got user=[CYB64W10-TEST$] domain=[CYBERDYNE] 
> workstation=[CYB64W10-TEST] len1=24 len2=340
> [2021/09/28 23:12:11.514750, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] 
> ../../auth/ntlmssp/ntlmssp_server.c:544(ntlmssp_server_preauth)
> [2021/09/28 23:12:11.514766,  1] 
> ../../librpc/ndr/ndr.c:435(ndr_print_debug)
>         &v2_resp: struct NTLMv2_RESPONSE
>            Response                 : 1edb5b9741c49d2c7f9de26c6edc5de1
>            Challenge: struct NTLMv2_CLIENT_CHALLENGE
>                RespType                 : 0x01 (1)
>                HiRespType               : 0x01 (1)
>                Reserved1                : 0x0000 (0)
>                Reserved2                : 0x00000000 (0)
>                TimeStamp                : Tue Sep 28 11:12:12 
> PM 2021 CEST
>                ChallengeFromClient      : b5ba50318f977163
>                Reserved3                : 0x00000000 (0)
>                AvPairs: struct AV_PAIR_LIST
>                    count                    : 0x0000000a (10)
>                    pair: ARRAY(10)
>                        pair: struct AV_PAIR
>                            AvId                     : 
> MsvAvNbDomainName 
> (0x2)
>                            AvLen                    : 0x0012 (18)
>                            Value                    : union 
> ntlmssp_AvValue(case 0x2)
>                            AvNbDomainName           : 'CYBERDYNE'
>                        pair: struct AV_PAIR
>                            AvId                     : 
> MsvAvNbComputerName (0x1)
>                            AvLen                    : 0x000c (12)
>                            Value                    : union 
> ntlmssp_AvValue(case 0x1)
>                            AvNbComputerName         : 'SKYNET'
>                        pair: struct AV_PAIR
>                            AvId                     : 
> MsvAvDnsDomainName 
> (0x4)
>                            AvLen                    : 0x0024 (36)
>                            Value                    : union 
> ntlmssp_AvValue(case 0x4)
>                            AvDnsDomainName          : 
> 'ad.cyberdyne.local'
>                        pair: struct AV_PAIR
>                            AvId                     : 
> MsvAvDnsComputerName (0x3)
>                            AvLen                    : 0x0032 (50)
>                            Value                    : union 
> ntlmssp_AvValue(case 0x3)
>                            AvDnsComputerName        : 
> 'skynet.ad.cyberdyne.local'
>                        pair: struct AV_PAIR
>                            AvId                     : 
> MsvAvTimestamp (0x7)
>                            AvLen                    : 0x0008 (8)
>                            Value                    : union 
> ntlmssp_AvValue(case 0x7)
>                            AvTimestamp              : Tue Sep 28 
> 11:12:12 PM 2021 CEST
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvFlags (0x6)
>                            AvLen                    : 0x0004 (4)
>                            Value                    : union 
> ntlmssp_AvValue(case 0x6)
>                            AvFlags                  : 0x00000002 (2)
>                                   0: 
> NTLMSSP_AVFLAG_CONSTRAINTED_ACCOUNT
>                                   1: 
> NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE
>                                   0: 
> NTLMSSP_AVFLAG_TARGET_SPN_FROM_UNTRUSTED_SOURCE
>                        pair: struct AV_PAIR
>                            AvId                     : 
> MsvAvSingleHost (0x8)
>                            AvLen                    : 0x0030 (48)
>                            Value                    : union 
> ntlmssp_AvValue(case 0x8)
>                            AvSingleHost: struct ntlmssp_SingleHostData
>                                Size                     : 
> 0x00000030 (48)
>                                Z4                       : 
> 0x00000000 (0)
>                                token_info: struct 
> LSAP_TOKEN_INFO_INTEGRITY
>                                    Flags                    : 
> 0x00000000 (0)
>                                    TokenIL                  : 
> 0x00004000 
> (16384)
>                                    MachineId                : 
> ee332d1498ee205bbe0b10ef6d13c44c4cfdd979ff677d416e7b400cdcdb4503
>                                remaining                : 
> DATA_BLOB length=0
>                        pair: struct AV_PAIR
>                            AvId                     : 
> MsvChannelBindings 
> (0xA)
>                            AvLen                    : 0x0010 (16)
>                            Value                    : union 
> ntlmssp_AvValue(case 0xA)
>                            ChannelBindings          : 
> 00000000000000000000000000000000
>                        pair: struct AV_PAIR
>                            AvId                     : 
> MsvAvTargetName (0x9)
>                            AvLen                    : 0x003c (60)
>                            Value                    : union 
> ntlmssp_AvValue(case 0x9)
>                            AvTargetName             : 
> 'cifs/skynet.ad.cyberdyne.local'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvEOL (0x0)
>                            AvLen                    : 0x0000 (0)
>                            Value                    : union 
> ntlmssp_AvValue(case 0x0)
> [2021/09/28 23:12:11.515308,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] 
> ../../source4/auth/ntlm/auth.c:241(auth_check_password_send)
>    auth_check_password_send: Checking password for unmapped user 
> [CYBERDYNE]\[CYB64W10-TEST$]@[CYB64W10-TEST]
>    auth_check_password_send: user is: 
> [CYBERDYNE]\[CYB64W10-TEST$]@[CYB64W10-TEST]
> [2021/09/28 23:12:11.515348,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../source4/auth/ntlm/auth.c:69(auth_get_challenge)
>    auth_get_challenge: returning previous challenge by module random 
> (normal)
> [2021/09/28 23:12:11.515365, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] 
> ../../source4/auth/ntlm/auth.c:310(auth_check_password_send)
>    auth_check_password_send: auth_context challenge created by random
> [2021/09/28 23:12:11.515380, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] 
> ../../source4/auth/ntlm/auth.c:315(auth_check_password_send)
>    auth_check_password_send: challenge is:
> [2021/09/28 23:12:11.518330, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
>    gensec_update_send: ntlmssp[0x5588bd3fbcf0]: subreq: 0x5588be057940
> [2021/09/28 23:12:11.518402, 10, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
>    gensec_update_send: spnego[0x5588bd7b6470]: subreq: 0x5588bd81f5b0
> [2021/09/28 23:12:11.518489,  2, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] 
> ../../source4/auth/ntlm/auth.c:437(auth_check_password_recv)
>    auth_check_password_recv: sam authentication for user 
> [CYBERDYNE\CYB64W10-TEST$] FAILED with error 
> NT_STATUS_WRONG_PASSWORD, 
> authoritative=1
> [2021/09/28 23:12:11.518557,  2] 
> ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>    Auth: [SMB2,NTLMSSP] user [CYBERDYNE]\[CYB64W10-TEST$] at [Tue, 28 
> Sep 2021 23:12:11.518538 CEST] with [NTLMv2] status 
> [NT_STATUS_WRONG_PASSWORD] workstation [CYB64W10-TEST] remote host 
> [ipv4:10.0.1.137:50082] mapped to [CYBERDYNE]\[CYB64W10-TEST$]. local 
> host [ipv4:10.0.2.6:445]
>    {"timestamp": "2021-09-28T23:12:11.518668+0200",
"type":
> "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> 2}, "eventId": 4625, "logonId": "0",
"logonType": 3, "status":
> "NT_STATUS_WRONG_PASSWORD", "localAddress":
"ipv4:10.0.2.6:445",
> "remoteAddress": "ipv4:10.0.1.137:50082", 
> "serviceDescription": "SMB2", 
> "authDescription": "NTLMSSP", "clientDomain":
"CYBERDYNE",
> "clientAccount": "CYB64W10-TEST$",
"workstation": "CYB64W10-TEST",
> "becameAccount": null, "becameDomain": null,
"becameSid": null,
> "mappedAccount": "CYB64W10-TEST$",
"mappedDomain": "CYBERDYNE",
> "netlogonComputer": null, "netlogonTrustAccount": null,
> "netlogonNegotiateFlags": "0x00000000", 
> "netlogonSecureChannelType": 0, 
> "netlogonTrustAccountSid": null, "passwordType":
"NTLMv2",
> "duration": 
> 10774}}
> [2021/09/28 23:12:11.518770,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] 
> ../../auth/ntlmssp/ntlmssp_server.c:813(ntlmssp_server_auth_done)
>    ntlmssp_server_auth_done: Checking NTLMSSP password for 
> CYBERDYNE\CYB64W10-TEST$ failed: NT_STATUS_WRONG_PASSWORD
> [2021/09/28 23:12:11.518799,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec.c:534(gensec_update_done)
>    gensec_update_done: ntlmssp[0x5588bd3fbcf0]: 
> NT_STATUS_WRONG_PASSWORD 
> tevent_req[0x5588be057940/../../auth/ntlmssp/ntlmssp.c:180]: state[3] 
> error[-7963671676338569110 (0x917B5ACDC000006A)]  state[struct 
> gensec_ntlmssp_update_state (0x5588be057b00)] timer[(nil)] 
> finish[../../auth/ntlmssp/ntlmssp.c:239]
> [2021/09/28 23:12:11.518822,  3, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] 
> ../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenT
> arg_step)
>    gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) 
> login failed: 
> NT_STATUS_WRONG_PASSWORD
> [2021/09/28 23:12:11.518846,  5, pid=26638, effective(0, 0), 
> real(0, 0), 
> class=auth] ../../auth/gensec/gensec.c:534(gensec_update_done)
>    gensec_update_done: spnego[0x5588bd7b6470]: 
> NT_STATUS_WRONG_PASSWORD 
> tevent_req[0x5588bd81f5b0/../../auth/gensec/spnego.c:1631]: state[3] 
> error[-7963671676338569110 (0x917B5ACDC000006A)]  state[struct 
> gensec_spnego_update_state (0x5588bd81f770)] timer[(nil)] 
> finish[../../auth/gensec/spnego.c:2039]On 28.09.2021 23:10, 
> samba-bounces at lists.samba.org wrote:
> 
> 
> best regards,
> Rainer
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

rme at bluemail.ch

2021-Sep-29 07:50 UTC

head link

[Samba] Problem after update version 4.15.0

Hi Louis

On 29.09.2021 09:23, L.P.H. van Belle via samba wrote:> The computer password is expired.
> You can try, Remove the pc from domain and rejoin.
> 
> And did you verify if the computer time is in sync with AD.
Where can I check this? And why does it not happen on Samba 4.14.7?

In fact I can perfectly use the computer account when downgrading to 
4.14.7. I did the upgrade, test, downgrade cycle a couple of times 
already. Samba 4.14.7 always working finde and Samba 4.15 claiming the 
password to be wrong (wrong, not expired).

If expiration is a problem the question is how the password can be 
renewed without having to re-join the machine - before the upgrade of 
course.

I don't want to lose 80% of my machines after Samba 4.15 upgrade 
blocking my users to log in and then having to re-join all the machines 
which work perfectly fine on Samba 4.14.7.

best regards,
Rainer

L.P.H. van Belle

2021-Sep-29 08:08 UTC

head link

[Samba] Problem after update version 4.15.0

This.> ../../source4/auth/ntlm/auth.c:241(auth_check_password_send)
>    auth_check_password_send: Checking password for unmapped user 
> [CYBERDYNE]\[CYB64W10-TEST$]@[CYB64W10-TEST]
I would have expected> [CYBERDYNE]\[CYB64W10-TEST$]@[AD.CYBERDYNE.LOCAL]
I see this so now and then here also that, suddenly a computer/user cant login.
Common causes.. 
1) PC time out of sync with DC.
2) Computer account its password expired.
3) Lots domain trust. 

But what does the evenlog show and i assume the same user on an other computer
can login?
> I also compared "samba-tool computer show" of a working and one 
> non-working machine and can't find any differences other than 
> timestamps.Hmm, is this an "old" domain, like from before 4.9? 

Did you use 
'samba-tool dns zoneoptions' for aging control
----------------------------------------------
Or 
Marking old records as static or dynamic with 'samba-tool'
>From : https://www.samba.org/samba/history/samba-4.15.0.html 
If i have to gamble on this, 2 options.
Windows 10 bug or Samba fix in 4.15 that triggered it. 

And if you dont want to re-register 1 pc.. 
(You can do this with a script at login for the whole domain. )

Increase the debugging and post it, maybe we see more in these loggings.

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: rme at bluemail.ch [mailto:rme at bluemail.ch] 
> Verzonden: woensdag 29 september 2021 9:50
> Aan: L.P.H. van Belle; samba at lists.samba.org
> Onderwerp: Re: [Samba] Problem after update version 4.15.0
> 
> Hi Louis
> 
> On 29.09.2021 09:23, L.P.H. van Belle via samba wrote:
> > The computer password is expired.
> > You can try, Remove the pc from domain and rejoin.
> > 
> > And did you verify if the computer time is in sync with AD.
> 
> Where can I check this? And why does it not happen on Samba 4.14.7?
> 
> In fact I can perfectly use the computer account when downgrading to 
> 4.14.7. I did the upgrade, test, downgrade cycle a couple of times 
> already. Samba 4.14.7 always working finde and Samba 4.15 
> claiming the password to be wrong (wrong, not expired).
> 
> If expiration is a problem the question is how the password can be 
> renewed without having to re-join the machine - before the upgrade of 
> course.
> 
> I don't want to lose 80% of my machines after Samba 4.15 upgrade 
> blocking my users to log in and then having to re-join all 
> the machines 
> which work perfectly fine on Samba 4.14.7.
> 
> best regards,
> Rainer
> 
>

samba - Sep 2021 - Problem after update version 4.15.0

[Samba] Problem after update version 4.15.0

[Samba] Problem after update version 4.15.0

[Samba] Problem after update version 4.15.0