Paulo Cesar
2023-Sep-11 17:10 UTC
[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10
Hello everybody.
After installing a new AD domain controller with version
4.17.10+dfsg-0+deb12u1~bpo11+1, present in the Debian 11.7 backports repository,
I am unable to join workstations running Windows XP SP3 to the domain. The Samba
AD server was initially configured with the options
"domain-sid=S-1-5-21-9500468976-950304483-95027178",
"dns-backend=SAMBA_INTERNAL", "use-rfc2307" and
"next-rid=5000000".
In previous tests, joining the domain with version 4.13.13 was working. I also
tested version 4.17.9 (debian main repository) and 4.17.10 (debian-security
repository) present in Debian 12 and the failure also occurs in both versions.
The tests were carried out with "fresh installations" of the Samba
server and with the SMBv1 protocol, as well as NTLMv1, active in the ADDC server
configuration (smb.conf). I also tried enabling NTLMv2 on the Windows XP client
but this had no effect.
The Windows XP SP3 installation is also "fresh", the local system
firewall has been disabled and there is no firewall protecting the AD domain
controller (neither local nor through a service on the network). When trying to
join the domain with the user "administrator" an "internal
error" message is presented to the user along with the error
"0x54f" (Unable to bind to DS) recorded in the file
"C:\Windows\Debug\NetSetup.log" (full logs are available in this
message).
I have successfully run the join tests with Windows 2003 Server (64-bit) and
Windows 7 SP2.
Other actions I tried to take to try to solve the problem:
- Remove the client machine account running Windows XP from the directory
service and purge this data (expunge by samba-tool), with no effect;
- Install KB969084 on Windows XP due to some research on the internet
regarding similar problems, with no effect;
- Change local security policies, especially those related to communication channel
signing (in network security options), with no effect;
- Change options related to authentication present on the server (smb.conf), but
none of the changed settings, alone or together, had any effect.
The server's "smb.conf" file:
[global]
    dns forwarder = 10.1.1.9
    interfaces = lo ens18
    netbios name = SERVERT
    realm = TESTE.SMB4.REDE
    server role = active directory domain controller
    workgroup = TESTE
    idmap_ldb:use rfc2307 = yes
    server services = -nbt
    idmap_ldb:use rfc2307 = yes
    lm interval = 0
    max log size = 0
    log level = 3 auth:3 auth_audit:5 auth_audit_json:5 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
    debug class = yes
    ### Legacy auth ###
    lm announce = no
    lanman auth = yes
    #ntlm auth = yes
    ntlm auth = ntlmv1-permitted
    client lanman auth = yes
    client ntlmv2 auth = yes
    client min protocol = NT1
    server min protocol = NT1
    #allow nt4 crypto = yes
    #kerberos encryption types = legacy
    #client ipc min protocol = NT1
    #kdc force enable rc4 weak session keys = yes
    server reject md5 schannel:TESTEXPPC$ = no
    allow nt4 crypto:TESTEXPPC$ = yes
    #client signing = auto
    #server signing = auto
    #server schannel require seal:TESTEXPPC$ = no

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/teste.smb4.rede/scripts
    read only = No

[comp]
    path = /tmp/comp
    read only = no
    public = yes

The server's "/etc/resolv.conf" file:
domain teste.smb4.rede
search teste.smb4.rede
nameserver 10.1.1.7
nameserver 10.1.1.146
The server's "/etc/hosts" file:
127.0.0.1       localhost
10.1.1.7        servert.teste.smb4.rede    servert
# The following lines are desirable for IPv6 capable hosts
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
The logs present in the Windows XP SP3 "NetSetup.log" file:
09/11 11:39:06 NetpDoDomainJoin
09/11 11:39:06 NetpMachineValidToJoin: 'TESTEXPPC'
09/11 11:39:06 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:06 NetpMachineValidToJoin: status: 0x0
09/11 11:39:06 NetpJoinDomain
09/11 11:39:06     Machine: TESTEXPPC
09/11 11:39:06     Domain: teste.smb4.rede
09/11 11:39:06     MachineAccountOU: (NULL)
09/11 11:39:06     Account: teste.smb4.rede\administrator
09/11 11:39:06     Options: 0x27
09/11 11:39:06     OS Version: 5.1
09/11 11:39:06     Build number: 2600
09/11 11:39:06     ServicePack: Service Pack 3
09/11 11:39:06 NetpValidateName: checking to see if 'teste.smb4.rede' is
valid as type 3 name
09/11 11:39:06 NetpValidateName: 'teste.smb4.rede' is not a valid
NetBIOS domain name: 0x7b
09/11 11:39:06 NetpCheckDomainNameIsValid [ Exists ] for
'teste.smb4.rede' returned 0x0
09/11 11:39:06 NetpValidateName: name 'teste.smb4.rede' is valid for
type 3
09/11 11:39:06 NetpDsGetDcName: trying to find DC in domain
'teste.smb4.rede', flags: 0x1020
09/11 11:39:06 NetpDsGetDcName: found DC '\\servert.teste.smb4.rede' in
the specified domain
09/11 11:39:06 NetpJoinDomain: status of connecting to dc
'\\servert.teste.smb4.rede': 0x0
09/11 11:39:06 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:06 NetpGetDnsHostName: Read NV Hostname: testexppc
09/11 11:39:06 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain
name: teste.smb4.rede
09/11 11:39:06 NetpLsaOpenSecret: status: 0xc0000034
09/11 11:39:06 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:06 NetpLsaOpenSecret: status: 0xc0000034
09/11 11:39:07 NetpManageMachineAccountWithSid: NetUserAdd on
'\\servert.teste.smb4.rede' for 'TESTEXPPC$' failed: 0x8b0
09/11 11:39:07 NetpManageMachineAccountWithSid: status of attempting to set
password on '\\servert.teste.smb4.rede' for 'TESTEXPPC$': 0x0
09/11 11:39:07 NetpJoinDomain: status of creating account: 0x0
09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on
'\\servert.teste.smb4.rede': 0x54f
09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
09/11 11:39:07 ldap_unbind status: 0x0
09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN: 0x54f
09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors
09/11 11:39:07 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:07 NetpManageMachineAccountWithSid: status of disabling account
'TESTEXPPC$' on '\\servert.teste.smb4.rede': 0x0
09/11 11:39:07 NetpJoinDomain: rollback: status of deleting computer account:
0x0
09/11 11:39:07 NetpLsaOpenSecret: status: 0x0
09/11 11:39:07 NetpJoinDomain: rollback: status of deleting secret: 0x0
09/11 11:39:07 NetpJoinDomain: status of disconnecting from
'\\servert.teste.smb4.rede': 0x0
09/11 11:39:07 NetpDoDomainJoin: status: 0x54f
Samba server logs during join attempt:
[2023/09/11 12:11:25.304407,  5, class=auth_audit]
../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT AUTHORITY]\[ANONYMOUS LOGON]
[S-1-5-7] at [Mon, 11 Sep 2023 12:11:25.304394 -03] Remote host
[ipv4:10.2.2.122:55378] local host [ipv4:10.1.1.7:135]
[2023/09/11 12:11:25.325044,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2023/09/11 12:11:25.325078,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for TGS-REQ
[2023/09/11 12:11:25.325703,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0]
tixaddrs=TYPE_20:54455354455850504320202020202020
[2023/09/11 12:11:25.325728,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2023/09/11 12:11:25.325742,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ Administrator at TESTE.SMB4.REDE from ipv4:10.2.2.122:58742
for krbtgt/TESTE.SMB4.REDE at TESTE.SMB4.REDE [renewable-ok, canonicalize,
renewable, forwarded, forwardable]
[2023/09/11 12:11:25.329450,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair auth=1694445085
[2023/09/11 12:11:25.329470,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair start=1694445085
[2023/09/11 12:11:25.329476,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair end=1694481085
[2023/09/11 12:11:25.329481,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair renew=1695049885
[2023/09/11 12:11:25.329492,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2023-09-11T12:11:25 starttime: 2023-09-11T12:11:25
endtime: 2023-09-11T22:11:25 renew till: 2023-09-18T12:11:25
[2023/09/11 12:11:25.329501,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] canon_client_name=Administrator at
TESTE.SMB4.REDE
[2023/09/11 12:11:25.329506,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair pac_attributes=1
[2023/09/11 12:11:25.329631,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] etypes=18,-133,-128,3,1,24,-135
[2023/09/11 12:11:25.329642,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, -133, -128, 3,
1, 24, -135, using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
[2023/09/11 12:11:25.329652,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] etype=23/18
[2023/09/11 12:11:25.329659,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwarded,
forwardable
[2023/09/11 12:11:25.329665,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0]
flags=renewable-ok,canonicalize,renewable,forwarded,forwardable
[2023/09/11 12:11:25.329798,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.004772
[2023/09/11 12:11:25.329818,  3, class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ SUCCESS ipv4:10.2.2.122:58742 Administrator at
TESTE.SMB4.REDE krbtgt/TESTE.SMB4.REDE at TESTE.SMB4.REDE etype=23/18
pac_attributes=1 canon_client_name=Administrator at TESTE.SMB4.REDE
end=1694481085 auth=1694445085 etypes=18,-133,-128,3,1,24,-135 renew=1695049885
elapsed=0.004772 flags=renewable-ok,canonicalize,renewable,forwarded,forwardable
start=1694445085 tixaddrs=TYPE_20:54455354455850504320202020202020
[2023/09/11 12:11:25.334025,  3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2023/09/11 12:11:25.337696,  3, class=ldb]
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2023/09/11 12:11:25.343249,  3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection -
'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2023/09/11 12:11:25.343438,  3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'
[2023/09/11 12:11:25.348151,  3, class=ldb]
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of privilege.ldb
[2023/09/11 12:11:25.367180,  4, class=auth_audit]
../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,ncacn_np] user [TESTE]\[Administrator]
[S-1-5-21-9500468976-950304483-95027178-500] at [Mon, 11 Sep 2023
12:11:25.367169 -03] Remote host [ipv4:10.2.2.122:60708] local host
[ipv4:10.1.1.7:445]
  {"timestamp": "2023-09-11T12:11:25.433246-0300",
"type": "dsdbChange", "dsdbChange":
{"version": {"major": 1, "minor": 0},
"statusCode": 0, "status": "Success",
"operation": "Modify", "remoteAddress":
"ipv4:10.2.2.122:60708", "performedAsSystem": false,
"userSid": "S-1-5-21-9500468976-950304483-95027178-500",
"dn": "CN=TESTEXPPC,CN=Computers,DC=teste,DC=smb4,DC=rede",
"transactionId": "bb37fa00-00b2-46cc-b5f8-0c2f5c47659b",
"sessionId": "4bf09255-fd12-4d2c-81df-10f7372a1b8f",
"attributes": {"userAccountControl": {"actions":
[{"action": "replace", "values":
[{"value": "4098"}]}]}}}}
[2023/09/11 12:11:25.433326,  3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1717(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_registrations=0
[2023/09/11 12:11:25.433334,  3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1719(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_registered=0
[2023/09/11 12:11:25.433338,  3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1829(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_toplevel=0
[2023/09/11 12:11:25.433342,  3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1850(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_processed=0
[2023/09/11 12:11:25.433346,  3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1851(descriptor_prepare_commit)
  descriptor_prepare_commit: objects: num_processed=0
[2023/09/11 12:11:25.433349,  3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1852(descriptor_prepare_commit)
  descriptor_prepare_commit: objects: num_skipped=0
[2023/09/11 12:11:25.449399,  3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'
[2023/09/11 12:11:25.473967,  3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'
Only for additional info: I also configured a domain controller in NT4 mode
using Samba version 4.17.10 and apparently everything still works (join and user
authentication) as expected for Windows XP and other versions that I tested.
I searched for a few days before making this post to try to find something on
the list that could help me but unfortunately I didn't find anything. I also
checked that this problem was not related to bug 9959
(https://bugzilla.samba.org/show_bug.cgi?id=9959), because I saw that the Samba
4.17 code was recently updated to 4.17.11 because of this bug, but there is
only a single object with "CN=System" in the directory service; I
believe there is no relationship between the reported problems.
I also know about the fact that Windows XP is an obsolete system and should no
longer be in use but unfortunately it is still used in some specific situations
for some of the organizations that I provide services to.
I am not a native English speaker; I apologize if I made any mistakes regarding
the language when constructing this text.
My greetings to everyone.
Andrew Bartlett
2023-Sep-11 19:55 UTC
[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10
On Mon, 2023-09-11 at 17:10 +0000, Paulo Cesar via samba wrote:
> I also know about the fact that Windows XP is an obsolete system and
> should no longer be in use but unfortunately it is still used in some
> specific situations for some of the organizations that I provide
> services.

If I was in this situation, and Windows XP failed but Windows 2003 still
worked, I would try to use Windows 2003 for whatever the need is. Hopefully
they are compatible enough for whatever special use case you have. But in
general, they are much the same codebase, but I wonder if possibly the server
got a few more late patches.

In mentioning WinXP, I notice they are still issuing some security patches,
like this one:
https://www.microsoft.com/en-us/download/details.aspx?id=55245
(Also for 2003)
https://www.microsoft.com/en-us/download/details.aspx?id=55248

As to debugging, clearly the join fails at:

09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on '\\servert.teste.smb4.rede': 0x54f
09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
09/11 11:39:07 ldap_unbind status: 0x0
09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN: 0x54f
09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors

I would ensure the clocks are already in sync with NTP, then get a network
trace taken from the server and turn up the Samba logs to 'log level = 10',
with 'debug highres timestamp = yes' and look for the matching packet (a bind
presumably) and anything samba indicates about the failure.

But this may be a case for a Samba commercial support provider, it looks
pretty tricky.

Andrew,

-- 
Andrew Bartlett (he/him)            https://samba.org/~abartlet/
Samba Team Member (since 2001)      https://samba.org
Samba Team Lead                     https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
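A small triage helper for the NetSetup.log both messages work from: it re-joins lines a mail client wrapped, pulls the status code off each join step, and reports the step where the join's final error code first appeared (later occurrences are the rollback). For the log above this lands on NetpGetComputerObjectDn, the same line Andrew points at. This is an added example, not code from either poster or from Samba; the code-name table and the shortened log excerpt are constructed for it.

```python
import re
from typing import List, Optional, Tuple

# Names for the codes seen in the log above; this table is ours (public Win32 /
# NTSTATUS lists), not something either poster supplied.
KNOWN_CODES = {
    0x7B: "ERROR_INVALID_NAME",
    0x54F: "ERROR_INTERNAL_ERROR",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

TS_RE = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d ")
# timestamp, exactly one space, function name, colon, ..., trailing hex status
STEP_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) (\w+):.*?(0x[0-9A-Fa-f]+)$")

def unwrap(log: str) -> List[str]:
    """Re-join mail-wrapped lines: a line without a timestamp continues the previous one."""
    lines: List[str] = []
    for line in filter(None, map(str.rstrip, log.splitlines())):
        if TS_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line.lstrip()
    return lines

def parse_statuses(log: str) -> List[Tuple[str, str, int]]:
    """(timestamp, function, status) for each step line that ends in a status code."""
    out: List[Tuple[str, str, int]] = []
    for line in unwrap(log):
        m = STEP_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return out

def root_cause(log: str) -> Optional[Tuple[str, str, int, str]]:
    """First step that reported the join's final status (later hits are the rollback)."""
    steps = parse_statuses(log)
    finals = [s for s in steps if s[1] == "NetpDoDomainJoin"]
    if not finals or finals[-1][2] == 0:
        return None  # no final status line, or the join succeeded
    ts, func, code = next(s for s in steps if s[2] == finals[-1][2])
    return ts, func, code, KNOWN_CODES.get(code, "unknown code")

# Constructed excerpt of the NetSetup.log quoted in the thread, left mail-wrapped on purpose.
SAMPLE_LOG = """\
09/11 11:39:06 \tOptions: 0x27
09/11 11:39:06 NetpValidateName: 'teste.smb4.rede' is not a valid
NetBIOS domain name: 0x7b
09/11 11:39:06 NetpLsaOpenSecret: status: 0xc0000034
09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on
'\\\\servert.teste.smb4.rede': 0x54f
09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
09/11 11:39:07 NetpJoinDomain: rollback: status of deleting secret: 0x0
09/11 11:39:07 NetpDoDomainJoin: status: 0x54f
"""
```

The tab-indented "Options: 0x27" line is deliberately skipped: it is a parameter dump, not a step status, and the one-space rule in STEP_RE keeps it out.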