Omnis ludis - games
2024-Jun-05  12:02 UTC
[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE
Good afternoon, tell me, this error occurs on the domain controller samba v
4.19.0, I paired the domain controller with sssd so that authentication
occurs under domain accounts on the domain controller, but as you know,
sssd changes the machine password every 30 days if this option is not
disabled
ad_maximum_machine_account_password_age = 0
I haven't disabled it for 30 days and as I understand it, the password has
changed and when I call samba-tool drs showrepl the following error occurs
samba-tool drs showrepl -d 5
INFO: Current debug levels:
lpcfg_load: refreshing parameters from /opt/samba/etc/smb.conf
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc1.red-soft.biz[,seal]
Mapped to DCERPC endpoint 135
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.test.dom<0x20>
startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No
such file or directory
Mapped to DCERPC endpoint 49153
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.red-soft.biz<0x20>
startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No
such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 294
Received smb_krb5 packet of length 203
Failed to get kerberos credentials: kinit for DC1$@TEST.DOM failed
(Preauthentication failed)
Wrong username or password: kinit for DC1$@TEST.DOM failed
(Preauthentication failed)
gensec_update_done: gssapi_krb5[0x55d227285240]: NT_STATUS_LOGON_FAILURE
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating
NEG_TOKEN_INIT for ldap/DC1.TEST.DOM failed (next[ntlmssp]):
NT_STATUS_LOGON_FAILURE
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:10.81.0.250[49153,seal,target_hostname=dc1.test.dom,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.81.0.250]
NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
dc1.test.dom failed - drsException: DRS connection to dc1.test.dom failed:
(3221225581, 'The attempted logon is invalid. This is either due to a bad
username or authentication information.')
  File "samba/netcmd/drs.py", line 55, in samba.netcmd.drs.drsuapi_connect
  File "samba/drs_utils.py", line 78, in samba.drs_utils.drsuapi_connect
even if you can tell me the direction why this could happen, I will be
grateful, here is my samba config
# Global parameters
[global]
        netbios name = DC1
        realm = TEST.DOM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEST
        idmap_ldb:use rfc2307 = yes
        map acl inherit = yes
        allow dns updates = nonsecure
        dsdb:schema update allowed = true
        ldap server require strong auth = no
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = dedicated keytab
[sysvol]
        path = /opt/samba/var/locks/sysvol
        read only = No
[netlogon]
        path = /opt/samba/var/locks/sysvol/red-soft.biz/scripts
        read only = No
Christian Naumer
2024-Jun-05  12:15 UTC
[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE
Hi there,

NEVER ever use sssd on a DC!!!!!! I did this once and sssd moved the DC from OU "Domain Controllers" to "Domain Computers". Even if this did not happen for you I still repeat "DO NOT DO THIS". Sorry for all the capital letters, but this nearly broke my AD. I was lucky at the time that I had 3 more DCs.

You can enable login to the DC with domain accounts without sssd. See here:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Regards
Christian

On 05.06.24 at 14:02, Omnis ludis - games via samba wrote:
> Good afternoon, tell me, this error occurs on the domain controller samba v
> 4.19.0, I paired the domain controller with sssd so that authentication
> occurs under domain accounts on the domain controller, but as you know,
> sssd changes the machine password every 30 days if this option is not
> disabled
> ad_maximum_machine_account_password_age = 0
> I haven't disabled it for 30 days and as I understand it, the password has
> changed and when I call samba-tool drs showrepl the following error occurs
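Added example, not from the thread or from the Samba wiki: a Python audit of /etc/nsswitch.conf that tells a DC resolving passwd/group through sssd's `sss` NSS module apart from one using winbind, which is the layout the linked wiki page describes. The parser and the three sample files (sssd-based, winbind-based, local-only) are my own constructions; the "ok_for_dc" verdict encodes the reply's advice, nothing more.

```python
"""Audit nsswitch.conf on a Samba AD DC: winbind or sssd for passwd/group?

Added example, not from the thread or the Samba wiki. Parses an nsswitch.conf
and reports which NSS source answers passwd and group lookups.
"""
import sys

# Constructed samples. The first is what a DC set up like the poster's would
# carry; the second is the winbind layout from the wiki page linked above.
NSSWITCH_SSSD = """\
passwd:     files sss
group:      files sss
shadow:     files
hosts:      files dns
"""

NSSWITCH_WINBIND = """\
passwd:     files winbind
group:      files winbind
shadow:     files
hosts:      files dns
"""

NSSWITCH_LOCAL_ONLY = """\
passwd:     files
group:      files
"""


def parse_nsswitch(text: str) -> dict:
    """Return {database: [sources...]}, ignoring comments, blanks and actions."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        # Action tokens such as [NOTFOUND=return] are not sources; drop them.
        databases[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return databases


def audit_nsswitch(text: str) -> dict:
    """Classify passwd/group resolution as 'winbind', 'sss' or 'local-only'.

    'sss' wins over 'winbind' when both are listed, because the presence of
    sssd is the thing the reply warns about on a DC.
    """
    dbs = parse_nsswitch(text)
    findings = {}
    for db in ("passwd", "group"):
        sources = dbs.get(db, [])
        if "sss" in sources:
            findings[db] = "sss"
        elif "winbind" in sources:
            findings[db] = "winbind"
        else:
            findings[db] = "local-only"
    findings["ok_for_dc"] = all(findings[db] == "winbind" for db in ("passwd", "group"))
    return findings


if __name__ == "__main__":
    # Usage: python3 nss_audit.py [/path/to/nsswitch.conf]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/nsswitch.conf"
    try:
        with open(path) as fh:
            print(audit_nsswitch(fh.read()))
    except OSError as exc:
        print(f"cannot read {path}: {exc}")
```

An `ok_for_dc` of False with `sss` in either database is the configuration to undo before chasing replication errors; a DC whose machine account is managed by two agents will keep landing in the LOGON_FAILURE state shown above.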