Christian Naumer
2024-Jun-05 12:15 UTC
[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE
Hi there,

NEVER ever use sssd on a DC!!!!!! I did this once and sssd moved the DC from OU "Domain Controllers" to "Domain Computers". Even if this did not happen for you I still repeat "DO NOT DO THIS". Sorry for all the capital letters but this nearly broke my AD. I was lucky at the time that I had 3 more DCs.

You can enable login to the DC with domain accounts without sssd. See here:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Regards

Christian

On 05.06.24 at 14:02, Omnis ludis - games via samba wrote:
> Good afternoon, tell me, this error occurs on the domain controller samba v 4.19.0. I paired the domain controller with sssd so that authentication occurs under domain accounts on the domain controller, but as you know, sssd changes the machine password every 30 days if this option is not disabled:
> ad_maximum_machine_account_password_age = 0
> I haven't disabled it for 30 days and as I understand it, the password has changed, and when I call samba-tool drs showrepl the following error occurs:
>
> samba-tool drs showrepl -d 5
> INFO: Current debug levels:
> lpcfg_load: refreshing parameters from /opt/samba/etc/smb.conf
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'ncalrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:dc1.red-soft.biz[,seal]
> Mapped to DCERPC endpoint 135
> added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> resolve_lmhosts: Attempting lmhosts lookup for name dc1.test.dom<0x20>
> startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No such file or directory
> Mapped to DCERPC endpoint 49153
> added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> resolve_lmhosts: Attempting lmhosts lookup for name dc1.red-soft.biz<0x20>
> startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No such file or directory
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Received smb_krb5 packet of length 294
> Received smb_krb5 packet of length 203
> Failed to get kerberos credentials: kinit for DC1$@TEST.DOM failed (Preauthentication failed)
> Wrong username or password: kinit for DC1$@TEST.DOM failed (Preauthentication failed)
> gensec_update_done: gssapi_krb5[0x55d227285240]: NT_STATUS_LOGON_FAILURE
> gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/DC1.TEST.DOM failed (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
> Starting GENSEC submechanism ntlmssp
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_SEAL
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_TARGET_TYPE_DOMAIN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_TARGET_INFO
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_SEAL
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_SEAL
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.81.0.250[49153,seal,target_hostname=dc1.test.dom,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.81.0.250] NT_STATUS_LOGON_FAILURE
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1.test.dom failed - drsException: DRS connection to dc1.test.dom failed: (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
>   File "samba/netcmd/drs.py", line 55, in samba.netcmd.drs.drsuapi_connect
>   File "samba/drs_utils.py", line 78, in samba.drs_utils.drsuapi_connect
>
> Even if you can only tell me the direction in which to look for why this could happen, I will be grateful. Here is my samba config:
>
> # Global parameters
> [global]
>         netbios name = DC1
>         realm = TEST.DOM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = TEST
>         idmap_ldb:use rfc2307 = yes
>         map acl inherit = yes
>         allow dns updates = nonsecure
>         dsdb:schema update allowed = true
>         ldap server require strong auth = no
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = dedicated keytab
>
> [sysvol]
>         path = /opt/samba/var/locks/sysvol
>         read only = No
>
> [netlogon]
>         path = /opt/samba/var/locks/sysvol/red-soft.biz/scripts
>         read only = No
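A small triage helper for the debug output quoted above, added here as an example and not part of the thread or of Samba: it pulls the failure chain out of `samba-tool drs showrepl -d 5` output (Kerberos preauthentication failure for the machine principal, fallback to NTLMSSP, DCERPC fault, failed bind to the drsuapi interface) and names the likely cause. The sample log is a constructed, trimmed excerpt of the lines quoted in the thread; the interface-name table and the verdict labels are my own.

```python
import re

# Constructed sample: the lines from the quoted `samba-tool drs showrepl -d 5`
# output that carry the failure chain, trimmed but with the original wrapping.
SAMPLE_LOG = """\
Starting GENSEC submechanism gssapi_krb5
Failed to get kerberos credentials: kinit for DC1$@TEST.DOM failed
(Preauthentication failed)
gensec_update_done: gssapi_krb5[0x55d227285240]: NT_STATUS_LOGON_FAILURE
Starting GENSEC submechanism ntlmssp
dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:10.81.0.250[49153,seal,target_hostname=dc1.test.dom]
NT_STATUS_LOGON_FAILURE
"""

# DCERPC interface UUIDs worth naming in a verdict; drsuapi is the one in the thread.
IFACE_NAMES = {"e3514235-4b06-11d1-ab04-00c04fc2dcd2": "drsuapi (AD replication)"}

# The messages may be wrapped across lines, so match on the whole text, not per line.
KINIT_RE = re.compile(r"kinit for (?P<principal>\S+) failed\s*\((?P<reason>[^)]*)\)")
FAULT_RE = re.compile(r"rpc fault: (?P<fault>DCERPC_FAULT_\w+)")
BIND_RE = re.compile(
    r"Failed to bind to uuid (?P<uuid>[0-9a-f-]{36})[\s\S]*?(?P<status>NT_STATUS_\w+)")


def triage(log_text):
    """Extract the GENSEC/DCERPC failure chain from debug output and classify it."""
    finding = {"principal": None, "krb_reason": None, "ntlm_fallback": False,
               "rpc_fault": None, "interface": None, "status": None, "verdict": "unknown"}
    if m := KINIT_RE.search(log_text):
        finding["principal"], finding["krb_reason"] = m["principal"], m["reason"].strip()
    finding["ntlm_fallback"] = "Starting GENSEC submechanism ntlmssp" in log_text
    if m := FAULT_RE.search(log_text):
        finding["rpc_fault"] = m["fault"]
    if m := BIND_RE.search(log_text):
        finding["interface"] = IFACE_NAMES.get(m["uuid"], m["uuid"])
        finding["status"] = m["status"]
    # Preauthentication failing for a "$" (machine) principal means the key the DC
    # presented for its own account no longer matches the key the KDC holds: the
    # signature of a machine password changed behind Samba's back, as in the thread.
    user = (finding["principal"] or "").split("@")[0]
    if user.endswith("$") and finding["krb_reason"] == "Preauthentication failed":
        finding["verdict"] = "machine-account-credential-mismatch"
    elif finding["status"] == "NT_STATUS_LOGON_FAILURE":
        finding["verdict"] = "logon-failure-other-cause"
    return finding


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:14} {value}")
```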
Omnis ludis - games
2024-Jun-05 12:25 UTC
[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE
Yes, well, I understand that you can't use sssd, but I already have this problem and I'm asking for help. What can I do to make samba accept the computer password back so that everything works again? Any tip in this direction: maybe I need to fix some keytab or change the kvno somewhere? Any hint in this direction would give a chance that even such a problem can be fixed?

Wed, 5 Jun 2024 at 15:17, Christian Naumer via samba <samba at lists.samba.org> wrote:
> Hi there,
> NEVER ever use sssd on a DC!!!!!! I did this once and sssd moved the DC
> from OU "Domain Controllers" to "Domain Computers". Even if this did not
> happen for you I still repeat "DO NOT DO THIS" Sorry for all the capital
> letters but this nearly broke my AD. I was lucky at the time that I had
> 3 more DCs.
> You can enable login to the DC with domain accounts without sssd. See here:
>
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
>
> Regards
>
>
> Christian