Peter Rosenthal
2009-Mar-16 20:10 UTC
[Samba] smbclient with Kerberos works, smbclient with NTLM does not?
Hello,

I am investigating some strange authentication problems with our network. I am attempting to access a share on a DC with smbclient. If I authenticate with kerberos (kinit, then smbclient -k) then everything works fine. If, instead I use -U administrator -W DOMAIN, or just -U administrator, I get

session setup failed: NT_STATUS_LOGON_FAILURE

This is samba 3.3.2.

Here is the d5 output from smbclient:

INFO: Current debug levels:
  all: True/5
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
  registry: False/0
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = TESTDOMAIN
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = ads
doing parameter realm = TESTDOMAIN.COM
doing parameter encrypt passwords = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind use default domain = yes
doing parameter winbind separator = /
doing parameter winbind nested groups = yes
doing parameter winbind refresh tickets = true
doing parameter winbind nss info = rfc2307
doing parameter use kerberos keytab = yes
doing parameter idmap config TESTDOMAIN : backend = ad
doing parameter idmap config TESTDOMAIN : range = 10000-999999
doing parameter idmap config TESTDOMAIN : schema_mode = rfc2307
doing parameter winbind offline logon = yes
doing parameter template homedir = /home/%U
pm_process() returned Yes
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=X bcast=X:ffff:ffff:ffff:ffff netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=X bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.0.7 bcast=192.168.0.255 netmask=255.255.255.0
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="EL5"
Client started (version 3.3.2).
Opening cache file at /var/lib/samba/gencache.tdb
tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only.
sitename_fetch: Returning sitename for TESTDOMAIN.COM: "SITE1"
no entry for dc1#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name dc1<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
resolve_wins: Attempting wins lookup for name dc1<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name dc1<0x20>
namecache_store: storing 1 address for dc1#20: 192.168.0.4
Connecting to 192.168.0.4 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 1
socket option TCP_KEEPCNT = 9
socket option TCP_KEEPIDLE = 7200
socket option TCP_KEEPINTVL = 75
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 16384
socket option SO_RCVBUF = 87380
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
session request ok
size=175
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=32067
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 9 (0x9)
smb_vwv[ 1]=12807 (0x3207)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 17 (0x11)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]= 0 (0x0)
smb_vwv[ 8]= 0 (0x0)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]= 499 (0x1F3)
smb_vwv[11]=12416 (0x3080)
smb_vwv[12]=13890 (0x3642)
smb_vwv[13]=27340 (0x6ACC)
smb_vwv[14]=51622 (0xC9A6)
smb_vwv[15]=41985 (0xA401)
smb_vwv[16]= 1 (0x1)
smb_bcc=106
size=175
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=32067
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 9 (0x9)
smb_vwv[ 1]=12807 (0x3207)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 17 (0x11)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]= 0 (0x0)
smb_vwv[ 8]= 0 (0x0)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]= 499 (0x1F3)
smb_vwv[11]=12416 (0x3080)
smb_vwv[12]=13890 (0x3642)
smb_vwv[13]=27340 (0x6ACC)
smb_vwv[14]=51622 (0xC9A6)
smb_vwv[15]=41985 (0xA401)
smb_vwv[16]= 1 (0x1)
smb_bcc=106
Doing spnego session setup (blob length=106)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=dc1$@TESTDOMAIN.COM
size=410
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=32067
smb_uid=55296
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 410 (0x19A)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 227 (0xE3)
smb_bcc=367
size=410
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=32067
smb_uid=55296
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 410 (0x19A)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 227 (0xE3)
smb_bcc=367
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP challenge set by NTLM2
challenge is:
[000] DB DB CB 5D EC FE A9 86 ...]....
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=32067
smb_uid=55296
smb_mid=3
smt_wct=0
smb_bcc=0
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=32067
smb_uid=55296
smb_mid=3
smt_wct=0
smb_bcc=0
SPNEGO login failed: Logon failure
Peter Rosenthal
2009-Mar-20 18:44 UTC
[Samba] Re: smbclient with Kerberos works, smbclient with NTLM does not?
If someone could at least give me an idea of how to go about debugging this problem (relevant log files/debug levels/errors on windows itself) I would be very grateful.
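
Added example (not part of the original posts, and not Samba code): one way to read the -d5 dump above is to rebuild the NT status of each SMB reply from smb_rcls/smb_reh/smb_err and to compare the challenge and final NTLMSSP flag words. The sample input is constructed from values in the post, the flag bit values are taken from MS-NLMP, and the function names are hypothetical.

```python
import re

# Constructed sample: header fields and flag words copied from the -d5 dump in the post
# (each reply is printed twice there, so one duplicate is kept here on purpose).
SAMPLE_LOG = """\
size=175 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201
size=175 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201
size=410 smb_com=0x73 smb_rcls=22 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51205
Got challenge flags: Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x60088215
size=35 smb_com=0x73 smb_rcls=109 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51205
"""

FLAGS2_NT_STATUS = 0x4000  # flags2 bit: the error field holds a 32-bit NT status
COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX"}
NT_STATUS = {0x00000000: "NT_STATUS_OK",
             0xC0000016: "NT_STATUS_MORE_PROCESSING_REQUIRED",
             0xC000006D: "NT_STATUS_LOGON_FAILURE"}
# Bit values per MS-NLMP; names follow the log where the log prints them.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE", 0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN", 0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM", 0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN", 0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_CHAL_TARGET_INFO", 0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128", 0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
# \s+ matches spaces and newlines, so one-field-per-line dumps parse too.
HDR = re.compile(r"smb_com=0x([0-9a-fA-F]+)\s+smb_rcls=(\d+)\s+smb_reh=(\d+)"
                 r"\s+smb_err=(\d+)\s+smb_flg=\d+\s+smb_flg2=(\d+)")

def decode_replies(log):
    """Return (command, NT status) per reply, collapsing consecutive repeats."""
    out = []
    for com, rcls, reh, err, flg2 in HDR.findall(log):
        if not int(flg2) & FLAGS2_NT_STATUS:
            continue  # DOS error class/code form, not handled in this example
        # The status is little-endian across rcls (1 byte), reh (1 byte), err (2 bytes).
        status = int(rcls) | int(reh) << 8 | int(err) << 16
        item = (COMMANDS.get(int(com, 16), "0x" + com), NT_STATUS.get(status, hex(status)))
        if not out or out[-1] != item:
            out.append(item)
    return out

def flag_names(value):
    return [name for bit, name in NTLMSSP_FLAGS.items() if value & bit]

def dropped_flags(log):
    """Flags present in the server challenge but absent from the final flag word."""
    offered, final = (int(v, 16) for v in re.findall(r"neg_flags=0x([0-9a-fA-F]+)", log)[:2])
    return flag_names(offered & ~final)
```

On the values from the post, the negotiate reply decodes to NT_STATUS_OK, the first session setup reply to NT_STATUS_MORE_PROCESSING_REQUIRED and the second to NT_STATUS_LOGON_FAILURE, so the rejection arrives after the final NTLMSSP message rather than during protocol negotiation.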