Tim Wright
2011-Jul-27 16:26 UTC
[Samba] Domain trust between Samba 3.5.9 and Windows 2008 Active Directory crashes lsass.exe which makes AD Domain Controller reboot
Hi

Trying to set up a one way trust between a 2008 Active Directory domain and a Samba 3.5.9 server which is configured as a PDC. There is already an existing trust between AD and an NT4 domain, so AD has been configured to support NTLM authentication (see below for full details).

With no domain trust, using smbclient either anonymously or with a valid user on the DC (e.g. Administrator) works ok. When a domain trust is created as follows:

On samba server:

    net rpc trustdom add AD <password>

  pdbedit -Lw ad\$ shows that the trust account is set up correctly (i.e. an I appearing in the square brackets).

    net rpc trustdom list

  shows the domain trust is ok.

On AD DC:

  Add new trust for the Samba domain in the normal way using the trust password above. This validates ok.

Now smbclient -U% is still ok, but smbclient -UAdministrator causes the DC to crash. When it comes back up, the following appears in the Application Eventlog:

    Log Name:      Application
    Source:        Application Error
    Date:          27/07/2011 16:25:07
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      LIVEDC.ad.gordian.co.uk
    Description:
    Faulting application lsass.exe, version 6.0.6002.18005, time stamp 0x49e01c84, faulting module ntdll.dll, version 6.0.6002.18005, time stamp 0x49e02d47, exception code 0x80000003, fault offset 0x000348d8, process id 0x244, application start time 0x01cc41619f198970.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-07-27T15:25:07.000Z" />
        <EventRecordID>17693</EventRecordID>
        <Channel>Application</Channel>
        <Computer>LIVEDC.ad.gordian.co.uk</Computer>
        <Security />
      </System>
      <EventData>
        <Data>lsass.exe</Data>
        <Data>6.0.6002.18005</Data>
        <Data>49e01c84</Data>
        <Data>ntdll.dll</Data>
        <Data>6.0.6002.18005</Data>
        <Data>49e02d47</Data>
        <Data>80000003</Data>
        <Data>000348d8</Data>
        <Data>244</Data>
        <Data>01cc41619f198970</Data>
      </EventData>
    </Event>

followed by

    Log Name:      Application
    Source:        Microsoft-Windows-Wininit
    Date:          27/07/2011 16:25:20
    Event ID:      1015
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      LIVEDC.ad.gordian.co.uk
    Description:
    A critical system process, C:\Windows\system32\lsass.exe, failed with status code 255. The machine must now be restarted.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
        <EventID Qualifiers="49152">1015</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-07-27T15:25:20.000Z" />
        <EventRecordID>17694</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>LIVEDC.ad.gordian.co.uk</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Windows\system32\lsass.exe</Data>
        <Data>255</Data>
      </EventData>
    </Event>

Here's the smb.conf with comments stripped:

    [global]
        workgroup = CTGDOMAIN
        server string = Samba 3.5.9 Server PDC
        security = user
        hosts allow = 192.168.56. 192.168.153. 127.
        load printers = no
        log file = /opt/samba/var/log.%m
        max log size = 50
        interfaces = e1000g0 lo*
        bind interfaces only = yes
        local master = yes
        domain master = yes
        preferred master = yes
        domain logons = yes
        logon path = \\%L\Profiles\%U
        wins support = yes
        name resolve order = lmhosts wins hosts broadcast
        dns proxy = no
        add user script = /usr/sbin/useradd %u
        add group script = /usr/sbin/groupadd %g
        add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u
        delete user script = /usr/sbin/userdel %u
        delete user from group script = /usr/sbin/userdel %u %g
        delete group script = /usr/sbin/groupdel %g

    [homes]
        comment = Home Directories
        browseable = no
        writable = yes

    [netlogon]
        comment = Network Logon Service
        path = /opt/samba/lib/netlogon
        guest ok = yes
        writable = no
        share modes = no

    [Profiles]
        path = /opt/samba/profiles
        browseable = no
        guest ok = yes

Has anyone else seen this issue or have any ideas about the best way to debug?

thanks
tim

P.S. AD policy configuration:

  Network access: Allow anonymous SID/Name translation                                  ENABLED
  Network access: Do not allow anonymous enumeration of SAM accounts                    DISABLED
  Network access: Do not allow anonymous enumeration of SAM accounts and shares         DISABLED
  Network access: Let Everyone permissions apply to anonymous users                     ENABLED
  Network access: Named pipes can be accessed anonymously                               ENABLED
  Network access: Restrict anonymous access to Named Pipes and shares                   DISABLED
  Network security: LAN Manager authentication level                                    "Send NTLM response only"
  Microsoft network client: Digitally sign communications (always)                      DISABLED
  Microsoft network client: Digitally sign communications (if server agrees)            ENABLED
  Microsoft network server: Digitally sign communications (always)                      DISABLED
  Microsoft network server: Digitally sign communications (if client agrees)            ENABLED
  Domain member: Digitally encrypt or sign secure channel data (always)                 DISABLED
  Domain member: Digitally encrypt secure channel data (when it is possible)            ENABLED
  Domain member: Digitally sign secure channel data (when it is possible)               ENABLED
  Domain member: Require strong (Windows 2000 or later) session key                     DISABLED

Also have enabled the "Allow cryptography algorithms compatible with Windows NT 4.0" policy.

************************************************************
For further information on Gordian Knot Limited ("Gordian") and/or Theta Corporation ("Theta") please visit our website at http://www.gordian.co.uk or call +44 20 7290 9901. The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient of this e-mail you may not copy, forward, disclose or otherwise use any part of it or any attachment in any way or in any form whatsoever. If you have received this message in error, please notify the sender immediately by telephone or return e-mail and delete it and any attachment(s) from your system. Gordian is a company registered in England with company number 2853833 at the following address Lansdowne House, Berkeley Square, London, W1J 6AB, England. In accordance with the FSA's Rules Theta is Gordian's client. Gordian does not have a client relationship with any other person and does not owe regulatory duties to any other person under the Conduct of Business Rules or other parts of the FSA's Rules. Gordian is not responsible to you for providing the same protections as those afforded to Theta, or for providing advice in relation to investing in Theta.
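The post checks the trust account by eyeballing the flags field of "pdbedit -Lw ad\$" for an I. The script below is an added example (not part of the post and not Samba's own code) that parses smbpasswd-format output the way pdbedit -Lw prints it and applies that check programmatically, also catching a disabled account or a missing trust password. The sample output, the account names and the hash strings are constructed for the example.

```python
import re

# Account-control letters printed inside the [ ... ] field of smbpasswd-format
# output. U = user, W = workstation trust, S = server trust, I = interdomain
# trust, D = disabled, N = no password required, H = home dir required,
# X = password never expires, L = locked out.
FLAG_MEANINGS = {
    "U": "user", "W": "workstation trust", "S": "server trust",
    "I": "interdomain trust", "D": "disabled", "N": "no password",
    "H": "home dir required", "X": "password never expires", "L": "locked out",
}

# name:uid:LMHASH:NTHASH:[flags]:LCT-hex:  (one entry per line)
LINE_RE = re.compile(
    r"^(?P<name>[^:]+):(?P<uid>\d+):(?P<lm>[^:]{32}):(?P<nt>[^:]{32}):"
    r"\[(?P<flags>[^\]]*)\]:LCT-(?P<lct>[0-9A-Fa-f]{8}):"
)

# Constructed sample of "pdbedit -Lw" output: a trust account for the AD
# domain, an ordinary user and a workstation account. Hashes are made up.
SAMPLE_PDBEDIT = """\
ad$:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[I          ]:LCT-4E302F5B:
tim:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4E302F5B:
ws01$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00112233445566778899AABBCCDDEEFF:[W          ]:LCT-4E302F5B:
"""


def parse_smbpasswd_line(line):
    """Parse one smbpasswd-format line; return a dict or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["uid"] = int(entry["uid"])
    entry["flags"] = set(entry["flags"].replace(" ", ""))
    entry["lct"] = int(entry["lct"], 16)  # last change time, seconds since the epoch
    return entry


def check_trust_account(smbpasswd_output, trusted_domain):
    """Return (ok, reasons) for the interdomain trust account <DOMAIN>$ of trusted_domain."""
    wanted = trusted_domain.lower() + "$"
    reasons = []
    for line in smbpasswd_output.splitlines():
        entry = parse_smbpasswd_line(line)
        if entry is None or entry["name"].lower() != wanted:
            continue
        if "I" not in entry["flags"]:
            reasons.append("account %s lacks the I (interdomain trust) flag; flags are %s"
                           % (entry["name"], sorted(entry["flags"])))
        if "D" in entry["flags"]:
            reasons.append("account %s is disabled" % entry["name"])
        # pdbedit prints a marker instead of a hash when no password is stored
        if entry["nt"].startswith("NO PASSWORD") or set(entry["nt"]) == {"X"}:
            reasons.append("account %s has no NT hash (trust password not set)" % entry["name"])
        return (not reasons, reasons)
    return (False, ["no account named %s in the passdb" % wanted])


if __name__ == "__main__":
    for domain in ("AD", "WS01", "NOSUCH"):
        ok, reasons = check_trust_account(SAMPLE_PDBEDIT, domain)
        print(domain, "OK" if ok else "FAIL", "; ".join(reasons))
```

On a real PDC the input would come from "pdbedit -Lw" run as root; the WS01 case shows the difference between a workstation trust (W) and an interdomain trust (I), which is exactly what the I-in-brackets check in the post distinguishes.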
Tim Wright
2011-Aug-05 10:47 UTC
[Samba] Domain trust between Samba 3.5.9 and Windows 2008 Active Directory crashes lsass.exe which makes AD Domain Controller reboot
Have some more information on this - looking at a packet capture of traffic between the AD DC and the Samba PDC, the last packet it sends is a "Session Setup AndX Request, NTLMSSP_AUTH" message, but the NTLMSSP bit of the packet has User and Domain set to NULL.

Turned up the debug level on the samba side and see the following in the logs (sorry, have included the preamble to the final message in case it's of any use in diagnosing the problem):

    [2011/08/05 11:06:04.401900, 5] auth/auth.c:481(make_auth_context_subsystem)
      Making default auth method list for DC, security=user, encrypt passwords = yes
    [2011/08/05 11:06:04.402126, 5] auth/auth.c:46(smb_register_auth)
      Attempting to register auth backend sam
    [2011/08/05 11:06:04.402268, 5] auth/auth.c:58(smb_register_auth)
      Successfully added auth method 'sam'
    [2011/08/05 11:06:04.402379, 5] auth/auth.c:46(smb_register_auth)
      Attempting to register auth backend sam_ignoredomain
    [2011/08/05 11:06:04.402487, 5] auth/auth.c:58(smb_register_auth)
      Successfully added auth method 'sam_ignoredomain'
    [2011/08/05 11:06:04.402603, 5] auth/auth.c:46(smb_register_auth)
      Attempting to register auth backend unix
    [2011/08/05 11:06:04.402711, 5] auth/auth.c:58(smb_register_auth)
      Successfully added auth method 'unix'
    [2011/08/05 11:06:04.402816, 5] auth/auth.c:46(smb_register_auth)
      Attempting to register auth backend winbind
    [2011/08/05 11:06:04.402929, 5] auth/auth.c:58(smb_register_auth)
      Successfully added auth method 'winbind'
    [2011/08/05 11:06:04.403042, 5] auth/auth.c:46(smb_register_auth)
      Attempting to register auth backend wbc
    [2011/08/05 11:06:04.403150, 5] auth/auth.c:58(smb_register_auth)
      Successfully added auth method 'wbc'
    [2011/08/05 11:06:04.403289, 5] auth/auth.c:46(smb_register_auth)
      Attempting to register auth backend smbserver
    [2011/08/05 11:06:04.403398, 5] auth/auth.c:58(smb_register_auth)
      Successfully added auth method 'smbserver'
    [2011/08/05 11:06:04.403531, 5] auth/auth.c:46(smb_register_auth)
      Attempting to register auth backend trustdomain
    [2011/08/05 11:06:04.403649, 5] auth/auth.c:58(smb_register_auth)
      Successfully added auth method 'trustdomain'
    [2011/08/05 11:06:04.403755, 5] auth/auth.c:46(smb_register_auth)
      Attempting to register auth backend ntdomain
    [2011/08/05 11:06:04.403862, 5] auth/auth.c:58(smb_register_auth)
      Successfully added auth method 'ntdomain'
    [2011/08/05 11:06:04.403968, 5] auth/auth.c:46(smb_register_auth)
      Attempting to register auth backend guest
    [2011/08/05 11:06:04.404075, 5] auth/auth.c:58(smb_register_auth)
      Successfully added auth method 'guest'
    [2011/08/05 11:06:04.404190, 5] auth/auth.c:46(smb_register_auth)
      Attempting to register auth backend netlogond
    [2011/08/05 11:06:04.404298, 5] auth/auth.c:58(smb_register_auth)
      Successfully added auth method 'netlogond'
    [2011/08/05 11:06:04.404404, 5] auth/auth.c:383(load_auth_module)
      load_auth_module: Attempting to find an auth method to match guest
    [2011/08/05 11:06:04.404533, 5] auth/auth.c:408(load_auth_module)
      load_auth_module: auth method guest has a valid init
    [2011/08/05 11:06:04.404650, 5] auth/auth.c:383(load_auth_module)
      load_auth_module: Attempting to find an auth method to match sam
    [2011/08/05 11:06:04.404760, 5] auth/auth.c:408(load_auth_module)
      load_auth_module: auth method sam has a valid init
    [2011/08/05 11:06:04.404868, 5] auth/auth.c:383(load_auth_module)
      load_auth_module: Attempting to find an auth method to match winbind:trustdomain
    [2011/08/05 11:06:04.404978, 5] auth/auth.c:383(load_auth_module)
      load_auth_module: Attempting to find an auth method to match trustdomain
    [2011/08/05 11:06:04.405098, 5] auth/auth.c:408(load_auth_module)
      load_auth_module: auth method trustdomain has a valid init
    [2011/08/05 11:06:04.405205, 5] auth/auth.c:408(load_auth_module)
      load_auth_module: auth method winbind has a valid init
    [2011/08/05 11:06:04.405501, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
      Got NTLMSSP neg_flags=0xe2088297
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_NEGOTIATE_OEM
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_LM_KEY
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_NEGOTIATE_VERSION
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
      NTLMSSP_NEGOTIATE_56
    [2011/08/05 11:06:04.406184, 5] auth/auth.c:97(get_ntlm_challenge)
      auth_get_challenge: module guest did not want to specify a challenge
    [2011/08/05 11:06:04.406292, 5] auth/auth.c:97(get_ntlm_challenge)
      auth_get_challenge: module sam did not want to specify a challenge
    [2011/08/05 11:06:04.406408, 5] auth/auth.c:97(get_ntlm_challenge)
      auth_get_challenge: module winbind did not want to specify a challenge
    [2011/08/05 11:06:04.406521, 5] auth/auth.c:132(get_ntlm_challenge)
      auth_context challenge created by random
    [2011/08/05 11:06:04.406627, 5] auth/auth.c:133(get_ntlm_challenge)
      challenge is:
    [2011/08/05 11:06:04.406730, 5] ../lib/util/util.c:278(_dump_data)
      [0000] 74 0C 51 36 68 7B 3F 72   t.Q6h{?r
    [2011/08/05 11:06:04.407383, 5] lib/util.c:617(show_msg)
    [2011/08/05 11:06:04.407446, 5] lib/util.c:627(show_msg)
      size=264
      smb_com=0x73
      smb_rcls=22
      smb_reh=0
      smb_err=49152
      smb_flg=136
      smb_flg2=51203
      smb_tid=65535
      smb_pid=65279
      smb_uid=100
      smb_mid=64
      smt_wct=4
      smb_vwv[ 0]=  255 (0xFF)
      smb_vwv[ 1]=    0 (0x0)
      smb_vwv[ 2]=    0 (0x0)
      smb_vwv[ 3]=  167 (0xA7)
      smb_bcc=221
    [2011/08/05 11:06:04.409709, 6] smbd/process.c:1486(process_smb)
      got message type 0x0 of len 0xbc
    [2011/08/05 11:06:04.409835, 3] smbd/process.c:1489(process_smb)
      Transaction 2 of length 192 (0 toread)
    [2011/08/05 11:06:04.409948, 5] lib/util.c:617(show_msg)
    [2011/08/05 11:06:04.410006, 5] lib/util.c:627(show_msg)
      size=188
      smb_com=0x73
      smb_rcls=0
      smb_reh=0
      smb_err=0
      smb_flg=24
      smb_flg2=51207
      smb_tid=65535
      smb_pid=65279
      smb_uid=100
      smb_mid=128
      smt_wct=12
      smb_vwv[ 0]=  255 (0xFF)
      smb_vwv[ 1]=    0 (0x0)
      smb_vwv[ 2]=16644 (0x4104)
      smb_vwv[ 3]=   50 (0x32)
      smb_vwv[ 4]=    0 (0x0)
      smb_vwv[ 5]=    0 (0x0)
      smb_vwv[ 6]=    0 (0x0)
      smb_vwv[ 7]=  125 (0x7D)
      smb_vwv[ 8]=    0 (0x0)
      smb_vwv[ 9]=    0 (0x0)
      smb_vwv[10]=  212 (0xD4)
      smb_vwv[11]=40960 (0xA000)
      smb_bcc=129
    [2011/08/05 11:06:04.412256, 3] smbd/process.c:1298(switch_message)
      switch message SMBsesssetupX (pid 18499) conn 0x0
    [2011/08/05 11:06:04.412370, 3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2011/08/05 11:06:04.412482, 5] auth/token_util.c:525(debug_nt_user_token)
      NT user token: (NULL)
    [2011/08/05 11:06:04.412596, 5] auth/token_util.c:551(debug_unix_user_token)
      UNIX token of user 0
      Primary group is 0 and contains 0 supplementary groups
    [2011/08/05 11:06:04.412860, 5] smbd/uid.c:369(change_to_root_user)
      change_to_root_user: now uid=(0,0) gid=(0,0)
    [2011/08/05 11:06:04.413027, 3] smbd/sesssetup.c:1458(reply_sesssetup_and_X)
      wct=12 flg2=0xc807
    [2011/08/05 11:06:04.413135, 2] smbd/sesssetup.c:1413(setup_new_vc_session)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2011/08/05 11:06:04.413279, 3] smbd/sesssetup.c:1212(reply_sesssetup_and_X_spnego)
      Doing spnego session setup
    [2011/08/05 11:06:04.413446, 3] smbd/sesssetup.c:1254(reply_sesssetup_and_X_spnego)
      NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
    [2011/08/05 11:06:04.413632, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
      Got user=[] domain=[] workstation=[LIVEDC] len1=1 len2=0

tim
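The two log lines that matter in the post are the negotiated NTLMSSP flag word (0xe2088297) and the final NTLMSSP_AUTH with an empty user and domain. The script below is an added example, not part of the post and not Samba code: it decodes the NegotiateFlags word bit by bit using the values from MS-NLMP (with the names Samba prints) and scans smbd debug output for the NULL-credential session setup the packet capture showed, plus the LM session-key bit that the NT4-compatible cryptography policy allows. The sample log excerpt reuses the two lines quoted in the post; the regexes and the triage() function are my own.

```python
import re

# NTLMSSP NegotiateFlags bit values (MS-NLMP 2.2.2.5), labelled with the names
# Samba's debug_ntlmssp_flags() prints. Unlisted bits are reported, not dropped.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

NEG_RE = re.compile(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)")
AUTH_RE = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")

# Excerpt built from the two lines quoted in the post (Samba 3.5 debug format).
SAMPLE_LOG = """\
[2011/08/05 11:06:04.405501, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2011/08/05 11:06:04.413632, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[] domain=[] workstation=[LIVEDC] len1=1 len2=0
"""


def decode_neg_flags(value):
    """Return the names of the bits set in a NegotiateFlags word, lowest bit first."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(NTLMSSP_FLAGS.get(mask, "UNKNOWN_0x%08x" % mask))
    return names


def triage(log_text):
    """Scan smbd debug output for the NTLMSSP exchange and list anything worth a look."""
    result = {"neg_flags": [], "auth": None, "anomalies": []}
    for line in log_text.splitlines():
        m = NEG_RE.search(line)
        if m:
            result["neg_flags"] = decode_neg_flags(int(m.group(1), 16))
            continue
        m = AUTH_RE.search(line)
        if m:
            user, domain, workstation = m.groups()
            result["auth"] = {"user": user, "domain": domain, "workstation": workstation}
            if user == "" and domain == "":
                # The symptom from the capture: NTLMSSP_AUTH with NULL user and domain.
                result["anomalies"].append(
                    "NTLMSSP_AUTH from workstation [%s] carries an empty user and domain "
                    "(NULL-credential session setup)" % workstation)
    if "NTLMSSP_NEGOTIATE_LM_KEY" in result["neg_flags"]:
        # Client offered the LM session key; only possible with NT4-compatible crypto.
        result["anomalies"].append(
            "NTLMSSP_NEGOTIATE_LM_KEY negotiated (LM-compatible session key offered)")
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("negotiated:", ", ".join(report["neg_flags"]))
    print("auth:", report["auth"])
    for a in report["anomalies"]:
        print("anomaly:", a)
```

Running it on a full "log level = 5" smbd log from the PDC would pick out the same two lines the post had to locate by hand; the decoded flag list for 0xe2088297 matches the twelve names Samba printed, which is a quick way to confirm the decoder before pointing it at other captures.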