Darren Kinley
2011-Oct-14 00:30 UTC
[Samba] 3.x build and 'net ads join' no longer work in 3.6.0
Hi Gurus,
I've been trying to compile SaMBa 3.6.0 for its SMB2 support on/off half
time
for about two weeks. I've built ealier versions of 3.x and most recently
3.4.2
following the same procedure but it no longer works for 3.6.0. I'm about
ready to give up and hope that someone here might be able to give me a clue.
I would grab a pre-built package but neither sunfreeware nor blastwave have
the latest releases.
Debugging reveals that the problem _appears_ to lie in the NTLMSSP
negotiation/authentication.
'kinit domainadmin at DS.XXX.CA' followed by 'net ads join -U
domainadmin'
results in
'Failed to join domain: failed to lookup DC info for domain
'DS.XXX.CA' over
rpc: Logon failure'
I think that these are the relevant details;
Solaris 10 SPARC
Kerberos 1.9.1
SaMBa 3.6.0
Windows Server 2008 R2 AD
NTLM disabled, NTLM2 allowed, kerberos is preferred
configure options;
LDFLAGS="-L/usr/local/xxx-ads/lib -lintl -lresolv" LIBS="-lintl
-lresolv" \
./configure --prefix=/usr/local/xxx-ads/samba
--with-krb5=/usr/local/xxx-ads/krb5 \
--with-ads --with-ldap --with-acl-support --with-winbind --with-pam
smb.conf;
(client ntlmv2 auth changed default settings and I've tried with both yes
and no)
[global]
workgroup = DS
realm = DS.XXX.CA
server string = harry47.ds.xxx.ca
security = ADS
allow trusted domains = No
username map = /usr/local/xxx-ads/samba/lib/smbusers
log file = /var/log/xxx-samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
show add printer wizard = No
dns proxy = No
map acl inherit = Yes
client ntlmv2 auth = yes
One thing I am curious about is use_kerberos is off.
net -d 10 ads join -U domainadmin output;
...
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'HARRY47'
domain_name : *
domain_name : 'DS.XXX.CA'
account_ou : NULL
admin_account : 'domainadmin'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
...
negotiate: struct NEGOTIATE_MESSAGE
...
challenge: struct CHALLENGE_MESSAGE
...
authenticate: struct AUTHENTICATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmAuthenticate (3)
LmChallengeResponseLen : 0x0018 (24)
LmChallengeResponseMaxLen: 0x0018 (24)
LmChallengeResponse : *
LmChallengeResponse : union ntlmssp_LM_RESPONSE(case 24)
v1: struct LM_RESPONSE
Response :
fb3bc06d202cf55d212e91453073beeba275df3da9655dd8
NtChallengeResponseLen : 0x00a4 (164)
NtChallengeResponseMaxLen: 0x00a4 (164)
NtChallengeResponse : *
NtChallengeResponse : union ntlmssp_NTLM_RESPONSE(case 164)
v2: struct NTLMv2_RESPONSE
Response : 13a07b3f696f6507c5b03f9de96b8dab
Challenge: struct NTLMv2_CLIENT_CHALLENGE
RespType : 0x01 (1)
HiRespType : 0x01 (1)
Reserved1 : 0x0000 (0)
Reserved2 : 0x00000000 (0)
TimeStamp : Thu Oct 13 14:48:46 2011 PDT
ChallengeFromClient : 934c469337007bc4
Reserved3 : 0x00000000 (0)
AvPairs: struct AV_PAIR_LIST
count : 0x00000007 (7)
pair: ARRAY(7)
pair: struct AV_PAIR
AvId : MsvAvNbDomainName
(0x2)
AvLen : 0x0004 (4)
Value : union
ntlmssp_AvValue(case 0x2)
AvNbDomainName : 'DS'
pair: struct AV_PAIR
AvId :
MsvAvNbComputerName (0x1)
AvLen : 0x000c (12)
Value : union
ntlmssp_AvValue(case 0x1)
AvNbComputerName : 'ADYVR1'
pair: struct AV_PAIR
AvId :
MsvAvDnsDomainName (0x4)
AvLen : 0x0012 (18)
Value : union
ntlmssp_AvValue(case 0x4)
AvDnsDomainName : 'ds.xxx.ca'
pair: struct AV_PAIR
AvId :
MsvAvDnsComputerName (0x3)
AvLen : 0x0020 (32)
Value : union
ntlmssp_AvValue(case 0x3)
AvDnsComputerName :
'ADYVR1.ds.xxx.ca'
pair: struct AV_PAIR
AvId : MsvAvDnsTreeName
(0x5)
AvLen : 0x0012 (18)
Value : union
ntlmssp_AvValue(case 0x5)
AvDnsTreeName : 'ds.xxx.ca'
pair: struct AV_PAIR
AvId : MsvAvTimestamp
(0x7)
AvLen : 0x0008 (8)
Value : union
ntlmssp_AvValue(case 0x7)
AvTimestamp : Thu Oct 13
14:48:46 2011 PDT
pair: struct AV_PAIR
AvId : MsvAvEOL (0x0)
AvLen : 0x0000 (0)
Value : union
ntlmssp_AvValue(case 0x0)
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
UserNameLen : 0x000e (14)
UserNameMaxLen : 0x000e (14)
UserName : *
UserName : 'DKINLEY'
WorkstationLen : 0x000e (14)
WorkstationMaxLen : 0x000e (14)
Workstation : *
Workstation : 'HARRY47'
EncryptedRandomSessionKeyLen: 0x0010 (16)
EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
EncryptedRandomSessionKey: *
EncryptedRandomSessionKey: DATA_BLOB length=16
[0000] 94 A5 C7 0E 88 75 55 4A 30 C7 B4 D6 54 74 07 1D .....uUJ 0...Tt..
NegotiateFlags : 0x60088215 (1611170325)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
0: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
smb_signing_sign_pdu: sent SMB signature of
[0000] 42 53 52 53 50 59 4C 20 BSRSPYL
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain
'DS.XXX.CA' over rpc: Logon failure'
domain_is_ad : 0x00 (0)
result : WERR_LOGON_FAILURE
Failed to join domain: failed to lookup DC info for domain 'DS.XXX.CA'
over
rpc: Logon failure
return code = -1
Thanks in advance for your thoughts,
Darren
--
View this message in context:
http://samba.2283325.n4.nabble.com/3-x-build-and-net-ads-join-no-longer-work-in-3-6-0-tp3903369p3903369.html
Sent from the Samba - General mailing list archive at Nabble.com.
mathwig
2011-Oct-22 06:52 UTC
[Samba] 3.x build and 'net ads join' no longer work in 3.6.0
Hi Darren, please try: net ads join -U domainadmin%password GTX Lars -- View this message in context: http://samba.2283325.n4.nabble.com/3-x-build-and-net-ads-join-no-longer-work-in-3-6-0-tp3903369p3927648.html Sent from the Samba - General mailing list archive at Nabble.com.
Darren Kinley
2011-Oct-22 15:16 UTC
[Samba] 3.x build and 'net ads join' no longer work in 3.6.0
Hi Lars, I tried this with success using my 3.4.2 build but failure using my 3.6.0 build (both buillt on the same server and using the same configure options). Using Wireshark I was able to see that the two builds differ in their SMB negotiation and specifically in their handling of authentication info. I don't know the protocol stack; it appears that one offers the credentials up front while the other leaves the same fields blank (domains, usernames, IDs) but offers the same details later in the packet (or exchange) in the form of options. I'm not sure if this different behavior in is due to my error or it is an intentional refinement to the software/protocol that my 2008 R2 servers can't handle. I was hoping that someone might have some insight to my observations but there has been no response so far and I'm about to try other variants; 3.6.1 and 3.6.1 with Heimdal Kerberos. Thanks for your thoughts, Darren -- View this message in context: http://samba.2283325.n4.nabble.com/3-x-build-and-net-ads-join-no-longer-work-in-3-6-0-tp3903369p3928347.html Sent from the Samba - General mailing list archive at Nabble.com.