Darren Kinley
2011-Oct-14 00:30 UTC
[Samba] 3.x build and 'net ads join' no longer work in 3.6.0
Hi Gurus,

I've been trying to compile SaMBa 3.6.0 for its SMB2 support on/off half time for about two weeks. I've built earlier versions of 3.x and most recently 3.4.2 following the same procedure but it no longer works for 3.6.0. I'm about ready to give up and hope that someone here might be able to give me a clue. I would grab a pre-built package but neither sunfreeware nor blastwave have the latest releases.

Debugging reveals that the problem _appears_ to lie in the NTLMSSP negotiation/authentication. 'kinit domainadmin@DS.XXX.CA' followed by 'net ads join -U domainadmin' results in

'Failed to join domain: failed to lookup DC info for domain 'DS.XXX.CA' over rpc: Logon failure'

I think that these are the relevant details;

Solaris 10 SPARC
Kerberos 1.9.1
SaMBa 3.6.0
Windows Server 2008 R2 AD
NTLM disabled, NTLM2 allowed, kerberos is preferred

configure options;

LDFLAGS="-L/usr/local/xxx-ads/lib -lintl -lresolv" LIBS="-lintl -lresolv" \
./configure --prefix=/usr/local/xxx-ads/samba --with-krb5=/usr/local/xxx-ads/krb5 \
--with-ads --with-ldap --with-acl-support --with-winbind --with-pam

smb.conf; (client ntlmv2 auth changed default settings and I've tried with both yes and no)

[global]
workgroup = DS
realm = DS.XXX.CA
server string = harry47.ds.xxx.ca
security = ADS
allow trusted domains = No
username map = /usr/local/xxx-ads/samba/lib/smbusers
log file = /var/log/xxx-samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
show add printer wizard = No
dns proxy = No
map acl inherit = Yes
client ntlmv2 auth = yes

One thing I am curious about is use_kerberos is off.

net -d 10 ads join -U domainadmin output;

...
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
        dc_name                  : NULL
        machine_name             : 'HARRY47'
        domain_name              : *
            domain_name              : 'DS.XXX.CA'
        account_ou               : NULL
        admin_account            : 'domainadmin'
        machine_password         : NULL
        join_flags               : 0x00000023 (35)
               0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
               0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
               0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
               0: WKSSVC_JOIN_FLAGS_DEFER_SPN
               0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
               0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
               1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
               0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
               0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
               1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
               1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
        os_version               : NULL
        os_name                  : NULL
        create_upn               : 0x00 (0)
        upn                      : NULL
        modify_config            : 0x00 (0)
        ads                      : NULL
        debug                    : 0x01 (1)
        use_kerberos             : 0x00 (0)
        secure_channel_type      : SEC_CHAN_WKSTA (2)
...
negotiate: struct NEGOTIATE_MESSAGE
...
challenge: struct CHALLENGE_MESSAGE
...
authenticate: struct AUTHENTICATE_MESSAGE
    Signature                : 'NTLMSSP'
    MessageType              : NtLmAuthenticate (3)
    LmChallengeResponseLen   : 0x0018 (24)
    LmChallengeResponseMaxLen: 0x0018 (24)
    LmChallengeResponse      : *
        LmChallengeResponse      : union ntlmssp_LM_RESPONSE(case 24)
        v1: struct LM_RESPONSE
            Response                 : fb3bc06d202cf55d212e91453073beeba275df3da9655dd8
    NtChallengeResponseLen   : 0x00a4 (164)
    NtChallengeResponseMaxLen: 0x00a4 (164)
    NtChallengeResponse      : *
        NtChallengeResponse      : union ntlmssp_NTLM_RESPONSE(case 164)
        v2: struct NTLMv2_RESPONSE
            Response                 : 13a07b3f696f6507c5b03f9de96b8dab
            Challenge: struct NTLMv2_CLIENT_CHALLENGE
                RespType                 : 0x01 (1)
                HiRespType               : 0x01 (1)
                Reserved1                : 0x0000 (0)
                Reserved2                : 0x00000000 (0)
                TimeStamp                : Thu Oct 13 14:48:46 2011 PDT
                ChallengeFromClient      : 934c469337007bc4
                Reserved3                : 0x00000000 (0)
                AvPairs: struct AV_PAIR_LIST
                    count                    : 0x00000007 (7)
                    pair: ARRAY(7)
                        pair: struct AV_PAIR
                            AvId                     : MsvAvNbDomainName (0x2)
                            AvLen                    : 0x0004 (4)
                            Value                    : union ntlmssp_AvValue(case 0x2)
                            AvNbDomainName           : 'DS'
                        pair: struct AV_PAIR
                            AvId                     : MsvAvNbComputerName (0x1)
                            AvLen                    : 0x000c (12)
                            Value                    : union ntlmssp_AvValue(case 0x1)
                            AvNbComputerName         : 'ADYVR1'
                        pair: struct AV_PAIR
                            AvId                     : MsvAvDnsDomainName (0x4)
                            AvLen                    : 0x0012 (18)
                            Value                    : union ntlmssp_AvValue(case 0x4)
                            AvDnsDomainName          : 'ds.xxx.ca'
                        pair: struct AV_PAIR
                            AvId                     : MsvAvDnsComputerName (0x3)
                            AvLen                    : 0x0020 (32)
                            Value                    : union ntlmssp_AvValue(case 0x3)
                            AvDnsComputerName        : 'ADYVR1.ds.xxx.ca'
                        pair: struct AV_PAIR
                            AvId                     : MsvAvDnsTreeName (0x5)
                            AvLen                    : 0x0012 (18)
                            Value                    : union ntlmssp_AvValue(case 0x5)
                            AvDnsTreeName            : 'ds.xxx.ca'
                        pair: struct AV_PAIR
                            AvId                     : MsvAvTimestamp (0x7)
                            AvLen                    : 0x0008 (8)
                            Value                    : union ntlmssp_AvValue(case 0x7)
                            AvTimestamp              : Thu Oct 13 14:48:46 2011 PDT
                        pair: struct AV_PAIR
                            AvId                     : MsvAvEOL (0x0)
                            AvLen                    : 0x0000 (0)
                            Value                    : union ntlmssp_AvValue(case 0x0)
    DomainNameLen            : 0x0000 (0)
    DomainNameMaxLen         : 0x0000 (0)
    DomainName               : *
        DomainName               : ''
    UserNameLen              : 0x000e (14)
    UserNameMaxLen           : 0x000e (14)
    UserName                 : *
        UserName                 : 'DKINLEY'
    WorkstationLen           : 0x000e (14)
    WorkstationMaxLen        : 0x000e (14)
    Workstation              : *
        Workstation              : 'HARRY47'
    EncryptedRandomSessionKeyLen: 0x0010 (16)
    EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
    EncryptedRandomSessionKey: *
        EncryptedRandomSessionKey: DATA_BLOB length=16
[0000] 94 A5 C7 0E 88 75 55 4A   30 C7 B4 D6 54 74 07 1D   .....uUJ 0...Tt..
    NegotiateFlags           : 0x60088215 (1611170325)
           1: NTLMSSP_NEGOTIATE_UNICODE
           0: NTLMSSP_NEGOTIATE_OEM
           1: NTLMSSP_REQUEST_TARGET
           1: NTLMSSP_NEGOTIATE_SIGN
           0: NTLMSSP_NEGOTIATE_SEAL
           0: NTLMSSP_NEGOTIATE_DATAGRAM
           0: NTLMSSP_NEGOTIATE_LM_KEY
           0: NTLMSSP_NEGOTIATE_NETWARE
           1: NTLMSSP_NEGOTIATE_NTLM
           0: NTLMSSP_NEGOTIATE_NT_ONLY
           0: NTLMSSP_ANONYMOUS
           0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
           0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
           0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
           1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
           0: NTLMSSP_TARGET_TYPE_DOMAIN
           0: NTLMSSP_TARGET_TYPE_SERVER
           0: NTLMSSP_TARGET_TYPE_SHARE
           1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
           0: NTLMSSP_NEGOTIATE_IDENTIFY
           0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
           0: NTLMSSP_NEGOTIATE_TARGET_INFO
           0: NTLMSSP_NEGOTIATE_VERSION
           1: NTLMSSP_NEGOTIATE_128
           1: NTLMSSP_NEGOTIATE_KEY_EXCH
           0: NTLMSSP_NEGOTIATE_56
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
smb_signing_sign_pdu: sent SMB signature of
[0000] 42 53 52 53 50 59 4C 20   BSRSPYL
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name             : NULL
        netbios_domain_name      : NULL
        dns_domain_name          : NULL
        forest_name              : NULL
        dn                       : NULL
        domain_sid               : NULL
        domain_sid               : (NULL SID)
        modified_config          : 0x00 (0)
        error_string             : 'failed to lookup DC info for domain 'DS.XXX.CA' over rpc: Logon failure'
        domain_is_ad             : 0x00 (0)
        result                   : WERR_LOGON_FAILURE
Failed to join domain: failed to lookup DC info for domain 'DS.XXX.CA' over rpc: Logon failure
return code = -1

Thanks in advance for your thoughts,
Darren

--
View this message in context: http://samba.2283325.n4.nabble.com/3-x-build-and-net-ads-join-no-longer-work-in-3-6-0-tp3903369p3903369.html
Sent from the Samba - General mailing list archive at Nabble.com.
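As an added example (not code from this thread or from Samba), here is a small Python decoder for the two pieces of the debug dump above that are worth reading off a capture when an AD join fails with a logon failure: the NTLMSSP NegotiateFlags bitmask and the NTLMv2 NtChallengeResponse with its AV_PAIR target-info list. The sample blob is constructed from the field values in the dump (NTProofStr, client challenge, timestamp and AV pairs), the flag and AvId tables come from MS-NLMP, and the function and constant names are my own. Wireshark's NTLMSSP dissector shows the same fields; decoding them yourself is how you confirm what the client actually sent: RespType 1 means an NTLMv2 response (relevant when NTLMv1 is disabled on the DC), EXTENDED_SESSIONSECURITY plus SIGN/ALWAYS_SIGN show what session security was negotiated, and the AV pairs show which DC and domain names the response was bound to.

```python
import struct
from datetime import datetime, timedelta, timezone

# NegotiateFlags bits from MS-NLMP 2.2.2.5, using the names Samba prints.
NEGOTIATE_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
# AvId values from MS-NLMP 2.2.2.1; ids 1-5 carry UTF-16LE strings.
AV_NAMES = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName",
            5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 7: "MsvAvTimestamp"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def decode_negotiate_flags(flags):
    """Names of the set bits, lowest first; bits not in the table are reported
    as hex so nothing a peer negotiated goes unnoticed."""
    return [NEGOTIATE_FLAGS.get(1 << b, "unknown_0x%08x" % (1 << b))
            for b in range(32) if flags & (1 << b)]

def parse_av_pairs(buf, offset):
    """Parse an AV_PAIR_LIST at offset; returns (pairs, end_offset). Lengths
    are bounds-checked first, so a truncated blob raises instead of misreading."""
    pairs = []
    while True:
        if offset + 4 > len(buf):
            raise ValueError("truncated AV_PAIR header at offset %d" % offset)
        av_id, av_len = struct.unpack_from("<HH", buf, offset)
        offset += 4
        if offset + av_len > len(buf):
            raise ValueError("AV_PAIR %d runs past end of buffer" % av_id)
        raw, offset = buf[offset:offset + av_len], offset + av_len
        if av_id == 0:                       # MsvAvEOL terminates the list
            return pairs, offset
        if av_id in (1, 2, 3, 4, 5):
            value = raw.decode("utf-16-le")
        elif av_id == 7 and av_len == 8:
            value = filetime_to_datetime(struct.unpack("<Q", raw)[0])
        elif av_id == 6 and av_len == 4:
            value = struct.unpack("<I", raw)[0]
        else:
            value = raw.hex()
        pairs.append((AV_NAMES.get(av_id, "MsvAv_0x%x" % av_id), value))

def parse_ntlmv2_response(blob):
    """Decode an NTLMv2_RESPONSE (the NtChallengeResponse field): 16-byte
    NTProofStr, then the NTLMv2_CLIENT_CHALLENGE. A 24-byte NTLMv1 response
    or anything without RespType/HiRespType == 1 is rejected."""
    if len(blob) < 44:
        raise ValueError("blob too short for an NTLMv2 response")
    resp_type, hi_resp_type = struct.unpack_from("<BB", blob, 16)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError("not an NTLMv2 response (RespType %d)" % resp_type)
    (ft,) = struct.unpack_from("<Q", blob, 24)   # TimeStamp, after Reserved1/2
    av_pairs, end = parse_av_pairs(blob, 44)     # after ChallengeFromClient, Reserved3
    return {"nt_proof_str": blob[:16].hex(), "timestamp": filetime_to_datetime(ft),
            "client_challenge": blob[32:40].hex(), "av_pairs": av_pairs, "length": end}

def build_av_pairs(pairs):
    """Inverse of parse_av_pairs; used only to construct the sample below."""
    out = b""
    for av_id, value in pairs:
        raw = (value.encode("utf-16-le") if isinstance(value, str)
               else struct.pack("<Q", datetime_to_filetime(value)))
        out += struct.pack("<HH", av_id, len(raw)) + raw
    return out + struct.pack("<HH", 0, 0)

# Constructed sample: the NtChallengeResponse re-assembled from the field values
# in Darren's 'net -d 10 ads join' dump (14:48:46 PDT is 21:48:46 UTC).
SAMPLE_TIMESTAMP = datetime(2011, 10, 13, 21, 48, 46, tzinfo=timezone.utc)
SAMPLE_NT_RESPONSE = (
    bytes.fromhex("13a07b3f696f6507c5b03f9de96b8dab")           # Response (NTProofStr)
    + struct.pack("<BBHI", 1, 1, 0, 0)                           # RespType, HiRespType, Reserved1, Reserved2
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_TIMESTAMP))  # TimeStamp
    + bytes.fromhex("934c469337007bc4")                          # ChallengeFromClient
    + struct.pack("<I", 0)                                       # Reserved3
    + build_av_pairs([(2, "DS"), (1, "ADYVR1"), (4, "ds.xxx.ca"),
                      (3, "ADYVR1.ds.xxx.ca"), (5, "ds.xxx.ca"), (7, SAMPLE_TIMESTAMP)])
)
SAMPLE_NEGOTIATE_FLAGS = 0x60088215   # NegotiateFlags value from the dump
```

Running `parse_ntlmv2_response(SAMPLE_NT_RESPONSE)` consumes all 164 bytes, which matches the NtChallengeResponseLen in the dump, and `decode_negotiate_flags(SAMPLE_NEGOTIATE_FLAGS)` lists the same eight flags Samba printed after "Got NTLMSSP neg_flags". The parser covers only the NTLMv2 blob; the outer AUTHENTICATE_MESSAGE fields (DomainName, UserName, Workstation, the encrypted session key) are read from the SMB dissector or the Samba dump directly.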
mathwig
2011-Oct-22 06:52 UTC
[Samba] 3.x build and 'net ads join' no longer work in 3.6.0
Hi Darren,

please try:

net ads join -U domainadmin%password

GTX
Lars
Darren Kinley
2011-Oct-22 15:16 UTC
[Samba] 3.x build and 'net ads join' no longer work in 3.6.0
Hi Lars,

I tried this with success using my 3.4.2 build but failure using my 3.6.0 build (both built on the same server and using the same configure options).

Using Wireshark I was able to see that the two builds differ in their SMB negotiation and specifically in their handling of authentication info. I don't know the protocol stack; it appears that one offers the credentials up front while the other leaves the same fields blank (domains, usernames, IDs) but offers the same details later in the packet (or exchange) in the form of options. I'm not sure if this different behavior is due to my error or it is an intentional refinement to the software/protocol that my 2008 R2 servers can't handle.

I was hoping that someone might have some insight to my observations but there has been no response so far and I'm about to try other variants; 3.6.1 and 3.6.1 with Heimdal Kerberos.

Thanks for your thoughts,
Darren