samba - Dec 2012 - S4 AD Domain Up; but lots of NTLMSSP NTLM2 errors

samba-4.0.0 x86_64, CentOS6.3

My Samba4 / AD is up and running after migrating this weekend.  Testing
looked good and the domain *is working* but there are some issues.

My log.samba file is full of the following; I'm not certain of the
significance of these.

[2012/12/17 05:59:09,
0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/12/17 06:35:30,
0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/12/17 06:55:58,
0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/12/17 06:59:10,
0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/12/17 07:44:14,
0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/12/17 07:58:31,
0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/12/17 08:10:11,
0]
../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=pc02541,OU=Industries
Workstations,DC=micore,DC=us: error in module acl: Constraint violation
(19)
[2012/12/17 08:26:00,
0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/12/17 08:37:30,
0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/12/17 08:41:42,
0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/12/17 09:15:32,
0]
../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=pc02541,OU=Industries
Workstations,DC=micore,DC=us: error in module acl: Constraint violation
(19)
[2012/12/17 09:24:47,
0]
../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=chrisxpprovm,OU=Industries
Workstations,DC=micore,DC=us: error in module acl: Constraint violation
(19)
....

-- 
Adam Tauno Williams  GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA

On Mon, 2012-12-17 at 09:35 -0500, Adam Tauno Williams
wrote:
> samba-4.0.0 x86_64, CentOS6.3
> 
> My Samba4 / AD is up and running after migrating this weekend.  Testing
> looked good and the domain *is working* but there are some issues.
> 
> My log.samba file is full of the following; I'm not certain of the
> significance of these.
> 
> [2012/12/17 05:59:09,
> 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>   NTLMSSP NTLM2 packet check failed due to invalid signature!
> [2012/12/17 06:35:30,
Any idea what client is giving these?  

I thought we managed to silence these a while back - there was a case
where this was happening on LDAP.
>   Failed to modify SPNs on CN=pc02541,OU=Industries
> Workstations,DC=micore,DC=us: error in module acl: Constraint violation
> (19)
> [2012/12/17 09:24:47,
> 0]
../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
>   Failed to modify SPNs on CN=chrisxpprovm,OU=Industries
> Workstations,DC=micore,DC=us: error in module acl: Constraint violation
> (19)
These are different to the above, and it is a known issue.  We have a
set of patches, but they need much more work before we can fix that.  It
happens when the client is trying to change only the case of the
servicePrincipalName over DRS.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org