samba - Apr 2013 - Samba4: W2k clients cannot set / sync time with samba4 AD DC

As a follow-up to this thread 
(https://lists.samba.org/archive/samba/2013-April/172892.html) I have 
created an extra topic, because this is related only to NTP/time sync.

I have done some more tests on this topic, as this really hurts and I 
wouldn't be able to migrate to samba4 in productional environment. We 
are still using lots of W2k clients which cannot be replaced or 
upgraded. Well, I have done some network packet sniffing and as I 
suspected, it seems that the w2k clients really needs to authenticate 
first to be able to use the net time sync command. Here some information
 for clarification:

- everything installed and configured like described on the samba4 HowTo

-
 It affects all my W2k test clients I have tried, not only one. None of 
my w2k clients are able to get the correct time from samba4 AD DC.

-
 WinXP and Win7 are not affected by this, they work fine, from scratch. 
They can sync with my samba4 AD DC and get the time correctly

- I realized that w2k client cannot use "net time" commands when
trying to execute them on W2k DOS command prompt window.

 *
 If the w2k client is logged in as local administrator, then he will 
receives an "error code 5 - access denied" when trying to execute
"net
time" or even "net time /set".
 * If the w2k client is logged in as 
an normal domain user without admin privileges, "net time" command
will
work, but "net time /set" will fail with "system error 1314 -
client has
 no privilege to adjust time". 
 * If the w2k client is logged in 
with a domain admin account and therefore with admin privileges, "net 
time" will work and the command "net time /set" will set
correctly the
time synced with the samba4 AD DC. This is the only way to have the w2k 
time set to the corresponding samba4 AD DC time. 

Now what 
happens if I put the time to a wrong time (e.g. 6hours back), reboot the
 w2k client, and log-in with a domain admin account? Unfortunately the 
windows time service do NOT update the correct time, although a domain 
admin is logged in. Even not if I restart the windows time service. The 
time only will be set if I manually execute the command "net time
/set"
as explained before.

I logged out again from w2k machine and 
logged in with win2k's local administrator account. As I explained 
before, "net time /set" will return an "error code 5  - access
denied". I
 have sniffed that procedure. Then I entered "runas 
/user:MYDOM\domadminuser "net time /set"" and entered the
password for
this user when prompted. Et-voil? --> it works! As soon as I 
authenticate as domain administrator I am able to use this command. I 
also sniffed the packets for this executed command.

You can get the sniffed packet results by tcpdump here -->
http://paste.ubuntu.com/5600267/

Hope to get some feedback of the devs, it seems that this is related to SMB and
not to NTP itself ?

Any feedback appreciated, thanks and greetings...
Lucas

??? 22 ??? 2013 19:17:03 +0400, ?icro MEGAS  ???????:
@samba-devs:
 Could this be related to samba4 services/shares? I have googled a lot 
about this error message 5 when using "net time" command, and it seems
that there is a relation to the share on the server. I don't understand 
which share/service is affected for that. I have tried to check how "net
 time" react on my existing samba3 domain with s3 PDC. I tried at 
several Win2000 clients on my existing productional samba3 domain, and 
--> "net time ..." works fine there without any errors. So it could
be a problem within samba4 somehow? Would be nice to get a reply of a 
dev who can clarify that.

It must be something to have to do with samba4,  because in a samba3 environment
this command works fine.

Any feedback and help appreciated,
thanks... 

Lucas

??? 22 ??? 2013 18:08:41 +0400, ?icro MEGAS  ???????:
Hello again,

I
 just have found out which the dynamic updates didn't work. The reason 
was, that time synchronization of my win2k clients did NOT WORK 
correctly, so they were not in sync with my samba4 AD DC. This is 
necessary for Kerberso and therefore for signed updates. If the client 
is not in sync with the samba4 domain controller, the updates do NOT 
occur. So this is what I have found out:

although I am logged in 
with the local administrator account to the windows 2000 host and I am 
able to manually modify/adjust the windows time, I am NOT ABLE to use a 
"net time" command. I open a DOS command prompt on the w2k host (while
being a local administrator): I enter "net time" and press enter. I
get
at once the error message:

System error 5 occured.

Access denied

(I translated this from german).

Then
 I tried to authenticate to my samba4 AD domain as administrator. I 
entered in the DOS command prompt "net use \\mys4srv 
/user:MYDOM\administrator", entered my password when prompted and the 
auth suceeded. So at this point I am authenticated against my samba4 AD 
domain. Now I can re-execute "net time" and it works fine. After this 
authentication the windows client automatically was able to sync its 
time with my samba4 AD domain controller, as the default update 
mechanism Nt5DS is used (=that stands for time sync with the dc in the 
domain). Now I don't understand, why I had to authenticate first at my 
domain, to allow this to work?? Win7 and WinXP hosts don't show this 
behavior, they work from scratch and can sync their time.

I did 
not have applied any GPOs before, so everything is default. Anyone knows
 about this odd behaviour and can help to fix that? Any help 
appreciated. Thanks to all.

Regards,
Lucas.

??? 22 ??? 2013 16:08:06 +0400, ?icro MEGAS  ???????:
Hi all,

I am running samba 4.0.5 as Active-Directory Domain Controller with 
bind9 9.8 and I am using the BIND9_DLZ mech. I have setup my DNS quite 
exactly as described on the samba4_dns HowTo, but I am facing following 
problems:

Win2000 clients are NOT ABLE to update/add/delete dynamic dns 
ressource records to the DNS database, because it seems they cannot be 
verified by samba4? The BIND9 log with debug level 3 shows error 
messages like that:

[...]

22-Apr-2013 13:50:56.373 update-security: error: client 172.16.200.66#1343: upda

te 'ad.mycompany.com/IN' denied

[...]

22-Apr-2013 13:50:56.392 client: debug 3: client 172.16.200.66#1344: read

22-Apr-2013 13:50:56.392 client: debug 3: client @0x7f9a576948d0: accept

22-Apr-2013 13:50:56.395 client: debug 3: client 172.16.200.66#1344: TCP request

22-Apr-2013 13:50:56.395 client: debug 3: client 172.16.200.66#1344: query

22-Apr-2013 13:50:56.396 general: debug 3: failed gss_inquire_cred: GSSAPI error

: Major = Unspecified GSS failure.  Minor code may provide more information, Min

or = Credentials cache file '/tmp/krb5cc_110' not found.

22-Apr-2013 13:50:56.403 general: debug 3: gss-api source name (accept) is smb4t

estwin2k$@AD.MYCOMPANY.COM

22-Apr-2013 13:50:56.403 client: debug 3: client 172.16.200.66#1344: send

22-Apr-2013 13:50:56.403 client: debug 3: client 172.16.200.66#1344: sendto

22-Apr-2013 13:50:56.404 client: debug 3: client 172.16.200.66#1344: senddone

[...]

22-Apr-2013 13:50:56.536 client: debug 3: client 172.16.200.66#1346: TCP request

22-Apr-2013 13:50:56.536 client: debug 3: client 172.16.200.66#1346: query

22-Apr-2013 13:50:56.537 general: debug 3: failed gss_inquire_cred: GSSAPI error

: Major = Unspecified GSS failure.  Minor code may provide more information, Min

or = Credentials cache file '/tmp/krb5cc_110' not found.

22-Apr-2013 13:50:56.543 general: debug 3: gss-api source name (accept) is smb4t

estwin2k$@AD.MYCOMPANY.COM

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: send

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: sendto

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: senddone

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: next

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: endrequest

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: read

22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: next

22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: endrequest

22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: closetcp

22-Apr-2013 13:50:56.563 client: debug 3: client 172.16.200.66#1347: UDP request

22-Apr-2013 13:50:56.564 general: debug 3: GSS verify error: GSSAPI error: Major

= A token had an invalid Message Integrity Check (MIC), Minor = Unknown error.

[...]

22-Apr-2013 13:50:56.707 security: error: client 172.16.200.66#1351: request has

 invalid signature: TSIG 910533066770-2 (smb4testwin2k\$\@AD.MYCOMPANY.COM)

: tsig verify failure (BADSIG)

Anyone knows more about that and know how to debug/fix that? Any help
appreciated. Thanks a lot.

Lucas.

On Thu, 2013-04-25 at 11:47 +0400, ?icro MEGAS wrote:
> As a follow-up to this thread 
> (https://lists.samba.org/archive/samba/2013-April/172892.html) I have 
> created an extra topic, because this is related only to NTP/time sync.
> 
> I have done some more tests on this topic, as this really hurts and I 
> wouldn't be able to migrate to samba4 in productional environment. 
I keep saying that I can't even give you speculation without a packet
capture.  That means a PCAP format file. 

https://wiki.samba.org/index.php/Capture_Packets

I also don't understand why you can't use any number of other tools
(such as free NTP clients or forcing the NTP server with a script or
policy) to set the time for this specific deployment.

You keep asking about this, but you also keep not providing the specific
information that has been requested.  This makes it hard to help you,
even in this most extreme of deployment situations. 

Finally, I would ask that you help yourself:

08:28:00.436507 IP 172.16.200.66.3557 > samba4srv.mysite.com.ntp: NTPv2,
Client, length 68
08:28:00.436576 IP samba4srv.mysite.com > 172.16.200.66: ICMP samba4srv
.mysite.com udp port ntp unreachable, length 104

Is the NTP server set up correctly?  If the clients can't contact the
NTP server, then it doesn't surprise me that they can't use it.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org