We have set up Samba 4.1 as a PDC. We have successfully connected several Windows 2008 Servers to the domain and created various users/groups. During an application installation on the Windows server, it runs the command in SQL Server:

master..xp_logininfo 'MYDOMAIN\useraccount'

SQL Server is running as a service user created on the domain (here called MYDOMAIN).

This returns:

Msg 15404, Level 16, State 19, Procedure xp_logininfo, Line 64
Could not obtain information about Windows NT group/user 'DOMAIN\useraccount', error code 0x5.

In the security log on Windows it has:

An account failed to log on.

Subject:
    Security ID: MYDOMAIN\SQLService
    Account Name: SQLService
    Account Domain: MYDOMAIN
    Logon ID: 0x1063d

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006e
    Sub Status: 0xc000006e

Process Information:
    Caller Process ID: 0x52c
    Caller Process Name: C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe

In the Samba log on the PDC it gives the following messages:

[2013/11/04 14:05:12.684946, 4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Mon Nov 4 14:05:18 2013 EST
[2013/11/04 14:05:17.693823, 4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Mon Nov 4 14:05:23 2013 EST
[2013/11/04 14:05:17.839450, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2013/11/04 14:05:17.840862, 5] ../auth/gensec/gensec_start.c:649(gensec_start_mech)
  Starting GENSEC mechanism schannel
[2013/11/04 14:05:17.887505, 3] ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/SERVERNAME
[2013/11/04 14:05:17.927963, 3] ../source4/rpc_server/dcerpc_server.c:963(dcesrv_request)
  Warning: 60 extra bytes in incoming RPC request
[2013/11/04 14:05:17.945518, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ SQLService at AD.MYDOMAIN.COM.AU from ipv4:172.17.1.20:61630 for SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU [canonicalize, renewable, forwardable]
[2013/11/04 14:05:17.956953, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: s4u2self SQLService at AD.MYDOMAIN.COM.AU impersonating sodadm at MYDOMAIN to service SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU
[2013/11/04 14:05:17.957371, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Principal may not act as server -- SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU
[2013/11/04 14:05:17.972537, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:172.17.1.20:61630
[2013/11/04 14:05:17.990408, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2013/11/04 14:05:17.990922, 5] ../source4/lib/messaging/messaging.c:554(imessaging_cleanup)
  imessaging: cleaning up /opt/samba4/private/smbd.tmp/msg/msg.1370.34
[2013/11/04 14:05:17.991117, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2013/11/04 14:05:18.136571, 5] ../source4/winbind/wb_irpc.c:144(wb_irpc_get_idmap)
  wb_irpc_get_idmap called
[2013/11/04 14:05:18.136706, 5] ../source4/winbind/wb_sids2xids.c:43(wb_sids2xids_send)
  wb_sids2xids_send called
[2013/11/04 14:05:18.161368, 5] ../source4/winbind/wb_irpc.c:176(wb_irpc_get_idmap_callback)
  wb_irpc_get_idmap_callback called
[2013/11/04 14:05:18.161647, 5] ../source4/winbind/wb_sids2xids.c:83(wb_sids2xids_recv)
  wb_sids2xids_recv called
[2013/11/04 14:05:18.198764, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'

Our smb.conf is currently:

# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = AD.MYDOMAIN.COM.AU
        netbios name = GATEWAY
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        interfaces = eth1 lo
        log level = 5
        bind interfaces only = yes

[netlogon]
        path = /opt/samba4/var/locks/sysvol/ad.mydomain.com.au/scripts
        read only = No

[sysvol]
        path = /opt/samba4/var/locks/sysvol
        read only = No

I have replicated the exact same application installation using a Windows Server PDC and it worked successfully.

Does anyone have any suggestions on things I can try?

Regards,
Jason
Matthieu Patou
2013-Nov-04 06:06 UTC
[Samba] Running SQL Server xp_logininfo with Samba PDC
Hi,

On 11/03/2013 07:14 PM, Jason wrote:
> We have set up Samba 4.1 as a PDC. We have successfully connected several
> Windows 2008 Servers to the domain and created various users/groups.
> During an application installation on the Windows server, it runs the
> command in SQL Server:
>
> master..xp_logininfo 'MYDOMAIN\useraccount'
>
> SQL Server is running as a service user created on the domain (here called
> MYDOMAIN).
>
> This returns:
>
> Msg 15404, Level 16, State 19, Procedure xp_logininfo, Line 64
> Could not obtain information about Windows NT group/user
> 'DOMAIN\useraccount', error code 0x5.
>
> In the security log on Windows it has:
>
> An account failed to log on.
>
> Subject:
>     Security ID: MYDOMAIN\SQLService
>     Account Name: SQLService
>     Account Domain: MYDOMAIN
>     Logon ID: 0x1063d
>
> Logon Type: 3
>
> Account For Which Logon Failed:
>     Security ID: NULL SID
>     Account Name:
>     Account Domain:
>
> Failure Information:
>     Failure Reason: Unknown user name or bad password.
>     Status: 0xc000006e
>     Sub Status: 0xc000006e
>
> Process Information:
>     Caller Process ID: 0x52c
>     Caller Process Name: C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
>
>
> In the Samba log on the PDC it gives the following messages:
>
> [2013/11/04 14:05:12.684946, 4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>   dreplsrv_notify_schedule(5) scheduled for: Mon Nov 4 14:05:18 2013 EST
> [2013/11/04 14:05:17.693823, 4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>   dreplsrv_notify_schedule(5) scheduled for: Mon Nov 4 14:05:23 2013 EST
> [2013/11/04 14:05:17.839450, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2013/11/04 14:05:17.840862, 5] ../auth/gensec/gensec_start.c:649(gensec_start_mech)
>   Starting GENSEC mechanism schannel
> [2013/11/04 14:05:17.887505, 3] ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
>   schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/SERVERNAME
> [2013/11/04 14:05:17.927963, 3] ../source4/rpc_server/dcerpc_server.c:963(dcesrv_request)
>   Warning: 60 extra bytes in incoming RPC request
> [2013/11/04 14:05:17.945518, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ SQLService at AD.MYDOMAIN.COM.AU from ipv4:172.17.1.20:61630 for SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU [canonicalize, renewable, forwardable]
> [2013/11/04 14:05:17.956953, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: s4u2self SQLService at AD.MYDOMAIN.COM.AU impersonating sodadm at MYDOMAIN to service SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU
> [2013/11/04 14:05:17.957371, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Principal may not act as server -- SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU
> [2013/11/04 14:05:17.972537, 3]
^^^^^ This is the key of the problem.

> Our smb.conf is currently:
>
> # Global parameters
> [global]
>         workgroup = MYDOMAIN
>         realm = AD.MYDOMAIN.COM.AU
>         netbios name = GATEWAY
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         interfaces = eth1 lo
>         log level = 5
>         bind interfaces only = yes
>
> [netlogon]
>         path = /opt/samba4/var/locks/sysvol/ad.mydomain.com.au/scripts
>         read only = No
>
> [sysvol]
>         path = /opt/samba4/var/locks/sysvol
>         read only = No
>
> I have replicated the exact same application installation using a Windows
> Server PDC and it worked successfully.

Are you sure it's exactly the same? It could be that some flags on the user account are missing.

--
Matthieu Patou
Samba Team
http://samba.org
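The refusal Matthieu points at can be pulled out of a level-5 KDC trace mechanically rather than by eye. This is an added example, not code from the thread or from Samba: it groups Samba's header-plus-message debug records and pairs each S4U2Self (protocol transition) request with a following "Principal may not act as server" refusal for the same service principal, which is exactly what xp_logininfo triggers when SQL Server impersonates the queried user. The sample is the four Kerberos records from the thread, with the list archive's " at " assumed to stand for the original "@".

```python
import re

# Constructed sample: the four Kerberos records from the thread, '@' restored
# where the list archive printed ' at ' (assumption about the original output).
SAMPLE_LOG = """\
[2013/11/04 14:05:17.945518, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ SQLService@AD.MYDOMAIN.COM.AU from ipv4:172.17.1.20:61630 for SQLService@AD.MYDOMAIN.COM.AU [canonicalize, renewable, forwardable]
[2013/11/04 14:05:17.956953, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: s4u2self SQLService@AD.MYDOMAIN.COM.AU impersonating sodadm@MYDOMAIN to service SQLService@AD.MYDOMAIN.COM.AU
[2013/11/04 14:05:17.957371, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Principal may not act as server -- SQLService@AD.MYDOMAIN.COM.AU
[2013/11/04 14:05:17.972537, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:172.17.1.20:61630
"""

# A record is a "[timestamp, level] source" header line, then indented message lines.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), (\d+)\] (\S+)$")
S4U2SELF = re.compile(r"Kerberos: s4u2self (\S+) impersonating (\S+) to service (\S+)")
NOT_SERVER = re.compile(r"Kerberos: Principal may not act as server -- (\S+)")

def parse_records(text):
    """Group the log into (timestamp, level, source, message) tuples."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = [m.group(1), int(m.group(2)), m.group(3), []]
            records.append(current)
        elif current is not None and line.strip():
            current[3].append(line.strip())
    return [(ts, lvl, src, " ".join(msg)) for ts, lvl, src, msg in records]

def find_s4u2self_failures(text):
    """Pair each S4U2Self request with a later refusal naming the same service."""
    pending, failures = {}, []
    for ts, _lvl, _src, msg in parse_records(text):
        m = S4U2SELF.search(msg)
        if m:
            svc, user, target = m.groups()
            pending[svc] = {"time": ts, "service": svc,
                            "impersonating": user, "target": target}
            continue
        m = NOT_SERVER.search(msg)
        if m and m.group(1) in pending:
            req = pending.pop(m.group(1))
            req["reason"] = "principal may not act as server"
            failures.append(req)
    return failures
```

Running `find_s4u2self_failures` over the full log in the thread yields one entry: SQLService impersonating sodadm, refused because the service principal itself is not allowed to act as a server, so the account to compare against the Windows-domain copy is SQLService, not the user being looked up.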