Hi guys,

about one or two weeks ago I've updated my samba to v4.1.7, which might or might not relate to the problem at hand. However, lately we've seen some issues with users not able to log in to workstations (Win 7). Windows servers (2008 R2 and newer) were also affected. Sometimes one or two reboots would solve these problems; on a few occasions I had to rejoin the computer account to the domain.

On the workstations and servers I can see this event log entry when the login problem occurs:

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: workstation.sub.domain.tld
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "workstation$". The target name used was "WORKSTATION$". This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SUB.DOMAIN.TLD) is different from the client domain (SUB.DOMAIN.TLD), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Checking samba logs revealed this entry:

log.samba-[2015/03/28 14:48:58.156066, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\workstation$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
log.samba-[2015/03/28 14:48:58.160911, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\workstation$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
log.samba-[2015/03/28 14:48:58.298127, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)

I'm not sure where to start debugging.

Setup:
DC-01 (Ubuntu 12.04 LTS)
DC-02 (Ubuntu 12.04 LTS)

Samba Version 4.1.17 (built from source) using BIND_DLZ 9.9.5 (Extended Support Version)

The domain was migrated from samba3 with classic upgrade.

I'd love to hear any ideas or suggestions.

Thanks in advance.

Regards,

Dominik

## smb.conf
root at XXX-DC-01:~# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = DOMAIN
        realm = sub.domain.tld
        netbios name = XXX-DC-01
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        kccsrv:samba_kcc = false
        tls enabled = yes
        tls certfile = /usr/local/samba/private/tls/XXX-dc-01.pem
        tls keyfile = /usr/local/samba/private/tls/XXX-dc-01-key_nopas.pem
        tls cafile = /usr/local/samba/private/tls/cacert.pem
        tls crlfile = /usr/local/samba/private/tls/domain-samba.crl
        tls dhparams file = /usr/local/samba/private/tls/dcdhparams.pem
        host msdfs = yes
        log level = 2
        syslog = 2
        eventlog list = Application System Security SyslogLinux

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/biochem.dshs-koeln.de/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
Izan Díez Sánchez
2016-Jul-05 08:33 UTC
[Samba] Login not possible / machine account issues
Some new info to see if someone can help me out. Every time this happens the workstation seems to have refreshed its password, according to the pwdLastSet attribute. However, an error must be occurring in that communication, since it blocks any following login until it is rebooted.

Izan Díez Sánchez
ids at empre.es

-----Original message-----
From: Izan Díez Sánchez [mailto:ids at empre.es]
Sent: Friday, 24 June 2016 11:59
To: samba at lists.samba.org
Subject: Re: [Samba] Login not possible / machine account issues

Hi,

Did you find any solution?

I am facing exactly the same scenario.
-CentOS 6.7
-Samba Version 4.4.3
-BIND_DLZ 9.9.8

Some workstations suddenly are unable to log in unless I reboot or rejoin the domain. The only odd event I see in the client is the one already mentioned:

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: workstation.sub.domain.tld
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "workstation$". The target name used was "WORKSTATION$". This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SUB.DOMAIN.TLD) is different from the client domain (SUB.DOMAIN.TLD), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Searching in the logs, apparently the domain controller is granting the ticket:

[2016/06/24 10:35:23.082573, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ myuser at mydomain from ipv4:172.31.1.134:56661 for krbtgt/mydomain at mydomain
[2016/06/24 10:35:23.088584, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2016/06/24 10:35:23.088624, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- myuser at mydomain
[2016/06/24 10:35:23.088640, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- myuser at mydomain
[2016/06/24 10:35:23.088670, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- myuser at mydomain
[2016/06/24 10:35:23.089174, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/06/24 10:35:23.089214, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/06/24 10:35:23.090052, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ myuser at mydomain from ipv4:199.99.9.199:56662 for krbtgt/mydomain at mydomain
[2016/06/24 10:35:23.095400, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2016/06/24 10:35:23.095437, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- myuser at mydomain
[2016/06/24 10:35:23.095467, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- myuser at mydomain
[2016/06/24 10:35:23.095526, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- myuser at mydomain using arcfour-hmac-md5
[2016/06/24 10:35:23.095557, 4] ../source4/auth/sam.c:182(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user myuser at mydomain
[2016/06/24 10:35:23.095719, 5] ../source4/auth/sam.c:116(logon_hours_ok)
  logon_hours_ok: No hours restrictions for user myuser at mydomain
[2016/06/24 10:35:23.095774, 5] ../source4/auth/sam.c:820(authsam_logon_success_accounting)
  lastLogonTimestamp is 131110567801968850
[2016/06/24 10:35:23.095937, 5] ../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
  sync interval is 14
[2016/06/24 10:35:23.095973, 5] ../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
  randomised sync interval is 12 (-2)
[2016/06/24 10:35:23.095993, 5] ../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
  old timestamp is 131110567801968850, threshold 131101941230958000, diff 8626571010850
[2016/06/24 10:35:23.122089, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2016-06-24T10:35:23 starttime: unset endtime: 2016-06-24T20:35:23 renew till: 2016-07-01T10:35:23
[2016/06/24 10:35:23.122204, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
[2016/06/24 10:35:23.122242, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2016/06/24 10:35:23.122933, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/06/24 10:35:23.122968, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/06/24 10:35:23.124716, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ myuser at MYDOMAIN.EA from ipv4:199.99.9.199:56663 for host/windows7machine.mydomain.ea at MYDOMAIN.EA [canonicalize, renewable, forwardable]

I've troubleshot DNS, and resolution is working fine for the domain controllers (including services) and "windows7machine.mydomain.ea". It looks like the machine has renewed its Kerberos password and the domain controller (KDC) didn't notice, although that wouldn't match pure AD behavior according to https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/

My Kerberos configuration is as simple as:

[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

I'm no Kerberos expert; maybe it could be tuned to avoid this behavior in Active Directory. It's hard to believe no one has experienced something similar.

Regards,

---------------------------------------------------------------------
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message by mistake, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
Visit our web page: www.empre.es
---------------------------------------------------------------------
Please, do not print this message unless it is necessary. Our environment is in our hands.
L.P.H. van Belle
2016-Jul-05 08:44 UTC
[Samba] Login not possible / machine account issues
>> This can occur when the target server principal name (SPN) is registered
>> on an account other than the account the target service is using.

Hmm, multiple computers with the same serial cause these things.
So first make sure this computer's serial isn't used before.
Or 2 computers with the same name in the network; happens with non-sysprepped computers.

Keep an eye on your samba logs, increase the debug levels.
There should be 2 computers which complain. And check these out.

At least that's what I would have done first.

Greetz,

Louis
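Two checks follow from the thread so far: Izan's observation that pwdLastSet changes right before the failures, and Louis's suggestion that a second account may own the same name or SPN. Both can be checked from the directory, one DC at a time, without touching the workstation. The script below is an added example for this thread, not code from the Samba project or from any poster. It parses LDIF as printed by ldbsearch, compares a computer object's pwdLastSet, msDS-KeyVersionNumber (kvno), SPNs and dNSHostName across DCs, and flags any SPN registered on more than one account. The LDIF inside it is constructed to look like ldbsearch output; the DNs, SPNs, timestamps and kvno values are invented, and the DC names DC-01 and DC-02 are simply the ones from Dominik's setup. The FILETIME conversion is also useful on its own for the raw lastLogonTimestamp values in the posted log.

```python
"""Cross-check a computer account between two Samba AD DCs and look for SPNs
registered on more than one account.  Added example for this thread, not
Samba code; all LDIF below is constructed and its values are invented."""
import base64
from datetime import datetime, timedelta, timezone

# pwdLastSet / lastLogonTimestamp are Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer (or its decimal string) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def parse_ldif(text):
    """Parse LDIF as printed by ldbsearch/ldapsearch into a list of entries
    (dict attr -> list of values).  Folded lines (leading space) are re-joined,
    '::' values are base64-decoded and '#' comment lines are skipped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF line folding
        else:
            logical.append(raw)
    entries, cur = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
    return entries


def compare_across_dcs(per_dc, attrs=("pwdLastSet", "msDS-KeyVersionNumber",
                                      "servicePrincipalName", "dNSHostName")):
    """per_dc maps a DC name to the LDIF that DC returned for the *same* computer
    object.  Returns {attr: {dc: values}} only for attributes on which the DCs
    disagree; an empty dict means every DC holds the same key material."""
    seen = {}
    for dc, text in per_dc.items():
        entry = next(e for e in parse_ldif(text) if "dn" in e)
        for attr in attrs:
            seen.setdefault(attr, {})[dc] = tuple(sorted(entry.get(attr, [])))
    return {a: by_dc for a, by_dc in seen.items() if len(set(by_dc.values())) > 1}


def duplicate_spns(ldif_text):
    """From a dump of all computer objects return {spn: [dn, ...]} for every SPN
    registered on more than one account (SPN comparison is case-insensitive)."""
    owners = {}
    for entry in parse_ldif(ldif_text):
        for spn in entry.get("servicePrincipalName", []):
            owners.setdefault(spn.lower(), []).append(entry.get("dn", ["?"])[0])
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def report(per_dc, all_computers_ldif):
    """Human-readable findings; an empty list means nothing suspicious."""
    lines = []
    for attr, by_dc in compare_across_dcs(per_dc).items():
        for dc, values in by_dc.items():
            shown = ", ".join(values) or "<absent>"
            if attr == "pwdLastSet" and values:
                shown += f" ({filetime_to_datetime(values[0]):%Y-%m-%d %H:%M:%S} UTC)"
            lines.append(f"{attr} differs: {dc} = {shown}")
    for spn, dns in duplicate_spns(all_computers_ldif).items():
        lines.append(f"SPN {spn} registered on {len(dns)} accounts: " + "; ".join(dns))
    return lines


# Constructed sample, modelled on the output of
#   ldbsearch -H ldap://DC-01 -U administrator '(sAMAccountName=WORKSTATION$)' \
#       pwdLastSet msDS-KeyVersionNumber servicePrincipalName dNSHostName
# run once per DC.  In this made-up case DC-02 still holds the previous password
# (older pwdLastSet, kvno 6 instead of 7), so any ticket it issues for the
# workstation is encrypted with a key the workstation no longer has.
LDIF_DC01 = """\
dn: CN=WORKSTATION,CN=Computers,DC=sub,DC=domain,DC=tld
dNSHostName: workstation.sub.domain.tld
servicePrincipalName: HOST/WORKSTATION
servicePrincipalName: HOST/workstation.sub.domain.tld
pwdLastSet: 131110567801968850
msDS-KeyVersionNumber: 7

# returned 1 records
"""
LDIF_DC02 = LDIF_DC01.replace("131110567801968850", "131084631230000000").replace(
    "msDS-KeyVersionNumber: 7", "msDS-KeyVersionNumber: 6")

# Constructed dump of every computer object ('(objectClass=computer)' with
# servicePrincipalName).  A stale clone still owns the new machine's HOST SPN;
# the folded line is what real LDIF output does with long values.
LDIF_ALL_COMPUTERS = """\
dn: CN=WORKSTATION,CN=Computers,DC=sub,DC=domain,DC=tld
servicePrincipalName: HOST/WORKSTATION
servicePrincipalName: HOST/workstation.sub.domain.tld

dn: CN=WORKSTATION-OLD,CN=Computers,DC=sub,DC=domain,DC=tld
servicePrincipalName: HOST/WORKSTATION-OLD
servicePrincipalName: HOST/workstation.sub.dom
 ain.tld

dn: CN=XXX-DC-01,OU=Domain Controllers,DC=sub,DC=domain,DC=tld
servicePrincipalName: HOST/XXX-DC-01
servicePrincipalName: HOST/xxx-dc-01.sub.domain.tld

# returned 3 records
"""

if __name__ == "__main__":
    for line in report({"DC-01": LDIF_DC01, "DC-02": LDIF_DC02}, LDIF_ALL_COMPUTERS):
        print(line)
```

To use it against a real domain, run the ldbsearch query shown in the comment once per DC (ldbsearch accepts -H ldap://host with -U) and feed each DC's output to compare_across_dcs. A pwdLastSet or kvno that differs between DCs is exactly the "target service account password is different than what is configured on the KDC" case the Windows event describes, and points at replication (samba-tool drs showrepl, samba-tool ldapcmp) rather than at the workstation. A hit from duplicate_spns is the other case the event names, an SPN registered on a second account, which is what a non-sysprepped clone or a re-used computer name leaves behind.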
Izan Díez Sánchez
2016-Jul-05 14:30 UTC
[Samba] Login not possible / machine account issues
With computer serial do you mean machine SID? If so, yes; many computers are clones without sysprep. But as far as I know that wouldn't be a problem unless the affected computer is the domain controller, according to https://blogs.technet.microsoft.com/markrussinovich/2009/11/03/the-machine-s id-duplication-myth-and-why-sysprep-matters/ in pure Windows AD domain. Is there any role the machine SID may be taking in the samba4 AD implementation? Something related with SPN... I've also checked UUIDs and computer names and there are no duplicated ones. Regards, Izan Díez Sánchez ids at empre.es -----Mensaje original----- De: L.P.H. van Belle [mailto:belle at bazuin.nl] Enviado el: martes, 5 de julio de 2016 10:44 Para: samba at lists.samba.org Asunto: Re: [Samba] Login not possible / machine account issues>>This can occur when the target server principal name (SPN) is registered >>on an account other than the account the target service is using.Hmm, multiple computers with the same serial cause these things. So first make sure this computers serial isnt used before. Or 2 computers with the same name in the netwerk, happens with not syspreped computers. Keep an eye on your samba logs, increase the debug levels. There should be 2 computers which complain. And check these out. At least that what i would have done first. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Izan Díez > Sánchez > Verzonden: dinsdag 5 juli 2016 10:33 > Aan: 'Samba Maile'; samba at lists.samba.org > Onderwerp: Re: [Samba] Login not possible / machine account issues > > Some new info to see if someone can help me out. Everytime this > happens the workstation seem to have refreshed its password according > to pwdLastSet attribute. However, an error must be in such > communication since it blocks any following login until it is rebooted. 
> > > Izan Díez Sánchez > ids at empre.es > > -----Mensaje original----- > De: Izan Díez Sánchez [mailto:ids at empre.es] Enviado el: viernes, 24 de > junio de 2016 11:59 > Para: samba at lists.samba.org > Asunto: Re: [Samba] Login not possible / machine account issues > > Hi, > > Did you find any solution? > > I am facing exactly the same scenario. > -CentOS 6.7 > -Samba Version 4.4.3 > -BIND_DLZ 9.9.8 > > Some workstations suddenly are unable to login, unless I reboot or > rejoin the domain. The only odd event I see in the client is the one > already > said: > > Log Name: System > Source: Microsoft-Windows-Security-Kerberos > Event ID: 4 > Task Category: None > Level: Error > Keywords: Classic > User: N/A > Computer: workstation.sub.domain.tld > Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error > from the server "workstation$". The target name used was > "WORKSTATION$". This indicates that the target server failed to > decrypt the ticket provided by the client. This can occur when the > target server principal name (SPN) is registered on an account other > than the account the target service is using. Ensure that the target > SPN is only registered on the account used by the server. This error > can also happen if the target service account password is different > than what is configured on the Kerberos Key Distribution Center for > that target service. Ensure that the service on the server and the KDC > are both configured to use the same password. If the server name is > not fully qualified, and the target domain > (SUB.DOMAIN.TLD) is different from the client domain (SUB.DOMAIN.TLD), > check if there are identically named server accounts in these two > domains, or use the fully-qualified name to identify the server. 
>
> Searching in the logs, apparently the domain controller is granting the ticket:
>
> [2016/06/24 10:35:23.082573, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ myuser at mydomain from ipv4:172.31.1.134:56661 for krbtgt/mydomain at mydomain
> [2016/06/24 10:35:23.088584, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: 128
> [2016/06/24 10:35:23.088624, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data -- myuser at mydomain
> [2016/06/24 10:35:23.088640, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data -- myuser at mydomain
> [2016/06/24 10:35:23.088670, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- myuser at mydomain
> [2016/06/24 10:35:23.089174, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/06/24 10:35:23.089214, 3] ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/06/24 10:35:23.090052, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ myuser at mydomain from ipv4:199.99.9.199:56662 for krbtgt/mydomain at mydomain
> [2016/06/24 10:35:23.095400, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> [2016/06/24 10:35:23.095437, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data -- myuser at mydomain
> [2016/06/24 10:35:23.095467, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data -- myuser at mydomain
> [2016/06/24 10:35:23.095526, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: ENC-TS Pre-authentication succeeded -- myuser at mydomain using arcfour-hmac-md5
> [2016/06/24 10:35:23.095557, 4] ../source4/auth/sam.c:182(authsam_account_ok)
> authsam_account_ok: Checking SMB password for user myuser at mydomain
> [2016/06/24 10:35:23.095719, 5] ../source4/auth/sam.c:116(logon_hours_ok)
> logon_hours_ok: No hours restrictions for user myuser at mydomain
> [2016/06/24 10:35:23.095774, 5] ../source4/auth/sam.c:820(authsam_logon_success_accounting)
> lastLogonTimestamp is 131110567801968850
> [2016/06/24 10:35:23.095937, 5] ../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
> sync interval is 14
> [2016/06/24 10:35:23.095973, 5] ../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
> randomised sync interval is 12 (-2)
> [2016/06/24 10:35:23.095993, 5] ../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
> old timestamp is 131110567801968850, threshold 131101941230958000, diff 8626571010850
> [2016/06/24 10:35:23.122089, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ authtime: 2016-06-24T10:35:23 starttime: unset endtime: 2016-06-24T20:35:23 renew till: 2016-07-01T10:35:23
> [2016/06/24 10:35:23.122204, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
> [2016/06/24 10:35:23.122242, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
> [2016/06/24 10:35:23.122933, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/06/24 10:35:23.122968, 3] ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/06/24 10:35:23.124716, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ myuser at MYDOMAIN.EA from ipv4:199.99.9.199:56663 for host/windows7machine.mydomain.ea at MYDOMAIN.EA [canonicalize, renewable, forwardable]
>
>
> I've troubleshot DNS and resolution is working fine for domain controllers (including services) and "windows7machine.mydomain.ea". It looks like the machine has renewed its Kerberos password and the domain controller (KDC) didn't notice, although that wouldn't match pure AD behavior according to https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/
>
> My kerberos configuration is as simple as:
>
> [libdefaults]
> default_realm = MYDOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>
> I'm not a Kerberos expert and maybe it could be tuned to avoid this behavior in Active Directory. It's hard to believe no one has experienced something similar.
>
> Regards,
>
> -----Original message-----
> From: Samba Maile [mailto:dominik.mailinglist at gmail.com]
> Sent: Tuesday, 31 March 2015 13:18
> To: samba at lists.samba.org
> Subject: [Samba] Login not possible / machine account issues
>
> Hi guys,
>
> about one or two weeks ago I updated my samba to v4.1.7, which might or might not relate to the problem at hand.
> However lately we've seen some issues with users not able to login to workstations (win 7).
> Windows servers (2008 r2 and newer) were also affected.
> Sometimes one or two reboots would solve these problems; on a few occasions I had to rejoin the computer account to the domain.
>
> On the workstations and servers I can see this event log entry when the login problem occurs:
>
> Log Name: System
> Source: Microsoft-Windows-Security-Kerberos
> Event ID: 4
> Task Category: None
> Level: Error
> Keywords: Classic
> User: N/A
> Computer: workstation.sub.domain.tld
> Description:
> The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "workstation$". The target name used was "WORKSTATION$". This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SUB.DOMAIN.TLD) is different from the client domain (SUB.DOMAIN.TLD), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
>
> Checking samba logs revealed this entry:
> log.samba-[2015/03/28 14:48:58.156066, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
> log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\workstation$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
> log.samba-[2015/03/28 14:48:58.160911, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
> log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\workstation$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
> log.samba-[2015/03/28 14:48:58.298127, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
>
> I'm not sure where to start debugging.
>
> Setup:
> DC-01 (Ubuntu 12.04 LTS)
> DC-02 (Ubuntu 12.04 LTS)
>
> Samba Version 4.1.17 (built from sources) using BIND_DLZ 9.9.5 (Extended Support Version)
>
> The domain was migrated from samba3 with classic upgrade.
>
> I'd love to hear any ideas or suggestions.
>
> Thanks in advance.
>
> Regards,
>
> Dominik
>
>
>
> ## smb.conf
> root at XXX-DC-01:~# cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>         workgroup = DOMAIN
>         realm = sub.domain.tld
>         netbios name = XXX-DC-01
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>         kccsrv:samba_kcc = false
>         tls enabled = yes
>         tls certfile = /usr/local/samba/private/tls/XXX-dc-01.pem
>         tls keyfile = /usr/local/samba/private/tls/XXX-dc-01-key_nopas.pem
>         tls cafile = /usr/local/samba/private/tls/cacert.pem
>         tls crlfile = /usr/local/samba/private/tls/domain-samba.crl
>         tls dhparams file = /usr/local/samba/private/tls/dcdhparams.pem
>         host msdfs = yes
>         log level = 2
>         syslog = 2
>         eventlog list = Application System Security SyslogLinux
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/biochem.dshs-koeln.de/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
>
>
> ---------------------------------------------------------------------
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message by mistake, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> Visit our web page: www.empre.es
>
> Este mensaje puede contener datos confidenciales o privilegiados. Si Vd. no es el destinatario ni ha sido autorizado por el mismo para recibir este mensaje, Vd. no debe usar, copiar, revelar ni tomar ninguna medida basada en este mensaje o en los datos que contiene. Si Vd. ha recibido este mensaje por error, avise de forma inmediata al remitente por email y borre el mensaje. Gracias por su ayuda.
> Visite nuestra web: www.empre.es
> ---------------------------------------------------------------------
>
> Please, Do not print this message unless it is necessary. Our environment is in our hands.
> Antes de imprimir este mensaje, piense si es realmente necesario. El medio ambiente depende de nosotros.
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
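The event text above says to make sure the target SPN is registered on only one account, and the earlier message notes that the workstation's pwdLastSet had just changed each time the failures started. The following Python script is an added example written for this thread (it is not from the thread, nor from Samba itself) that checks both from an LDIF dump of the domain's computer objects: it lists every SPN that is registered on more than one account, and lists machine accounts whose pwdLastSet lies within a few days of a reference time, converting the FILETIME integers that AD and Samba's logs use (the lastLogonTimestamp 131110567801968850 from the log above comes out as 2016-06-22 08:13 UTC). The LDIF is constructed; the attribute layout assumed is the plain `attribute: value` form that `ldbsearch` prints for `(objectClass=computer)`, which you should confirm against your own output (base64 `::` values are not handled here).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed LDIF sample (not real directory data), in the attribute: value
# layout assumed for an ldbsearch dump of computer objects.
SAMPLE_LDIF = """\
dn: CN=WORKSTATION,CN=Computers,DC=sub,DC=domain,DC=tld
sAMAccountName: WORKSTATION$
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
pwdLastSet: 131110567801968850
servicePrincipalName: HOST/WORKSTATION
servicePrincipalName: HOST/workstation.sub.domain.tld
servicePrincipalName: RestrictedKrbHost/WORKSTATION

dn: CN=WORKSTATION-OLD,CN=Computers,DC=sub,DC=domain,DC=tld
sAMAccountName: WORKSTATION-OLD$
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1042
pwdLastSet: 130900000000000000
servicePrincipalName: HOST/workstation.sub.domain.tld
servicePrincipalName: HOST/WORKSTATION-OLD

dn: CN=FILESRV,CN=Computers,DC=sub,DC=domain,DC=tld
sAMAccountName: FILESRV$
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1200
pwdLastSet: 131000000000000000
servicePrincipalName: HOST/filesrv.sub.domain.tld
"""

# Offset between the AD/Windows FILETIME epoch (1601-01-01) and the Unix epoch,
# in 100-nanosecond units.
EPOCH_DIFF_100NS = 116444736000000000


def filetime_to_datetime(ft):
    """Convert an AD FILETIME integer (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return datetime.fromtimestamp((int(ft) - EPOCH_DIFF_100NS) / 10_000_000, tz=timezone.utc)


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF into a list of dicts; attribute names are lower-cased,
    every attribute maps to a list of values, 'dn' maps to a string."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = {"dn": value}
        elif cur is not None:
            cur.setdefault(attr.lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def duplicate_spns(entries):
    """Return {spn: [accounts]} for every SPN registered on more than one account.
    SPNs are compared case-insensitively, as the KDC treats them."""
    owners = defaultdict(set)
    for e in entries:
        for spn in e.get("serviceprincipalname", []):
            owners[spn.lower()].add(e["samaccountname"][0])
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


def recently_reset_machines(entries, now_iso, max_age_days=3):
    """Return [(account, pwdLastSet as datetime)] for machine accounts ($ suffix) whose
    password was set within max_age_days before now_iso (an ISO 8601 time with offset)."""
    now = datetime.fromisoformat(now_iso)
    found = []
    for e in entries:
        name = e["samaccountname"][0]
        if not name.endswith("$") or "pwdlastset" not in e:
            continue
        when = filetime_to_datetime(e["pwdlastset"][0])
        if timedelta(0) <= now - when <= timedelta(days=max_age_days):
            found.append((name, when))
    return found


if __name__ == "__main__":
    objs = parse_ldif(SAMPLE_LDIF)
    for spn, accts in duplicate_spns(objs).items():
        print(f"SPN {spn} is registered on {len(accts)} accounts: {', '.join(accts)}")
    for name, when in recently_reset_machines(objs, "2016-06-24T10:35:23+00:00"):
        print(f"{name} reset its password at {when:%Y-%m-%d %H:%M:%S} UTC")
```

Run it against a real dump by replacing SAMPLE_LDIF with the output of an ldbsearch over your computer objects; an SPN that appears on two accounts is exactly the first cause the Windows event lists, and a machine account whose password was just reset narrows the search for the client that no longer agrees with the KDC.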
L.P.H. van Belle
2016-Jul-05 15:30 UTC
[Samba] Login not possible / machine account issues
Well, in my opinion, you have found your problem.

https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx
3) ..... After the unique system information is removed, ....

And https://blogs.msdn.microsoft.com/aaron_margosis/2009/11/05/machine-sids-and-domain-sids/ says:

Mark's point is that SIDs must be unique within the authority in which they are used. So while DEMOSYSTEM must have only one local account with the SID S-1-5-21-3419697060-3810377854-678604692-1000, it doesn't matter if another computer uses the same SID to refer to a local account of its own. However, within the BIGDOMAIN domain, there must be only one computer account with the SID S-1-5-21-124525095-708259637-1543119021-937822. If multiple computers in the domain try to share that computer SID within the domain, problems will occur. So while it's OK to clone a system before it joins a domain, doing so after it joins a domain (and is assigned a domain computer account and a corresponding domain SID) will cause problems.

And now the big question. Did you join before or after the clone?

I do have experience with this, and I also had problems when the same serial was used. So I get one brand, get the OEM CD of that brand, and create an image for that brand. In this case the Windows key isn't needed, since it's done by BIOS (OEM key). When you use Volume licences or Retail it's different again, but still, you can prevent problems: use sysprep when cloning.

Useful sysprep howto: http://www.tenforums.com/tutorials/3020-windows-10-image-customize-audit-mode-sysprep.html

Greetz,

Louis

> -----Original message-----
> From: Izan Díez Sánchez [mailto:ids at empre.es]
> Sent: Tuesday, 5 July 2016 16:30
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: RE: [Samba] Login not possible / machine account issues
>
> With computer serial do you mean machine SID? If so, yes; many computers are clones without sysprep. But as far as I know that wouldn't be a problem unless the affected computer is the domain controller, according to https://blogs.technet.microsoft.com/markrussinovich/2009/11/03/the-machine-sid-duplication-myth-and-why-sysprep-matters/ in a pure Windows AD domain.
>
> Is there any role the machine SID may be taking in the samba4 AD implementation? Something related with SPN...
>
> I've also checked UUIDs and computer names and there are no duplicated ones.
>
> Regards,
> Izan Díez Sánchez
> ids at empre.es