Roland Schwingel
2015-Jul-06 06:43 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
Good morning Rowland and samba list ...

Rowland Penny wrote on 03.07.2015 18:36:32:

> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org,
> Date: 03.07.2015 18:40
> Subject: Re: [Samba] Migration Samba3 -> Samba4: Accessing domain
> member server is not working
> Sent by: samba-bounces at lists.samba.org
>
> On 03/07/15 16:31, Roland Schwingel wrote:
> > Hi ...
> >
> > When trying to migrate from samba3 to samba 4.2.2 I am facing a severe
> > problem that has bugged me for hours now. I cannot get a samba 4.2.2
> > fileserver to work with a samba 4.2.2 PDC as a domain member.
> > ...
> Hi, there were some changes made when 4.2.0 came out, these changes may
> be your problem, see here:
>
> https://www.samba.org/samba/history/samba-4.2.0.html
>
> Under the heading: Winbindd/Netlogon improvements

Thanks for the hint. I read that and added "allow nt4 crypto = yes" to my 4.2.2 PDC. This changed things a little bit but still gives me no working 4.2.2 member server. I also added "require strong key = no" and "client NTLMv2 auth = no" to the member server's smb.conf, but it did not change anything.

Here is the log file on the dedicated member server of one client trying to connect to my member server:

SID for local machine OSUSE-TEST is: S-1-5-21-1853263269-3041869306-167322181
SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
Join to 'MYDOM' is OK
[2015/07/06 08:02:46.342573, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/07/06 08:02:46.342706, 3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 0 of length 159 (0 toread)
[2015/07/06 08:02:46.342748, 3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBnegprot (pid 10895) conn 0x0
[2015/07/06 08:02:46.343225, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2015/07/06 08:02:46.343263, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LANMAN1.0]
[2015/07/06 08:02:46.343288, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2015/07/06 08:02:46.343302, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LM1.2X002]
[2015/07/06 08:02:46.343313, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LANMAN2.1]
[2015/07/06 08:02:46.343329, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [NT LM 0.12]
[2015/07/06 08:02:46.343344, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [SMB 2.002]
[2015/07/06 08:02:46.343358, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [SMB 2.???]
[2015/07/06 08:02:46.343571, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2015/07/06 08:02:46.344934, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2015/07/06 08:02:46.344982, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2015/07/06 08:02:46.344996, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2015/07/06 08:02:46.356774, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'sasl-DIGEST-MD5' registered
[2015/07/06 08:02:46.356804, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'spnego' registered
[2015/07/06 08:02:46.356819, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'schannel' registered
[2015/07/06 08:02:46.356831, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2015/07/06 08:02:46.356841, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2015/07/06 08:02:46.356852, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2015/07/06 08:02:46.356862, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'http_basic' registered
[2015/07/06 08:02:46.356872, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2015/07/06 08:02:46.356883, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'krb5' registered
[2015/07/06 08:02:46.356894, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2015/07/06 08:02:46.357284, 3] ../source3/smbd/negprot.c:683(reply_negprot)
  Selected protocol SMB 2.???
[2015/07/06 08:02:46.359312, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2015/07/06 08:02:46.990929, 3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2015/07/06 08:02:46.991652, 3] ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
  Got user=[roland] domain=[MYDOM] workstation=[DEVINTEL-100] len1=24 len2=314
[2015/07/06 08:02:46.991697, 3] ../source3/param/loadparm.c:3647(lp_load_ex)
  lp_load_ex: refreshing parameters
[2015/07/06 08:02:46.991811, 3] ../source3/param/loadparm.c:564(init_globals)
  Initialising global parameters
[2015/07/06 08:02:46.991927, 3] ../source3/param/loadparm.c:2597(lp_do_section)
  Processing section "[global]"
[2015/07/06 08:02:46.992040, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[testshare]"
[2015/07/06 08:02:46.992111, 3] ../source3/param/loadparm.c:1495(lp_add_ipc)
  adding IPC service
[2015/07/06 08:02:46.994597, 3] ../source3/libsmb/namequery.c:3103(get_dc_list)
  get_dc_list: preferred server list: "PDCHOST, subnet-ldap"
[2015/07/06 08:02:46.994804, 3] ../source3/libsmb/namequery.c:2323(resolve_hosts)
  resolve_hosts: Attempting host lookup for name subnet-ldap<0x20>
[2015/07/06 08:02:47.022939, 3] ../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
  rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
[2015/07/06 08:02:47.023024, 3] ../source3/lib/util_sock.c:617(open_socket_out_send)
  Connecting to 192.168.9.3 at port 445
[2015/07/06 08:02:47.083675, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYDOM]\[roland]@[DEVINTEL-100] with the new password interface
[2015/07/06 08:02:47.083721, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [MYDOM]\[roland]@[DEVINTEL-100]
[2015/07/06 08:02:47.083862, 3] ../source3/libsmb/namequery.c:3103(get_dc_list)
  get_dc_list: preferred server list: "PDCHOST, subnet-ldap"
[2015/07/06 08:02:47.084734, 3] ../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
  rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
[2015/07/06 08:02:47.084963, 3] ../source3/lib/util_sock.c:617(open_socket_out_send)
  Connecting to 192.168.9.3 at port 445
[2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/06 08:02:47.189817, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/06 08:02:47.189854, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/06 08:02:47.190446, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

So the problem is appearing here:

[2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.

Why on earth is this happening? When my Win7 test machine tries to access the 4.2.2 PDC directly, everything is fine and easy. So I believe the setup of the PDC is correct.

In the first 2 lines of the log I see the SIDs dumped, both for my domain and for my member server:

SID for local machine OSUSE-TEST is: S-1-5-21-1853263269-3041869306-167322181
SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
Join to 'MYDOM' is OK

According to my LDAP the SID for my test member server (OSUSE-TEST) should be S-1-5-21-290147797-1639656955-1287535205-61405. Is this maybe a problem? Or is this just the real local SID, not the domain SID of this machine?

Where shall I look on my 4.2.2 PDC to get more info on the auth problem? The log files for the member server are empty on my PDC.

Thanks for all your help! I hope this can be resolved soon!

Roland
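As an added illustration (not part of Roland's message and not Samba code), the Python below parses smbd debug entries of the shape quoted above, pulls out failed pass-through validations against the DC together with their NT_STATUS code, and checks the SID relation behind the question at the end of the post: a domain account SID is the domain SID followed by exactly one RID, so S-1-5-21-290147797-1639656955-1287535205-61405 is an account in MYDOM, whereas the "SID for local machine" line is the member server's own local SID and is expected to differ from the domain SID. The sample log is constructed from three entries in the post, written in smbd's native two-line layout (header line, then indented message), and the parser assumes one entry header per line.

```python
import re
from dataclasses import dataclass

# Constructed sample built from three entries quoted in the post, in smbd's two-line shape.
SAMPLE_LOG = """\
[2015/07/06 08:02:47.083675, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYDOM]\\[roland]@[DEVINTEL-100]
[2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/06 08:02:47.189817, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
"""
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+(\S+?):(\d+)\((\w+)\)")
PASSTHROUGH = re.compile(r"unable to validate password for user (\S+) in domain (\S+) "
                         r"to Domain controller (\S+)\. Error was (NT_STATUS_\w+)")

@dataclass
class Entry:
    ts: str
    level: int   # smbd debug level; 0 is the most severe
    src: str     # source file and line, e.g. ../source3/auth/auth_domain.c:302
    func: str    # function that emitted the entry
    msg: str     # message text, joined from the continuation line(s)

def parse_entries(text):
    """Split smbd debug output into Entry records (one '[ts, level] file:line(func)' header per line)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, src, lineno, func = m.groups()
            entries.append(Entry(ts, int(level), f"{src}:{lineno}", func, line[m.end():].strip()))
        elif entries:  # indented continuation line belongs to the previous header
            entries[-1].msg = (entries[-1].msg + " " + line.strip()).strip()
    return entries

def passthrough_failures(entries):
    """Failed pass-through validations of a client's NTLM logon against the DC, with status code."""
    out = []
    for e in entries:
        m = PASSTHROUGH.search(e.msg)
        if e.func == "domain_client_validate" and m:
            user, domain, dc, status = m.groups()
            out.append({"ts": e.ts, "user": user, "domain": domain, "dc": dc, "status": status})
    return out

def sid_parent(sid):  # drop the trailing RID: S-1-5-21-a-b-c-61405 -> S-1-5-21-a-b-c
    return sid.rsplit("-", 1)[0]

def is_domain_account(sid, domain_sid):  # true exactly when sid is domain_sid plus one RID
    return sid_parent(sid) == domain_sid
```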