samba - Apr 2016 - Nonfunctional linux/CIFS mounts after update (ADS / windows DC auth)

Failure for me is always:

SMB PACKET: SMBsesssetupX (REPLY)
> SMB Command   =  0x73
> Error class   =  0x6D
> Error code    =  49152 (0xc000)
> Flags1        =  0x80
> Flags2        =  0x3
> Tree ID       =  0 (0x0)
> Proc ID       =  12056 (0x2f18)
> UID           =  29165 (0x71ed)
> MID           =  3 (0x3)
> Word Count    =  0 (0x0)
> NTError = STATUS_LOGON_FAILURE
> smb_bcc=0
>
Credentials are correct; it works through nautilus' smb://...

Let me know what else would help to diagnose. I can also privately share
verbose samba or other logs.

Thanks,
Patrick


On Tue, Apr 26, 2016 at 3:59 PM, Jeremy Allison <jra at samba.org> wrote:
> On Tue, Apr 26, 2016 at 12:06:39PM -0400, Glomski, Patrick wrote:
> > Greetings,
> >
> > We use samba to share files to windows and linux machines and are in
the
> > same boat as several others recently posting to the list. When badlock
> > patches came out, we updated our CentOS7 samba server (everything from
> > samba to sssd to krb5 to nss was updated) and immediately had problems
> with
> > both client types not connecting to the windows shares.
> >
> > Windows machine connections were solved by using the realm
> > (workgroup.com\username)
> > to log in instead of the workgroup (workgroup\username). Although
it's
> not
> > clear to me as to why I need '.com' to authenticate all of a
sudden, it
> > functions and isn't a critical concern for this production server.
> >
> > Linux machines were mounting via 'mount -t cifs -o
> > user=workgroup/username'. This mount no longer functions and it
appears
> > (setting server log level to 10) that the authentication on the server
is
> > failing where it used to succeed. 'smbclient' also fails.
>
> Get a wireshark trace and post what error is returned please.
>

On Tue, Apr 26, 2016 at 05:08:48PM -0400, Glomski, Patrick
wrote:
> Failure for me is always:
> 
> SMB PACKET: SMBsesssetupX (REPLY)
> > SMB Command   =  0x73
> > Error class   =  0x6D
> > Error code    =  49152 (0xc000)
> > Flags1        =  0x80
> > Flags2        =  0x3
> > Tree ID       =  0 (0x0)
> > Proc ID       =  12056 (0x2f18)
> > UID           =  29165 (0x71ed)
> > MID           =  3 (0x3)
> > Word Count    =  0 (0x0)
> > NTError = STATUS_LOGON_FAILURE
> > smb_bcc=0
> >
> 
> Credentials are correct; it works through nautilus' smb://...
> 
> Let me know what else would help to diagnose. I can also privately share
> verbose samba or other logs.
Debug level 10 on smbd. Look into the cause
of the STATUS_LOGON_FAILURE in SMBsesssetupX
(should be pretty obvious from that).

I have been running in loglevel 10 and looking at the logs, but as I said
in my initial post the credentials function fine with nautilus. Appended is
a connection log snippet where samba walks through a cascade of
authentication methods and finally fails.

Earlier in the log, samba successfully determines which domain controller
to talk to and pulls its information. However, just before the failure
there is a line which I feel is the root cause of the problem.
>   domain_client_validate: Domain password server not available.
>
Taken at face value (not the best idea as it seems to be walking through a
set of authentication methods), it indicates that somehow the information
about the domain controller doing the authentication has been lost.

The password is good: It works on Windows and it works with nautilus. Samba
says the password is bad when using cifs or smbclient. What gives?

For the situational awareness of others affected by this issue, I hoped it
was sssd or the associated name service switch libraries, so I built and
installed rpms for an older version of sssd. No dice.

Patrick

[2016/04/26 17:06:13.912141,  3, pid=11263, effective(0, 0), real(0,
0)]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088a15
>     NTLMSSP_NEGOTIATE_UNICODE
>     NTLMSSP_REQUEST_TARGET
>     NTLMSSP_NEGOTIATE_SIGN
>     NTLMSSP_NEGOTIATE_NTLM
>     NTLMSSP_ANONYMOUS
>     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>     NTLMSSP_NEGOTIATE_VERSION
>     NTLMSSP_NEGOTIATE_128
>     NTLMSSP_NEGOTIATE_KEY_EXCH
> [2016/04/26 17:06:13.913179,  3, pid=11263, effective(0, 0), real(0, 0)]
> ../source3/libsmb/cliconnect.c:2173(cli_session_setup_done_spnego)
>   SPNEGO login failed: Logon failure
> [2016/04/26 17:06:13.913395,  0, pid=11263, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth_domain.c:184(domain_client_validate)
>   domain_client_validate: Domain password server not available.
> [2016/04/26 17:06:13.915495,  5, pid=11263, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [testuser] FAILED
> with error NT_STATUS_LOGON_FAILURE
> [2016/04/26 17:06:13.915542,  2, pid=11263, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [testuser] -> [testuser]
> FAILED with error NT_STATUS_LOGON_FAILURE
> [2016/04/26 17:06:13.915561,  5, pid=11263, effective(0, 0), real(0, 0)]
> ../source3/auth/auth_ntlmssp.c:188(auth3_check_password)
>   Checking NTLMSSP password for workgroup\testuser failed:
> NT_STATUS_LOGON_FAILURE
> [2016/04/26 17:06:13.915600,  3, pid=11263, effective(0, 0), real(0, 0)]
> ../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../source3/smbd/sesssetup.c(934) cmd=115
> (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>


On Wed, Apr 27, 2016 at 2:50 PM, Jeremy Allison <jra at samba.org> wrote:
> On Tue, Apr 26, 2016 at 05:08:48PM -0400, Glomski, Patrick wrote:
> > Failure for me is always:
> >
> > SMB PACKET: SMBsesssetupX (REPLY)
> > > SMB Command   =  0x73
> > > Error class   =  0x6D
> > > Error code    =  49152 (0xc000)
> > > Flags1        =  0x80
> > > Flags2        =  0x3
> > > Tree ID       =  0 (0x0)
> > > Proc ID       =  12056 (0x2f18)
> > > UID           =  29165 (0x71ed)
> > > MID           =  3 (0x3)
> > > Word Count    =  0 (0x0)
> > > NTError = STATUS_LOGON_FAILURE
> > > smb_bcc=0
> > >
> >
> > Credentials are correct; it works through nautilus' smb://...
> >
> > Let me know what else would help to diagnose. I can also privately
share
> > verbose samba or other logs.
>
> Debug level 10 on smbd. Look into the cause
> of the STATUS_LOGON_FAILURE in SMBsesssetupX
> (should be pretty obvious from that).
>