Pisch Tamás
2016-Jul-26 09:06 UTC
[Samba] authentication problem after upgrade to Debian Jessie
Hi,

thank you for your answer. Yesterday I solved the problem. It turned out that getent passwd and getent group gave entries only from flat files. It was related to nsswitch.conf and libnss-ldap. The former was ok, but the latter was different on the two servers. On the PDC, libnss-ldapd was installed, but on the BDC it was libnss-ldap. According to the Debian Wiki, libnss-ldapd is simpler, and better in some way, so I switched to it on the BDC. During installation, it asked for the settings (which, unfortunately, I don't know where it stores) and then the authentication worked! With the distribution upgrade, the libnss-ldap version changed, and I think the configuration file parameters of libnss-ldap changed, but I kept my old settings. Maybe that broke the authentication.
Thanks.

2016-07-26 10:43 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> Hi,
>
> SPNEGO is related to SASL which seems to me related to Kerberos (at least
> in AD context). You said you are running Samba domain in "classic mode"
> which should mean that this domain is a NT4 domain. And as far as I'm
> aware, NT4 domains don't support Kerberos.
>
> Could you post your smb.conf files please? For both server srv3 and srv7.
>
> 2016-07-22 10:37 GMT+02:00 Pisch Tamás <pischta at gmail.com>:
>
>> Hi,
>>
>> I upgraded our servers from Wheezy to Jessie. I use samba in classic mode,
>> with openldap backend. After the upgrade, on the PDC (srv3) everything
>> seems to be ok, it authenticates, the netlogon share is accessible on it,
>> but on the BDC (srv7), which is the file server, the authentication doesn't
>> work, shares are inaccessible.
>> I compared and synchronized the configuration files to be as similar as
>> possible on the two servers, but it didn't solve this problem (there were
>> other smaller issues, they were solved with the changes).
>> After the upgrade, smbd didn't start at all. I reindexed the ldap
>> databases, and I think it helped to start smbd.
>> The following commands give correct results:
>> wbinfo -u
>> wbinfo -g
>> nmblookup -B SRV7 __SAMBA__
>> nmblookup -B DS1021 '*'
>> nmblookup -d 2 '*'
>> nmblookup -M xyz
>>
>> The following commands give errors:
>> smbclient -U admin //SRV7/NETLOGON
>> Enter admin's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> smbclient -L SRV7 -d 10
>> ...
>> Processing section "[global]"
>> doing parameter dos charset = CP852
>> doing parameter unix charset = UTF8
>> doing parameter workgroup = XYZ
>> doing parameter server string = SRV7
>> doing parameter interfaces = lo 192.168.0.7/24
>> doing parameter bind interfaces only = Yes
>> doing parameter security = USER
>> doing parameter passdb backend = ldapsam:"ldap://127.0.0.1:389"
>> doing parameter syslog = 0
>> doing parameter log file = /var/log/samba/log.%m
>> doing parameter max log size = 1000
>> doing parameter smb ports = 139
>> doing parameter server max protocol = SMB2
>> doing parameter name resolve order = host wins bcast
>> doing parameter time server = Yes
>> doing parameter printcap name = /etc/printcap
>> doing parameter logon script = scripts\logon.cmd
>> doing parameter logon path = \\SRV7\profiles\%U
>> doing parameter logon drive = H:
>> doing parameter logon home = \\SRV7\%U
>> doing parameter domain logons = Yes
>> doing parameter preferred master = No
>> doing parameter domain master = No
>> doing parameter dns proxy = No
>> doing parameter wins server = 192.168.0.3
>> doing parameter ldap admin dn = cn=ldapsu,dc=xyz,dc=site
>> doing parameter ldap group suffix = ou=Groups
>> doing parameter ldap idmap suffix = ou=Idmap
>> doing parameter ldap machine suffix = ou=People
>> doing parameter ldap passwd sync = yes
>> doing parameter ldap suffix = dc=xyz,dc=site
>> doing parameter ldap ssl = no
>> doing parameter ldap user suffix = ou=People
>> doing parameter eventlog list = Security Application Syslog
>> doing parameter panic action = /usr/share/samba/panic-action %d
>> doing parameter idmap config * : ldap_user_dn = cn=idmapsu,dc=xyz,dc=site
>> doing parameter idmap config * : ldap_base_dn = ou=Idmap,dc=xyz,dc=site
>> doing parameter idmap config * : ldap_url = ldap://127.0.0.1:389/
>> doing parameter idmap config * : range = 10000-20000
>> doing parameter idmap config * : default = yes
>> doing parameter ldapsam:trusted = yes
>> doing parameter idmap config * : backend = ldap
>> doing parameter acl allow execute always = Yes
>> doing parameter create mask = 0770
>> doing parameter directory mask = 0770
>> doing parameter map acl inherit = Yes
>> doing parameter veto oplock files = /*.pdf/*.pst/
>> doing parameter browseable = No
>> doing parameter csc policy = disable
>> pm_process() returned Yes
>> lp_servicenumber: couldn't find homes
>> added interface lo ip=::1 bcast
>> netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
>> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
>> interpret_interface: Adding interface 192.168.0.7/24
>> added interface 192.168.0.7/24 ip=192.168.0.7 bcast=192.168.0.255
>> netmask=255.255.255.0
>> Netbios name list:-
>> my_netbios_names[0]="SRV7"
>> Client started (version 4.2.10-Debian).
>> Enter admin's password:
>> Opening cache file at /var/cache/samba/gencache.tdb
>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>> sitename_fetch: No stored sitename for
>> internal_resolve_name: looking up SRV7#20 (sitename (null))
>> name SRV7#20 found.
>> remove_duplicate_addrs2: looking for duplicate address/port pairs
>> Connecting to 192.168.0.7 at port 445
>> Connecting to 192.168.0.7 at port 139
>> Socket options:
>>         SO_KEEPALIVE = 0
>>         SO_REUSEADDR = 0
>>         SO_BROADCAST = 0
>>         TCP_NODELAY = 1
>>         TCP_KEEPCNT = 9
>>         TCP_KEEPIDLE = 7200
>>         TCP_KEEPINTVL = 75
>>         IPTOS_LOWDELAY = 0
>>         IPTOS_THROUGHPUT = 0
>>         SO_REUSEPORT = 0
>>         SO_SNDBUF = 2626560
>>         SO_RCVBUF = 1061808
>>         SO_SNDLOWAT = 1
>>         SO_RCVLOWAT = 1
>>         SO_SNDTIMEO = 0
>>         SO_RCVTIMEO = 0
>>         TCP_QUICKACK = 1
>>         TCP_DEFER_ACCEPT = 0
>> session request ok
>> Doing spnego session setup (blob length=74)
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178 at please_ignore
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'ntlmssp_resume_ccache' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Starting GENSEC mechanism spnego
>> Starting GENSEC submechanism ntlmssp
>> negotiate: struct NEGOTIATE_MESSAGE
>>     Signature : 'NTLMSSP'
>>     MessageType : NtLmNegotiate (1)
>>     NegotiateFlags : 0x62088215 (1644724757)
>>         1: NTLMSSP_NEGOTIATE_UNICODE
>>         0: NTLMSSP_NEGOTIATE_OEM
>>         1: NTLMSSP_REQUEST_TARGET
>>         1: NTLMSSP_NEGOTIATE_SIGN
>>         0: NTLMSSP_NEGOTIATE_SEAL
>>         0: NTLMSSP_NEGOTIATE_DATAGRAM
>>         0: NTLMSSP_NEGOTIATE_LM_KEY
>>         0: NTLMSSP_NEGOTIATE_NETWARE
>>         1: NTLMSSP_NEGOTIATE_NTLM
>>         0: NTLMSSP_NEGOTIATE_NT_ONLY
>>         0: NTLMSSP_ANONYMOUS
>>         0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>>         0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>>         0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>>         1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>         0: NTLMSSP_TARGET_TYPE_DOMAIN
>>         0: NTLMSSP_TARGET_TYPE_SERVER
>>         0: NTLMSSP_TARGET_TYPE_SHARE
>>         1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>         0: NTLMSSP_NEGOTIATE_IDENTIFY
>>         0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>>         0: NTLMSSP_NEGOTIATE_TARGET_INFO
>>         1: NTLMSSP_NEGOTIATE_VERSION
>>         1: NTLMSSP_NEGOTIATE_128
>>         1: NTLMSSP_NEGOTIATE_KEY_EXCH
>>         0: NTLMSSP_NEGOTIATE_56
>>     DomainNameLen : 0x0000 (0)
>>     DomainNameMaxLen : 0x0000 (0)
>>     DomainName : *
>>         DomainName : ''
>>     WorkstationLen : 0x0000 (0)
>>     WorkstationMaxLen : 0x0000 (0)
>>     Workstation : *
>>         Workstation : ''
>>     Version: struct ntlmssp_VERSION
>>         ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
>>         ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
>>         ProductBuild : 0x0000 (0)
>>         Reserved: ARRAY(3)
>>             [0] : 0x00 (0)
>>             [1] : 0x00 (0)
>>             [2] : 0x00 (0)
>>         NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x62898215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_TARGET_TYPE_DOMAIN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x62088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x62088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> SPNEGO login failed: Logon failure
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> What could be the problem?
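The check that resolved this thread (does NSS actually hand back LDAP accounts, or only the flat files?) as a scripted diagnostic added here; it is not from the post or from Samba. It reads the sources configured for a database in nsswitch.conf and compares getent output against the flat file; the nsswitch.conf content, the flat /etc/passwd and the two getent captures are constructed sample data.

```shell
#!/bin/sh
# Constructed sample data (not from the list post): an nsswitch.conf, a flat
# /etc/passwd and two captured 'getent passwd' outputs.
NSSWITCH='passwd:         compat ldap
group:          compat ldap
shadow:         compat
hosts:          files dns'

FLAT_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# Healthy server: NSS also returns the LDAP-backed domain account.
GETENT_OK="$FLAT_PASSWD
pischta:x:10001:10001:Constructed domain user:/home/pischta:/bin/bash"

# Broken server: getent echoes the flat file only, the ldap source adds nothing.
GETENT_BROKEN="$FLAT_PASSWD"

# Print the NSS sources configured for a database, e.g. "compat ldap".
nss_sources() {
    printf '%s\n' "$1" | awk -v db="$2" '$1 == db":" { $1 = ""; sub(/^ /, ""); print }'
}

# Names that getent returned but the flat file does not contain, i.e. the
# entries that must have come from a non-file source such as LDAP.
non_flat_entries() {
    getent_out="$1"; flat="$2"
    printf '%s\n' "$getent_out" | cut -d: -f1 | while IFS= read -r name; do
        printf '%s\n' "$flat" | cut -d: -f1 | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# Return 0 when the ldap source is configured AND actually yields entries,
# 1 when it is configured but silent (the symptom in the thread),
# 2 when nsswitch.conf does not list ldap for that database at all.
check_nss_ldap() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) ;;
        *) return 2 ;;
    esac
    [ -n "$(non_flat_entries "$3" "$4")" ] && return 0
    return 1
}

# Live usage on the server under test:
# check_nss_ldap "$(cat /etc/nsswitch.conf)" passwd "$(getent passwd)" "$(cat /etc/passwd)"
```

Run the same check with `group`, `getent group` and `/etc/group` to cover the second half of the symptom; a return of 1 points at the NSS LDAP module or its configuration rather than at smb.conf.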