samba - Oct 2016 - invalid NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER

Hello,

since I upgraded my NT4 domain Samba 4.2.11 to 4.2.14 I can no longer 
authenticate
when I access any share.
After that I even upgraded to Samba 4.4.5 but still get the same error:


[2016/10/15 04:42:19.786198,  2] 
../source3/auth/auth.c:305(auth_check_ntlm_password)
   check_ntlm_password:  authentication for user [xx] -> [xx] -> [xx] 
succeeded
[2016/10/15 04:42:19.789933,  1] 
../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
   ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx] 
domain=[XXXXXXX] workstation=[XXXXX]
[2016/10/15 04:42:19.789982,  1] ../lib/util/util.c:559(dump_data)
   [0000] 97 BD D0 A6 D7 16 E4 0A   59 33 62 ED CC 6A 35 04 ........ 
Y3b..j5.
[2016/10/15 04:42:19.790035,  1] ../lib/util/util.c:559(dump_data)
   [0000] F2 85 BB 00 46 11 89 C4   84 E3 2C 4C 5D FA F4 6A ....F... 
..,L]..j
[2016/10/15 04:42:19.790095,  2] 
../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_INVALID_PARAMETER


Server: FreeBSD 10.3/64 bit
Clients: Windows 7 64bit

When I downgrade to 4.2.11 everything works again.
An upgrade to DC is currently not an option so I need to stick to NT4 
PDC for a while.

I duplicated the whole server to a VM, so I could test anything and 
wouldn't harm the production server.

Any idea what might the cause?
Do you need more Information?




My smb.conf:

[global]

    workgroup = XXXXXXX
    netbios name = SERVER
    unix password sync = false
    max log size = 100
    unix extensions = no
    log level = 2 vfs:2
    map to guest = Bad User
    server max protocol = smb2
    server min protocol = smb2
    passdb backend = tdbsam
    unix charset = ISO8859-1
    dos charset = CP1252
    bind interfaces only = yes
    hosts allow = 192.168.255. 127.
    acl allow execute always = True
    load printers = no
    log file = /var/log/samba4/log.%m
    log level = 2
    security = user
    encrypt passwords = yes
    interfaces = em0, lo0
    local master = yes
    os level = 65
    domain master = yes
    preferred master = yes
    domain logons = yes
    wins support = yes
    wins proxy = yes
    dns proxy = no

On 24/10/16 18:03, Boris S. via samba wrote:
>
> Hello,
>
> since I upgraded my NT4 domain Samba 4.2.11 to 4.2.14 I can no longer
> authenticate
> when I access any share.
> After that I even upgraded to Samba 4.4.5 but still get the same error:
>
>
> [2016/10/15 04:42:19.786198,  2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [xx] -> [xx] -> [xx]
> succeeded
> [2016/10/15 04:42:19.789933,  1]
> ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
>   ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx]
> domain=[XXXXXXX] workstation=[XXXXX]
> [2016/10/15 04:42:19.789982,  1] ../lib/util/util.c:559(dump_data)
>   [0000] 97 BD D0 A6 D7 16 E4 0A   59 33 62 ED CC 6A 35 04 ........
> Y3b..j5.
> [2016/10/15 04:42:19.790035,  1] ../lib/util/util.c:559(dump_data)
>   [0000] F2 85 BB 00 46 11 89 C4   84 E3 2C 4C 5D FA F4 6A ....F...
> ..,L]..j
> [2016/10/15 04:42:19.790095,  2]
> ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
>
>
> Server: FreeBSD 10.3/64 bit
> Clients: Windows 7 64bit
>
> When I downgrade to 4.2.11 everything works again.
> An upgrade to DC is currently not an option so I need to stick to NT4
> PDC for a while.
>
> I duplicated the whole server to a VM, so I could test anything and
> wouldn't harm the production server.
>
> Any idea what might the cause?
> Do you need more Information?
>
>
>
>
> My smb.conf:
>
> [global]
>
>    workgroup = XXXXXXX
>    netbios name = SERVER
>    unix password sync = false
>    max log size = 100
>    unix extensions = no
>    log level = 2 vfs:2
>    map to guest = Bad User
>    server max protocol = smb2
>    server min protocol = smb2
>    passdb backend = tdbsam
>    unix charset = ISO8859-1
>    dos charset = CP1252
>    bind interfaces only = yes
>    hosts allow = 192.168.255. 127.
>    acl allow execute always = True
>    load printers = no
>    log file = /var/log/samba4/log.%m
>    log level = 2
>    security = user
>    encrypt passwords = yes
>    interfaces = em0, lo0
>    local master = yes
>    os level = 65
>    domain master = yes
>    preferred master = yes
>    domain logons = yes
>    wins support = yes
>    wins proxy = yes
>    dns proxy = no
>
>
>
>
I have had pretty much the same issue against CentOS 6.x/Samba 3.x DCs
from Samba 4.2.x (CentOS) and 4.4.x (Sernet) File servers.

Please look at BZ#12393 and add your findings:
https://bugzilla.samba.org/show_bug.cgi?id=12303

We upgraded our DCs to 4.4.x and it went away. Are you /really/ still
running actual NT4 DCs? Wow....

Cheers

Alex




--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608
5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).

With the patches for BADLOCK I had to upgrade/patch my domain 
controllers first then upgrade the member servers.

In addition to security fixes, some of the signing defaults changed so I 
think I had to explicitly set

         server signing = No



On 10/24/16 14:25, Alex Crow via samba wrote:
>
> On 24/10/16 18:03, Boris S. via samba wrote:
>> Hello,
>>
>> since I upgraded my NT4 domain Samba 4.2.11 to 4.2.14 I can no longer
>> authenticate
>> when I access any share.
>> After that I even upgraded to Samba 4.4.5 but still get the same error:
>>
>>
>> [2016/10/15 04:42:19.786198,  2]
>> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>>    check_ntlm_password:  authentication for user [xx] -> [xx] ->
[xx]
>> succeeded
>> [2016/10/15 04:42:19.789933,  1]
>> ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
>>    ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx]
>> domain=[XXXXXXX] workstation=[XXXXX]
>> [2016/10/15 04:42:19.789982,  1] ../lib/util/util.c:559(dump_data)
>>    [0000] 97 BD D0 A6 D7 16 E4 0A   59 33 62 ED CC 6A 35 04 ........
>> Y3b..j5.
>> [2016/10/15 04:42:19.790035,  1] ../lib/util/util.c:559(dump_data)
>>    [0000] F2 85 BB 00 46 11 89 C4   84 E3 2C 4C 5D FA F4 6A ....F...
>> ..,L]..j
>> [2016/10/15 04:42:19.790095,  2]
>> ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
>>    SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
>>
>>
>> Server: FreeBSD 10.3/64 bit
>> Clients: Windows 7 64bit
>>
>> When I downgrade to 4.2.11 everything works again.
>> An upgrade to DC is currently not an option so I need to stick to NT4
>> PDC for a while.
>>
>> I duplicated the whole server to a VM, so I could test anything and
>> wouldn't harm the production server.
>>
>> Any idea what might the cause?
>> Do you need more Information?
>>
>>
>>
>>
>> My smb.conf:
>>
>> [global]
>>
>>     workgroup = XXXXXXX
>>     netbios name = SERVER
>>     unix password sync = false
>>     max log size = 100
>>     unix extensions = no
>>     log level = 2 vfs:2
>>     map to guest = Bad User
>>     server max protocol = smb2
>>     server min protocol = smb2
>>     passdb backend = tdbsam
>>     unix charset = ISO8859-1
>>     dos charset = CP1252
>>     bind interfaces only = yes
>>     hosts allow = 192.168.255. 127.
>>     acl allow execute always = True
>>     load printers = no
>>     log file = /var/log/samba4/log.%m
>>     log level = 2
>>     security = user
>>     encrypt passwords = yes
>>     interfaces = em0, lo0
>>     local master = yes
>>     os level = 65
>>     domain master = yes
>>     preferred master = yes
>>     domain logons = yes
>>     wins support = yes
>>     wins proxy = yes
>>     dns proxy = no
>>
>>
>>
>>
> I have had pretty much the same issue against CentOS 6.x/Samba 3.x DCs
> from Samba 4.2.x (CentOS) and 4.4.x (Sernet) File servers.
>
> Please look at BZ#12393 and add your findings:
> https://bugzilla.samba.org/show_bug.cgi?id=12303
>
> We upgraded our DCs to 4.4.x and it went away. Are you /really/ still
> running actual NT4 DCs? Wow....
>
> Cheers
>
> Alex
>
>
>
>
> --
> This message is intended only for the addressee and may contain
> confidential information. Unless you are that person, you may not
> disclose its contents or use it in any way and are requested to delete
> the message along with any attachments and notify us immediately.
> This email is not intended to, nor should it be taken to, constitute
advice.
> The information provided is correct to our knowledge & belief and must
not
> be used as a substitute for obtaining tax, regulatory, investment, legal or
> any other appropriate advice.
>
> "Transact" is operated by Integrated Financial Arrangements Ltd.
> 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020)
7608 5300.
> (Registered office: as above; Registered in England and Wales under
> number: 3727592). Authorised and regulated by the Financial Conduct
> Authority (entered on the Financial Services Register; no. 190856).
>

Answering my own question:

I "fixed" it with forcing Windows 7 clients to use LM/NTLM.

using gpedit.msc -> Local Computer Policy - Computer Configuration - 
Windows Settings - Security Settings - Local Policies - Security Options
Changing "LAN Manager authentication level" to "send LM &
NTLM responses"
https://social.technet.microsoft.com/Forums/windows/en-US/aca3e2d0-6d43-431f-bbba-3c01aea6d5a6/changing-authentication-level?forum=w7itpronetworking


So it seems that all current Samba versions doesn't support a classic 
domain (PDC) to use NTLMv2
although it was possible until Samba 4.2.11.

Boris



Am 24.10.2016 um 19:03 schrieb Boris S. via samba:
>
> Hello,
>
> since I upgraded my NT4 domain Samba 4.2.11 to 4.2.14 I can no 
> longer authenticate
> when I access any share.
> After that I even upgraded to Samba 4.4.5 but still get the same error:
>
>
> [2016/10/15 04:42:19.786198,  2] 
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [xx] -> [xx] -> [xx] 
> succeeded
> [2016/10/15 04:42:19.789933,  1] 
> ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
>   ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx] 
> domain=[XXXXXXX] workstation=[XXXXX]
> [2016/10/15 04:42:19.789982,  1] ../lib/util/util.c:559(dump_data)
>   [0000] 97 BD D0 A6 D7 16 E4 0A   59 33 62 ED CC 6A 35 04 ........ 
> Y3b..j5.
> [2016/10/15 04:42:19.790035,  1] ../lib/util/util.c:559(dump_data)
>   [0000] F2 85 BB 00 46 11 89 C4   84 E3 2C 4C 5D FA F4 6A ....F... 
> ..,L]..j
> [2016/10/15 04:42:19.790095,  2] 
> ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
>
>
> Server: FreeBSD 10.3/64 bit
> Clients: Windows 7 64bit
>
> When I downgrade to 4.2.11 everything works again.
> An upgrade to DC is currently not an option so I need to stick to 
> NT4 PDC for a while.
>
> I duplicated the whole server to a VM, so I could test anything and 
> wouldn't harm the production server.
>
> Any idea what might the cause?
> Do you need more Information?
>
>
>
>
> My smb.conf:
>
> [global]
>
>    workgroup = XXXXXXX
>    netbios name = SERVER
>    unix password sync = false
>    max log size = 100
>    unix extensions = no
>    log level = 2 vfs:2
>    map to guest = Bad User
>    server max protocol = smb2
>    server min protocol = smb2
>    passdb backend = tdbsam
>    unix charset = ISO8859-1
>    dos charset = CP1252
>    bind interfaces only = yes
>    hosts allow = 192.168.255. 127.
>    acl allow execute always = True
>    load printers = no
>    log file = /var/log/samba4/log.%m
>    log level = 2
>    security = user
>    encrypt passwords = yes
>    interfaces = em0, lo0
>    local master = yes
>    os level = 65
>    domain master = yes
>    preferred master = yes
>    domain logons = yes
>    wins support = yes
>    wins proxy = yes
>    dns proxy = no
>
>
>
>