Alnis Morics
2017-Feb-06 08:07 UTC
[Samba] Regular users can't log in to Samba AD DC from Windows
Hi,
I continue setting up my FreeBSD 11.0 machine with Samba 4.4.9 built
from sources. (Actually, OS type and Samba version don't matter so much,
as I have the same problem with Debian Jessie and Samba 4.5.5.)
I followed the Wiki very closely. Some details from provisioning:
...
Realm [RW.LAN]:
Domain [RW]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
[SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding)
[8.8.8.8]:
...
Server Role: active directory domain controller
Hostname: samba4-pfbsd
NetBIOS Domain: RW
DNS Domain: rw.lan
DOMAIN SID: S-1-5-21-324325147-3161353582-651567851
The generated smb.conf file (I only add a user shell definition and a
file share):
# Global parameters
[global]
netbios name = SAMBA4-PFBSD
realm = RW.LAN
workgroup = RW
dns forwarder = 8.8.8.8
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
template shell = /usr/sbin/nologin
[netlogon]
path = /usr/local/samba/var/locks/sysvol/rw.lan/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[samba-share]
path = /samba-share
read only = no
The generated krb5.conf:
[libdefaults]
default_realm = RW.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
/etc/nsswitch.conf:
# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
group: files winbind
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
All suggested tests (LDAP, SRV, A, Kerberos) passed; I also created a
reverse DNS zone and a test user "user1".
Next, I successfully joined a Windows 10 Enterprise machine and logged
in as a domain administrator. I can access the file share, write to it,
set Windows permissions.
But when I open ADUC and click a user properties, I only have 5 tabs
there (Environment, Sessions, Remote control, Remote Desktop Service
Profile, COM+), and I can't add any other user. Windows just says
nothing but from Samba logs I see something like this:
...
ldb_wrap open of secrets.ldb
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
ldb_request BASE dn=CN=Users,DC=rw,DC=lan filter=(objectClass=*)
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 16:44:01 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
...
And I can't log in from the Windows machine to the domain with user1.
Windows says, "Username or password is incorrect", and in Samba logs I
see:
...
Kerberos: AS-REQ user1\@RW.LAN at RW.LAN from ipv4:192.168.0.102:56084 for
krbtgt/RW.LAN at RW.LAN
Kerberos: Client sent patypes: 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN at RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN at RW.LAN
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
user1\@RW.LAN at RW.LAN
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ user1\@RW.LAN at RW.LAN from ipv4:192.168.0.102:56085 for
krbtgt/RW.LAN at RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN at RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN at RW.LAN
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN at RW.LAN (enctype
aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for
checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after
wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN at RW.LAN
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ user1\@RW.LAN at RW.LAN from ipv4:192.168.0.102:56086 for
krbtgt/RW.LAN at RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN at RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN at RW.LAN
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN at RW.LAN (enctype
aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for
checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after
wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN at RW.LAN
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
added interface rl0 ip=192.168.0.192 bcast=192.168.0.255
netmask=255.255.255.0
ldb_wrap open of secrets.ldb
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:15 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:20 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:25 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:30 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:35 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:40 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:45 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
...
Am I missing something basic here?
Thanks,
Alnis
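The KDC lines above contain two different things: the "PREAUTH-REQUIRED" answer is the KDC's normal first reply to a request without pre-authentication, while "Failed to decrypt PA-DATA" means the encrypted timestamp did not verify against the key stored for the account (wrong password, stale key or enctype mismatch), and "Not updating badPwdCount" means such attempts never advance the lockout counter. The following parser is an added example, not part of the original post or of Samba; it groups AS-REQ outcomes per client principal and source address over a constructed sample in the shape of the lines quoted above (written with a real "@", which the list archive had rewritten as " at ").

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Samba 4 KDC log lines quoted in the post.
SAMPLE_LOG = r"""
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56084 for krbtgt/RW.LAN@RW.LAN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user1\@RW.LAN@RW.LAN
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56085 for krbtgt/RW.LAN@RW.LAN
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56086 for krbtgt/RW.LAN@RW.LAN
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
Kerberos: AS-REQ administrator@RW.LAN from ipv4:192.168.0.102:56090 for krbtgt/RW.LAN@RW.LAN
"""

AS_REQ = re.compile(r"AS-REQ (\S+) from ipv4:([\d.]+):\d+ for (\S+)")
PREAUTH_REQ = "returning PREAUTH-REQUIRED"
# Only the first, detailed failure line carries the enctype; the bare repeat is ignored.
DECRYPT_FAIL = re.compile(r"Failed to decrypt PA-DATA -- (\S+) \(enctype (\S+)\)")
NO_BADPWD = "Not updating badPwdCount"


def summarize_as_req(log_text):
    """Count AS-REQ outcomes per (client principal, source IP).

    PREAUTH-REQUIRED is benign; decrypt failures are real pre-auth failures,
    and badpwd_not_updated shows how many of them left lockout policy untouched.
    """
    stats = defaultdict(lambda: {"requests": 0, "preauth_required": 0,
                                 "decrypt_failures": 0, "badpwd_not_updated": 0,
                                 "enctypes": set()})
    current = None  # the (client, ip) of the most recent AS-REQ line
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            current = (m.group(1), m.group(2))
            stats[current]["requests"] += 1
        elif current is None:
            continue
        elif PREAUTH_REQ in line:
            stats[current]["preauth_required"] += 1
        elif (m := DECRYPT_FAIL.search(line)):
            stats[current]["decrypt_failures"] += 1
            stats[current]["enctypes"].add(m.group(2))
        elif NO_BADPWD in line:
            stats[current]["badpwd_not_updated"] += 1
    return dict(stats)


def flag_repeated_failures(stats, threshold=2):
    """Return (client, ip) keys whose pre-auth decrypt failures reach the threshold."""
    return sorted(k for k, v in stats.items() if v["decrypt_failures"] >= threshold)
```

A single principal whose every attempt fails with the same enctype points at a key or password problem on that account; many principals failing from one address is the pattern to alert on, and the badpwd_not_updated counter tells you whether lockout would have helped.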
Rowland Penny
2017-Feb-06 08:44 UTC
[Samba] Regular users can't log in to Samba AD DC from Windows
On Mon, 6 Feb 2017 10:07:18 +0200 Alnis Morics via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I continue setting up my FreeBSD 11.0 machine with Samba 4.4.9 built
> from sources. (Actually, OS type and Samba version don't matter so
> much, as I have the same problem with Debian Jessie and Samba 4.5.5)
>
> I followed the Wiki very close. Some details from provisioning:

Did you run the provision command like this:

samba-tool domain provision --use-rfc2307 --interactive

> [samba-share]
> path = /samba-share
> read only = no

Have you set up the libnss_winbind links ?

> Next, I successfully joined a Windows 10 Enterprise machine and
> logged in as a domain administrator. I can access the file share,
> write to it, set Windows permissions.
>
> But when I open ADUC and click a user properties, I only have 5 tabs
> there (Environment, Sessions, Remote control, Remote Desktop Service
> Profile, COM+), and I can't add any other user. Windows just says
> nothing but from Samba logs I see something like this:

This is a windows 10 problem, do a search on 'windows 10 missing tabs'

Rowland
Alnis Morics
2017-Feb-06 09:11 UTC
[Samba] Regular users can't log in to Samba AD DC from Windows
Thank you, Rowland, for the reply.

On 02/06/2017 10:44, Rowland Penny via samba wrote:
> On Mon, 6 Feb 2017 10:07:18 +0200
> Alnis Morics via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I continue setting up my FreeBSD 11.0 machine with Samba 4.4.9 built
>> from sources. (Actually, OS type and Samba version don't matter so
>> much, as I have the same problem with Debian Jessie and Samba 4.5.5)
>>
>> I followed the Wiki very close. Some details from provisioning:
>
> Did you run the provision command like this:
>
> samba-tool domain provision --use-rfc2307 --interactive

yes

>>
>> [samba-share]
>> path = /samba-share
>> read only = no
>>
>
> Have you set up the libnss_winbind links ?

yes:

ln -s /usr/local/samba/lib/nss_winbind.so.1 /usr/local/lib/nss/
ln -s /usr/local/samba/lib/nss_winbind.so.1 /usr/local/lib/nss/nss_winbind.so
ldconfig

And the nss tests as per Wiki seem to pass:

wbinfo --ping-dc
checking the NETLOGON for domain[RW] dc connection to "samba4-pfbsd.rw.lan" succeeded
# getent passwd Administrator
RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
# getent passwd user1
RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
# getent group "Domain Users"
RW\domain users:x:20
# touch testfile
# ll testfile
-rw-r--r-- 1 root wheel 0 Jan 28 19:25 testfile
# chown user1:"domain users" testfile
# ll testfile
-rw-r--r-- 1 RW\user1 staff 0 Jan 28 19:25 testfile

Only I would expect that a regular users' GID numbers are not within 0-1000, but I don't know.

>>
>> Next, I successfully joined a Windows 10 Enterprise machine and
>> logged in as a domain administrator. I can access the file share,
>> write to it, set Windows permissions.
>>
>> But when I open ADUC and click a user properties, I only have 5 tabs
>> there (Environment, Sessions, Remote control, Remote Desktop Service
>> Profile, COM+), and I can't add any other user. Windows just says
>> nothing but from Samba logs I see something like this:
>
> This is a windows 10 problem, do a search on 'windows 10 missing tabs'
>
> Rowland
>