Eleuterio Contracampo
2017-Apr-21 15:57 UTC
[Samba] Fwd: Unable to change passwords from Win XP Pro clients
Thank you Rowland!! Sorry about my ignorance. I guess I tried many different things and polluted the smb.conf file. I've removed every single line you mentioned off my smb.conf. Still the problem persists:

MYDOMAIN\Administrator (S-1-5-21-1965676298-842383976-2353361141-500) is changing password of user2 at MYDOMAIN.org.ar
[2017/04/21 12:05:42.233899, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2017/04/21 12:05:42.233940, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2017/04/21 12:05:45.687345, 2] ../source4/dsdb/repl/drepl_notify.c:199(dreplsrv_notify_op_callback)
  dreplsrv_notify: DsReplicaSync successfuly sent to 375d3482-b7f4-49ae-839b-2ca6a2be9698._msdcs.MYDOMAIN.org.ar
[2017/04/21 12:05:46.691655, 2] ../source4/rpc_server/drsuapi/getncchanges.c:1428(getncchanges_collect_objects)
  ../source4/rpc_server/drsuapi/getncchanges.c:1428: getncchanges on DC=MYDOMAIN,DC=org,DC=ar using filter (uSNChanged>=7425)
[2017/04/21 12:05:46.733142, 3] ../source4/rpc_server/drsuapi/getncchanges.c:2008(dcesrv_drsuapi_DsGetNCChanges)
  UpdateRefs on getncchanges for 375d3482-b7f4-49ae-839b-2ca6a2be9698
[2017/04/21 12:05:46.734033, 2] ../source4/rpc_server/drsuapi/getncchanges.c:2115(dcesrv_drsuapi_DsGetNCChanges)
  DsGetNCChanges with uSNChanged >= 7425 flags 0x00000074 on <GUID=17a35154-99b3-44c6-8829-a5db4acf402c>;<SID=S-1-5-21-1965676298-842383976-2353361141>;DC=MYDOMAIN,DC=org,DC=ar gave 1 objects (done 1/1) 0 links (done 0/0 (as S-1-5-21-1965676298-842383976-2353361141-1105))

Same behavior: win7 clients work, win XP clients don't. Anything else I should try?
thanks again,
EC

On Fri, Apr 21, 2017 at 11:30 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 21 Apr 2017 10:39:58 -0400
> Eleuterio Contracampo via samba <samba at lists.samba.org> wrote:
>
> > Hello everyone,
> >
> > First time with Samba 4.
> > I've got it running mostly (with Windows 7 clients, everything works
> > like a charm.), but I'm struggling with an issue that is driving me
> > nuts (spent countless hours trying out stuff and googling without
> > luck):
> >
> > When users log in from Win XP Pro terminals, and are forced to change
> > initially assigned passwords, they get an error (1728: error in RPC
> > protocol) and cannot continue.
> >
> > Some background about my setup:
> > PDC: SERV5N
> > BDC: SERV6N
>
> You do not have a 'PDC' & 'BDC', you have two AD DCs
>
> > My smb.conf (PDC):
> >
> > # Global parameters
> >
> > [global]
>
> Remove this lot from smb.conf:
>
> wins support = yes
> security = user
> os level = 65
> domain logons = yes
> preferred master = yes
> domain master = yes
> local master = yes
> name resolve order = host wins lmhosts bcast
> remote announce = 192.168.40.255
> remote browse sync = 192.168.40.255
> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.40.213"
> ldap suffix = dc=MYDOMAIN,dc=org,dc=ar
> ldap user suffix = ou=users
> ldap machine suffix = ou=machines
> ldap group suffix = ou=groups
> ldap admin dn = cn=admin,dc=MYDOMAIN,dc=org,dc=ar
> ldap delete dn = no
> acl:search = false
> kerberos method = secrets only
> vfs objects = fileid acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> ldap passwd sync = yes
>
> They are either default settings or have absolutely no place in an AD
> DC smb.conf. The 'ldap' lines should only be used on an ldap based Samba
> machine, not an AD DC; 'acl_xattr' is built into the samba binary.
> Finally 'ldap passwd sync' only makes sense when you want the local
> users' passwords to sync with the users in ldap; the only problem is, you
> cannot have a local user with the same name as an AD user.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Eleuterio Contracampo
2017-Apr-21 16:00 UTC
[Samba] Fwd: Unable to change passwords from Win XP Pro clients
Sorry, I missed some relevant part of the logs after the suggested changes:

  Kerberos: AS-REQ user2 at MYDOMAIN from ipv4:192.168.44.56:2080 for krbtgt/MYDOMAIN at MYDOMAIN
[2017/04/21 12:47:37.526742, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2017/04/21 12:47:37.526772, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- user2 at MYDOMAIN
[2017/04/21 12:47:37.526791, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- user2 at MYDOMAIN
[2017/04/21 12:47:37.526934, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- user2 at MYDOMAIN using arcfour-hmac-md5
[2017/04/21 12:47:37.526965, 2] ../source4/auth/sam.c:218(authsam_account_ok)
  sam_account_ok: Account for user 'user2 at MYDOMAIN' password must change!.
[2017/04/21 12:47:45.429986, 2] ../source4/nbt_server/dgram/netlogon.c:198(nbtd_mailslot_netlogon_handler)
  nbtd netlogon handler failed from 192.168.40.112:138 to CER<1c> - NT_STATUS_BAD_NETWORK_NAME
[2017/04/21 12:47:45.430057, 2] ../source4/nbt_server/dgram/netlogon.c:198(nbtd_mailslot_netlogon_handler)
  nbtd netlogon handler failed from 192.168.40.112:138 to CER<1c> - NT_STATUS_BAD_NETWORK_NAME
[2017/04/21 12:47:45.593337, 2] ../source4/nbt_server/dgram/netlogon.c:198(nbtd_mailslot_netlogon_handler)
  nbtd netlogon handler failed from 192.168.40.112:138 to CER<1c> - NT_STATUS_BAD_NETWORK_NAME
[2017/04/21 12:47:45.593408, 2] ../source4/nbt_server/dgram/netlogon.c:198(nbtd_mailslot_netlogon_handler)
  nbtd netlogon handler failed from 192.168.40.112:138 to CER<1c> - NT_STATUS_BAD_NETWORK_NAME
[2017/04/21 12:47:54.894173, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/04/21 12:47:54.894544, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe208b2b7
[2017/04/21 12:47:54.897859, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 12:47:54.897907, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user []\[]@[HOSTYYY]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[]@[HOSTYYY]
[2017/04/21 12:47:54.897976, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2017/04/21 12:47:54.901039, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2017/04/21 12:47:54.901078, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2017/04/21 12:47:54.957292, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/04/21 12:47:54.957653, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe208b2b7
[2017/04/21 12:47:54.960943, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 12:47:54.960984, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user []\[]@[HOSTYYY]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[]@[HOSTYYY]
[2017/04/21 12:47:54.961041, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2017/04/21 12:47:54.964150, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2017/04/21 12:47:54.964187, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2017/04/21 12:47:55.147539, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/04/21 12:47:55.147901, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe208b2b7
[2017/04/21 12:47:55.152947, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 12:47:55.152989, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user []\[]@[HOSTYYY]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[]@[HOSTYYY]
[2017/04/21 12:47:55.153046, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2017/04/21 12:47:55.156384, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2017/04/21 12:47:55.156424, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2017/04/21 12:47:55.215248, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/04/21 12:47:55.215605, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe208b2b7
[2017/04/21 12:47:55.219199, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 12:47:55.219241, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user []\[]@[HOSTYYY]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[]@[HOSTYYY]
[2017/04/21 12:47:55.219297, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6

On Fri, Apr 21, 2017 at 11:57 AM, Eleuterio Contracampo <econtracampo at gmail.com> wrote:
> Thank you Rowland!!
>
> Sorry about my ignorance. I guess I tried many different things and
> polluted the smb.conf file.
>
> I've removed every single line you mentioned off my smb.conf.
Rowland Penny
2017-Apr-21 16:50 UTC
[Samba] Fwd: Unable to change passwords from Win XP Pro clients
On Fri, 21 Apr 2017 12:00:59 -0400 Eleuterio Contracampo via samba <samba at lists.samba.org> wrote:
> [2017/04/21 12:47:55.219297, 0]
> ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
>
> Did not manage to negotiate mandetory feature SIGN for dcerpc
> auth_level 6
>

I think you may be running into an artefact of the badlock patches, for which Win7 will have received patches, but there are no patches for XP as it is no longer supported. Try setting 'client ipc signing =' to 'auto' or 'disabled', but note this will affect win7 as well. See here, for more info: https://wiki.samba.org/index.php/Samba_4.3_Features_added/changed#CVE-2016-2115:

Rowland
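As an added triage example (not from the thread and not Samba's own code): this Python script parses level-3 Samba logs in the "[timestamp, level] file:line(function)" layout quoted above and counts, per client workstation, the "Did not manage to negotiate mandetory feature SIGN" failures that Rowland attributes to unpatched XP clients, so an admin can see which hosts are failing DCERPC signing negotiation before changing 'client ipc signing' domain-wide. The sample log and the host names HOSTYYY and WIN7BOX are constructed.

```python
import re
from collections import Counter

# Constructed sample in the Samba level-3 log layout quoted in the thread:
# a "[timestamp, level] file:line(function)" header followed by the message.
SAMPLE_LOG = """\
[2017/04/21 12:47:54.897859, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 12:47:54.897976, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2017/04/21 12:48:10.000001, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[WIN7BOX] len1=1 len2=0
[2017/04/21 12:48:10.000002, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user []\\[]@[WIN7BOX]
[2017/04/21 12:48:20.000001, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 12:48:20.000002, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
"""

HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+), (?P<level>\d+)\] (?P<src>\S+)$")
WORKSTATION_RE = re.compile(r"workstation=\[(?P<ws>[^\]]*)\]")
SIGN_FAIL = "Did not manage to negotiate mandetory feature SIGN"  # spelling as logged


def parse_entries(text):
    """Return (timestamp, level, source, message) tuples from Samba log text."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # header line opens a new entry
            current = [m["ts"], int(m["level"]), m["src"], ""]
            entries.append(current)
        elif current is not None:  # indented continuation: message text
            current[3] = (current[3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]


def signing_failures_by_workstation(text):
    """Count DCERPC SIGN negotiation failures per NTLMSSP workstation."""
    # The gensec failure line names no client, so it is attributed to the
    # workstation in the nearest preceding ntlmssp_server_preauth entry.
    counts, last_ws = Counter(), None
    for _ts, _level, src, msg in parse_entries(text):
        ws = WORKSTATION_RE.search(msg)
        if "ntlmssp_server_preauth" in src and ws:
            last_ws = ws["ws"]
        elif SIGN_FAIL in msg:
            counts[last_ws or "<unknown>"] += 1
    return dict(counts)
```

Run it against a real log with `signing_failures_by_workstation(open("/var/log/samba/log.samba").read())`; a host that appears here but has no signing failures (WIN7BOX in the sample) is the patched-client case Rowland describes.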