Johannes Engel
2018-Jan-22 19:56 UTC
[Samba] RODC and LDAP via Simple Authentication fails
Hi Andrew,

I am deeply impressed by your speed! :D

The RODC is actually Samba 4.7.4, the other DCs are still on 4.6.12.

Any suggestion how I can debug this w/o setting everything on level 10? ;)

Best regards
Johannes

On 22.01.2018 at 20:45, Andrew Bartlett wrote:
> On Mon, 2018-01-22 at 20:36 +0100, Johannes Engel via samba wrote:
>> Dear all,
>>
>> setting up a DMZ environment I was thinking to use an RODC there for
>> user authentication. One of the applications in the DMZ needs to access
>> the directory via LDAP.
>>
>> When I tried to connect to the RODC using LDAP with simple bind, I
>> always received the following error
>>
>> ldap_bind: Invalid credentials (49)
>> additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
>> AcceptSecurityContext error, data 6fa, v1db1
>>
>> even though the credentials used are correct and do work with the
>> "normal" DCs.
>>
>> I have already added the corresponding user to the group "Allowed RODC
>> Password Replication Group", but that did not change anything...
>>
>> Authentication through Kerberos seems to work, but is not an option for
>> the application, unfortunately.
>>
>> Did I miss anything that prevents my scenario from working by design? Thanks
>> a lot for your help!
> It should work with the current release, the simple bind should get
> converted into an NTLM login and passed along via winbind, so this is
> quite odd. Are you using Samba 4.7?
>
> (If you are not running 4.7, just take care to upgrade by doing a new
> join, not an in-place upgrade due to a linked attribute bug just
> reported and fixed).
>
> Thanks,
>
> Andrew Bartlett
Andrew Bartlett
2018-Jan-22 20:08 UTC
[Samba] RODC and LDAP via Simple Authentication fails
On Mon, 2018-01-22 at 20:56 +0100, Johannes Engel via samba wrote:
> Hi Andrew,
>
> I am deeply impressed by your speed! :D
>
> The RODC is actually Samba 4.7.4, the other DCs are still on 4.6.12.
>
> Any suggestion how I can debug this w/o setting everything on level 10? ;)

Just turn up the logs one level at a time until something comes out.

Upgrading the other DCs to 4.7 (carefully, per my other mail) might
help, as it would then match what our tests do, but I can't think of
how exactly.

In the long run it will ensure that the bad password count and lockout
is correctly handled.

Samba 4.8 will make this a little easier to debug because 'auth' is now
accepted as a debug class in the AD DC, so you can see those logs more
specifically with something like 'log level = 3 auth:5 winbind:5'.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Johannes Engel
2018-Jan-22 20:30 UTC
[Samba] RODC and LDAP via Simple Authentication fails
That was exactly what I was looking for. I hope 4.8 is not too
far away... ;)
In the meantime I found this in the logs at level 2:
[2018/01/22 21:15:50.010307, 3]
../source4/auth/ntlm/auth.c:240(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user
[(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com]@[(null)]
auth_check_password_send: user is: [MYDOMAIN]\[ldap]@[(null)]
[2018/01/22 21:15:50.016870, 3]
../source4/dsdb/repl/drepl_secret.c:145(drepl_repl_secret)
../source4/dsdb/repl/drepl_secret.c:145: started secret replication
for CN=ldap,CN=Users,DC=my,DC=domain,DC=com
[2018/01/22 21:15:50.017031, 3]
../libcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)
resolve_lmhosts: Attempting lmhosts lookup for name
ef201f76-caaa-40b7-9ff2-41b4790dcf4d._msdcs.my.domain.com<0x20>
[2018/01/22 21:15:50.022197, 2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
auth_check_password_recv: sam_failtrusts authentication for user
[MYDOMAIN\ldap] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET,
authoritative=1
[2018/01/22 21:15:50.026733, 2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [LDAP,simple bind] user
[(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com] at [Mon, 22 Jan 2018
21:15:50.026694 CET] with [Plaintext] status
[NT_STATUS_NO_TRUST_LSA_SECRET] workstation [(null)] remote host
[ipv4:192.168.10.60:51622] mapped to [MYDOMAIN]\[ldap]. local host
[ipv4:192.168.10.60:636]
[2018/01/22 21:15:50.027299, 2] ../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp":
"2018-01-22T21:15:50.026864+0100",
"type": "Authentication", "Authentication":
{"version": {"major": 1,
"minor": 0}, "status":
"NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress":
"ipv4:192.168.10.60:636", "clientDomain": null,
"remoteAddress":
"ipv4:192.168.10.60:51622", "serviceDescription":
"LDAP",
"passwordType": "Plaintext", "authDescription":
"simple bind",
"mappedDomain": "MYDOMAIN",
"netlogonSecureChannelType": 0,
"clientAccount": "cn=LDAP,cn=Users,dc=my,dc=domain,dc=com",
"becameAccount": null, "workstation": null,
"becameDomain": null,
"becameSid": "(NULL SID)", "mappedAccount":
"ldap", "netlogonComputer":
null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags":
"0x00000000", "netlogonTrustAccountSid": "(NULL
SID)"}}
[2018/01/22 21:15:50.027400, 3]
../auth/auth_log.c:139(get_auth_event_server)
get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/01/22 21:15:50.031314, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2018/01/22 21:15:50.031680, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT]
[2018/01/22 21:15:50.045176, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 16200 () exited with status 0
[2018/01/22 21:15:50.052762, 3]
../libcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)
resolve_lmhosts: Attempting lmhosts lookup for name
ef201f76-caaa-40b7-9ff2-41b4790dcf4d._msdcs.my.domain.com<0x20>
[2018/01/22 21:15:50.090394, 3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2018/01/22 21:15:52.380162, 2]
../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for DC=my,DC=domain,DC=com
[2018/01/22 21:15:52.380345, 3]
../source4/dsdb/repl/drepl_secret.c:57(drepl_repl_secret_callback)
../source4/dsdb/repl/drepl_secret.c:57: repl secret completed OK for
'CN=ldap,CN=Users,DC=my,DC=domain,DC=com'
Does that help?
Best regards
Johannes
On 22.01.2018 at 21:08, Andrew Bartlett wrote:
> On Mon, 2018-01-22 at 20:56 +0100, Johannes Engel via samba wrote:
>> Hi Andrew,
>>
>> I am deeply impressed by your speed! :D
>>
>> The RODC is actually Samba 4.7.4, the other DCs are still on 4.6.12.
>>
>> Any suggestion how I can debug this w/o setting everything on level 10?
>> ;)
> Just turn up the logs one level at a time until something comes out.
>
> Upgrading the other DCs to 4.7 (carefully, per my other mail) might
> help, as it would then match what our tests do, but I can't think of
> how exactly.
>
> In the long run it will ensure that the bad password count and lockout
> is correctly handled.
>
> Samba 4.8 will make this a little easier to debug because 'auth' is
> now accepted as a debug class in the AD DC, so you can see those logs
> more specifically with something like 'log level = 3 auth:5 winbind:5'.
>
> I hope this helps,
>
> Andrew Bartlett
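As an added example (not code from this thread or from the Samba project): a small Python triage script that pulls the `JSON Authentication: {...}` events Samba's auth/auth_log.c writes at log level 2 out of a log excerpt and lists the LDAP simple binds whose status is not NT_STATUS_OK. That is the quickest way to spot the NT_STATUS_NO_TRUST_LSA_SECRET result shown above without reading the whole level-3 log. The sample log is constructed: its first event mirrors the event quoted in the post, the other two accounts, addresses and statuses are invented, and the keys used (`serviceDescription`, `authDescription`, `status`, `mappedDomain`, `mappedAccount`, `remoteAddress`) are the ones visible in the quoted event.

```python
"""Triage Samba AD DC 'JSON Authentication' events for failed LDAP simple binds.

Added example, not code from the thread or from the Samba project.  It reads
the `JSON Authentication: {...}` events that auth/auth_log.c emits at log
level 2 and reports simple binds whose status is not NT_STATUS_OK.
"""
import json
from collections import Counter

MARKER = "JSON Authentication:"

# Constructed sample log.  The first event mirrors the one quoted in the
# thread; the other two accounts, addresses and statuses are invented.  The
# third event is deliberately re-wrapped across lines (as happens when a log
# is pasted into mail) to show that the parser still copes with it.
SAMPLE_LOG = """\
[2018/01/22 21:15:50.027299, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-01-22T21:15:50.026864+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress": "ipv4:192.168.10.60:636", "clientDomain": null, "remoteAddress": "ipv4:192.168.10.60:51622", "serviceDescription": "LDAP", "passwordType": "Plaintext", "authDescription": "simple bind", "mappedDomain": "MYDOMAIN", "netlogonSecureChannelType": 0, "clientAccount": "cn=LDAP,cn=Users,dc=my,dc=domain,dc=com", "becameAccount": null, "workstation": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "ldap", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonTrustAccountSid": "(NULL SID)"}}
[2018/01/22 21:15:50.031314, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2018/01/22 21:15:58.500000, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-01-22T21:15:58.499000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.10.60:636", "clientDomain": null, "remoteAddress": "ipv4:192.168.10.61:45010", "serviceDescription": "LDAP", "passwordType": "Plaintext", "authDescription": "simple bind", "mappedDomain": "MYDOMAIN", "netlogonSecureChannelType": 0, "clientAccount": "cn=monitor,cn=Users,dc=my,dc=domain,dc=com", "becameAccount": null, "workstation": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "monitor", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonTrustAccountSid": "(NULL SID)"}}
[2018/01/22 21:16:05.100000, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp":
  "2018-01-22T21:16:05.099000+0100", "type": "Authentication", "Authentication":
  {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD",
  "localAddress": "ipv4:192.168.10.60:636", "clientDomain": null,
  "remoteAddress": "ipv4:192.168.10.77:40122", "serviceDescription": "LDAP",
  "passwordType": "Plaintext", "authDescription": "simple bind",
  "mappedDomain": "MYDOMAIN", "netlogonSecureChannelType": 0,
  "clientAccount": "cn=svc-app,cn=Users,dc=my,dc=domain,dc=com",
  "becameAccount": null, "workstation": null, "becameDomain": null,
  "becameSid": "(NULL
  SID)", "mappedAccount": "svc-app", "netlogonComputer": null,
  "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
  "netlogonTrustAccountSid": "(NULL SID)"}}
"""


def iter_auth_events(log_text):
    """Yield the inner 'Authentication' object of every JSON auth event.

    raw_decode() is used so that whatever follows the JSON object on the line
    is ignored; strict=False lets the decoder accept a raw newline inside a
    string, which is what a mail client produces when it re-wraps a log.
    """
    decoder = json.JSONDecoder(strict=False)
    pos = 0
    while True:
        start = log_text.find(MARKER, pos)
        if start < 0:
            return
        brace = log_text.find("{", start)
        if brace < 0:
            return
        try:
            obj, end = decoder.raw_decode(log_text, brace)
        except json.JSONDecodeError:
            # Damaged event: skip the marker and keep scanning.
            pos = start + len(MARKER)
            continue
        pos = end
        if obj.get("type") == "Authentication" and "Authentication" in obj:
            yield obj["Authentication"]


def failed_simple_binds(log_text):
    """Return (status, DOMAIN\\account, remoteAddress) for every LDAP simple
    bind that did not end in NT_STATUS_OK, in log order."""
    rows = []
    for ev in iter_auth_events(log_text):
        if ev.get("serviceDescription") != "LDAP":
            continue
        if ev.get("authDescription") != "simple bind":
            continue
        if ev.get("status") == "NT_STATUS_OK":
            continue
        who = f"{ev.get('mappedDomain')}\\{ev.get('mappedAccount')}"
        rows.append((ev.get("status"), who, ev.get("remoteAddress")))
    return rows


def status_histogram(log_text):
    """Count failed simple binds per NT_STATUS code; a DC that answers every
    simple bind with NT_STATUS_NO_TRUST_LSA_SECRET stands out immediately."""
    return Counter(status for status, _, _ in failed_simple_binds(log_text))


if __name__ == "__main__":
    for status, who, remote in failed_simple_binds(SAMPLE_LOG):
        print(f"{status:32} {who:24} from {remote}")
    print(dict(status_histogram(SAMPLE_LOG)))
```

Run it against a real log with `python3 triage.py < /var/log/samba/log.samba` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; on a 4.7 DC the events only appear at log level 2 or higher, and the human-readable `Auth:` line above each JSON event carries the same status if you prefer to grep for it.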