Johannes Engel
2018-Jan-22 20:30 UTC
[Samba] RODC and LDAP via Simple Authentication fails
That was exactly what I was looking for. I hope 4.8 should not be too
far away... ;)
In the meantime I found this in the logs at level 2:
[2018/01/22 21:15:50.010307, 3]
../source4/auth/ntlm/auth.c:240(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user
[(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com]@[(null)]
auth_check_password_send: user is: [MYDOMAIN]\[ldap]@[(null)]
[2018/01/22 21:15:50.016870, 3]
../source4/dsdb/repl/drepl_secret.c:145(drepl_repl_secret)
../source4/dsdb/repl/drepl_secret.c:145: started secret replication
for CN=ldap,CN=Users,DC=my,DC=domain,DC=com
[2018/01/22 21:15:50.017031, 3]
../libcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)
resolve_lmhosts: Attempting lmhosts lookup for name
ef201f76-caaa-40b7-9ff2-41b4790dcf4d._msdcs.my.domain.com<0x20>
[2018/01/22 21:15:50.022197, 2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
auth_check_password_recv: sam_failtrusts authentication for user
[MYDOMAIN\ldap] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET,
authoritative=1
[2018/01/22 21:15:50.026733, 2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [LDAP,simple bind] user
[(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com] at [Mon, 22 Jan 2018
21:15:50.026694 CET] with [Plaintext] status
[NT_STATUS_NO_TRUST_LSA_SECRET] workstation [(null)] remote host
[ipv4:192.168.10.60:51622] mapped to [MYDOMAIN]\[ldap]. local host
[ipv4:192.168.10.60:636]
[2018/01/22 21:15:50.027299, 2] ../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp":
"2018-01-22T21:15:50.026864+0100",
"type": "Authentication", "Authentication":
{"version": {"major": 1,
"minor": 0}, "status":
"NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress":
"ipv4:192.168.10.60:636", "clientDomain": null,
"remoteAddress":
"ipv4:192.168.10.60:51622", "serviceDescription":
"LDAP",
"passwordType": "Plaintext", "authDescription":
"simple bind",
"mappedDomain": "MYDOMAIN",
"netlogonSecureChannelType": 0,
"clientAccount": "cn=LDAP,cn=Users,dc=my,dc=domain,dc=com",
"becameAccount": null, "workstation": null,
"becameDomain": null,
"becameSid": "(NULL SID)", "mappedAccount":
"ldap", "netlogonComputer":
null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags":
"0x00000000", "netlogonTrustAccountSid": "(NULL
SID)"}}
[2018/01/22 21:15:50.027400, 3]
../auth/auth_log.c:139(get_auth_event_server)
get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/01/22 21:15:50.031314, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2018/01/22 21:15:50.031680, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT]
[2018/01/22 21:15:50.045176, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 16200 () exited with status 0
[2018/01/22 21:15:50.052762, 3]
../libcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)
resolve_lmhosts: Attempting lmhosts lookup for name
ef201f76-caaa-40b7-9ff2-41b4790dcf4d._msdcs.my.domain.com<0x20>
[2018/01/22 21:15:50.090394, 3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2018/01/22 21:15:52.380162, 2]
../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for DC=my,DC=domain,DC=com
[2018/01/22 21:15:52.380345, 3]
../source4/dsdb/repl/drepl_secret.c:57(drepl_repl_secret_callback)
../source4/dsdb/repl/drepl_secret.c:57: repl secret completed OK for
'CN=ldap,CN=Users,DC=my,DC=domain,DC=com'
Does that help?
Best regards
Johannes
Am 22.01.2018 um 21:08 schrieb Andrew Bartlett:> On Mon, 2018-01-22 at 20:56 +0100, Johannes Engel via samba wrote:
>> Hi Andrew,
>>
>> I am deeply impressed by your speed! :D
>>
>> The RODC is actually Samba 4.7.4, the other DCs are still on 4.6.12.
>>
>> Any suggestion how I can debug this w/o setting everything on level 10?
;)
> Just turn up the logs one level at a time until something comes out.
>
> Upgrading the other DCs to 4.7 (carefully, per my other mail) might
> help, as it would then match what our tests do, but I can't think of
> how exactly.
>
> In the long run it will ensure that the bad password count and lockout
> is correctly handled.
>
> Samba 4.8 will make this a little easier to debug because 'auth' is
now
> accepted as a debug class in the AD DC, so you can see those logs more
> specifically with something like 'log level = 3 auth:5 winbind:5'.
>
> I hope this helps,
>
> Andrew Bartlett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 512 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20180122/1964ea22/signature.sig>
Andrew Bartlett
2018-Jan-22 20:39 UTC
[Samba] RODC and LDAP via Simple Authentication fails
On Mon, 2018-01-22 at 21:30 +0100, Johannes Engel via samba wrote:> [2018/01/22 21:15:50.022197, 2] > ../source4/auth/ntlm/auth.c:475(auth_check_password_recv) > auth_check_password_recv: sam_failtrusts authentication for user > [MYDOMAIN\ldap] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET, > authoritative=1Hmm. Are you sure the RODC's join to the domain is all OK? Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Johannes Engel
2018-Jan-22 21:07 UTC
[Samba] RODC and LDAP via Simple Authentication fails
Am 22.01.2018 um 21:39 schrieb Andrew Bartlett:> On Mon, 2018-01-22 at 21:30 +0100, Johannes Engel via samba wrote: >> [2018/01/22 21:15:50.022197, 2] >> ../source4/auth/ntlm/auth.c:475(auth_check_password_recv) >> auth_check_password_recv: sam_failtrusts authentication for user >> [MYDOMAIN\ldap] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET, >> authoritative=1 > Hmm. Are you sure the RODC's join to the domain is all OK?Certainly to me it looks ok: Finding a writeable DC for domain 'my.domain.com' Found DC dc.my.domain.com Password for [MYDOMAIN\Administrator]: workgroup is MYDOMAIN realm is my.domain.com Deleted CN=MYRODC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com Adding CN=MYRODC,OU=Domain Controllers,DC=my,DC=domain,DC=com Adding CN=krbtgt_MYRODC,CN=Users,DC=my,DC=domain,DC=com Got krbtgt_name=krbtgt_38921 Renaming CN=krbtgt_MYRODC,CN=Users,DC=my,DC=domain,DC=com to CN=krbtgt_38921,CN=Users,DC=my,DC=domain,DC=com Adding CN=MYRODC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com Adding CN=NTDS Settings,CN=MYRODC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com Adding CN=RODC Connection (FRS),CN=NTDS Settings,CN=MYRODC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com Adding SPNs to CN=MYRODC,OU=Domain Controllers,DC=my,DC=domain,DC=com Setting account password for MYRODC$ Enabling account Calling bare provision Looking up IPv4 addresses More than one IPv4 address found. Using 192.168.5.206 Looking up IPv6 addresses More than one IPv6 address found. Using 2001:1234:5678::1 Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf Provision OK for domain DN DC=my,DC=domain,DC=com Starting replication Schema-DN[CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com] objects[402/1550] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com] objects[804/1550] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com] objects[1206/1550] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com] objects[1550/1550] linked_values[0/0] Analyze and apply schema objects Partition[CN=Configuration,DC=my,DC=domain,DC=com] objects[402/1638] linked_values[0/0] Partition[CN=Configuration,DC=my,DC=domain,DC=com] objects[804/1638] linked_values[0/0] Partition[CN=Configuration,DC=my,DC=domain,DC=com] objects[1206/1638] linked_values[0/0] Partition[CN=Configuration,DC=my,DC=domain,DC=com] objects[1608/1638] linked_values[0/2] Partition[CN=Configuration,DC=my,DC=domain,DC=com] objects[1638/1638] linked_values[38/38] Replicating critical objects from the base DN of the domain Partition[DC=my,DC=domain,DC=com] objects[100/100] linked_values[39/39] Partition[DC=my,DC=domain,DC=com] objects[502/566] linked_values[0/82] Partition[DC=my,DC=domain,DC=com] objects[666/566] linked_values[243/243] Done with always replicated NC (base, config, schema) Exop on[CN=MYRODC,OU=Domain Controllers,DC=my,DC=domain,DC=com] objects[1] linked_values[8] Exop on[CN=krbtgt_38921,CN=Users,DC=my,DC=domain,DC=com] objects[1] linked_values[0] Committing SAM database Sending DsReplicaUpdateRefs for all the replicated partitions Setting RODC invocationId Setting isSynchronized and dsServiceName Setting up secrets database Joined domain MYDOMAIN (SID S-1-5-21-2089342896-204912209-1759679801) as an RODC Any thoughts? Best regards Johannes -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 512 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20180122/665bc3ad/signature.sig>