samba - Mar 2018 - Unable to access AD with ADExplorer

Hi,

On 3/27/2018 6:37 AM, Erdei Miklos via samba wrote:

> Hi,

>

> I have a test AD running Samba on Ubuntu that I sometimes poke with
Sysinternal's ADExplorer.

> A few days ago I tried connecting to it, but got a short reply of
"The directory service is not available."

> As it was working earlier, I tried finding the problem.

> After installing a few older releases, I found that it was working on
Ubuntu 17.04, Samba 4.5.8 and stopped working on Ubuntu 17.10, Samba 4.6.7.
Ubuntu 18.04 Beta's Samba 4.7 also fails to work.

> I know 4 .5 is EoL, but that is the last version that I could log
successfully on.

> The test ADs have exactly the same configuration, that was created
during the AD provisioning.

>

> Here are the log excerpts running on -d3:

>

> Working logon:

> ==================================Version
4.5.8-Ubuntu=================================
> [2018/03/26 16:32:38.889960,  3]
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)

>    ldb_wrap open of secrets.ldb

> [2018/03/26 16:32:38.896147,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088297

> [2018/03/26 16:32:38.897060,  3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

>    Got user=[administrator] domain=[] workstation=[TEST] len1=24
len2=266

> [2018/03/26 16:32:38.897302,  3]
../source4/auth/ntlm/auth.c:271(auth_check_password_send)

>    auth_check_password_send: Checking password for unmapped user
[]\[administrator]@[TEST]

>    auth_check_password_send: mapped user is:
[SAMDOM]\[administrator]@[TEST]

> [2018/03/26 16:32:38.901252,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:38.901492,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088215

> [2018/03/26 16:32:38.901669,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:38.901878,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088235

> [2018/03/26 16:32:38.910422,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

>    Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

> [2018/03/26 16:32:38.910667,  3]
../source4/smbd/process_single.c:114(single_terminate)

>    single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

> [2018/03/26 16:32:38.911755,  3]
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)

>    ldb_wrap open of secrets.ldb

> [2018/03/26 16:32:38.915128,  3] ../auth/ntlmssp/ntlmssp_util
.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088297

> [2018/03/26 16:32:38.915752,  3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

>    Got user=[administrator] domain=[] workstation=[TEST] len1=24
len2=266

> [2018/03/26 16:32:38.915983,  3]
../source4/auth/ntlm/auth.c:271(auth_check_password_send)

>    auth_check_password_send: Checking password for unmapped user
[]\[administrator]@[TEST]

>    auth_check_password_send: mapped user is:
[SAMDOM]\[administrator]@[TEST]

> [2018/03/26 16:32:38.919313,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:38 .919555,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088215

> [2018/03/26 16:32:38.919752,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:38.919923,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088235

> [2018/03/26 16:32:39.571560,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

>    Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

> [2018/03/26 16:32:39.572294,  3]
../source4/smbd/process_single.c:114(single_terminate)

>    single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

> [2018/03/26 16:32:39.575711,  3] 
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)

>    ldb_wrap open of secrets.ldb

> [2018/03/26 16:32:39.579515,  3] 
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088297

> [2018/03/26 16:32:39.580258,  3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

>    Got user=[administrator] domain=[] workstation=[TEST] len1=24
len2=266

> [2018/03/26 16:32:39.580474,  3]
../source4/auth/ntlm/auth.c:271(auth_check_password_send)

>    auth_check_password_send: Checking password for unmapped user
[]\[administrator]@[TEST]

>    auth_check_password_send: mapped user is:
[SAMDOM]\[administrator]@[TEST]

> [2018/03/26 16:32:39.584407,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:39.584611,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088215

> [2018/03/26 16:32:39.584793,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:39.584959,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088235

> [2018/03/26 16:32:39.823078,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

>    Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

> [2018/03/26 16:32:39.823431,  3]
../source4/smbd/process_single.c:114(single_terminate)

>    single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

> [2018/03/26 16:32:39.826504,  3]
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)

>    ldb_wrap open of secrets.ldb

> [2018/03/26 16:32:39.830011,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088297

> [2018/03/26 16:32:39.830652,  3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

>    Got user=[administrator] domain=[] workstation=[TEST] len1=24
len2=266

> [2018/03/26 16:32:39.830890,  3] .
./source4/auth/ntlm/auth.c:271(auth_check_password_send)

>    auth_check_password_send: Checking password for unmapped user
[]\[administrator]@[TEST]

>    auth_check_password_send: mapped user is:
[SAMDOM]\[administrator]@[TEST]

> [2018/03/26 16:32:39.834247,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:39.834452,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088215

> [2018/03/26 16:32:39.834601,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:39.834756,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088235

> [2018/03/26 16:32:39.864216,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

>    Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

> [2018/03/26 16:32:39 .864480,  3] 
../source4/smbd/process_single.c:114(single_terminate)

>    single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

> [2018/03/26 16:32:39.880432,  3]
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)

>    ldb_wrap open of secrets.ldb

> [2018/03/26 16:32:39.883778,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088297

> [2018/03/26 16:32:39.884513,  3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

>    Got user=[administrator] domain=[] workstation=[TEST] len1=24
len2=266

> [2018/03/26 16:32:39.884731,  3]
../source4/auth/ntlm/auth.c:271(auth_check_password_send)

>    auth_check_password_send: Checking password for unmapped user
[]\[administrator]@[TEST]

>    auth_check_password_send: mapped user is:
[SAMDOM]\[administrator]@[TEST]

> [2018/03/26 16:32:39.888141,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:39.888350,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088215

> [2018/03/26 16:32:39.888502,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:39.888656,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088235

> [2018/03/26 16:32:39.911770,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

>    Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

> [2018/03/26 16:32:39.912037,  3]
../source4/smbd/process_single.c:114(single_terminate)

>    single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

> [2018/03/26 16:32:39.933657,  3]
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)

>    ldb_wrap open of secrets.ldb

> [2018/03/26 16:32:39.938632,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088297

> [2018/03/26 16:32:39.939515,  3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

>    Got user=[administrator] domain=[] workstation=[TEST] len1=24
len2=266

> [2018/03/26 16:32:39.939988,  3]
../source4/auth/ntlm/auth.c:271(auth_check_password_send)

>    auth_check_password_send: Checking password for unmapped user
[]\[administrator]@[TEST]

>    auth_check_password_send: mapped user is:
[SAMDOM]\[administrator]@[TEST]

> [2018/03/26 16:32:39.944810,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:39.945222,  3] ../auth/ntlmssp/ntlmssp_util
.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088215

> [2018/03/26 16:32:39.945541,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:39.945808,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088235

> ==================================Version
4.5.8-Ubuntu=================================
>

> Non-Working logon:

> ==================================Version
4.6.7-Ubuntu=================================
> [2018/03/26 16:32:45.920989,  3]
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)

>    ldb_wrap open of secrets.ldb

> [2018/03/26 16:32:45.926921,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088297

> [2018/03/26 16:32:45.927514,  3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

>    Got user=[administrator] domain=[] workstation=[TEST] len1=24
len2=266

> [2018/03/26 16:32:45.927620,  3]
../source4/auth/ntlm/auth.c:271(auth_check_password_send)

>    auth_check_password_send: Checking password for unmapped user
[]\[administrator]@[TEST]

>    auth_check_password_send: mapped user is:
[SAMDOM]\[administrator]@[TEST]

> [2018/03/26 16:32:45.932479,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:45.932537,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088215

> [2018/03/26 16:32:45.932576,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:45.932600,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088215

> [2018/03/26 16:32:45.940988,  0] 
../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)

>    NTLMSSP NTLM2 packet check failed due to invalid signature!

> [2018/03/26 16:32:45.941244,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

>    Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR'

> [2018/03/26 16:32:45.941284,  3]
../source4/smbd/process_single.c:114(single_terminate)

>    single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]

> [2018/03/26 16:32:45.942532,  3]
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)

>    ldb_wrap open of secrets.ldb

> [2018/03/26 16:32:45.946341,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088297

> [2018/03/26 16:32:45.946846,  3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

>    Got user=[administrator] domain=[] workstation=[TEST] len1=24
len2=266

> [2018/03/26 16:32:45.946903,  3]
../source4/auth/ntlm/auth.c:271(auth_check_password_send)

>    auth_check_password_send: Checking password for unmapped user
[]\[administrator]@[TEST]

>    auth_check_password_send: mapped user is:
[SAMDOM]\[administrator]@[TEST]

> [2018/03/26 16:32:45.950762,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:45.950809,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088215

> [2018/03/26 16:32:45.950847,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)

>    NTLMSSP Sign/Seal - Initialising with flags:

> [2018/03/26 16:32:45.950873,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

>    Got NTLMSSP neg_flags=0xe2088215

> [2018/03/26 16:32:45.958662,  0]
../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)

>    NTLMSSP NTLM2 packet check failed due to invalid signature!

> [2018/03/26 16:32:45.958818,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

>    Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR'

> [2018/03/26 16:32:45.958850,  3] ../source4/smbd/process_single
.c:114(single_terminate)

>    single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]

> ==================================Version
4.6.7-Ubuntu=================================
>

> I tried "ldap server require strong auth = no", Googling
"NTLMSSP NTLM2 packet check failed due to invalid signature!",
checking the mailing list archives, and a bit more, but none gave any result.

>

> Can anyone help me how to proceed?

>

> Thanks for your help!

>

> Best regards,

> Miklos Erdei

>




I find if you don't use DOMAIN\username for the user you get this error 

message.
I tried logging on with and without domain prefix (and suffix too). Same result:
all formats work on 4.5 and none on 4.6.

M




-- 

--

James





_________________________________________

Citromail.hu levelezőrendszerből küldve

Lépj be vagy regisztrálj

On 3/27/2018 8:20 AM, Erdei Miklos via samba wrote:
> I find if you don't use DOMAIN\username for the user you get this error
> message.
> I tried logging on with and without domain prefix (and suffix too). Same
result: all formats work on 4.5 and none on 4.6.
>
> M
>
>
>
>
For reference I am currently using Ubuntu 14.04 and Samba 4.7.5. Sorry, 
I've only experienced that issue when not prefacing the domain name with 
the username.


-- 
--
James

On Tue, 2018-03-27 at 08:52 -0400, lingpanda101 via samba
wrote:
> On 3/27/2018 8:20 AM, Erdei Miklos via samba wrote:
> > I find if you don't use DOMAIN\username for the user you get this
error
> > message.
> > I tried logging on with and without domain prefix (and suffix too).
Same result: all formats work on 4.5 and none on 4.6.
> > 
> > M
> > 
> > 
> > 
> > 
> 
> For reference I am currently using Ubuntu 14.04 and Samba 4.7.5. Sorry, 
> I've only experienced that issue when not prefacing the domain name
with
> the username.
I think we just fixed that part:

https://bugzilla.samba.org/show_bug.cgi?id=13206

However I don't have any clues on the original problem mentioned here.

It sounds like ADExplorer and Samba have a disagreement on how to
handle NTLM packet signing/sealing in LDAP. 

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba