Hi,
Some time back I had written to the list about integrating Cisco ISE and
facing errors with RPC login. When we actually integrated using ISE
2.4.0357 we noticed that Kerberos authentication is working like a
charm. But MS-RPC authentication throws an error.
From the Samba logs, we noticed that the ISE workstation is able to
negotiate the RPC port switch to the higher dynamic RPC ports, and
authentication is working fine. However, at the very next step, the
connection gets terminated and ISE loses its connection with the AD Domain
Controller. The Samba log showing the error is shown below. My smb.conf is
also shown.
Any specific setting we need to do in Samba to get this working?
My Samba version is 4.7.3

My smb.conf:
# Global parameters
[global]
netbios name = DC1
realm = EXAMPLE.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = EXAMPLE
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = No
# Logs and events
eventlog list = Security
log level = 3
log file = /var/log/samba/dc1.%T.log
max log size = 1000000
[netlogon]
path = /usr/local/samba/var/locks/sysvol/exza.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Samba Logs (Log level set to 3):
[2018/06/13 16:11:57.262264, 2]
../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for DC=example,DC=com
[2018/06/13 16:12:14.433654, 2]
../source4/dsdb/kcc/kcc_periodic.c:710(kccsrv_samba_kcc)
Calling samba_kcc script
[2018/06/13 16:12:14.706632, 0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_kcc: ldb_wrap open of secrets.ldb
[2018/06/13 16:12:15.171836, 3]
../lib/util/util_runcmd.c:291(samba_runcmd_io_handler)
samba_runcmd_io_handler: Child /usr/local/samba/sbin/samba_kcc exited 0
[2018/06/13 16:12:15.171946, 3]
../source4/dsdb/kcc/kcc_periodic.c:695(samba_kcc_done)
Completed samba_kcc OK
[2018/06/13 16:12:58.219597, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2018/06/13 16:12:58.219997, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv()
- NT_STATUS_LOCAL_DISCONNECT]
[2018/06/13 16:12:58.233556, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 12918 () exited with status 0
[2018/06/13 16:12:58.238059, 3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2018/06/13 16:12:58.458247, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ ISEAPPL$@EXAMPLE.COM from
iEXAMPLEpv4:192.168.100.40:40583 for cifs/pdc.EXAMPLE.com at EXAMPLE.COM
[canonicalize, renewable, forwardable]
[2018/06/13 16:12:58.467845, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2018-06-13T16:10:17 starttime:
2018-06-13T16:12:58 endtime: 2018-06-14T02:10:17 renew till:
2018-06-20T16:10:17
[2018/06/13 16:12:58.516514, 3]
../libcli/auth/schannel_state_tdb.c:360(schannel_store_challenge_tdb)
schannel_store_challenge_tdb: stored challenge info for 'ISEAPPL'
with key CHALLENGE/cc
[2018/06/13 16:12:58.521086, 3]
../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb)
schannel_store_session_key_tdb: stored schannel info with key
SECRETS/SCHANNEL/ISEAPPL
[2018/06/13 16:12:58.521235, 3]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [NETLOGON,ServerAuthenticate] user [EXAMPLE]\[ISEAPPL$] at [Wed,
13 Jun 2018 16:12:58.521173 IST] with [HMAC-MD5] status [NT_STATUS_OK]
workstation [(null)] remote host [ipv4:192.168.100.40:62133] became
[EXAMPLE]\[ISEAPPL$] [S-1-5-21-3209396036-1574839989-2322605064-1124].
local host [ipv4:192.168.100.26:445] NETLOGON computer [ISEAPPL] trust
account [ISEAPPL$]
[2018/06/13 16:12:58.524348, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2018/06/13 16:12:58.524484, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2018/06/13 16:12:58.542045, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 12955 () exited with status 0
[2018/06/13 16:12:58.562075, 3]
../libcli/auth/schannel_state_tdb.c:360(schannel_store_challenge_tdb)
schannel_store_challenge_tdb: stored challenge info for 'ISEAPPL'
with key CHALLENGE/cc
[2018/06/13 16:12:58.584001, 3]
../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb)
schannel_store_session_key_tdb: stored schannel info with key
SECRETS/SCHANNEL/ISEAPPL
[2018/06/13 16:12:58.584165, 3]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [NETLOGON,ServerAuthenticate] user [EXAMPLE]\[ISEAPPL$] at [Wed,
13 Jun 2018 16:12:58.584107 IST] with [HMAC-MD5] status [NT_STATUS_OK]
workstation [(null)] remote host [ipv4:192.168.100.40:62133] became
[EXAMPLE]\[ISEAPPL$] [S-1-5-21-3209396036-1574839989-2322605064-1124].
local host [ipv4:192.168.100.26:445] NETLOGON computer [ISEAPPL] trust
account [ISEAPPL$]
[2018/06/13 16:12:58.589893, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2018/06/13 16:12:58.590071, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2018/06/13 16:12:58.609884, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 12956 () exited with status 0
[2018/06/13 16:12:58.620708, 3]
../libcli/auth/schannel_state_tdb.c:360(schannel_store_challenge_tdb)
schannel_store_challenge_tdb: stored challenge info for 'ISEAPPL'
with key CHALLENGE/cc
[2018/06/13 16:12:58.625361, 3]
../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb)
schannel_store_session_key_tdb: stored schannel info with key
SECRETS/SCHANNEL/ISEAPPL
[2018/06/13 16:12:58.625485, 3]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [NETLOGON,ServerAuthenticate] user [EXAMPLE]\[ISEAPPL$] at [Wed,
13 Jun 2018 16:12:58.625439 IST] with [HMAC-MD5] status [NT_STATUS_OK]
workstation [(null)] remote host [ipv4:192.168.100.40:62133] became
[EXAMPLE]\[ISEAPPL$] [S-1-5-21-3209396036-1574839989-2322605064-1124].
local host [ipv4:192.168.100.26:445] NETLOGON computer [ISEAPPL] trust
account [ISEAPPL$]
[2018/06/13 16:12:58.628539, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2018/06/13 16:12:58.628725, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2018/06/13 16:12:58.648041, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 12957 () exited with status 0
[2018/06/13 16:13:11.409977, 2]
../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on
DC=DomainDnsZones,DC=example,DC=com using filter (uSNChanged>=5275)
[2018/06/13 16:13:11.413251, 3]
../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
UpdateRefs on getncchanges for ebe5bcd2-1d05-493b-a482-00b5f91f0da1
[2018/06/13 16:13:11.414283, 2]
../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
DsGetNCChanges with uSNChanged >= 5275 flags 0x80000074 on
<GUID=29d6d5f5-1e87-427b-8e84-e978c1725c5a>;DC=DomainDnsZones,DC=example,DC=com
gave 0 objects (done 0/0) 0 links (done 0/0 (as
S-1-5-21-3209396036-1574839989-2322605064-1104))
[2018/06/13 16:13:11.471996, 2]
../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on
DC=ForestDnsZones,DC=example,DC=com using filter (uSNChanged>=5275)
[2018/06/13 16:13:11.474085, 3]
../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
UpdateRefs on getncchanges for ebe5bcd2-1d05-493b-a482-00b5f91f0da1
[2018/06/13 16:13:11.475036, 2]
../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
DsGetNCChanges with uSNChanged >= 5275 flags 0x80000074 on
<GUID=c223adac-9a39-4be5-9ba1-6c8c09b13788>;DC=ForestDnsZones,DC=example,DC=com
gave 0 objects (done 0/0) 0 links (done 0/0 (as
S-1-5-21-3209396036-1574839989-2322605064-1104))
[2018/06/13 16:13:11.532511, 2]
../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on
CN=Schema,CN=Configuration,DC=example,DC=com using filter (uSNChanged>=5275)
[2018/06/13 16:13:11.565453, 3]
../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
UpdateRefs on getncchanges for ebe5bcd2-1d05-493b-a482-00b5f91f0da1
[2018/06/13 16:13:11.566236, 2]
../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
DsGetNCChanges with uSNChanged >= 5275 flags 0x80000074 on
<GUID=9917b04c-be53-4231-adb1-5a2e832ef106>;CN=Schema,CN=Configuration,DC=example,DC=com
gave 0 objects (done 0/0) 0 links (done 0/0 (as
S-1-5-21-3209396036-1574839989-2322605064-1104))
[2018/06/13 16:13:11.617249, 2]
../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on
CN=Configuration,DC=example,DC=com using filter (uSNChanged>=5275)
[2018/06/13 16:13:11.641910, 3]
../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
UpdateRefs on getncchanges for ebe5bcd2-1d05-493b-a482-00b5f91f0da1
[2018/06/13 16:13:11.642523, 2]
../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
DsGetNCChanges with uSNChanged >= 5275 flags 0x80000074 on
<GUID=acf4c22d-2a78-4abb-89be-cf26883fc442>;CN=Configuration,DC=example,DC=com
gave 0 objects (done 0/0) 0 links (done 0/0 (as
S-1-5-21-3209396036-1574839989-2322605064-1104))
[2018/06/13 16:13:11.693102, 2]
../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on
DC=example,DC=com using filter (uSNChanged>=5275)
[2018/06/13 16:13:11.701136, 3]
../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
UpdateRefs on getncchanges for ebe5bcd2-1d05-493b-a482-00b5f91f0da1
[2018/06/13 16:13:11.701949, 2]
../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
DsGetNCChanges with uSNChanged >= 5275 flags 0x80000074 on
<GUID=ea173018-cadb-4f3f-9502-20a48823f0d6>;<SID=S-1-5-21-3209396036-1574839989-2322605064>;DC=example,DC=com
gave 0 objects (done 0/0) 0 links (done 0/0 (as
S-1-5-21-3209396036-1574839989-2322605064-1104))
[2018/06/13 16:13:28.198184, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_IO_TIMEOUT'
[2018/06/13 16:13:28.198848, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_IO_TIMEOUT]
[2018/06/13 16:13:28.207854, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 12930 () exited with status 0
[2018/06/13 16:13:28.305493, 3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
--
Thanks & Regards,
Anantha Raghava
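
Added example, not part of the original post: a Python sketch that regroups the wrapped Samba log lines above into records and flags each successful NETLOGON ServerAuthenticate that is followed within a short window by a dcesrv_fault_disconnect termination, the pattern the post describes. The names parse_records, auth_then_fault and window_ms are hypothetical, and matching by time alone is a heuristic because records from several child processes interleave in the log.

```python
import re
from datetime import datetime, timedelta
# Abridged from the log in the post, keeping the mail client's line wrapping.
SAMPLE = r"""
[2018/06/13 16:12:58.219597, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2018/06/13 16:12:58.521235, 3]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [NETLOGON,ServerAuthenticate] user [EXAMPLE]\[ISEAPPL$] at [Wed,
13 Jun 2018 16:12:58.521173 IST] with [HMAC-MD5] status [NT_STATUS_OK]
workstation [(null)] remote host [ipv4:192.168.100.40:62133]
[2018/06/13 16:12:58.524348, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
AUTH_OK = re.compile(r"Auth: \[NETLOGON,ServerAuthenticate\] user \[[^\]]*\]\\\[([^\]]+)\]"
                     r".*?status \[NT_STATUS_OK\].*?remote host \[([^\]]+)\]")

def parse_records(text):
    """Regroup wrapped lines into [timestamp, level, message] records."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:  # a "[date time, level]" header starts a new record
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            records.append([ts, int(m.group(2)), m.group(3)])
        elif records and line:  # continuation of the current record
            records[-1][2] = (records[-1][2] + " " + line).strip()
    return records

def auth_then_fault(text, window_ms=100):
    """List (account, remote_host, gap_us) for NETLOGON successes followed
    within window_ms by a dcesrv_fault_disconnect termination.
    Heuristic: correlates by timestamp only (window_ms is an assumption)."""
    recs, hits = parse_records(text), []
    for i, (ts, _, msg) in enumerate(recs):
        m = AUTH_OK.search(msg)
        if not m:
            continue
        for ts2, _, msg2 in recs[i + 1:]:
            if ts2 - ts > timedelta(milliseconds=window_ms):
                break
            if "Terminating connection" in msg2 and "dcesrv_fault_disconnect" in msg2:
                hits.append((m.group(1), m.group(2), (ts2 - ts) // timedelta(microseconds=1)))
                break
    return hits
```

Calling auth_then_fault(SAMPLE) reports the ISEAPPL$ machine account and its remote host with the gap in microseconds; the LDAP disconnect earlier in the sample is not flagged.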