On 27.06.2018 13:43, Rowland Penny via samba wrote:
> On Wed, 27 Jun 2018 13:04:12 +0200
> basti via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>> when I try to login to AD member via IP-Address from Windows Client it
>> works.
>>
>> Login to AD Member from Windows Client via DNS Name fails.
>> Windows Errorcode: 0x80070035
>>
>> Dc1: Samba 4.5.12+dfsg-2+deb9u2
>> AD Member: Samba 4.5.12+dfsg-2+deb9u2
>>
>> winbindd.log (AD Member)
>>
>> [2018/06/27 12:49:58.787087, 1]
>> ../source3/winbindd/winbindd_pam.c:2567(winbindd_pam_auth_pac_send)
>> Error during PAC signature verification: NT_STATUS_UNSUCCESSFUL
>> [2018/06/27 12:50:17.766117, 1]
>> ../source3/winbindd/winbindd_pam.c:2502(extract_pac_vrfy_sigs)
>> Failed to initialize kerberos context: Invalid argument
>>
>>
>> win-client.log (AD Member)
>>
>> [2018/06/27 12:49:13.354207, 1]
>> ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
>> Failed to fetch record!
>> [2018/06/27 12:49:13.354282, 1]
>> ../source3/smbd/server_reload.c:69(delete_and_reload_printers)
>> pcap cache not loaded
>>
>>
>> smb.conf (AD Member)
>>
>> security = ADS
>> workgroup = DOM
>> realm = DOM.EXAMPLE.COM
>>
>> bind interfaces only = yes
>> interfaces = lo eth0
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 1000-1005
>
> The above range is much too small, there are more than 6 'Well known
> SIDs'
>
>>
>> # idmap config for the DOM domain
>> idmap config KES:backend = ad
>> idmap config KES:schema_mode = rfc2307
>> idmap config KES:range = 1006-999999
>
> I hope this is just a typo, but just in case it isn't, 'KES' != 'DOM'
>
> I also hope you don't use sudo on this machine, mainly because you
> cannot have any local Unix users with the set ranges.
>
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /home/users/%U
>> template shell = /bin/bash
>>
>> winbind use default domain = yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>
> Rowland
>

That is just a typo, and yes, there is only one local user with id 1000.
On Wed, 27 Jun 2018 14:02:30 +0200
basti via samba <samba at lists.samba.org> wrote:

>
> On 27.06.2018 13:43, Rowland Penny via samba wrote:
> > On Wed, 27 Jun 2018 13:04:12 +0200
> > basti via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >> when I try to login to AD member via IP-Address from Windows
> >> Client it works.
> >>
> >> Login to AD Member from Windows Client via DNS Name fails.
> >> Windows Errorcode: 0x80070035
> >>
> >> Dc1: Samba 4.5.12+dfsg-2+deb9u2
> >> AD Member: Samba 4.5.12+dfsg-2+deb9u2
> >>
> >> winbindd.log (AD Member)
> >>
> >> [2018/06/27 12:49:58.787087, 1]
> >> ../source3/winbindd/winbindd_pam.c:2567(winbindd_pam_auth_pac_send)
> >> Error during PAC signature verification: NT_STATUS_UNSUCCESSFUL
> >> [2018/06/27 12:50:17.766117, 1]
> >> ../source3/winbindd/winbindd_pam.c:2502(extract_pac_vrfy_sigs)
> >> Failed to initialize kerberos context: Invalid argument
> >>
> >>
> >> win-client.log (AD Member)
> >>
> >> [2018/06/27 12:49:13.354207, 1]
> >> ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
> >> Failed to fetch record!
> >> [2018/06/27 12:49:13.354282, 1]
> >> ../source3/smbd/server_reload.c:69(delete_and_reload_printers)
> >> pcap cache not loaded
> >>
> >>
> >> smb.conf (AD Member)
> >>
> >> security = ADS
> >> workgroup = DOM
> >> realm = DOM.EXAMPLE.COM
> >>
> >> bind interfaces only = yes
> >> interfaces = lo eth0
> >>
> >> log file = /var/log/samba/%m.log
> >> log level = 1
> >>
> >> idmap config * : backend = tdb
> >> idmap config * : range = 1000-1005
> >
> > The above range is much too small, there are more than 6 'Well known
> > SIDs'
> >
> >>
> >> # idmap config for the DOM domain
> >> idmap config KES:backend = ad
> >> idmap config KES:schema_mode = rfc2307
> >> idmap config KES:range = 1006-999999
> >
> > I hope this is just a typo, but just in case it isn't, 'KES' !=
> > 'DOM'
> >
> > I also hope you don't use sudo on this machine, mainly because you
> > cannot have any local Unix users with the set ranges.
> >
> >>
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> template homedir = /home/users/%U
> >> template shell = /bin/bash
> >>
> >> winbind use default domain = yes
> >>
> >> vfs objects = acl_xattr
> >> map acl inherit = yes
> >> store dos attributes = yes
> >>
> >> dedicated keytab file = /etc/krb5.keytab
> >> kerberos method = secrets and keytab
> >>
> >
> > Rowland
> >
> That is just a typo, and yes, there is only one local user with id
> 1000.
>

Sorry, but no, there isn't: 'idmap config * : range = 1000-1005' has seen
to that; you cannot have two users with the ID '1000'.

Can I also point out that if you can only connect by IP, then you probably
have a DNS issue.

Rowland
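A small checker for the three smb.conf idmap problems Rowland raises in this thread (a default '*' range too small for the well-known SIDs, a domain tag that does not match the workgroup, and a local Unix UID that falls inside an idmap range). This is an added example, not code from the thread or from Samba; the smb.conf excerpt and passwd lines are constructed to mirror the posted configuration, and the 1000-ID minimum for the default range is an assumption taken from the Samba wiki's 3000-7999 example.

```python
import re

# Constructed smb.conf excerpt mirroring the one posted in the thread.
SMB_CONF = """\
workgroup = DOM
idmap config * : backend = tdb
idmap config * : range = 1000-1005
# idmap config for the DOM domain
idmap config KES:backend = ad
idmap config KES:range = 1006-999999
"""

# Constructed /etc/passwd lines: one local user with UID 1000, as in the thread.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
basti:x:1000:1000::/home/basti:/bin/bash
"""
# Assumption: '*' needs room for well-known SIDs and BUILTIN groups; the Samba
# wiki example uses 3000-7999, so require at least 1000 IDs.
MIN_DEFAULT_RANGE_SIZE = 1000

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_conf(conf):
    """Return (workgroup, {domain_tag: (low, high)}) from smb.conf text."""
    workgroup, ranges = "", {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # comment lines are not configuration
        if m := WORKGROUP_RE.match(line):
            workgroup = m.group(1).upper()
        elif m := IDMAP_RE.match(line):
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return workgroup, ranges

def check_idmap(conf, passwd):
    """Flag the three idmap mistakes raised in the thread."""
    workgroup, ranges = parse_conf(conf)
    problems = []
    lo, hi = ranges.get("*", (0, -1))  # a missing '*' range counts as size 0
    if hi - lo + 1 < MIN_DEFAULT_RANGE_SIZE:
        problems.append(f"default range {lo}-{hi} too small for well-known SIDs")
    if workgroup and workgroup not in ranges:
        problems.append(f"no idmap range for workgroup {workgroup}, tags: {sorted(ranges)}")
    for entry in passwd.splitlines():  # local UIDs must sit outside every range
        name, _, uid = entry.split(":")[:3]
        for tag, (lo, hi) in ranges.items():
            if lo <= int(uid) <= hi:
                problems.append(f"local user {name} (uid {uid}) inside idmap range {tag}")
    return problems
```

Run against the posted configuration it reports all three findings; with the '*' range moved above the local UIDs and the domain tag renamed to DOM it reports nothing.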
On 27.06.2018 14:12, Rowland Penny via samba wrote:
> Can I also point out that if you can only connect by IP, then you probably
> have a DNS issue.
>
> Rowland
>

I don't think so.

root@kes-srv-007:/var/log/samba# getent hosts kes-srv-007.kes
192.168.30.19   kes-srv-007.kes

root@kes-srv-007:/var/log/samba# smbclient -U 'KES\user' \\\\kes-srv-007.kes\\websrv
Enter KES\users's password:
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
Domain=[KES] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
smb: \>

tcpdump before the Windows error message is shown:

root@kes-srv-007:/var/log/samba# tcpdump -ni eth0 port 445 and host 192.168.30.49
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:49:09.561480 IP 192.168.30.49.65405 > 192.168.30.19.445: Flags [SEW], seq 3407254319, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:49:09.561542 IP 192.168.30.19.445 > 192.168.30.49.65405: Flags [S.], seq 1513924791, ack 3407254320, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:49:09.561799 IP 192.168.30.49.65405 > 192.168.30.19.445: Flags [.], ack 1, win 513, length 0
14:49:09.561949 IP 192.168.30.49.65405 > 192.168.30.19.445: Flags [P.], seq 1:160, ack 1, win 513, length 159
SMB PACKET: SMBnegprot (REQUEST)
14:49:09.561985 IP 192.168.30.19.445 > 192.168.30.49.65405: Flags [.], ack 160, win 237, length 0
14:49:09.668500 IP 192.168.30.19.445 > 192.168.30.49.65405: Flags [P.], seq 1:229, ack 160, win 237, length 228
SMB-over-TCP packet:(raw data or continuation?)
14:49:09.668861 IP 192.168.30.49.65405 > 192.168.30.19.445: Flags [P.], seq 160:272, ack 229, win 512, length 112
SMB-over-TCP packet:(raw data or continuation?)
14:49:09.668953 IP 192.168.30.19.445 > 192.168.30.49.65405: Flags [.], ack 272, win 237, length 0
14:49:09.761300 IP 192.168.30.19.445 > 192.168.30.49.65405: Flags [P.], seq 229:457, ack 272, win 237, length 228
SMB-over-TCP packet:(raw data or continuation?)
14:49:09.762906 IP 192.168.30.49.65405 > 192.168.30.19.445: Flags [P.], seq 272:2077, ack 457, win 511, length 1805
SMB-over-TCP packet:(raw data or continuation?)
14:49:09.762978 IP 192.168.30.19.445 > 192.168.30.49.65405: Flags [.], ack 2077, win 265, length 0
14:49:09.878633 IP 192.168.30.19.445 > 192.168.30.49.65405: Flags [P.], seq 457:534, ack 2077, win 265, length 77
SMB-over-TCP packet:(raw data or continuation?)
14:49:09.879231 IP 192.168.30.49.65405 > 192.168.30.19.445: Flags [R.], seq 2077, ack 534, win 0, length 0
14:49:09.881160 IP 192.168.30.49.65406 > 192.168.30.19.445: Flags [SEW], seq 2221000953, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:49:09.881205 IP 192.168.30.19.445 > 192.168.30.49.65406: Flags [S.], seq 2677849087, ack 2221000954, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:49:09.881401 IP 192.168.30.49.65406 > 192.168.30.19.445: Flags [.], ack 1, win 513, length 0
14:49:09.881442 IP 192.168.30.49.65406 > 192.168.30.19.445: Flags [P.], seq 1:113, ack 1, win 513, length 112
SMB-over-TCP packet:(raw data or continuation?)
14:49:09.881453 IP 192.168.30.19.445 > 192.168.30.49.65406: Flags [.], ack 113, win 229, length 0
14:49:10.056381 IP 192.168.30.19.445 > 192.168.30.49.65406: Flags [P.], seq 1:229, ack 113, win 229, length 228
SMB-over-TCP packet:(raw data or continuation?)
14:49:10.057573 IP 192.168.30.49.65406 > 192.168.30.19.445: Flags [P.], seq 113:1918, ack 229, win 512, length 1805
SMB-over-TCP packet:(raw data or continuation?)
14:49:10.057646 IP 192.168.30.19.445 > 192.168.30.49.65406: Flags [.], ack 1918, win 257, length 0
14:49:10.163931 IP 192.168.30.19.445 > 192.168.30.49.65406: Flags [P.], seq 229:306, ack 1918, win 257, length 77
SMB-over-TCP packet:(raw data or continuation?)
14:49:10.164936 IP 192.168.30.49.65406 > 192.168.30.19.445: Flags [R.], seq 1918, ack 306, win 0, length 0