Tomasz Majewski
2018-Jul-03 12:01 UTC
[Samba] Samba 4 AD DC on Fedora, problem with GPOs and denied security for machines
Hi,
I need help with a strange problem.

I installed Fedora 28 to test Samba 4 AD DC with MIT Kerberos with Windows 10 and Windows 7 clients and I can't run GPOs for machines. GPOs for users work.

On Fedora 27 it is the same problem.

After a couple of hours of changing settings I made a new installation of Debian 9.4 and everything works "out of the box".

I set everything up like here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
and
https://wiki.samba.org/index.php/Time_Synchronisation

=========
> gpresult /r

RSOP data for MYDOMAIN\Administrator on WIN10ENG : Logging Mode
----------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.17134
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=WIN10ENG,CN=Computers,DC=mydomain,DC=com
    Last time Group Policy was applied: 7/3/2018 at 2:15:44 AM
    Group Policy was applied from:      dc1.mydomain.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Default Domain Policy
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    -------------------------------------------------------
        NULL SID
        NT AUTHORITY\NETWORK
        This Organization
        Untrusted Mandatory Level


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=mydomain,DC=com
    Last time Group Policy was applied: 7/3/2018 at 2:16:28 AM
    Group Policy was applied from:      dc1.mydomain.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Default Domain Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Denied RODC Password Replication Group
        Schema Admins
        Enterprise Admins
        Group Policy Creator Owners
        High Mandatory Level
=========

Maybe the problem with GPOs is here:
"The computer is a part of the following security groups: NULL SID"
and
"Default Domain Policy: Filtering: Denied (Security)"

Some tests from the wiki tutorial:
=========
# smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.8.2)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter MYDOMAIN\Administrator's password:
  .                                   D        0  Mon Jul  2 13:46:15 2018
  ..                                  D        0  Mon Jul  2 13:46:19 2018

                14034944 blocks of size 1024. 12061576 blocks available

# host -t SRV _ldap._tcp.mydomain.com.
_ldap._tcp.mydomain.com has SRV record 0 100 389 dc1.mydomain.com.

# host -t SRV _kerberos._udp.mydomain.com.
_kerberos._udp.mydomain.com has SRV record 0 100 88 dc1.mydomain.com.

# host -t A dc1.mydomain.com.
dc1.mydomain.com has address 192.168.206.10

# kinit administrator
Password for administrator at MYDOMAIN.COM:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at MYDOMAIN.COM

Valid starting       Expires              Service principal
07/02/2018 14:00:45  07/03/2018 00:00:45  krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
        renew until 07/03/2018 14:00:41
=========

and configs:
=========
# cat /etc/krb5.conf | grep -v -e '#' -e '^$'
[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    spake_preauth_groups = edwards25519

# cat /etc/samba/smb.conf | grep -v -e '#' -e '^$'
[global]
    dns forwarder = 10.10.10.211
    netbios name = DC1
    realm = MYDOMAIN.COM
    server role = active directory domain controller
    workgroup = MYDOMAIN
    idmap_ldb:use rfc2307 = yes
[netlogon]
    path = /var/lib/samba/sysvol/mydomain.com/scripts
    read only = No
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

# cat /var/lib/samba/private/kdc.conf | grep -v -e '#' -e '^$'
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88
    kadmind_port = 464
[realms]
    MYDOMAIN.COM = {
    }
    mydomain.com = {
    }
    MYDOMAIN = {
    }
[dbmodules]
    db_module_dir = /usr/lib64/krb5/plugins/kdb
    MYDOMAIN.COM = {
        db_library = samba
    }
    mydomain.com = {
        db_library = samba
    }
    MYDOMAIN = {
        db_library = samba
    }
[logging]
    kdc = FILE:/var/log/samba/mit_kdc.log
    admin_server = FILE:/var/log/samba/mit_kadmin.log
=========

and other info:
=========
# samba-tool group listmembers 'Domain Computers'
WIN10$
WIN10ENG$

# samba-tool group listmembers 'Domain Users'
krbtgt
Administrator

# samba-tool gpo listall
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\mydomain.com\sysvol\mydomain.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
version      : 0
flags        : NONE

GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
version      : 0
flags        : NONE

# pdbedit -Lv -d 3 WIN10$
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
ldb_wrap open of idmap.ldb
Unix username:        WIN10$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-1300050927-3033631407-1805921976-1103
Primary Group SID:    S-1-5-21-1300050927-3033631407-1805921976-515
Full Name:
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:
Workstations:
Munged dial:
Logon time:           Tue, 03 Jul 2018 10:12:17 CEST
Logoff time:          0
Kickoff time:         Thu, 14 Sep 30828 03:48:05 CET
Password last set:    Mon, 02 Jul 2018 15:35:38 CEST
Password can change:  Mon, 02 Jul 2018 15:35:38 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# pdbedit -Lv -d 3 Administrator
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
ldb_wrap open of idmap.ldb
Unix username:        Administrator
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1300050927-3033631407-1805921976-500
Primary Group SID:    S-1-5-21-1300050927-3033631407-1805921976-513
Full Name:
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Built-in account for administering the computer/domain
Workstations:
Munged dial:
Logon time:           Tue, 03 Jul 2018 12:24:10 CEST
Logoff time:          0
Kickoff time:         Thu, 14 Sep 30828 03:48:05 CET
Password last set:    Mon, 02 Jul 2018 13:46:19 CEST
Password can change:  Mon, 02 Jul 2018 13:46:19 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
=========

some logs:
=========
# cat /var/log/samba/log.samba
[2018/07/03 09:53:34.446521,  0] ../source4/smbd/server.c:466(binary_smbd_main)
  samba version 4.8.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2018
[2018/07/03 09:53:35.314221,  0] ../source4/smbd/server.c:638(binary_smbd_main)
  binary_smbd_main: samba: using 'standard' process model
[2018/07/03 09:53:37.069464,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/krb5kdc: krb5kdc: starting...

# cat /var/log/samba/log.samba (log level = 3)
[2018/07/03 13:08:54.701296,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.158460,  3] ../libcli/auth/schannel_state_tdb.c:362(schannel_store_challenge_tdb)
  schannel_store_challenge_tdb: stored challenge info for 'WIN10ENG' with key CHALLENGE/3939
[2018/07/03 13:08:56.162929,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2018/07/03 13:08:56.167539,  3] ../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/WIN10ENG
[2018/07/03 13:08:56.169422,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [NETLOGON,ServerAuthenticate] user [MYDOMAIN]\[WIN10ENG$] at [Tue, 03 Jul 2018 13:08:56.169397 CEST] with [HMAC-SHA256] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.206.102:49677] became [MYDOMAIN]\[WIN10ENG$] [S-1-5-21-1300050927-3033631407-1805921976-1104]. local host [ipv4:192.168.206.10:49153] NETLOGON computer [WIN10ENG] trust account [WIN10ENG$]
[2018/07/03 13:08:56.169728,  3] ../auth/auth_log.c:591(log_no_json)
  log_no_json: JSON auth logs not available unless compiled with jansson
[2018/07/03 13:08:56.197063,  2] ../source4/rpc_server/dcerpc_server.c:76(dcesrv_assoc_group_reference)
  ../source4/rpc_server/dcerpc_server.c:76: Failed to find assoc_group 0x0000a4a5
[2018/07/03 13:08:56.198680,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.200050,  3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/WIN10ENG
[2018/07/03 13:08:56.200824,  3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/WIN10ENG
[2018/07/03 13:08:56.201092,  3] ../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/WIN10ENG
[2018/07/03 13:08:56.209198,  3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/WIN10ENG
[2018/07/03 13:08:56.209473,  3] ../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/WIN10ENG
[2018/07/03 13:08:56.329474,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.360224,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.389213,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2018/07/03 13:08:56.409493,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.570344,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2018/07/03 13:08:56.580480,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.588002,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.596842,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.607760,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:08:56.611825,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.613104,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:08:56.625498,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:08:56.637539,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:08:56.764344,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:57.117411,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:58.562198,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:58.894450,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2018/07/03 13:08:59.592761,  2] ../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2018/07/03 13:08:59.593268,  2] ../source4/dns_server/dns_update.c:730(dns_update_allowed)
  Update not allowed for unsigned packet.
[2018/07/03 13:08:59.612698,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:08:59.613178,  2] ../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2018/07/03 13:08:59.614267,  2] ../source4/dns_server/dns_update.c:389(handle_one_update)
  Looking at record:
[2018/07/03 13:08:59.614576,  2] ../source4/dns_server/dns_update.c:390(handle_one_update)
[2018/07/03 13:08:59.614692,  1] ../librpc/ndr/ndr.c:422(ndr_print_debug)
      discard_const(update): struct dns_res_rec
          name                     : 'win10eng.mydomain.com'
          rr_type                  : DNS_QTYPE_AAAA (0x1C)
          rr_class                 : DNS_QCLASS_ANY (0xFF)
          ttl                      : 0x00000000 (0)
          length                   : 0x0000 (0)
          rdata                    : union dns_rdata(case 0x1C)
          ipv6_record              : (null)
          unexpected               : DATA_BLOB length=0
[2018/07/03 13:08:59.616716,  2] ../source4/dns_server/dns_update.c:389(handle_one_update)
  Looking at record:
[2018/07/03 13:08:59.616959,  2] ../source4/dns_server/dns_update.c:390(handle_one_update)
[2018/07/03 13:08:59.617107,  1] ../librpc/ndr/ndr.c:422(ndr_print_debug)
      discard_const(update): struct dns_res_rec
          name                     : 'win10eng.mydomain.com'
          rr_type                  : DNS_QTYPE_A (0x1)
          rr_class                 : DNS_QCLASS_ANY (0xFF)
          ttl                      : 0x00000000 (0)
          length                   : 0x0000 (0)
          rdata                    : union dns_rdata(case 0x1)
          ipv4_record              : (null)
          unexpected               : DATA_BLOB length=0
[2018/07/03 13:08:59.619166,  2] ../source4/dns_server/dns_update.c:389(handle_one_update)
  Looking at record:
[2018/07/03 13:08:59.619421,  2] ../source4/dns_server/dns_update.c:390(handle_one_update)
[2018/07/03 13:08:59.619543,  1] ../librpc/ndr/ndr.c:422(ndr_print_debug)
      discard_const(update): struct dns_res_rec
          name                     : 'win10eng.mydomain.com'
          rr_type                  : DNS_QTYPE_A (0x1)
          rr_class                 : DNS_QCLASS_IN (0x1)
          ttl                      : 0x000004b0 (1200)
          length                   : 0x0004 (4)
          rdata                    : union dns_rdata(case 0x1)
          ipv4_record              : 192.168.206.102
          unexpected               : DATA_BLOB length=0
[2018/07/03 13:09:00.439410,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2018/07/03 13:09:02.048705,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ntp_signd_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:09:04.826540,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ntp_signd_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:09:07.183331,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:07.184064,  3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/WIN10ENG
[2018/07/03 13:09:08.717034,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:09.218428,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:09.449597,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2018/07/03 13:09:09.450626,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2018/07/03 13:09:19.901443,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
[2018/07/03 13:09:19.901761,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
[2018/07/03 13:09:19.901336,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:09:19.902664,  3] ../source4/smbd/process_single.c:125(single_terminate)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
  single_terminate: single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2018/07/03 13:09:19.903527,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:09:19.904807,  3] ../source4/smbd/process_single.c:125(single_terminate)
  single_terminate: single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2018/07/03 13:09:19.905532,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:09:19.905990,  3] ../source4/smbd/process_single.c:125(single_terminate)
  single_terminate: single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2018/07/03 13:09:50.729042,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:50.737605,  3] ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuapi_DsBind)
  ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing DsBind with system_session
[2018/07/03 13:09:51.118966,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:51.156994,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:51.848260,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2018/07/03 13:09:51.918885,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2018/07/03 13:10:19.900339,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:10:19.900598,  3] ../source4/smbd/process_single.c:125(single_terminate)
  single_terminate: single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2018/07/03 13:10:19.900640,  3] ../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2018/07/03 13:10:19.901027,  3] ../source4/smbd/process_single.c:125(single_terminate)
  single_terminate: single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2018/07/03 13:10:37.530420,  2] ../source4/dsdb/kcc/kcc_periodic.c:710(kccsrv_samba_kcc)
  Calling samba_kcc script
[2018/07/03 13:10:37.712443,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
[2018/07/03 13:10:37.948734,  3] ../lib/util/util_runcmd.c:291(samba_runcmd_io_handler)
  samba_runcmd_io_handler: Child /usr/sbin/samba_kcc exited 0
[2018/07/03 13:10:37.949167,  3] ../source4/dsdb/kcc/kcc_periodic.c:695(samba_kcc_done)
  Completed samba_kcc OK

# cat /var/log/samba/mit_kdc.log
otp: Loaded
Jul 03 09:53:37 dc1.mydomain.com krb5kdc[1074](info): setting up network...
krb5kdc: setsockopt(16,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(18,IPV6_V6ONLY,1) worked
Jul 03 09:53:37 dc1.mydomain.com krb5kdc[1074](info): set up 4 sockets
Jul 03 09:53:37 dc1.mydomain.com krb5kdc[1074](info): commencing operation
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: NEEDED_PREAUTH: win10$@mydomain.com for krbtgt/mydomain.com at mydomain.com, Additional pre-authentication required
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, win10$@mydomain.com for krbtgt/mydomain.com at mydomain.com
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for ldap/dc1.mydomain.com/mydomain.com at MYDOMAIN.COM
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: NEEDED_PREAUTH: win10$@mydomain.com for krbtgt/mydomain.com at mydomain.com, Additional pre-authentication required
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 23 -133 -128 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, win10$@mydomain.com for krbtgt/mydomain.com at mydomain.com
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for DNS/dc1.mydomain.com at MYDOMAIN.COM
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (1 etypes {18}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for cifs/dc1.mydomain.com at MYDOMAIN.COM
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: NEEDED_PREAUTH: win10$@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 21
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, win10$@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for LDAP/dc1.mydomain.com/mydomain.com at MYDOMAIN.COM
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:03 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for WIN10$@MYDOMAIN.COM
Jul 03 10:12:03 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 23 -133 -128 24 -135}) 192.168.206.101: NEEDED_PREAUTH: WIN10$@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 23 -133 -128 24 -135}) 192.168.206.101: ISSUE: authtime 1530605536, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605536, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for win10$@MYDOMAIN.COM
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: NEEDED_PREAUTH: administrator\@mydomain.com at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: ISSUE: authtime 1530605580, etypes {rep=18 tkt=18 ses=18}, administrator\@mydomain.com at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605580, etypes {rep=18 tkt=18 ses=18}, Administrator at MYDOMAIN.COM for host/win10.mydomain.com at MYDOMAIN.COM
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605580, etypes {rep=18 tkt=18 ses=18}, Administrator at MYDOMAIN.COM for LDAP/dc1.mydomain.com/mydomain.com at MYDOMAIN.COM
Jul 03 10:13:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:02 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605580, etypes {rep=18 tkt=18 ses=18}, Administrator at MYDOMAIN.COM for cifs/dc1.mydomain.com/mydomain.com at MYDOMAIN.COM
Jul 03 10:13:02 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:02 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (1 etypes {18}) 192.168.206.101: ISSUE: authtime 1530605580, etypes {rep=18 tkt=18 ses=18}, Administrator at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
Jul 03 10:13:02 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
=========

Thank you for your time and help
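A small triage helper for the gpresult /r output quoted in the post, added here as an example and not part of the thread or of Samba. It parses the COMPUTER SETTINGS and USER SETTINGS sections and lists, per principal, the GPOs rejected with "Denied (Security)" next to the group list of that principal's token; because a default GPO grants "Apply Group Policy" to Authenticated Users, a machine token that carries only NULL SID and no Authenticated Users or Domain Computers entry is exactly what produces that filtering result. The SAMPLE text is reconstructed from the post's output, and the EXPECTED_GROUPS table is the assumption this check is built on.

```python
"""Correlate security-filtered GPOs in 'gpresult /r' output with the
principal's token groups. Added example, not code from the thread."""
import re

# Assumption: groups a healthy domain-joined principal's token carries.
# The default GPO ACL grants "Apply Group Policy" to Authenticated Users,
# so a token without that SID is reported as "Denied (Security)".
EXPECTED_GROUPS = {
    "computer": ["NT AUTHORITY\\Authenticated Users", "Domain Computers"],
    "user": ["NT AUTHORITY\\Authenticated Users", "Domain Users"],
}

# Constructed sample, reconstructed from the gpresult output in the post.
SAMPLE = r"""
RSOP data for MYDOMAIN\Administrator on WIN10ENG : Logging Mode
----------------------------------------------------------------
OS Configuration:            Member Workstation

COMPUTER SETTINGS
------------------
    CN=WIN10ENG,CN=Computers,DC=mydomain,DC=com
    Group Policy was applied from:      dc1.mydomain.com

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Default Domain Policy
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    -------------------------------------------------------
        NULL SID
        NT AUTHORITY\NETWORK
        This Organization
        Untrusted Mandatory Level

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=mydomain,DC=com

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Default Domain Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        NT AUTHORITY\Authenticated Users
        Domain Admins
"""

SECTION_RE = re.compile(r"^(COMPUTER|USER) SETTINGS$")
GROUPS_RE = re.compile(r"^The (computer|user) is a part of the following security groups$")


def parse_gpresult(text):
    """Return {'computer': {...}, 'user': {...}}: applied GPOs, filtered
    GPOs (name -> filtering reason) and the token's group names."""
    sections, current, mode, pending_gpo = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:  # new principal section resets the parser state
            current = {"applied": [], "filtered": {}, "groups": []}
            sections[m.group(1).lower()] = current
            mode = None
            continue
        if current is None or not line or set(line) == {"-"}:
            continue  # preamble, blank lines and underline rules
        if line.startswith("Applied Group Policy Objects"):
            mode = "applied"
        elif line.startswith("The following GPOs were not applied"):
            mode = "filtered"
        elif GROUPS_RE.match(line):
            mode = "groups"
        elif mode == "applied":
            if line != "N/A":
                current["applied"].append(line)
        elif mode == "filtered":  # GPO name line, then "Filtering:  reason"
            if line.startswith("Filtering:"):
                current["filtered"][pending_gpo] = line.split(":", 1)[1].strip()
            else:
                pending_gpo = line
        elif mode == "groups":
            current["groups"].append(line)
    return sections


def diagnose(sections):
    """Findings per principal: NULL SID in the token, GPOs denied by security
    filtering, and expected group memberships that the token does not show."""
    findings = []
    for who, data in sections.items():
        groups = data["groups"]
        denied = [g for g, why in data["filtered"].items()
                  if why.startswith("Denied (Security)")]
        missing = [g for g in EXPECTED_GROUPS[who] if g not in groups]
        if "NULL SID" in groups:
            findings.append(f"{who}: token contains NULL SID")
        if denied:
            findings.append(f"{who}: {', '.join(denied)} denied by security filtering; "
                            f"token lacks {', '.join(missing) or 'nothing expected'}")
        elif missing:
            findings.append(f"{who}: token lacks {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_gpresult(SAMPLE)):
        print(finding)
```

Feed it the real gpresult /r text from the affected workstation; only the computer principal should produce findings in the situation described in the post.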
Rowland Penny
2018-Jul-03 12:24 UTC
[Samba] Samba 4 AD DC on Fedora, problem with GPOs and denied security for machines
On Tue, 3 Jul 2018 14:01:42 +0200
Tomasz Majewski via samba <samba at lists.samba.org> wrote:

> Hi,
> I need help with a strange problem.
>
> I installed Fedora 28 to test Samba 4 AD DC with MIT Kerberos with
> Windows 10 and Windows 7 clients and I can't run GPOs for machines.
> GPOs for users work.
>
> On Fedora 27 it is the same problem.
>
> After a couple of hours of changing settings I made a new installation of
> Debian 9.4 and everything works "out of the box".
>

'MIT' still seems to be a work in progress, there are numerous known problems and it looks like you have found another one.

Rowland