samba-ml.20.dignative at spamgourmet.com
2018-Jul-09 08:55 UTC
[Samba] Errors "Domain password server not available" and "SPNEGO login failed: The request is not supported"
Hi,
I am running an Ubuntu 14.04 server with Samba
2:4.3.11+dfsg-0ubuntu0.14.04.14, which just provides storage services to
the network. It is configured to use an existing Active Directory
infrastructure based on Windows servers.
For some weeks I have been experiencing issues with accessing the network
shares served by Samba (no matter which client/operating system).
Connection/mounting attempts ultimately fail most of the time. I am
seeing errors like "SPNEGO login failed: The request is not supported."
and "domain_client_validate: Domain password server not available." in
the logs. But sometimes, without changes on the server side, accessing
the shares works fine. An excerpt of the full log is attached below.
I have already spent many hours trying to solve the problem by modifying
the Samba configuration, without success; however, the original
configuration worked fine for years.
I have no clue how this issue can be solved and would appreciate any
support.
Thank you in advance and kind regards,
René
Log excerpt:
[2018/07/09 09:28:37.296984, 3, pid=31899, effective(0, 0), real(0, 0)]
../source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to [REDACTED] at port 445
[2018/07/09 09:28:37.297273, 5, pid=31899, effective(0, 0), real(0, 0)]
../lib/util/util_net.c:1055(print_socket_options)
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 46080
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
[2018/07/09 09:28:37.298134, 3, pid=31899, effective(0, 0), real(0, 0)]
../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=120)
[2018/07/09 09:28:37.298168, 3, pid=31899, effective(0, 0), real(0, 0)]
../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
[2018/07/09 09:28:37.298190, 3, pid=31899, effective(0, 0), real(0, 0)]
../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178 at please_ignore
[2018/07/09 09:28:37.298291, 5, pid=31899, effective(0, 0), real(0, 0)]
../auth/gensec/gensec_start.c:680(gensec_start_mech)
Starting GENSEC mechanism spnego
[2018/07/09 09:28:37.298315, 5, pid=31899, effective(0, 0), real(0, 0)]
../auth/gensec/gensec_start.c:680(gensec_start_mech)
Starting GENSEC submechanism ntlmssp
[2018/07/09 09:28:37.298339, 1, pid=31899, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:402(ndr_print_debug)
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
[2018/07/09 09:28:37.298917, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
Got challenge flags:
[2018/07/09 09:28:37.298934, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2018/07/09 09:28:37.298984, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2018/07/09 09:28:37.298996, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2018/07/09 09:28:37.299027, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2018/07/09 09:28:37.299037, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2018/07/09 09:28:37.299067, 5, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_sign.c:633(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - using NTLM1
[2018/07/09 09:28:37.299462, 3, pid=31899, effective(0, 0), real(0, 0)]
../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
SPNEGO login failed: The request is not supported.
[2018/07/09 09:28:37.299558, 3, pid=31899, effective(0, 0), real(0, 0)]
../source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to [REDACTED] at port 445
[2018/07/09 09:28:37.299857, 5, pid=31899, effective(0, 0), real(0, 0)]
../lib/util/util_net.c:1055(print_socket_options)
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 46080
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
[2018/07/09 09:28:37.300719, 3, pid=31899, effective(0, 0), real(0, 0)]
../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=120)
[2018/07/09 09:28:37.300772, 3, pid=31899, effective(0, 0), real(0, 0)]
../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
[2018/07/09 09:28:37.300800, 3, pid=31899, effective(0, 0), real(0, 0)]
../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178 at please_ignore
[2018/07/09 09:28:37.300905, 5, pid=31899, effective(0, 0), real(0, 0)]
../auth/gensec/gensec_start.c:680(gensec_start_mech)
Starting GENSEC mechanism spnego
[2018/07/09 09:28:37.300927, 5, pid=31899, effective(0, 0), real(0, 0)]
../auth/gensec/gensec_start.c:680(gensec_start_mech)
Starting GENSEC submechanism ntlmssp
[2018/07/09 09:28:37.300950, 1, pid=31899, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:402(ndr_print_debug)
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
[2018/07/09 09:28:37.301526, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
Got challenge flags:
[2018/07/09 09:28:37.301543, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2018/07/09 09:28:37.301590, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2018/07/09 09:28:37.301602, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2018/07/09 09:28:37.301633, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2018/07/09 09:28:37.301644, 3, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2018/07/09 09:28:37.301681, 5, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_sign.c:633(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - using NTLM1
[2018/07/09 09:28:37.301999, 3, pid=31899, effective(0, 0), real(0, 0)]
../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
SPNEGO login failed: The request is not supported.
[2018/07/09 09:28:37.302044, 0, pid=31899, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_domain.c:184(domain_client_validate)
domain_client_validate: Domain password server not available.
[2018/07/09 09:28:37.302060, 5, pid=31899, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [REDACTED] FAILED
with error NT_STATUS_NOT_SUPPORTED
[2018/07/09 09:28:37.302087, 2, pid=31899, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [REDACTED] -> [REDACTED]
FAILED with error NT_STATUS_NOT_SUPPORTED
[2018/07/09 09:28:37.302108, 5, pid=31899, effective(0, 0), real(0, 0)]
../source3/auth/auth_ntlmssp.c:188(auth3_check_password)
Checking NTLMSSP password for [REDACTED] failed: NT_STATUS_NOT_SUPPORTED
[2018/07/09 09:28:37.302131, 5, pid=31899, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_server.c:737(ntlmssp_server_check_password)
../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for
[REDACTED] failed: NT_STATUS_NOT_SUPPORTED
[2018/07/09 09:28:37.302153, 2, pid=31899, effective(0, 0), real(0, 0)]
../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
Rowland Penny
2018-Jul-09 09:15 UTC
[Samba] Errors "Domain password server not available" and "SPNEGO login failed: The request is not supported"
On Mon, 9 Jul 2018 10:55:11 +0200 M.Eng. René Schwarz via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I am running an Ubuntu 14.04 server with Samba
> 2:4.3.11+dfsg-0ubuntu0.14.04.14, which just provides storage services
> to the network. It is configured to use an existing Active Directory
> infrastructure based on Windows servers.
>
> For some weeks I have been experiencing issues with accessing the
> network shares served by Samba (no matter which client/operating system).
> Connection/mounting attempts ultimately fail most of the time. I am
> seeing errors like "SPNEGO login failed: The request is not
> supported." and "domain_client_validate: Domain password server not
> available." in the logs. But sometimes, without changes on the server
> side, accessing the shares works fine. An excerpt of the full log is
> attached below.
>
> I have already spent many hours trying to solve the problem by modifying
> the Samba configuration, without success; however, the original
> configuration worked fine for years.
>
> I have no clue how this issue can be solved and would appreciate any
> support.
>
> Thank you in advance and kind regards,
> René

At first glance it looks like your Ubuntu server is trying to use NTLMv1
against something that no longer uses it.

Can you post your smb.conf and tell us what your Windows servers are?

Rowland
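The flag words in the log excerpt can be decoded and compared to see what changed between the server's challenge and the client's final set. This is an added example, not part of the original thread or of Samba's code; the flag table is a partial one limited to the bits in this log, and the function and stage names are illustrative.

```python
import re
# Partial NegotiateFlags table (MS-NLMP bit values); only bits seen in this log.
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
# Log text introducing each stage's flag word; stage names are illustrative.
MARKERS = (("NegotiateFlags", "negotiate"), ("Got challenge flags", "challenge"),
           ("Set final flags", "final"))
# Message lines taken from the log excerpt in the first post, headers omitted.
SAMPLE_LOG = """\
NegotiateFlags : 0x62088215 (1644724757)
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62008a15
"""

def decode(value):
    """Return the names of all known flags set in a 32-bit flag word."""
    return {name for bit, name in FLAGS.items() if value & bit}

def extract_stages(log):
    """Map each stage name to the first flag word logged after its marker."""
    stages, pending = {}, None
    for line in log.splitlines():
        pending = next((s for key, s in MARKERS if key in line), pending)
        m = re.search(r"0x([0-9a-fA-F]{8})\b", line)
        if m and pending:
            stages[pending] = int(m.group(1), 16)
            pending = None  # ignore later flag dumps until the next marker
    return stages

def compare(stages):
    """Return (offered by server but dropped, present only in final set)."""
    offered, final = decode(stages["challenge"]), decode(stages["final"])
    return sorted(offered - final), sorted(final - offered)

if __name__ == "__main__":
    print(compare(extract_stages(SAMPLE_LOG)))
```

On the values from this log, the final set lacks NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY and gains NTLMSSP_ANONYMOUS, which lines up with the "NTLMSSP Sign/Seal - using NTLM1" message that follows.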
samba-ml.20.dignative at spamgourmet.com
2018-Jul-09 09:54 UTC
[Samba] Errors "Domain password server not available" and "SPNEGO login failed: The request is not supported"
On 2018/07/09 11:15, Rowland Penny via samba - samba at lists.samba.org wrote:

> At first glance it looks like your Ubuntu server is trying to use
> NTLMv1 against something that no longer uses it.
>
> Can you post your smb.conf and tell us what your Windows servers are?

Hi Rowland,

thank you very much for your quick response.

Yes, please find my reduced smb.conf attached below. I have just removed
the 20+ share definitions we have; they are all similar to the example
one displayed.

Unfortunately, I can't tell you any details about the Windows servers
since they are centrally managed (by another organizational unit) and I
don't know much about them.

Kind regards and thank you for your support,
René

[global]
workgroup = [REDACTED]
local master = no
server string = %h server (Samba, Ubuntu)
wins support = no
wins server = [REDACTED]
dns proxy = no
realm = [REDACTED]
security = ads
domain master = no
domain logons = no
machine password timeout = 0
kerberos method = dedicated keytab
dedicated keytab file = /etc/opt/quest/vas/host.keytab
idmap uid = 1-2147483647
idmap gid = 1-2147483647
encrypt passwords = yes
lanman auth = no
ntlm auth = no
use spnego = yes
log file = /var/log/samba/samba.log
max log size = 10000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
guest account = nobody

[data_exchange]
path = /srv/shares/data_exchange
browsable = yes
public = yes
writeable = yes
guest ok = yes
create mask = 0664
force create mode = 0664
directory mask = 2775
force directory mode = 2775
admin users = [REDACTED], [REDACTED]
force user = nobody
force group = nogroup