On Tue, 2018-10-16 at 15:18 -0700, Emil Henry wrote:
> Hi Andrew!
>
> I included it in one response, but may have not done a Reply All. Am resending it.
>
> Thanks.

It is reading the hashes, so it looks like it is working. Dumb question, but are you really sure the password is right?

Otherwise, it might be some very odd NTLMv2 thing. Try (on the client) 'client ntlmv2 auth = no' and 'ntlm auth = yes' (on the server) just to rule that out.

Also please try with Samba 4.9, Samba 4.1 is very old and there may be something else we have fixed.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Hi Andrew!

I am not 100% sure that the password is correct. I was told that it was changed to the one I am testing. But, when I try the old password, I get a different error message (NT_STATUS_INVALID_SID). I will attach the output.

I added the 'ntlm auth = yes' to the smb.conf. How would I change the client?

The version of Samba that we are running is 4.7.1, which is the latest version that is available in the yum repository.

Thanks.

[root at SMBServer ~]# smbclient //localhost/share -U johndoe -d 10
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
Processing section "[global]"
doing parameter security = user
doing parameter ldap user suffix = ou=people
doing parameter ldap group suffix = ou=groups
doing parameter ldap ssl = off
doing parameter ldap passwd sync = yes
doing parameter ldap delete dn = no
doing parameter workgroup = example.com
doing parameter server string = "Samba Drives"
doing parameter netbios name = SMBServer
doing parameter log file = /var/log/samba/log.%m
doing parameter log level = 5
doing parameter max log size = 50
doing parameter ldap suffix = "o=EXAMPLE"
doing parameter ldap admin dn = "cn=PUser,ou=Proxies,ou=Auth,o=EXAMPLE"
doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
doing parameter ntlm auth = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface enp7s0f1 ip=192.168.2.122 bcast=192.168.2.255 netmask=255.255.255.0
added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SMBServer"
Client started (version 4.7.1).
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Wed Dec 31 04:00:00 PM 1969 PST] (-1539746033 seconds in the past)
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up localhost#20 (sitename (null))
name localhost#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 127.0.0.1 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 2626560
  SO_RCVBUF = 1061296
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
session request ok
negotiated dialect[SMB3_11] against server[localhost]
got OID=1.3.6.1.4.1.311.2.2.10
Enter EXAMPLE.COM\johndoe's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
    Signature        : 'NTLMSSP'
    MessageType      : NtLmNegotiate (1)
    NegotiateFlags   : 0x62088215 (1644724757)
        1: NTLMSSP_NEGOTIATE_UNICODE
        0: NTLMSSP_NEGOTIATE_OEM
        1: NTLMSSP_REQUEST_TARGET
        1: NTLMSSP_NEGOTIATE_SIGN
        0: NTLMSSP_NEGOTIATE_SEAL
        0: NTLMSSP_NEGOTIATE_DATAGRAM
        0: NTLMSSP_NEGOTIATE_LM_KEY
        0: NTLMSSP_NEGOTIATE_NETWARE
        1: NTLMSSP_NEGOTIATE_NTLM
        0: NTLMSSP_NEGOTIATE_NT_ONLY
        0: NTLMSSP_ANONYMOUS
        0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
        0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
        0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
        1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
        0: NTLMSSP_TARGET_TYPE_DOMAIN
        0: NTLMSSP_TARGET_TYPE_SERVER
        0: NTLMSSP_TARGET_TYPE_SHARE
        1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
        0: NTLMSSP_NEGOTIATE_IDENTIFY
        0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
        0: NTLMSSP_NEGOTIATE_TARGET_INFO
        1: NTLMSSP_NEGOTIATE_VERSION
        1: NTLMSSP_NEGOTIATE_128
        1: NTLMSSP_NEGOTIATE_KEY_EXCH
        0: NTLMSSP_NEGOTIATE_56
    DomainNameLen    : 0x0000 (0)
    DomainNameMaxLen : 0x0000 (0)
    DomainName       : *
        DomainName       : ''
    WorkstationLen   : 0x0000 (0)
    WorkstationMaxLen: 0x0000 (0)
    Workstation      : *
        Workstation      : ''
    Version: struct ntlmssp_VERSION
        ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
        ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
        ProductBuild        : 0x0000 (0)
        Reserved: ARRAY(3)
            [0] : 0x00 (0)
            [1] : 0x00 (0)
            [2] : 0x00 (0)
        NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_SERVER
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
short string '', sent with NULL termination despite NOTERM flag in IDL
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID

On Tue, Oct 16, 2018 at 5:39 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2018-10-16 at 15:18 -0700, Emil Henry wrote:
> > Hi Andrew!
> >
> > I included it in one response, but may have not done a Reply All. Am
> > resending it.
> >
> > Thanks.
>
> It is reading the hashes, so it looks like it is working. Dumb
> question, but are you really sure the password is right?
>
> Otherwise, it might be some very odd NTLMv2 thing. Try (on the client)
> 'client ntlmv2 auth = no' and 'ntlm auth = yes' (on the server) just to
> rule that out.
>
> Also please try with Samba 4.9, Samba 4.1 is very old and there may be
> something else we have fixed.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
On Tue, 2018-10-16 at 20:20 -0700, Emil Henry wrote:
> Hi Andrew!
>
> I am not 100% sure that the password is correct. I was told that it
> was changed to the one I am testing. But, when I try the old
> password, I get a different error message (NT_STATUS_INVALID_SID). I
> will attach the output.

Then it is the old password, and you have other issues you need to sort out.

Again, the server-side log will show more about what is wrong, but look up the error message, it typically means your primary group ID is mapped incorrectly in idmap.

> I added the 'ntlm auth = yes' to the smb.conf. How would I change the
> client?

The client uses the smb.conf on the host it runs on. But the above suggests that the issue was just a wrong password.

> The version of Samba that we are running is 4.7.1, which is the latest
> version that is available in the yum repository.

OK, I must have mis-read that.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
On Tuesday, 16 October 2018, 20:20:49 CEST, Emil Henry via samba wrote:
> Hi Andrew!
>
> I am not 100% sure that the password is correct. I was told that it
> was changed to the one I am testing.

To be unsure is bad in our business. There may be three passwords stored in ldap for a regular user.

> But, when I try the old
> password, I get a different error message (NT_STATUS_INVALID_SID).

I assume that your server was working before you upgraded to 4.7.1.

Until now we don't know if the admin password is correct, so we use anonymous bind for ldap.

Invalid Sid happens often on upgrading. If for any reason, i.e. wrong ldap admin password, smbd can not read the ldap db.

TRY:

# ldapsearch -xLLL 'sambadomainname=*' sambaDomainName sambaSID
dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
sambaDomainName: SCHULE
sambaSID: S-1-5-21-1507708399-2130971284-2230424465

This sid is your domain sid. Compare it with the sid samba uses:

# net getdomainsid
SID for local machine ALIX is: S-1-5-21-1507708399-2130971284-2230424465
SID for domain SCHULE is: S-1-5-21-1507708399-2130971284-2230424465

You may wish to verify your account sids:

# ldapsearch -xLLL 'sambasid=S-1-5-21*' sambaSID|less

"man net" will give you the command to reset the domain sid to the old one.

-- 
Regards
Harry Jede
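The SID check Harry walks through above, turned into a script and extended to each account's primary group SID (the idmap mapping Andrew points at), as an added example that is not from the thread or from the Samba project. The ldapsearch and net getdomainsid output embedded in it, and every SID and DN, are constructed so the script runs offline; against a real server you would feed it the live command output instead.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: scripts the SID
# consistency check Harry describes and extends it to each account's
# sambaPrimaryGroupSID, since Andrew notes NT_STATUS_INVALID_SID usually
# means the primary group is mapped wrongly. All sample output below is a
# constructed stand-in for the live ldapsearch / net commands.

# Domain SID from: ldapsearch -xLLL 'sambaDomainName=*' sambaDomainName sambaSID
ldif_domain_sid() {
    printf '%s\n' "$1" | sed -n 's/^sambaSID: //p' | head -n 1
}

# Domain SID from: net getdomainsid ("SID for domain X is: S-1-5-21-...")
net_domain_sid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain [^ ]* is: //p' | head -n 1
}

# Succeeds only if both SIDs are present and identical.
sids_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Print every sambaSID / sambaPrimaryGroupSID in the account LDIF that is
# not a RID under the given domain SID; empty output means all is well.
foreign_sids() {
    domain="$1"
    printf '%s\n' "$2" | grep -E '^samba(PrimaryGroup)?SID: ' | sed 's/^[^:]*: //' |
    while read -r sid; do
        case "$sid" in
            "$domain"-*) ;;
            *) printf '%s\n' "$sid" ;;
        esac
    done
}

# Constructed sample output; the SIDs and DNs are made up.
DOMAIN_LDIF='dn: sambaDomainName=EXAMPLE,o=EXAMPLE
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111111111-2222222222-3333333333'

NET_OUT='SID for local machine SMBSERVER is: S-1-5-21-1111111111-2222222222-3333333333
SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333'

# From: ldapsearch -xLLL 'sambaSID=S-1-5-21*' sambaSID sambaPrimaryGroupSID
ACCOUNT_LDIF='dn: uid=johndoe,ou=people,o=EXAMPLE
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1002
sambaPrimaryGroupSID: S-1-5-21-9999999999-8888888888-7777777777-513'

DOMAIN_SID="$(ldif_domain_sid "$DOMAIN_LDIF")"
if sids_match "$DOMAIN_SID" "$(net_domain_sid "$NET_OUT")"; then
    echo "domain SID in LDAP matches net getdomainsid: $DOMAIN_SID"
fi
# Prints johndoe's primary-group SID, which still carries the old domain SID.
foreign_sids "$DOMAIN_SID" "$ACCOUNT_LDIF"
```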