Lorenzo Milesi
2019-Apr-25 15:33 UTC
[Samba] Win7 client error after classicupgrade from S3 to S4
Hi.
We're trying to upgrade an old NT domain to AD. It's our second upgrade,
and while the first was successful this one has raised some issues for existing
Windows 7 clients.
If we disconnect the computer from the domain and join it back to the new S4 AD
it works. Existing clients throw this error in Samba:
Kerberos: AS-REQ b1rd42nbtmp648$@NT4DOMAIN from ipv4:10.0.0.42:49472 for krbtgt/NT4DOMAIN@NT4DOMAIN
[2019/04/24 17:05:24.127751, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: encrypted-timestamp, 128
[2019/04/24 17:05:24.127768, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data -- b1rd42nbtmp648$@NT4DOMAIN
[2019/04/24 17:05:24.127777, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data -- b1rd42nbtmp648$@NT4DOMAIN
[2019/04/24 17:05:24.127799, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN (enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2019/04/24 17:05:24.127865, 5] ../source4/dsdb/common/util.c:5158(dsdb_update_bad_pwd_count) Not updating badPwdCount on CN=b1rd42nbtmp648,CN=Computers,DC=samba,DC=newdomain,DC=lan after wrong password
[2019/04/24 17:05:24.127877, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN
[2019/04/24 17:05:24.128238, 3] ../source4/smbd/service_stream.c:66(stream_term:
We've searched for similar errors and found we should reset the user password,
but this is a machine account.
Can I solve this without rejoining all W7 machines?
Thanks
krb5.conf:
[libdefaults]
default_realm = SAMBA.NEWDOMAIN.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
SAMBA.NEWDOMAIN.LAN = {
kdc = 10.0.0.7
admin_server = 10.0.0.7
}
smb.conf:
[global]
workgroup = NT4DOMAIN
realm = samba.newdomain.lan
netbios name = SERVERX7
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
interfaces = 127.0.0.1 10.0.0.7
log level = 4
winbind nss info = rfc2307
idmap config NT4DOMAIN:backend = ad
idmap config NT4DOMAIN:schema_mode = rfc2307
idmap config NT4DOMAIN:range = 10000-999999
winbind enum users = yes
winbind enum groups = yes
logon home = \\%N\%U
logon path = \\%N\profiles\%U
vfs object = acl_xattr
map acl inherit = yes
store dos attributes = yes
--
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY -
Tel +39 0341 220 205 - Fax +39 178 6070 222
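The log above shows the KDC rejecting the computer account's encrypted-timestamp pre-authentication because the key it holds for the account no longer matches the one the client uses, and Samba not bumping badPwdCount for it. As an added example (not part of the original post or of Samba), the parser below walks lines in that format and lists the machine accounts affected; the sample log, hostnames, addresses and function names are constructed here.

```python
import re

# Constructed sample in the shape of the Samba AD DC log quoted in the thread
# (log level 3+); hostnames, addresses and timestamps are made up.
SAMPLE_LOG = """\
[2019/04/24 17:05:24.127700, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ ws01$@NT4DOMAIN from ipv4:10.0.0.42:49472 for krbtgt/NT4DOMAIN@NT4DOMAIN
[2019/04/24 17:05:24.127799, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- ws01$@NT4DOMAIN (enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2019/04/24 17:05:24.127865, 5] ../source4/dsdb/common/util.c:5158(dsdb_update_bad_pwd_count) Not updating badPwdCount on CN=ws01,CN=Computers,DC=samba,DC=newdomain,DC=lan after wrong password
[2019/04/24 17:05:24.127877, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- ws01$@NT4DOMAIN
[2019/04/24 17:06:01.000100, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ alice@NT4DOMAIN from ipv4:10.0.0.50:50001 for krbtgt/NT4DOMAIN@NT4DOMAIN
[2019/04/24 17:06:01.000200, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- alice@NT4DOMAIN (enctype arcfour-hmac-md5) error Decrypt integrity check failed
"""

AS_REQ = re.compile(r"Kerberos: AS-REQ (?P<princ>\S+) from ipv4:(?P<ip>[\d.]+):\d+\b")
PA_FAIL = re.compile(r"Failed to decrypt PA-DATA -- (?P<princ>\S+)"
                     r"(?: \(enctype (?P<enctype>[^)]+)\) error (?P<err>.*))?$")
BAD_PWD = re.compile(r"Not updating badPwdCount on CN=(?P<cn>[^,]+),.* after wrong password")

def find_preauth_failures(log_text):
    """Principal -> details for each ENC-TS pre-auth the KDC could not decrypt:
    the key the client used differs from the key stored for the account (for a
    computer object, a stale machine password)."""
    last_ip, failures = {}, {}
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:                              # remember which client asked
            last_ip[m["princ"]] = m["ip"]
            continue
        m = PA_FAIL.search(line)
        if m:
            princ = m["princ"]
            entry = failures.setdefault(princ, {
                "ip": last_ip.get(princ), "enctype": None, "error": None,
                "machine_account": princ.split("@")[0].endswith("$"),
                "bad_pwd_count_updated": True})
            if m["enctype"]:               # the second, bare line carries no detail
                entry["enctype"], entry["error"] = m["enctype"], m["err"]
            continue
        m = BAD_PWD.search(line)
        if m:                              # failure is invisible to lockout counters
            for princ, info in failures.items():
                if princ.split("@")[0].rstrip("$").lower() == m["cn"].lower():
                    info["bad_pwd_count_updated"] = False
    return failures

def machine_accounts_to_fix(log_text):
    """Sorted computer names whose stored machine password no longer matches
    the one the client presents: candidates for a password reset or rejoin."""
    return sorted(p.split("@")[0].rstrip("$")
                  for p, i in find_preauth_failures(log_text).items()
                  if i["machine_account"])
```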
Rowland Penny
2019-Apr-25 16:02 UTC
[Samba] Win7 client error after classicupgrade from S3 to S4
On Thu, 25 Apr 2019 17:33:22 +0200 (CEST) Lorenzo Milesi via samba <samba at lists.samba.org> wrote:
> Hi.
> We're trying to upgrade an old NT domain to AD. It's our second
> upgrade, and while the first was successful this one has raised some
> issues for existing Windows 7 clients. If we disconnect the computer
> from the domain and join it back to the new S4 AD it works. Existing
> clients throw this error in Samba:
>
> Kerberos: AS-REQ b1rd42nbtmp648$@NT4DOMAIN from ipv4:10.0.0.42:49472 for krbtgt/NT4DOMAIN@NT4DOMAIN
> [2019/04/24 17:05:24.127751, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: encrypted-timestamp, 128
> [2019/04/24 17:05:24.127768, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data -- b1rd42nbtmp648$@NT4DOMAIN
> [2019/04/24 17:05:24.127777, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data -- b1rd42nbtmp648$@NT4DOMAIN
> [2019/04/24 17:05:24.127799, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN (enctype arcfour-hmac-md5) error Decrypt integrity check failed
> [2019/04/24 17:05:24.127865, 5] ../source4/dsdb/common/util.c:5158(dsdb_update_bad_pwd_count) Not updating badPwdCount on CN=b1rd42nbtmp648,CN=Computers,DC=samba,DC=newdomain,DC=lan after wrong password
> [2019/04/24 17:05:24.127877, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN
> [2019/04/24 17:05:24.128238, 3] ../source4/smbd/service_stream.c:66(stream_term:
>
> We've searched for similar errors but I found we should reset user
> password, but this is a machine account. Can I solve without
> rejoining all W7 machines?
> Thanks
>
> krb5.conf:
> [libdefaults]
> default_realm = SAMBA.NEWDOMAIN.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> SAMBA.NEWDOMAIN.LAN = {
> kdc = 10.0.0.7
> admin_server = 10.0.0.7
> }
>
> smb.conf:
> [global]
> workgroup = NT4DOMAIN
> realm = samba.newdomain.lan
> netbios name = SERVERX7
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> interfaces = 127.0.0.1 10.0.0.7
> log level = 4

It was going so well, a Samba AD DC using Bind9 as the dns server, then you went and added the lines below.

> winbind nss info = rfc2307
> idmap config NT4DOMAIN:backend = ad
> idmap config NT4DOMAIN:schema_mode = rfc2307
> idmap config NT4DOMAIN:range = 10000-999999

You definitely need to remove the 4 lines above, they have no place in an AD DC smb.conf.

> winbind enum users = yes
> winbind enum groups = yes

Whilst you can have the two lines above, they are not recommended.

> logon home = \\%N\%U
> logon path = \\%N\profiles\%U
> vfs object = acl_xattr
> map acl inherit = yes
> store dos attributes = yes

Another five lines that have no place in an AD DC smb.conf, the 'vfs object' line especially.

Rowland
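As an added example (not part of Rowland's reply and not a Samba tool), the checker below parses an smb.conf and flags the parameters this thread says do not belong on an AD DC: the member-server idmap and winbind settings, the logon and VFS/ACL share options, and the two enum options that are merely discouraged. The sample config is cut down from the one posted above; the rule sets and function names are constructed here.

```python
import re

# Settings Rowland says have no place in an AD DC smb.conf (normalised keys).
NOT_ON_DC = {"winbind nss info", "vfs object", "vfs objects", "map acl inherit",
             "store dos attributes", "logon home", "logon path"}
NOT_RECOMMENDED = {"winbind enum users", "winbind enum groups"}

# Constructed sample modelled on the [global] section posted in the thread.
SAMPLE_SMB_CONF = """
[global]
    workgroup = NT4DOMAIN
    realm = samba.newdomain.lan
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    winbind nss info = rfc2307
    idmap config NT4DOMAIN:backend = ad
    idmap config NT4DOMAIN:range = 10000-999999
    winbind enum users = yes
    vfs object = acl_xattr
    store dos attributes = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with keys lower-cased
    and internal whitespace collapsed, since smb.conf keys ignore case and spacing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def lint_dc_config(text):
    """Return [(key, reason)] for parameters that should not be on an AD DC.
    Only configs with the AD DC server role are checked; others return []."""
    glob = parse_smb_conf(text).get("global", {})
    if glob.get("server role", "").lower() != "active directory domain controller":
        return []
    own_prefix = "idmap config " + glob.get("workgroup", "").lower() + ":"
    findings = []
    for key in glob:
        if key in NOT_ON_DC:
            findings.append((key, "no place in an AD DC smb.conf; remove"))
        elif key in NOT_RECOMMENDED:
            findings.append((key, "permitted on a DC but not recommended"))
        elif key.startswith(own_prefix):   # idmap for the DC's own domain
            findings.append((key, "idmap config for the DC's own domain; remove"))
    return findings
```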
Rowland Penny
2019-Apr-25 17:19 UTC
[Samba] Win7 client error after classicupgrade from S3 to S4
On Thu, 25 Apr 2019 18:45:21 +0200 (CEST) Lorenzo Milesi <maxxer at yetopen.it> wrote:
> > Another five lines that have no place in an AD DC smb.conf, the 'vfs
> > object' line especially.
>
> thanks for the suggestions, but even with the basic smb.conf file
> compiled by the classicupgrade command we have the same issue on
> client machines, so it appears those parameters aren't creating the
> problem

By having the 'vfs object' line, you had turned off required parts of Samba, this may have led to your machine passwords not getting updated. You may have to rejoin the domain to reset the machine password, but I would try restarting first.

Rowland