Kumar, Arjit (SSTO)
2019-Oct-07 15:45 UTC
[Samba] Not able to access samba share with domain name
Hi Team,

Issue :- I am not able to access samba share on windows client machine with domain name but able to access with IP

Further Details:-
We had 2 old samba 3.6.6 setup on hp-ux 11iv3, configured as Active Directory member server, We upgraded both hp-ux samba to 4.9.0 version.
For a week both setup works fine, In which we were able to access share of both hp-ux machines by domain name from windows client.
Now we are only able to access 1 share from IP only not with domain name, while other machine works fine.
smb.conf and other system setting as same in both machine and both machines are member to same Windows Active Directory Server.

Error message:-
On comparing logs of both machine below seems to be relevant error messages.

[time, 5, pid, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: ntlmssp[4c030]: NT_STATUS_INVALID_PARAMETER tevent_req[83070/../auth/ntlmssp/ntlmssp.c:181]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_ntlmssp_update_state (83150)] timer[0] finish[../auth/ntlmssp/ntlmssp.c:189]
[time, 1, pid, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: ntlmssp: parsing NEG_TOKEN_INIT content failed (next[(NULL)]): NT_STATUS_INVALID_PARAMETER

[time, 5, pid, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: spnego[4c150]: NT_STATUS_INVALID_PARAMETER tevent_req[10cfd0/../auth/gensec/spnego.c:1601]: state[3] error[-7963671676338569203

Is this a known issue reported earlier ?
We have seen similar issue in below links

https://bugzilla.samba.org/show_bug.cgi?id=14106
https://bugzilla.redhat.com/show_bug.cgi?id=1657428

Regards,
Arjit Kumar
Rowland penny
2019-Oct-07 16:31 UTC
[Samba] Not able to access samba share with domain name
On 07/10/2019 16:45, Kumar, Arjit (SSTO) via samba wrote:
> Hi Team,
>
> Issue :- I am not able to access samba share on windows client machine with domain name but able to access with IP
>
> Further Details:-
> We had 2 old samba 3.6.6 setup on hp-ux 11iv3, configured as Active Directory member server, We upgraded both hp-ux samba to 4.9.0 version.

That is some version jump ;-)

> For a week both setup works fine, In which we were able to access share of both hp-ux machines by domain name from windows client.
> Now we are only able to access 1 share from IP only not with domain name, while other machine works fine.
> smb.conf and other system setting as same in both machine and both machines are member to same Windows Active Directory Server.

This is strange, normally if it was a Samba problem, it would affect both machines, but who knows ?

Can you post your smb.conf, there have been a lot of changes between 3.6.6 and 4.9.0

>
> Error message:-
> On comparing logs of both machine below seems to be relevant error messages.
> [time, 5, pid, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:492(gensec_update_done)
> gensec_update_done: ntlmssp[4c030]: NT_STATUS_INVALID_PARAMETER tevent_req[83070/../auth/ntlmssp/ntlmssp.c:181]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_ntlmssp_update_state (83150)] timer[0] finish[../auth/ntlmssp/ntlmssp.c:189]
> [time, 1, pid, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
> gensec_spnego_server_negTokenInit_step: ntlmssp: parsing NEG_TOKEN_INIT content failed (next[(NULL)]): NT_STATUS_INVALID_PARAMETER
>
> [time, 5, pid, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:492(gensec_update_done)
> gensec_update_done: spnego[4c150]: NT_STATUS_INVALID_PARAMETER tevent_req[10cfd0/../auth/gensec/spnego.c:1601]: state[3] error[-7963671676338569203
>
>
> Is this a known issue reported earlier ?
> We have seen similar issue in below links
>
>
> https://bugzilla.samba.org/show_bug.cgi?id=14106
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1657428
>

They may be relevant, but I am unsure from the info provided ;-)

Rowland
Rowland penny
2019-Oct-08 08:30 UTC
[Samba] Not able to access samba share with domain name
On 08/10/2019 05:44, Kumar, Arjit (SSTO) wrote:
> Hi,
>
> Below is the smb.conf file.
>
> global]
> workgroup = ADSSERVER #same for both machine
> netbios name = hp-ux #Specific based on machine domain name
> server string = Samba Server
> security = DOMAIN
> encrypt passwords = Yes
> # password server = *
> password server = IP #same for both machine
> # syslog = 0
> log level = 3
> log file = /var/opt/samba/log.%m
> max log size = 1000
> preferred master = No
> local master = No
> domain master = No
> read only = No
> create mask = 0774
> # short preserve case = No
> short preserve case = Yes
> dos filetime resolution = Yes
> ntlm auth = No
> lanman auth = No
> client ntlmv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> min protocol = SMB2
> max protocol = SMB3
> unix extensions = No
>
> [homes]
> comment = Home Directories
> browseable = No
>

There are lots of lines there that you do not need (and some missing ones that you do need, more later), but the major problem is 'security = DOMAIN', it should be 'security = ADS', try this smb.conf:

[global]
    workgroup = ADSSERVER
    server string = Samba Server
    security = ADS
    log level = 3
    log file = /var/opt/samba/log.%m
    max log size = 1000
    preferred master = No
    local master = No
    domain master = No
    dos filetime resolution = Yes
    server min protocol = SMB2
    client min protocol = SMB2

[homes]
    comment = Home Directories
    browseable = No
    read only = No
    create mask = 0700
    directory mask = 0700
    valid users = %S

But there is still one big problem, there are no authentication lines. I would expect to see (at least) something like this:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config ADSSERVER : backend = rid
    idmap config ADSSERVER : range = 10000-999999

Never used HP-UX, but I would imagine it authenticates similar to Linux, but if you do not have the lines above (or similar) are all your users in /etc/passwd ?

Rowland
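
A small check for the two points raised in the reply above ('security = ADS' and the idmap config lines), added here as an example; it is not part of the thread and not Samba code. It also flags overlapping idmap ranges, which goes beyond what the reply states; the function names and both sample configs are constructed for illustration.

```python
import re

# Constructed sample: the posted settings reduced to the relevant lines.
SAMPLE_BEFORE = """\
[global]
    workgroup = ADSSERVER
    security = DOMAIN
"""

# Constructed sample: the suggested settings plus the idmap lines from the reply.
SAMPLE_AFTER = """\
[global]
    workgroup = ADSSERVER
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config ADSSERVER : backend = rid
    idmap config ADSSERVER : range = 10000-999999
"""

def parse_global(text):  # [global] parameters as a dict, keys lower-cased
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_member_config(text):  # list of findings, empty when both points are met
    p, findings, ranges = parse_global(text), [], []
    if p.get("security", "").lower() != "ads":
        findings.append("security is not ADS")
    for dom in ("*", p.get("workgroup", "").lower()):
        if f"idmap config {dom} : backend" not in p:
            findings.append(f"no idmap backend for {dom}")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", p.get(f"idmap config {dom} : range", ""))
        if m:
            ranges.append((int(m.group(1)), int(m.group(2)), dom))
        else:
            findings.append(f"no idmap range for {dom}")
    ranges.sort()  # by lower bound, so neighbours are the only overlap candidates
    findings += [f"idmap ranges overlap: {a} and {b}"
                 for (_, hi, a), (lo, _, b) in zip(ranges, ranges[1:]) if lo <= hi]
    return findings
```
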