Paulo Cesar
2023-Sep-11 17:10 UTC
[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10
Hello everybody. After installing a new AD domain controller with version 4.17.10+dfsg-0+deb12u1~bpo11+1, present in the Debian 11.7 backports repository, I am unable to join workstations running Windows XP SP3 to the domain. The Samba AD server was initially configured with the options "domain-sid=S-1-5-21-9500468976-950304483-95027178", "dns-backend=SAMBA_INTERNAL", "use-rfc2307" and "next-rid=5000000". In previous tests, joining the domain with version 4.13.13 was working. I also tested version 4.17.9 (Debian main repository) and 4.17.10 (debian-security repository) present in Debian 12, and the failure also occurs in both versions. The tests were carried out with "fresh installations" of the Samba server and with the SMBv1 protocol, as well as NTLMv1, active in the ADDC server configuration (smb.conf). I also tried enabling NTLMv2 on the Windows XP client, but this had no effect. The Windows XP SP3 installation is also "fresh", the local system firewall has been disabled, and there is no firewall protecting the AD domain controller (neither locally nor through a service on the network). When trying to join the domain with the user "administrator", an "internal error" message is presented to the user, along with the error "0x54f" (Unable to bind to DS) recorded in the file "C:\Windows\Debug\NetSetup.log" (full logs are available in this message). I have successfully run the join tests with Windows 2003 Server (64-bit) and Windows 7 SP2.
Other actions I tried to take to try to solve the problem:

- Remove the client machine account running Windows XP from the directory service and purge this data (expunge by samba-tool), with no effect;
- Installing KB969084 on Windows XP due to some research on the internet regarding similar problems, with no effect;
- Change local security policies, especially those related to communication channel signing (in network security options), with no effect;
- Change options related to authentication present on the server (smb.conf), but none of the changed settings, alone or together, had any effect.

The server's "smb.conf" file:

[global]
    dns forwarder = 10.1.1.9
    interfaces = lo ens18
    netbios name = SERVERT
    realm = TESTE.SMB4.REDE
    server role = active directory domain controller
    workgroup = TESTE
    idmap_ldb:use rfc2307 = yes
    server services = -nbt
    idmap_ldb:use rfc2307 = yes
    lm interval = 0
    max log size = 0
    log level = 3 auth:3 auth_audit:5 auth_audit_json:5 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
    debug class = yes
    ### Legacy auth ###
    lm announce = no
    lanman auth = yes
    #ntlm auth = yes
    ntlm auth = ntlmv1-permitted
    client lanman auth = yes
    client ntlmv2 auth = yes
    client min protocol = NT1
    server min protocol = NT1
    #allow nt4 crypto = yes
    #kerberos encryption types = legacy
    #client ipc min protocol = NT1
    #kdc force enable rc4 weak session keys = yes
    server reject md5 schannel:TESTEXPPC$ = no
    allow nt4 crypto:TESTEXPPC$ = yes
    #client signing = auto
    #server signing = auto
    #server schannel require seal:TESTEXPPC$ = no

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/teste.smb4.rede/scripts
    read only = No

[comp]
    path = /tmp/comp
    read only = no
    public = yes
The server's "/etc/resolv.conf" file:

domain teste.smb4.rede
search teste.smb4.rede
nameserver 10.1.1.7
nameserver 10.1.1.146

The server's "/etc/hosts" file:

127.0.0.1       localhost
10.1.1.7        servert.teste.smb4.rede servert

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

The logs present in the Windows XP SP3 "NetSetup.log" file:

09/11 11:39:06 NetpDoDomainJoin
09/11 11:39:06 NetpMachineValidToJoin: 'TESTEXPPC'
09/11 11:39:06 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:06 NetpMachineValidToJoin: status: 0x0
09/11 11:39:06 NetpJoinDomain
09/11 11:39:06     Machine: TESTEXPPC
09/11 11:39:06     Domain: teste.smb4.rede
09/11 11:39:06     MachineAccountOU: (NULL)
09/11 11:39:06     Account: teste.smb4.rede\administrator
09/11 11:39:06     Options: 0x27
09/11 11:39:06     OS Version: 5.1
09/11 11:39:06     Build number: 2600
09/11 11:39:06     ServicePack: Service Pack 3
09/11 11:39:06 NetpValidateName: checking to see if 'teste.smb4.rede' is valid as type 3 name
09/11 11:39:06 NetpValidateName: 'teste.smb4.rede' is not a valid NetBIOS domain name: 0x7b
09/11 11:39:06 NetpCheckDomainNameIsValid [ Exists ] for 'teste.smb4.rede' returned 0x0
09/11 11:39:06 NetpValidateName: name 'teste.smb4.rede' is valid for type 3
09/11 11:39:06 NetpDsGetDcName: trying to find DC in domain 'teste.smb4.rede', flags: 0x1020
09/11 11:39:06 NetpDsGetDcName: found DC '\\servert.teste.smb4.rede' in the specified domain
09/11 11:39:06 NetpJoinDomain: status of connecting to dc '\\servert.teste.smb4.rede': 0x0
09/11 11:39:06 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:06 NetpGetDnsHostName: Read NV Hostname: testexppc
09/11 11:39:06 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: teste.smb4.rede
09/11 11:39:06 NetpLsaOpenSecret: status: 0xc0000034
09/11 11:39:06 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:06 NetpLsaOpenSecret: status: 0xc0000034
09/11 11:39:07 NetpManageMachineAccountWithSid: NetUserAdd on '\\servert.teste.smb4.rede' for 'TESTEXPPC$' failed: 0x8b0
09/11 11:39:07 NetpManageMachineAccountWithSid: status of attempting to set password on '\\servert.teste.smb4.rede' for 'TESTEXPPC$': 0x0
09/11 11:39:07 NetpJoinDomain: status of creating account: 0x0
09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on '\\servert.teste.smb4.rede': 0x54f
09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
09/11 11:39:07 ldap_unbind status: 0x0
09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN: 0x54f
09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors
09/11 11:39:07 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:07 NetpManageMachineAccountWithSid: status of disabling account 'TESTEXPPC$' on '\\servert.teste.smb4.rede': 0x0
09/11 11:39:07 NetpJoinDomain: rollback: status of deleting computer account: 0x0
09/11 11:39:07 NetpLsaOpenSecret: status: 0x0
09/11 11:39:07 NetpJoinDomain: rollback: status of deleting secret: 0x0
09/11 11:39:07 NetpJoinDomain: status of disconnecting from '\\servert.teste.smb4.rede': 0x0
09/11 11:39:07 NetpDoDomainJoin: status: 0x54f

Samba server logs during the join attempt:

[2023/09/11 12:11:25.304407,  5, class=auth_audit] ../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Mon, 11 Sep 2023 12:11:25.304394 -03] Remote host [ipv4:10.2.2.122:55378] local host [ipv4:10.1.1.7:135]
[2023/09/11 12:11:25.325044,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2023/09/11 12:11:25.325078,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for TGS-REQ
[2023/09/11 12:11:25.325703,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] tixaddrs=TYPE_20:54455354455850504320202020202020
[2023/09/11 12:11:25.325728,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2023/09/11 12:11:25.325742,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ Administrator at TESTE.SMB4.REDE from ipv4:10.2.2.122:58742 for krbtgt/TESTE.SMB4.REDE at TESTE.SMB4.REDE [renewable-ok, canonicalize, renewable, forwarded, forwardable]
[2023/09/11 12:11:25.329450,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair auth=1694445085
[2023/09/11 12:11:25.329470,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair start=1694445085
[2023/09/11 12:11:25.329476,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair end=1694481085
[2023/09/11 12:11:25.329481,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair renew=1695049885
[2023/09/11 12:11:25.329492,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2023-09-11T12:11:25 starttime: 2023-09-11T12:11:25 endtime: 2023-09-11T22:11:25 renew till: 2023-09-18T12:11:25
[2023/09/11 12:11:25.329501,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] canon_client_name=Administrator at TESTE.SMB4.REDE
[2023/09/11 12:11:25.329506,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair pac_attributes=1
[2023/09/11 12:11:25.329631,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] etypes=18,-133,-128,3,1,24,-135
[2023/09/11 12:11:25.329642,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, -133, -128, 3, 1, 24, -135, using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
[2023/09/11 12:11:25.329652,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] etype=23/18
[2023/09/11 12:11:25.329659,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwarded, forwardable
[2023/09/11 12:11:25.329665,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] flags=renewable-ok,canonicalize,renewable,forwarded,forwardable
[2023/09/11 12:11:25.329798,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.004772
[2023/09/11 12:11:25.329818,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ SUCCESS ipv4:10.2.2.122:58742 Administrator at TESTE.SMB4.REDE krbtgt/TESTE.SMB4.REDE at TESTE.SMB4.REDE etype=23/18 pac_attributes=1 canon_client_name=Administrator at TESTE.SMB4.REDE end=1694481085 auth=1694445085 etypes=18,-133,-128,3,1,24,-135 renew=1695049885 elapsed=0.004772 flags=renewable-ok,canonicalize,renewable,forwarded,forwardable start=1694445085 tixaddrs=TYPE_20:54455354455850504320202020202020
[2023/09/11 12:11:25.334025,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2023/09/11 12:11:25.337696,  3, class=ldb] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2023/09/11 12:11:25.343249,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2023/09/11 12:11:25.343438,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2023/09/11 12:11:25.348151,  3, class=ldb] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of privilege.ldb
[2023/09/11 12:11:25.367180,  4, class=auth_audit] ../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,ncacn_np] user [TESTE]\[Administrator] [S-1-5-21-9500468976-950304483-95027178-500] at [Mon, 11 Sep 2023 12:11:25.367169 -03] Remote host [ipv4:10.2.2.122:60708] local host [ipv4:10.1.1.7:445]
  {"timestamp": "2023-09-11T12:11:25.433246-0300", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": "ipv4:10.2.2.122:60708", "performedAsSystem": false, "userSid": "S-1-5-21-9500468976-950304483-95027178-500", "dn": "CN=TESTEXPPC,CN=Computers,DC=teste,DC=smb4,DC=rede", "transactionId": "bb37fa00-00b2-46cc-b5f8-0c2f5c47659b", "sessionId": "4bf09255-fd12-4d2c-81df-10f7372a1b8f", "attributes": {"userAccountControl": {"actions": [{"action": "replace", "values": [{"value": "4098"}]}]}}}}
[2023/09/11 12:11:25.433326,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1717(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_registrations=0
[2023/09/11 12:11:25.433334,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1719(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_registered=0
[2023/09/11 12:11:25.433338,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1829(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_toplevel=0
[2023/09/11 12:11:25.433342,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1850(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_processed=0
[2023/09/11 12:11:25.433346,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1851(descriptor_prepare_commit)
  descriptor_prepare_commit: objects: num_processed=0
[2023/09/11 12:11:25.433349,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1852(descriptor_prepare_commit)
  descriptor_prepare_commit: objects: num_skipped=0
[2023/09/11 12:11:25.449399,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2023/09/11 12:11:25.473967,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'

Only for additional info: I also configured a domain controller in NT4 mode using Samba version 4.17.10, and apparently everything still works (join and user authentication) as expected for Windows XP and the other versions that I tested. I searched for a few days before making this post to try to find something on the list that could help me, but unfortunately I didn't find anything.
I also checked that this problem was not related to bug 9959 (https://bugzilla.samba.org/show_bug.cgi?id=9959), because I saw that the Samba 4.17 code was recently updated to 4.17.11 because of this bug, but there is only a single object with "CN=System" in the directory service, so I believe there is no relationship between the reported problems. I also know about the fact that Windows XP is an obsolete system and should no longer be in use, but unfortunately it is still used in some specific situations for some of the organizations to which I provide services. I am not a native English speaker; I apologize if I made any mistakes regarding the language when constructing this text. My greetings to everyone.
Andrew Bartlett
2023-Sep-11 19:55 UTC
[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10
On Mon, 2023-09-11 at 17:10 +0000, Paulo Cesar via samba wrote:
> I also know about the fact that Windows XP is an obsolete system and
> should no longer be in use but unfortunately it is still used in some
> specific situations for some of the organizations that I provide
> services.

If I was in this situation, and Windows XP failed but Windows 2003 still worked, I would try to use Windows 2003 for whatever the need is. Hopefully they are compatible enough for whatever special use case you have.

But in general, they are much the same codebase, but I wonder if possibly the server got a few more late patches.

In mentioning WinXP, I notice they are still issuing some security patches, like this one:
https://www.microsoft.com/en-us/download/details.aspx?id=55245
(Also for 2003)
https://www.microsoft.com/en-us/download/details.aspx?id=55248

As to debugging, clearly the join fails at:

09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on '\\servert.teste.smb4.rede': 0x54f
09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
09/11 11:39:07 ldap_unbind status: 0x0
09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN: 0x54f
09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors

I would ensure the clocks are already in sync with NTP, then get a network trace taken from the server and turn up the Samba logs to 'log level = 10', with 'debug highres timestamp = yes', and look for the matching packet (a bind presumably) and anything Samba indicates about the failure.

But this may be a case for a Samba commercial support provider; it looks pretty tricky.
Andrew,

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead                                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
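Both messages above turn on reading the same two artefacts: the client-side NetSetup.log, where the join's final status (0x54f) first appears at NetpGetComputerObjectDn, and the DC-side dsdb_json_audit record, where the rollback shows up as userAccountControl being replaced with 4098 on the new computer object. The script below is an added example written for this thread; it is not code from Samba, Debian or either poster. It parses constructed copies of the lines quoted in the thread, reports the step at which the join failed (the first line carrying the same code as the final NetpDoDomainJoin status, rather than the first non-zero code, since 0x7b, 0xc0000034 and 0x8b0 are normal probing noise in a join), and decodes the userAccountControl value from the DC's audit JSON. The error-code and UAC-flag names are the standard Win32/NTSTATUS and AD values; the helper names and the trimmed sample records are this example's own.

```python
"""Triage a Windows NetSetup.log join attempt and correlate it with the
Samba DC's dsdb_json_audit records.

Added example for this thread: not code from Samba, Debian or either poster.
All sample log lines are constructed from the lines quoted in the thread.
"""
import json
import re

# Well-known Win32 / NTSTATUS codes seen in the quoted NetSetup.log.
# Anything not listed is reported as raw hex.
KNOWN_CODES = {
    0x0: "NO_ERROR",
    0x7B: "ERROR_INVALID_NAME",
    0x54F: "ERROR_INTERNAL_ERROR",
    0x8B0: "NERR_UserExists",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

# userAccountControl bits that matter for machine accounts.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
}

# "MM/DD HH:MM:SS <body>[: 0x<code>]"; the code is optional because some
# lines (e.g. a bare "NetpDoDomainJoin") carry none.
NETSETUP_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) (?P<body>.*?)"
    r"(?:: (?P<code>0x[0-9A-Fa-f]+))?$"
)

# Constructed from the NetSetup.log excerpt quoted in the thread.
NETSETUP_SAMPLE = """\
09/11 11:39:06 NetpDoDomainJoin
09/11 11:39:06 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:06 NetpValidateName: 'teste.smb4.rede' is not a valid NetBIOS domain name: 0x7b
09/11 11:39:06 NetpLsaOpenSecret: status: 0xc0000034
09/11 11:39:07 NetpManageMachineAccountWithSid: NetUserAdd on '\\\\servert.teste.smb4.rede' for 'TESTEXPPC$' failed: 0x8b0
09/11 11:39:07 NetpJoinDomain: status of creating account: 0x0
09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on '\\\\servert.teste.smb4.rede': 0x54f
09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
09/11 11:39:07 ldap_unbind status: 0x0
09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors
09/11 11:39:07 NetpManageMachineAccountWithSid: status of disabling account 'TESTEXPPC$' on '\\\\servert.teste.smb4.rede': 0x0
09/11 11:39:07 NetpDoDomainJoin: status: 0x54f
"""

# Constructed from the Samba log excerpt quoted in the thread (ids trimmed).
SAMBA_SAMPLE = """\
[2023/09/11 12:11:25.343249,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
  {"timestamp": "2023-09-11T12:11:25.433246-0300", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": "ipv4:10.2.2.122:60708", "performedAsSystem": false, "userSid": "S-1-5-21-9500468976-950304483-95027178-500", "dn": "CN=TESTEXPPC,CN=Computers,DC=teste,DC=smb4,DC=rede", "attributes": {"userAccountControl": {"actions": [{"action": "replace", "values": [{"value": "4098"}]}]}}}}
"""


def code_name(code):
    return KNOWN_CODES.get(code, f"0x{code:x}")


def parse_netsetup(text):
    """Split NetSetup.log into {ts, func, msg, code} entries (code may be None)."""
    entries = []
    for raw in text.splitlines():
        m = NETSETUP_LINE.match(raw.rstrip())
        if not m:
            continue
        body = m.group("body").strip()
        code = int(m.group("code"), 16) if m.group("code") else None
        func = body.split(":")[0].split()[0]
        entries.append({"ts": m.group("ts"), "func": func, "msg": body, "code": code})
    return entries


def find_failing_step(text):
    """Entry where the final NetpDoDomainJoin status first appeared, or None on success."""
    entries = parse_netsetup(text)
    final = next((e for e in reversed(entries)
                  if e["func"] == "NetpDoDomainJoin" and e["code"] is not None), None)
    if final is None or final["code"] == 0:
        return None
    origin = next(e for e in entries if e["code"] == final["code"])
    return {**origin, "name": code_name(final["code"])}


def nonfatal_codes(text):
    """Non-zero codes that did not become the final status (name/secret probes, existing account)."""
    failing = find_failing_step(text)
    fatal = failing["code"] if failing else 0
    return sorted({e["code"] for e in parse_netsetup(text)
                   if e["code"] not in (None, 0, fatal)})


def decode_uac(value):
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_changes(text):
    """Pull dsdbChange JSON records out of a Samba log and decode any userAccountControl replace."""
    changes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("{"):
            continue
        rec = json.loads(line)
        if rec.get("type") != "dsdbChange":
            continue
        change = rec["dsdbChange"]
        flags = None
        uac = change.get("attributes", {}).get("userAccountControl")
        for action in (uac or {}).get("actions", []):
            if action["action"] == "replace":
                flags = decode_uac(int(action["values"][0]["value"]))
        changes.append({"timestamp": rec["timestamp"], "operation": change["operation"],
                        "dn": change["dn"], "remote": change["remoteAddress"],
                        "userAccountControl": flags})
    return changes


if __name__ == "__main__":
    step = find_failing_step(NETSETUP_SAMPLE)
    print(f"join failed at {step['func']} ({step['name']}): {step['msg']}")
    print("non-fatal codes:", [code_name(c) for c in nonfatal_codes(NETSETUP_SAMPLE)])
    for c in audit_changes(SAMBA_SAMPLE):
        print(f"{c['timestamp']} {c['operation']} {c['dn']} from {c['remote']}: UAC={c['userAccountControl']}")
```

Run as-is it reports the failure at NetpGetComputerObjectDn (ERROR_INTERNAL_ERROR) and shows the DC-side modify that set ACCOUNTDISABLE on the WORKSTATION_TRUST_ACCOUNT, which is the client's rollback, not an independent problem. To use it on a real capture, read NetSetup.log and the DC log into the two text arguments; the audit records only exist if dsdb_json_audit is enabled in log level, as it is in the smb.conf above.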