thr3ads.net - samba - [Samba] Failed to bind to uuid NT_STATUS_LOGON

If this information is useful, please help other people find it:
Share via:

Omnis ludis - games

2024-Jun-05 12:02 UTC

[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE

Good afternoon, tell me, this error occurs on the domain controller samba v
4.19.0, I paired the domain controller with sssd so that authentication
occurs under domain accounts on the domain controller, but as you know,
sssd changes the machine password every 30 days if this option is not
disabled
ad_maximum_machine_account_password_age = 0
I haven?t disabled it for 30 days and as I understand it, the password has
changed and when I call samba-tool drs showrepl the following error occurs
samba-tool drs showrepl -d 5
INFO: Current debug levels:
lpcfg_load: refreshing parameters from /opt/samba/etc/smb.conf
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc1.red-soft.biz[,seal]
Mapped to DCERPC endpoint 135
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.test.dom<0x20>
startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No
such file or directory
Mapped to DCERPC endpoint 49153
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.red-soft.biz<0x20>
startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No
such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 294
Received smb_krb5 packet of length 203
Failed to get kerberos credentials: kinit for DC1$@TEST.DOM failed
(Preauthentication failed)
Wrong username or password: kinit for DC1$@TEST.DOM failed
(Preauthentication failed)
gensec_update_done: gssapi_krb5[0x55d227285240]: NT_STATUS_LOGON_FAILURE
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating
NEG_TOKEN_INIT for ldap/DC1.TEST.DOM failed (next[ntlmssp]):
NT_STATUS_LOGON_FAILURE
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:10.81.0.250[49153,seal,target_hostname=dc1.test.dom,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.81.0.250]
NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
dc1.test.dom failed - drsException: DRS connection to dc1.test.dom failed:
(3221225581, 'The attempted logon is invalid. This is either due to a bad
username or authentication information.')
  File "samba/netcmd/drs.py", line 55, in
samba.netcmd.drs.drsuapi_connect
  File "samba/drs_utils.py", line 78, in
samba.drs_utils.drsuapi_connect


even if you can tell me the direction why this could happen, I will be
grateful, here is my samba config
# Global parameters
[global]
        netbios name = DC1
        realm = TEST.DOM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEST
        idmap_ldb:use rfc2307 = yes
        map acl inherit = yes
        allow dns updates = nonsecure
        dsdb:schema update allowed = true
        ldap server require strong auth = no
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = dedicated keytab


[sysvol]
        path = /opt/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /opt/samba/var/locks/sysvol/red-soft.biz/scripts
        read only = No

Christian Naumer

2024-Jun-05 12:15 UTC

head link

[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE

Hi there,
NEVER ever use sssd on a DC!!!!!! I did this once and sssd moved the DC 
from OU "Domain Controllers" to "Domain Computers". Even if
this did not
happen for you I still repeat "DO NOT DO THIS" Sorry for all the
captal
letters but this nearly broke my AD. I was lucky at the time that I had 
3 more DCs.
You can enable login to the DC with domain accounts without sssd. See here:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC


Regards


Christian

Am 05.06.24 um 14:02 schrieb Omnis ludis - games via
samba:> Good afternoon, tell me, this error occurs on the domain controller samba v
> 4.19.0, I paired the domain controller with sssd so that authentication
> occurs under domain accounts on the domain controller, but as you know,
> sssd changes the machine password every 30 days if this option is not
> disabled
> ad_maximum_machine_account_password_age = 0
> I haven?t disabled it for 30 days and as I understand it, the password has
> changed and when I call samba-tool drs showrepl the following error occurs
> samba-tool drs showrepl -d 5
> INFO: Current debug levels:
> lpcfg_load: refreshing parameters from /opt/samba/etc/smb.conf
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'ncalrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:dc1.red-soft.biz[,seal]
> Mapped to DCERPC endpoint 135
> added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> resolve_lmhosts: Attempting lmhosts lookup for name
dc1.test.dom<0x20>
> startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was
No
> such file or directory
> Mapped to DCERPC endpoint 49153
> added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> resolve_lmhosts: Attempting lmhosts lookup for name
dc1.red-soft.biz<0x20>
> startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was
No
> such file or directory
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Received smb_krb5 packet of length 294
> Received smb_krb5 packet of length 203
> Failed to get kerberos credentials: kinit for DC1$@TEST.DOM failed
> (Preauthentication failed)
> Wrong username or password: kinit for DC1$@TEST.DOM failed
> (Preauthentication failed)
> gensec_update_done: gssapi_krb5[0x55d227285240]: NT_STATUS_LOGON_FAILURE
> gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating
> NEG_TOKEN_INIT for ldap/DC1.TEST.DOM failed (next[ntlmssp]):
> NT_STATUS_LOGON_FAILURE
> Starting GENSEC submechanism ntlmssp
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_SEAL
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>    NTLMSSP_TARGET_TYPE_DOMAIN
>    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>    NTLMSSP_NEGOTIATE_TARGET_INFO
>    NTLMSSP_NEGOTIATE_VERSION
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_SEAL
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>    NTLMSSP_NEGOTIATE_VERSION
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_SEAL
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>    NTLMSSP_NEGOTIATE_VERSION
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>
ncacn_ip_tcp:10.81.0.250[49153,seal,target_hostname=dc1.test.dom,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.81.0.250]
> NT_STATUS_LOGON_FAILURE
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection
to
> dc1.test.dom failed - drsException: DRS connection to dc1.test.dom failed:
> (3221225581, 'The attempted logon is invalid. This is either due to a
bad
> username or authentication information.')
>    File "samba/netcmd/drs.py", line 55, in
samba.netcmd.drs.drsuapi_connect
>    File "samba/drs_utils.py", line 78, in
samba.drs_utils.drsuapi_connect
> 
> 
> even if you can tell me the direction why this could happen, I will be
> grateful, here is my samba config
> # Global parameters
> [global]
>          netbios name = DC1
>          realm = TEST.DOM
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = TEST
>          idmap_ldb:use rfc2307 = yes
>          map acl inherit = yes
>          allow dns updates = nonsecure
>          dsdb:schema update allowed = true
>          ldap server require strong auth = no
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = dedicated keytab
> 
> 
> [sysvol]
>          path = /opt/samba/var/locks/sysvol
>          read only = No
> 
> [netlogon]
>          path = /opt/samba/var/locks/sysvol/red-soft.biz/scripts
>          read only = No

Apparently Analagous Threads

Search for more apparently analagous threads

samba - Jun 2024 - Failed to bind to uuid NT_STATUS_LOGON_FAILURE

[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE

[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE

Apparently Analagous Threads