Omnis ludis - games
2024-Jun-05 12:02 UTC
[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE
Good afternoon. Tell me, this error occurs on the domain controller, Samba v4.19.0. I paired the domain controller with sssd so that authentication on the domain controller happens with domain accounts, but as you know, sssd changes the machine password every 30 days if this option is not disabled:

ad_maximum_machine_account_password_age = 0

I haven't disabled it for 30 days, and as I understand it the password has changed, and when I call samba-tool drs showrepl the following error occurs:

samba-tool drs showrepl -d 5
INFO: Current debug levels:
lpcfg_load: refreshing parameters from /opt/samba/etc/smb.conf
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc1.red-soft.biz[,seal]
Mapped to DCERPC endpoint 135
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.test.dom<0x20>
startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No such file or directory
Mapped to DCERPC endpoint 49153
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.red-soft.biz<0x20>
startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 294
Received smb_krb5 packet of length 203
Failed to get kerberos credentials: kinit for DC1$@TEST.DOM failed (Preauthentication failed)
Wrong username or password: kinit for DC1$@TEST.DOM failed (Preauthentication failed)
gensec_update_done: gssapi_krb5[0x55d227285240]: NT_STATUS_LOGON_FAILURE
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/DC1.TEST.DOM failed (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.81.0.250[49153,seal,target_hostname=dc1.test.dom,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.81.0.250] NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1.test.dom failed - drsException: DRS connection to dc1.test.dom failed: (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
  File "samba/netcmd/drs.py", line 55, in samba.netcmd.drs.drsuapi_connect
  File "samba/drs_utils.py", line 78, in samba.drs_utils.drsuapi_connect

Even if you can only point me in the direction of why this could happen, I will be grateful. Here is my samba config:

# Global parameters
[global]
        netbios name = DC1
        realm = TEST.DOM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEST
        idmap_ldb:use rfc2307 = yes
        map acl inherit = yes
        allow dns updates = nonsecure
        dsdb:schema update allowed = true
        ldap server require strong auth = no
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = dedicated keytab

[sysvol]
        path = /opt/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /opt/samba/var/locks/sysvol/red-soft.biz/scripts
        read only = No
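The poster's hypothesis is that sssd rotated the DC1$ password, so the machine credential samba-tool reads from secrets.ldb (see "ldb_wrap open of secrets.ldb" in the log) no longer matches the DC1$ account in the directory, which is why the Kerberos pre-authentication for DC1$@TEST.DOM fails. That can be checked without printing any secret: Samba bumps msDS-KeyVersionNumber in secrets.ldb only when it changes the password itself, while the account object in sam.ldb gets a new key version whenever anyone sets the password. The script below is an added example, not code from the thread or from the Samba project. It assumes the private directory is /opt/samba/private (the poster's prefix is /opt/samba), that ldbsearch is on PATH, and the sample ldbsearch output it embeds is constructed for an offline run; the function names are the example's own.

```shell
#!/bin/sh
# Added example: detect a DC machine-account key-version mismatch between
# Samba's own copy of the credential (secrets.ldb) and the account object
# in the directory (sam.ldb). If something other than Samba (e.g. sssd)
# rotates the DC1$ password, sam.ldb gets a new password and a bumped
# msDS-KeyVersionNumber while secrets.ldb keeps the old one; every bind
# samba-tool makes as DC1$ then fails with "Preauthentication failed".
#
# Assumptions (not stated in the thread): private dir /opt/samba/private,
# ldbsearch on PATH, run as root on the DC.

# Read msDS-KeyVersionNumber from ldbsearch(1) output on stdin.
# Prints the first value found, or nothing if the attribute is absent.
kvno_from_ldb() {
    sed -n 's/^msDS-KeyVersionNumber: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# compare_kvno SECRETS_KVNO SAM_KVNO
# Returns 0 if both agree, 1 on mismatch, 2 if either value is missing.
compare_kvno() {
    secrets_kvno="$1"
    sam_kvno="$2"
    if [ -z "$secrets_kvno" ] || [ -z "$sam_kvno" ]; then
        echo "could not read msDS-KeyVersionNumber from both databases" >&2
        return 2
    fi
    if [ "$secrets_kvno" = "$sam_kvno" ]; then
        echo "OK: secrets.ldb and sam.ldb agree on kvno $sam_kvno"
        return 0
    fi
    echo "MISMATCH: secrets.ldb kvno=$secrets_kvno, sam.ldb kvno=$sam_kvno"
    echo "  the machine password was changed outside Samba (sssd/adcli?)"
    return 1
}

# Live check on the DC: check_dc_account NETBIOSNAME [PRIVATE_DIR]
check_dc_account() {
    netbios="$1"
    private_dir="${2:-/opt/samba/private}"   # assumption, see above
    s=$(ldbsearch -H "$private_dir/secrets.ldb" \
            "(sAMAccountName=$netbios\$)" msDS-KeyVersionNumber | kvno_from_ldb)
    a=$(ldbsearch -H "$private_dir/sam.ldb" \
            "(sAMAccountName=$netbios\$)" msDS-KeyVersionNumber | kvno_from_ldb)
    compare_kvno "$s" "$a"
}

# Constructed sample output, shaped like ldbsearch(1), for an offline run.
SAMPLE_SECRETS='# record 1
dn: flatname=TEST,cn=Primary Domains
sAMAccountName: DC1$
msDS-KeyVersionNumber: 3

# returned 1 records
# 1 entries
# 0 referrals'

SAMPLE_SAM='# record 1
dn: CN=DC1,OU=Domain Controllers,DC=test,DC=dom
msDS-KeyVersionNumber: 4

# returned 1 records
# 1 entries
# 0 referrals'

# Offline demo on the constructed samples: reports a mismatch (exit 1).
demo() {
    s=$(printf '%s\n' "$SAMPLE_SECRETS" | kvno_from_ldb)
    a=$(printf '%s\n' "$SAMPLE_SAM" | kvno_from_ldb)
    compare_kvno "$s" "$a"
}

# ./check_dc_kvno.sh demo        -> run against the embedded samples
# ./check_dc_kvno.sh live DC1    -> query secrets.ldb and sam.ldb on the DC
if [ "${1:-}" = "live" ]; then
    check_dc_account "${2:-DC1}"
elif [ "${1:-}" = "demo" ]; then
    demo
fi
```

Comparing key versions rather than the credentials themselves keeps the cleartext machine password in secrets.ldb and the hashes in sam.ldb off the terminal and out of shell history; a mismatch is enough to confirm that the DC's stored credential is stale, which is exactly the failure the log shows at the gssapi_krb5 step.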
Christian Naumer
2024-Jun-05 12:15 UTC
[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE
Hi there,

NEVER ever use sssd on a DC!!!!!!

I did this once and sssd moved the DC from OU "Domain Controllers" to "Domain Computers". Even if this did not happen for you, I still repeat: "DO NOT DO THIS". Sorry for all the capital letters, but this nearly broke my AD. I was lucky at the time that I had 3 more DCs.

You can enable login to the DC with domain accounts without sssd. See here: https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Regards
Christian

On 05.06.24 at 14:02, Omnis ludis - games via samba wrote:
> Good afternoon, tell me, this error occurs on the domain controller samba v
> 4.19.0, I paired the domain controller with sssd so that authentication
> occurs under domain accounts on the domain controller, but as you know,
> sssd changes the machine password every 30 days if this option is not
> disabled
> ad_maximum_machine_account_password_age = 0
> I haven't disabled it for 30 days and as I understand it, the password has
> changed and when I call samba-tool drs showrepl the following error occurs
> [...]