[Samba] Win7 - Samba 3.5.4 trust relationship
Ivan H Dichev
idichev at csc.com
Fri Jul 1 03:03:43 MDT 2011
Hello all,
I guess that everyone knows the message "the trust relation between this
workstation and the primary domain failed" when joining Win7 into a samba
domain. Unfortunately, the same problem appeared a few hours/days after the
machine was successfully joined to the domain (with reg keys from
https://wiki.samba.org/index.php/Windows7) and the user was able to use it for
a while. Then at random intervals, when the user tries to log in again, he
sees the "trust" message and has to type his password 3-5 or more times
before a successful login.
The setup includes a PDC and a BDC, both running on RHEL (5.5 and 5.6) 64-bit
with samba 3.5.4-0.70.el5_6.1 + LDAP (fedora-ds) for user and computer
authentication. 20 x Win 7 machines and 500 x WinXP (XP has no problems).
I've read about similar symptoms when Win7 tries to change its machine
password every 30 days. Therefore some additional reg keys were added:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
"MaximumPasswordAge"=dword:1000000
and this didn't help. I've compared the machine password values on both
LDAP servers - they are the same and synchronization is working fine.
In the wild, some people report that this issue is fixed when the
"lmcompatibilitylevel" is limited to LM and NTLM authentication (NTLMv2 if
negotiated), but this didn't help either.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000001
As I understood from `man 5 smb.conf`, the default Samba behaviour when
nothing is specified for "client ntlmv2 auth", "client plaintext auth",
"lanman auth", "client lanman auth" and "ntlm auth" is to enable only
NTLMv1. Is that correct? Because all Win7s can authenticate even with
only NTLMv2 enabled?! (It is not the password cache ... I tried with a new
username which was never used on the workstation before.)
My log options in smb.conf are: log level = 0 auth:10 lanman:10
Here is the log when the user is experiencing the issue:
[2011/06/30 14:31:17.726884, 5] auth/auth_util.c:211(make_user_info_map)
Mapping user []\[] from workstation [TESTMACHINE]
[2011/06/30 14:31:17.726952, 5] auth/auth_util.c:232(make_user_info_map)
Mapped domain from [] to [DOMAIN] for user [] from workstation
[TESTMACHINE]
[2011/06/30 14:31:17.726978, 5] auth/auth_util.c:122(make_user_info)
attempting to make a user_info for ()
[2011/06/30 14:31:17.727000, 5] auth/auth_util.c:132(make_user_info)
making strings for 's user_info struct
[2011/06/30 14:31:17.727021, 5] auth/auth_util.c:164(make_user_info)
making blobs for 's user_info struct
[2011/06/30 14:31:17.727042, 10] auth/auth_util.c:182(make_user_info)
made an encrypted user_info for ()
[2011/06/30 14:31:17.727065, 3] auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[]\[]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:17.727090, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[]@[TESTMACHINE]
[2011/06/30 14:31:17.727111, 10] auth/auth.c:228(check_ntlm_password)
check_ntlm_password: auth_context challenge created by random
[2011/06/30 14:31:17.727132, 10] auth/auth.c:230(check_ntlm_password)
challenge is:
[2011/06/30 14:31:17.767852, 3] auth/auth.c:265(check_ntlm_password)
check_ntlm_password: guest authentication for user [] succeeded
[2011/06/30 14:31:17.767920, 5] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: guest authentication for user [] -> [] -> [nobody]
succeeded
[2011/06/30 14:31:17.767943, 5] auth/auth_util.c:2119(free_user_info)
attempting to free (and zero) a user_info structure
[2011/06/30 14:31:17.767965, 10] auth/auth_util.c:2123(free_user_info)
structure was created for
[2011/06/30 14:31:17.772407, 10] auth/auth_util.c:753(create_local_token)
Could not convert SID S-1-1-0 to gid, ignoring it
[2011/06/30 14:31:17.773632, 10] auth/auth_util.c:753(create_local_token)
Could not convert SID S-1-5-2 to gid, ignoring it
[2011/06/30 14:31:17.774822, 10] auth/auth_util.c:753(create_local_token)
Could not convert SID S-1-5-32-546 to gid, ignoring it
[2011/06/30 14:31:17.774906, 10]
auth/token_util.c:531(debug_nt_user_token)
NT user token of user S-1-5-21-3341649654-3636416974-85384702-501
contains 5 SIDs
SID[ 0]: S-1-5-21-3341649654-3636416974-85384702-501
SID[ 1]: S-1-1-0
SID[ 2]: S-1-5-2
SID[ 3]: S-1-5-32-546
SID[ 4]: S-1-22-1-99
SE_PRIV 0x0 0x0 0x0 0x0
[2011/06/30 14:31:17.774996, 10]
auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 99
Primary group is 99 and contains 0 supplementary groups
[2011/06/30 14:31:17.785859, 0]
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
auth request from client TESTMACHINE machine account TESTMACHINE$
[2011/06/30 14:31:25.321099, 5]
auth/auth.c:481(make_auth_context_subsystem)
Making default auth method list for DC, security=user, encrypt passwords
= yes
After a few tries we successfully log in:
[2011/06/30 14:31:25.322605, 10] auth/auth_util.c:182(make_user_info)
made an encrypted user_info for TESTMACHINE$ (TESTMACHINE$)
[2011/06/30 14:31:25.322626, 3] auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[DOMAIN]\[TESTMACHINE$]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:25.322651, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is:
[DOMAIN]\[TESTMACHINE$]@[TESTMACHINE]
[2011/06/30 14:31:25.322672, 10] auth/auth.c:228(check_ntlm_password)
check_ntlm_password: auth_context challenge created by NTLMSSP callback
(NTLM2)
[2011/06/30 14:31:25.322693, 10] auth/auth.c:230(check_ntlm_password)
challenge is:
[2011/06/30 14:31:25.322717, 10] auth/auth.c:256(check_ntlm_password)
check_ntlm_password: guest had nothing to say
[2011/06/30 14:31:25.327291, 4] auth/auth_sam.c:180(sam_account_ok)
sam_account_ok: Checking SMB password for user TESTMACHINE$
[2011/06/30 14:31:25.327439, 5] auth/auth_sam.c:162(logon_hours_ok)
logon_hours_ok: user TESTMACHINE$ allowed to logon at this time (Thu Jun
30 11:31:25 2011
)
[2011/06/30 14:31:25.382399, 5]
auth/auth_util.c:649(make_server_info_sam)
make_server_info_sam: made server info for user TESTMACHINE$ ->
TESTMACHINE$
[2011/06/30 14:31:25.382496, 3] auth/auth.c:265(check_ntlm_password)
check_ntlm_password: sam authentication for user [TESTMACHINE$]
succeeded
[2011/06/30 14:31:25.382541, 5] auth/auth.c:291(check_ntlm_password)
check_ntlm_password: PAM Account for user [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.382572, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [TESTMACHINE$] ->
[TESTMACHINE$] -> [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.382643, 5] auth/auth_util.c:2119(free_user_info)
attempting to free (and zero) a user_info structure
[2011/06/30 14:31:25.382665, 10] auth/auth_util.c:2123(free_user_info)
structure was created for TESTMACHINE$
[2011/06/30 14:31:25.386736, 10] auth/auth_util.c:753(create_local_token)
Could not convert SID S-1-1-0 to gid, ignoring it
[2011/06/30 14:31:25.387737, 10] auth/auth_util.c:753(create_local_token)
Could not convert SID S-1-5-2 to gid, ignoring it
[2011/06/30 14:31:25.388766, 10] auth/auth_util.c:753(create_local_token)
Could not convert SID S-1-5-11 to gid, ignoring it
[2011/06/30 14:31:25.388853, 10]
auth/token_util.c:531(debug_nt_user_token)
NT user token of user S-1-5-21-3341649654-3636416974-85384702-67110721
contains 7 SIDs
SID[ 0]: S-1-5-21-3341649654-3636416974-85384702-67110721
SID[ 1]: S-1-5-21-3341649654-3636416974-85384702-515
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-22-1-7016
SID[ 6]: S-1-22-2-515
SE_PRIV 0x0 0x0 0x0 0x0
[2011/06/30 14:31:25.388963, 10]
auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 7016
Primary group is 515 and contains 1 supplementary groups
Group[ 0]: 515
[2011/06/30 14:31:25.428362, 5]
auth/auth.c:481(make_auth_context_subsystem)
Making default auth method list for DC, security=user, encrypt passwords
= yes
[2011/06/30 14:31:25.428435, 5] auth/auth.c:383(load_auth_module)
load_auth_module: Attempting to find an auth method to match guest
[2011/06/30 14:31:25.428461, 5] auth/auth.c:408(load_auth_module)
load_auth_module: auth method guest has a valid init
[2011/06/30 14:31:25.428484, 5] auth/auth.c:383(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam
[2011/06/30 14:31:25.428506, 5] auth/auth.c:408(load_auth_module)
load_auth_module: auth method sam has a valid init
[2011/06/30 14:31:25.428527, 5] auth/auth.c:383(load_auth_module)
load_auth_module: Attempting to find an auth method to match
winbind:trustdomain
[2011/06/30 14:31:25.428549, 5] auth/auth.c:383(load_auth_module)
load_auth_module: Attempting to find an auth method to match trustdomain
[2011/06/30 14:31:25.428581, 5] auth/auth.c:408(load_auth_module)
load_auth_module: auth method trustdomain has a valid init
[2011/06/30 14:31:25.428602, 5] auth/auth.c:408(load_auth_module)
load_auth_module: auth method winbind has a valid init
[2011/06/30 14:31:25.428624, 5] auth/auth.c:97(get_ntlm_challenge)
auth_get_challenge: module guest did not want to specify a challenge
[2011/06/30 14:31:25.428645, 5] auth/auth.c:97(get_ntlm_challenge)
auth_get_challenge: module sam did not want to specify a challenge
[2011/06/30 14:31:25.428666, 5] auth/auth.c:97(get_ntlm_challenge)
auth_get_challenge: module winbind did not want to specify a challenge
[2011/06/30 14:31:25.428694, 5] auth/auth.c:132(get_ntlm_challenge)
auth_context challenge created by random
[2011/06/30 14:31:25.428717, 5] auth/auth.c:133(get_ntlm_challenge)
challenge is:
[2011/06/30 14:31:25.429072, 5] auth/auth_util.c:211(make_user_info_map)
Mapping user [DOMAIN]\[dichev] from workstation [TESTMACHINE]
[2011/06/30 14:31:25.429097, 5] auth/auth_util.c:122(make_user_info)
attempting to make a user_info for dichev (dichev)
[2011/06/30 14:31:25.429119, 5] auth/auth_util.c:132(make_user_info)
making strings for dichev's user_info struct
[2011/06/30 14:31:25.429141, 5] auth/auth_util.c:164(make_user_info)
making blobs for dichev's user_info struct
[2011/06/30 14:31:25.429162, 10] auth/auth_util.c:182(make_user_info)
made an encrypted user_info for dichev (dichev)
[2011/06/30 14:31:25.429184, 3] auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[DOMAIN]\[dichev]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:25.429209, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[dichev]@[TESTMACHINE]
[2011/06/30 14:31:25.429265, 10] auth/auth.c:228(check_ntlm_password)
check_ntlm_password: auth_context challenge created by random
[2011/06/30 14:31:25.429287, 10] auth/auth.c:230(check_ntlm_password)
challenge is:
[2011/06/30 14:31:25.429314, 10] auth/auth.c:256(check_ntlm_password)
check_ntlm_password: guest had nothing to say
[2011/06/30 14:31:25.431988, 4] auth/auth_sam.c:180(sam_account_ok)
sam_account_ok: Checking SMB password for user dichev
[2011/06/30 14:31:25.432048, 5] auth/auth_sam.c:162(logon_hours_ok)
logon_hours_ok: user dichev allowed to logon at this time (Thu Jun 30
11:31:25 2011)
[2011/06/30 14:31:25.438531, 5]
auth/auth_util.c:649(make_server_info_sam)
make_server_info_sam: made server info for user dichev -> dichev
[2011/06/30 14:31:25.438636, 3] auth/auth.c:265(check_ntlm_password)
check_ntlm_password: sam authentication for user [dichev] succeeded
[2011/06/30 14:31:25.438679, 5] auth/auth.c:291(check_ntlm_password)
check_ntlm_password: PAM Account for user [dichev] succeeded
[2011/06/30 14:31:25.438701, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [dichev] -> [dichev] ->
[dichev] succeeded
[2011/06/30 14:31:25.438726, 5] auth/auth_util.c:2119(free_user_info)
attempting to free (and zero) a user_info structure
[2011/06/30 14:31:25.438747, 10] auth/auth_util.c:2123(free_user_info)
It seems that in the first (the bad) request the machine does not report
the domain name and its machine name ... I don't know why.
All ideas appreciated!!
Thanks
Ivan Dichev
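An added example, not code from the original post or from the Samba project: a small Python parser for the two-line smbd DEBUG layout shown in the log above ("[timestamp, level] file:line(function)" followed by the indented message), with detection rules for the two records that matter for triage of this symptom. The sample lines are constructed to mirror the excerpt (same workstation and account names; they are not the poster's file), and the rule names and the per-workstation report layout are assumptions of this example. The record worth alerting on is the level-0 `_netr_ServerAuthenticate3: netlogon_creds_server_check failed` line: that check fails when the credential the client derived from its stored machine password does not match the one the DC derives from the password it holds for that account. The preceding `[]\[]` mapping that ends in "guest authentication for user [] succeeded" is an anonymous (null) session, which smbd's guest module accepts; it carries no domain or user name by design, so it is not itself the failure.

```python
"""Parse a Samba 3.x smbd auth debug log and flag Netlogon trust failures.

Added example; not code from the original post or from Samba. The log
lines below are constructed to mirror the excerpt in the post.
"""
import re
from collections import defaultdict

# Constructed sample (not the poster's actual file): one rejected Netlogon
# exchange followed by a successful machine-account and user logon.
SAMPLE_LOG = """\
[2011/06/30 14:31:17.726884, 5] auth/auth_util.c:211(make_user_info_map)
  Mapping user []\\[] from workstation [TESTMACHINE]
[2011/06/30 14:31:17.727065, 3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\\[]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:17.767852, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2011/06/30 14:31:17.785859, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
  auth request from client TESTMACHINE machine account TESTMACHINE$
[2011/06/30 14:31:25.322626, 3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\\[TESTMACHINE$]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:25.382496, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.429184, 3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\\[dichev]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:25.438636, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [dichev] succeeded
"""

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# "[DOMAIN]\[user]@[WORKSTATION]": an empty user is an anonymous (null) session.
CHECK_RE = re.compile(
    r"Checking password for unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]+)\]"
)
# Level-0 line: the DC could not verify the client's Netlogon credential.
REJECT_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request "
    r"from client (\S+) machine account (\S+\$)"
)


def parse_smbd_log(text):
    """Turn the two-line DEBUG layout into records; wrapped messages are joined."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {
                "ts": m["ts"], "level": int(m["level"]),
                "file": m["file"], "func": m["func"], "msg": "",
            }
            records.append(current)
        elif current is not None and raw.strip():
            # A message may span several lines (token dumps, long RPC errors);
            # glue continuation lines with a single space.
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records


def analyze(records):
    """Per-workstation counts of auth attempts plus any Netlogon rejects."""
    report = defaultdict(lambda: {
        "anonymous": 0, "machine_account": 0, "user": 0, "netlogon_rejects": [],
    })
    for r in records:
        m = CHECK_RE.search(r["msg"])
        if m:
            _domain, user, workstation = m.groups()
            if not user:
                report[workstation]["anonymous"] += 1
            elif user.endswith("$"):
                report[workstation]["machine_account"] += 1
            else:
                report[workstation]["user"] += 1
            continue
        m = REJECT_RE.search(r["msg"])
        if m:
            client, account = m.groups()
            report[client]["netlogon_rejects"].append((r["ts"], account))
    return dict(report)


def trust_failures(report):
    """Workstations whose machine account failed the Netlogon credential check,
    i.e. the secret the client holds and the one the DC holds no longer agree."""
    return sorted(ws for ws, s in report.items() if s["netlogon_rejects"])


if __name__ == "__main__":
    summary = analyze(parse_smbd_log(SAMPLE_LOG))
    for ws, s in sorted(summary.items()):
        print(f"{ws}: anonymous={s['anonymous']} machine={s['machine_account']} "
              f"user={s['user']} rejects={len(s['netlogon_rejects'])}")
    for ws in trust_failures(summary):
        ts, account = summary[ws]["netlogon_rejects"][0]
        print(f"TRUST FAILURE {ws}: {account} rejected at {ts}")
```

Run it against a real `log.smbd` (or `log.<workstation>`) captured with `log level = 0 auth:10`; the anonymous-to-guest mapping will appear for every Win7 client as a matter of course, so the count that distinguishes a broken machine from a healthy one is `netlogon_rejects`, and its timestamps are what to line up against the machine-password values held in LDAP on the PDC and BDC at that moment.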