[Samba] Login not possible / machine account issues
Izan Díez Sánchez
ids at empre.es
Tue Jul 5 08:33:07 UTC 2016
Some new info, in case someone can help me out. Every time this happens, the workstation seems to have refreshed its password, according to the pwdLastSet attribute. However, there must be an error in that communication, since it blocks any following login until the machine is rebooted.
Izan Díez Sánchez
ids at empre.es
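The hypothesis in this thread is that the workstation rotated its machine account password (visible as a fresh pwdLastSet) right before logons started failing. As an added example, not part of the thread and not Samba's own code, the script below tests exactly that: it converts pwdLastSet from the Windows FILETIME encoding AD uses, pulls the failed machine-account authentications out of Samba log text in the format quoted further down the thread, and reports, per account, whether the password changed within a short window before the first failure. Assumptions: the Samba log is written in UTC; the log lines and pwdLastSet values are constructed for the example (only the FILETIME 131110567801968850 is taken from the log excerpt in the thread).

```python
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# AD stores pwdLastSet and lastLogonTimestamp in this encoding.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


# Samba log entries are two lines: "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(func)"
# followed by the message. Timestamps are assumed to be UTC (assumption for this example).
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]")
FAILED_RE = re.compile(
    r"authentication for user \[(?P<domain>[^\\\]]+)\\(?P<account>[^\]]+)\] "
    r"FAILED with error (?P<status>NT_STATUS_[A-Z_]+)"
)


def machine_account_failures(log_text: str) -> list:
    """Return (timestamp, account, status) for each failed authentication of a
    machine account (sAMAccountName ending in '$') found in Samba log text."""
    results = []
    current_ts = None
    for line in log_text.splitlines():
        # Strip grep-style "log.samba-" / "log.samba:" prefixes as seen in the thread.
        line = re.sub(r"^log\.samba[-:]\s*", "", line)
        m = HEADER_RE.match(line)
        if m:
            current_ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current_ts = current_ts.replace(tzinfo=timezone.utc)
            continue
        m = FAILED_RE.search(line)
        if m and m.group("account").endswith("$") and current_ts is not None:
            results.append((current_ts, m.group("account"), m.group("status")))
    return results


def rotated_shortly_before(failures, pwd_last_set, window=timedelta(hours=1)) -> dict:
    """For each failing machine account, True if its pwdLastSet (FILETIME) lies within
    `window` before the first failure, False if not, None if no directory value is known.
    A True supports the 'password rotated, host and KDC now disagree' theory."""
    first_failure = {}
    for ts, acct, _status in failures:
        if acct not in first_failure or ts < first_failure[acct]:
            first_failure[acct] = ts
    verdict = {}
    for acct, ts in first_failure.items():
        if acct not in pwd_last_set:
            verdict[acct] = None
            continue
        changed = filetime_to_datetime(pwd_last_set[acct])
        verdict[acct] = ts - window <= changed <= ts
    return verdict


# Constructed sample log, modelled on the auth_check_password_recv lines quoted in the thread.
SAMPLE_LOG = """\
log.samba-[2015/03/28 14:48:58.156066, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\ws01$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
log.samba-[2015/03/28 14:48:58.160911, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\ws01$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
log.samba-[2015/03/28 14:49:02.001000, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\jdoe] FAILED with error NT_STATUS_WRONG_PASSWORD
log.samba-[2015/03/28 14:50:10.500000, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\ws02$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
"""

# Constructed pwdLastSet values: ws01$ rotated at 2015-03-28 14:30:00 UTC (19 minutes before
# its first failure), ws02$ rotated 20 days earlier.
SAMPLE_PWD_LAST_SET = {
    "ws01$": 130720266000000000,
    "ws02$": 130702986000000000,
}

if __name__ == "__main__":
    # The lastLogonTimestamp quoted in the thread decodes to 2016-06-22 08:13:00 UTC.
    print(filetime_to_datetime(131110567801968850).isoformat())
    found = machine_account_failures(SAMPLE_LOG)
    for verdict in rotated_shortly_before(found, SAMPLE_PWD_LAST_SET).items():
        print("%s: password rotated just before failure = %s" % verdict)
```

On a real DC the pwdLastSet value would come from the directory, for instance with `ldbsearch -H /usr/local/samba/private/sam.ldb '(sAMAccountName=ws01$)' pwdLastSet` (path taken from the install prefix in the smb.conf below; adjust to yours). A True verdict only says the rotation and the failure coincide; to prove the host and the KDC hold different keys you still need the client-side kvno and the msDS-KeyVersionNumber of the account.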
-----Original Message-----
From: Izan Díez Sánchez [mailto:ids at empre.es]
Sent: Friday, 24 June 2016 11:59
To: samba at lists.samba.org
Subject: Re: [Samba] Login not possible / machine account issues
Hi,
Did you find any solution?
I am facing exactly the same scenario.
-CentOS 6.7
-Samba Version 4.4.3
-BIND_DLZ 9.9.8
Some workstations are suddenly unable to log in unless I reboot them or rejoin them to the domain. The only odd event I see on the client is the one already mentioned:
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: workstation.sub.domain.tld
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "workstation$". The target name used was "WORKSTATION$". This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SUB.DOMAIN.TLD) is different from the client domain (SUB.DOMAIN.TLD), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Searching the logs, the domain controller is apparently granting the ticket:
[2016/06/24 10:35:23.082573, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ myuser at mydomain from ipv4:172.31.1.134:56661 for krbtgt/mydomain at mydomain
[2016/06/24 10:35:23.088584, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 128
[2016/06/24 10:35:23.088624, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- myuser at mydomain
[2016/06/24 10:35:23.088640, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- myuser at mydomain
[2016/06/24 10:35:23.088670, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- myuser at mydomain
[2016/06/24 10:35:23.089174, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/06/24 10:35:23.089214, 3] ../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/06/24 10:35:23.090052, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ myuser at mydomain from ipv4:199.99.9.199:56662 for krbtgt/mydomain at mydomain
[2016/06/24 10:35:23.095400, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2016/06/24 10:35:23.095437, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- myuser at mydomain
[2016/06/24 10:35:23.095467, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- myuser at mydomain
[2016/06/24 10:35:23.095526, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- myuser at mydomain using arcfour-hmac-md5
[2016/06/24 10:35:23.095557, 4] ../source4/auth/sam.c:182(authsam_account_ok)
authsam_account_ok: Checking SMB password for user myuser at mydomain
[2016/06/24 10:35:23.095719, 5] ../source4/auth/sam.c:116(logon_hours_ok)
logon_hours_ok: No hours restrictions for user myuser at mydomain
[2016/06/24 10:35:23.095774, 5] ../source4/auth/sam.c:820(authsam_logon_success_accounting)
lastLogonTimestamp is 131110567801968850
[2016/06/24 10:35:23.095937, 5] ../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
sync interval is 14
[2016/06/24 10:35:23.095973, 5] ../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
randomised sync interval is 12 (-2)
[2016/06/24 10:35:23.095993, 5] ../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
old timestamp is 131110567801968850, threshold 131101941230958000, diff 8626571010850
[2016/06/24 10:35:23.122089, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2016-06-24T10:35:23 starttime: unset endtime: 2016-06-24T20:35:23 renew till: 2016-07-01T10:35:23
[2016/06/24 10:35:23.122204, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
[2016/06/24 10:35:23.122242, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2016/06/24 10:35:23.122933, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/06/24 10:35:23.122968, 3] ../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/06/24 10:35:23.124716, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ myuser at MYDOMAIN.EA from ipv4:199.99.9.199:56663 for host/windows7machine.mydomain.ea at MYDOMAIN.EA [canonicalize, renewable, forwardable]
I've troubleshot DNS, and resolution is working fine for the domain controllers (including services) and for "windows7machine.mydomain.ea". It looks like the machine has renewed its Kerberos password and the domain controller (KDC) didn't notice, although that wouldn't match pure AD behaviour according to https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/
My kerberos configuration is as simple as:
[libdefaults]
default_realm = MYDOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
I'm not a Kerberos expert, and maybe something could be tuned in Active Directory to avoid this behaviour. It's hard to believe no one has experienced something similar.
Regards,
-----Original Message-----
From: Samba Maile [mailto:dominik.mailinglist at gmail.com]
Sent: Tuesday, 31 March 2015 13:18
To: samba at lists.samba.org
Subject: [Samba] Login not possible / machine account issues
Hi guys,
About one or two weeks ago I updated my Samba to v4.1.7, which might or might not be related to the problem at hand.
However, lately we've seen some issues with users not being able to log in to workstations (Win 7). Windows servers (2008 R2 and newer) were also affected.
Sometimes one or two reboots would solve the problem; on a few occasions I had to rejoin the computer account to the domain.
On the workstations and servers I can see this event log entry when the login problem occurs:
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: workstation.sub.domain.tld
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "workstation$". The target name used was "WORKSTATION$". This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name
(SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SUB.DOMAIN.TLD) is different from the client domain (SUB.DOMAIN.TLD), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Checking samba logs revealed this entry:
log.samba-[2015/03/28 14:48:58.156066, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\workstation$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
log.samba-[2015/03/28 14:48:58.160911, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\workstation$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
log.samba-[2015/03/28 14:48:58.298127, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
I'm not sure where to start debugging.
Setup:
DC-01 (Ubuntu 12.04 LTS)
DC-02 (Ubuntu 12.04 LTS)
Samba Version 4.1.17 (built from source) using BIND_DLZ 9.9.5 (Extended Support Version)
The domain was migrated from Samba 3 with a classic upgrade.
I'd love to hear any ideas or suggestions.
Thanks in advance.
Regards,
Dominik
## smb.conf
root at XXX-DC-01:~# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = DOMAIN
realm = sub.domain.tld
netbios name = XXX-DC-01
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
kccsrv:samba_kcc = false
tls enabled = yes
tls certfile = /usr/local/samba/private/tls/XXX-dc-01.pem
tls keyfile = /usr/local/samba/private/tls/XXX-dc-01-key_nopas.pem
tls cafile = /usr/local/samba/private/tls/cacert.pem
tls crlfile = /usr/local/samba/private/tls/domain-samba.crl
tls dhparams file = /usr/local/samba/private/tls/dcdhparams.pem
host msdfs = yes
log level = 2
syslog = 2
eventlog list = Application System Security SyslogLinux
[netlogon]
path = /usr/local/samba/var/locks/sysvol/biochem.dshs-koeln.de/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No