[Samba] winbindd authentication fails with NT_STATUS_RPC_SEC_PKG_ERROR intermittently

Rowland Penny rpenny at samba.org
Fri Jun 2 06:40:10 UTC 2023



On 01/06/2023 22:51, Bharath Bheemarasetti via samba wrote:
> Hi,
> I recently upgraded a smb server from Ubuntu 18.04 to Ubuntu 20.04 which
> required the Samba version to be upgraded from 4.7.6 to 4.15.13.
> Post the upgrade, winbind authentication fails
> with  NT_STATUS_RPC_SEC_PKG_ERROR intermittently. The error goes away on
> restarting the smb service but comes back after some time. There were no
> issues with the setup before the upgrade.
> Tried clearing the cached tdb files as well but the issue still comes back
> after some time.
> 
> Logs (replaced domain, username and workstation values):
> [2023/05/31 17:00:23.634152, 3]
> ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
> Got user=[<user>] domain=[<domain>] workstation=[<workstation>] len1=24
> len2=262
> [2023/05/31 17:00:23.634173, 5]
> ../../source3/auth/auth_util.c:123(make_user_info_map)
> Mapping user [<domain>]\[<user>] from workstation [<workstation>]
> [2023/05/31 17:00:23.634179, 5]
> ../../source3/auth/user_info.c:64(make_user_info)
> attempting to make a user_info for <user> (<user>)
> [2023/05/31 17:00:23.634184, 5]
> ../../source3/auth/user_info.c:72(make_user_info)
> making strings for <user>'s user_info struct
> [2023/05/31 17:00:23.634192, 5]
> ../../source3/auth/user_info.c:117(make_user_info)
> making blobs for <user>'s user_info struct
> [2023/05/31 17:00:23.634198, 3]
> ../../source3/auth/auth.c:200(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [<domain>]\[<user>]@[<workstation>] with the new password interface
> [2023/05/31 17:00:23.634204, 3]
> ../../source3/auth/auth.c:203(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: [<domain>]\[<user>]@[<workstation>]
> [2023/05/31 17:00:23.634209, 5] ../../lib/util/util.c:722(dump_data)
> [0000] F6 7D 2D B1 0B 86 57 D7 .}-...W.
> [2023/05/31 17:00:23.634224, 4]
> ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2023/05/31 17:00:23.634235, 4] ../../source3/smbd/uid.c:561(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2023/05/31 17:00:23.634240, 4]
> ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2023/05/31 17:00:23.634245, 5]
> ../../libcli/security/security_token.c:52(security_token_debug)
> Security token: (NULL)
> [2023/05/31 17:00:23.634249, 5]
> ../../source3/auth/token_util.c:873(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2023/05/31 17:00:23.639376, 4]
> ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2023/05/31 17:00:23.639388, 5]
> ../../source3/auth/auth.c:258(auth_check_ntlm_password)
> auth_check_ntlm_password: winbind authentication for user [<user>] FAILED
> with error NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1
> [2023/05/31 17:00:23.639406, 2]
> ../../source3/auth/auth.c:344(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [<user>] -> [<user>] FAILED
> with error NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1
> [2023/05/31 17:00:23.639427, 2]
> ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> Auth: [SMB2,(null)] user [<domain>]\[<user>] at [Wed, 31 May 2023
> 17:00:23.639416 UTC] with [NTLMv2] status [NT_STATUS_RPC_SEC_PKG_ERROR]
> workstation [<workstation>] remote host [ipv4:127.0.0.1:41710] mapped to
> [<domain>]\[<user>]. local host [ipv4:127.0.0.138:1445]
> {"timestamp": "2023-05-31T17:00:23.639487+0000", "type": "Authentication",
> "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625,
> "logonId": "0", "logonType": 3, "status": "NT_STATUS_RPC_SEC_PKG_ERROR",
> "localAddress": "ipv4:127.0.0.138:1445", "remoteAddress": "ipv4:
> 127.0.0.1:41710", "serviceDescription": "SMB2", "authDescription": null,
> "clientDomain": "<domain>", "clientAccount": "<user>", "workstation":
> "<workstation>", "becameAccount": null, "becameDomain": null, "becameSid":
> null, "mappedAccount": "<user>", "mappedDomain": "<domain>",
> "netlogonComputer": null, "netlogonTrustAccount": null,
> "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
> "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration":
> 6683}}
> [2023/05/31 17:00:23.639520, 5]
> ../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send)
> auth3_check_password_send: Checking NTLMSSP password for <domain>\<user>
> failed: NT_STATUS_RPC_SEC_PKG_ERROR, authoritative=1
> [2023/05/31 17:00:23.639533, 4]
> ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2023/05/31 17:00:23.639547, 5]
> ../../auth/ntlmssp/ntlmssp_server.c:813(ntlmssp_server_auth_done)
> ntlmssp_server_auth_done: Checking NTLMSSP password for <domain>\<user>
> failed: NT_STATUS_RPC_SEC_PKG_ERROR
> [2023/05/31 17:00:23.639556, 5]
> ../../auth/gensec/gensec.c:534(gensec_update_done)
> gensec_update_done: ntlmssp[0x55b8d9521400]: NT_STATUS_RPC_SEC_PKG_ERROR
> [2023/05/31 17:00:23.639564, 3]
> ../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenTarg_step)
> gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed:
> NT_STATUS_RPC_SEC_PKG_ERROR
> [2023/05/31 17:00:23.639571, 5]
> ../../auth/gensec/gensec.c:534(gensec_update_done)
> gensec_update_done: spnego[0x55b8d94e1fd0]: NT_STATUS_RPC_SEC_PKG_ERROR
> 
> 
> Below is the configuration:
> security = ads
> server role = member server
> auth methods = winbind
> idmap config * : backend = tdb
> idmap config * : range = 10000-24999999
> winbind enum users = yes
> winbind enum groups = yes
> usershare allow guests = no
> map untrusted to domain = Yes
> allow trusted domains = no

A couple of things are possible: from 4.8.0 winbind must be running, and your 
smb.conf is, to be blunt, rubbish. You need to set the workgroup, you 
need to have idmap config lines for the workgroup, the 'winbind enum' 
lines only slow things down and 'map untrusted to domain' has been removed.

It might help if you started by reading this wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and then follow one of the pages it links to.

Rowland
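
Added example, not part of the original message and not Samba project code: a small Python check that reads an smb.conf and reports the four configuration points raised in the reply above, run here against the settings quoted in the post. The `[global]` header, the function names and the wording of the findings are assumptions made for this illustration.

```python
import re

# The settings quoted in the post, placed under an assumed [global] header.
POSTED_CONF = """[global]
security = ads
server role = member server
auth methods = winbind
idmap config * : backend = tdb
idmap config * : range = 10000-24999999
winbind enum users = yes
winbind enum groups = yes
usershare allow guests = no
map untrusted to domain = Yes
allow trusted domains = no
"""

def parse_global(text):
    """Return {parameter name: value} for [global], with names lowercased
    and runs of whitespace collapsed so spelling variants compare equal."""
    params, section = {}, "global"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def lint_member_conf(text):
    """Return findings for the four smb.conf points raised in the reply."""
    p = parse_global(text)
    findings = []
    workgroup = p.get("workgroup", "").lower()
    if not workgroup:
        findings.append("workgroup is not set")
    # Domains that have their own idmap config lines ('*' is only the default).
    domains = {m.group(1) for name in p
               if (m := re.match(r"idmap config ([^\s:]+)\s*:", name))} - {"*"}
    if workgroup not in domains:
        findings.append("no idmap config lines for the workgroup")
    for name in ("winbind enum users", "winbind enum groups"):
        if p.get(name, "no").lower() in ("yes", "true", "1"):
            findings.append(f"'{name}' is enabled")
    if "map untrusted to domain" in p:
        findings.append("'map untrusted to domain' is set but has been removed")
    return findings
```

Calling `lint_member_conf(POSTED_CONF)` returns five findings for the posted settings; whether winbindd is actually running cannot be read from the file and has to be checked on the host.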


