[Samba] When accessing the User Properties only SIDs are shown instead of real name

Anantha Raghava raghav at exzatech.net
Fri Mar 22 17:05:08 UTC 2024


Hi,

Continuing our effort to get to the root of the problem cited, we 
noticed that Windows 10 PCs and Windows 2019 servers are throwing Netlogon 
failure Event ID 3210, Source Netlogon. Digging further, we noticed 
from the netlogon logs that access is being denied because of unmatching 
capabilities 0xc003000c. However, we do not see any error message in the 
Samba logs.

Samba log:

{"timestamp": ........, "type": "Authentication", "Authentication": 
{"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonType": 3, 
"status": "NT_STATUS_OK", "localAddress": "ipv4:172.16.202.175:49152", 
"remoteAddress": "ipv4:172.16.225.177:65013", "serviceDescription": 
"NETLOGON", "authDescription": "ServiceAuthenticate", "clientDomain": 
"KTKBANKLTD", "clientAccount": "ADMGT$", "workstation": null, 
"becameAccount": "ADMGT$", "becameDomain": "KTKBANKLTD", "becameSid": 
"S-1-5-21-2327230821-3654296898-2374465889-38655", "mappedAccount": 
"ADMGT$", "mappedDomain": null, "netlogonComputer": "ADMGT", 
"netlogonTrustAccount": "ADMGT$", "netlogonNegotiateFlags": 
"0x612FFFFF", "netlogonSecureChannelType": 2, 
"netlogonTrustAccountSid": 
"S-1-5-21-2327230821-3654296898-2374465889-38655", "passwordType": 
"HMAC-SHA256"}}

Windows Netlogon Log:

03/22 18:37:10 [LOGON] [44436]        Dom Sid: 
S-1-5-21-2327230821-3654296898-2374465889
03/22 18:37:10 [INIT] [44436] Starting RPC server.
03/22 18:37:10 [SESSION] [44436] KTKBANKLTD: NlSessionSetup: Try Session 
setup
03/22 18:37:10 [SESSION] [44436] KTKBANKLTD: NlDiscoverDc: Start 
Synchronous Discovery
03/22 18:37:10 [MISC] [1060] NetpDcInitializeContext: 
DSGETDC_VALID_FLAGS is c1fffff1
03/22 18:37:10 [MISC] [44436] NetpDcInitializeContext: 
DSGETDC_VALID_FLAGS is c1fffff1
03/22 18:37:10 [CRITICAL] [44436] NlCacheJoinDomainControllerInfo: 
Failed to open JoinDomain breadcrumb in registry; assuming
03/22 18:37:10 [CRITICAL] [44436] NlCacheJoinDomainControllerInfo:   
therefore that this is not a post-join scenario.
03/22 18:37:10 [CRITICAL] [44436] NetpDcGetName: 
NlCacheJoinDomainControllerInfo returned success
03/22 18:37:10 [MISC] [44436] NetpDcGetName: ktkbankltd.com. using 
cached information ( NlDcCacheEntry = 0x000001CC1CAF4620 )
03/22 18:37:10 [PERF] [44436] NlAllocateClientSession: New Perf Instance 
(000001CC1CB16488): "\\pdc.ktkbankltd.com"
     ClientSession: 000001CC1D0EE850
03/22 18:37:10 [SESSION] [44436] KTKBANKLTD: NlDiscoverDc: Found DC 
\\pdc.ktkbankltd.com
03/22 18:37:10 [MAILSLOT] [1060] NetpDcPingListIp: ktkbankltd.com: 
Sending UDP ping to 172.16.202.176
03/22 18:37:10 [MISC] [1060] NetpDcAllocateCacheEntry: new entry 
0x000001CC1D1932F0 -> DC:DC4 DnsDomName:ktkbankltd.com Flags:0x13fc
03/22 18:37:10 [CRITICAL] [1060] NetpDcMatchResponse: DC4: 
ktkbankltd.com: response not from a WinThreshold dc. 0x13fc
03/22 18:37:10 [MISC] [1060] NetpDcDerefCacheEntry: destroying entry 
0x000001CC1D1932F0
03/22 18:37:11 [SESSION] [44436] KTKBANKLTD: NlSessionSetup: Negotiated 
flags with server are 0x612fffff
03/22 18:37:11 [SESSION] [44436] KTKBANKLTD: NlSetStatusClientSession: 
Set connection status to 0
03/22 18:37:11 [SESSION] [44436] KTKBANKLTD: NlSessionSetup: negotiated 
612fffff flags rather than e12fffff
03/22 18:37:11 [MAILSLOT] [1060] NetpDcPingListIp: ktkbankltd.com: 
Sending UDP ping to 172.20.107.31
03/22 18:37:11 [CRITICAL] [44436] NlPrintRpcDebug: Dumping extended 
error for I_NetLogonGetCapabilities with 0xc003000c
03/22 18:37:11 [CRITICAL] [44436]  [0] ProcessID is 1116
03/22 18:37:11 [CRITICAL] [44436]  [0] System Time is: 3/22/2024 13:7:11:178
03/22 18:37:11 [CRITICAL] [44436]  [0] Generating component is 2
03/22 18:37:11 [CRITICAL] [44436]  [0] Status is 1783
03/22 18:37:11 [CRITICAL] [44436]  [0] Detection location is 1750
03/22 18:37:11 [CRITICAL] [44436]  [0] Flags is 0
03/22 18:37:11 [CRITICAL] [44436]  [0] NumberOfParameters is 1
03/22 18:37:11 [CRITICAL] [44436]      Long val: 1783
03/22 18:37:11 [CRITICAL] [44436] KTKBANKLTD: 
NlConfirmRequestedCapabilities: denying access after status: 0xc003000c
03/22 18:37:11 [SESSION] [44436] KTKBANKLTD: NlSessionSetup: denying 
access because of unmatching capabilities 0xC003000C
03/22 18:37:11 [MISC] [44436] Eventlog: 3210 (1) "KTKBANKLTD" 
"\\pdc.ktkbankltd.com" 2f8270f1 5bc8d5e7 34c3e164 6665df64 .p./...[d..4d.ef
03/22 18:37:11 [SESSION] [44436] KTKBANKLTD: NlSetStatusClientSession: 
Set connection status to c0000022
03/22 18:37:11 [SESSION] [44436] KTKBANKLTD: NlSetStatusClientSession: 
Unbind from server \\pdc.ktkbankltd.com (TCP) 0.
03/22 18:37:11 [SESSION] [44436] KTKBANKLTD: NlSessionSetup: Session 
setup Failed
03/22 18:37:11 [INIT] [44436] Started successfully

Netlogon is failing on a few selected Windows 2019 servers and Windows 10 
PCs. Is this resulting in the issue cited?

As I have checked, time is properly synchronised between DC and Members.

Thanks & Regards,

Anantha Raghava H A
Exza Technology Consulting & Services
Email: raghav at exzatech.net
URL: https://www.exzatech.net


Ndryve – A New Age Content Collaboration Workspace
*Your data intrinsically empowers its recipients, for good or bad.*

Try Ndryve at https://www.ndryve.net

Share your feedback, reviews, and ask your questions on Ndryve at our 
Forums <https://www.exzatech.net/forum/ndryve-2>

*Ndryve - Connect & Collaborate*


DISCLAIMER:
This e-mail communication and any attachments may be privileged and 
confidential to Exza Technology Consulting & Services, Bangalore, and 
are intended only for the use of the recipients named above. If you are 
not the addressee you may not copy, forward, disclose or use any part of 
it. If you have received this message in error, please delete it and all 
copies from your system and notify the sender immediately by return 
e-mail. Internet communications cannot be guaranteed to be timely, 
secure, error or virus-free. The sender does not accept liability for 
any errors or omissions.

Do not print this e-mail unless required. Save Paper & trees.
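The Netlogon log above records the client asking for flags e12fffff and the DC granting 612fffff, followed by a denial with status 0xc003000c. The following Python helper is an added example, not part of this thread or of Samba: it pulls the two flag words and the deny status out of Windows netlogon.log lines, reads the netlogonNegotiateFlags field from a Samba JSON authentication record, and names the bits that differ. The flag names are my assumptions taken from the MS-NRPC NegotiateFlags table as reflected in Samba's netlogon.idl; the sample log lines are constructed from the excerpts in this message.

```python
import json
import re

# Netlogon NegotiateFlags bits, named per MS-NRPC / Samba's netlogon.idl
# (assumed mapping; only the bits relevant to secure-channel crypto and
# authentication are named, every other set bit is reported by position).
NEGOTIATE_FLAG_NAMES = {
    0x00000004: "NETLOGON_NEG_ARCFOUR",
    0x00004000: "NETLOGON_NEG_STRONG_KEYS",
    0x01000000: "NETLOGON_NEG_SUPPORTS_AES",
    0x20000000: "NETLOGON_NEG_AUTHENTICATED_RPC_LSASS",
    0x40000000: "NETLOGON_NEG_AUTHENTICATED_RPC",
    0x80000000: "NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH",
}

# NT status codes that appear in the Windows log excerpt.
NT_STATUS_NAMES = {
    0xC003000C: "RPC_NT_BAD_STUB_DATA",
    0xC0000022: "STATUS_ACCESS_DENIED",
}

# Patterns for the two netlogon.log lines that matter here.
NEGOTIATED_RE = re.compile(
    r"NlSessionSetup: negotiated ([0-9a-fA-F]+) flags rather than ([0-9a-fA-F]+)")
DENY_RE = re.compile(r"denying access after status: 0x([0-9a-fA-F]+)")

# Constructed sample input: lines copied from the Windows log in this message.
SAMPLE_NETLOGON_LINES = [
    "03/22 18:37:11 [SESSION] [44436] KTKBANKLTD: NlSessionSetup: negotiated "
    "612fffff flags rather than e12fffff",
    "03/22 18:37:11 [CRITICAL] [44436] KTKBANKLTD: "
    "NlConfirmRequestedCapabilities: denying access after status: 0xc003000c",
    "03/22 18:37:11 [SESSION] [44436] KTKBANKLTD: NlSetStatusClientSession: "
    "Set connection status to c0000022",
]

# Constructed sample input: a trimmed Samba JSON authentication record with
# the same negotiate flags as the one shown above.
SAMPLE_SAMBA_LINE = json.dumps({
    "type": "Authentication",
    "Authentication": {
        "serviceDescription": "NETLOGON",
        "clientAccount": "ADMGT$",
        "netlogonNegotiateFlags": "0x612FFFFF",
        "netlogonSecureChannelType": 2,
    },
})


def parse_netlogon_log(lines):
    """Return (requested, negotiated, deny_status) from netlogon.log lines.

    Any value that does not appear in the lines is returned as None.
    """
    requested = negotiated = deny_status = None
    for line in lines:
        m = NEGOTIATED_RE.search(line)
        if m:
            negotiated, requested = int(m.group(1), 16), int(m.group(2), 16)
        m = DENY_RE.search(line)
        if m:
            deny_status = int(m.group(1), 16)
    return requested, negotiated, deny_status


def samba_negotiate_flags(json_line):
    """Negotiate flags the Samba DC logged for the secure channel."""
    auth = json.loads(json_line)["Authentication"]
    return int(auth["netlogonNegotiateFlags"], 16)


def describe_flags(value):
    """Names (or bit positions) for every bit set in a 32-bit flag word."""
    return [
        NEGOTIATE_FLAG_NAMES.get(1 << bit, f"bit {bit} (0x{1 << bit:08x})")
        for bit in range(32) if value & (1 << bit)
    ]


def flag_mismatch(requested, negotiated):
    """Bits the client asked for that the DC did not grant."""
    return describe_flags(requested & ~negotiated & 0xFFFFFFFF)


def status_name(code):
    return NT_STATUS_NAMES.get(code, f"0x{code:08X}")


def analyse(samba_line, netlogon_lines):
    """Correlate the two logs into one summary dict."""
    requested, negotiated, deny_status = parse_netlogon_log(netlogon_lines)
    return {
        "samba_matches_windows": samba_negotiate_flags(samba_line) == negotiated,
        "missing": flag_mismatch(requested, negotiated),
        "deny_status": status_name(deny_status),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_SAMBA_LINE, SAMPLE_NETLOGON_LINES))
```

Run against the excerpts, the single differing bit is 0x80000000, and 0xc003000c decodes to an RPC stub-data error on the I_NetLogonGetCapabilities call rather than an authentication failure, which is why the Samba side logs NT_STATUS_OK for the ServiceAuthenticate step while the member still reports Event ID 3210.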


On 22/03/24 5:39 pm, Anantha Raghava via samba wrote:
> Hi,
>
> In samba logs I see these entries.
>
> {"timestamp": "2024-03-22T17:00:13.553400+0530", "type": 
> "Authentication",
> "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624,
> "logonId": "d42e868adc3300ef", "logonType": 3, "status": "NT_STATUS_OK",
> "localAddress": null, "remoteAddress": "ipv4:172.16.202.22:41699",
> "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS
> Pre-authentication", "clientDomain": null, "clientAccount":
> "servicenow at ktkbankltd", "workstation": null, "becameAccount": 
> "Servicenow",
> "becameDomain": "KTKBANKLTD", "becameSid":
> "S-1-5-21-2327230821-3654296898-2374465889-86939", "mappedAccount":
> "Servicenow", "mappedDomain": "KTKBANKLTD", "netlogonComputer": null,
> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> "passwordType": "aes256-cts-hmac-sha1-96", "duration": 61502}}
>
> We are actually trying to add the user "ServiceNow" to the Local 
> Administrators group. Before adding, while selecting, it properly shows 
> the name and SID in (). However, the moment we apply, only the SID is 
> shown, not the friendly name.
>
> Thanks & Regards,
>
> Anantha Raghava H A
>
>
> On 22/03/24 3:42 pm, Anantha Raghava via samba wrote:
>> Hello Rowland,
>>
>> 1. We have always been using self-compiled Samba, not the binaries. In 
>> fact, when we started, we started on CentOS, and then, when CentOS 
>> became an upstream edition, we moved to RHEL but continued with self-
>> compiled Samba; we never moved to prebuilt binaries.
>>
>> 2. SSSD - We are not using sssd anywhere. We have many Linux Servers 
>> but those are not members of AD domain. Only the web applications 
>> running from Linux Servers are integrated with AD and other SSO 
>> layers for authentication. Whereas all Windows PCs and Windows 
>> Servers are members of AD Domain.
>>
>> 3. We discovered this issue when we started evaluation of "Service 
>> Now" for our asset management needs. Initially we were using PDQ 
>> Inventory which we had to discard since our security team disabled 
>> the ADMIN$ share. PDQ depended on ADMIN$ share for asset discovery. 
>> Service Now is able to discover most of the assets, but on Windows 
>> members we are observing the above issue, that particular member is 
>> not getting discovered and even the network shares are not working.
>>
>> 4. We are using samba internal DNS and all name resolutions are 
>> working properly - Forward and reverse both are working properly. No 
>> Issues.
>>
>> Do you think enabling the TCP/IP NetBIOS Helper service on Windows members 
>> will help? I have not really checked this.
>>
>> Thanks & Regards,
>>
>> Anantha Raghava H A
>>
>>
>> On 22/03/24 3:14 pm, Rowland Penny via samba wrote:
>>> On Thu, 21 Mar 2024 22:10:20 +0530
>>> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello Rowland
>>>>
>>>> Samba is running on RHEL 8.9 (subscribed edition)
>>> Then why are you not asking redhat ?
>>> I am not saying I will not try to help you, but I would have thought
>>> that redhat would have been your first port of call.
>>>
>>>> Domain is ktkbankltd.com and the work group is ktkbankltd. This is
>>>> the AD domain, not reachable from internet.
>>> fair enough
>>>
>>>> We have 5 servers named pdc.ktkbankltd.com, dc1.ktkbankltd.com,
>>>> dc2.ktkbankltd.com, dc3.ktkbankltd.com and dc4.ktkbankltd.com The
>>>> name PDC is just the name, unlike NT4 domain. These servers were
>>>> initially installed during 2016 and we started with Samba-AD 4.8, we
>>>> are upgrading the versions over a period and currently we are using
>>>> 4.18.1.
>>> Ah, light dawns, you are running RHEL in an unsupported (by redhat)
>>> way, which is why you are running a self compiled version of Samba.
>>>
>>>> WORKGROUP entered twice - Thanks for notifying.
>>> Are you also running sssd anywhere ?
>>>
>>>> Pattern for non-mapped SIDs - There is no specific pattern. It may be
>>>> user, or a group or a computer object. Interesting thing is, in most
>>>> of the members it appears properly, However, we cannot say which
>>>> member we face this problem. It appears randomly. Another important
>>>> point to note
>>>> - From the member which has this problem, when we try to access the
>>>> shares using <ip-address>/share, it fails to open. However, when we
>>>> access the same share using <hostname>/share, it works fine.
>>> Now that is strange, using the IP address means using RPC and using the
>>> hostname usually means using Kerberos, and RPC is usually the most
>>> reliable.
>>>
>>>> I confirm that we have not deleted any user or group or computer
>>>> object from AD which may result in this particular problem. To think
>>>> that this could be a DNS issue, it randomly appears in different
>>>> clients and not all.
>>> I take it that you are using the AD DCs as the dns servers for the AD
>>> domain.
>>>
>>> Rowland