Samba 3.0.25c and Samba 3.0.26a on AIX 5.3 - Windows Service Accounts & smbclient issues...

Lamar.Saxon at americredit.com
Thu Nov 29 16:45:09 GMT 2007


I posted this earlier on the regular samba mailing list with no
responses, so I am hoping someone can review this and see what might be
happening.  I have seen several posts similar to mine, so I am wondering
what might have changed.

Thanks !

Just the beginning of a question to anyone who might have experienced
the following issue with Samba 3.0.2[5-6] series and now the 3.0.27a
too.

We currently have service accounts accessing Samba shares on AIX 5.3
servers ( from TL04 - TL06 ).  Most of the processes access the shares
via UNC rather than mapped drives.  After completing the upgrade to
Samba 3.0.26a on the production side, the service accounts started
getting locked out of the domain due to invalid logins; but in most
instances we could connect to the share using the user ID and password
with no issues.  A roll back to Samba 3.0.24 fixed the issue.  Regular
users/accounts are having no issues mapping to shares and working as
normal.

We are using SECURITY = SERVER and specified a DC as the password
server.  From the global settings of the smb.conf:

[global]
        workgroup = AMERICREDIT
        server string = BCERPDB1 AIX SAMBA Server
        interfaces = 10.193.3.138/24
        bind interfaces only = Yes
        security = SERVER
        update encrypted = Yes
        password server = srvdcbnt01.acf.americredit.com
        username map = /usr/local/samba/var/users.map
        restrict anonymous = 2
        lanman auth = No
        ntlm auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log file = /usr/local/samba/var/log/log.%m
        max log size = 1024
        socket options =
        load printers = No
        wins server = 10.193.7.90
        ldap ssl = no
        socket address = 10.193.3.138
        admin users = mgipso1, tcato1, bhock1, amunoz1, lsaxon1
        create mask = 0664
        directory mask = 0775
        preserve case = No
        short preserve case = No
        delete veto files = Yes
        veto files = /*.eml/
        mangled names = No
        browseable = No
        restrict anonymous = 2

In the logs we see the following:

[2007/10/17 07:29:28, 1] auth/auth_server.c:check_smbserver_security(362)
  password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_LOGON_FAILURE
[2007/10/17 07:29:28, 0] lib/access.c:check_access(327)
  Denied connection from  (10.192.7.210)
[2007/10/17 07:29:28, 1] auth/auth_server.c:check_smbserver_security(362)
  password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_LOGON_FAILURE
[2007/10/17 07:29:34, 0] lib/access.c:check_access(327)
  Denied connection from  (10.192.7.210)
[2007/10/17 07:29:34, 1] auth/auth_server.c:check_smbserver_security(362)
  password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_LOGON_FAILURE
[2007/10/17 07:29:34, 0] lib/access.c:check_access(327)
  Denied connection from  (10.192.7.210)
[2007/10/17 07:29:34, 1] auth/auth_server.c:check_smbserver_security(362)
  password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_LOGON_FAILURE
[2007/10/17 07:29:43, 0] lib/access.c:check_access(327)
  Denied connection from  (10.192.7.210)
[2007/10/17 07:29:43, 1] auth/auth_server.c:check_smbserver_security(362)
  password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_LOGON_FAILURE
[2007/10/17 07:29:43, 0] lib/access.c:check_access(327)
  Denied connection from  (10.192.7.210)
[2007/10/17 07:29:43, 1] auth/auth_server.c:check_smbserver_security(362)
  password server SRVDCBNT01.ACF.AMERICREDIT.COM rejected the password: NT_STATUS_ACCOUNT_LOCKED_OUT

Also, on the same note after upgrading Samba to 3.0.26a; smbclient has
issues connecting to the same shares while 3.0.24 has none...  3.0.24
smbclient cannot connect to 3.0.26 servers nor can 3.0.26 smbclient
connect to 3.0.26 servers.

3.0.24 smbclient to 3.0.24 Samba Server:

root@bcerpdb1:/usr/local/samba/var/log:> /usr/local/samba/sbin/smbd -V
Version 3.0.24
root@bcerpdb1:/usr/local/samba/var/log:> /usr/local/samba/bin/smbclient -U lsaxon1 //aoccdw1/datarepos
Password: Domain=[AMERICREDIT] OS=[Unix] Server=[Samba 3.0.24]
smb: \> quit

3.0.24 smbclient to 3.0.26a Samba Server:

root@bcerpdb1:/usr/local/samba/var/log:> /usr/local/samba/bin/smbclient -U lsaxon1 //aoctoolbox/instimages
Password: session setup failed: NT_STATUS_LOGON_FAILURE
root@bcerpdb1:/usr/local/samba/var/log:>

With debug 5:

root@bcerpdb1:/usr/local/samba/var/log:> /usr/local/samba/bin/smbclient -d 5 -U lsaxon1 //aoctoolbox/instimages
INFO: Current debug levels:
  all: True/5
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = AMERICREDIT
doing parameter server string = BCERPDB1 AIX SAMBA Server
doing parameter interfaces = 10.193.3.138/24
doing parameter bind interfaces only = Yes
doing parameter security = SERVER
doing parameter update encrypted = Yes
doing parameter password server = srvdcbnt01.acf.americredit.com
doing parameter username map = /usr/local/samba/var/users.map
doing parameter restrict anonymous = 2
doing parameter lanman auth = No
doing parameter ntlm auth = No
doing parameter client NTLMv2 auth = Yes
doing parameter client lanman auth = No
doing parameter client plaintext auth = No
doing parameter log file = /usr/local/samba/var/log/log.%m
doing parameter max log size = 1024
doing parameter socket options =
doing parameter load printers = No
doing parameter wins server = 10.193.7.90
doing parameter ldap ssl = no
doing parameter socket address = 10.193.3.138
doing parameter admin users = mgipso1, tcato1, bhock1, amunoz1, lsaxon1
doing parameter create mask = 0664
doing parameter directory mask = 0775
doing parameter preserve case = No
doing parameter short preserve case = No
doing parameter delete veto files = Yes
doing parameter veto files = /*.eml/
doing parameter mangled names = No
doing parameter browseable = No
doing parameter restrict anonymous = 2
pm_process() returned Yes
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'ISO8859-1' for LOCALE
added interface ip=10.193.3.138 bcast=10.193.3.255 nmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="BCERPDB1"
Client started (version 3.0.24).
Opening cache file at /usr/local/samba/var/locks/gencache.tdb
name aoctoolbox#20 found.
Connecting to 10.253.148.11 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 0
socket option TCP_KEEPCNT = 8
socket option TCP_KEEPIDLE = 360
socket option TCP_KEEPINTVL = 75
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_REUSEPORT = 0
socket option SO_SNDBUF = 262088
socket option SO_RCVBUF = 130320
socket option SO_SNDLOWAT = 16383
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
 session request ok
size=127
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=36418
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]=    7 (0x7)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]=  256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]=   65 (0x41)
smb_vwv[ 5]=    0 (0x0)
smb_vwv[ 6]=  256 (0x100)
smb_vwv[ 7]= 9216 (0x2400)
smb_vwv[ 8]=  108 (0x6C)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]=33011 (0x80F3)
smb_vwv[11]=  128 (0x80)
smb_vwv[12]=49166 (0xC00E)
smb_vwv[13]= 5095 (0x13E7)
smb_vwv[14]=51223 (0xC817)
smb_vwv[15]=11265 (0x2C01)
smb_vwv[16]=    1 (0x1)
smb_bcc=58
Password: Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
size=346
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=36418
smb_uid=100
smb_mid=2
smt_wct=4
smb_vwv[ 0]=  255 (0xFF)
smb_vwv[ 1]=    0 (0x0)
smb_vwv[ 2]=    0 (0x0)
smb_vwv[ 3]=  241 (0xF1)
smb_bcc=303
Got challenge flags:
Got NTLMSSP neg_flags=0x60820215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_CHAL_ACCEPT_RESPONSE
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60000215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60000215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - using NTLM1
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=36418
smb_uid=100
smb_mid=3
smt_wct=0
smb_bcc=0
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

3.0.26a smbclient to Samba 3.0.24 server is okay:

lsaxon1@aoctoolbox:/home/lsaxon1:> /usr/local/samba/sbin/smbd -V
Version 3.0.26a
lsaxon1@aoctoolbox:/home/lsaxon1:> /usr/local/samba/bin/smbclient -U lsaxon1 //aoccdw1/datarepos
Password:
Domain=[AMERICREDIT] OS=[Unix] Server=[Samba 3.0.24]
smb: \>

3.0.26a smbclient to Samba 3.0.26a server does not work:

lsaxon1@aoctoolbox:/home/lsaxon1:> /usr/local/samba/bin/smbclient -U lsaxon1 //aoctoolbox/instimages
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
lsaxon1@aoctoolbox:/home/lsaxon1:>

with basically the same messages in the debug log from the other
attempt.

I will assist in any way to help resolve this issue or configuration
problem.  Just wondering if anyone else might be experiencing these
issues.  Due to security concerns with 3.0.24, I was hoping to complete
the upgrade to 3.0.26a.

Thanks,
Lamar
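
Added example (not part of the original post, and not Samba project code): a small parser for the smbd log format quoted above that counts the password-server rejections leading up to each NT_STATUS_ACCOUNT_LOCKED_OUT and how quickly the lockout followed. The sample log, host name and IP are constructed placeholders; treating the "Denied connection" entries in the same file as belonging to the same client is an assumption based on the per-client `log file = .../log.%m` setting.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in the post (placeholder host and
# IP); the second rejection is line-wrapped the way the mail client wrapped it.
SAMPLE = """\
[2007/10/17 07:29:28, 1] auth/auth_server.c:check_smbserver_security(362)
  password server DC1.EXAMPLE.TEST rejected the password: NT_STATUS_LOGON_FAILURE
[2007/10/17 07:29:28, 0] lib/access.c:check_access(327)
  Denied connection from  (192.0.2.10)
[2007/10/17 07:29:34, 1]
auth/auth_server.c:check_smbserver_security(362)
  password server DC1.EXAMPLE.TEST rejected the password:
NT_STATUS_LOGON_FAILURE
[2007/10/17 07:29:43, 1] auth/auth_server.c:check_smbserver_security(362)
  password server DC1.EXAMPLE.TEST rejected the password: NT_STATUS_ACCOUNT_LOCKED_OUT
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\]\s*(.*)$")
REJECT = re.compile(r"password server (\S+) rejected the password:\s*(NT_STATUS_\w+)")
DENIED = re.compile(r"Denied connection from\s+\S*\s*\(([\d.]+)\)")

def parse_entries(text):
    """Return [(timestamp, message)]; non-header lines fold into the current entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([ts, m.group(2)])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return [tuple(e) for e in entries]

def lockout_runs(text, window=timedelta(minutes=5)):
    """One dict per ACCOUNT_LOCKED_OUT: the rejections that led up to it."""
    failures, clients, runs = [], set(), []
    for ts, msg in parse_entries(text):
        clients.update(DENIED.findall(msg))
        m = REJECT.search(msg)
        if m and m.group(2) == "NT_STATUS_LOGON_FAILURE":
            failures.append(ts)
        elif m and m.group(2) == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            recent = [t for t in failures if ts - t <= window]
            runs.append({"password_server": m.group(1), "failures": len(recent),
                         "seconds_to_lockout": (ts - recent[0]).total_seconds() if recent else None,
                         "locked_out_at": ts, "denied_clients": sorted(clients)})
            failures, clients = [], set()
    return runs
```

Calling `lockout_runs()` on the contents of a per-client log file returns one record per lockout, which can be compared against the domain's lockout threshold and observation window.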