[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel
Stefan (metze) Metzmacher
metze at samba.org
Mon Dec 2 11:07:32 MST 2013
Hi Garming,
> Decided to try running net rpc join to a DC running the last version of
> Samba 3.5, 3.5.22. With Samba 4.1 and master, I got the following
> message indicating a successful join.
>
> 4.1 and similarly master:
>
> netr_LogonGetCapabilities: struct netr_LogonGetCapabilities
> out: struct netr_LogonGetCapabilities
> return_authenticator : *
> return_authenticator: struct netr_Authenticator
> cred: struct netr_Credential
> data : 0000000000000000
> timestamp : (time_t)0
> capabilities : *
> capabilities : union netr_Capabilities(case 1)
> server_capabilities : 0x00000000 (0)
> 0: NETLOGON_NEG_ACCOUNT_LOCKOUT
> 0: NETLOGON_NEG_PERSISTENT_SAMREPL
> 0: NETLOGON_NEG_ARCFOUR
> 0: NETLOGON_NEG_PROMOTION_COUNT
> 0: NETLOGON_NEG_CHANGELOG_BDC
> 0: NETLOGON_NEG_FULL_SYNC_REPL
> 0: NETLOGON_NEG_MULTIPLE_SIDS
> 0: NETLOGON_NEG_REDO
> 0: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
> 0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
> 0: NETLOGON_NEG_GENERIC_PASSTHROUGH
> 0: NETLOGON_NEG_CONCURRENT_RPC
> 0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
> 0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
> 0: NETLOGON_NEG_STRONG_KEYS
> 0: NETLOGON_NEG_TRANSITIVE_TRUSTS
> 0: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
> 0: NETLOGON_NEG_PASSWORD_SET2
> 0: NETLOGON_NEG_GETDOMAININFO
> 0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
> 0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
> 0: NETLOGON_NEG_RODC_PASSTHROUGH
> 0: NETLOGON_NEG_SUPPORTS_AES_SHA2
> 0: NETLOGON_NEG_SUPPORTS_AES
> 0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
> 0: NETLOGON_NEG_AUTHENTICATED_RPC
> result : NT_STATUS_NOT_IMPLEMENTED
> We are checking against an old Samba version - NT_STATUS_NOT_IMPLEMENTED
> cli_rpc_pipe_open_schannel_with_key: opened pipe \netlogon to machine
> 192.168.122.249 for domain S3 and bound using schannel.
> Joined domain S3.
> return code = 0
>
> However, on the new branch, the join appears to fail.
>
> Failure message on your branch:
> garming at garming-pc:~/samba$ sudo bin/net rpc join -S 192.168.122.249 -Uroot%password12# -d1
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> in: struct libnet_JoinCtx
> dc_name : '192.168.122.249'
> machine_name : 'GARMING-PC'
> domain_name : *
> domain_name : 'S3'
> account_ou : NULL
> admin_account : ''
> admin_domain : NULL
> machine_password : NULL
> join_flags : 0x000000c1 (193)
> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> 1: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> 1: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> 0: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> os_version : NULL
> os_name : NULL
> create_upn : 0x00 (0)
> upn : NULL
> modify_config : 0x00 (0)
> ads : NULL
> debug : 0x01 (1)
> use_kerberos : 0x00 (0)
> secure_channel_type : SEC_CHAN_WKSTA (2)
> ../source3/rpc_client/cli_pipe.c:471: RPC fault code
> DCERPC_NCA_S_OP_RNG_ERROR received from host 192.168.122.249!
> No realm has been specified! Do you really want to join an Active
> Directory server?
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'S3'
> dns_domain_name : NULL
> forest_name : NULL
> dn : NULL
> domain_sid : *
> domain_sid :
> S-1-5-21-1592316062-3819178106-2819773400
> modified_config : 0x00 (0)
> error_string : 'failed to join domain 'S3' over
> rpc: Access denied'
> domain_is_ad : 0x00 (0)
> result : WERR_ACCESS_DENIED
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> in: struct libnet_JoinCtx
> dc_name : '192.168.122.249'
> machine_name : 'GARMING-PC'
> domain_name : *
> domain_name : 'S3'
> account_ou : NULL
> admin_account : 'root'
> admin_domain : NULL
> machine_password : NULL
> join_flags : 0x00000023 (35)
> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> os_version : NULL
> os_name : NULL
> create_upn : 0x00 (0)
> upn : NULL
> modify_config : 0x00 (0)
> ads : NULL
> debug : 0x01 (1)
> use_kerberos : 0x00 (0)
> secure_channel_type : SEC_CHAN_WKSTA (2)
> ../source3/rpc_client/cli_pipe.c:471: RPC fault code
> DCERPC_NCA_S_OP_RNG_ERROR received from host 192.168.122.249!
> No realm has been specified! Do you really want to join an Active
> Directory server?
> netlogon_creds_cli_check failed with NT_STATUS_NOT_IMPLEMENTED
> libnet_join_ok: failed to open schannel session on netlogon pipe to
> server 192.168.122.249 for domain S3. Error was NT_STATUS_NOT_IMPLEMENTED
> libnet_Unjoin:
> libnet_UnjoinCtx: struct libnet_UnjoinCtx
> in: struct libnet_UnjoinCtx
> dc_name : '192.168.122.249'
> machine_name : 'GARMING-PC'
> domain_name : 'S3'
> account_ou : NULL
> admin_account : 'root'
> admin_domain : NULL
> machine_password : NULL
> unjoin_flags : 0x00000005 (5)
> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> 0: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> delete_machine_account : 0x00 (0)
> modify_config : 0x00 (0)
> domain_sid : NULL
> domain_sid : (NULL SID)
> ads : NULL
> debug : 0x01 (1)
> use_kerberos : 0x00 (0)
> libnet_Unjoin:
> libnet_UnjoinCtx: struct libnet_UnjoinCtx
> out: struct libnet_UnjoinCtx
> netbios_domain_name : NULL
> dns_domain_name : NULL
> forest_name : NULL
> modified_config : 0x00 (0)
> error_string : NULL
> disabled_machine_account : 0x01 (1)
> deleted_machine_account : 0x00 (0)
> result : WERR_OK
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'S3'
> dns_domain_name : NULL
> forest_name : NULL
> dn : NULL
> domain_sid : *
> domain_sid :
> S-1-5-21-1592316062-3819178106-2819773400
> modified_config : 0x00 (0)
> error_string : 'failed to verify domain
> membership after joining: Not implemented'
> domain_is_ad : 0x00 (0)
> result : WERR_SETUP_NOT_JOINED
> Failed to join domain: failed to verify domain membership after joining:
> Not implemented
>
> return code = -1
>
> I ran a git bisect and found the culprit.
>
> + sudo bin/net rpc join -S 192.168.122.249 -Uroot%password12#
> No realm has been specified! Do you really want to join an Active
> Directory server?
> netlogon_creds_cli_ServerPasswordSet failed:
> NT_STATUS_INVALID_PARAMETER_MIX
> No realm has been specified! Do you really want to join an Active
> Directory server?
> netlogon_creds_cli_check failed with NT_STATUS_NOT_IMPLEMENTED
> libnet_join_ok: failed to open schannel session on netlogon pipe to
> server 192.168.122.249 for domain S3. Error was NT_STATUS_NOT_IMPLEMENTED
> Failed to join domain: failed to verify domain membership after joining:
> Not implemented
> + exit 1
> 7b77662322f741b8fe1d9e408073def55de6ff83 is the first bad commit
> commit 7b77662322f741b8fe1d9e408073def55de6ff83
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Sat Jul 27 11:30:13 2013 +0200
>
> s3:rpc_client: make use of the new netlogon_creds_cli_context
>
> This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
> and lets the secure channel session state be stored in node local
> database.
>
> This is the proper fix for a large number of bugs:
> https://bugzilla.samba.org/show_bug.cgi?id=6563
> https://bugzilla.samba.org/show_bug.cgi?id=7944
> https://bugzilla.samba.org/show_bug.cgi?id=7945
> https://bugzilla.samba.org/show_bug.cgi?id=7568
> https://bugzilla.samba.org/show_bug.cgi?id=8599
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>
> :040000 040000 0c7c4c5bd36a69aa6acf9afbbdc5e9c7c181b58b
> b6081aa2e5cf4e49d6eadc82e404e7c8bd53a1d8 M source3
> bisect run success
>
> From the commit message, it doesn't seem that this was expected. If it
> is though, we should probably note it down somewhere. In any case, I
> just wanted to let you know.
Thanks for finding that, it looks like a bug.
metze
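The report comes down to how a client treats NT_STATUS_NOT_IMPLEMENTED (here arriving as the RPC fault DCERPC_NCA_S_OP_RNG_ERROR) from netr_LogonGetCapabilities: the 4.1 path tolerated it as "old Samba version", the new netlogon_creds_cli_check path does not. The following stand-alone model of that decision is an added illustration, not Samba's code; the status and flag constants are defined locally and the allow_legacy policy knob is hypothetical. It keeps the legacy fallback for a pre-capabilities DC such as the 3.5 one in the report, but refuses it when the flags we negotiated make "not implemented" implausible.

```c
#include <stdint.h>
#include <stdbool.h>

/* Values as published in MS-NRPC / MS-ERREF, defined locally so the model
 * builds without Samba headers. */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK                 0x00000000u
#define NT_STATUS_NOT_IMPLEMENTED    0xC0000002u

#define NETLOGON_NEG_ARCFOUR         0x00000004u
#define NETLOGON_NEG_STRONG_KEYS     0x00004000u
#define NETLOGON_NEG_SUPPORTS_AES    0x01000000u

enum caps_verdict {
	CAPS_OK,            /* server confirmed the flags we negotiated */
	CAPS_LEGACY_SERVER, /* pre-capabilities server tolerated (the 3.5 case) */
	CAPS_DOWNGRADE,     /* flags disagree, or NOT_IMPLEMENTED is implausible */
	CAPS_RPC_ERROR      /* any other failure of the call */
};

/*
 * negotiated:   flags agreed during ServerAuthenticate3.
 * status/caps:  result and server_capabilities of netr_LogonGetCapabilities;
 *               an unknown-opnum fault (DCERPC_NCA_S_OP_RNG_ERROR) is assumed
 *               to have been mapped to NT_STATUS_NOT_IMPLEMENTED by the caller.
 * allow_legacy: hypothetical site policy; false turns every NOT_IMPLEMENTED
 *               into a hard failure.
 */
enum caps_verdict verify_capabilities(uint32_t negotiated, NTSTATUS status,
				      uint32_t server_caps, bool allow_legacy)
{
	if (status == NT_STATUS_NOT_IMPLEMENTED) {
		/* AES support and LogonGetCapabilities were introduced together,
		 * so a peer that negotiated AES yet "does not implement" the
		 * capabilities call is inconsistent: treat it as a downgrade. */
		if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
			return CAPS_DOWNGRADE;
		}
		return allow_legacy ? CAPS_LEGACY_SERVER : CAPS_DOWNGRADE;
	}
	if (status != NT_STATUS_OK) {
		return CAPS_RPC_ERROR;
	}
	/* The server's view of the negotiated flags must match ours exactly. */
	if (server_caps != negotiated) {
		return CAPS_DOWNGRADE;
	}
	return CAPS_OK;
}
```

With allow_legacy set to false the 3.5 join in the report fails by policy rather than by accident, which is the trade-off the fallback has to make explicit.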