Samba migrate from ver 4.11.11 to 4.12.5

admin at prawda.net.pl admin at prawda.net.pl
Tue Jul 28 06:23:27 UTC 2020


Hi

I have a problem migrating my Samba AD.

My OS is Debian 10.

I want to connect Win10.

In Samba ver 4.11.11 all is OK; when I update to 4.12.0 I have a problem when
I try to use Active Directory Users and Computers.

In the Debian logs I see:

[2020/07/27 14:57:53.200458,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: ENC-TS Pre-authentication succeeded -- administrator at PRAWDA
using aes256-cts-hmac-sha1-96

[2020/07/27 14:57:53.200592,  3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)

  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[administrator at PRAWDA] at [Mon, 27 Jul 2020 14:57:53.200552 CEST]
with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)]
remote host [ipv4:192.168.0.123:60625] became [PRAWDA]\[Administrator]
[S-1-5-21-3478243395-2611530980-3289595817-500]. local host [NULL] 

  {"timestamp": "2020-07-27T14:57:53.200820+0200", "type": "Authentication",
"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624,
"logonId": "80a1f72710dff3cc", "logonType": 3, "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress": "ipv4:192.168.0.123:60625",
"serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null, "clientAccount":
"administrator at PRAWDA", "workstation": null, "becameAccount":
"Administrator", "becameDomain": "PRAWDA", "becameSid":
"S-1-5-21-3478243395-2611530980-3289595817-500", "mappedAccount":
"Administrator", "mappedDomain": "PRAWDA", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "aes256-cts-hmac-sha1-96", "duration": 10843}}

[2020/07/27 14:57:53.201082,  4]
../../source4/auth/sam.c:200(authsam_account_ok)

  authsam_account_ok: Checking SMB password for user administrator at PRAWDA

[2020/07/27 14:57:53.254054,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: AS-REQ authtime: 2020-07-27T14:57:53 starttime: unset endtime:
2020-07-28T00:57:53 renew till: 2020-08-03T14:57:53

[2020/07/27 14:57:53.254252,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
aes256-cts-hmac-sha1-96/arcfour-hmac-md5

[2020/07/27 14:57:53.254296,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
forwardable

[2020/07/27 14:57:53.256871,  3]
../../source4/smbd/service_stream.c:67(stream_terminate_connection)

  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

[2020/07/27 14:57:53.262343,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: TGS-REQ Administrator at PRAWDA.LOCAL from
ipv4:192.168.0.123:60626 for
host/komp1.prawda.local at PRAWDA.LOCAL [canonicalize, renewable, forwardable]

[2020/07/27 14:57:53.287114,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: TGS-REQ authtime: 2020-07-27T14:57:53 starttime:
2020-07-27T14:57:53 endtime: 2020-07-28T00:57:53 renew till:
2020-08-03T14:57:53

[2020/07/27 14:57:53.290494,  3]
../../source4/smbd/service_stream.c:67(stream_terminate_connection)

  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

[2020/07/27 14:58:04.084116,  3]
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)

  ldb_wrap open of secrets.ldb

[2020/07/27 14:58:04.099849,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: AS-REQ administrator at PRAWDA.LOCAL from
ipv4:192.168.0.123:60629 for krbtgt/PRAWDA.LOCAL at PRAWDA.LOCAL

[2020/07/27 14:58:04.107501,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Client sent patypes: 128

[2020/07/27 14:58:04.107549,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Looking for PKINIT pa-data -- administrator at PRAWDA.LOCAL

[2020/07/27 14:58:04.107579,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Looking for ENC-TS pa-data -- administrator at PRAWDA.LOCAL

[2020/07/27 14:58:04.107631,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: No preauth found, returning PREAUTH-REQUIRED --
administrator at PRAWDA.LOCAL

[2020/07/27 14:58:04.109805,  3]
../../source4/smbd/service_stream.c:67(stream_terminate_connection)

  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

[2020/07/27 14:58:04.112889,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: AS-REQ administrator at PRAWDA.LOCAL from
ipv4:192.168.0.123:60630 for krbtgt/PRAWDA.LOCAL at PRAWDA.LOCAL

[2020/07/27 14:58:04.120327,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Client sent patypes: encrypted-timestamp, 128

[2020/07/27 14:58:04.120374,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Looking for PKINIT pa-data -- administrator at PRAWDA.LOCAL

[2020/07/27 14:58:04.120404,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Looking for ENC-TS pa-data -- administrator at PRAWDA.LOCAL

[2020/07/27 14:58:04.120543,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: ENC-TS Pre-authentication succeeded --
administrator at PRAWDA.LOCAL using aes256-cts-hmac-sha1-96

[2020/07/27 14:58:04.120636,  3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)

  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[administrator at PRAWDA.LOCAL] at [Mon, 27 Jul 2020 14:58:04.120609
CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
[(null)] remote host [ipv4:192.168.0.123:60630] became
[PRAWDA]\[Administrator] [S-1-5-21-3478243395-2611530980-3289595817-500].
local host [NULL] 

  {"timestamp": "2020-07-27T14:58:04.120715+0200", "type": "Authentication",
"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624,
"logonId": "75676c4ac6b4678", "logonType": 3, "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress": "ipv4:192.168.0.123:60630",
"serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null, "clientAccount":
"administrator at PRAWDA.LOCAL",
"workstation": null, "becameAccount": "Administrator", "becameDomain":
"PRAWDA", "becameSid": "S-1-5-21-3478243395-2611530980-3289595817-500",
"mappedAccount": "Administrator", "mappedDomain": "PRAWDA",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 7930}}

[2020/07/27 14:58:04.120854,  4]
../../source4/auth/sam.c:200(authsam_account_ok)

  authsam_account_ok: Checking SMB password for user
administrator at PRAWDA.LOCAL

[2020/07/27 14:58:04.138052,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: AS-REQ authtime: 2020-07-27T14:58:04 starttime: unset endtime:
2020-07-28T00:58:04 renew till: 2020-08-03T14:58:04

[2020/07/27 14:58:04.138193,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
arcfour-hmac-md5, -133, -128, 24, -135, using
aes256-cts-hmac-sha1-96/arcfour-hmac-md5

[2020/07/27 14:58:04.138235,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
forwardable

[2020/07/27 14:58:04.142001,  3]
../../source4/smbd/service_stream.c:67(stream_terminate_connection)

  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

[2020/07/27 14:58:04.148555,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: TGS-REQ Administrator at PRAWDA.LOCAL from
ipv4:192.168.0.123:60631 for
ldap/debian.prawda.local/prawda.local at PRAWDA.LOCAL [renewable, forwardable]

[2020/07/27 14:58:04.151843,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: samba_kdc_fetch: message2entry failed

[2020/07/27 14:58:04.152019,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Server not found in database:
ldap/debian.prawda.local/prawda.local at PRAWDA.LOCAL: encryption type 3 not
supported

[2020/07/27 14:58:04.152069,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

  Kerberos: Failed building TGS-REP to ipv4:192.168.0.123:60631

[2020/07/27 14:58:04.154093,  3]
../../source4/smbd/service_stream.c:67(stream_terminate_connection)

  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

[2020/07/27 14:58:04.155266,  3]
../../source4/smbd/service_stream.c:67(stream_terminate_connection)

  stream_terminate_connection: Terminating connection -
'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'

[2020/07/27 14:58:04.189794,  3]
../../source4/smbd/service_stream.c:67(stream_terminate_connection)

  stream_terminate_connection: Terminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'

Win10 event logs say: The security system has detected an authentication
error for the server Insufficient system resources 0xc000009a

I think I have a problem with encryption; ver 4.12 does not support DES, and I
see in the log:

  Kerberos: Server not found in database:
ldap/debian.prawda.local/prawda.local at PRAWDA.LOCAL: encryption type 3 not
supported

How do I migrate the old database encryption to one supported in Samba 4.12?

Changing the user password does not help.

JM
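
Added example, not part of the original post and not Samba code: a Python script that rejoins wrapped Samba log entries like the ones above and reports KDC lookups rejected with "encryption type N not supported", naming the enctype from the IANA Kerberos numbers (type 3 is des-cbc-md5, a single-DES type) and the client that received the failed TGS-REP. The function names and the sample log are constructed for illustration.

```python
import re

# Kerberos enctype numbers per the IANA registry (RFC 3961, 3962, 4757).
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
SINGLE_DES = {1, 2, 3}

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+\d+\]\s*(.*)$")
FAIL = re.compile(r"Kerberos: Server not found in database: (.+?): "
                  r"encryption type (-?\d+) not supported")
REPLY = re.compile(r"Kerberos: Failed building TGS-REP to (\S+)")

def records(text):
    """Rejoin wrapped Samba log entries into (timestamp, message) pairs."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            out.append((m.group(1), [m.group(2)]))
        elif out and line.strip():
            out[-1][1].append(line.strip())
    return [(ts, " ".join(parts).strip()) for ts, parts in out]

def enctype_failures(text):
    """List KDC lookups rejected for an unsupported enctype, with the client."""
    recs, hits = records(text), []
    for i, (ts, msg) in enumerate(recs):
        m = FAIL.search(msg)
        if m:
            etype = int(m.group(2))
            # The KDC logs the client address in the entry that follows.
            nxt = REPLY.search(recs[i + 1][1]) if i + 1 < len(recs) else None
            hits.append({"time": ts, "principal": m.group(1), "etype": etype,
                         "name": ENCTYPES.get(etype, "not in table"),
                         "single_des": etype in SINGLE_DES,
                         "client": nxt.group(1) if nxt else None})
    return hits

# Constructed sample, modelled on the entries in the post (message left wrapped).
SAMPLE = """\
[2020/07/27 14:58:04.152019,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database:
ldap/debian.prawda.local/prawda.local@PRAWDA.LOCAL: encryption type 3 not
supported
[2020/07/27 14:58:04.152069,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.0.123:60631
"""

if __name__ == "__main__":
    print(enctype_failures(SAMPLE))
```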


