[Samba] Domain trust between Samba 3.5.9 and Windows 2008 Active Directory crashes lsass.exe which makes AD Domain Controller reboot

Tim Wright Tim.W at gordian.co.uk
Fri Aug 5 04:47:57 MDT 2011


Have some more information on this - looking at a packet capture of 
traffic between the AD DC and the Samba PDC, the last packet it sends is a 
"Session Setup AndX Request, NTLMSSP_AUTH" message but the NTLM SSP bit of 
the packet has User and Domain set to NULL. Turned up the debug level on 
the Samba side and see the following in the logs (sorry, have included 
preamble to final message in case it's of any use in diagnosing the 
problem):

[2011/08/05 11:06:04.401900,  5] auth/auth.c:481(make_auth_context_subsystem)
  Making default auth method list for DC, security=user, encrypt passwords = yes
[2011/08/05 11:06:04.402126,  5] auth/auth.c:46(smb_register_auth)
  Attempting to register auth backend sam
[2011/08/05 11:06:04.402268,  5] auth/auth.c:58(smb_register_auth)
  Successfully added auth method 'sam'
[2011/08/05 11:06:04.402379,  5] auth/auth.c:46(smb_register_auth)
  Attempting to register auth backend sam_ignoredomain
[2011/08/05 11:06:04.402487,  5] auth/auth.c:58(smb_register_auth)
  Successfully added auth method 'sam_ignoredomain'
[2011/08/05 11:06:04.402603,  5] auth/auth.c:46(smb_register_auth)
  Attempting to register auth backend unix
[2011/08/05 11:06:04.402711,  5] auth/auth.c:58(smb_register_auth)
  Successfully added auth method 'unix'
[2011/08/05 11:06:04.402816,  5] auth/auth.c:46(smb_register_auth)
  Attempting to register auth backend winbind
[2011/08/05 11:06:04.402929,  5] auth/auth.c:58(smb_register_auth)
  Successfully added auth method 'winbind'
[2011/08/05 11:06:04.403042,  5] auth/auth.c:46(smb_register_auth)
  Attempting to register auth backend wbc
[2011/08/05 11:06:04.403150,  5] auth/auth.c:58(smb_register_auth)
  Successfully added auth method 'wbc'
[2011/08/05 11:06:04.403289,  5] auth/auth.c:46(smb_register_auth)
  Attempting to register auth backend smbserver
[2011/08/05 11:06:04.403398,  5] auth/auth.c:58(smb_register_auth)
  Successfully added auth method 'smbserver'
[2011/08/05 11:06:04.403531,  5] auth/auth.c:46(smb_register_auth)
  Attempting to register auth backend trustdomain
[2011/08/05 11:06:04.403649,  5] auth/auth.c:58(smb_register_auth)
  Successfully added auth method 'trustdomain'
[2011/08/05 11:06:04.403755,  5] auth/auth.c:46(smb_register_auth)
  Attempting to register auth backend ntdomain
[2011/08/05 11:06:04.403862,  5] auth/auth.c:58(smb_register_auth)
  Successfully added auth method 'ntdomain'
[2011/08/05 11:06:04.403968,  5] auth/auth.c:46(smb_register_auth)
  Attempting to register auth backend guest
[2011/08/05 11:06:04.404075,  5] auth/auth.c:58(smb_register_auth)
  Successfully added auth method 'guest'
[2011/08/05 11:06:04.404190,  5] auth/auth.c:46(smb_register_auth)
  Attempting to register auth backend netlogond
[2011/08/05 11:06:04.404298,  5] auth/auth.c:58(smb_register_auth)
  Successfully added auth method 'netlogond'
[2011/08/05 11:06:04.404404,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2011/08/05 11:06:04.404533,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2011/08/05 11:06:04.404650,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2011/08/05 11:06:04.404760,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2011/08/05 11:06:04.404868,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match winbind:trustdomain
[2011/08/05 11:06:04.404978,  5] auth/auth.c:383(load_auth_module)
[2011/08/05 11:06:04.404978,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match trustdomain
[2011/08/05 11:06:04.405098,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method trustdomain has a valid init
[2011/08/05 11:06:04.405205,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2011/08/05 11:06:04.405501,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_NEGOTIATE_OEM
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_LM_KEY
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP_NEGOTIATE_56
[2011/08/05 11:06:04.406184,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module guest did not want to specify a challenge
[2011/08/05 11:06:04.406292,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module sam did not want to specify a challenge
[2011/08/05 11:06:04.406408,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module winbind did not want to specify a challenge
[2011/08/05 11:06:04.406521,  5] auth/auth.c:132(get_ntlm_challenge)
  auth_context challenge created by random
[2011/08/05 11:06:04.406627,  5] auth/auth.c:133(get_ntlm_challenge)
  challenge is:
[2011/08/05 11:06:04.406730,  5] ../lib/util/util.c:278(_dump_data)
  [0000] 74 0C 51 36 68 7B 3F 72                            t.Q6h{?r
[2011/08/05 11:06:04.407383,  5] lib/util.c:617(show_msg)
[2011/08/05 11:06:04.407446,  5] lib/util.c:627(show_msg)
  size=264
  smb_com=0x73
  smb_rcls=22
  smb_reh=0
  smb_err=49152
  smb_flg=136
  smb_flg2=51203
  smb_tid=65535
  smb_pid=65279
  smb_uid=100
  smb_mid=64
  smt_wct=4
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=    0 (0x0)
  smb_vwv[ 2]=    0 (0x0)
  smb_vwv[ 3]=  167 (0xA7)
  smb_bcc=221
[2011/08/05 11:06:04.409709,  6] smbd/process.c:1486(process_smb)
  got message type 0x0 of len 0xbc
[2011/08/05 11:06:04.409835,  3] smbd/process.c:1489(process_smb)
  Transaction 2 of length 192 (0 toread)
[2011/08/05 11:06:04.409948,  5] lib/util.c:617(show_msg)
[2011/08/05 11:06:04.410006,  5] lib/util.c:627(show_msg)
  size=188
  smb_com=0x73
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51207
  smb_tid=65535
  smb_pid=65279
  smb_uid=100
  smb_mid=128
  smt_wct=12
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=    0 (0x0)
  smb_vwv[ 2]=16644 (0x4104)
  smb_vwv[ 3]=   50 (0x32)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]=    0 (0x0)
  smb_vwv[ 6]=    0 (0x0)
  smb_vwv[ 7]=  125 (0x7D)
  smb_vwv[ 8]=    0 (0x0)
  smb_vwv[ 9]=    0 (0x0)
  smb_vwv[10]=  212 (0xD4)
  smb_vwv[11]=40960 (0xA000)
  smb_bcc=129
[2011/08/05 11:06:04.412256,  3] smbd/process.c:1298(switch_message)
  switch message SMBsesssetupX (pid 18499) conn 0x0
[2011/08/05 11:06:04.412370,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/08/05 11:06:04.412482,  5] auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2011/08/05 11:06:04.412596,  5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2011/08/05 11:06:04.412860,  5] smbd/uid.c:369(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2011/08/05 11:06:04.413027,  3] smbd/sesssetup.c:1458(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2011/08/05 11:06:04.413135,  2] smbd/sesssetup.c:1413(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/08/05 11:06:04.413279,  3] smbd/sesssetup.c:1212(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2011/08/05 11:06:04.413446,  3] smbd/sesssetup.c:1254(reply_sesssetup_and_X_spnego)
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2011/08/05 11:06:04.413632,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[] domain=[] workstation=[LIVEDC] len1=1 len2=0

tim
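
Added example, not part of the original post and not Samba's own code: a Python sketch that decodes the `neg_flags` value reported in the log above and flags `ntlmssp_server_auth` lines where user and domain are both empty, as in the final log line. The flag table covers only the bit names printed in this log (values per MS-NLMP); the function names are hypothetical and `SAMPLE` is an excerpt of the log above.

```python
import re

# Bit values for the flag names printed in the log above (MS-NLMP).
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
FLAGS_RE = re.compile(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)")
AUTH_RE = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")

# Excerpt of the smbd debug log quoted in the message above.
SAMPLE = """\
[2011/08/05 11:06:04.405501,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2011/08/05 11:06:04.413632,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[] domain=[] workstation=[LIVEDC] len1=1 len2=0
"""

def decode_flags(value):
    # Return (known flag names in ascending bit order, leftover unknown bits).
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~sum(NTLMSSP_FLAGS)
    return names, unknown

def scan(log_text):
    # Collect decoded flag sets and auth attempts; mark empty user+domain.
    findings = []
    for line in log_text.splitlines():
        m = FLAGS_RE.search(line)
        if m:
            findings.append(("flags",) + decode_flags(int(m.group(1), 16)))
        m = AUTH_RE.search(line)
        if m:
            user, domain, workstation = m.groups()
            findings.append(("auth", user, domain, workstation, not user and not domain))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
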