[Samba] Domain trust between Samba 3.5.9 and Windows 2008 Active Directory crashes lsass.exe which makes AD Domain Controller reboot

Tim Wright Tim.W at gordian.co.uk
Wed Aug 10 06:18:23 MDT 2011


Thanks for saving me some time going down a rabbit hole.

Still at a loss, get this packet:

226     1970-01-01 00:01:51.853391      192.168.153.156 192.168.56.152 SMB     Session Setup AndX Request, NTLMSSP_AUTH, User: CTGDOMAIN\testuser01

Then a load of other traffic between Samba PDC and AD DC which all seems 
ok (SMB, DCERPC and RPC_NETLOGON packets), then 12 seconds later get the 
response to packet 226 above and then the DC has rebooted:

274     1970-01-01 00:02:03.425244      192.168.56.152  192.168.153.156 SMB     Session Setup AndX Response, Error: STATUS_INTERNAL_ERROR

Enabled netlogon max logging ( nltest /dbflag:0x2080ffff ) and see the 
following in the netlogon.log:

08/10 12:16:41 [LOGON] SamLogon: Network logon of CTGDOMAIN\root from CTGSOL10 Entered
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: Try Session setup
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSetStatusClientSession: Set connection status to 0
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSetStatusClientSession: Set connection status to 0
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: negotiated 400201ff flags rather than 603fbfff
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: Session setup Succeeded

Then nothing till the server reboots (also enabled SAM logging but nothing 
in sam.log)

A session using the NT4 domain trust shows the following in netlogon.log:

08/09 14:44:36 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Entered
08/09 14:44:36 [SESSION] LIVENT4DOMAIN: NlSessionSetup: Try Session setup
08/09 14:44:37 [CRITICAL] NlSessionSetup: Fall back to Authenticate2
08/09 14:44:37 [SESSION] LIVENT4DOMAIN: NlSetStatusClientSession: Set connection status to 0
08/09 14:44:37 [SESSION] LIVENT4DOMAIN: NlSetStatusClientSession: Set connection status to 0
08/09 14:44:37 [SESSION] LIVENT4DOMAIN: NlSessionSetup: negotiated 400001ff flags rather than 603fbfff
08/09 14:44:37 [SESSION] LIVENT4DOMAIN: NlSessionSetup: Session setup Succeeded
08/09 14:44:37 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Returns 0x0
08/09 14:45:04 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Entered
08/09 14:45:04 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Returns 0x0

Naively, I'm guessing I want to configure Samba so that the session setup 
is the same as the NT4 i.e. Fall back to Authenticate2 but I honestly do 
not really know what any of this means and am not finding much when searching 
the web. The NT4 PDC is SP6 and so I'm assuming it's using NTLMv2 which 
should be the same as Samba (have tried with ntlm auth = Yes and No in 
smb.conf but doesn't seem to make any diff to behaviour).

tim



From:   Volker Lendecke <Volker.Lendecke at sernet.de>
To:     Tim Wright <Tim.W at gordian.co.uk>
Cc:     samba at lists.samba.org
Date:   05/08/2011 12:22
Subject:        Re: [Samba] Domain trust between Samba 3.5.9 and Windows 
2008 Active Directory crashes lsass.exe which makes AD Domain Controller 
reboot



On Fri, Aug 05, 2011 at 11:47:57AM +0100, Tim Wright wrote:
> Have some more information on this - looking at a packet capture of 
> traffic between the AD DC and the Samba PDC, the last packet it sends is a 
> "Session Setup AndX Request, NTLMSSP_AUTH" message but the NTLM SSP bit of 
> the packet has User and Domain set to NULL. Turned up the debug level on 
> the samba side and see the following in the logs (sorry have included 
> preamble to final message in case it's of any use in diagnosing the 
> problem):

This is definitely not your problem. Just a standard
anonymous session setup. The problem must be MUCH later in
the sniff.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
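
Added example (not part of the original messages, and not Samba or Microsoft code): a small Python check for the symptom described in the first message, a SamLogon that is "Entered" but never logs "Returns", plus a comparison of the flag words negotiated on the two trusts. The sample lines are constructed from the netlogon.log format quoted above with wrapped lines rejoined; the function names are hypothetical.

```python
import re

# Constructed sample: netlogon.log lines in the format quoted in the thread,
# with the mail client's line wrapping undone.
SAMPLE = """\
08/10 12:16:41 [LOGON] SamLogon: Network logon of CTGDOMAIN\\root from CTGSOL10 Entered
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: Try Session setup
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: negotiated 400201ff flags rather than 603fbfff
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: Session setup Succeeded
08/09 14:44:36 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\\testuser01 from GORDIAN-FCB4FE1 Entered
08/09 14:44:37 [SESSION] LIVENT4DOMAIN: NlSessionSetup: negotiated 400001ff flags rather than 603fbfff
08/09 14:44:37 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\\testuser01 from GORDIAN-FCB4FE1 Returns 0x0
"""

LOGON = re.compile(
    r"^(\S+ \S+) \[LOGON\] SamLogon: Network logon of (.+?) from (\S+) "
    r"(Entered|Returns (0x[0-9A-Fa-f]+))")
FLAGS = re.compile(
    r"\[SESSION\] (\S+): NlSessionSetup: negotiated ([0-9a-fA-F]+) flags rather than ([0-9a-fA-F]+)")

def unfinished_logons(text):
    """Return (timestamp, account, workstation) for each SamLogon that was
    'Entered' but never logged a matching 'Returns' line."""
    pending = {}
    for line in text.splitlines():
        m = LOGON.match(line)
        if not m:
            continue
        ts, account, host, outcome = m.group(1, 2, 3, 4)
        if outcome == "Entered":
            pending.setdefault((account, host), []).append(ts)
        elif pending.get((account, host)):
            pending[(account, host)].pop(0)  # oldest open logon completed
    return [(ts, a, h) for (a, h), stamps in pending.items() for ts in stamps]

def negotiated_flags(text):
    """Map trusted domain -> (negotiated, requested) flag words as ints."""
    return {m.group(1): (int(m.group(2), 16), int(m.group(3), 16))
            for m in map(FLAGS.search, text.splitlines()) if m}

def flag_diff(text, dom_a, dom_b):
    """Bits that differ between the flags negotiated with two domains."""
    flags = negotiated_flags(text)
    return flags[dom_a][0] ^ flags[dom_b][0]

if __name__ == "__main__":
    for ts, account, host in unfinished_logons(SAMPLE):
        print(f"{ts} SamLogon for {account} from {host} never returned")
    diff = flag_diff(SAMPLE, "CTGDOMAIN", "LIVENT4DOMAIN")
    print(f"differing negotiated bits: {diff:#010x}")
```

On the sample, the only open logon is the CTGDOMAIN one, and the two negotiated flag words differ in a single bit (0x00020000) that is set on the Samba trust and clear on the NT4 trust.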


                                                                     
                                                                     
                                                                     
                                             