[Samba] Domain trust between Samba 3.5.9 and Windows 2008 Active Directory crashes lsass.exe which makes AD Domain Controller reboot
Tim Wright
Tim.W at gordian.co.uk
Wed Aug 10 06:18:23 MDT 2011
Thanks for saving me some time going down a rabbit hole.
Still at a loss, get this packet:
226 1970-01-01 00:01:51.853391 192.168.153.156 192.168.56.152 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: CTGDOMAIN\testuser01
Then a load of other traffic between Samba PDC and AD DC which all seems
ok (SMB, DCERPC and RPC_NETLOGON packets) then 12 seconds later get the
response to packet 226 above and then the DC has rebooted:
274 1970-01-01 00:02:03.425244 192.168.56.152 192.168.153.156 SMB Session Setup AndX Response, Error: STATUS_INTERNAL_ERROR
Enabled netlogon max logging ( nltest /dbflag:0x2080ffff ) and see the
following in the netlogon.log:
08/10 12:16:41 [LOGON] SamLogon: Network logon of CTGDOMAIN\root from CTGSOL10 Entered
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: Try Session setup
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSetStatusClientSession: Set connection status to 0
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSetStatusClientSession: Set connection status to 0
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: negotiated 400201ff flags rather than 603fbfff
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: Session setup Succeeded
Then nothing till the server reboots (also enabled SAM logging but nothing
in sam.log)
A session using the NT4 domain trust shows the following in netlogon.log:
08/09 14:44:36 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Entered
08/09 14:44:36 [SESSION] LIVENT4DOMAIN: NlSessionSetup: Try Session setup
08/09 14:44:37 [CRITICAL] NlSessionSetup: Fall back to Authenticate2
08/09 14:44:37 [SESSION] LIVENT4DOMAIN: NlSetStatusClientSession: Set connection status to 0
08/09 14:44:37 [SESSION] LIVENT4DOMAIN: NlSetStatusClientSession: Set connection status to 0
08/09 14:44:37 [SESSION] LIVENT4DOMAIN: NlSessionSetup: negotiated 400001ff flags rather than 603fbfff
08/09 14:44:37 [SESSION] LIVENT4DOMAIN: NlSessionSetup: Session setup Succeeded
08/09 14:44:37 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Returns 0x0
08/09 14:45:04 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Entered
08/09 14:45:04 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Returns 0x0
Naively, I'm guessing I want to configure Samba so that the session setup
is the same as the NT4 i.e. Fall back to Authenticate2 but I honestly do
not really know what any of this means and not finding much when searching
the web. The NT4 PDC is SP6 and so I'm assuming it's using NTLMv2 which
should be the same as Samba (have tried with ntlm auth = Yes and No in
smb.conf but doesn't seem to make any diff to behaviour).
tim
From: Volker Lendecke <Volker.Lendecke at sernet.de>
To: Tim Wright <Tim.W at gordian.co.uk>
Cc: samba at lists.samba.org
Date: 05/08/2011 12:22
Subject: Re: [Samba] Domain trust between Samba 3.5.9 and Windows
2008 Active Directory crashes lsass.exe which makes AD Domain Controller
reboot
On Fri, Aug 05, 2011 at 11:47:57AM +0100, Tim Wright wrote:
> Have some more information on this - looking at a packet capture of
> traffic between the AD DC and the Samba PDC, the last packet it sends is a
> "Session Setup AndX Request, NTLMSSP_AUTH" message but the NTLM SSP bit of
> the packet has User and Domain set to NULL. Turned up the debug level on
> the samba side and see the following in the logs (sorry have included
> preamble to final message in case it's of any use in diagnosing the
> problem):
This is definitely not your problem. Just a standard
anonymous session setup. The problem must be MUCH later in
the sniff.
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
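
Added example, not part of the original message or of Samba: a small netlogon.log triage script that pairs each SamLogon "Entered" line with its "Returns" line and compares the negotiated flag words of two trusts. The function names and the SAMPLE text (the log lines quoted above, unwrapped) are constructed for illustration.

```python
import re

# Constructed sample: netlogon.log lines quoted in the message above, with the
# mail client's line wrapping undone and the repeated status lines omitted.
SAMPLE = r"""
08/10 12:16:41 [LOGON] SamLogon: Network logon of CTGDOMAIN\root from CTGSOL10 Entered
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: negotiated 400201ff flags rather than 603fbfff
08/10 12:16:41 [SESSION] CTGDOMAIN: NlSessionSetup: Session setup Succeeded
08/09 14:44:36 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Entered
08/09 14:44:37 [SESSION] LIVENT4DOMAIN: NlSessionSetup: negotiated 400001ff flags rather than 603fbfff
08/09 14:44:37 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Returns 0x0
08/09 14:45:04 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Entered
08/09 14:45:04 [LOGON] SamLogon: Network logon of LIVENT4DOMAIN\testuser01 from GORDIAN-FCB4FE1 Returns 0x0
"""

LOGON = re.compile(r"^(\S+ \S+) \[LOGON\] SamLogon: Network logon of (\S+) "
                   r"from (\S+) (Entered|Returns \S+)$")
FLAGS = re.compile(r"\[SESSION\] (\S+): NlSessionSetup: negotiated "
                   r"([0-9a-fA-F]+) flags rather than ([0-9a-fA-F]+)")

def unanswered_logons(text):
    """Return (timestamp, account, workstation) for every 'Entered' line
    that never gets a matching 'Returns' line."""
    pending = {}  # (account, workstation) -> timestamps of open requests
    for line in text.splitlines():
        m = LOGON.match(line.strip())
        if not m:
            continue
        stamp, account, host, outcome = m.groups()
        queue = pending.setdefault((account, host), [])
        if outcome == "Entered":
            queue.append(stamp)
        elif queue:
            queue.pop(0)  # a Returns line answers the oldest open request
    return [(s, a, h) for (a, h), q in pending.items() for s in q]

def negotiated_flags(text):
    """Map domain -> (negotiated, offered) flag words as integers."""
    return {m.group(1): (int(m.group(2), 16), int(m.group(3), 16))
            for m in FLAGS.finditer(text)}

def flag_report(text, domain_a, domain_b):
    """Bits that differ between two trusts, and offered bits domain_a dropped."""
    flags = negotiated_flags(text)
    (neg_a, offered), (neg_b, _) = flags[domain_a], flags[domain_b]
    return {"differ": neg_a ^ neg_b, "dropped_by_a": offered & ~neg_a}

if __name__ == "__main__":
    for stamp, account, host in unanswered_logons(SAMPLE):
        print(f"no reply logged: {account} from {host} at {stamp}")
    report = flag_report(SAMPLE, "CTGDOMAIN", "LIVENT4DOMAIN")
    print(f"negotiated bits that differ: {report['differ']:08x}")
```

The script only reports which bits differ; naming them needs the Netlogon protocol documentation, which the message does not quote.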