[Samba] Domain trust between Samba 3.5.9 and Windows 2008 Active Directory crashes lsass.exe which makes AD Domain Controller reboot
Tim Wright
Tim.W at gordian.co.uk
Wed Jul 27 10:26:10 MDT 2011
Hi
Trying to set up a one way trust between a 2008 Active Directory domain
and a Samba 3.5.9 server which is configured as a PDC.
There is already an existing trust between AD and an NT4 domain so AD has
been configured to support NTLM authentication (see below for full
details).
With no domain trust, using smbclient either anonymously or with a valid
user on the DC (e.g. Administrator) works ok.
When a domain trust is created as follows:
On samba server
net rpc trustdom add AD <password>
pdbedit -Lw ad\$ shows that the trust account is set up correctly (i.e. I
appearing in the square brackets)
net rpc trustdom list shows the domain trust is ok
On AD DC:
Add new trust for the Samba domain in the normal way using the trust
password above
This validates ok.
Now smbclient -U% is still ok but smbclient -UAdministrator causes the DC to
crash.
When it comes back up, the following appears in the Application Eventlog:
Log Name: Application
Source: Application Error
Date: 27/07/2011 16:25:07
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: LIVEDC.ad.gordian.co.uk
Description:
Faulting application lsass.exe, version 6.0.6002.18005, time stamp
0x49e01c84, faulting module ntdll.dll, version 6.0.6002.18005, time stamp
0x49e02d47, exception code 0x80000003, fault offset 0x000348d8, process id
0x244, application start time 0x01cc41619f198970.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-07-27T15:25:07.000Z" />
<EventRecordID>17693</EventRecordID>
<Channel>Application</Channel>
<Computer>LIVEDC.ad.gordian.co.uk</Computer>
<Security />
</System>
<EventData>
<Data>lsass.exe</Data>
<Data>6.0.6002.18005</Data>
<Data>49e01c84</Data>
<Data>ntdll.dll</Data>
<Data>6.0.6002.18005</Data>
<Data>49e02d47</Data>
<Data>80000003</Data>
<Data>000348d8</Data>
<Data>244</Data>
<Data>01cc41619f198970</Data>
</EventData>
</Event>
followed by
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 27/07/2011 16:25:20
Event ID: 1015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: LIVEDC.ad.gordian.co.uk
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with
status code 255. The machine must now be restarted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
<EventID Qualifiers="49152">1015</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-07-27T15:25:20.000Z" />
<EventRecordID>17694</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>LIVEDC.ad.gordian.co.uk</Computer>
<Security />
</System>
<EventData>
<Data>C:\Windows\system32\lsass.exe</Data>
<Data>255</Data>
</EventData>
</Event>
Here's the smb.conf with comments stripped:
[global]
workgroup = CTGDOMAIN
server string = Samba 3.5.9 Server PDC
security = user
hosts allow = 192.168.56. 192.168.153. 127.
load printers = no
log file = /opt/samba/var/log.%m
max log size = 50
interfaces = e1000g0 lo*
bind interfaces only = yes
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
logon path = \\%L\Profiles\%U
wins support = yes
name resolve order = lmhosts wins hosts broadcast
dns proxy = no
add user script = /usr/sbin/useradd %u
add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/useradd -g machines -c Machine -d
/dev/null -s /bin/false %u
delete user script = /usr/sbin/userdel %u
delete user from group script = /usr/sbin/userdel %u %g
delete group script = /usr/sbin/groupdel %g
[homes]
comment = Home Directories
browseable = no
writable = yes
[netlogon]
comment = Network Logon Service
path = /opt/samba/lib/netlogon
guest ok = yes
writable = no
share modes = no
[Profiles]
path = /opt/samba/profiles
browseable = no
guest ok = yes
Has anyone else seen this issue or have any ideas about the best way to
debug?
thanks
tim
P.S. AD policy configuration
Network access: Allow anonymous SID/Name translation ENABLED
Network access: Do not allow anonymous enumeration of SAM accounts
DISABLED
Network access: Do not allow anonymous enumeration of SAM accounts and
shares DISABLED
Network access: Let Everyone permissions apply to anonymous users
ENABLED
Network access: Named pipes can be accessed anonymously ENABLED
Network access: Restrict anonymous access to Named Pipes and shares
DISABLED
Network security: LAN Manager authentication level "Send NTLM response
only"
Microsoft network client: Digitally sign communications (always)
DISABLED
Microsoft network client: Digitally sign communications (if server
agrees) ENABLED
Microsoft network server: Digitally sign communications (always)
DISABLED
Microsoft network server: Digitally sign communications (if client
agrees) ENABLED
Domain member: Digitally encrypt or sign secure channel data (always)
DISABLED
Domain member: Digitally encrypt secure channel data (when it is
possible) ENABLED
Domain member: Digitally sign secure channel data (when it is possible)
ENABLED
Domain member: Require strong (Windows 2000 or later) session key
DISABLED
Also have enabled the "Allow cryptography algorithms compatible with
Windows NT 4.0" policy
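An added example, not part of the post above and not Samba or Microsoft code: a small Python script that parses Application-log Event XML of the kind quoted in the post and raises an alert when an Application Error 1000 names lsass.exe as the faulting application, noting whether a Wininit 1015 (critical process failed, machine restarting) followed on the same host within a few minutes. The EventData field order for event 1000 is taken from the record in the post (it matches the order in the event's description text); the sample records are constructed from the two events quoted above, trimmed to the elements the parser reads; the NT status names are well-known values, and the five-minute window is an assumption.

```python
"""Parse Windows Application-log Event XML and flag lsass.exe crashes that
forced a domain-controller restart (Application Error 1000 followed by
Wininit 1015 on the same computer)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known NT status values that appear as the "exception code" of Event 1000.
EXCEPTION_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",          # int 3 / fail-fast, not a memory fault
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Constructed sample input: the two records quoted in the post, trimmed to the
# elements this parser reads.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<TimeCreated SystemTime="2011-07-27T15:25:07.000Z" />
<Channel>Application</Channel>
<Computer>LIVEDC.ad.gordian.co.uk</Computer>
</System>
<EventData>
<Data>lsass.exe</Data><Data>6.0.6002.18005</Data><Data>49e01c84</Data>
<Data>ntdll.dll</Data><Data>6.0.6002.18005</Data><Data>49e02d47</Data>
<Data>80000003</Data><Data>000348d8</Data><Data>244</Data><Data>01cc41619f198970</Data>
</EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" />
<EventID Qualifiers="49152">1015</EventID>
<TimeCreated SystemTime="2011-07-27T15:25:20.000Z" />
<Channel>Application</Channel>
<Computer>LIVEDC.ad.gordian.co.uk</Computer>
</System>
<EventData>
<Data>C:\Windows\system32\lsass.exe</Data><Data>255</Data>
</EventData>
</Event>""",
]


def parse_event(xml_text):
    """Reduce one Event XML record to the fields the correlation needs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"),
        "computer": system.find("e:Computer", NS).text,
        # Event 1000 EventData order (as in the post): app, app version, app
        # timestamp, module, module version, module timestamp, exception code,
        # fault offset, process id, application start time
        "data": [d.text or "" for d in root.findall("e:EventData/e:Data", NS)],
    }


def lsass_crash_alerts(xml_records, window=timedelta(minutes=5)):
    """Return one alert per lsass.exe Application Error 1000, marking whether a
    Wininit 1015 followed on the same computer within `window` (assumed 5 min)."""
    events = sorted((parse_event(x) for x in xml_records), key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if not (ev["provider"] == "Application Error" and ev["event_id"] == 1000
                and ev["data"] and ev["data"][0].lower() == "lsass.exe"):
            continue
        code = int(ev["data"][6], 16)
        alerts.append({
            "computer": ev["computer"],
            "time": ev["time"],
            "faulting_module": ev["data"][3],
            "exception_code": f"0x{code:08x}",
            "exception_name": EXCEPTION_NAMES.get(code, "UNKNOWN"),
            "fault_offset": "0x" + ev["data"][7],
            # True when the crash was followed by the forced restart on this host
            "forced_restart": any(
                later["computer"] == ev["computer"]
                and later["provider"] == "Microsoft-Windows-Wininit"
                and later["event_id"] == 1015
                and later["time"] - ev["time"] <= window
                for later in events[i + 1:]
            ),
        })
    return alerts


if __name__ == "__main__":
    for alert in lsass_crash_alerts(SAMPLE_EVENTS):
        print(alert)
```

Run against the two sample records it reports a single alert for LIVEDC.ad.gordian.co.uk with faulting module ntdll.dll, exception 0x80000003 (STATUS_BREAKPOINT, i.e. a deliberate break or fail-fast inside lsass rather than an access violation) and forced_restart set, which is the pattern to watch for on a domain controller when a new trust is being brought up.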