[Samba] problems with windows 2000 terminal server in AD with samba4rc5 (on Ubuntu 12.04.1 64bit) DC

Andrew Bartlett abartlet at samba.org
Wed Nov 21 14:44:36 MST 2012


On Wed, 2012-11-21 at 09:58 +0100, odix wrote:
> Dear all,
> 
> after upgrading an existing NT4 domain, via "injecting" a samba3 LDAP
> BDC to vampire security database, classicupgrade with samba-tool ...
> everything seems to work as expected, except the mentioned windows
> 2000 terminal server, see excerpt from log.samba file:
> 
> ...
> [2012/11/18 13:09:26,  0] ../source4/smbd/server.c:475(binary_smbd_main)
>   samba: using 'standard' process model
> [2012/11/18 14:56:10,  0]
> ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
>   Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error
> in module acl: insufficient access rights (50)
> [2012/11/18 14:56:19,  0]
> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>   NTLMSSP NTLM2 packet check failed due to invalid signature!
> [2012/11/18 15:04:41,  0]
> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>   NTLMSSP NTLM2 packet check failed due to invalid signature!
> [2012/11/18 15:07:05,  0]

I think this is a red herring (perhaps due to issues only found with
Windows 2000). 

> ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
>   Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error
> in module acl: Constraint violation (19)

This is probably a real bug - we have a bug listed for this, but the fix
was invasive and not finished, so we had to leave it aside for 4.0.

> [2012/11/18 15:59:47,  0]
> ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
>   ../source4/rpc_server/handles.c:102: Attempt to use invalid sid
> S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
> [2012/11/18 15:59:47,  0]
> ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
>   ../source4/rpc_server/handles.c:102: Attempt to use invalid sid
> S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
> [2012/11/18 15:59:47,  0]
> ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
> ...
> 
> also failed to update dns entry:
> Nov 18 17:52:56 sambadc named[752]: client 192.168.12.34#57038:
> request has invalid signature: TSIG 1236950581266-2
> (w2000\$\@XXX.LAN): tsig verify failure (BADSIG)

We would need to get the full details of why this failed.  If you switch
(temporarily) to the internal DNS server, we might be able to give a
better error.  However, many crypto and Kerberos things were 'not quite
right' in Windows 2000, and were made more standards-compliant or
interoperable in later versions, so I'm not totally surprised. 

> I would suggest that it has something to do with the default setting of
> RequireSignOrSeal or RequireStrongKey which defaults to 0 in windows
> 2000 afaik, but I'm not sure. Any other suggestions?

No, I don't think it is related to either of these. 

Frankly, Windows 2000 is very, very old (as I'm sure you know), and it's
not something we test often, and while we fix bugs when we have them
supported, it is very much a reactionary support model.

For both of these, a manual update would probably be the best - manually
set the SPNs to whatever it wants them set to, and manually set the DNS
entries.

I'm sorry that I don't have any other magic answers.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



