[Samba] Samba4: W2k clients cannot set / sync time with samba4 AD DC

?icro MEGAS micromegas at mail333.com
Thu Apr 25 01:47:11 MDT 2013 

As a follow-up to this thread 
(https://lists.samba.org/archive/samba/2013-April/172892.html) I have 
created an extra topic, because this is related only to NTP/time sync.

I have done some more tests on this topic, as this really hurts and I 
wouldn't be able to migrate to samba4 in productional environment. We 
are still using lots of W2k clients which cannot be replaced or 
upgraded. Well, I have done some network packet sniffing and as I 
suspected, it seems that the w2k clients really needs to authenticate 
first to be able to use the net time sync command. Here some information
 for clarification:

- everything installed and configured like described on the samba4 HowTo

-
 It affects all my W2k test clients I have tried, not only one. None of 
my w2k clients are able to get the correct time from samba4 AD DC.

-
 WinXP and Win7 are not affected by this, they work fine, from scratch. 
They can sync with my samba4 AD DC and get the time correctly

- I realized that w2k client cannot use "net time" commands when trying to execute them on W2k DOS command prompt window.

 *
 If the w2k client is logged in as local administrator, then he will 
receives an "error code 5 - access denied" when trying to execute "net 
time" or even "net time /set".
 * If the w2k client is logged in as 
an normal domain user without admin privileges, "net time" command will 
work, but "net time /set" will fail with "system error 1314 - client has
 no privilege to adjust time". 
 * If the w2k client is logged in 
with a domain admin account and therefore with admin privileges, "net 
time" will work and the command "net time /set" will set correctly the 
time synced with the samba4 AD DC. This is the only way to have the w2k 
time set to the corresponding samba4 AD DC time. 

Now what 
happens if I put the time to a wrong time (e.g. 6hours back), reboot the
 w2k client, and log-in with a domain admin account? Unfortunately the 
windows time service do NOT update the correct time, although a domain 
admin is logged in. Even not if I restart the windows time service. The 
time only will be set if I manually execute the command "net time /set" 
as explained before.

I logged out again from w2k machine and 
logged in with win2k's local administrator account. As I explained 
before, "net time /set" will return an "error code 5  - access denied". I
 have sniffed that procedure. Then I entered "runas 
/user:MYDOM\domadminuser "net time /set"" and entered the password for 
this user when prompted. Et-voilà --> it works! As soon as I 
authenticate as domain administrator I am able to use this command. I 
also sniffed the packets for this executed command.

You can get the sniffed packet results by tcpdump here --> http://paste.ubuntu.com/5600267/

Hope to get some feedback of the devs, it seems that this is related to SMB and not to NTP itself ?

Any feedback appreciated, thanks and greetings...
Lucas

Пнд 22 Апр 2013 19:17:03 +0400, ?icro MEGAS  написал:
@samba-devs:
 Could this be related to samba4 services/shares? I have googled a lot 
about this error message 5 when using "net time" command, and it seems 
that there is a relation to the share on the server. I don't understand 
which share/service is affected for that. I have tried to check how "net
 time" react on my existing samba3 domain with s3 PDC. I tried at 
several Win2000 clients on my existing productional samba3 domain, and 
--> "net time ..." works fine there without any errors. So it could 
be a problem within samba4 somehow? Would be nice to get a reply of a 
dev who can clarify that.

It must be something to have to do with samba4,  because in a samba3 environment this command works fine.

Any feedback and help appreciated,
thanks... 

Lucas

Пнд 22 Апр 2013 18:08:41 +0400, ?icro MEGAS  написал:
Hello again,

I
 just have found out which the dynamic updates didn't work. The reason 
was, that time synchronization of my win2k clients did NOT WORK 
correctly, so they were not in sync with my samba4 AD DC. This is 
necessary for Kerberso and therefore for signed updates. If the client 
is not in sync with the samba4 domain controller, the updates do NOT 
occur. So this is what I have found out:

although I am logged in 
with the local administrator account to the windows 2000 host and I am 
able to manually modify/adjust the windows time, I am NOT ABLE to use a 
"net time" command. I open a DOS command prompt on the w2k host (while 
being a local administrator): I enter "net time" and press enter. I get 
at once the error message:

System error 5 occured.

Access denied

(I translated this from german).

Then
 I tried to authenticate to my samba4 AD domain as administrator. I 
entered in the DOS command prompt "net use \\mys4srv 
/user:MYDOM\administrator", entered my password when prompted and the 
auth suceeded. So at this point I am authenticated against my samba4 AD 
domain. Now I can re-execute "net time" and it works fine. After this 
authentication the windows client automatically was able to sync its 
time with my samba4 AD domain controller, as the default update 
mechanism Nt5DS is used (=that stands for time sync with the dc in the 
domain). Now I don't understand, why I had to authenticate first at my 
domain, to allow this to work?? Win7 and WinXP hosts don't show this 
behavior, they work from scratch and can sync their time.

I did 
not have applied any GPOs before, so everything is default. Anyone knows
 about this odd behaviour and can help to fix that? Any help 
appreciated. Thanks to all.

Regards,
Lucas.

Пнд 22 Апр 2013 16:08:06 +0400, ?icro MEGAS  написал:
Hi all,

I am running samba 4.0.5 as Active-Directory Domain Controller with 
bind9 9.8 and I am using the BIND9_DLZ mech. I have setup my DNS quite 
exactly as described on the samba4_dns HowTo, but I am facing following 
problems:

Win2000 clients are NOT ABLE to update/add/delete dynamic dns 
ressource records to the DNS database, because it seems they cannot be 
verified by samba4? The BIND9 log with debug level 3 shows error 
messages like that:

[...]

22-Apr-2013 13:50:56.373 update-security: error: client 172.16.200.66#1343: upda

te 'ad.mycompany.com/IN' denied

[...]

22-Apr-2013 13:50:56.392 client: debug 3: client 172.16.200.66#1344: read

22-Apr-2013 13:50:56.392 client: debug 3: client @0x7f9a576948d0: accept

22-Apr-2013 13:50:56.395 client: debug 3: client 172.16.200.66#1344: TCP request

22-Apr-2013 13:50:56.395 client: debug 3: client 172.16.200.66#1344: query

22-Apr-2013 13:50:56.396 general: debug 3: failed gss_inquire_cred: GSSAPI error

: Major = Unspecified GSS failure.  Minor code may provide more information, Min

or = Credentials cache file '/tmp/krb5cc_110' not found.

22-Apr-2013 13:50:56.403 general: debug 3: gss-api source name (accept) is smb4t

estwin2k$@AD.MYCOMPANY.COM

22-Apr-2013 13:50:56.403 client: debug 3: client 172.16.200.66#1344: send

22-Apr-2013 13:50:56.403 client: debug 3: client 172.16.200.66#1344: sendto

22-Apr-2013 13:50:56.404 client: debug 3: client 172.16.200.66#1344: senddone

[...]

22-Apr-2013 13:50:56.536 client: debug 3: client 172.16.200.66#1346: TCP request

22-Apr-2013 13:50:56.536 client: debug 3: client 172.16.200.66#1346: query

22-Apr-2013 13:50:56.537 general: debug 3: failed gss_inquire_cred: GSSAPI error

: Major = Unspecified GSS failure.  Minor code may provide more information, Min

or = Credentials cache file '/tmp/krb5cc_110' not found.

22-Apr-2013 13:50:56.543 general: debug 3: gss-api source name (accept) is smb4t

estwin2k$@AD.MYCOMPANY.COM

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: send

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: sendto

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: senddone

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: next

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: endrequest

22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: read

22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: next

22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: endrequest

22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: closetcp

22-Apr-2013 13:50:56.563 client: debug 3: client 172.16.200.66#1347: UDP request

22-Apr-2013 13:50:56.564 general: debug 3: GSS verify error: GSSAPI error: Major

= A token had an invalid Message Integrity Check (MIC), Minor = Unknown error.

[...]

22-Apr-2013 13:50:56.707 security: error: client 172.16.200.66#1351: request has

 invalid signature: TSIG 910533066770-2 (smb4testwin2k\$\@AD.MYCOMPANY.COM)

: tsig verify failure (BADSIG)

Anyone knows more about that and know how to debug/fix that? Any help appreciated. Thanks a lot.

Lucas.

More information about the samba mailing list