[Samba] samba4.1.2: Allow cryptography algorithms compatible with Windows NT 4.0
Francesco Malvezzi
francesco.malvezzi at unimore.it
Thu Dec 5 00:53:41 MST 2013
On 05/12/2013 00:10, Andrew Bartlett wrote:
> On Wed, 2013-12-04 at 10:40 +0100, Francesco Malvezzi wrote:
>> Hi all,
>>
>> while fiddling with VmWare View without being able to join a windows7
>> client to a samba4 domain, we stumbled on the following article:
>>
>> http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1028164
>>
>> which says, should we run MS Windows 2008R2 AD, we should enable the
>> "Allow cryptography algorithms compatible with Windows NT 4.0" registry key.
>>
>> Am I correct to suppose a samba-4.1.2 PDC emulates a Windows 2008R2 (as
>> long as cryptography is involved)?
>>
>> Is there a way (if any) to downgrade the cryptography requirements of a
>> samba-4.1.2 domain to meet the "Allow cryptography algorithms compatible
>> with Windows NT 4.0"?
>
> Is there something that specifically doesn't work for you?
Yes: windows7 clients can't join the samba domain.
Longer answer: vmware view technology (a virtual desktop handling suite)
manages domain joins with an agent to be installed on the golden image
which is going to be cloned and deployed.
The agent "overrides" the join process (which would normally be a sysprep).
Unfortunately the join fails with a not-very-diagnostic error on the client:
2013-11-29 14:06:20,374 [2544] FATAL CSvmGaService -
[svmGaService.cpp, 134] Domain join failedError 1326 (0x52e): Errore
durante l'accesso: nome utente sconosciuto o password non valida.
(translation: error during access: unknown username or wrong password)
And on samba4 server (dump taken from a different time):
[this is the log based on IP source address]:
auth_check_password_send: Checking password for unmapped user
[ATENEOAD]\[P7-1203QP-03$]@[P7-1203QP-03]
[2013/12/05 08:24:51.670784, 5]
../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
map_user_info_cracknames: Mapping user [ATENEOAD]\[P7-1203QP-03$] from
workstation [P7-1203QP-03]
auth_check_password_send: mapped user is:
[ATENEOAD]\[P7-1203QP-03$]@[P7-1203QP-03]
[2013/12/05 08:24:51.673849, 5]
../source4/auth/ntlm/auth.c:66(auth_get_challenge)
auth_get_challenge: returning previous challenge by module random (normal)
[2013/12/05 08:24:51.673937, 5] ../lib/util/util.c:556(dump_data)
[0000] A3 A5 B7 74 80 22 4B 33 ...t."K3
[2013/12/05 08:24:51.685233, 4]
../libcli/auth/ntlm_check.c:359(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password with domain [ATENEOAD]
[2013/12/05 08:24:51.685428, 4]
../libcli/auth/ntlm_check.c:373(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password with uppercased version
of domain [ATENEOAD]
[2013/12/05 08:24:51.685522, 4]
../libcli/auth/ntlm_check.c:386(ntlm_password_check)
ntlm_password_check: Checking NTLMv2 password without a domain
[2013/12/05 08:24:51.685594, 3]
../libcli/auth/ntlm_check.c:398(ntlm_password_check)
ntlm_password_check: NTLMv2 password check failed
[2013/12/05 08:24:51.685647, 3]
../libcli/auth/ntlm_check.c:443(ntlm_password_check)
ntlm_password_check: Lanman passwords NOT PERMITTED for user P7-1203QP-03$
[2013/12/05 08:24:51.685699, 4]
../libcli/auth/ntlm_check.c:480(ntlm_password_check)
ntlm_password_check: Checking LMv2 password with domain ATENEOAD
[2013/12/05 08:24:51.685766, 4]
../libcli/auth/ntlm_check.c:509(ntlm_password_check)
ntlm_password_check: Checking LMv2 password with upper-cased version
of domain ATENEOAD
[2013/12/05 08:24:51.685885, 4]
../libcli/auth/ntlm_check.c:537(ntlm_password_check)
ntlm_password_check: Checking LMv2 password without a domain
[2013/12/05 08:24:51.685956, 4]
../libcli/auth/ntlm_check.c:568(ntlm_password_check)
ntlm_password_check: Checking NT MD4 password in LM field
[2013/12/05 08:24:51.686239, 3]
../libcli/auth/ntlm_check.c:587(ntlm_password_check)
ntlm_password_check: LM password, NT MD4 password in LM field and LMv2
failed for user P7-1203QP-03$
[2013/12/05 08:24:51.686334, 2]
../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
auth_check_password_recv: sam_ignoredomain authentication for user
[ATENEOAD\P7-1203QP-03$] FAILED with error NT_STATUS_WRONG_PASSWORD
[2013/12/05 08:24:51.686478, 5]
../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_check_password)
../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for
ATENEOAD\P7-1203QP-03$ failed: NT_STATUS_WRONG_PASSWORD
[2013/12/05 08:24:51.686567, 2]
../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
[2013/12/05 08:24:51.686647, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
Which is more or less the same thing I read there:
[log.%m -> kerberos]:
[2013/12/05 08:24:51.484265, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ p7-1203qp-03$@ad.unimore.it from
ipv4:155.185.132.41:49442 for krbtgt/ad.unimore.it at ad.unimore.it
[2013/12/05 08:24:51.496948, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2013/12/05 08:24:51.497057, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.497121, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.497238, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
(enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2013/12/05 08:24:51.497313, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.497865, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2013/12/05 08:24:51.497945, 5]
../source4/lib/messaging/messaging.c:554(imessaging_cleanup)
imessaging: cleaning up /opt/samba/private/smbd.tmp/msg/msg.3904.34
[2013/12/05 08:24:51.498148, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2013/12/05 08:24:51.498734, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ p7-1203qp-03$@ad.unimore.it from
ipv4:155.185.132.41:49443 for krbtgt/ad.unimore.it at ad.unimore.it
[2013/12/05 08:24:51.511348, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2013/12/05 08:24:51.511498, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.511563, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.511675, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
(enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2013/12/05 08:24:51.511746, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.512215, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2013/12/05 08:24:51.512289, 5]
../source4/lib/messaging/messaging.c:554(imessaging_cleanup)
imessaging: cleaning up /opt/samba/private/smbd.tmp/msg/msg.3904.34
[2013/12/05 08:24:51.512401, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2013/12/05 08:24:51.605554, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ p7-1203qp-03$@ad.unimore.it from
ipv4:155.185.132.41:49445 for krbtgt/ad.unimore.it at ad.unimore.it
[2013/12/05 08:24:51.617545, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2013/12/05 08:24:51.617648, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.617718, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.617890, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
(enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2013/12/05 08:24:51.617968, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.618555, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2013/12/05 08:24:51.618742, 5]
../source4/lib/messaging/messaging.c:554(imessaging_cleanup)
imessaging: cleaning up /opt/samba/private/smbd.tmp/msg/msg.3904.34
[2013/12/05 08:24:51.618953, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2013/12/05 08:24:51.619530, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ p7-1203qp-03$@ad.unimore.it from
ipv4:155.185.132.41:49446 for krbtgt/ad.unimore.it at ad.unimore.it
[2013/12/05 08:24:51.632104, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2013/12/05 08:24:51.632198, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.632259, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.632367, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
(enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2013/12/05 08:24:51.632486, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.632971, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2013/12/05 08:24:51.633045, 5]
../source4/lib/messaging/messaging.c:554(imessaging_cleanup)
imessaging: cleaning up /opt/samba/private/smbd.tmp/msg/msg.3904.34
[2013/12/05 08:24:51.633226, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2013/12/05 08:24:51.633786, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ p7-1203qp-03$@ad.unimore.it from
ipv4:155.185.132.41:49447 for krbtgt/ad.unimore.it at ad.unimore.it
[2013/12/05 08:24:51.645438, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2013/12/05 08:24:51.645527, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.645587, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.645692, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
(enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2013/12/05 08:24:51.645762, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
[2013/12/05 08:24:51.646273, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
On the other hand a few minutes before the windows client did know its
password:
[...]
[2013/12/05 08:37:27.272372, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ P7-1203QP-03$@ad.unimore.it from
ipv4:155.185.132.41:49376 for krbtgt/ad.unimore.it at ad.unimore.it
[2013/12/05 08:37:27.284360, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2013/12/05 08:37:27.284465, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- P7-1203QP-03$@ad.unimore.it
[2013/12/05 08:37:27.284538, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- P7-1203QP-03$@ad.unimore.it
[2013/12/05 08:37:27.284658, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded --
P7-1203QP-03$@ad.unimore.it using arcfour-hmac-md5
[2013/12/05 08:37:27.284724, 4]
../source4/auth/sam.c:170(authsam_account_ok)
authsam_account_ok: Checking SMB password for user
P7-1203QP-03$@ad.unimore.it
[2013/12/05 08:37:27.284787, 5] ../source4/auth/sam.c:105(logon_hours_ok)
logon_hours_ok: No hours restrictions for user P7-1203QP-03$@ad.unimore.it
[2013/12/05 08:37:27.285979, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2013-12-05T08:37:27 starttime: unset
endtime: 2013-12-05T18:37:27 renew till: 2013-12-12T08:37:27
[2013/12/05 08:37:27.286137, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using
arcfour-hmac-md5/arcfour-hmac-md5
[2013/12/05 08:37:27.286213, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
forwardable
[...]
So, as a wild guess I was thinking the agent indeed knows the machine
password, but fails to encrypt it or fails to use an accepted ciphersuite.
And this hypothesis would confirm the article from the vmware knowledge base:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1028164
about the need of "Allow cryptography algorithms compatible with Windows
NT 4.0" registry key on a MS Windows 2008R2 AD server.
Sorry for the very long post,
Francesco
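As an added example (not part of the original mail or of Samba), the following script parses the Samba 4 KDC debug messages quoted above and, per principal, compares the enctype of failing ENC-TS pre-authentication attempts with the enctype of successful ones, so an operator can tell an enctype restriction from a key mismatch. The sample is constructed from the page's own lines, re-joined onto single lines as samba writes them; in that sample both the failing and the succeeding AS-REQs use arcfour-hmac-md5.

```python
import re
from collections import defaultdict

# Constructed sample built from the page's own Samba 4 KDC messages, each re-joined
# onto one line as samba writes it (the mail wraps them); header lines would be skipped.
SAMPLE_LOG = """\
  Kerberos: AS-REQ p7-1203qp-03$@ad.unimore.it from ipv4:155.185.132.41:49442 for krbtgt/ad.unimore.it at ad.unimore.it
  Kerberos: Client sent patypes: encrypted-timestamp, 128
  Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it (enctype arcfour-hmac-md5) error Decrypt integrity check failed
  Kerberos: Failed to decrypt PA-DATA -- p7-1203qp-03$@ad.unimore.it
  Kerberos: AS-REQ P7-1203QP-03$@ad.unimore.it from ipv4:155.185.132.41:49376 for krbtgt/ad.unimore.it at ad.unimore.it
  Kerberos: Client sent patypes: encrypted-timestamp, 128
  Kerberos: ENC-TS Pre-authentication succeeded -- P7-1203QP-03$@ad.unimore.it using arcfour-hmac-md5
"""

AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from (\S+) for (\S+)")
FAIL = re.compile(r"Kerberos: Failed to decrypt PA-DATA -- (\S+) \(enctype ([\w-]+)\) error (.+)")
OK = re.compile(r"Kerberos: ENC-TS Pre-authentication succeeded -- (\S+) using ([\w-]+)")

def parse_kdc_log(text):
    """One dict per AS-REQ; principals lower-cased so P7-... and p7-... compare equal."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if m := AS_REQ.match(line):
            attempts.append({"principal": m.group(1).lower(), "source": m.group(2),
                             "enctype": None, "outcome": "no-preauth-result"})
        elif not attempts:
            continue  # nothing to attach to before the first AS-REQ
        elif m := FAIL.match(line):  # the bare repeat line has no enctype and is ignored
            attempts[-1].update(enctype=m.group(2), outcome="preauth-failed: " + m.group(3))
        elif m := OK.match(line):
            attempts[-1].update(enctype=m.group(2), outcome="preauth-ok")
    return attempts

def summarize(attempts):
    """Per principal: enctypes seen in failing vs succeeding ENC-TS pre-auth."""
    out = defaultdict(lambda: {"attempts": 0, "failed": set(), "ok": set()})
    for a in attempts:
        s = out[a["principal"]]
        s["attempts"] += 1
        if a["outcome"] == "preauth-ok":
            s["ok"].add(a["enctype"])
        elif a["outcome"].startswith("preauth-failed"):
            s["failed"].add(a["enctype"])
    for s in out.values():
        # An enctype the KDC already accepted for this principal is not being refused; a
        # decrypt integrity failure under that same enctype means the client's key did not match.
        s["same_enctype_also_succeeded"] = bool(s["failed"] & s["ok"])
    return dict(out)
```

Feed it a real log.kerberos (or the log.%m file for the client's IP) and look at the `same_enctype_also_succeeded` flag per machine account.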