[Samba] Sudden authentication failures, hex dumps in log.samba

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Mon May 13 05:24:20 MDT 2013


On 10.5.2013 16:32, Pekka L.J. Jalkanen wrote:
> On 10.5.2013 14:04, Pekka L.J. Jalkanen wrote:
>> Question: how much more verbosity for log.samba would be needed to
>> further investigate this problem? I'd rather not log everything with
>> "-d10" for extended periods of time, because I really can't know how
>> long it will take for the problem to reappear. I've now increased
>> logging from the default level to "-d3".
> 
> "-d3" logging pays off:
> 
> [2013/05/10 14:31:06,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Client no longer in database: someuser at MYDOMAIN.SITE
> [2013/05/10 14:31:06,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed building TGS-REP to ipv4:10.10.59.151:4736
> [2013/05/10 14:31:06,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ someuser at MYDOMAIN.SITE from ipv4:10.10.59.151:4737 for cifs/w2k3r2dc.mydomain.site at MYDOMAIN.SITE [renewable, forwardable]
> [2013/05/10 14:31:06,  1] ../librpc/ndr/ndr.c:412(ndr_pull_error)
>   ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
> 
> Client is Windows XP. I've yet to see this problem on newer clients...
> this and the other one that previously failed are the last two XP
> clients here that still remain in heavy production use.

A somewhat similar error occurred with a Windows 7 machine. But note that
for some reason only the short domain name was used in reference to the
realm:

[2013/05/13 08:04:53,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ otheruser at MYDOMAIN from ipv4:10.10.59.148:58027 for krbtgt/MYDOMAIN at MYDOMAIN
[2013/05/13 08:04:53,  1] ../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
[2013/05/13 08:04:53,  0] ../lib/util/util.c:457(dump_data)
  [0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b... .... . .
  [0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00      . . . .  . .P..
[2013/05/13 08:04:53,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- otheruser at MYDOMAIN: no such entry found in hdb

> What is also common with this client and the other that previously
> failed is that they both have once been migrated from a different domain
> (that no longer exists) using MS ADMT. This also applies to the users'
> accounts that were used. Don't know if that really matters, but just for
> the record.

Also the Windows 7 client was once migrated this way.

Both the second case and the third case were also different from the
first one in the way that the users had no problems logging on. However,
even though they said to me that they had had no authentication
problems, I still think that they haven't just noticed, as I found the
following from the event log of the second client:

-----
Event Type:	Warning
Event Source:	LSASRV
Event Category:	SPNEGO (Negotiator)
Event ID:	40960
Date:		10.5.2013
Time:		13:52:42
User:		N/A
Computer:	XPWKSTN2
Description:
The Security System detected an attempted downgrade attack for server
LDAP/samba4dc.mydomain.site.  The failure code from authentication
protocol Kerberos was "Insufficient system resources exist to complete
the API. (0xc000009a)".

Event Type:	Warning
Event Source:	LSASRV
Event Category:	SPNEGO (Negotiator)
Event ID:	40961
Date:		10.5.2013
Time:		13:52:42
User:		N/A
Computer:	XPWKSTN2
Description:
The Security System could not establish a secured connection with the
server LDAP/samba4dc.mydomain.site.  No authentication protocol was
available.

Event Type:	Warning
Event Source:	LSASRV
Event Category:	SPNEGO (Negotiator)
Event ID:	40960
Date:		10.5.2013
Time:		14:31:05
User:		N/A
Computer:	XPWKSTN2
Description:
The Security System detected an attempted downgrade attack for server
cifs/w2k3r2dc.mydomain.site.  The failure code from authentication
protocol Kerberos was "Insufficient system resources exist to complete
the API. (0xc000009a)".

Event Type:	Warning
Event Source:	LSASRV
Event Category:	SPNEGO (Negotiator)
Event ID:	40961
Date:		10.5.2013
Time:		14:31:06
User:		N/A
Computer:	XPWKSTN2
Description:
The Security System could not establish a secured connection with the
server cifs/w2k3r2dc.mydomain.site.  No authentication protocol was
available.
-----

All this is really odd, though, as these machines have been part of the
domain for several months already, and have never caused any errors
vis-à-vis the Windows DC. When the accounts were moved from the old
domain to the new, there was obviously a trust between the two domains,
which is something that Samba doesn't really support, but the trust was
abolished after the migration was complete, and the Samba DC has since
been demoted, purged, rebuilt and re-joined the domain, so there
shouldn't be any trust-related stuff around anymore.

> Any ideas how to resolve this problem?

No comments, it seems.

I can see that even if this is a bug in Samba it would be really hard to
reproduce. But it's really frustrating too, because if the
authentication isn't reliable I sort of have to keep the Windows DC around.

So if somebody would have an enlightened suggestion what to do, I'd be
grateful.

The only idea I'm having myself would be to recreate the machine
accounts of the computers in question, but that'd be just a shot in the
dark, and if the problem lies within the user accounts instead, that
wouldn't help.

Pekka L.J. Jalkanen
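As an added example (not from the post, nor Samba's own code), a small Python helper that pairs each ndr_pull_error in log.samba with the Kerberos request logged just before it, turns the dump_data hex lines back into bytes and decodes the payload as UTF-16LE. The sample log is constructed from the excerpt above with the list archive's " at " restored to "@"; treating the first 12 bytes of the dump as a header is an assumption, as is the reading that an odd-length buffer explains a failing 2-byte pull.

```python
import re
# Constructed sample, condensed from the post's log.samba excerpt; the list
# archive's " at " mangling of principals is restored to "@" here.
SAMPLE_LOG = """\
[2013/05/13 08:04:53,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ otheruser@MYDOMAIN from ipv4:10.10.59.148:58027 for krbtgt/MYDOMAIN@MYDOMAIN
[2013/05/13 08:04:53,  1] ../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
[2013/05/13 08:04:53,  0] ../lib/util/util.c:457(dump_data)
  [0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b... .... . .
  [0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0020] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00      . . . .  . .P..
"""

TS_LINE = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]")  # record header
KRB_REQ = re.compile(r"Kerberos: (AS-REQ|TGS-REQ) (\S+) from ipv4:([\d.]+):\d+")
NDR_ERR = re.compile(r"ndr_pull_error\(\d+\): (.+?) \(")
HEX_LINE = re.compile(r"^\s+\[[0-9A-Fa-f]{4}\]\s+(.*)$")  # indented dump_data line

def parse_dump_line(line):
    """Return the up-to-16 bytes of one dump_data line, ignoring the ASCII column."""
    m = HEX_LINE.match(line)
    if not m:
        return b""
    out = bytearray()
    for tok in m.group(1).split():
        if len(out) == 16 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            break  # ASCII column reached (or 16 bytes already read)
        out.append(int(tok, 16))
    return bytes(out)

def decode_payload(dump, header_len=12):
    # Assumption: 12-byte header, then UTF-16LE text. An odd trailing byte can
    # never form a code unit, which is one way a 2-byte NDR pull can fail.
    payload = dump[header_len:]
    return payload[: len(payload) // 2 * 2].decode("utf-16-le")

def correlate(log):
    """Pair each ndr_pull_error with the preceding Kerberos request and its hex dump."""
    events, last_req, current = [], None, None
    for line in log.splitlines():
        if TS_LINE.match(line) and "dump_data" not in line:
            current = None  # a record that is not a dump closes any open dump
        if m := KRB_REQ.search(line):
            last_req = {"type": m.group(1), "principal": m.group(2), "client": m.group(3)}
        elif m := NDR_ERR.search(line):
            events.append(current := {"ndr_error": m.group(1), "request": last_req, "dump": b""})
        elif current is not None:
            current["dump"] += parse_dump_line(line)
    return events
```

Run over a real log.samba captured at "-d3" the same way; each event names the principal and client address to check against the Windows-side LSASRV 40960/40961 entries.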

