[Samba] unknown authentification failure - Samba 4.0.1 pdc

bugblatterbeast samba at bugblatterbeast.de
Mon Oct 28 11:03:18 MDT 2013

Am 28.10.2013 17:08, schrieb Rowland Penny:
> On 28/10/13 15:36, bugblatterbeast wrote:
>> I've just found something in a logfile named "log.%m" (usually the 
>> name of the machine is filled in):
>> [2013/10/28 14:46:19,  0] 
>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>> [2013/10/28 14:47:38,  0] 
>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>> [2013/10/28 14:47:48,  0] 
>> ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
>>   Failed to modify SPNs on 
>> CN=COMPUTERNAME,CN=Computers,DC=DOMAINNAME,DC=local: error in module 
>> acl: Constraint violation (19)
>> This seems to be important... but I still don't understand what it 
>> means and how I can fix it.
>> Am 28.10.2013 15:26, schrieb bugblatterbeast:
>>> Hi,
>>>     one of our clients can't connect to the pdc anymore. All 
>>> attempts lead to an error-message about the wrong username or 
>>> password. We've tried several user-accounts and it's always the same...
>>> any username like "domainname\domainuser" with password always fails 
>>> without delay. Either when trying to log on to the workstation, or 
>>> when connecting to a samba share on the domain-controller (like 
>>> "\\domaincontroller\share").
>>> Now, when we log in as a local user and try to connect to a samba 
>>> share on the domain-controller using the WRONG username 
>>> "computername\domainuser" with the NOT MATCHING password of the 
>>> domainuser it works!!!!! We can not only connect to a samba share 
>>> but also join or leave the domain. However it's still impossible to 
>>> logon to the workstation that way...
>>> We've also changed the ip-address and the netbios-name of the 
>>> computer and deleted the computer's domain-account... several times 
>>> without any success.
>>> The most disappointing thing is, that I can't find any log-entries 
>>> on the domain controller. I've already activated machine-logs, but 
>>> there's nothing helpful to be found in /var/log/samba.
>>> Thanks in advance, bbb
> Hi, it might help if you opened another post rather than jumping into 
> the middle of a discussion, also a lot more info is going to be 
> needed. i.e. what version(s) of samba are you running, what OS's are 
> you using, smb.conf etc.
> Rowland

Sorry Rowland, I don't understand your complaint. How would I open a 
thread in a mailing list??? I've already wrote that I'm using 4.0.1 and 
the smb.conf is quite irrelevant to this problem... still, if you think 
you can help and need any particular information, just ask for it...


I've found the bug 9316 (reported by Marc Muehlfeld an assigned to 
Andrew Bartlett) and this post from december 2012 with the statement: 
"/... it is a known issue.  We have a set of patches, but they need much 
more work before we can fix that.  It happens when the client is trying 
to change only the case of the servicePrincipalName over DRS./" 

Is there any workaround or perhaps a way to reset those 
servicePrincipalNames??? I've already tried the Microsoft suggestion, to 
suppress the extended protection.

Thanks in advance, bbb

More information about the samba mailing list