[Samba] unknown authentification failure - Samba 4.0.1 pdc

Gregory Sloop gregs at sloop.net
Mon Oct 28 11:25:23 MDT 2013

Let me see if I understand this correctly:

1) You have a single station that can't use domain credentials to login
when the station is joined to the domain, right? [With some odd other
symptoms where you can issue a non-existant user/password set and
connect to shares - which sounds like a bad/mis-configured smb.conf
file to me - and probably unrelated to your root issue.]

2) Yet *all* the other stations work just fine.

3) You think this is a bug in Samba?

I certainly can't say for sure - I'm not at all clear exactly what's
going on in your situation, but several observations.

The bug you link to is quite old, and there have been many revisions
to the code since then. [The version you're running is quite old too, if
it's really 4.01 - how about upgrading to something more recent.]

Second: The linked bug didn't produce ANY results similar to what you
have, except for qasi-similar error messages.

Third: In any situation where a single station has a problem, and none
of the others do, it's incredibly rare that I'd start focusing on
Samba as the source of the problem. If the problem was universal and
all stations failed in the same way, I'd perhaps start thinking it's a
Samba bug, but not in your situation.

How about rebuilding the station OS and seeing it it continues? [I'd
guess it won't.]


b> Am 28.10.2013 17:08, schrieb Rowland Penny:
>> On 28/10/13 15:36, bugblatterbeast wrote:
>>> I've just found something in a logfile named "log.%m" (usually the 
>>> name of the machine is filled in):
>>> [2013/10/28 14:46:19,  0] 
>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>>> [2013/10/28 14:47:38,  0] 
>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>>> [2013/10/28 14:47:48,  0] 
>>> ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
>>>   Failed to modify SPNs on 
>>> CN=COMPUTERNAME,CN=Computers,DC=DOMAINNAME,DC=local: error in module 
>>> acl: Constraint violation (19)
>>> This seems to be important... but I still don't understand what it 
>>> means and how I can fix it.
>>> Am 28.10.2013 15:26, schrieb bugblatterbeast:
>>>> Hi,
>>>>     one of our clients can't connect to the pdc anymore. All 
>>>> attempts lead to an error-message about the wrong username or 
>>>> password. We've tried several user-accounts and it's always the same...
>>>> any username like "domainname\domainuser" with password always fails 
>>>> without delay. Either when trying to log on to the workstation, or 
>>>> when connecting to a samba share on the domain-controller (like 
>>>> "\\domaincontroller\share").
>>>> Now, when we log in as a local user and try to connect to a samba 
>>>> share on the domain-controller using the WRONG username 
>>>> "computername\domainuser" with the NOT MATCHING password of the 
>>>> domainuser it works!!!!! We can not only connect to a samba share 
>>>> but also join or leave the domain. However it's still impossible to 
>>>> logon to the workstation that way...
>>>> We've also changed the ip-address and the netbios-name of the 
>>>> computer and deleted the computer's domain-account... several times 
>>>> without any success.
>>>> The most disappointing thing is, that I can't find any log-entries 
>>>> on the domain controller. I've already activated machine-logs, but 
>>>> there's nothing helpful to be found in /var/log/samba.
>>>> Thanks in advance, bbb
>> Hi, it might help if you opened another post rather than jumping into 
>> the middle of a discussion, also a lot more info is going to be 
>> needed. i.e. what version(s) of samba are you running, what OS's are 
>> you using, smb.conf etc.
>> Rowland

b> Sorry Rowland, I don't understand your complaint. How would I open a 
b> thread in a mailing list??? I've already wrote that I'm using 4.0.1 and
b> the smb.conf is quite irrelevant to this problem... still, if you think
b> you can help and need any particular information, just ask for it...

b> @all:

b> I've found the bug 9316 (reported by Marc Muehlfeld an assigned to 
b> Andrew Bartlett) and this post from december 2012 with the statement: 
b> "/... it is a known issue.  We have a set of patches, but they need much
b> more work before we can fix that.  It happens when the client is trying
b> to change only the case of the servicePrincipalName over DRS./" 
b> (https://lists.samba.org/archive/samba/2012-December/170558.html)

b> Is there any workaround or perhaps a way to reset those 
b> servicePrincipalNames??? I've already tried the Microsoft suggestion, to
b> suppress the extended protection.

b> Thanks in advance, bbb

More information about the samba mailing list