[Samba] unknown authentification failure - Samba 4.0.1 pdc

[Rowland Penny]

On 28/10/13 17:03, bugblatterbeast wrote:
> Am 28.10.2013 17:08, schrieb Rowland Penny:
>> On 28/10/13 15:36, bugblatterbeast wrote:
>>> I've just found something in a logfile named "log.%m" (usually the 
>>> name of the machine is filled in):
>>>
>>> [2013/10/28 14:46:19,  0] 
>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>>> [2013/10/28 14:47:38,  0] 
>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>>> [2013/10/28 14:47:48,  0] 
>>> ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
>>>   Failed to modify SPNs on 
>>> CN=COMPUTERNAME,CN=Computers,DC=DOMAINNAME,DC=local: error in module 
>>> acl: Constraint violation (19)
>>>
>>> This seems to be important... but I still don't understand what it 
>>> means and how I can fix it.
>>>
>>>
>>>
>>> Am 28.10.2013 15:26, schrieb bugblatterbeast:
>>>> Hi,
>>>>
>>>>
>>>>     one of our clients can't connect to the pdc anymore. All 
>>>> attempts lead to an error-message about the wrong username or 
>>>> password. We've tried several user-accounts and it's always the 
>>>> same...
>>>>
>>>> any username like "domainname\domainuser" with password always 
>>>> fails without delay. Either when trying to log on to the 
>>>> workstation, or when connecting to a samba share on the 
>>>> domain-controller (like "\\domaincontroller\share").
>>>>
>>>> Now, when we log in as a local user and try to connect to a samba 
>>>> share on the domain-controller using the WRONG username 
>>>> "computername\domainuser" with the NOT MATCHING password of the 
>>>> domainuser it works!!!!! We can not only connect to a samba share 
>>>> but also join or leave the domain. However it's still impossible to 
>>>> logon to the workstation that way...
>>>>
>>>> We've also changed the ip-address and the netbios-name of the 
>>>> computer and deleted the computer's domain-account... several times 
>>>> without any success.
>>>>
>>>> The most disappointing thing is, that I can't find any log-entries 
>>>> on the domain controller. I've already activated machine-logs, but 
>>>> there's nothing helpful to be found in /var/log/samba.
>>>>
>>>>
>>>> Thanks in advance, bbb
>>>
>> Hi, it might help if you opened another post rather than jumping into 
>> the middle of a discussion, also a lot more info is going to be 
>> needed. i.e. what version(s) of samba are you running, what OS's are 
>> you using, smb.conf etc.
>>
>> Rowland
>
> Sorry Rowland, I don't understand your complaint. How would I open a 
> thread in a mailing list??? I've already wrote that I'm using 4.0.1 
> and the smb.conf is quite irrelevant to this problem... still, if you 
> think you can help and need any particular information, just ask for 
> it...

How to open a thread 101

open your email client
start a new email
enter in the To: box the samba list address
then think of a subject relevant to your samba problem and enter this 
into the Subject box
enter, into the email, all relevant info about your problem
click the send button

If you do all of the above and do not just reply to another message, you 
will have opened a NEW topic

Also, I thought I did ask for more info!

Rowland
>
> @all:
>
> I've found the bug 9316 (reported by Marc Muehlfeld an assigned to 
> Andrew Bartlett) and this post from december 2012 with the statement: 
> "/... it is a known issue.  We have a set of patches, but they need 
> much more work before we can fix that.  It happens when the client is 
> trying to change only the case of the servicePrincipalName over DRS./" 
> (https://lists.samba.org/archive/samba/2012-December/170558.html)
>
> Is there any workaround or perhaps a way to reset those 
> servicePrincipalNames??? I've already tried the Microsoft suggestion, 
> to suppress the extended protection.
>
> Thanks in advance, bbb