[Samba] unknown authentification failure - Samba 4.0.1 pdc

bugblatterbeast samba at bugblatterbeast.de
Mon Oct 28 12:18:02 MDT 2013

Am 28.10.2013 18:30, schrieb Rowland Penny:
> On 28/10/13 17:03, bugblatterbeast wrote:
>> Am 28.10.2013 17:08, schrieb Rowland Penny:
>>> On 28/10/13 15:36, bugblatterbeast wrote:
>>>> I've just found something in a logfile named "log.%m" (usually the 
>>>> name of the machine is filled in):
>>>> [2013/10/28 14:46:19,  0] 
>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>>>> [2013/10/28 14:47:38,  0] 
>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>>>> [2013/10/28 14:47:48,  0] 
>>>> ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
>>>>   Failed to modify SPNs on 
>>>> CN=COMPUTERNAME,CN=Computers,DC=DOMAINNAME,DC=local: error in 
>>>> module acl: Constraint violation (19)
>>>> This seems to be important... but I still don't understand what it 
>>>> means and how I can fix it.
>>>> Am 28.10.2013 15:26, schrieb bugblatterbeast:
>>>>> Hi,
>>>>>     one of our clients can't connect to the pdc anymore. All 
>>>>> attempts lead to an error-message about the wrong username or 
>>>>> password. We've tried several user-accounts and it's always the 
>>>>> same...
>>>>> any username like "domainname\domainuser" with password always 
>>>>> fails without delay. Either when trying to log on to the 
>>>>> workstation, or when connecting to a samba share on the 
>>>>> domain-controller (like "\\domaincontroller\share").
>>>>> Now, when we log in as a local user and try to connect to a samba 
>>>>> share on the domain-controller using the WRONG username 
>>>>> "computername\domainuser" with the NOT MATCHING password of the 
>>>>> domainuser it works!!!!! We can not only connect to a samba share 
>>>>> but also join or leave the domain. However it's still impossible 
>>>>> to logon to the workstation that way...
>>>>> We've also changed the ip-address and the netbios-name of the 
>>>>> computer and deleted the computer's domain-account... several 
>>>>> times without any success.
>>>>> The most disappointing thing is, that I can't find any log-entries 
>>>>> on the domain controller. I've already activated machine-logs, but 
>>>>> there's nothing helpful to be found in /var/log/samba.
>>>>> Thanks in advance, bbb
>>> Hi, it might help if you opened another post rather than jumping 
>>> into the middle of a discussion, also a lot more info is going to be 
>>> needed. i.e. what version(s) of samba are you running, what OS's are 
>>> you using, smb.conf etc.
>>> Rowland
>> Sorry Rowland, I don't understand your complaint. How would I open a 
>> thread in a mailing list??? I've already wrote that I'm using 4.0.1 
>> and the smb.conf is quite irrelevant to this problem... still, if you 
>> think you can help and need any particular information, just ask for 
>> it...
> How to open a thread 101
> open your email client
> start a new email
> enter in the To: box the samba list address
> then think of a subject relevant to your samba problem and enter this 
> into the Subject box
> enter, into the email, all relevant info about your problem
> click the send button
> If you do all of the above and do not just reply to another message, 
> you will have opened a NEW topic
> Also, I thought I did ask for more info!
> Rowland
>> @all:
>> I've found the bug 9316 (reported by Marc Muehlfeld an assigned to 
>> Andrew Bartlett) and this post from december 2012 with the statement: 
>> "/... it is a known issue.  We have a set of patches, but they need 
>> much more work before we can fix that.  It happens when the client is 
>> trying to change only the case of the servicePrincipalName over 
>> DRS./" (https://lists.samba.org/archive/samba/2012-December/170558.html)
>> Is there any workaround or perhaps a way to reset those 
>> servicePrincipalNames??? I've already tried the Microsoft suggestion, 
>> to suppress the extended protection.
>> Thanks in advance, bbb


I did reply to my own post as you might have noticed. Please mind you 
manners or stop answering to my posts, if you be so kind. I really don't 
need the nagging of some cranky wannabe-expert.

@Mr. Muehlfeld:

I'm sorry, to bother you. Do you by chance remember how you solved this 
problem 10 month ago? It would be a grat help.


By the way, I'm out of the office now. If anybody else thinks, that my 
standard smb.conf or anything else could help solving this particular 
problem, I'd gladly post it tomorrow.

Thanks in advance, bbb

More information about the samba mailing list