[Samba] unknown authentification failure - Samba 4.0.1 pdc

Rowland Penny rowlandpenny at googlemail.com
Mon Oct 28 12:42:35 MDT 2013

On 28/10/13 18:18, bugblatterbeast wrote:
> Am 28.10.2013 18:30, schrieb Rowland Penny:
>> On 28/10/13 17:03, bugblatterbeast wrote:
>>> Am 28.10.2013 17:08, schrieb Rowland Penny:
>>>> On 28/10/13 15:36, bugblatterbeast wrote:
>>>>> I've just found something in a logfile named "log.%m" (usually the 
>>>>> name of the machine is filled in):
>>>>> [2013/10/28 14:46:19,  0] 
>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>>>>> [2013/10/28 14:47:38,  0] 
>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>>>>> [2013/10/28 14:47:48,  0] 
>>>>> ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
>>>>>   Failed to modify SPNs on 
>>>>> CN=COMPUTERNAME,CN=Computers,DC=DOMAINNAME,DC=local: error in 
>>>>> module acl: Constraint violation (19)
>>>>> This seems to be important... but I still don't understand what it 
>>>>> means and how I can fix it.
>>>>> Am 28.10.2013 15:26, schrieb bugblatterbeast:
>>>>>> Hi,
>>>>>>     one of our clients can't connect to the pdc anymore. All 
>>>>>> attempts lead to an error-message about the wrong username or 
>>>>>> password. We've tried several user-accounts and it's always the 
>>>>>> same...
>>>>>> any username like "domainname\domainuser" with password always 
>>>>>> fails without delay. Either when trying to log on to the 
>>>>>> workstation, or when connecting to a samba share on the 
>>>>>> domain-controller (like "\\domaincontroller\share").
>>>>>> Now, when we log in as a local user and try to connect to a samba 
>>>>>> share on the domain-controller using the WRONG username 
>>>>>> "computername\domainuser" with the NOT MATCHING password of the 
>>>>>> domainuser it works!!!!! We can not only connect to a samba share 
>>>>>> but also join or leave the domain. However it's still impossible 
>>>>>> to logon to the workstation that way...
>>>>>> We've also changed the ip-address and the netbios-name of the 
>>>>>> computer and deleted the computer's domain-account... several 
>>>>>> times without any success.
>>>>>> The most disappointing thing is, that I can't find any 
>>>>>> log-entries on the domain controller. I've already activated 
>>>>>> machine-logs, but there's nothing helpful to be found in 
>>>>>> /var/log/samba.
>>>>>> Thanks in advance, bbb
>>>> Hi, it might help if you opened another post rather than jumping 
>>>> into the middle of a discussion, also a lot more info is going to 
>>>> be needed. i.e. what version(s) of samba are you running, what OS's 
>>>> are you using, smb.conf etc.
>>>> Rowland
>>> Sorry Rowland, I don't understand your complaint. How would I open a 
>>> thread in a mailing list??? I've already wrote that I'm using 4.0.1 
>>> and the smb.conf is quite irrelevant to this problem... still, if 
>>> you think you can help and need any particular information, just ask 
>>> for it...
>> How to open a thread 101
>> open your email client
>> start a new email
>> enter in the To: box the samba list address
>> then think of a subject relevant to your samba problem and enter this 
>> into the Subject box
>> enter, into the email, all relevant info about your problem
>> click the send button
>> If you do all of the above and do not just reply to another message, 
>> you will have opened a NEW topic
>> Also, I thought I did ask for more info!
>> Rowland
>>> @all:
>>> I've found the bug 9316 (reported by Marc Muehlfeld an assigned to 
>>> Andrew Bartlett) and this post from december 2012 with the 
>>> statement: "/... it is a known issue.  We have a set of patches, but 
>>> they need much more work before we can fix that.  It happens when 
>>> the client is trying to change only the case of the 
>>> servicePrincipalName over DRS./" 
>>> (https://lists.samba.org/archive/samba/2012-December/170558.html)
>>> Is there any workaround or perhaps a way to reset those 
>>> servicePrincipalNames??? I've already tried the Microsoft 
>>> suggestion, to suppress the extended protection.
>>> Thanks in advance, bbb
> @rowland:
> I did reply to my own post as you might have noticed. Please mind you 
> manners or stop answering to my posts, if you be so kind. I really 
> don't need the nagging of some cranky wannabe-expert.

AAAGGH, terribly sorry and you are correct, Thunderbird 24 added your 
post as a thread of a previous topic 'How samba is working on 
DC/member', so on that point again I apologise.

> @Mr. Muehlfeld:
> I'm sorry, to bother you. Do you by chance remember how you solved 
> this problem 10 month ago? It would be a grat help.
> @all:
> By the way, I'm out of the office now. If anybody else thinks, that my 
> standard smb.conf or anything else could help solving this particular 
> problem, I'd gladly post it tomorrow.
> Thanks in advance, bbb

More information about the samba mailing list