[Samba] samba-4.2.0 join samba3 PDC
Francesco Malvezzi
francesco.malvezzi at unimore.it
Tue Apr 21 01:37:18 MDT 2015
> hi all,
>
> my working samba-4.1.7 member of a samba3 domain (samba-3.5.3) failed
> while updating to samba-4.2.0. Users were no longer able to access
> shares because the trust account was broken.
>
> According to release notes (Winbindd/Netlogon improvements):
>
> For the client side we have the following new options:
> "require strong key" (yes by default), "reject md5 servers" (no by default).
> E.g. for Samba 3.0.37 you need "require strong key = no" and
> for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth =
> no",
>
> so in samba-4.2.0 member's smb.conf I put:
>
> require strong key = no
> client NTLMv2 auth = no
>
> but yet trust account wasn't able to authenticate on domain PDC.
>
> Which are the correct switches to allow a samba-4.2.0 member to join a
> samba3 PDC?
>
> thank you,
>
> Francesco
>
Further exploring my issue (in the meanwhile I upgraded to samba-4.2.1),
I noticed that after a couple of failed login (NT_STATUS_ACCESS_DENIED,
NT_STATUS_LOCK_NOT_GRANTED),
[...]
rpc_dc_name: Returning DC DOMAIN (*.*.*.*) for domain MY_DOMAIN
[2015/04/21 09:33:31.817284, 3]
../source3/lib/util_sock.c:617(open_socket_out_send)
Connecting to 155.185.253.19 at port 445
[2015/04/21 09:33:31.846741, 0]
../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user a_user in
domain MY_DOMAIN to Domain controller DOMAIN. Error was
NT_STATUS_LOCK_NOT_GRANTED.
[2015/04/21 09:33:31.847745, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [a_user] -> [a_user]
FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/04/21 09:33:31.847813, 2]
../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[...]
I receive a segfault.
Is the following stack worth being explored?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007f47ff59606e in waitpid () from /lib/x86_64-linux-gnu/libc.so.6
#0 0x00007f47ff59606e in waitpid () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f47ff52a989 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f4800be3c21 in smb_panic_s3 (why=0x7f4802f96c0d "internal
error") at ../source3/lib/util.c:801
#3 0x00007f4802f8fe3b in smb_panic (why=0x7f4802f96c0d "internal
error") at ../lib/util/fault.c:166
#4 0x00007f4802f8fb43 in fault_report (sig=11) at ../lib/util/fault.c:83
#5 0x00007f4802f8fb58 in sig_fault (sig=11) at ../lib/util/fault.c:94
#6 <signal handler called>
#7 0x00007f48048bf4d0 in ?? ()
#8 0x00007f47fd128699 in dbwrap_parse_record (db=0x7f48048bf4b0,
key=..., parser=0x7f47fd549b8d <netlogon_creds_cli_fetch_parser>,
private_data=0x7fff0ba1c770) at ../lib/dbwrap/dbwrap.c:387
#9 0x00007f47fd54a5d6 in netlogon_creds_cli_lock_fetch
(req=0x7f48048df320) at ../libcli/auth/netlogon_creds_cli.c:849
#10 0x00007f47fd54a3d2 in netlogon_creds_cli_lock_send
(mem_ctx=0x7f48048cbe30, ev=0x7f48048c49a0, context=0x7f48048c63e0) at
../libcli/auth/netlogon_creds_cli.c:796
#11 0x00007f47fd54d65c in netlogon_creds_cli_LogonSamLogon_start
(req=0x7f48048cbca0) at ../libcli/auth/netlogon_creds_cli.c:2292
#12 0x00007f47fd54d19b in netlogon_creds_cli_LogonSamLogon_send
(mem_ctx=0x7f48048c64b0, ev=0x7f48048c49a0, context=0x7f48048c63e0,
b=0x7f48048c6ef0, logon_level=NetlogonNetworkInformation,
logon=0x7f48048b8ee0, flags=0) at ../libcli/auth/netlogon_creds_cli.c:2147
#13 0x00007f47fd54e12d in netlogon_creds_cli_LogonSamLogon
(context=0x7f48048c63e0, b=0x7f48048c6ef0,
logon_level=NetlogonNetworkInformation, logon=0x7f48048b8ee0,
mem_ctx=0x7f48048c4c30, validation_level=0x7fff0ba1c9ce,
validation=0x7fff0ba1c9e0, authoritative=0x7fff0ba1cabf "",
flags=0x7fff0ba1cae8) at ../libcli/auth/netlogon_creds_cli.c:2553
#14 0x00007f47f89ed925 in rpccli_netlogon_network_logon
(creds=0x7f48048c63e0, binding_handle=0x7f48048c6ef0,
mem_ctx=0x7f48048c4c30, logon_parameters=2080, username=0x7f48048be210
"a_user", domain=0x7f48048de740 "UNIMORE", workstation=0x7f48048c5890
"ORTO", chal=0x7f48048ccc60 "8\332G\332\317\036Ó
\221", lm_response=...,
nt_response=..., authoritative=0x7fff0ba1cabf "", flags=0x7fff0ba1cae8,
info3=0x7fff0ba1caf0) at ../source3/rpc_client/cli_netlogon.c:476
#15 0x00007f4800e521f1 in domain_client_validate
(mem_ctx=0x7f48048c4c30, user_info=0x7f48048a8870, domain=0x7f480489e770
"UNIMORE", chal=0x7f48048ccc60 "8\332G\332\317\036Ó
\221",
server_info=0x7fff0ba1ce30, dc_name=0x7fff0ba1cbf0 "DOMAIN",
dc_ss=0x7fff0ba1cb70) at ../source3/auth/auth_domain.c:278
#16 0x00007f4800e52669 in check_ntdomain_security
(auth_context=0x7f48048c0170, my_private_data=0x0,
mem_ctx=0x7f48048c4c30, user_info=0x7f48048a8870,
server_info=0x7fff0ba1ce30) at ../source3/auth/auth_domain.c:377
#17 0x00007f4800e4ce64 in check_winbind_security
(auth_context=0x7f48048c0170, my_private_data=0x7f48048c0670,
mem_ctx=0x7f48048c4c30, user_info=0x7f48048a8870,
server_info=0x7fff0ba1ce30) at ../source3/auth/auth_winbind.c:117
#18 0x00007f4800e533aa in auth_check_ntlm_password
(mem_ctx=0x7f48048cc510, auth_context=0x7f48048c0170,
user_info=0x7f48048a8870, pserver_info=0x7fff0ba1cf00) at
../source3/auth/auth.c:225
#19 0x00007f4800e554b3 in auth3_check_password
(auth4_context=0x7f48048c0720, mem_ctx=0x7f48048cc510,
user_info=0x7f48048cd0c0, server_returned_info=0x7f48048cc510,
session_key=0x7f48048ccee0, lm_session_key=0x7f48048ccef0) at
../source3/auth/auth_ntlmssp.c:179
#20 0x00007f47fb6fbaba in ntlmssp_server_check_password
(gensec_security=0x7f48048cc1f0, gensec_ntlmssp=0x7f48048cc510,
mem_ctx=0x7f48048ccee0, user_session_key=0x7f48048ccee0,
lm_session_key=0x7f48048ccef0) at ../auth/ntlmssp/ntlmssp_server.c:447
#21 0x00007f47fb6fc598 in gensec_ntlmssp_server_auth
(gensec_security=0x7f48048cc1f0, out_mem_ctx=0x7f48048cc080, in=...,
out=0x7fff0ba1d1e0) at ../auth/ntlmssp/ntlmssp_server.c:646
#22 0x00007f47fb6f8afd in gensec_ntlmssp_update
(gensec_security=0x7f48048cc1f0, out_mem_ctx=0x7f48048cc080,
ev=0x7f48048c1af0, input=..., out=0x7fff0ba1d1e0) at
../auth/ntlmssp/ntlmssp.c:163
#23 0x00007f47fb703c81 in gensec_update_ev
(gensec_security=0x7f48048cc1f0, out_mem_ctx=0x7f48048cc080,
ev=0x7f48048c1af0, in=..., out=0x7fff0ba1d1e0) at
../auth/gensec/gensec.c:235
#24 0x00007f47fb6f450c in gensec_spnego_update
(gensec_security=0x7f48048c1360, out_mem_ctx=0x7f48048cc080,
ev=0x7f48048c1af0, in=..., out=0x7f48048cc0d0) at
../auth/gensec/spnego.c:945
#25 0x00007f47fb6f5532 in gensec_spnego_update_wrapper
(gensec_security=0x7f48048c1360, out_mem_ctx=0x7f48048c1690,
ev=0x7f48048c1af0, in=..., out=0x7fff0ba1d5b0) at
../auth/gensec/spnego.c:1312
#26 0x00007f47fb703c81 in gensec_update_ev
(gensec_security=0x7f48048c1360, out_mem_ctx=0x7f48048c1690,
ev=0x7f48048c1af0, in=..., out=0x7fff0ba1d5b0) at
../auth/gensec/gensec.c:235
#27 0x00007f47fb703f90 in gensec_update (gensec_security=0x7f48048c1360,
out_mem_ctx=0x7f48048c1690, in=..., out=0x7fff0ba1d5b0) at
../auth/gensec/gensec.c:326
#28 0x00007f4802abd569 in reply_sesssetup_and_X_spnego
(req=0x7f48048c1860) at ../source3/smbd/sesssetup.c:260
#29 0x00007f4802abec03 in reply_sesssetup_and_X (req=0x7f48048c1860) at
../source3/smbd/sesssetup.c:646
#30 0x00007f4802b16fd7 in switch_message (type=115 's',
req=0x7f48048c1860) at ../source3/smbd/process.c:1648
#31 0x00007f4802b17198 in construct_reply (xconn=0x7f48048b5db0,
inbuf=0x0, size=264, unread_bytes=0, seqnum=0, encrypted=false,
deferred_pcd=0x0) at ../source3/smbd/process.c:1684
#32 0x00007f4802b18294 in process_smb (xconn=0x7f48048b5db0,
inbuf=0x7f48048c16f0 "", nread=264, unread_bytes=0, seqnum=0,
encrypted=false, deferred_pcd=0x0) at ../source3/smbd/process.c:1930
#33 0x00007f4802b19598 in smbd_server_connection_read_handler
(xconn=0x7f48048b5db0, fd=40) at ../source3/smbd/process.c:2529
#34 0x00007f4802b1967b in smbd_server_connection_handler
(ev=0x7f48048a5a50, fde=0x7f48048b9bf0, flags=1,
private_data=0x7f48048b5db0) at ../source3/smbd/process.c:2556
#35 0x00007f4800c0097e in run_events_poll (ev=0x7f48048a5a50, pollrtn=1,
pfds=0x7f48048b92c0, num_pfds=4) at ../source3/lib/events.c:257
#36 0x00007f4800c00c4a in s3_event_loop_once (ev=0x7f48048a5a50,
location=0x7f4802ca3bb0 "../source3/smbd/process.c:3992") at
../source3/lib/events.c:326
#37 0x00007f4802191942 in _tevent_loop_once (ev=0x7f48048a5a50,
location=0x7f4802ca3bb0 "../source3/smbd/process.c:3992") at
../lib/tevent/tevent.c:533
#38 0x00007f4802191b96 in tevent_common_loop_wait (ev=0x7f48048a5a50,
location=0x7f4802ca3bb0 "../source3/smbd/process.c:3992") at
../lib/tevent/tevent.c:637
#39 0x00007f4802191c61 in _tevent_loop_wait (ev=0x7f48048a5a50,
location=0x7f4802ca3bb0 "../source3/smbd/process.c:3992") at
../lib/tevent/tevent.c:656
#40 0x00007f4802b1dbe4 in smbd_process (ev_ctx=0x7f48048a5a50,
msg_ctx=0x7f48048a5b40, sock_fd=40, interactive=false) at
../source3/smbd/process.c:3992
#41 0x00007f48035e8374 in smbd_accept_connection (ev=0x7f48048a5a50,
fde=0x7f48048b9b60, flags=1, private_data=0x7f48048b9ad0) at
../source3/smbd/server.c:627
#42 0x00007f4800c0097e in run_events_poll (ev=0x7f48048a5a50, pollrtn=1,
pfds=0x7f48048b92c0, num_pfds=6) at ../source3/lib/events.c:257
#43 0x00007f4800c00c4a in s3_event_loop_once (ev=0x7f48048a5a50,
location=0x7f48035ed0c8 "../source3/smbd/server.c:985") at
../source3/lib/events.c:326
#44 0x00007f4802191942 in _tevent_loop_once (ev=0x7f48048a5a50,
location=0x7f48035ed0c8 "../source3/smbd/server.c:985") at
../lib/tevent/tevent.c:533
#45 0x00007f4802191b96 in tevent_common_loop_wait (ev=0x7f48048a5a50,
location=0x7f48035ed0c8 "../source3/smbd/server.c:985") at
../lib/tevent/tevent.c:637
#46 0x00007f4802191c61 in _tevent_loop_wait (ev=0x7f48048a5a50,
location=0x7f48035ed0c8 "../source3/smbd/server.c:985") at
../lib/tevent/tevent.c:656
#47 0x00007f48035e9109 in smbd_parent_loop (ev_ctx=0x7f48048a5a50,
parent=0x7f48048a60d0) at ../source3/smbd/server.c:985
#48 0x00007f48035eaa47 in main (argc=2, argv=0x7fff0ba1e598) at
../source3/smbd/server.c:1626
If it's worth, what should I add to help you pinpoint the problem?
thank you,
Francesco
More information about the samba
mailing list