[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working

Rowland Penny rowlandpenny241155 at gmail.com
Mon Jul 6 08:03:20 UTC 2015


On 06/07/15 08:53, Roland Schwingel wrote:
>
> Good morning Rowland and samba list ...
>
> Rowland Penny wrote on 03.07.2015 18:36:32:
>
> > From: Rowland Penny <rowlandpenny241155 at gmail.com>
> > To: samba at lists.samba.org,
> > Date: 03.07.2015 18:40
> > Subject: Re: [Samba] Migration Samba3 -> Samba4: Accessing domain
> > member server is not working
> > Sent by: samba-bounces at lists.samba.org
> >
> > On 03/07/15 16:31, Roland Schwingel wrote:
> > > Hi ...
> > >
> > > When trying to migrate from samba3 to samba 4.2.2 I am facing a severe
> > > problem that has been bugging me for hours now. I cannot get a samba 4.2.2
> > > fileserver to work with a samba 4.2.2 PDC as a domain member.
> > >
> ...
> > Hi, there was some changes made when 4.2.0 came out, these changes may
> > be your problem, see here:
> >
> > https://www.samba.org/samba/history/samba-4.2.0.html
> >
> > Under the heading:  Winbindd/Netlogon improvements
>
> Thanks for the hint. I read that and added "allow nt4 crypto = yes" to 
> my 4.2.2 PDC. This changed things a little bit but still gives me no 
> working 4.2.2 member server. I also added "require strong key = no" and 
> "client NTLMv2 auth = no" to the member server's smb.conf, but it did 
> not change anything.
>
> Here is the log file on the dedicated member server of one client 
> trying to connect to my member server:
>
> SID for local machine OSUSE-TEST is: 
> S-1-5-21-1853263269-3041869306-167322181
> SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
> Join to 'MYDOM' is OK
> [2015/07/06 08:02:46.342573,  3] 
> ../source3/smbd/oplock.c:1306(init_oplocks)
>   init_oplocks: initializing messages.
> [2015/07/06 08:02:46.342706,  3] 
> ../source3/smbd/process.c:1879(process_smb)
>   Transaction 0 of length 159 (0 toread)
> [2015/07/06 08:02:46.342748,  3] 
> ../source3/smbd/process.c:1489(switch_message)
>   switch message SMBnegprot (pid 10895) conn 0x0
> [2015/07/06 08:02:46.343225,  3] 
> ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [PC NETWORK PROGRAM 1.0]
> [2015/07/06 08:02:46.343263,  3] 
> ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [LANMAN1.0]
> [2015/07/06 08:02:46.343288,  3] 
> ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [Windows for Workgroups 3.1a]
> [2015/07/06 08:02:46.343302,  3] 
> ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [LM1.2X002]
> [2015/07/06 08:02:46.343313,  3] 
> ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [LANMAN2.1]
> [2015/07/06 08:02:46.343329,  3] 
> ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [NT LM 0.12]
> [2015/07/06 08:02:46.343344,  3] 
> ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [SMB 2.002]
> [2015/07/06 08:02:46.343358,  3] 
> ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [SMB 2.???]
> [2015/07/06 08:02:46.343571,  3] 
> ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_FF
> [2015/07/06 08:02:46.344934,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'gssapi_spnego' registered
> [2015/07/06 08:02:46.344982,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'gssapi_krb5' registered
> [2015/07/06 08:02:46.344996,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/07/06 08:02:46.356774,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'sasl-DIGEST-MD5' registered
> [2015/07/06 08:02:46.356804,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'spnego' registered
> [2015/07/06 08:02:46.356819,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'schannel' registered
> [2015/07/06 08:02:46.356831,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'naclrpc_as_system' registered
> [2015/07/06 08:02:46.356841,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'sasl-EXTERNAL' registered
> [2015/07/06 08:02:46.356852,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'ntlmssp' registered
> [2015/07/06 08:02:46.356862,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'http_basic' registered
> [2015/07/06 08:02:46.356872,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'http_ntlm' registered
> [2015/07/06 08:02:46.356883,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'krb5' registered
> [2015/07/06 08:02:46.356894,  3] 
> ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'fake_gssapi_krb5' registered
> [2015/07/06 08:02:46.357284,  3] 
> ../source3/smbd/negprot.c:683(reply_negprot)
>   Selected protocol SMB 2.???
> [2015/07/06 08:02:46.359312,  3] 
> ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_10
> [2015/07/06 08:02:46.990929,  3] 
> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0xe2088297
> [2015/07/06 08:02:46.991652,  3] 
> ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
>   Got user=[roland] domain=[MYDOM] workstation=[DEVINTEL-100] len1=24 
> len2=314
> [2015/07/06 08:02:46.991697,  3] 
> ../source3/param/loadparm.c:3647(lp_load_ex)
>   lp_load_ex: refreshing parameters
> [2015/07/06 08:02:46.991811,  3] 
> ../source3/param/loadparm.c:564(init_globals)
>   Initialising global parameters
> [2015/07/06 08:02:46.991927,  3] 
> ../source3/param/loadparm.c:2597(lp_do_section)
>   Processing section "[global]"
> [2015/07/06 08:02:46.992040,  2] 
> ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[testshare]"
> [2015/07/06 08:02:46.992111,  3] 
> ../source3/param/loadparm.c:1495(lp_add_ipc)
>   adding IPC service
> [2015/07/06 08:02:46.994597,  3] 
> ../source3/libsmb/namequery.c:3103(get_dc_list)
>   get_dc_list: preferred server list: "PDCHOST, subnet-ldap"
> [2015/07/06 08:02:46.994804,  3] 
> ../source3/libsmb/namequery.c:2323(resolve_hosts)
>   resolve_hosts: Attempting host lookup for name subnet-ldap<0x20>
> [2015/07/06 08:02:47.022939,  3] 
> ../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
>   rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
> [2015/07/06 08:02:47.023024,  3] 
> ../source3/lib/util_sock.c:617(open_socket_out_send)
>   Connecting to 192.168.9.3 at port 445
> [2015/07/06 08:02:47.083675,  3] 
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user 
> [MYDOM]\[roland]@[DEVINTEL-100] with the new password interface
> [2015/07/06 08:02:47.083721,  3] 
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [MYDOM]\[roland]@[DEVINTEL-100]
> [2015/07/06 08:02:47.083862,  3] 
> ../source3/libsmb/namequery.c:3103(get_dc_list)
>   get_dc_list: preferred server list: "PDCHOST, subnet-ldap"
> [2015/07/06 08:02:47.084734,  3] 
> ../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
>   rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
> [2015/07/06 08:02:47.084963,  3] 
> ../source3/lib/util_sock.c:617(open_socket_out_send)
>   Connecting to 192.168.9.3 at port 445
> [2015/07/06 08:02:47.188335,  0] 
> ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user roland 
> in domain MYDOM to Domain controller PDCHOST. Error was 
> NT_STATUS_LOCK_NOT_GRANTED.
> [2015/07/06 08:02:47.189817,  2] 
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [roland] -> [roland] 
> FAILED with error NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/06 08:02:47.189854,  2] 
> ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/06 08:02:47.190446,  3] 
> ../source3/smbd/server_exit.c:246(exit_server_common)
>   Server exit (NT_STATUS_CONNECTION_RESET)
>
> So the problem is appearing here:
> [2015/07/06 08:02:47.188335,  0] 
> ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user roland 
> in domain MYDOM to Domain controller PDCHOST. Error was 
> NT_STATUS_LOCK_NOT_GRANTED.
>
> Why on earth is this happening? When my win7 test machine tries
> to access the 4.2.2 PDC directly, everything is fine and easy. So I 
> believe the setup of the PDC is correct.
>
> In the first 2 lines of the log I see the SIDs dumped.
> Both for my domain and for my member server.
>
> SID for local machine OSUSE-TEST is: 
> S-1-5-21-1853263269-3041869306-167322181
> SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
> Join to 'MYDOM' is OK
>
> According to my LDAP the sid for my test member server (OSUSE-TEST) 
> should be S-1-5-21-290147797-1639656955-1287535205-61405

Just what do you mean by 'According to my LDAP'?
Have *you* set the SID somewhere?


>
> Is this maybe a problem? Or is this just the real local sid not the 
> domain sid of this machine?

The local SID is *never* the domain SID, you should use the domain SID.

Rowland

>
> Where shall I look on my 4.2.2 PDC to get more info on the auth 
> problem? The logfiles for the member server are empty on my PDC.
>
> Thanks for all your help! I hope this can be resolved soon!
>
> Roland
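An added triage helper for logs of the shape quoted in this thread (example code written for this page, not part of the thread or of Samba): it pulls the pass-through authentication chain (user, workstation, DC, NT status) out of a level-3 smbd log and checks Rowland's point that a machine account's SID in LDAP is the domain SID plus one RID, while the local machine SID is something different. SAMPLE_LOG is constructed from a few of the quoted lines with the mail wrapping undone; the function names and the output format are my own.

```python
import re

# Constructed sample: a handful of lines from the quoted smbd log, unwrapped.
SAMPLE_LOG = """\
SID for local machine OSUSE-TEST is: S-1-5-21-1853263269-3041869306-167322181
SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
[2015/07/06 08:02:46.991652,  3] ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
  Got user=[roland] domain=[MYDOM] workstation=[DEVINTEL-100] len1=24 len2=314
[2015/07/06 08:02:47.022939,  3] ../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
  rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
[2015/07/06 08:02:47.188335,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
"""

SID_RE = re.compile(r"SID for (local machine|domain) (\S+) is:\s*(S-1-5-21(?:-\d+){3})")
USER_RE = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")
DC_RE = re.compile(r"Returning DC (\S+) \(([\d.]+)\) for domain (\S+)")
FAIL_RE = re.compile(r"domain_client_validate: .*Domain controller (\S+)\. Error was (NT_STATUS_\w+)")

def parse_sids(log):
    """Map 'local' / 'domain' to (name, SID) from the banner lines at the top of the log."""
    sids = {}
    for kind, name, sid in SID_RE.findall(log):
        sids["local" if kind == "local machine" else "domain"] = (name, sid)
    return sids

def is_account_in_domain(domain_sid, account_sid):
    """A domain account SID is the domain SID followed by exactly one numeric RID."""
    rid = account_sid[len(domain_sid) + 1:]
    return account_sid.startswith(domain_sid + "-") and rid.isdigit()

def summarize_auth(log):
    """Pull the pass-through (member server -> DC) authentication chain out of the log."""
    out = {}
    for rx, keys in ((USER_RE, ("user", "domain", "workstation")),
                     (DC_RE, ("dc", "dc_ip", "dc_domain")),
                     (FAIL_RE, ("failed_at", "status"))):
        if (m := rx.search(log)):
            out.update(zip(keys, m.groups()))
    return out

def triage(log, ldap_account_sid):
    """Findings a reader of this thread wants: SID sanity plus where the auth died."""
    sids, auth = parse_sids(log), summarize_auth(log)
    dom_name, dom_sid = sids["domain"]
    findings = ["account SID in domain %s: %s" % (dom_name, is_account_in_domain(dom_sid, ldap_account_sid)),
                "local SID != domain SID (expected): %s" % (sids["local"][1] != dom_sid)]
    if "status" in auth:
        findings.append("auth for %(domain)s\\%(user)s from %(workstation)s failed at DC "
                        "%(failed_at)s (%(dc_ip)s): %(status)s" % {"dc_ip": "?", **auth})
    return findings
```

Run `triage(SAMPLE_LOG, "S-1-5-21-290147797-1639656955-1287535205-61405")` to see the three findings for the SIDs and the NT_STATUS_LOCK_NOT_GRANTED failure quoted above.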
