[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working

Roland Schwingel roland at onevision.com
Mon Jul 6 06:43:10 UTC 2015


Good morning Rowland and samba list ...

Rowland Penny wrote on 03.07.2015 18:36:32:

 > From: Rowland Penny <rowlandpenny241155 at gmail.com>
 > To: samba at lists.samba.org,
 > Date: 03.07.2015 18:40
 > Subject: Re: [Samba] Migration Samba3 -> Samba4: Accessing domain
 > member server is not working
 > Sent by: samba-bounces at lists.samba.org
 >
 > On 03/07/15 16:31, Roland Schwingel wrote:
 > > Hi ...
 > >
 > > When trying to migrate from samba3 to samba 4.2.2 I am facing a severe
 > > problem that has been bugging me for hours now. I cannot get a samba 4.2.2
 > > fileserver to work with a samba 4.2.2 PDC as a domain member.
 > >
...
 > Hi, there were some changes made when 4.2.0 came out, these changes may
 > be your problem, see here:
 >
 > https://www.samba.org/samba/history/samba-4.2.0.html
 >
 > Under the heading:  Winbindd/Netlogon improvements

Thanks for the hint. I read that and added "allow nt4 crypto = yes" to 
my 4.2.2 PDC. This changed things a little bit but still gives me no 
working 4.2.2 member server. I also added "require strong key = no" and 
"client NTLMv2 auth = no" to the member server's smb.conf, but that did 
not change anything.

Here is the log file on the dedicated member server for one client trying 
to connect to my member server:

SID for local machine OSUSE-TEST is: 
S-1-5-21-1853263269-3041869306-167322181
SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
Join to 'MYDOM' is OK
[2015/07/06 08:02:46.342573,  3] ../source3/smbd/oplock.c:1306(init_oplocks)
   init_oplocks: initializing messages.
[2015/07/06 08:02:46.342706,  3] ../source3/smbd/process.c:1879(process_smb)
   Transaction 0 of length 159 (0 toread)
[2015/07/06 08:02:46.342748,  3] 
../source3/smbd/process.c:1489(switch_message)
   switch message SMBnegprot (pid 10895) conn 0x0
[2015/07/06 08:02:46.343225,  3] 
../source3/smbd/negprot.c:575(reply_negprot)
   Requested protocol [PC NETWORK PROGRAM 1.0]
[2015/07/06 08:02:46.343263,  3] 
../source3/smbd/negprot.c:575(reply_negprot)
   Requested protocol [LANMAN1.0]
[2015/07/06 08:02:46.343288,  3] 
../source3/smbd/negprot.c:575(reply_negprot)
   Requested protocol [Windows for Workgroups 3.1a]
[2015/07/06 08:02:46.343302,  3] 
../source3/smbd/negprot.c:575(reply_negprot)
   Requested protocol [LM1.2X002]
[2015/07/06 08:02:46.343313,  3] 
../source3/smbd/negprot.c:575(reply_negprot)
   Requested protocol [LANMAN2.1]
[2015/07/06 08:02:46.343329,  3] 
../source3/smbd/negprot.c:575(reply_negprot)
   Requested protocol [NT LM 0.12]
[2015/07/06 08:02:46.343344,  3] 
../source3/smbd/negprot.c:575(reply_negprot)
   Requested protocol [SMB 2.002]
[2015/07/06 08:02:46.343358,  3] 
../source3/smbd/negprot.c:575(reply_negprot)
   Requested protocol [SMB 2.???]
[2015/07/06 08:02:46.343571,  3] 
../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
   Selected protocol SMB2_FF
[2015/07/06 08:02:46.344934,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'gssapi_spnego' registered
[2015/07/06 08:02:46.344982,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'gssapi_krb5' registered
[2015/07/06 08:02:46.344996,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'gssapi_krb5_sasl' registered
[2015/07/06 08:02:46.356774,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'sasl-DIGEST-MD5' registered
[2015/07/06 08:02:46.356804,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'spnego' registered
[2015/07/06 08:02:46.356819,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'schannel' registered
[2015/07/06 08:02:46.356831,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'naclrpc_as_system' registered
[2015/07/06 08:02:46.356841,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'sasl-EXTERNAL' registered
[2015/07/06 08:02:46.356852,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'ntlmssp' registered
[2015/07/06 08:02:46.356862,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'http_basic' registered
[2015/07/06 08:02:46.356872,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'http_ntlm' registered
[2015/07/06 08:02:46.356883,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'krb5' registered
[2015/07/06 08:02:46.356894,  3] 
../auth/gensec/gensec_start.c:885(gensec_register)
   GENSEC backend 'fake_gssapi_krb5' registered
[2015/07/06 08:02:46.357284,  3] 
../source3/smbd/negprot.c:683(reply_negprot)
   Selected protocol SMB 2.???
[2015/07/06 08:02:46.359312,  3] 
../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
   Selected protocol SMB2_10
[2015/07/06 08:02:46.990929,  3] 
../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
   Got NTLMSSP neg_flags=0xe2088297
[2015/07/06 08:02:46.991652,  3] 
../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
   Got user=[roland] domain=[MYDOM] workstation=[DEVINTEL-100] len1=24 
len2=314
[2015/07/06 08:02:46.991697,  3] 
../source3/param/loadparm.c:3647(lp_load_ex)
   lp_load_ex: refreshing parameters
[2015/07/06 08:02:46.991811,  3] 
../source3/param/loadparm.c:564(init_globals)
   Initialising global parameters
[2015/07/06 08:02:46.991927,  3] 
../source3/param/loadparm.c:2597(lp_do_section)
   Processing section "[global]"
[2015/07/06 08:02:46.992040,  2] 
../source3/param/loadparm.c:2614(lp_do_section)
   Processing section "[testshare]"
[2015/07/06 08:02:46.992111,  3] 
../source3/param/loadparm.c:1495(lp_add_ipc)
   adding IPC service
[2015/07/06 08:02:46.994597,  3] 
../source3/libsmb/namequery.c:3103(get_dc_list)
   get_dc_list: preferred server list: "PDCHOST, subnet-ldap"
[2015/07/06 08:02:46.994804,  3] 
../source3/libsmb/namequery.c:2323(resolve_hosts)
   resolve_hosts: Attempting host lookup for name subnet-ldap<0x20>
[2015/07/06 08:02:47.022939,  3] 
../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
   rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
[2015/07/06 08:02:47.023024,  3] 
../source3/lib/util_sock.c:617(open_socket_out_send)
   Connecting to 192.168.9.3 at port 445
[2015/07/06 08:02:47.083675,  3] 
../source3/auth/auth.c:178(auth_check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user 
[MYDOM]\[roland]@[DEVINTEL-100] with the new password interface
[2015/07/06 08:02:47.083721,  3] 
../source3/auth/auth.c:181(auth_check_ntlm_password)
   check_ntlm_password:  mapped user is: [MYDOM]\[roland]@[DEVINTEL-100]
[2015/07/06 08:02:47.083862,  3] 
../source3/libsmb/namequery.c:3103(get_dc_list)
   get_dc_list: preferred server list: "PDCHOST, subnet-ldap"
[2015/07/06 08:02:47.084734,  3] 
../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
   rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
[2015/07/06 08:02:47.084963,  3] 
../source3/lib/util_sock.c:617(open_socket_out_send)
   Connecting to 192.168.9.3 at port 445
[2015/07/06 08:02:47.188335,  0] 
../source3/auth/auth_domain.c:302(domain_client_validate)
   domain_client_validate: unable to validate password for user roland 
in domain MYDOM to Domain controller PDCHOST. Error was 
NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/06 08:02:47.189817,  2] 
../source3/auth/auth.c:315(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [roland] -> [roland] 
FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/06 08:02:47.189854,  2] 
../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/06 08:02:47.190446,  3] 
../source3/smbd/server_exit.c:246(exit_server_common)
   Server exit (NT_STATUS_CONNECTION_RESET)

So the problem is appearing here:
[2015/07/06 08:02:47.188335,  0] 
../source3/auth/auth_domain.c:302(domain_client_validate)
   domain_client_validate: unable to validate password for user roland 
in domain MYDOM to Domain controller PDCHOST. Error was 
NT_STATUS_LOCK_NOT_GRANTED.

Why on earth is this happening? When my Win7 test machine is trying
to access the 4.2.2 PDC directly everything is fine and easy. So I 
believe the setup of the PDC is correct.

In the first two lines of the log I see the SIDs dumped,
both for my domain and for my member server.

SID for local machine OSUSE-TEST is: 
S-1-5-21-1853263269-3041869306-167322181
SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
Join to 'MYDOM' is OK

According to my LDAP the SID for my test member server (OSUSE-TEST) 
should be S-1-5-21-290147797-1639656955-1287535205-61405

Is this maybe a problem? Or is this just the real local SID, not the 
domain SID of this machine?

Where shall I look on my 4.2.2 PDC to get more information on the auth 
problem? The log files for the member server are empty on my PDC.

Thanks for all your help! I hope this can be resolved soon!

Roland
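The two SIDs printed at the top of the log and the one Roland found in LDAP are three different things, and a small parser makes the relationship visible. A Samba member server keeps its own local SID (the value `net getlocalsid` prints, with its own S-1-5-21 prefix) that is unrelated to the domain SID; the machine account OSUSE-TEST$ inside the domain is identified by the domain SID plus a trailing RID. The following is an added example, not code from the post or from Samba: it extracts the SIDs from a constructed copy of the two log lines, parses them, checks which ones sit directly under the MYDOM domain SID, and round-trips a SID through the binary layout Samba and Windows use on the wire (revision, sub-authority count, 6-byte big-endian identifier authority, 32-bit little-endian sub-authorities, as specified in MS-DTYP). Function names and the log excerpt are assumptions of this example.

```python
"""Parse Samba/Windows SIDs and check which domain a SID belongs to.

Added example for the mailing-list post above; not part of Samba and not
the poster's code.  The three SID strings are the values quoted in the
post; the log excerpt is a constructed copy of its first lines.
"""
import re
import struct

LOCAL_MACHINE_SID = "S-1-5-21-1853263269-3041869306-167322181"        # net getlocalsid on OSUSE-TEST
DOMAIN_SID = "S-1-5-21-290147797-1639656955-1287535205"               # domain MYDOM
MACHINE_ACCOUNT_SID = "S-1-5-21-290147797-1639656955-1287535205-61405"  # OSUSE-TEST$ as stored in LDAP

# Constructed copy of the log lines from the post (line wrap as in the mail).
LOG_EXCERPT = """SID for local machine OSUSE-TEST is:
S-1-5-21-1853263269-3041869306-167322181
SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
Join to 'MYDOM' is OK
"""

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def find_sids(text):
    """Return every SID string that appears in a blob of log text, in order."""
    return re.findall(r"S-1-\d+(?:-\d+)+", text)


def parse_sid(text):
    """Split 'S-R-A-s1-s2-...' into (revision, identifier_authority, [sub_authorities]).

    Range checks follow the binary format: authority fits in 48 bits,
    at most 15 sub-authorities, each a 32-bit value.
    """
    m = _SID_RE.match(text)
    if not m:
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID out of range: %r" % text)
    return revision, authority, subs


def format_sid(revision, authority, subs):
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_to_bytes(text):
    """Encode to the wire layout (MS-DTYP 2.4.2.2): 1 byte revision, 1 byte
    sub-authority count, 6-byte big-endian authority, then LE uint32 per sub-authority."""
    rev, auth, subs = parse_sid(text)
    return struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def sid_from_bytes(data):
    rev, count = struct.unpack_from("<BB", data, 0)
    auth = int.from_bytes(data[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, data, 8))
    return format_sid(rev, auth, subs)


def split_rid(text):
    """Return (domain_sid, rid): the last sub-authority of an account SID is its RID."""
    rev, auth, subs = parse_sid(text)
    if len(subs) < 2:
        raise ValueError("no RID in %r" % text)
    return format_sid(rev, auth, subs[:-1]), subs[-1]


def sid_in_domain(sid, domain_sid):
    """True when sid is an account SID directly under domain_sid (domain prefix + one RID)."""
    r1, a1, s1 = parse_sid(sid)
    r2, a2, s2 = parse_sid(domain_sid)
    return r1 == r2 and a1 == a2 and len(s1) == len(s2) + 1 and s1[:-1] == s2


def classify(sid, domain_sid):
    """Describe a SID relative to the domain SID taken from the log."""
    if sid == domain_sid:
        return "the domain SID itself"
    if sid_in_domain(sid, domain_sid):
        return "account in that domain, RID %d" % split_rid(sid)[1]
    return "different authority prefix: not an object of that domain"


if __name__ == "__main__":
    local_sid, domain_sid = find_sids(LOG_EXCERPT)
    for s in (local_sid, domain_sid, MACHINE_ACCOUNT_SID):
        print("%-55s %s" % (s, classify(s, domain_sid)))
    print("wire form of machine account SID:", sid_to_bytes(MACHINE_ACCOUNT_SID).hex())
```

Running it shows the local machine SID carries its own S-1-5-21 prefix and is not under MYDOM at all, while the LDAP value is the MYDOM domain SID with RID 61405 appended; the log therefore prints the member server's local SID and the domain SID, not the machine account's SID.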
