[Samba] Samba 4.17 AD Cannot connect to shares as administrator
Davor Vusir
davortvusir at gmail.com
Mon May 18 09:49:47 MDT 2015
Hi Timo!
Timo Altun skrev den 2015-05-16 17:29:
>
> Hi,
>
> I encountered a strange problem...some of my windows machines cannot be
> joined to an Samba 4.17 AD domain (8 of ~90 clients). These are 7 Win7
> clients and one WinXP client.
> The message I receive in windows is: "Logon failure: unknown user name or
> bad password".
> All other Win7 and XP machines could be joined...the same OS image has
been
> used to install both the machines that could be joined and those that
> couldn't.
>
> The AD DC is on Debian Jessie with Samba 4.17 from debian sources. Win 7
> clients are Win7 Ultimate SP1, XP is SP3.
>
> If I'm interpreting the logs correctly, it seems the clients are trying to
> join as anonymous, even though I enter the administrators account
> information. I tried using workgroup and realm name, and other domain
admin
> accounts to join the computers, but get the same error over and over.
>
> Does somebody have a hint where to look? I'd of course like to avoid
> reinstalling these machines.
> I attached the smb.conf and the log file of a Win7 PC while I was trying
to
> join.
Maybe the computers are already joined to a workgroup named MAYWEG and
sendning the authentication request the "wrong" way..? :-)
[2015/05/16 17:04:23.085136, 3]
../source4/auth/ntlm/auth.c:270(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user []\[]@[PC65]
auth_check_password_send: mapped user is: [MAYWEG]\[]@[PC65]
>
> Greetings,
> Timo
>
> *smb.conf:*
> # Global parameters
> [global]
> workgroup = MAYWEG
> realm = MAYWEG.NET
> netbios name = SERVER27
> interfaces = lo, eth0
> bind interfaces only = Yes
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
> ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 1000
>
> [netlogon]
> path = /var/lib/samba/sysvol/mayweg.net/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> *Samba-log of a Win7 machine while trying to join:*
> [2015/05/16 17:04:22.607986, 3] ../source3/lib/access.c:338(allow_access)
> Allowed connection from 192.168.111.236 (192.168.111.236)
> [2015/05/16 17:04:22.608616, 3]
../source3/smbd/oplock.c:873(init_oplocks)
> init_oplocks: initializing messages.
> [2015/05/16 17:04:22.609217, 3]
../source3/smbd/process.c:1802(process_smb)
> Transaction 0 of length 159 (0 toread)
> [2015/05/16 17:04:22.609385, 3]
> ../source3/smbd/process.c:1405(switch_message)
> switch message SMBnegprot (pid 4587) conn 0x0
> [2015/05/16 17:04:22.611816, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [PC NETWORK PROGRAM 1.0]
> [2015/05/16 17:04:22.612015, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [LANMAN1.0]
> [2015/05/16 17:04:22.612176, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [Windows for Workgroups 3.1a]
> [2015/05/16 17:04:22.612272, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [LM1.2X002]
> [2015/05/16 17:04:22.612397, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [LANMAN2.1]
> [2015/05/16 17:04:22.612520, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [NT LM 0.12]
> [2015/05/16 17:04:22.612643, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [SMB 2.002]
> [2015/05/16 17:04:22.612989, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [SMB 2.???]
> [2015/05/16 17:04:22.613738, 3]
> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_FF
> [2015/05/16 17:04:22.622803, 2]
> ../lib/util/modules.c:191(do_smb_load_module)
> Module 'samba4' loaded
> [2015/05/16 17:04:22.626230, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'gssapi_spnego' registered
> [2015/05/16 17:04:22.626428, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'gssapi_krb5' registered
> [2015/05/16 17:04:22.626515, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/05/16 17:04:22.626591, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'schannel' registered
> [2015/05/16 17:04:22.626657, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'spnego' registered
> [2015/05/16 17:04:22.626752, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'ntlmssp' registered
> [2015/05/16 17:04:22.626841, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'krb5' registered
> [2015/05/16 17:04:22.626911, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'fake_gssapi_krb5' registered
> [2015/05/16 17:04:22.632051, 3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:22.638717, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'sam' registered
> [2015/05/16 17:04:22.638915, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'sam_ignoredomain' registered
> [2015/05/16 17:04:22.639031, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'anonymous' registered
> [2015/05/16 17:04:22.639194, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'winbind' registered
> [2015/05/16 17:04:22.639277, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'winbind_wbclient' registered
> [2015/05/16 17:04:22.639379, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'name_to_ntstatus' registered
> [2015/05/16 17:04:22.639460, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'unix' registered
> [2015/05/16 17:04:22.662528, 3]
> ../source3/smbd/negprot.c:672(reply_negprot)
> Selected protocol SMB 2.???
> [2015/05/16 17:04:22.663344, 3]
> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10
> [2015/05/16 17:04:22.664437, 3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:22.690034, 3]
> ../source3/smbd/server_exit.c:221(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
> [2015/05/16 17:04:22.999939, 3] ../source3/lib/access.c:338(allow_access)
> Allowed connection from 192.168.111.236 (192.168.111.236)
> [2015/05/16 17:04:23.000705, 3]
../source3/smbd/oplock.c:873(init_oplocks)
> init_oplocks: initializing messages.
> [2015/05/16 17:04:23.001398, 3]
../source3/smbd/process.c:1802(process_smb)
> Transaction 0 of length 108 (0 toread)
> [2015/05/16 17:04:23.001849, 3]
> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10
> [2015/05/16 17:04:23.013135, 2]
> ../lib/util/modules.c:191(do_smb_load_module)
> Module 'samba4' loaded
> [2015/05/16 17:04:23.016389, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'gssapi_spnego' registered
> [2015/05/16 17:04:23.016571, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'gssapi_krb5' registered
> [2015/05/16 17:04:23.016671, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/05/16 17:04:23.016750, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'schannel' registered
> [2015/05/16 17:04:23.016882, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'spnego' registered
> [2015/05/16 17:04:23.016985, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'ntlmssp' registered
> [2015/05/16 17:04:23.017066, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'krb5' registered
> [2015/05/16 17:04:23.017156, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'fake_gssapi_krb5' registered
> [2015/05/16 17:04:23.022258, 3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:23.028125, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'sam' registered
> [2015/05/16 17:04:23.028321, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'sam_ignoredomain' registered
> [2015/05/16 17:04:23.028421, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'anonymous' registered
> [2015/05/16 17:04:23.028499, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'winbind' registered
> [2015/05/16 17:04:23.028593, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'winbind_wbclient' registered
> [2015/05/16 17:04:23.028677, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'name_to_ntstatus' registered
> [2015/05/16 17:04:23.028774, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'unix' registered
> [2015/05/16 17:04:23.054566, 3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:23.082930, 3]
> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0xe2088297
> [2015/05/16 17:04:23.084961, 3]
> ../auth/ntlmssp/ntlmssp_server.c:358(ntlmssp_server_preauth)
> Got user=[] domain=[] workstation=[PC65] len1=1 len2=0
> [2015/05/16 17:04:23.085136, 3]
> ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
> auth_check_password_send: Checking password for unmapped user
[]\[]@[PC65]
> auth_check_password_send: mapped user is: [MAYWEG]\[]@[PC65]
> [2015/05/16 17:04:23.085396, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2015/05/16 17:04:23.085480, 3]
> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0xe2088215
> [2015/05/16 17:04:23.089748, 3] ../source3/lib/access.c:338(allow_access)
> Allowed connection from 192.168.111.236 (192.168.111.236)
> [2015/05/16 17:04:23.090331, 3]
> ../source3/smbd/service.c:612(make_connection_snum)
> Connect path is '/tmp' for service [IPC$]
> [2015/05/16 17:04:23.090587, 3]
../source3/smbd/vfs.c:113(vfs_init_default)
> Initialising default vfs hooks
> [2015/05/16 17:04:23.090745, 3]
../source3/smbd/vfs.c:139(vfs_init_custom)
> Initialising custom vfs hooks from [/[Default VFS]/]
> [2015/05/16 17:04:23.090851, 3]
../source3/smbd/vfs.c:139(vfs_init_custom)
> Initialising custom vfs hooks from [acl_xattr]
> [2015/05/16 17:04:23.095703, 2]
> ../lib/util/modules.c:191(do_smb_load_module)
> Module 'acl_xattr' loaded
> [2015/05/16 17:04:23.095910, 3]
../source3/smbd/vfs.c:139(vfs_init_custom)
> Initialising custom vfs hooks from [dfs_samba4]
> [2015/05/16 17:04:23.100971, 2]
> ../lib/util/modules.c:191(do_smb_load_module)
> Module 'dfs_samba4' loaded
> [2015/05/16 17:04:23.101172, 2]
> ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service IPC$
> [2015/05/16 17:04:23.109088, 3]
> ../source3/smbd/service.c:856(make_connection_snum)
> 192.168.111.236 (ipv4:192.168.111.236:1174) connect to service IPC$
> initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000008)
> (pid 4588)
> [2015/05/16 17:04:31.383878, 3]
../source3/smbd/service.c:1130(close_cnum)
> 192.168.111.236 (ipv4:192.168.111.236:1174) closed connection to service
> IPC$
> [2015/05/16 17:04:31.387550, 3]
> ../source3/smbd/server_exit.c:221(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
> [2015/05/16 17:04:31.704078, 3] ../source3/lib/access.c:338(allow_access)
> Allowed connection from 192.168.111.236 (192.168.111.236)
> [2015/05/16 17:04:31.704942, 3]
../source3/smbd/oplock.c:873(init_oplocks)
> init_oplocks: initializing messages.
> [2015/05/16 17:04:31.705594, 3]
../source3/smbd/process.c:1802(process_smb)
> Transaction 0 of length 159 (0 toread)
> [2015/05/16 17:04:31.705775, 3]
> ../source3/smbd/process.c:1405(switch_message)
> switch message SMBnegprot (pid 4589) conn 0x0
> [2015/05/16 17:04:31.708376, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [PC NETWORK PROGRAM 1.0]
> [2015/05/16 17:04:31.708616, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [LANMAN1.0]
> [2015/05/16 17:04:31.708763, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [Windows for Workgroups 3.1a]
> [2015/05/16 17:04:31.708887, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [LM1.2X002]
> [2015/05/16 17:04:31.709044, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [LANMAN2.1]
> [2015/05/16 17:04:31.709181, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [NT LM 0.12]
> [2015/05/16 17:04:31.709309, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [SMB 2.002]
> [2015/05/16 17:04:31.709438, 3]
> ../source3/smbd/negprot.c:564(reply_negprot)
> Requested protocol [SMB 2.???]
> [2015/05/16 17:04:31.710062, 3]
> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_FF
> [2015/05/16 17:04:31.719910, 2]
> ../lib/util/modules.c:191(do_smb_load_module)
> Module 'samba4' loaded
> [2015/05/16 17:04:31.723681, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'gssapi_spnego' registered
> [2015/05/16 17:04:31.723880, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'gssapi_krb5' registered
> [2015/05/16 17:04:31.723978, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/05/16 17:04:31.724079, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'schannel' registered
> [2015/05/16 17:04:31.724173, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'spnego' registered
> [2015/05/16 17:04:31.724263, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'ntlmssp' registered
> [2015/05/16 17:04:31.724360, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'krb5' registered
> [2015/05/16 17:04:31.724449, 3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
> GENSEC backend 'fake_gssapi_krb5' registered
> [2015/05/16 17:04:31.730008, 3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:31.736065, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'sam' registered
> [2015/05/16 17:04:31.736216, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'sam_ignoredomain' registered
> [2015/05/16 17:04:31.736307, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'anonymous' registered
> [2015/05/16 17:04:31.736427, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'winbind' registered
> [2015/05/16 17:04:31.736491, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'winbind_wbclient' registered
> [2015/05/16 17:04:31.736576, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'name_to_ntstatus' registered
> [2015/05/16 17:04:31.736668, 3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
> AUTH backend 'unix' registered
> [2015/05/16 17:04:31.757056, 3]
> ../source3/smbd/negprot.c:672(reply_negprot)
> Selected protocol SMB 2.???
> [2015/05/16 17:04:31.757823, 3]
> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10
> [2015/05/16 17:04:31.759042, 3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:31.786446, 3]
> ../source3/smbd/server_exit.c:221(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
More information about the samba
mailing list