[Samba] Samba 4.17 AD Cannot connect to shares as administrator

Davor Vusir davortvusir at gmail.com
Mon May 18 09:49:47 MDT 2015


Hi Timo!

Timo Altun skrev den 2015-05-16 17:29:

>
> Hi,
>
> I encountered a strange problem...some of my Windows machines cannot be
> joined to a Samba 4.17 AD domain (8 of ~90 clients). These are 7 Win7
> clients and one WinXP client.
> The message I receive in Windows is: "Logon failure: unknown user name or
> bad password".
> All other Win7 and XP machines could be joined...the same OS image has been
> used to install both the machines that could be joined and those that
> couldn't.
>
> The AD DC is on Debian Jessie with Samba 4.17 from debian sources. Win 7
> clients are Win7 Ultimate SP1, XP is SP3.
>
> If I'm interpreting the logs correctly, it seems the clients are trying to
> join as anonymous, even though I enter the administrator's account
> information. I tried using workgroup and realm name, and other domain admin
> accounts to join the computers, but get the same error over and over.
>
> Does somebody have a hint where to look? I'd of course like to avoid
> reinstalling these machines.
> I attached the smb.conf and the log file of a Win7 PC while I was trying to
> join.

Maybe the computers are already joined to a workgroup named MAYWEG and
sending the authentication request the "wrong" way..? :-)

[2015/05/16 17:04:23.085136,  3]
../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user []\[]@[PC65]
  auth_check_password_send: mapped user is: [MAYWEG]\[]@[PC65]

>
> Greetings,
> Timo
>
> *smb.conf:*
> # Global parameters
> [global]
> workgroup = MAYWEG
> realm = MAYWEG.NET
> netbios name = SERVER27
> interfaces = lo, eth0
> bind interfaces only = Yes
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
> ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
>         log file = /var/log/samba/log.%m
>         log level = 3
>         max log size = 1000
>
> [netlogon]
> path = /var/lib/samba/sysvol/mayweg.net/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> *Samba-log of a Win7 machine while trying to join:*
> [2015/05/16 17:04:22.607986,  3] ../source3/lib/access.c:338(allow_access)
>   Allowed connection from 192.168.111.236 (192.168.111.236)
> [2015/05/16 17:04:22.608616,  3]
> ../source3/smbd/oplock.c:873(init_oplocks)
>   init_oplocks: initializing messages.
> [2015/05/16 17:04:22.609217,  3]
> ../source3/smbd/process.c:1802(process_smb)
>   Transaction 0 of length 159 (0 toread)
> [2015/05/16 17:04:22.609385,  3]
> ../source3/smbd/process.c:1405(switch_message)
>   switch message SMBnegprot (pid 4587) conn 0x0
> [2015/05/16 17:04:22.611816,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [PC NETWORK PROGRAM 1.0]
> [2015/05/16 17:04:22.612015,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [LANMAN1.0]
> [2015/05/16 17:04:22.612176,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [Windows for Workgroups 3.1a]
> [2015/05/16 17:04:22.612272,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [LM1.2X002]
> [2015/05/16 17:04:22.612397,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [LANMAN2.1]
> [2015/05/16 17:04:22.612520,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [NT LM 0.12]
> [2015/05/16 17:04:22.612643,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [SMB 2.002]
> [2015/05/16 17:04:22.612989,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [SMB 2.???]
> [2015/05/16 17:04:22.613738,  3]
> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_FF
> [2015/05/16 17:04:22.622803,  2]
> ../lib/util/modules.c:191(do_smb_load_module)
>   Module 'samba4' loaded
> [2015/05/16 17:04:22.626230,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'gssapi_spnego' registered
> [2015/05/16 17:04:22.626428,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'gssapi_krb5' registered
> [2015/05/16 17:04:22.626515,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/05/16 17:04:22.626591,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'schannel' registered
> [2015/05/16 17:04:22.626657,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'spnego' registered
> [2015/05/16 17:04:22.626752,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'ntlmssp' registered
> [2015/05/16 17:04:22.626841,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'krb5' registered
> [2015/05/16 17:04:22.626911,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'fake_gssapi_krb5' registered
> [2015/05/16 17:04:22.632051,  3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:22.638717,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'sam' registered
> [2015/05/16 17:04:22.638915,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'sam_ignoredomain' registered
> [2015/05/16 17:04:22.639031,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'anonymous' registered
> [2015/05/16 17:04:22.639194,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'winbind' registered
> [2015/05/16 17:04:22.639277,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'winbind_wbclient' registered
> [2015/05/16 17:04:22.639379,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'name_to_ntstatus' registered
> [2015/05/16 17:04:22.639460,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'unix' registered
> [2015/05/16 17:04:22.662528,  3]
> ../source3/smbd/negprot.c:672(reply_negprot)
>   Selected protocol SMB 2.???
> [2015/05/16 17:04:22.663344,  3]
> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_10
> [2015/05/16 17:04:22.664437,  3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:22.690034,  3]
> ../source3/smbd/server_exit.c:221(exit_server_common)
>   Server exit (NT_STATUS_CONNECTION_RESET)
> [2015/05/16 17:04:22.999939,  3] ../source3/lib/access.c:338(allow_access)
>   Allowed connection from 192.168.111.236 (192.168.111.236)
> [2015/05/16 17:04:23.000705,  3]
> ../source3/smbd/oplock.c:873(init_oplocks)
>   init_oplocks: initializing messages.
> [2015/05/16 17:04:23.001398,  3]
> ../source3/smbd/process.c:1802(process_smb)
>   Transaction 0 of length 108 (0 toread)
> [2015/05/16 17:04:23.001849,  3]
> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_10
> [2015/05/16 17:04:23.013135,  2]
> ../lib/util/modules.c:191(do_smb_load_module)
>   Module 'samba4' loaded
> [2015/05/16 17:04:23.016389,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'gssapi_spnego' registered
> [2015/05/16 17:04:23.016571,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'gssapi_krb5' registered
> [2015/05/16 17:04:23.016671,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/05/16 17:04:23.016750,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'schannel' registered
> [2015/05/16 17:04:23.016882,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'spnego' registered
> [2015/05/16 17:04:23.016985,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'ntlmssp' registered
> [2015/05/16 17:04:23.017066,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'krb5' registered
> [2015/05/16 17:04:23.017156,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'fake_gssapi_krb5' registered
> [2015/05/16 17:04:23.022258,  3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:23.028125,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'sam' registered
> [2015/05/16 17:04:23.028321,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'sam_ignoredomain' registered
> [2015/05/16 17:04:23.028421,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'anonymous' registered
> [2015/05/16 17:04:23.028499,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'winbind' registered
> [2015/05/16 17:04:23.028593,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'winbind_wbclient' registered
> [2015/05/16 17:04:23.028677,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'name_to_ntstatus' registered
> [2015/05/16 17:04:23.028774,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'unix' registered
> [2015/05/16 17:04:23.054566,  3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:23.082930,  3]
> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0xe2088297
> [2015/05/16 17:04:23.084961,  3]
> ../auth/ntlmssp/ntlmssp_server.c:358(ntlmssp_server_preauth)
>   Got user=[] domain=[] workstation=[PC65] len1=1 len2=0
> [2015/05/16 17:04:23.085136,  3]
> ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
>   auth_check_password_send: Checking password for unmapped user []\[]@[PC65]
>   auth_check_password_send: mapped user is: [MAYWEG]\[]@[PC65]
> [2015/05/16 17:04:23.085396,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2015/05/16 17:04:23.085480,  3]
> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0xe2088215
> [2015/05/16 17:04:23.089748,  3] ../source3/lib/access.c:338(allow_access)
>   Allowed connection from 192.168.111.236 (192.168.111.236)
> [2015/05/16 17:04:23.090331,  3]
> ../source3/smbd/service.c:612(make_connection_snum)
>   Connect path is '/tmp' for service [IPC$]
> [2015/05/16 17:04:23.090587,  3]
> ../source3/smbd/vfs.c:113(vfs_init_default)
>   Initialising default vfs hooks
> [2015/05/16 17:04:23.090745,  3]
> ../source3/smbd/vfs.c:139(vfs_init_custom)
>   Initialising custom vfs hooks from [/[Default VFS]/]
> [2015/05/16 17:04:23.090851,  3]
> ../source3/smbd/vfs.c:139(vfs_init_custom)
>   Initialising custom vfs hooks from [acl_xattr]
> [2015/05/16 17:04:23.095703,  2]
> ../lib/util/modules.c:191(do_smb_load_module)
>   Module 'acl_xattr' loaded
> [2015/05/16 17:04:23.095910,  3]
> ../source3/smbd/vfs.c:139(vfs_init_custom)
>   Initialising custom vfs hooks from [dfs_samba4]
> [2015/05/16 17:04:23.100971,  2]
> ../lib/util/modules.c:191(do_smb_load_module)
>   Module 'dfs_samba4' loaded
> [2015/05/16 17:04:23.101172,  2]
> ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
>   connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service IPC$
> [2015/05/16 17:04:23.109088,  3]
> ../source3/smbd/service.c:856(make_connection_snum)
>   192.168.111.236 (ipv4:192.168.111.236:1174) connect to service IPC$
> initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000008)
> (pid 4588)
> [2015/05/16 17:04:31.383878,  3]
> ../source3/smbd/service.c:1130(close_cnum)
>   192.168.111.236 (ipv4:192.168.111.236:1174) closed connection to service
> IPC$
> [2015/05/16 17:04:31.387550,  3]
> ../source3/smbd/server_exit.c:221(exit_server_common)
>   Server exit (NT_STATUS_CONNECTION_RESET)
> [2015/05/16 17:04:31.704078,  3] ../source3/lib/access.c:338(allow_access)
>   Allowed connection from 192.168.111.236 (192.168.111.236)
> [2015/05/16 17:04:31.704942,  3]
> ../source3/smbd/oplock.c:873(init_oplocks)
>   init_oplocks: initializing messages.
> [2015/05/16 17:04:31.705594,  3]
> ../source3/smbd/process.c:1802(process_smb)
>   Transaction 0 of length 159 (0 toread)
> [2015/05/16 17:04:31.705775,  3]
> ../source3/smbd/process.c:1405(switch_message)
>   switch message SMBnegprot (pid 4589) conn 0x0
> [2015/05/16 17:04:31.708376,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [PC NETWORK PROGRAM 1.0]
> [2015/05/16 17:04:31.708616,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [LANMAN1.0]
> [2015/05/16 17:04:31.708763,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [Windows for Workgroups 3.1a]
> [2015/05/16 17:04:31.708887,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [LM1.2X002]
> [2015/05/16 17:04:31.709044,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [LANMAN2.1]
> [2015/05/16 17:04:31.709181,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [NT LM 0.12]
> [2015/05/16 17:04:31.709309,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [SMB 2.002]
> [2015/05/16 17:04:31.709438,  3]
> ../source3/smbd/negprot.c:564(reply_negprot)
>   Requested protocol [SMB 2.???]
> [2015/05/16 17:04:31.710062,  3]
> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_FF
> [2015/05/16 17:04:31.719910,  2]
> ../lib/util/modules.c:191(do_smb_load_module)
>   Module 'samba4' loaded
> [2015/05/16 17:04:31.723681,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'gssapi_spnego' registered
> [2015/05/16 17:04:31.723880,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'gssapi_krb5' registered
> [2015/05/16 17:04:31.723978,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/05/16 17:04:31.724079,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'schannel' registered
> [2015/05/16 17:04:31.724173,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'spnego' registered
> [2015/05/16 17:04:31.724263,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'ntlmssp' registered
> [2015/05/16 17:04:31.724360,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'krb5' registered
> [2015/05/16 17:04:31.724449,  3]
> ../auth/gensec/gensec_start.c:870(gensec_register)
>   GENSEC backend 'fake_gssapi_krb5' registered
> [2015/05/16 17:04:31.730008,  3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:31.736065,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'sam' registered
> [2015/05/16 17:04:31.736216,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'sam_ignoredomain' registered
> [2015/05/16 17:04:31.736307,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'anonymous' registered
> [2015/05/16 17:04:31.736427,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'winbind' registered
> [2015/05/16 17:04:31.736491,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'winbind_wbclient' registered
> [2015/05/16 17:04:31.736576,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'name_to_ntstatus' registered
> [2015/05/16 17:04:31.736668,  3]
> ../source4/auth/ntlm/auth.c:673(auth_register)
>   AUTH backend 'unix' registered
> [2015/05/16 17:04:31.757056,  3]
> ../source3/smbd/negprot.c:672(reply_negprot)
>   Selected protocol SMB 2.???
> [2015/05/16 17:04:31.757823,  3]
> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_10
> [2015/05/16 17:04:31.759042,  3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2015/05/16 17:04:31.786446,  3]
> ../source3/smbd/server_exit.c:221(exit_server_common)
>   Server exit (NT_STATUS_CONNECTION_RESET)
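
The two log entries this thread turns on (the NTLMSSP session setup with an empty user name, and the IPC$ connect as NT AUTHORITY\ANONYMOUS LOGON) can be pulled out of a level 3 Samba log mechanically. The following is an added example, not part of the original messages; the function names `records` and `anonymous_events` are hypothetical, and the sample log is constructed from the entries quoted above.

```python
import re

# Constructed sample in Samba "log level = 3" layout, modelled on the entries
# quoted in this thread; the first entry keeps the mail quoting and wrapping,
# and the last entry (an authenticated attempt) is invented for contrast.
SAMPLE_LOG = """\
> [2015/05/16 17:04:23.084961,  3]
> ../auth/ntlmssp/ntlmssp_server.c:358(ntlmssp_server_preauth)
>   Got user=[] domain=[] workstation=[PC65] len1=1 len2=0
[2015/05/16 17:04:23.109088,  3] ../source3/smbd/service.c:856(make_connection_snum)
  192.168.111.236 (ipv4:192.168.111.236:1174) connect to service IPC$ initially as user NT AUTHORITY\\ANONYMOUS LOGON (uid=65534, gid=3000008) (pid 4588)
[2015/05/16 17:05:02.000000,  3] ../auth/ntlmssp/ntlmssp_server.c:358(ntlmssp_server_preauth)
  Got user=[Administrator] domain=[MAYWEG] workstation=[PC12] len1=24 len2=24
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
PREAUTH = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
CONNECT = re.compile(r"\((?:ipv4|ipv6):(.+?):\d+\) connect to service (\S+) initially as user (.+?) \(uid=")

def records(text):
    """Yield (timestamp, body) per entry; tolerates '> ' quoting and mail-wrapped lines."""
    stamp, parts = None, []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(parts)
            stamp, parts = m.group(1), [m.group(3)]
        elif stamp and line:
            parts.append(line)
    if stamp:
        yield stamp, " ".join(parts)

def anonymous_events(text):
    """Return NTLMSSP session setups with an empty user name and anonymous share connects."""
    events = []
    for stamp, body in records(text):
        m = PREAUTH.search(body)
        if m and m.group(1) == "":
            events.append((stamp, "empty-user NTLMSSP", m.group(3)))
        m = CONNECT.search(body)
        if m and m.group(3).upper().endswith("ANONYMOUS LOGON"):
            events.append((stamp, "anonymous connect to " + m.group(2), m.group(1)))
    return events

if __name__ == "__main__":
    for event in anonymous_events(SAMPLE_LOG):
        print(*event, sep=" | ")
```

Run over a per-client `log.%m` file, a workstation that only ever appears in this output and never in a `Got user=[...]` line with a name filled in is one whose join attempts are not carrying the entered credentials.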

