[Samba] Samba 4.17 Cannot join Win7 clients to domain

Timo Altun olol13.samba at the-1337.org
Tue May 19 00:12:46 MDT 2015


Hi Davor,

thanks for the answer. They were actually part of a NT4 domain called
mayweg.net (the new realm name). But I did join workgroup "WORKGROUP"
before I tried to join the new domain.
If it's possible that they're sending the information the wrong way because
they were part of a workgroup named after the new realm, is there any way
to clear the old data (apart from a new install)?

Greetings,
Timo

On 18 May 2015 at 17:49, Davor Vusir <davortvusir at gmail.com> wrote:

> Hi Timo!
>
> Timo Altun skrev den 2015-05-16 17:29:
>
> >
> > Hi,
> >
> > I encountered a strange problem...some of my windows machines cannot be
> > joined to an Samba 4.17 AD domain (8 of ~90 clients). These are 7 Win7
> > clients and one WinXP client.
> > The message I receive in windows is: "Logon failure: unknown user name or
> > bad password".
> > All other Win7 and XP machines could be joined...the same OS image has
> been
> > used to install both the machines that could be joined and those that
> > couldn't.
> >
> > The AD DC is on Debian Jessie with Samba 4.17 from debian sources. Win 7
> > clients are Win7 Ultimate SP1, XP is SP3.
> >
> > If I'm interpreting the logs correctly, it seems the clients are trying
> to
> > join as anonymous, even though I enter the administrators account
> > information. I tried using workgroup and realm name, and other domain
> admin
> > accounts to join the computers, but get the same error over and over.
> >
> > Does somebody have a hint where to look? I'd of course like to avoid
> > reinstalling these machines.
> > I attached the smb.conf and the log file of a Win7 PC while I was trying
> to
> > join.
>
>  Maybe the computers are already joined to a workgroup named MAYWEG and
> sendning the authentication request the "wrong" way..? :-)
>
> [2015/05/16 17:04:23.085136,  3]
> ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
>   auth_check_password_send: Checking password for unmapped user
> []\[]@[PC65]
>   auth_check_password_send: mapped user is: [MAYWEG]\[]@[PC65]
>
> >
> > Greetings,
> > Timo
> >
> > *smb.conf:*
> > # Global parameters
> > [global]
> > workgroup = MAYWEG
> > realm = MAYWEG.NET
> > netbios name = SERVER27
> > interfaces = lo, eth0
> > bind interfaces only = Yes
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind,
> > ntp_signd, kcc, dnsupdate
> > idmap_ldb:use rfc2307 = yes
> >
> >         log file = /var/log/samba/log.%m
> >         log level = 3
> >         max log size = 1000
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/mayweg.net/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> >
> > *Samba-log of a Win7 machine while trying to join:*
> > [2015/05/16 17:04:22.607986,  3]
> ../source3/lib/access.c:338(allow_access)
> >   Allowed connection from 192.168.111.236 (192.168.111.236)
> > [2015/05/16 17:04:22.608616,  3]
> ../source3/smbd/oplock.c:873(init_oplocks)
> >   init_oplocks: initializing messages.
> > [2015/05/16 17:04:22.609217,  3]
> ../source3/smbd/process.c:1802(process_smb)
> >   Transaction 0 of length 159 (0 toread)
> > [2015/05/16 17:04:22.609385,  3]
> > ../source3/smbd/process.c:1405(switch_message)
> >   switch message SMBnegprot (pid 4587) conn 0x0
> > [2015/05/16 17:04:22.611816,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [PC NETWORK PROGRAM 1.0]
> > [2015/05/16 17:04:22.612015,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [LANMAN1.0]
> > [2015/05/16 17:04:22.612176,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [Windows for Workgroups 3.1a]
> > [2015/05/16 17:04:22.612272,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [LM1.2X002]
> > [2015/05/16 17:04:22.612397,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [LANMAN2.1]
> > [2015/05/16 17:04:22.612520,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [NT LM 0.12]
> > [2015/05/16 17:04:22.612643,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [SMB 2.002]
> > [2015/05/16 17:04:22.612989,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [SMB 2.???]
> > [2015/05/16 17:04:22.613738,  3]
> > ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> >   Selected protocol SMB2_FF
> > [2015/05/16 17:04:22.622803,  2]
> > ../lib/util/modules.c:191(do_smb_load_module)
> >   Module 'samba4' loaded
> > [2015/05/16 17:04:22.626230,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'gssapi_spnego' registered
> > [2015/05/16 17:04:22.626428,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'gssapi_krb5' registered
> > [2015/05/16 17:04:22.626515,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'gssapi_krb5_sasl' registered
> > [2015/05/16 17:04:22.626591,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'schannel' registered
> > [2015/05/16 17:04:22.626657,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'spnego' registered
> > [2015/05/16 17:04:22.626752,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'ntlmssp' registered
> > [2015/05/16 17:04:22.626841,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'krb5' registered
> > [2015/05/16 17:04:22.626911,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'fake_gssapi_krb5' registered
> > [2015/05/16 17:04:22.632051,  3]
> > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> >   ldb_wrap open of secrets.ldb
> > [2015/05/16 17:04:22.638717,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'sam' registered
> > [2015/05/16 17:04:22.638915,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'sam_ignoredomain' registered
> > [2015/05/16 17:04:22.639031,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'anonymous' registered
> > [2015/05/16 17:04:22.639194,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'winbind' registered
> > [2015/05/16 17:04:22.639277,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'winbind_wbclient' registered
> > [2015/05/16 17:04:22.639379,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'name_to_ntstatus' registered
> > [2015/05/16 17:04:22.639460,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'unix' registered
> > [2015/05/16 17:04:22.662528,  3]
> > ../source3/smbd/negprot.c:672(reply_negprot)
> >   Selected protocol SMB 2.???
> > [2015/05/16 17:04:22.663344,  3]
> > ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> >   Selected protocol SMB2_10
> > [2015/05/16 17:04:22.664437,  3]
> > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> >   ldb_wrap open of secrets.ldb
> > [2015/05/16 17:04:22.690034,  3]
> > ../source3/smbd/server_exit.c:221(exit_server_common)
> >   Server exit (NT_STATUS_CONNECTION_RESET)
> > [2015/05/16 17:04:22.999939,  3]
> ../source3/lib/access.c:338(allow_access)
> >   Allowed connection from 192.168.111.236 (192.168.111.236)
> > [2015/05/16 17:04:23.000705,  3]
> ../source3/smbd/oplock.c:873(init_oplocks)
> >   init_oplocks: initializing messages.
> > [2015/05/16 17:04:23.001398,  3]
> ../source3/smbd/process.c:1802(process_smb)
> >   Transaction 0 of length 108 (0 toread)
> > [2015/05/16 17:04:23.001849,  3]
> > ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> >   Selected protocol SMB2_10
> > [2015/05/16 17:04:23.013135,  2]
> > ../lib/util/modules.c:191(do_smb_load_module)
> >   Module 'samba4' loaded
> > [2015/05/16 17:04:23.016389,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'gssapi_spnego' registered
> > [2015/05/16 17:04:23.016571,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'gssapi_krb5' registered
> > [2015/05/16 17:04:23.016671,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'gssapi_krb5_sasl' registered
> > [2015/05/16 17:04:23.016750,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'schannel' registered
> > [2015/05/16 17:04:23.016882,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'spnego' registered
> > [2015/05/16 17:04:23.016985,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'ntlmssp' registered
> > [2015/05/16 17:04:23.017066,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'krb5' registered
> > [2015/05/16 17:04:23.017156,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'fake_gssapi_krb5' registered
> > [2015/05/16 17:04:23.022258,  3]
> > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> >   ldb_wrap open of secrets.ldb
> > [2015/05/16 17:04:23.028125,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'sam' registered
> > [2015/05/16 17:04:23.028321,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'sam_ignoredomain' registered
> > [2015/05/16 17:04:23.028421,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'anonymous' registered
> > [2015/05/16 17:04:23.028499,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'winbind' registered
> > [2015/05/16 17:04:23.028593,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'winbind_wbclient' registered
> > [2015/05/16 17:04:23.028677,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'name_to_ntstatus' registered
> > [2015/05/16 17:04:23.028774,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'unix' registered
> > [2015/05/16 17:04:23.054566,  3]
> > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> >   ldb_wrap open of secrets.ldb
> > [2015/05/16 17:04:23.082930,  3]
> > ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
> >   Got NTLMSSP neg_flags=0xe2088297
> > [2015/05/16 17:04:23.084961,  3]
> > ../auth/ntlmssp/ntlmssp_server.c:358(ntlmssp_server_preauth)
> >   Got user=[] domain=[] workstation=[PC65] len1=1 len2=0
> > [2015/05/16 17:04:23.085136,  3]
> > ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
> >   auth_check_password_send: Checking password for unmapped user
> []\[]@[PC65]
> >   auth_check_password_send: mapped user is: [MAYWEG]\[]@[PC65]
> > [2015/05/16 17:04:23.085396,  3]
> > ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
> >   NTLMSSP Sign/Seal - Initialising with flags:
> > [2015/05/16 17:04:23.085480,  3]
> > ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
> >   Got NTLMSSP neg_flags=0xe2088215
> > [2015/05/16 17:04:23.089748,  3]
> ../source3/lib/access.c:338(allow_access)
> >   Allowed connection from 192.168.111.236 (192.168.111.236)
> > [2015/05/16 17:04:23.090331,  3]
> > ../source3/smbd/service.c:612(make_connection_snum)
> >   Connect path is '/tmp' for service [IPC$]
> > [2015/05/16 17:04:23.090587,  3]
> ../source3/smbd/vfs.c:113(vfs_init_default)
> >   Initialising default vfs hooks
> > [2015/05/16 17:04:23.090745,  3]
> ../source3/smbd/vfs.c:139(vfs_init_custom)
> >   Initialising custom vfs hooks from [/[Default VFS]/]
> > [2015/05/16 17:04:23.090851,  3]
> ../source3/smbd/vfs.c:139(vfs_init_custom)
> >   Initialising custom vfs hooks from [acl_xattr]
> > [2015/05/16 17:04:23.095703,  2]
> > ../lib/util/modules.c:191(do_smb_load_module)
> >   Module 'acl_xattr' loaded
> > [2015/05/16 17:04:23.095910,  3]
> ../source3/smbd/vfs.c:139(vfs_init_custom)
> >   Initialising custom vfs hooks from [dfs_samba4]
> > [2015/05/16 17:04:23.100971,  2]
> > ../lib/util/modules.c:191(do_smb_load_module)
> >   Module 'dfs_samba4' loaded
> > [2015/05/16 17:04:23.101172,  2]
> > ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
> >   connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> > and 'force unknown acl user = true' for service IPC$
> > [2015/05/16 17:04:23.109088,  3]
> > ../source3/smbd/service.c:856(make_connection_snum)
> >   192.168.111.236 (ipv4:192.168.111.236:1174) connect to service IPC$
> > initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000008)
> > (pid 4588)
> > [2015/05/16 17:04:31.383878,  3]
> ../source3/smbd/service.c:1130(close_cnum)
> >   192.168.111.236 (ipv4:192.168.111.236:1174) closed connection to
> service
> > IPC$
> > [2015/05/16 17:04:31.387550,  3]
> > ../source3/smbd/server_exit.c:221(exit_server_common)
> >   Server exit (NT_STATUS_CONNECTION_RESET)
> > [2015/05/16 17:04:31.704078,  3]
> ../source3/lib/access.c:338(allow_access)
> >   Allowed connection from 192.168.111.236 (192.168.111.236)
> > [2015/05/16 17:04:31.704942,  3]
> ../source3/smbd/oplock.c:873(init_oplocks)
> >   init_oplocks: initializing messages.
> > [2015/05/16 17:04:31.705594,  3]
> ../source3/smbd/process.c:1802(process_smb)
> >   Transaction 0 of length 159 (0 toread)
> > [2015/05/16 17:04:31.705775,  3]
> > ../source3/smbd/process.c:1405(switch_message)
> >   switch message SMBnegprot (pid 4589) conn 0x0
> > [2015/05/16 17:04:31.708376,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [PC NETWORK PROGRAM 1.0]
> > [2015/05/16 17:04:31.708616,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [LANMAN1.0]
> > [2015/05/16 17:04:31.708763,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [Windows for Workgroups 3.1a]
> > [2015/05/16 17:04:31.708887,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [LM1.2X002]
> > [2015/05/16 17:04:31.709044,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [LANMAN2.1]
> > [2015/05/16 17:04:31.709181,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [NT LM 0.12]
> > [2015/05/16 17:04:31.709309,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [SMB 2.002]
> > [2015/05/16 17:04:31.709438,  3]
> > ../source3/smbd/negprot.c:564(reply_negprot)
> >   Requested protocol [SMB 2.???]
> > [2015/05/16 17:04:31.710062,  3]
> > ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> >   Selected protocol SMB2_FF
> > [2015/05/16 17:04:31.719910,  2]
> > ../lib/util/modules.c:191(do_smb_load_module)
> >   Module 'samba4' loaded
> > [2015/05/16 17:04:31.723681,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'gssapi_spnego' registered
> > [2015/05/16 17:04:31.723880,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'gssapi_krb5' registered
> > [2015/05/16 17:04:31.723978,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'gssapi_krb5_sasl' registered
> > [2015/05/16 17:04:31.724079,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'schannel' registered
> > [2015/05/16 17:04:31.724173,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'spnego' registered
> > [2015/05/16 17:04:31.724263,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'ntlmssp' registered
> > [2015/05/16 17:04:31.724360,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'krb5' registered
> > [2015/05/16 17:04:31.724449,  3]
> > ../auth/gensec/gensec_start.c:870(gensec_register)
> >   GENSEC backend 'fake_gssapi_krb5' registered
> > [2015/05/16 17:04:31.730008,  3]
> > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> >   ldb_wrap open of secrets.ldb
> > [2015/05/16 17:04:31.736065,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'sam' registered
> > [2015/05/16 17:04:31.736216,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'sam_ignoredomain' registered
> > [2015/05/16 17:04:31.736307,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'anonymous' registered
> > [2015/05/16 17:04:31.736427,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'winbind' registered
> > [2015/05/16 17:04:31.736491,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'winbind_wbclient' registered
> > [2015/05/16 17:04:31.736576,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'name_to_ntstatus' registered
> > [2015/05/16 17:04:31.736668,  3]
> > ../source4/auth/ntlm/auth.c:673(auth_register)
> >   AUTH backend 'unix' registered
> > [2015/05/16 17:04:31.757056,  3]
> > ../source3/smbd/negprot.c:672(reply_negprot)
> >   Selected protocol SMB 2.???
> > [2015/05/16 17:04:31.757823,  3]
> > ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> >   Selected protocol SMB2_10
> > [2015/05/16 17:04:31.759042,  3]
> > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> >   ldb_wrap open of secrets.ldb
> > [2015/05/16 17:04:31.786446,  3]
> > ../source3/smbd/server_exit.c:221(exit_server_common)
> >   Server exit (NT_STATUS_CONNECTION_RESET)
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


More information about the samba mailing list