[Samba] samba 4.4.2 client can't join 3.x NT4 domain

Dirk Kleinhesselink dkleinh at phy.ucsf.edu
Thu Apr 21 17:41:21 UTC 2016


With the Ubuntu security updates on Monday that broke everything, I 
downgraded my 12.04 3.6x samba packages on my NT4 DC - now my Windows 7 
domain members can join and function OK and I am looking into a 14.04 client 
that was a member and cannot now join, and the downgrade also failed.  So 
I got 4.4.2 source and built on the system and have tried to join, but it 
fails.  Below is some debug level 5 output from the "net rpc info" from 
4.4.2 for the domain:
net rpc info -s /local/samba/smb.conf -d5 -U domain-admin

4.4.2 seems to be doing some kind of "smb_signing" that I think wasn't 
there in earlier 3.x versions and this fails and so it stops with 
NT_STATUS_ACCESS_DENIED.  Is it a flag or switch I can control in the 
smb.conf file with 4.4.2 to allow it to talk as before?

Thanks for any help.

The important parts of what I see happening are:

Netbios name list:-
my_netbios_names[0]="MYHOST"
added interface eth0 ip=10.2.190.225 bcast=10.2.191.255 netmask=255.255.254.0
Opening cache file at /usr/local/samba-4.4.2/var/cache/gencache.tdb
Opening cache file at /usr/local/samba-4.4.2/var/lock/gencache_notrans.tdb
name MYDOMAIN#1B found.
namecache_status_fetch: key NBT/MYDOMAIN#1B.20.10.2.190.10 -> MYDC
Connecting to 10.2.190.10 at port 445
Socket options:
 	SO_KEEPALIVE = 0
 	SO_REUSEADDR = 0
 	SO_BROADCAST = 0
 	TCP_NODELAY = 1
 	TCP_KEEPCNT = 9
 	TCP_KEEPIDLE = 7200
 	TCP_KEEPINTVL = 75
 	IPTOS_LOWDELAY = 0
 	IPTOS_THROUGHPUT = 0
 	SO_REUSEPORT = 0
 	SO_SNDBUF = 87040
 	SO_RCVBUF = 372480
 	SO_SNDLOWAT = 1
 	SO_RCVLOWAT = 1
 	SO_SNDTIMEO = 0
 	SO_RCVTIMEO = 0
 	TCP_QUICKACK = 1
 	TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=42)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=NONE
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_TARGET_TYPE_DOMAIN
   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
   NTLMSSP_NEGOTIATE_TARGET_INFO
   NTLMSSP_NEGOTIATE_VERSION
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
   NTLMSSP_NEGOTIATE_VERSION
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
   NTLMSSP_NEGOTIATE_VERSION
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
   NTLMSSP_NEGOTIATE_VERSION
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
smb_signing_check_pdu: BAD SIG: wanted SMB signature of
[0000] A8 01 1B 56 39 4E 80 FC                             ...V9N..
smb_signing_check_pdu: BAD SIG: got SMB signature of
[0000] 00 00 00 00 00 00 00 00                             ........
smb_signing_good: BAD SIG: seq 1
SPNEGO login failed: Access denied
Could not connect to server MYDC
Connection failed: NT_STATUS_ACCESS_DENIED
failed to make ipc connection: NT_STATUS_ACCESS_DENIED
return code = -1
Freeing parametrics:



-----------------------------------
System Administrator
Center for Integrative Neuroscience
Memory and Aging Center
Institute for Human Genetics
675 Nelson Rising Way, NS-501
San Francisco, CA
415-502-7336
dkleinh at phy.ucsf.edu
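
The flag negotiation and signature mismatch in the debug output above, decoded as an added example that is not part of the original post. The bit values follow the NTLMSSP NegotiateFlags layout in MS-NLMP; `decode_flags`, `triage` and `SAMPLE_LOG` are names made up for this example.

```python
import re

# NegotiateFlags bits (MS-NLMP), named as Samba prints them at debug level 5.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}

# Constructed sample: lines condensed from the debug output in the post.
SAMPLE_LOG = """\
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
smb_signing_check_pdu: BAD SIG: wanted SMB signature of
[0000] A8 01 1B 56 39 4E 80 FC                             ...V9N..
smb_signing_check_pdu: BAD SIG: got SMB signature of
[0000] 00 00 00 00 00 00 00 00                             ........
"""

def decode_flags(value):
    """Return the known flag names set in value, plus unknown bits as hex."""
    names = [n for bit, n in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~sum(NTLMSSP_FLAGS)
    return names + ([hex(unknown)] if unknown else [])

def triage(log):
    """Summarise flag negotiation and the SMB signature mismatch in a -d5 log."""
    flags = [int(m, 16) for m in re.findall(r"neg_flags=(0x[0-9a-fA-F]+)", log)]
    sigs = {k: bytes.fromhex(h.replace(" ", "")) for k, h in re.findall(
        r"BAD SIG: (wanted|got) SMB signature of\n\[0000\]((?: [0-9A-F]{2}){8})", log)}
    offered, final = flags[0], flags[-1]
    return {
        "dropped": decode_flags(offered & ~final),       # in challenge, not in final
        "signing_negotiated": bool(final & 0x00000010),  # NTLMSSP_NEGOTIATE_SIGN
        "peer_sig_empty": sigs.get("got") == bytes(8),   # 8 zero bytes received
        "sig_match": sigs.get("wanted") == sigs.get("got"),
    }
```

On the post's log, `triage(SAMPLE_LOG)` reports that signing was negotiated, that the two target flags were dropped between the challenge and final flags, and that the received packet carried an all-zero signature where the client expected a computed one.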