[Samba] samba 4.4.2 client can't join 3.x NT4 domain
Dirk Kleinhesselink
dkleinh at phy.ucsf.edu
Thu Apr 21 17:41:21 UTC 2016
With the ubuntu security updates on Monday that broke everything, I
downgraded my 12.04 3.6x samba packages on my NT4 DC - now my windows 7
domain members can join and function OK and am looking into a 14.04 client
that was a member and cannot now join, and the downgrade also failed. So
I got 4.4.2 source and built on the system and have tried to join, but it
fails. Below is some debug level 5 output from the "net rpc info" from
4.4.2 for the domain:
net rpc info -s /local/samba/smb.conf -d5 -U domain-admin
4.4.2 seems to be doing some kind of "smb_signing" that I think wasn't
there in earlier 3.x versions and this fails and so it stops with
NT_STATUS_ACCESS_DENIED. Is it a flag or switch I can control in the
smb.conf file with 4.4.2 to allow it to talk as before ?
Thanks for any help.
The important parts of what I see happening are:
Netbios name list:-
my_netbios_names[0]="MYHOST"
added interface eth0 ip=10.2.190.225 bcast=10.2.191.255
netmask=255.255.254.0
Opening cache file at /usr/local/samba-4.4.2/var/cache/gencache.tdb
Opening cache file at /usr/local/samba-4.4.2/var/lock/gencache_notrans.tdb
name MYDOMAIN#1B found.
namecache_status_fetch: key NBT/MYDOMAIN#1B.20.10.2.190.10 -> MYDC
Connecting to 10.2.190.10 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=42)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=NONE
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
smb_signing_check_pdu: BAD SIG: wanted SMB signature of
[0000] A8 01 1B 56 39 4E 80 FC ...V9N..
smb_signing_check_pdu: BAD SIG: got SMB signature of
[0000] 00 00 00 00 00 00 00 00 ........
smb_signing_good: BAD SIG: seq 1
SPNEGO login failed: Access denied
Could not connect to server MYDC
Connection failed: NT_STATUS_ACCESS_DENIED
failed to make ipc connection: NT_STATUS_ACCESS_DENIED
return code = -1
Freeing parametrics:
-----------------------------------
System Administrator
Center for Integrative Neuroscience
Memory and Aging Center
Institute for Human Genetics
675 Nelson Rising Way, NS-501
San Francisco, CA
415-502-7336
dkleinh at phy.ucsf.edu
More information about the samba
mailing list