[Samba] Samba after upgrade+migration, Win7 workstation trusts lost

Dave Beach drbeach4 at gmail.com
Mon Feb 29 00:04:38 UTC 2016


Hello list - I am not sure my messages are getting out to the list, so I
will attempt in this message to summarize the problems I am having that have
been the subject of a few other posts.

I recently upgraded from a command-line Slackware installation to Debian
Jessie. As part of that exercise, Samba was upgraded from 3.5.x to 4.1.17.
My upgrade method was probably not ideal: I recursively copied all files from
the system root to an external USB hard disk, installed new hard disks, did
the Debian install. I say this to emphasize the point that I have all the
files (and, indeed, the hard disk) from the previous installation available
to me. I started with the new sample Samba config file, and copied what
seemed to be relevant items from my previous config file. I copied
secrets.tdb from the previous implementation to the appropriate new
directory.

I use ldap as my password backend, and have finally managed to get that
working.

Testparm runs cleanly, and Samba starts.

I am having two problems:

First, trusts have been lost with the Win7 workstations in the domain. I
would like to recover those trusts with no effect to the user accounts on
the workstations. All workstations use local profiles. I can log on to the
workstations using cached credentials, but any attempt to log on to them
with Samba running on the server fails. So, I stop Samba on the server, log
on to the workstations, restart Samba on the server. Doing this, I can map
drives on the workstations to shares on the server.

The server log for these unsuccessful logons reveals the following:

[2016/02/28 07:29:41.326070,  3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2016/02/28 07:29:41.327306,  2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: pc-dave$
[2016/02/28 07:29:41.421827,  3] ../source3/passdb/lookup_sid.c:1560(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for pc-dave$
[2016/02/28 07:29:41.422496,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[pc-dave$]
[2016/02/28 07:29:41.422738,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[pc-dave$]
[2016/02/28 07:29:41.422862,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2650(get_user_info_18)
  User:[pc-dave$] 0x80
[2016/02/28 07:29:41.423014,  2] ../libcli/auth/credentials.c:381(netlogon_creds_server_check_internal)
  credentials check failed
[2016/02/28 07:29:41.423066,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-DAVE machine account PC-DAVE$
[2016/02/28 07:29:41.424260,  3] ../source3/rpc_server/srv_pipe_hnd.c:122(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 30
[2016/02/28 07:29:41.425680,  3] ../source3/rpc_server/srv_pipe.c:1371(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE
[2016/02/28 07:29:41.426741,  3] ../source3/rpc_server/srv_pipe_hnd.c:122(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 30
[2016/02/28 07:29:41.427734,  3] ../source3/rpc_server/srv_pipe.c:1371(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE3
[2016/02/28 07:29:41.427972,  2] ../source3/rpc_server/samr/srv_samr_nt.c:4004(_samr_LookupDomain)
  Returning domain sid for domain DRBHOME -> S-1-5-21-379225270-2612589903-3976116126
[2016/02/28 07:29:41.428800,  2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: pc-dave$
[2016/02/28 07:29:41.430068,  3] ../source3/passdb/lookup_sid.c:1560(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for pc-dave$
[2016/02/28 07:29:41.430827,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[pc-dave$]
[2016/02/28 07:29:41.431081,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[pc-dave$]
[2016/02/28 07:29:41.431203,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2650(get_user_info_18)
  User:[pc-dave$] 0x80
[2016/02/28 07:29:41.431364,  2] ../libcli/auth/credentials.c:381(netlogon_creds_server_check_internal)
  credentials check failed
[2016/02/28 07:29:41.431467,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-DAVE machine account PC-DAVE$

The second problem I am having is that I cannot join workstations to the
domain. While trying to debug the first problem, I dropped one workstation
from the domain and tried to rejoin it. The server log evidence suggests
that LANMAN passwords are not permitted for the root account; root is the
account I used to use in the old Samba to join workstations.

Here's a log snippet:

[2016/02/28 08:51:03.846521,  3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DRBHOME]\[root]@[PC-TV] with the new password interface
[2016/02/28 08:51:03.846613,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DRBHOME]\[root]@[PC-TV]
[2016/02/28 08:51:03.847018,  2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2016/02/28 08:51:03.848885,  3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2016/02/28 08:51:03.850001,  2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: root
[2016/02/28 08:51:03.852731,  3] ../source3/passdb/lookup_sid.c:1560(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for root
[2016/02/28 08:51:03.853376,  3] ../libcli/auth/ntlm_check.c:398(ntlm_password_check)
  ntlm_password_check: NTLMv2 password check failed
[2016/02/28 08:51:03.853476,  3] ../libcli/auth/ntlm_check.c:443(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user root
[2016/02/28 08:51:03.853766,  3] ../libcli/auth/ntlm_check.c:587(ntlm_password_check)
  ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user root
[2016/02/28 08:51:03.853974,  2] ../source3/passdb/pdb_ldap.c:1139(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: root
[2016/02/28 08:51:03.854105,  3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [DRBHOME] was for this SAM.
[2016/02/28 08:51:03.854183,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [root] -> [root] FAILED with error NT_STATUS_WRONG_PASSWORD
[2016/02/28 08:51:03.854326,  2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
[2016/02/28 08:51:03.855690,  3] ../source3/smbd/server_exit.c:221(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Here is part of my smb.conf, excluding only share information, as well as
comment lines and disabled parameters:

[global]
   workgroup = DRBHOME
   dns proxy = no
   interfaces = eth1
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   max log size = 8192
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = classic primary domain controller
   passdb backend = ldapsam
   obey pam restrictions = no
   unix password sync = yes
   passwd program = /usr/sbin/smbldap-passwd -u %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   map to guest = never
   logon script = netlogon.cmd
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   time server = yes
   security = user
   domain logons = yes
   domain master = yes
   lanman auth = no
   ldap admin dn = "cn=admin,dc=drbhome,dc=ca"
   ldap delete dn = yes
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap passwd sync = yes
   ldap ssl = off
   ldap suffix = "dc=drbhome,dc=ca"
   ldap user suffix = ou=Users
   local master = yes
   log level = 3
   name resolve order = lmhosts host bcast
   netbios name = DRBGATE
   os level = 20
   preferred master = yes
   client lanman auth = no
   client ntlmv2 auth = yes
   client plaintext auth = no
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   deadtime = 5
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   delete user script = /usr/sbin/smbldap-userdel "%u"
   encrypt passwords = yes
   hosts allow = 192.168.2. 127.
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
