[Samba] authentication problem after upgrade to Debian Jessie

Pisch Tamás pischta at gmail.com
Fri Jul 22 08:37:10 UTC 2016


Hi,

I upgraded our servers from Wheezy to Jessie. I use samba in classic mode,
with openldap backend. After the upgrade, on the PDC (srv3) everything
seems to be ok, it authenticates, the netlogon share is accessible on it,
but on the BDC (srv7), which is the file server, the authentication doesn't
work, shares are inaccessible.
I compared and synchronized the configuration files to be as similar as
possible on the two servers, but it didn't solve this problem (there were
other smaller issues, they were solved with the changes).
After the upgrade, smbd didn't start at all. I reindexed the ldap
databases, and I think it helped to start smbd.
The following commands give correct results:
wbinfo -u
wbinfo -g
nmblookup -B SRV7 __SAMBA__
nmblookup -B DS1021 '*'
nmblookup -d 2 '*'
nmblookup -M xyz

The following commands give errors:
smbclient -U admin //SRV7/NETLOGON
Enter admin's password:
session setup failed: NT_STATUS_LOGON_FAILURE

smbclient -L SRV7 -d 10
...
Processing section "[global]"
doing parameter dos charset = CP852
doing parameter unix charset = UTF8
doing parameter workgroup = XYZ
doing parameter server string = SRV7
doing parameter interfaces = lo 192.168.0.7/24
doing parameter bind interfaces only = Yes
doing parameter security = USER
doing parameter passdb backend = ldapsam:"ldap://127.0.0.1:389"
doing parameter syslog = 0
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter smb ports = 139
doing parameter server max protocol = SMB2
doing parameter name resolve order = host wins bcast
doing parameter time server = Yes
doing parameter printcap name = /etc/printcap
doing parameter logon script = scripts\logon.cmd
doing parameter logon path = \\SRV7\profiles\%U
doing parameter logon drive = H:
doing parameter logon home = \\SRV7\%U
doing parameter domain logons = Yes
doing parameter preferred master = No
doing parameter domain master = No
doing parameter dns proxy = No
doing parameter wins server = 192.168.0.3
doing parameter ldap admin dn = cn=ldapsu,dc=xyz,dc=site
doing parameter ldap group suffix = ou=Groups
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap machine suffix = ou=People
doing parameter ldap passwd sync = yes
doing parameter ldap suffix = dc=xyz,dc=site
doing parameter ldap ssl = no
doing parameter ldap user suffix = ou=People
doing parameter eventlog list = Security Application Syslog
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter idmap config * : ldap_user_dn = cn=idmapsu,dc=xyz,dc=site
doing parameter idmap config * : ldap_base_dn = ou=Idmap,dc=xyz,dc=site
doing parameter idmap config * : ldap_url = ldap://127.0.0.1:389/
doing parameter idmap config * : range = 10000-20000
doing parameter idmap config * : default = yes
doing parameter ldapsam:trusted = yes
doing parameter idmap config * : backend = ldap
doing parameter acl allow execute always = Yes
doing parameter create mask = 0770
doing parameter directory mask = 0770
doing parameter map acl inherit = Yes
doing parameter veto oplock files = /*.pdf/*.pst/
doing parameter browseable = No
doing parameter csc policy = disable
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
interpret_interface: Adding interface 192.168.0.7/24
added interface 192.168.0.7/24 ip=192.168.0.7 bcast=192.168.0.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SRV7"
Client started (version 4.2.10-Debian).
Enter admin's password:
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for
internal_resolve_name: looking up SRV7#20 (sitename (null))
name SRV7#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 192.168.0.7 at port 445
Connecting to 192.168.0.7 at port 139
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061808
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
 session request ok
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
     negotiate: struct NEGOTIATE_MESSAGE
        Signature                : 'NTLMSSP'
        MessageType              : NtLmNegotiate (1)
        NegotiateFlags           : 0x62088215 (1644724757)
               1: NTLMSSP_NEGOTIATE_UNICODE
               0: NTLMSSP_NEGOTIATE_OEM
               1: NTLMSSP_REQUEST_TARGET
               1: NTLMSSP_NEGOTIATE_SIGN
               0: NTLMSSP_NEGOTIATE_SEAL
               0: NTLMSSP_NEGOTIATE_DATAGRAM
               0: NTLMSSP_NEGOTIATE_LM_KEY
               0: NTLMSSP_NEGOTIATE_NETWARE
               1: NTLMSSP_NEGOTIATE_NTLM
               0: NTLMSSP_NEGOTIATE_NT_ONLY
               0: NTLMSSP_ANONYMOUS
               0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
               0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
               0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
               1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
               0: NTLMSSP_TARGET_TYPE_DOMAIN
               0: NTLMSSP_TARGET_TYPE_SERVER
               0: NTLMSSP_TARGET_TYPE_SHARE
               1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
               0: NTLMSSP_NEGOTIATE_IDENTIFY
               0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
               0: NTLMSSP_NEGOTIATE_TARGET_INFO
               1: NTLMSSP_NEGOTIATE_VERSION
               1: NTLMSSP_NEGOTIATE_128
               1: NTLMSSP_NEGOTIATE_KEY_EXCH
               0: NTLMSSP_NEGOTIATE_56
        DomainNameLen            : 0x0000 (0)
        DomainNameMaxLen         : 0x0000 (0)
        DomainName               : *
            DomainName               : ''
        WorkstationLen           : 0x0000 (0)
        WorkstationMaxLen        : 0x0000 (0)
        Workstation              : *
            Workstation              : ''
        Version: struct ntlmssp_VERSION
            ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
            ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
            ProductBuild             : 0x0000 (0)
            Reserved: ARRAY(3)
                [0]                      : 0x00 (0)
                [1]                      : 0x00 (0)
                [2]                      : 0x00 (0)
            NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

What could be the problem?

