[Samba] authentication problem after upgrade to Debian Jessie

mathias dufresne infractory at gmail.com
Tue Jul 26 08:43:22 UTC 2016


Hi,

SPNEGO is related to SASL, which seems to me related to Kerberos (at least
in an AD context). You said you are running your Samba domain in "classic mode",
which should mean that this domain is an NT4 domain. And as far as I'm
aware, NT4 domains don't support Kerberos.

Could you post your smb.conf files please? For both server srv3 and srv7.

2016-07-22 10:37 GMT+02:00 Pisch Tamás <pischta at gmail.com>:

> Hi,
>
> I upgraded our servers from Wheezy to Jessie. I use samba in classic mode,
> with openldap backend. After the upgrade, on the PDC (srv3) everything
> seems to be ok, it authenticates, the netlogon share is accessible on it,
> but on the BDC (srv7), what is the file server, the authentication doesn't
> work, shares are inaccessible.
> I compared and synchronized the configuration files to be as similar as
> possible on the two servers, but it didn't solve this problem (there were
> other smaller issues, they were solved with the changes).
> After the upgrade, smbd didn't start at all. I reindexed the ldap
> databases, and I think it helped to start smbd.
> The following commands give correct results:
> wbinfo -u
> wbinfo -g
> nmblookup -B SRV7 __SAMBA__
> nmblookup -B DS1021 '*'
> nmblookup -d 2 '*'
> nmblookup -M xyz
>
> The following commands give errors:
> smbclient -U admin //SRV7/NETLOGON
> Enter admin's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> smbclient -L SRV7 -d 10
> ...
> Processing section "[global]"
> doing parameter dos charset = CP852
> doing parameter unix charset = UTF8
> doing parameter workgroup = XYZ
> doing parameter server string = SRV7
> doing parameter interfaces = lo 192.168.0.7/24
> doing parameter bind interfaces only = Yes
> doing parameter security = USER
> doing parameter passdb backend = ldapsam:"ldap://127.0.0.1:389"
> doing parameter syslog = 0
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 1000
> doing parameter smb ports = 139
> doing parameter server max protocol = SMB2
> doing parameter name resolve order = host wins bcast
> doing parameter time server = Yes
> doing parameter printcap name = /etc/printcap
> doing parameter logon script = scripts\logon.cmd
> doing parameter logon path = \\SRV7\profiles\%U
> doing parameter logon drive = H:
> doing parameter logon home = \\SRV7\%U
> doing parameter domain logons = Yes
> doing parameter preferred master = No
> doing parameter domain master = No
> doing parameter dns proxy = No
> doing parameter wins server = 192.168.0.3
> doing parameter ldap admin dn = cn=ldapsu,dc=xyz,dc=site
> doing parameter ldap group suffix = ou=Groups
> doing parameter ldap idmap suffix = ou=Idmap
> doing parameter ldap machine suffix = ou=People
> doing parameter ldap passwd sync = yes
> doing parameter ldap suffix = dc=xyz,dc=site
> doing parameter ldap ssl = no
> doing parameter ldap user suffix = ou=People
> doing parameter eventlog list = Security Application Syslog
> doing parameter panic action = /usr/share/samba/panic-action %d
> doing parameter idmap config * : ldap_user_dn = cn=idmapsu,dc=xyz,dc=site
> doing parameter idmap config * : ldap_base_dn = ou=Idmap,dc=xyz,dc=site
> doing parameter idmap config * : ldap_url = ldap://127.0.0.1:389/
> doing parameter idmap config * : range = 10000-20000
> doing parameter idmap config * : default = yes
> doing parameter ldapsam:trusted = yes
> doing parameter idmap config * : backend = ldap
> doing parameter acl allow execute always = Yes
> doing parameter create mask = 0770
> doing parameter directory mask = 0770
> doing parameter map acl inherit = Yes
> doing parameter veto oplock files = /*.pdf/*.pst/
> doing parameter browseable = No
> doing parameter csc policy = disable
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface lo ip=::1 bcast=
> netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> interpret_interface: Adding interface 192.168.0.7/24
> added interface 192.168.0.7/24 ip=192.168.0.7 bcast=192.168.0.255
> netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="SRV7"
> Client started (version 4.2.10-Debian).
> Enter admin's password:
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/run/samba/gencache_notrans.tdb
> sitename_fetch: No stored sitename for
> internal_resolve_name: looking up SRV7#20 (sitename (null))
> name SRV7#20 found.
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> Connecting to 192.168.0.7 at port 445
> Connecting to 192.168.0.7 at port 139
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 2626560
> SO_RCVBUF = 1061808
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
>  session request ok
> Doing spnego session setup (blob length=74)
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism ntlmssp
>      negotiate: struct NEGOTIATE_MESSAGE
>         Signature                : 'NTLMSSP'
>         MessageType              : NtLmNegotiate (1)
>         NegotiateFlags           : 0x62088215 (1644724757)
>                1: NTLMSSP_NEGOTIATE_UNICODE
>                0: NTLMSSP_NEGOTIATE_OEM
>                1: NTLMSSP_REQUEST_TARGET
>                1: NTLMSSP_NEGOTIATE_SIGN
>                0: NTLMSSP_NEGOTIATE_SEAL
>                0: NTLMSSP_NEGOTIATE_DATAGRAM
>                0: NTLMSSP_NEGOTIATE_LM_KEY
>                0: NTLMSSP_NEGOTIATE_NETWARE
>                1: NTLMSSP_NEGOTIATE_NTLM
>                0: NTLMSSP_NEGOTIATE_NT_ONLY
>                0: NTLMSSP_ANONYMOUS
>                0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>                0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>                0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>                1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>                0: NTLMSSP_TARGET_TYPE_DOMAIN
>                0: NTLMSSP_TARGET_TYPE_SERVER
>                0: NTLMSSP_TARGET_TYPE_SHARE
>                1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>                0: NTLMSSP_NEGOTIATE_IDENTIFY
>                0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>                0: NTLMSSP_NEGOTIATE_TARGET_INFO
>                1: NTLMSSP_NEGOTIATE_VERSION
>                1: NTLMSSP_NEGOTIATE_128
>                1: NTLMSSP_NEGOTIATE_KEY_EXCH
>                0: NTLMSSP_NEGOTIATE_56
>         DomainNameLen            : 0x0000 (0)
>         DomainNameMaxLen         : 0x0000 (0)
>         DomainName               : *
>             DomainName               : ''
>         WorkstationLen           : 0x0000 (0)
>         WorkstationMaxLen        : 0x0000 (0)
>         Workstation              : *
>             Workstation              : ''
>         Version: struct ntlmssp_VERSION
>             ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
>             ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
>             ProductBuild             : 0x0000 (0)
>             Reserved: ARRAY(3)
>                 [0]                      : 0x00 (0)
>                 [1]                      : 0x00 (0)
>                 [2]                      : 0x00 (0)
>             NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_TARGET_TYPE_DOMAIN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_TARGET_INFO
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> What could be the problem?
>
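As an added example (not code from this thread or from Samba), the helper below decodes the `neg_flags` words in the `smbclient -d 10` trace quoted above and reports which flags the server's challenge carried that were dropped from the final negotiated set. The NegotiateFlags bit positions are taken from MS-NLMP, and the trace excerpt is a constructed copy of the quoted output; both are assumptions, not something the post states.

```python
import re

# NTLMSSP NegotiateFlags bit positions, taken from MS-NLMP 2.2.2.5 (assumed from the spec).
NTLMSSP_FLAG_BITS = [
    (0, "NTLMSSP_NEGOTIATE_UNICODE"), (1, "NTLMSSP_NEGOTIATE_OEM"),
    (2, "NTLMSSP_REQUEST_TARGET"), (4, "NTLMSSP_NEGOTIATE_SIGN"),
    (5, "NTLMSSP_NEGOTIATE_SEAL"), (6, "NTLMSSP_NEGOTIATE_DATAGRAM"),
    (7, "NTLMSSP_NEGOTIATE_LM_KEY"), (8, "NTLMSSP_NEGOTIATE_NETWARE"),
    (9, "NTLMSSP_NEGOTIATE_NTLM"), (10, "NTLMSSP_NEGOTIATE_NT_ONLY"),
    (11, "NTLMSSP_ANONYMOUS"), (12, "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED"),
    (13, "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED"),
    (14, "NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL"), (15, "NTLMSSP_NEGOTIATE_ALWAYS_SIGN"),
    (16, "NTLMSSP_TARGET_TYPE_DOMAIN"), (17, "NTLMSSP_TARGET_TYPE_SERVER"),
    (18, "NTLMSSP_TARGET_TYPE_SHARE"), (19, "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY"),
    (20, "NTLMSSP_NEGOTIATE_IDENTIFY"), (22, "NTLMSSP_REQUEST_NON_NT_SESSION_KEY"),
    (23, "NTLMSSP_NEGOTIATE_TARGET_INFO"), (25, "NTLMSSP_NEGOTIATE_VERSION"),
    (29, "NTLMSSP_NEGOTIATE_128"), (30, "NTLMSSP_NEGOTIATE_KEY_EXCH"),
    (31, "NTLMSSP_NEGOTIATE_56"),
]
KNOWN_MASK = sum(1 << bit for bit, _ in NTLMSSP_FLAG_BITS)

def decode_flags(value):
    """Names of the flags set in a NegotiateFlags word, lowest bit first, plus any undefined bits."""
    names = [name for bit, name in NTLMSSP_FLAG_BITS if (value >> bit) & 1]
    if value & ~KNOWN_MASK:
        names.append("UNKNOWN_0x%08x" % (value & ~KNOWN_MASK))
    return names

# In the trace each stage is a heading ending in "flags:" followed by "Got NTLMSSP neg_flags=0x...".
STAGE_RE = re.compile(r"^([^\n]*flags):[ \t]*\nGot NTLMSSP neg_flags=0x([0-9a-fA-F]+)", re.M)

def parse_stages(trace):
    """Map each stage heading of an smbclient -d 10 trace to its NegotiateFlags value."""
    return {m.group(1): int(m.group(2), 16) for m in STAGE_RE.finditer(trace)}

def challenge_only_flags(trace):
    """Flags the server set in its CHALLENGE that are absent from the final negotiated set."""
    stages = parse_stages(trace)
    dropped = stages["Got challenge flags"] & ~stages["NTLMSSP: Set final flags"]
    return decode_flags(dropped)

# Constructed excerpt of the smbclient -d 10 output quoted in the mail above.
SAMPLE_TRACE = """Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: Logon failure
"""
```

For this trace the only challenge-only flags are NTLMSSP_TARGET_TYPE_DOMAIN and NTLMSSP_NEGOTIATE_TARGET_INFO, which is the usual shape of an NTLMSSP exchange, so the NT_STATUS_LOGON_FAILURE is raised after negotiation, when the credentials are verified.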

