[Samba] authentication problem after upgrade to Debian Jessie

Pisch Tamás pischta at gmail.com
Tue Jul 26 09:06:53 UTC 2016


Hi,

thank you for your answer. Yesterday I solved the problem.
It turned out that getent passwd and getent group gave entries only from
flat files. It related to nsswitch.conf and libnss-ldap. The former was ok, but
the latter was different on the two servers. On the PDC, there was libnss-ldapd,
but on the BDC there was libnss-ldap installed. According to the Debian
Wiki, libnss-ldapd is simpler, and better in some way, so I switched to it
on the BDC. During installation, it asked for the settings (which, unfortunately,
I don't know where it stores) and then the authentication worked! With the
distribution upgrade, the libnss-ldap version changed, and I think the
configuration file parameters of libnss-ldap changed, but I kept my old
settings. Maybe it broke the authentication.

Thanks.
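
A small check for the symptom described above (getent answering only from the flat files even though nsswitch.conf lists ldap), added here as an example and not part of the original thread. It assumes nsswitch.conf-style input and getent-style colon-separated records; the sample data below is constructed, not output from srv3 or srv7.

```shell
#!/bin/sh
# Diagnose whether an NSS database actually gets answers from its ldap source.
# Verdicts: no-ldap-source (nsswitch.conf lacks ldap), ldap-silent (ldap listed
# but every returned entry is already in the flat file), ldap-ok (extra entries).

# Print the configured sources for one NSS database ($1) from a nsswitch.conf ($2).
nss_sources() {
    awk -v db="$1" '$1 == db":" { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Count records in getent output ($1) whose name field is absent from the flat
# file ($2). The FNR==1 counter keeps this correct even if the flat file is empty.
nss_extra_count() {
    awk -F: 'FNR == 1 { f++ }
             f == 1 { seen[$1] = 1; next }
             !($1 in seen) { n++ }
             END { print n + 0 }' "$2" "$1"
}

# nss_verdict DB NSSWITCH_CONF GETENT_OUTPUT FLAT_FILE
nss_verdict() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) ;;
        *) echo "no-ldap-source"; return ;;
    esac
    if [ "$(nss_extra_count "$3" "$4")" -gt 0 ]; then
        echo "ldap-ok"
    else
        echo "ldap-silent"
    fi
}

# --- constructed sample data (hypothetical, not real server output) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:         compat ldap
group:          compat ldap
shadow:         compat
EOF
printf 'root:x:0:0:root:/root:/bin/bash\nbackup:x:34:34::/var/backups:/usr/sbin/nologin\n' > "$tmp/passwd"
# healthy server: flat-file users plus one user that can only have come from LDAP
{ cat "$tmp/passwd"; printf 'admin:x:10001:10000:Admin:/home/admin:/bin/bash\n'; } > "$tmp/getent_ok"
# broken server: getent echoes the flat file and nothing else
cp "$tmp/passwd" "$tmp/getent_bad"

echo "healthy: $(nss_verdict passwd "$tmp/nsswitch.conf" "$tmp/getent_ok"  "$tmp/passwd")"
echo "broken:  $(nss_verdict passwd "$tmp/nsswitch.conf" "$tmp/getent_bad" "$tmp/passwd")"
```

On a live host, feed it `getent passwd > out` and `/etc/passwd`; a `ldap-silent` verdict points at the NSS module or its config rather than at Samba.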

2016-07-26 10:43 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Hi,
>
> SPNEGO is related to SASL which seems to me related to Kerberos (at least
> in AD context). You said you are running Samba domain in "classic mode"
> which should mean that this domain is a NT4 domain. And as far as I'm
> aware, NT4 domains don't support Kerberos.
>
> Could you post your smb.conf files please? For both server srv3 and srv7.
>
> 2016-07-22 10:37 GMT+02:00 Pisch Tamás <pischta at gmail.com>:
>
>> Hi,
>>
>> I upgraded our servers from Wheezy to Jessie. I use samba in classic mode,
>> with openldap backend. After the upgrade, on the PDC (srv3) everything
>> seems to be ok, it authenticates, the netlogon share is accessible on it,
>> but on the BDC (srv7), which is the file server, the authentication doesn't
>> work, shares are inaccessible.
>> I compared and synchronized the configuration files to be as similar as
>> possible on the two servers, but it didn't solve this problem (there were
>> other smaller issues, they were solved with the changes).
>> After the upgrade, smbd didn't start at all. I reindexed the ldap
>> databases, and I think it helped to start smbd.
>> The following commands give correct results:
>> wbinfo -u
>> wbinfo -g
>> nmblookup -B SRV7 __SAMBA__
>> nmblookup -B DS1021 '*'
>> nmblookup -d 2 '*'
>> nmblookup -M xyz
>>
>> The following commands give errors:
>> smbclient -U admin //SRV7/NETLOGON
>> Enter admin's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> smbclient -L SRV7 -d 10
>> ...
>> Processing section "[global]"
>> doing parameter dos charset = CP852
>> doing parameter unix charset = UTF8
>> doing parameter workgroup = XYZ
>> doing parameter server string = SRV7
>> doing parameter interfaces = lo 192.168.0.7/24
>> doing parameter bind interfaces only = Yes
>> doing parameter security = USER
>> doing parameter passdb backend = ldapsam:"ldap://127.0.0.1:389"
>> doing parameter syslog = 0
>> doing parameter log file = /var/log/samba/log.%m
>> doing parameter max log size = 1000
>> doing parameter smb ports = 139
>> doing parameter server max protocol = SMB2
>> doing parameter name resolve order = host wins bcast
>> doing parameter time server = Yes
>> doing parameter printcap name = /etc/printcap
>> doing parameter logon script = scripts\logon.cmd
>> doing parameter logon path = \\SRV7\profiles\%U
>> doing parameter logon drive = H:
>> doing parameter logon home = \\SRV7\%U
>> doing parameter domain logons = Yes
>> doing parameter preferred master = No
>> doing parameter domain master = No
>> doing parameter dns proxy = No
>> doing parameter wins server = 192.168.0.3
>> doing parameter ldap admin dn = cn=ldapsu,dc=xyz,dc=site
>> doing parameter ldap group suffix = ou=Groups
>> doing parameter ldap idmap suffix = ou=Idmap
>> doing parameter ldap machine suffix = ou=People
>> doing parameter ldap passwd sync = yes
>> doing parameter ldap suffix = dc=xyz,dc=site
>> doing parameter ldap ssl = no
>> doing parameter ldap user suffix = ou=People
>> doing parameter eventlog list = Security Application Syslog
>> doing parameter panic action = /usr/share/samba/panic-action %d
>> doing parameter idmap config * : ldap_user_dn = cn=idmapsu,dc=xyz,dc=site
>> doing parameter idmap config * : ldap_base_dn = ou=Idmap,dc=xyz,dc=site
>> doing parameter idmap config * : ldap_url = ldap://127.0.0.1:389/
>> doing parameter idmap config * : range = 10000-20000
>> doing parameter idmap config * : default = yes
>> doing parameter ldapsam:trusted = yes
>> doing parameter idmap config * : backend = ldap
>> doing parameter acl allow execute always = Yes
>> doing parameter create mask = 0770
>> doing parameter directory mask = 0770
>> doing parameter map acl inherit = Yes
>> doing parameter veto oplock files = /*.pdf/*.pst/
>> doing parameter browseable = No
>> doing parameter csc policy = disable
>> pm_process() returned Yes
>> lp_servicenumber: couldn't find homes
>> added interface lo ip=::1 bcast=
>> netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
>> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
>> interpret_interface: Adding interface 192.168.0.7/24
>> added interface 192.168.0.7/24 ip=192.168.0.7 bcast=192.168.0.255
>> netmask=255.255.255.0
>> Netbios name list:-
>> my_netbios_names[0]="SRV7"
>> Client started (version 4.2.10-Debian).
>> Enter admin's password:
>> Opening cache file at /var/cache/samba/gencache.tdb
>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>> sitename_fetch: No stored sitename for
>> internal_resolve_name: looking up SRV7#20 (sitename (null))
>> name SRV7#20 found.
>> remove_duplicate_addrs2: looking for duplicate address/port pairs
>> Connecting to 192.168.0.7 at port 445
>> Connecting to 192.168.0.7 at port 139
>> Socket options:
>> SO_KEEPALIVE = 0
>> SO_REUSEADDR = 0
>> SO_BROADCAST = 0
>> TCP_NODELAY = 1
>> TCP_KEEPCNT = 9
>> TCP_KEEPIDLE = 7200
>> TCP_KEEPINTVL = 75
>> IPTOS_LOWDELAY = 0
>> IPTOS_THROUGHPUT = 0
>> SO_REUSEPORT = 0
>> SO_SNDBUF = 2626560
>> SO_RCVBUF = 1061808
>> SO_SNDLOWAT = 1
>> SO_RCVLOWAT = 1
>> SO_SNDTIMEO = 0
>> SO_RCVTIMEO = 0
>> TCP_QUICKACK = 1
>> TCP_DEFER_ACCEPT = 0
>>  session request ok
>> Doing spnego session setup (blob length=74)
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178 at please_ignore
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'ntlmssp_resume_ccache' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Starting GENSEC mechanism spnego
>> Starting GENSEC submechanism ntlmssp
>>      negotiate: struct NEGOTIATE_MESSAGE
>>         Signature                : 'NTLMSSP'
>>         MessageType              : NtLmNegotiate (1)
>>         NegotiateFlags           : 0x62088215 (1644724757)
>>                1: NTLMSSP_NEGOTIATE_UNICODE
>>                0: NTLMSSP_NEGOTIATE_OEM
>>                1: NTLMSSP_REQUEST_TARGET
>>                1: NTLMSSP_NEGOTIATE_SIGN
>>                0: NTLMSSP_NEGOTIATE_SEAL
>>                0: NTLMSSP_NEGOTIATE_DATAGRAM
>>                0: NTLMSSP_NEGOTIATE_LM_KEY
>>                0: NTLMSSP_NEGOTIATE_NETWARE
>>                1: NTLMSSP_NEGOTIATE_NTLM
>>                0: NTLMSSP_NEGOTIATE_NT_ONLY
>>                0: NTLMSSP_ANONYMOUS
>>                0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>>                0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>>                0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>>                1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>                0: NTLMSSP_TARGET_TYPE_DOMAIN
>>                0: NTLMSSP_TARGET_TYPE_SERVER
>>                0: NTLMSSP_TARGET_TYPE_SHARE
>>                1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>                0: NTLMSSP_NEGOTIATE_IDENTIFY
>>                0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>>                0: NTLMSSP_NEGOTIATE_TARGET_INFO
>>                1: NTLMSSP_NEGOTIATE_VERSION
>>                1: NTLMSSP_NEGOTIATE_128
>>                1: NTLMSSP_NEGOTIATE_KEY_EXCH
>>                0: NTLMSSP_NEGOTIATE_56
>>         DomainNameLen            : 0x0000 (0)
>>         DomainNameMaxLen         : 0x0000 (0)
>>         DomainName               : *
>>             DomainName               : ''
>>         WorkstationLen           : 0x0000 (0)
>>         WorkstationMaxLen        : 0x0000 (0)
>>         Workstation              : *
>>             Workstation              : ''
>>         Version: struct ntlmssp_VERSION
>>             ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
>>             ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
>>             ProductBuild             : 0x0000 (0)
>>             Reserved: ARRAY(3)
>>                 [0]                      : 0x00 (0)
>>                 [1]                      : 0x00 (0)
>>                 [2]                      : 0x00 (0)
>>             NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x62898215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_TARGET_TYPE_DOMAIN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x62088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x62088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> SPNEGO login failed: Logon failure
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> What could be the problem?
>>
>
>

