[Samba] Intermittent Win7 trust issues
Dave Beach
drbeach4 at gmail.com
Tue Mar 15 01:23:21 UTC 2016
Hello list!
I'm trying to debug a problem that surfaced after a Samba upgrade from
v3.5.x to v4.1.17.
The problem is that Win7 workstations appear to randomly experience domain
trust issues logging in; although they can log in sometimes, they are
unsuccessful at other times. I cannot so far predict what would result in or
influence this behaviour. These are workstations on which nothing has
changed as a result of the Samba upgrade, and which did not exhibit any such
problems with the previous Samba version.
Smb.conf parameters below, followed by what seems to my untrained eye to be
a relevant log snippet from the server for one of the workstations in
question (PC-DAVE). Although I can clearly see the error in the log, my
untrained eye is not yet capable of discerning its cause. I have arbitrarily
copied only a portion of the log given its size (I've set logging to 10 in
an attempt to debug the problem, and it's a sizeable log - so I felt some
obligation to keep it to a dull roar for posting here).
I use local profiles only, so when the trust issue raises its ugly head I
stop Samba on the server, log on to the workstation, restart Samba. I can
then map drives on the server, etc. Samba appears to be starting up
correctly (testparm throws no errors, no errors in the log file).
I'm very stumped by the fact that the trust issue is intermittent.
Help gratefully accepted.
## smb.conf, exclusive of share information ###
workgroup = DRBHOME
dns proxy = no
interfaces = eth1
bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 8192
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = classic primary domain controller
passdb backend = ldapsam
obey pam restrictions = no
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
map to guest = never
logon script = netlogon.cmd
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
time server = yes
security = user
server string = DRBGATE
domain logons = yes
domain master = yes
lanman auth = no
ldap admin dn = "cn=admin,dc=drbhome,dc=ca"
ldap delete dn = yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap ssl = off
ldap suffix = "dc=drbhome,dc=ca"
ldap user suffix = ou=Users
local master = yes
log level = 10
name resolve order = lmhosts host bcast
netbios name = DRBGATE
os level = 20
preferred master = yes
client lanman auth = no
client ntlmv2 auth = yes
client plaintext auth = no
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
deadtime = 5
delete group script = /usr/sbin/smbldap-groupdel "%g%
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
encrypt passwords = yes
hosts allow = 192.168.2. 127.
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
## end smb.conf ##
## Log file snippet ##
[2016/03/13 18:11:24.668890, 1, pid=1422, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
samr_QueryUserInfo2: struct samr_QueryUserInfo2
out: struct samr_QueryUserInfo2
info : *
info : *
info : union samr_UserInfo(case
18)
info18: struct samr_UserInfo18
nt_pwd: struct samr_Password
hash :
63866ca03c2befbe90c29e51c48cae7e
lm_pwd: struct samr_Password
hash :
00000000000000000000000000000000
nt_pwd_active : 0x01 (1)
lm_pwd_active : 0x00 (0)
password_expired : 0x00 (0)
result : NT_STATUS_OK
[2016/03/13 18:11:24.669125, 4, pid=1422, effective(65534, 65534),
real(65534, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 1
[2016/03/13 18:11:24.669167, 1, pid=1422, effective(65534, 65534),
real(65534, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
00000012-0000-0000-e556-8ce58e050000
[2016/03/13 18:11:24.669266, 6, pid=1422, effective(65534, 65534),
real(65534, 0), class=rpc_srv]
../source3/rpc_server/rpc_handles.c:337(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 12 00 00 00 00 00 00 00 E5 56 8C
E5 ........ .....V..
[0010] 8E 05 00 00 ....
[2016/03/13 18:11:24.669333, 6, pid=1422, effective(65534, 65534),
real(65534, 0), class=rpc_srv]
../source3/rpc_server/rpc_handles.c:386(close_policy_hnd)
Closed policy
[2016/03/13 18:11:24.669363, 1, pid=1422, effective(65534, 65534),
real(65534, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
[2016/03/13 18:11:24.669482, 10, pid=1422, effective(65534, 65534),
real(65534, 0), class=rpc_srv]
../source3/rpc_server/rpc_handles.c:416(close_policy_by_pipe)
Deleted handle list for RPC connection \samr
[2016/03/13 18:11:24.669536, 2, pid=1422, effective(65534, 65534),
real(65534, 0)]
../libcli/auth/credentials.c:381(netlogon_creds_server_check_internal)
credentials check failed
[2016/03/13 18:11:24.669577, 0, pid=1422, effective(65534, 65534),
real(65534, 0), class=rpc_srv]
../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3
)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
auth request from client PC-DAVE machine account PC-DAVE$
[2016/03/13 18:11:24.669611, 1, pid=1422, effective(65534, 65534),
real(65534, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
out: struct netr_ServerAuthenticate3
return_credentials : *
return_credentials: struct netr_Credential
data : 0000000000000000
negotiate_flags : *
negotiate_flags : 0x410241ff (1090667007)
1: NETLOGON_NEG_ACCOUNT_LOCKOUT
1: NETLOGON_NEG_PERSISTENT_SAMREPL
1: NETLOGON_NEG_ARCFOUR
1: NETLOGON_NEG_PROMOTION_COUNT
1: NETLOGON_NEG_CHANGELOG_BDC
1: NETLOGON_NEG_FULL_SYNC_REPL
1: NETLOGON_NEG_MULTIPLE_SIDS
1: NETLOGON_NEG_REDO
1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
0: NETLOGON_NEG_GENERIC_PASSTHROUGH
0: NETLOGON_NEG_CONCURRENT_RPC
0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
1: NETLOGON_NEG_STRONG_KEYS
0: NETLOGON_NEG_TRANSITIVE_TRUSTS
0: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
1: NETLOGON_NEG_PASSWORD_SET2
0: NETLOGON_NEG_GETDOMAININFO
0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
0: NETLOGON_NEG_RODC_PASSTHROUGH
0: NETLOGON_NEG_SUPPORTS_AES_SHA2
1: NETLOGON_NEG_SUPPORTS_AES
0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
1: NETLOGON_NEG_AUTHENTICATED_RPC
rid : *
rid : 0x00000000 (0)
result : NT_STATUS_ACCESS_DENIED
## end log file snippet ##
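Added example, not part of the original post and not Samba project code: a small Python triage script for a level-10 smbd log like the one above. It re-joins mail-wrapped lines into records, lists each rejected _netr_ServerAuthenticate3 request by client and machine account, and masks the samr_Password hash values such a log prints before the log is shared. The sample log is constructed (PC-TEST and the hash value are made up), and the function names are this example's own.

```python
import re

# Constructed sample in the wrapped form seen in the post (client name and hash are made up).
SAMPLE = """\
[2016/03/13 18:11:24.668890, 1, pid=1422, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
nt_pwd: struct samr_Password
hash :
0123456789abcdef0123456789abcdef
[2016/03/13 18:11:24.669577, 0, pid=1422, effective(65534, 65534),
real(65534, 0), class=rpc_srv]
../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3
)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
auth request from client PC-TEST machine account PC-TEST$
"""

STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(\d+),")
REJECT = re.compile(r"netlogon_creds_server_check failed\.\s+Rejecting\s+auth "
                    r"request from client (\S+) machine account (\S+)")
HASH = re.compile(r"(hash\s*:\s*)[0-9a-fA-F]{32}\b")

def entries(text):
    """Split a log into [timestamp, level, body] records; a record starts at a '[date,' line."""
    current = None
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            if current:
                yield current
            current = [m.group(1), int(m.group(2)), line]
        elif current:
            current[2] += " " + line.strip()  # re-join wrapped continuation lines
    if current:
        yield current

def netlogon_rejections(text):
    """Return (timestamp, client, machine_account) for each rejected ServerAuthenticate3."""
    out = []
    for stamp, _level, body in entries(text):
        m = REJECT.search(body)
        if m:
            out.append((stamp, m.group(1), m.group(2)))
    return out

def redact_hashes(text):
    """Mask 32-hex-digit samr_Password hashes; the value may sit on the line after 'hash :'."""
    joined = re.sub(r"(hash\s*:)\s*\n\s*", r"\1 ", text)
    return HASH.sub(r"\1<redacted>", joined)
```

Grouping the returned tuples by machine account and timestamp shows whether the rejections cluster on particular workstations or times.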