[Samba] Intermittent Win7 trust issues

L.P.H. van Belle belle at bazuin.nl
Tue Mar 15 07:39:23 UTC 2016


With samba 4 <-> win7 (or win8-10) trust issues,
then you have a few things to check.

Start with checking if your time is in sync.
Check the Windows event log for errors, look them up.
If it's a "bootcamp-ed" Windows 7 install (aka on an iMac), boot in Apple, update Bootcamp.

Last, if you used an imaged Windows 7, did you forget to sysprep maybe?

And correct, samba 3.x was more flexible with the SID of the computers, yes.
So if I'm guessing, your problem is the forgotten sysprep.
If that's so, remove the computer from the domain, run sysprep, give the computer
the same name again, and re-join.


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dave Beach
> Sent: Tuesday 15 March 2016 2:23
> To: samba at lists.samba.org
> Subject: [Samba] Intermittent Win7 trust issues
> 
> Hello list!
> 
> 
> 
> I'm trying to debug a problem that surfaced after a Samba upgrade from
> v3.5.x to v4.1.17.
> 
> 
> 
> The problem is that Win7 workstations appear to randomly experience domain
> trust issues logging in, although they can log in some times, they are
> unsuccessful at other times. I cannot so far predict what would result in or
> influence this behaviour. These are workstations on which nothing has
> changed as a result of the Samba upgrade, and which did not exhibit any such
> problems with the previous Samba version.
> 
> 
> 
> Smb.conf parameters below, followed by what seems to my untrained eye to be
> a relevant log snippet from the server for one of the workstations in
> question (PC-DAVE). Although I can clearly see the error in the log, my
> untrained eye is not yet capable of discerning its cause. I have arbitrarily
> copied only a portion of the log given its size (I've set logging to 10 in
> an attempt to debug the problem, and it's a sizeable log - so I felt some
> obligation to keep it to a dull roar for posting here).
> 
> 
> 
> I use local profiles only, so when the trust issue raises its ugly head I
> stop Samba on the server, log on to the workstation, restart Samba. I can
> then map drives on the server, etc. Samba appears to be starting up
> correctly (testparm throws no errors, no errors in the log file).
> 
> 
> 
> I'm very stumped by the fact that the trust issue is intermittent.
> 
> 
> 
> Help gratefully accepted.
> 
> 
> 
> 
> 
> ## smb.conf, exclusive of share information ###
> 
> 
> 
>    workgroup = DRBHOME
> 
>    dns proxy = no
> 
>    interfaces = eth1
> 
>    bind interfaces only = yes
> 
>   log file = /var/log/samba/log.%m
> 
>    max log size = 8192
> 
>    syslog = 0
> 
>    panic action = /usr/share/samba/panic-action %d
> 
>    server role = classic primary domain controller
> 
>    passdb backend = ldapsam
> 
>    obey pam restrictions = no
> 
>   unix password sync = yes
> 
>    passwd program = /usr/sbin/smbldap-passwd -u %u
> 
>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> 
>    map to guest = never
> 
>    logon script = netlogon.cmd
> 
>   add user script = /usr/sbin/smbldap-useradd -m "%u"
> 
>   add machine script = /usr/sbin/smbldap-useradd -w "%u"
> 
>   add group script = /usr/sbin/smbldap-groupadd -p "%g"
> 
>   time server = yes
> 
>   security = user
> 
>   server string = DRBGATE
> 
>   domain logons = yes
> 
>   domain master = yes
> 
>   lanman auth = no
> 
>   ldap admin dn = "cn=admin,dc=drbhome,dc=ca"
> 
>   ldap delete dn = yes
> 
>   ldap group suffix = ou=Groups
> 
>   ldap idmap suffix = ou=Users
> 
>   ldap machine suffix = ou=Computers
> 
>   ldap passwd sync = yes
> 
>   ldap ssl = off
> 
>   ldap suffix = "dc=drbhome,dc=ca"
> 
>   ldap user suffix = ou=Users
> 
>   local master = yes
> 
>   log level = 10
> 
>   name resolve order = lmhosts host bcast
> 
>   netbios name = DRBGATE
> 
>   os level = 20
> 
>   preferred master = yes
> 
>   client lanman auth = no
> 
>   client ntlmv2 auth = yes
> 
>  client plaintext auth = no
> 
>   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> 
> deadtime = 5
> 
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> 
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> 
> delete user script = /usr/sbin/smbldap-userdel "%u"
> 
> encrypt passwords = yes
> 
> hosts allow = 192.168.2. 127.
> 
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> 
> 
> 
> ## end smb.conf ##
> 
> 
> 
> 
> 
> ## Log file snippet ##
> 
> 
> 
> [2016/03/13 18:11:24.668890,  1, pid=1422, effective(0, 0), real(0, 0)]
> ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> 
>        samr_QueryUserInfo2: struct samr_QueryUserInfo2
> 
>           out: struct samr_QueryUserInfo2
> 
>               info                     : *
> 
>                   info                     : *
> 
>                       info                     : union samr_UserInfo(case 18)
> 
>                       info18: struct samr_UserInfo18
> 
>                           nt_pwd: struct samr_Password
> 
>                               hash                     :
> 63866ca03c2befbe90c29e51c48cae7e
> 
>                           lm_pwd: struct samr_Password
> 
>                               hash                     :
> 00000000000000000000000000000000
> 
>                          nt_pwd_active            : 0x01 (1)
> 
>                           lm_pwd_active            : 0x00 (0)
> 
>                           password_expired         : 0x00 (0)
> 
>               result                   : NT_STATUS_OK
> 
> [2016/03/13 18:11:24.669125,  4, pid=1422, effective(65534, 65534),
> real(65534, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
> 
>   pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 1
> 
> [2016/03/13 18:11:24.669167,  1, pid=1422, effective(65534, 65534),
> real(65534, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> 
>        samr_Close: struct samr_Close
> 
>           in: struct samr_Close
> 
>               handle                   : *
> 
>                   handle: struct policy_handle
> 
>                       handle_type              : 0x00000000 (0)
> 
>                       uuid                     :
> 00000012-0000-0000-e556-8ce58e050000
> 
> [2016/03/13 18:11:24.669266,  6, pid=1422, effective(65534, 65534),
> real(65534, 0), class=rpc_srv]
> ../source3/rpc_server/rpc_handles.c:337(find_policy_by_hnd_internal)
> 
>   Found policy hnd[0] [0000] 00 00 00 00 12 00 00 00   00 00 00 00 E5 56 8C E5   ........ .....V..
> 
>   [0010] 8E 05 00 00                                       ....
> 
> [2016/03/13 18:11:24.669333,  6, pid=1422, effective(65534, 65534),
> real(65534, 0), class=rpc_srv]
> ../source3/rpc_server/rpc_handles.c:386(close_policy_hnd)
> 
>   Closed policy
> 
> [2016/03/13 18:11:24.669363,  1, pid=1422, effective(65534, 65534),
> real(65534, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> 
>        samr_Close: struct samr_Close
> 
>           out: struct samr_Close
> 
>               handle                   : *
> 
>                   handle: struct policy_handle
> 
>                       handle_type              : 0x00000000 (0)
> 
>                       uuid                     :
> 00000000-0000-0000-0000-000000000000
> 
>               result                   : NT_STATUS_OK
> 
> [2016/03/13 18:11:24.669482, 10, pid=1422, effective(65534, 65534),
> real(65534, 0), class=rpc_srv]
> ../source3/rpc_server/rpc_handles.c:416(close_policy_by_pipe)
> 
>   Deleted handle list for RPC connection \samr
> 
> [2016/03/13 18:11:24.669536,  2, pid=1422, effective(65534, 65534),
> real(65534, 0)]
> ../libcli/auth/credentials.c:381(netlogon_creds_server_check_internal)
> 
>   credentials check failed
> 
> [2016/03/13 18:11:24.669577,  0, pid=1422, effective(65534, 65534),
> real(65534, 0), class=rpc_srv]
> ../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3)
> 
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client PC-DAVE machine account PC-DAVE$
> 
> [2016/03/13 18:11:24.669611,  1, pid=1422, effective(65534, 65534),
> real(65534, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> 
>        netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
> 
>           out: struct netr_ServerAuthenticate3
> 
>               return_credentials       : *
> 
>                   return_credentials: struct netr_Credential
> 
>                       data                     : 0000000000000000
> 
>               negotiate_flags          : *
> 
>                   negotiate_flags          : 0x410241ff (1090667007)
> 
>                          1: NETLOGON_NEG_ACCOUNT_LOCKOUT
> 
>                          1: NETLOGON_NEG_PERSISTENT_SAMREPL
> 
>                          1: NETLOGON_NEG_ARCFOUR
> 
>                          1: NETLOGON_NEG_PROMOTION_COUNT
> 
>                          1: NETLOGON_NEG_CHANGELOG_BDC
> 
>                          1: NETLOGON_NEG_FULL_SYNC_REPL
> 
>                          1: NETLOGON_NEG_MULTIPLE_SIDS
> 
>                          1: NETLOGON_NEG_REDO
> 
>                          1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
> 
>                          0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
> 
>                          0: NETLOGON_NEG_GENERIC_PASSTHROUGH
> 
>                          0: NETLOGON_NEG_CONCURRENT_RPC
> 
>                          0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
> 
>                          0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
> 
>                          1: NETLOGON_NEG_STRONG_KEYS
> 
>                          0: NETLOGON_NEG_TRANSITIVE_TRUSTS
> 
>                          0: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
> 
>                          1: NETLOGON_NEG_PASSWORD_SET2
> 
>                          0: NETLOGON_NEG_GETDOMAININFO
> 
>                          0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
> 
>                          0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
> 
>                          0: NETLOGON_NEG_RODC_PASSTHROUGH
> 
>                          0: NETLOGON_NEG_SUPPORTS_AES_SHA2
> 
>                          1: NETLOGON_NEG_SUPPORTS_AES
> 
>                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
> 
>                          1: NETLOGON_NEG_AUTHENTICATED_RPC
> 
>               rid                      : *
> 
>                   rid                      : 0x00000000 (0)
> 
>               result                   : NT_STATUS_ACCESS_DENIED
> 
> 
> 
> 
> 
> ## end log file snippet ##
> 
> 
> 
> 
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
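As an added illustration of the log pattern Dave posted and of the checks Louis lists (this is not code from either message, nor from the Samba project): the `netlogon_creds_server_check failed` / `NT_STATUS_ACCESS_DENIED` pair in the snippet means the workstation's secure-channel credential, derived from its copy of the machine-account password, did not match what the DC derived from the hash it stores for `PC-DAVE$`. Two un-sysprepped clones joined under the same computer name each rotate that password independently, so whichever clone rotated last works and the other is rejected, which is exactly what an intermittent trust failure looks like on the server side. The script below groups Samba debug records (re-joining the line wrapping a mail client adds), counts these rejections per machine account with first/last seen timestamps, and flags accounts rejected more than once. The sample log is constructed from the posted records plus two extra records in the same format (a second `PC-DAVE$` rejection and a hypothetical `PC-CLONE$`); the `PC-CLONE` name is an assumption for illustration.

```python
import re
from datetime import datetime

# Header of a Samba debug record: "[YYYY/MM/DD HH:MM:SS.ffffff, level, pid=N, ...]"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)"
)

# Message written by _netr_ServerAuthenticate3 when the client credential does not
# match what the DC computes from the stored machine-account password hash.
REJECT_RE = re.compile(
    r"_netr_ServerAuthenticate3: netlogon_creds_server_check failed\.\s+"
    r"Rejecting auth request from client (?P<client>\S+) machine account (?P<account>\S+)"
)

# Constructed sample: the two records from the posted snippet, plus two extra records
# in the same format (a later PC-DAVE$ rejection and a hypothetical PC-CLONE$ one).
SAMPLE_LOG = """\
[2016/03/13 18:11:24.669536,  2, pid=1422, effective(65534, 65534),
real(65534, 0)]
../libcli/auth/credentials.c:381(netlogon_creds_server_check_internal)

  credentials check failed

[2016/03/13 18:11:24.669577,  0, pid=1422, effective(65534, 65534),
real(65534, 0), class=rpc_srv]
../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3)

  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
auth request from client PC-DAVE machine account PC-DAVE$

[2016/03/13 18:40:02.100000,  0, pid=1490, effective(65534, 65534),
real(65534, 0), class=rpc_srv]
../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3)

  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
auth request from client PC-DAVE machine account PC-DAVE$

[2016/03/13 19:02:11.000000,  0, pid=1502, effective(65534, 65534),
real(65534, 0), class=rpc_srv]
../source3/rpc_server/netlogon/srv_netlog_nt.c:997(_netr_ServerAuthenticate3)

  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
auth request from client PC-CLONE machine account PC-CLONE$
"""


def _finish(rec):
    # Join the header remainder and every message line into one searchable body.
    rec["body"] = " ".join(p for p in rec.pop("parts") if p)
    return rec


def parse_records(lines):
    """Yield one dict per Samba debug record: a bracketed header line followed by
    every non-empty line up to the next header. Joining the lines undoes the
    wrapping that mail clients apply to long log lines."""
    current = None
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            if current:
                yield _finish(current)
            current = {
                "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                "level": int(m["level"]),
                "pid": int(m["pid"]),
                "parts": [line[m.end():].strip()],
            }
        elif current is not None and line.strip():
            current["parts"].append(line.strip())
    if current:
        yield _finish(current)


def summarize_rejections(log_text):
    """Map machine account -> {client, count, first, last} for every
    secure-channel rejection found in the log text."""
    summary = {}
    for rec in parse_records(log_text.splitlines()):
        m = REJECT_RE.search(rec["body"])
        if not m:
            continue
        entry = summary.setdefault(
            m["account"],
            {"client": m["client"], "count": 0, "first": rec["ts"], "last": rec["ts"]},
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    return summary


def repeat_offenders(summary, threshold=2):
    """Accounts rejected at least `threshold` times: the ones to check for a
    stale machine password (clock skew, a re-imaged clone without sysprep)."""
    return sorted(acct for acct, e in summary.items() if e["count"] >= threshold)


if __name__ == "__main__":
    result = summarize_rejections(SAMPLE_LOG)
    for acct, e in sorted(result.items()):
        print(f"{acct:12} client={e['client']:10} rejections={e['count']} "
              f"first={e['first']} last={e['last']}")
    print("repeat offenders:", repeat_offenders(result))
```

Point it at `/var/log/samba/log.<machine>` (the `log.%m` layout from the posted smb.conf) to see whether one account is rejected repeatedly, and compare the timestamps with the workstation's own event log and clock; a single rejection right after a password change is normal, a steady stream from one account is the stale-password case Louis describes.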