[Samba] invalid NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Nov 2 14:19:53 UTC 2016
With the patches for BADLOCK I had to upgrade/patch my domain
controllers first then upgrade the member servers.
In addition to security fixes, some of the signing defaults changed so I
think I had to explicitly set
server signing = No
On 10/24/16 14:25, Alex Crow via samba wrote:
>
> On 24/10/16 18:03, Boris S. via samba wrote:
>> Hello,
>>
>> since I upgraded my NT4 domain Samba 4.2.11 to 4.2.14 I can no longer
>> authenticate
>> when I access any share.
>> After that I even upgraded to Samba 4.4.5 but still get the same error:
>>
>>
>> [2016/10/15 04:42:19.786198, 2]
>> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>> check_ntlm_password: authentication for user [xx] -> [xx] -> [xx]
>> succeeded
>> [2016/10/15 04:42:19.789933, 1]
>> ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
>> ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx]
>> domain=[XXXXXXX] workstation=[XXXXX]
>> [2016/10/15 04:42:19.789982, 1] ../lib/util/util.c:559(dump_data)
>> [0000] 97 BD D0 A6 D7 16 E4 0A 59 33 62 ED CC 6A 35 04 ........
>> Y3b..j5.
>> [2016/10/15 04:42:19.790035, 1] ../lib/util/util.c:559(dump_data)
>> [0000] F2 85 BB 00 46 11 89 C4 84 E3 2C 4C 5D FA F4 6A ....F...
>> ..,L]..j
>> [2016/10/15 04:42:19.790095, 2]
>> ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
>> SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
>>
>>
>> Server: FreeBSD 10.3/64 bit
>> Clients: Windows 7 64bit
>>
>> When I downgrade to 4.2.11 everything works again.
>> An upgrade to DC is currently not an option so I need to stick to NT4
>> PDC for a while.
>>
>> I duplicated the whole server to a VM, so I could test anything and
>> wouldn't harm the production server.
>>
>> Any idea what might the cause?
>> Do you need more Information?
>>
>>
>>
>>
>> My smb.conf:
>>
>> [global]
>>
>> workgroup = XXXXXXX
>> netbios name = SERVER
>> unix password sync = false
>> max log size = 100
>> unix extensions = no
>> log level = 2 vfs:2
>> map to guest = Bad User
>> server max protocol = smb2
>> server min protocol = smb2
>> passdb backend = tdbsam
>> unix charset = ISO8859-1
>> dos charset = CP1252
>> bind interfaces only = yes
>> hosts allow = 192.168.255. 127.
>> acl allow execute always = True
>> load printers = no
>> log file = /var/log/samba4/log.%m
>> log level = 2
>> security = user
>> encrypt passwords = yes
>> interfaces = em0, lo0
>> local master = yes
>> os level = 65
>> domain master = yes
>> preferred master = yes
>> domain logons = yes
>> wins support = yes
>> wins proxy = yes
>> dns proxy = no
>>
>>
>>
>>
> I have had pretty much the same issue against CentOS 6.x/Samba 3.x DCs
> from Samba 4.2.x (CentOS) and 4.4.x (Sernet) File servers.
>
> Please look at BZ#12393 and add your findings:
> https://bugzilla.samba.org/show_bug.cgi?id=12303
>
> We upgraded our DCs to 4.4.x and it went away. Are you /really/ still
> running actual NT4 DCs? Wow....
>
> Cheers
>
> Alex
>
>
>
>
> --
> This message is intended only for the addressee and may contain
> confidential information. Unless you are that person, you may not
> disclose its contents or use it in any way and are requested to delete
> the message along with any attachments and notify us immediately.
> This email is not intended to, nor should it be taken to, constitute advice.
> The information provided is correct to our knowledge & belief and must not
> be used as a substitute for obtaining tax, regulatory, investment, legal or
> any other appropriate advice.
>
> "Transact" is operated by Integrated Financial Arrangements Ltd.
> 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
> (Registered office: as above; Registered in England and Wales under
> number: 3727592). Authorised and regulated by the Financial Conduct
> Authority (entered on the Financial Services Register; no. 190856).
>
More information about the samba
mailing list