[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Nov 29 17:04:37 UTC 2016
The trusts aren't really working with Windows 2008 either (where DOMAINC
is the Windows 2008 domain.)
# /usr/local/samba/bin/net rpc trustdom establish DOMAINC
Enter DOMAINA$'s password:
Could not connect to server DOMAINC_DC
Trust to domain DOMAINC established
#
Active Directory Domains and Trusts MMC on the Windows 2008 AD DC
(DOMAINC_DC) seems to think the trusts are OK.
The security and system logs however shows that the SambaPDC is failing
to login to the DOMAINC_DC with the domain trust account. Looks like
it first tries with kerberos (which I would expect to fail) then with
NTLM. DOMAINC_DC has dual IP addresses (which is a result of
consolidating some DNS servers.)
The security log on the DOMAINC_DC shows
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/29/2016 10:35:03 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DOMAINC_DC.domainc.com
Description:
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: DOMAINA$
Source Workstation: sambaPDC
Error Code: 0xc0000198
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/29/2016 10:35:03 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DOMAINC_DC.domainc.com
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: DOMAINA$
Account Domain: DOMAINC
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc0000198
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: SAMBA_PDC
Source Network Address: 192.168.x.x
Source Port: 51798
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated
on the computer where access was attempted.
The Subject fields indicate the account on the local system which
requested the logon. This is most commonly a service such as the
Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested.
The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on
the system requested the logon.
The Network Information fields indicate where a remote logon request
originated. Workstation name is not always available and may be left
blank in some cases.
The authentication information fields provide detailed information
about this specific logon request.
- Transited services indicate which intermediate services have
participated in this logon request.
- Package name indicates which sub-protocol was used among the
NTLM protocols.
- Key length indicates the length of the generated session key.
This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<EventRecordID>53957789</EventRecordID>
<Correlation />
<Execution ProcessID="708" ThreadID="836" />
<Channel>Security</Channel>
<Computer>DOMAINC_DC.domainc.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">DOMAINA$</Data>
<Data Name="TargetDomainName">DOMAINC</Data>
<Data Name="Status">0xc0000198</Data>
<Data Name="FailureReason">%%2304</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">SAMBA_PDC</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.168.x.x</Data>
<Data Name="IpPort">51798</Data>
</EventData>
</Event>
The system log shows
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 11/29/2016 10:34:33 AM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAINC_DC.domainc.com
Description:
A Kerberos Error Message was received:
on logon session
Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
Extended Error:
Client Realm:
Client Name:
Server Realm: DOMAINC.COM
Server Name: krbtgt/DOMAINC.COM
Target Name: krbtgt/DOMAINC.COM at DOMAINC.COM
Error Text:
File: 9
Line: e2e
Error Data is in record data.
Event Xml:
The trust password looks OK
From a linux client (samba ver 4.3.12)
> smbclient -L \\DOMAINC_DC -U 'DomainA$'
Enter DomainA$'s password:
session setup failed: NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
(with the wrong password I get NT_STATUS_LOGON_FAILURE)
But from the samba PDC (samba ver 4.4.7)
#/usr/local/samba/bin/smbclient -L \\DOMAINC_DC -U 'DomainA$'
Enter DomainA$'s password:
session setup failed: NT_STATUS_LOGON_FAILURE
Appreciate any advice.
Thanks
On 11/28/16 17:15, Gaiseric Vandal wrote:
> I noticed that smbclient worked on some solaris 11 machines but not
> others. The issue a slightly different version of libarchive on the
> machine (0.12 vs 0.13), even though I thought all machines had been
> patched to the same level. So I decided to recompile.
>
> When recompiling samba 4.4.7 on solaris 11 I saw the following warning
>
> Checking for header krb5.h : no
>
>
> The fix for this in Solaris 11 with gcc 4.8.x is
>
> export C_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5
> export CPLUS_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5
>
>
> When compling samba 3, if memory serves, I would get a little summary
> of which features were enabled and which were not.
>
> I don't think kerberos is requires for domain trusts? I know that
> Active Directory does use kerberos but , when trusts are involved,
> Samba in classic mode "thinks" that the Windows domain controller is
> an NT4 machine. So whether krb5.h was found or not it shouldn't
> matter.
>
> Thanks
>
>
>
>
>
>
> On 11/22/16 17:53, Gaiseric Vandal wrote:
>> I am not sure if this is relevant
>>
>> root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish
>> DomainB
>>
>> Enter DOMAINA$'s password:
>> Could not connect to server DomainB_DC
>> Trust to domain DomainB established
>> root at sambaPDC:~#
>>
>>
>> root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish
>> DomainC
>>
>> Enter DOMAINA$'s password:
>> Could not connect to server DomainC_DC
>> Trust to domain DomainC established
>> root at sambaPDC:~#
>>
>>
>> root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U
>> Administrator
>> Trusted domains list:
>>
>> DOMAINA S-1-5-21-xxxx-xxxx-xxxx
>> DOMAINB S-1-5-21-xxxx-xxxx-xxxx
>>
>> Trusting domains list:
>>
>> DOMAINA S-1-5-21-xxxx-xxxx-xxxx
>> DOMAINB S-1-5-21-xxxx-xxxx-xxxx
>>
>>
>>
>> I MAY have seen "could not connect to server..." errors in the past
>> even when trusts did work.
>>
>>
>>
>> On 11/22/16 13:40, Gaiseric Vandal wrote:
>>> In summary
>>>
>>> * DomainA Samba classic domain- PDC and BDC are running Samba
>>> 4.4.7. The PDC is called "SambaPDC."
>>> * DomainB Windows AD domain , level 2008, domain controller is
>>> Windows 2012 or 2012R2 (you are correct that there are not primary
>>> and backup controllers in AD)
>>> * DomainC Windows AD domain, level 2008, domain controllers are
>>> Windows 2008
>>>
>>>
>>> I need to get trusts established between DomainA and DomainB. (I
>>> don't actually need trusts between DomainA and DomainC, but hoped it
>>> might flush out a working configuration)
>>>
>>>
>>>
>>> I can not setup trusts between DomainA and DomainB in either
>>> direction. The domain controller of domainB just complains that
>>> it cannot establish an RPC connection to DomainA's PDC (The PDC on
>>> domainA has winbind errors relating to domain C.) (On the DomainA
>>> PDC, wbinfo isn't showing trusted users from domainC and I see
>>> errors in the winbind log.)
>>>
>>>
>>>
>>> I can partially setup trusts between DomainA and DomainC. The domain
>>> controller of domainC thinks two way trusts are enabled (can verify
>>> them) and I am able to grant DomainA users access to files on
>>> DomainC servers. (On the DomainA PDC, wbinfo isn't showing trusted
>>> users from domainC and I see errors in the winbind log.)
>>>
>>>
>>> Wondering if I should have complied Samba using "--without-ad-dc"
>>> option.
>>>
>>>
>>>
>>>
>>>
>>> On 11/22/16 12:43, Rowland Penny via samba wrote:
>>>> See inline comments:
>>>>
>>>> On Tue, 22 Nov 2016 12:04:57 -0500
>>>> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> I am trying to configuring Samba 4 classic PDC to trust Windows
>>>>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the
>>>>> forest and domain functional levels are still Windows 2008. On the
>>>>> Win 2012 PDC I try to set up an incoming trust, but it fails with
>>>>> "The local security authority is unable to obtain an RPC connection
>>>>> to the active directory domain controller SAMBAPDC . "
>>>> Can we confirm what I think the above means:
>>>>
>>>> You have a NT4-style PDC
>>>> You have 'DomainB' in which there is a Windows 2012 AD DC running as
>>>> domain functional level 2008 (This is NOT a PDC)
>>>> You are trying to set up a trust between the PDC and the AD DC
>>>>
>>>>>
>>>>>
>>>>> I have an third domain "DomainC" - the PDC is running Windows
>>>>> 2008 , and the forest and domain functional levels are still Windows
>>>>> 2008. On that PDC I am able to configure and verify an incoming
>>>>> trust.
>>>>>
>>>> Again, you have an AD DC running windows 2008 and you can configure a
>>>> trust, but you don't say between what.
>>>>> I am guessing some recent security patch that applies to Windows 2012
>>>>> but not to Windows 2008 is the issue?
>>>>>
>>>> Sounds like it.
>>>>> Since samba is a configured as a classic domain, I would have
>>>>> expected the Windows 2012 DC to see the samba domain as an NT4
>>>>> domain.
>>>>>
>>>> Should do, but microsoft seems to be trying to make it harder, see
>>>> here:
>>>>
>>>> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS
>>>>
>>>>> I have tried setting the following in smb.conf
>>>>>
>>>>> server services = +smb -s3fs
>>>>> dcerpc endpoint servers = +winreg +srvsvc
>>>> They will not do anything on a PDC, they are meant for an AD DC
>>>>
>>>> Rowland
>>>>
>>>
>>
>
More information about the samba
mailing list