[Samba] Samba 4 "Classic PDC" trusts fail with Win 2008
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Nov 29 18:30:05 UTC 2016
Digging further
On the sambaPDC (samba 4.4.7)
# net -d3 rpc trustdom establish DOMAINC
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
Unknown parameter encountered: "client ipc signing"
Ignoring unknown parameter "client ipc signing"
Unknown parameter encountered: "server max protocol"
Ignoring unknown parameter "server max protocol"
added interface net0 ip=192.168.x.x bcast=192.168.xx netmask=xxxxx
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter DOMAINA$'s password:
Connecting to host=DOMAINC_DC
Connecting to 192.168.x.x at port 445
Doing spnego session setup (blob length=124)
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: No logon interdomain trust account
failed session setup with NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
*Could not connect to server DOMAINC_DC*
Connecting to host=DOMAINC_DC
Connecting to 192.168.x.x at port 445
*NetServerEnum2 error: Couldn't find primary domain controller for
domain DOMAINA*
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAINA))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
Trust to domain DOMAINC established
return code = 0
#
On a Samba 4.4.7 member server
# ./smbclient -L \\Xen2 -U 'DOMAINC\DomainA$'
Enter DOMAINC\DomainA$'s password:
session setup failed: NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
#
On 11/29/16 12:04, Gaiseric Vandal wrote:
> The trusts aren't really working with Windows 2008 either (where
> DOMAINC is the Windows 2008 domain.)
>
>
>
> # /usr/local/samba/bin/net rpc trustdom establish DOMAINC
> Enter DOMAINA$'s password:
> Could not connect to server DOMAINC_DC
> Trust to domain DOMAINC established
> #
>
>
>
> Active Directory Domains and Trusts MMC on the Windows 2008 AD DC
> (DOMAINC_DC) seems to think the trusts are OK.
>
> The security and system logs however shows that the SambaPDC is
> failing to login to the DOMAINC_DC with the domain trust account.
> Looks like it first tries with kerberos (which I would expect to fail)
> then with NTLM. DOMAINC_DC has dual IP addresses (which is a
> result of consolidating some DNS servers.)
>
>
> The security log on the DOMAINC_DC shows
>
> Log Name: Security
> Source: Microsoft-Windows-Security-Auditing
> Date: 11/29/2016 10:35:03 AM
> Event ID: 4776
> Task Category: Credential Validation
> Level: Information
> Keywords: Audit Failure
> User: N/A
> Computer: DOMAINC_DC.domainc.com
> Description:
> The domain controller attempted to validate the credentials for an
> account.
>
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon Account: DOMAINA$
> Source Workstation: sambaPDC
> Error Code: 0xc0000198
>
>
>
> Log Name: Security
> Source: Microsoft-Windows-Security-Auditing
> Date: 11/29/2016 10:35:03 AM
> Event ID: 4625
> Task Category: Logon
> Level: Information
> Keywords: Audit Failure
> User: N/A
> Computer: DOMAINC_DC.domainc.com
> Description:
> An account failed to log on.
>
> Subject:
> Security ID: NULL SID
> Account Name: -
> Account Domain: -
> Logon ID: 0x0
>
> Logon Type: 3
>
> Account For Which Logon Failed:
> Security ID: NULL SID
> Account Name: DOMAINA$
> Account Domain: DOMAINC
>
> Failure Information:
> Failure Reason: An Error occured during Logon.
> Status: 0xc0000198
> Sub Status: 0x0
>
> Process Information:
> Caller Process ID: 0x0
> Caller Process Name: -
>
> Network Information:
> Workstation Name: SAMBA_PDC
> Source Network Address: 192.168.x.x
> Source Port: 51798
>
> Detailed Authentication Information:
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Transited Services: -
> Package Name (NTLM only): -
> Key Length: 0
>
> This event is generated when a logon request fails. It is
> generated on the computer where access was attempted.
>
> The Subject fields indicate the account on the local system which
> requested the logon. This is most commonly a service such as the
> Server service, or a local process such as Winlogon.exe or
> Services.exe.
>
> The Logon Type field indicates the kind of logon that was
> requested. The most common types are 2 (interactive) and 3 (network).
>
> The Process Information fields indicate which account and process
> on the system requested the logon.
>
> The Network Information fields indicate where a remote logon
> request originated. Workstation name is not always available and
> may be left blank in some cases.
>
> The authentication information fields provide detailed information
> about this specific logon request.
> - Transited services indicate which intermediate services have
> participated in this logon request.
> - Package name indicates which sub-protocol was used among the
> NTLM protocols.
> - Key length indicates the length of the generated session
> key. This will be 0 if no session key was requested.
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="Microsoft-Windows-Security-Auditing"
> Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
> <EventID>4625</EventID>
> <Version>0</Version>
> <Level>0</Level>
> <Task>12544</Task>
> <Opcode>0</Opcode>
> <Keywords>0x8010000000000000</Keywords>
> <EventRecordID>53957789</EventRecordID>
> <Correlation />
> <Execution ProcessID="708" ThreadID="836" />
> <Channel>Security</Channel>
> <Computer>DOMAINC_DC.domainc.com</Computer>
> <Security />
> </System>
> <EventData>
> <Data Name="SubjectUserSid">S-1-0-0</Data>
> <Data Name="SubjectUserName">-</Data>
> <Data Name="SubjectDomainName">-</Data>
> <Data Name="SubjectLogonId">0x0</Data>
> <Data Name="TargetUserSid">S-1-0-0</Data>
> <Data Name="TargetUserName">DOMAINA$</Data>
> <Data Name="TargetDomainName">DOMAINC</Data>
> <Data Name="Status">0xc0000198</Data>
> <Data Name="FailureReason">%%2304</Data>
> <Data Name="SubStatus">0x0</Data>
> <Data Name="LogonType">3</Data>
> <Data Name="LogonProcessName">NtLmSsp </Data>
> <Data Name="AuthenticationPackageName">NTLM</Data>
> <Data Name="WorkstationName">SAMBA_PDC</Data>
> <Data Name="TransmittedServices">-</Data>
> <Data Name="LmPackageName">-</Data>
> <Data Name="KeyLength">0</Data>
> <Data Name="ProcessId">0x0</Data>
> <Data Name="ProcessName">-</Data>
> <Data Name="IpAddress">192.168.x.x</Data>
> <Data Name="IpPort">51798</Data>
> </EventData>
> </Event>
>
>
>
> The system log shows
>
> Log Name: System
> Source: Microsoft-Windows-Security-Kerberos
> Date: 11/29/2016 10:34:33 AM
> Event ID: 3
> Task Category: None
> Level: Error
> Keywords: Classic
> User: N/A
> Computer: DOMAINC_DC.domainc.com
> Description:
> A Kerberos Error Message was received:
> on logon session
> Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
> Extended Error:
> Client Realm:
> Client Name:
> Server Realm: DOMAINC.COM
> Server Name: krbtgt/DOMAINC.COM
> Target Name: krbtgt/DOMAINC.COM at DOMAINC.COM
> Error Text:
> File: 9
> Line: e2e
> Error Data is in record data.
> Event Xml:
>
>
>
>
> The trust password looks OK
>
> From a linux client (samba ver 4.3.12)
>
> > smbclient -L \\DOMAINC_DC -U 'DomainA$'
> Enter DomainA$'s password:
> session setup failed: NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
>
> (with the wrong password I get NT_STATUS_LOGON_FAILURE)
>
>
> But from the samba PDC (samba ver 4.4.7)
>
> #/usr/local/samba/bin/smbclient -L \\DOMAINC_DC -U 'DomainA$'
> Enter DomainA$'s password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
> Appreciate any advice.
>
> Thanks
>
>
>
> On 11/28/16 17:15, Gaiseric Vandal wrote:
>> I noticed that smbclient worked on some solaris 11 machines but not
>> others. The issue was a slightly different version of libarchive on the
>> machine (0.12 vs 0.13), even though I thought all machines had been
>> patched to the same level. So I decided to recompile.
>>
>> When recompiling samba 4.4.7 on solaris 11 I saw the following warning
>>
>> Checking for header krb5.h : no
>>
>>
>> The fix for this in Solaris 11 with gcc 4.8.x is
>>
>> export C_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5
>> export CPLUS_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5
>>
>>
>> When compiling samba 3, if memory serves, I would get a little summary
>> of which features were enabled and which were not.
>>
>> I don't think kerberos is required for domain trusts? I know that
>> Active Directory does use kerberos but , when trusts are involved,
>> Samba in classic mode "thinks" that the Windows domain controller is
>> an NT4 machine. So whether krb5.h was found or not it shouldn't
>> matter.
>>
>> Thanks
>>
>>
>>
>>
>>
>>
>> On 11/22/16 17:53, Gaiseric Vandal wrote:
>>> I am not sure if this is relevant
>>>
>>> root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish
>>> DomainB
>>>
>>> Enter DOMAINA$'s password:
>>> Could not connect to server DomainB_DC
>>> Trust to domain DomainB established
>>> root at sambaPDC:~#
>>>
>>>
>>> root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish
>>> DomainC
>>>
>>> Enter DOMAINA$'s password:
>>> Could not connect to server DomainC_DC
>>> Trust to domain DomainC established
>>> root at sambaPDC:~#
>>>
>>>
>>> root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U
>>> Administrator
>>> Trusted domains list:
>>>
>>> DOMAINA S-1-5-21-xxxx-xxxx-xxxx
>>> DOMAINB S-1-5-21-xxxx-xxxx-xxxx
>>>
>>> Trusting domains list:
>>>
>>> DOMAINA S-1-5-21-xxxx-xxxx-xxxx
>>> DOMAINB S-1-5-21-xxxx-xxxx-xxxx
>>>
>>>
>>>
>>> I MAY have seen "could not connect to server..." errors in the past
>>> even when trusts did work.
>>>
>>>
>>>
>>> On 11/22/16 13:40, Gaiseric Vandal wrote:
>>>> In summary
>>>>
>>>> * DomainA Samba classic domain - PDC and BDC are running Samba
>>>> 4.4.7. The PDC is called "SambaPDC."
>>>> * DomainB Windows AD domain, level 2008, domain controller is
>>>> Windows 2012 or 2012R2 (you are correct that there are not
>>>> primary and backup controllers in AD)
>>>> * DomainC Windows AD domain, level 2008, domain controllers
>>>> are Windows 2008
>>>>
>>>>
>>>> I need to get trusts established between DomainA and DomainB. (I
>>>> don't actually need trusts between DomainA and DomainC, but hoped
>>>> it might flush out a working configuration)
>>>>
>>>>
>>>>
>>>> I can not setup trusts between DomainA and DomainB in either
>>>> direction. The domain controller of domainB just complains
>>>> that it cannot establish an RPC connection to DomainA's PDC (The
>>>> PDC on domainA has winbind errors relating to domain C.) (On the
>>>> DomainA PDC, wbinfo isn't showing trusted users from domainC and I
>>>> see errors in the winbind log.)
>>>>
>>>>
>>>>
>>>> I can partially setup trusts between DomainA and DomainC. The
>>>> domain controller of domainC thinks two way trusts are enabled
>>>> (can verify them) and I am able to grant DomainA users access to
>>>> files on DomainC servers. (On the DomainA PDC, wbinfo isn't
>>>> showing trusted users from domainC and I see errors in the winbind
>>>> log.)
>>>>
>>>>
>>>> Wondering if I should have compiled Samba using "--without-ad-dc"
>>>> option.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 11/22/16 12:43, Rowland Penny via samba wrote:
>>>>> See inline comments:
>>>>>
>>>>> On Tue, 22 Nov 2016 12:04:57 -0500
>>>>> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> I am trying to configure Samba 4 classic PDC to trust Windows
>>>>>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the
>>>>>> forest and domain functional levels are still Windows 2008. On the
>>>>>> Win 2012 PDC I try to set up an incoming trust, but it fails with
>>>>>> "The local security authority is unable to obtain an RPC connection
>>>>>> to the active directory domain controller SAMBAPDC . "
>>>>> Can we confirm what I think the above means:
>>>>>
>>>>> You have a NT4-style PDC
>>>>> You have 'DomainB' in which there is a Windows 2012 AD DC running as
>>>>> domain functional level 2008 (This is NOT a PDC)
>>>>> You are trying to set up a trust between the PDC and the AD DC
>>>>>
>>>>>>
>>>>>>
>>>>>> I have a third domain "DomainC" - the PDC is running Windows
>>>>>> 2008 , and the forest and domain functional levels are still
>>>>>> Windows
>>>>>> 2008. On that PDC I am able to configure and verify an incoming
>>>>>> trust.
>>>>>>
>>>>> Again, you have an AD DC running windows 2008 and you can configure a
>>>>> trust, but you don't say between what.
>>>>>> I am guessing some recent security patch that applies to Windows
>>>>>> 2012
>>>>>> but not to Windows 2008 is the issue?
>>>>>>
>>>>> Sounds like it.
>>>>>> Since samba is configured as a classic domain, I would have
>>>>>> expected the Windows 2012 DC to see the samba domain as an NT4
>>>>>> domain.
>>>>>>
>>>>> Should do, but Microsoft seems to be trying to make it harder, see
>>>>> here:
>>>>>
>>>>> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS
>>>>>
>>>>>> I have tried setting the following in smb.conf
>>>>>>
>>>>>> server services = +smb -s3fs
>>>>>> dcerpc endpoint servers = +winreg +srvsvc
>>>>> They will not do anything on a PDC, they are meant for an AD DC
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>
>
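The 4625 event quoted in the thread is the useful detection signal here: the trust account DOMAINA$ is rejected with Status 0xc0000198 (NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT) over NTLM, not with a bad-password status. The following is an added example, not code from the poster or from Samba, that parses Security event XML in the schema shown above and flags such trust-account rejections so they can be separated from ordinary logon failures; the sample event and its IP address are constructed from the thread's redacted event.

```python
import xml.etree.ElementTree as ET

# Well-known NT status values that appear in the thread.
NT_STATUS = {
    0xC0000198: "NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
}

# Namespace used by Windows Event XML (as in the quoted event).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, modelled on the 4625 event quoted in the thread.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Channel>Security</Channel>
<Computer>DOMAINC_DC.domainc.com</Computer></System>
<EventData>
<Data Name="TargetUserName">DOMAINA$</Data>
<Data Name="TargetDomainName">DOMAINC</Data>
<Data Name="Status">0xc0000198</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">SAMBA_PDC</Data>
<Data Name="IpAddress">192.168.0.10</Data>
</EventData></Event>"""


def parse_event(xml_text):
    """Flatten one Event XML document into a dict of EventID plus EventData fields."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.findall("e:EventData/e:Data", NS):
        ev[data.get("Name")] = (data.text or "").strip()
    return ev


def classify_trust_failure(ev):
    """Return a finding for a 4625 where a machine/trust account ($) is refused
    with 0xC0000198, i.e. the logon was denied because the account is an
    interdomain trust account, not because the password was wrong. Else None."""
    if ev["EventID"] != 4625:
        return None
    status = int(ev.get("Status", "0x0"), 16)
    account = ev.get("TargetUserName", "")
    if status != 0xC0000198 or not account.endswith("$"):
        return None
    return {
        "account": f"{ev.get('TargetDomainName')}\\{account}",
        "status": NT_STATUS.get(status, hex(status)),
        "source": f"{ev.get('WorkstationName')} ({ev.get('IpAddress')})",
        "package": ev.get("AuthenticationPackageName"),
        "logon_type": int(ev.get("LogonType", "0")),
    }
```

A 4625 for the same account with 0xc000006d is left unflagged, which matches the poster's observation that a wrong password produces NT_STATUS_LOGON_FAILURE instead.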