[Samba] Samba 4 "Classic PDC" trusts fail with Win 2008

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Nov 29 18:30:05 UTC 2016


Digging further


On the sambaPDC  (samba 4.4.7)

    # net -d3 rpc trustdom establish  DOMAINC
    lp_load_ex: refreshing parameters
    Initialising global parameters
    rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
    params.c:pm_process() - Processing configuration file
    "/etc/samba/smb.conf"
    Processing section "[global]"
    Unknown parameter encountered: "client ipc signing"
    Ignoring unknown parameter "client ipc signing"
    Unknown parameter encountered: "server max protocol"
    Ignoring unknown parameter "server max protocol"
    added interface net0 ip=192.168.x.x bcast=192.168.xx netmask=xxxxx
    Registered MSG_REQ_POOL_USAGE
    Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
    Enter DOMAINA$'s password:
    Connecting to host=DOMAINC_DC
    Connecting to 192.168.x.x at port 445
    Doing spnego session setup (blob length=124)
    got principal=not_defined_in_RFC4178 at please_ignore
    Got challenge flags:
    Got NTLMSSP neg_flags=0x62898215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
    SPNEGO login failed: No logon interdomain trust account
    failed session setup with NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
    *Could not connect to server DOMAINC_DC*
    Connecting to host=DOMAINC_DC
    Connecting to 192.168.x.x at port 445
    *NetServerEnum2 error: Couldn't find primary domain controller for
    domain DOMAINA*
    smbldap_search_domain_info: Searching
    for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAINA))]
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    Trust to domain DOMAINC established
    return code = 0
    #



On a Samba 4.4.7 member server




    #  ./smbclient -L \\Xen2 -U 'DOMAINC\DomainA$'
      Enter DOMAINC\DomainA$'s password:
    session setup failed: NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
    #


On 11/29/16 12:04, Gaiseric Vandal wrote:
> The trusts aren't really working with Windows 2008 either (where 
> DOMAINC is the Windows 2008 domain.)
>
>
>
>     # /usr/local/samba/bin/net rpc trustdom establish DOMAINC
>     Enter DOMAINA$'s password:
>     Could not connect to server DOMAINC_DC
>     Trust to domain DOMAINC established
>     #
>
>
>
> Active Directory Domains and Trusts MMC on the  Windows 2008 AD DC  
> (DOMAINC_DC) seems to think the trusts are OK.
>
> The security and system logs however shows that the SambaPDC is 
> failing to login to the DOMAINC_DC  with the domain trust account.   
> Looks like it first tries with kerberos (which I would expect to fail) 
> then with NTLM.     DOMAINC_DC has dual IP addresses (which is a 
> result of consolidating some DNS servers.)
>
>
> The security log on the DOMAINC_DC shows
>
>     Log Name:      Security
>     Source:        Microsoft-Windows-Security-Auditing
>     Date:          11/29/2016 10:35:03 AM
>     Event ID:      4776
>     Task Category: Credential Validation
>     Level:         Information
>     Keywords:      Audit Failure
>     User:          N/A
>     Computer:      DOMAINC_DC.domainc.com
>     Description:
>     The domain controller attempted to validate the credentials for an
>     account.
>
>     Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>     Logon Account:    DOMAINA$
>     Source Workstation:    sambaPDC
>     Error Code:    0xc0000198
>
>
>
>     Log Name:      Security
>     Source:        Microsoft-Windows-Security-Auditing
>     Date:          11/29/2016 10:35:03 AM
>     Event ID:      4625
>     Task Category: Logon
>     Level:         Information
>     Keywords:      Audit Failure
>     User:          N/A
>     Computer:     DOMAINC_DC.domainc.com
>     Description:
>     An account failed to log on.
>
>     Subject:
>         Security ID:        NULL SID
>         Account Name:        -
>         Account Domain:        -
>         Logon ID:        0x0
>
>     Logon Type:            3
>
>     Account For Which Logon Failed:
>         Security ID:        NULL SID
>         Account Name:        DOMAINA$
>         Account Domain:        DOMAINC
>
>     Failure Information:
>         Failure Reason:        An Error occured during Logon.
>         Status:            0xc0000198
>         Sub Status:        0x0
>
>     Process Information:
>         Caller Process ID:    0x0
>         Caller Process Name:    -
>
>     Network Information:
>         Workstation Name:    SAMBA_PDC
>         Source Network Address:    192.168.x.x
>         Source Port:        51798
>
>     Detailed Authentication Information:
>         Logon Process:        NtLmSsp
>         Authentication Package:    NTLM
>         Transited Services:    -
>         Package Name (NTLM only):    -
>         Key Length:        0
>
>     This event is generated when a logon request fails. It is
>     generated on the computer where access was attempted.
>
>     The Subject fields indicate the account on the local system which
>     requested the logon. This is most commonly a service such as the
>     Server service, or a local process such as Winlogon.exe or
>     Services.exe.
>
>     The Logon Type field indicates the kind of logon that was
>     requested. The most common types are 2 (interactive) and 3 (network).
>
>     The Process Information fields indicate which account and process
>     on the system requested the logon.
>
>     The Network Information fields indicate where a remote logon
>     request originated. Workstation name is not always available and
>     may be left blank in some cases.
>
>     The authentication information fields provide detailed information
>     about this specific logon request.
>         - Transited services indicate which intermediate services have
>     participated in this logon request.
>         - Package name indicates which sub-protocol was used among the
>     NTLM protocols.
>         - Key length indicates the length of the generated session
>     key. This will be 0 if no session key was requested.
>     Event Xml:
>     <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>       <System>
>         <Provider Name="Microsoft-Windows-Security-Auditing"
>     Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
>         <EventID>4625</EventID>
>         <Version>0</Version>
>         <Level>0</Level>
>         <Task>12544</Task>
>         <Opcode>0</Opcode>
>         <Keywords>0x8010000000000000</Keywords>
>         <EventRecordID>53957789</EventRecordID>
>         <Correlation />
>         <Execution ProcessID="708" ThreadID="836" />
>         <Channel>Security</Channel>
>         <Computer>DOMAINC_DC.domainc.com</Computer>
>         <Security />
>       </System>
>       <EventData>
>         <Data Name="SubjectUserSid">S-1-0-0</Data>
>         <Data Name="SubjectUserName">-</Data>
>         <Data Name="SubjectDomainName">-</Data>
>         <Data Name="SubjectLogonId">0x0</Data>
>         <Data Name="TargetUserSid">S-1-0-0</Data>
>         <Data Name="TargetUserName">DOMAINA$</Data>
>         <Data Name="TargetDomainName">DOMAINC</Data>
>         <Data Name="Status">0xc0000198</Data>
>         <Data Name="FailureReason">%%2304</Data>
>         <Data Name="SubStatus">0x0</Data>
>         <Data Name="LogonType">3</Data>
>         <Data Name="LogonProcessName">NtLmSsp </Data>
>         <Data Name="AuthenticationPackageName">NTLM</Data>
>         <Data Name="WorkstationName">SAMBA_PDC</Data>
>         <Data Name="TransmittedServices">-</Data>
>         <Data Name="LmPackageName">-</Data>
>         <Data Name="KeyLength">0</Data>
>         <Data Name="ProcessId">0x0</Data>
>         <Data Name="ProcessName">-</Data>
>         <Data Name="IpAddress">192.168.x.x</Data>
>         <Data Name="IpPort">51798</Data>
>       </EventData>
>     </Event>
>
>
>
> The system log shows
>
>     Log Name:      System
>     Source:        Microsoft-Windows-Security-Kerberos
>     Date:          11/29/2016 10:34:33 AM
>     Event ID:      3
>     Task Category: None
>     Level:         Error
>     Keywords:      Classic
>     User:          N/A
>     Computer:      DOMAINC_DC.domainc.com
>     Description:
>     A Kerberos Error Message was received:
>      on logon session
>      Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
>      Extended Error:
>      Client Realm:
>      Client Name:
>      Server Realm: DOMAINC.COM
>      Server Name: krbtgt/DOMAINC.COM
>      Target Name: krbtgt/DOMAINC.COM at DOMAINC.COM
>      Error Text:
>      File: 9
>      Line: e2e
>      Error Data is in record data.
>     Event Xml:
>
>
>
>
> The trust password looks OK
>
> From a linux client (samba ver 4.3.12)
>
>     > smbclient -L \\DOMAINC_DC -U 'DomainA$'
>     Enter DomainA$'s password:
>     session setup failed: NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
>
>     (with the wrong password I get NT_STATUS_LOGON_FAILURE)
>
>
> But from the samba PDC (samba ver 4.4.7)
>
>     #/usr/local/samba/bin/smbclient  -L \\DOMAINC_DC -U 'DomainA$'
>     Enter DomainA$'s password:
>     session setup failed: NT_STATUS_LOGON_FAILURE
>
>
> Appreciate any advice.
>
> Thanks
>
>
>
> On 11/28/16 17:15, Gaiseric Vandal wrote:
>> I noticed that smbclient worked on some solaris 11 machines but not 
>> others.  The issue a slightly different version of libarchive on the 
>> machine (0.12 vs 0.13), even though I thought all machines had been 
>> patched to the same level.  So I decided to recompile.
>>
>> When recompiling samba 4.4.7 on solaris 11  I saw the following warning
>>
>>     Checking for header krb5.h                                   : no
>>
>>
>> The fix for this in Solaris 11 with gcc 4.8.x is
>>
>>     export C_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5
>>     export CPLUS_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5
>>
>>
>> When compiling samba 3, if memory serves, I would get a little summary 
>> of which features were enabled and which were not.
>>
>> I don't think kerberos is required for domain trusts?  I know that 
>> Active Directory does use kerberos but, when trusts are involved, 
>> Samba in classic mode "thinks" that the Windows domain controller is 
>> an NT4 machine.    So whether krb5.h was found or not it shouldn't 
>> matter.
>>
>> Thanks
>>
>>
>>
>>
>>
>>
>> On 11/22/16 17:53, Gaiseric Vandal wrote:
>>> I am not sure if this is relevant
>>>
>>>     root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish
>>>     DomainB
>>>
>>>     Enter DOMAINA$'s password:
>>>     Could not connect to server DomainB_DC
>>>     Trust to domain DomainB established
>>>     root at sambaPDC:~#
>>>
>>>
>>>     root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish
>>>     DomainC
>>>
>>>     Enter DOMAINA$'s password:
>>>     Could not connect to server DomainC_DC
>>>     Trust to domain DomainC established
>>>     root at sambaPDC:~#
>>>
>>>
>>>     root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U
>>>     Administrator
>>>     Trusted domains list:
>>>
>>>     DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
>>>     DOMAINB      S-1-5-21-xxxx-xxxx-xxxx
>>>
>>>     Trusting domains list:
>>>
>>>     DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
>>>     DOMAINB       S-1-5-21-xxxx-xxxx-xxxx
>>>
>>>
>>>
>>> I MAY have seen  "could not connect to server..." errors in the past 
>>> even when trusts did work.
>>>
>>>
>>>
>>> On 11/22/16 13:40, Gaiseric Vandal wrote:
>>>> In summary
>>>>
>>>>  * DomainA    Samba classic domain-  PDC and BDC are running Samba 
>>>> 4.4.7.  The PDC is called "SambaPDC."
>>>>  * DomainB    Windows AD domain , level 2008, domain controller is 
>>>> Windows 2012   or 2012R2 (you are correct that there are not 
>>>> primary and backup controllers in AD)
>>>>  * DomainC    Windows AD domain, level 2008, domain controllers 
>>>> are  Windows 2008
>>>>
>>>>
>>>> I need to get trusts established between DomainA and DomainB. (I 
>>>> don't actually need trusts between DomainA and DomainC, but hoped 
>>>> it might flush out a working configuration)
>>>>
>>>>
>>>>
>>>> I can not  setup trusts between DomainA and DomainB in either 
>>>> direction.     The domain controller of domainB  just complains 
>>>> that it cannot establish an RPC connection to DomainA's PDC (The 
>>>> PDC on domainA has winbind errors relating to domain C.)  (On the 
>>>> DomainA PDC, wbinfo isn't showing trusted users from domainC and I 
>>>> see errors in the winbind log.)
>>>>
>>>>
>>>>
>>>> I can partially setup trusts between DomainA and DomainC. The 
>>>> domain controller of domainC  thinks two way trusts are enabled 
>>>> (can verify them)  and I am able to grant DomainA users access to 
>>>> files on DomainC servers.  (On the DomainA PDC, wbinfo isn't 
>>>> showing trusted users from domainC and I see errors in the winbind 
>>>> log.)
>>>>
>>>>
>>>> Wondering if I should have compiled Samba using the "--without-ad-dc" 
>>>> option.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 11/22/16 12:43, Rowland Penny via samba wrote:
>>>>> See inline comments:
>>>>>
>>>>> On Tue, 22 Nov 2016 12:04:57 -0500
>>>>> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> I am trying to configure a Samba 4 classic PDC to trust the Windows
>>>>>> 2012 domain "DomainB" -  the PDC is running Windows 2012 but the
>>>>>> forest and domain functional levels are still Windows 2008.  On the
>>>>>> Win 2012 PDC I try to set up an incoming trust, but it fails with
>>>>>> "The local security authority is unable to obtain an RPC connection
>>>>>> to the active directory domain controller SAMBAPDC .  "
>>>>> Can we confirm what I think the above means:
>>>>>
>>>>> You have a NT4-style PDC
>>>>> You have 'DomainB' in which there is a Windows 2012 AD DC running as
>>>>> domain functional level 2008 (This is NOT a PDC)
>>>>> You are trying to set up a trust between the PDC and the AD DC
>>>>>
>>>>>>
>>>>>>
>>>>>> I have a third domain "DomainC"  -   the PDC is running Windows
>>>>>> 2008, and the forest and domain functional levels are still Windows
>>>>>> 2008. On that PDC I am able to configure and verify an incoming
>>>>>> trust.
>>>>>>
>>>>> Again, you have an AD DC running windows 2008 and you can configure a
>>>>> trust, but you don't say between what.
>>>>>> I am guessing some recent security patch that applies to Windows
>>>>>> 2012 but not to Windows 2008 is the issue?
>>>>>>
>>>>> Sounds like it.
>>>>>> Since samba is configured as a classic domain, I would have
>>>>>> expected the Windows 2012 DC to see the samba domain as an NT4
>>>>>> domain.
>>>>>>
>>>>> Should do, but microsoft seems to be trying to make it harder, see
>>>>> here:
>>>>>
>>>>> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS
>>>>>
>>>>>> I have tried setting the following in smb.conf
>>>>>>
>>>>>>      server services = +smb -s3fs
>>>>>>      dcerpc endpoint servers = +winreg +srvsvc
>>>>> They will not do anything on a PDC, they are meant for an AD DC
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>
>
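The DC-side events quoted in this thread carry the NTSTATUS value 0xc0000198, which is STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT (the same code smbclient reports as NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT). The following is an added triage helper, not code from the thread or from Samba: it parses the Event XML form of a 4625 record and flags a trusted-domain trust account (`DOMAINA$`) being used for an ordinary network logon, which a DC answers with exactly that code. The sample event is constructed with invented host and address values, modelled on the one posted above.

```python
"""Triage Windows Security event 4625 records for trust-account logon failures."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes relevant to the failures discussed in the thread.
NTSTATUS = {
    0xC0000198: "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
}


def parse_event(xml_text):
    """Return a dict with EventID plus every EventData Name -> value."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = (d.text or "").strip()
    return rec


def classify(rec):
    """Return (status_name, trust_account_misuse) for a 4625 record."""
    if rec.get("EventID") != 4625:
        return None, False
    code = int(rec.get("Status", "0"), 16)  # int() accepts the 0x prefix
    name = NTSTATUS.get(code, "UNKNOWN_%08x" % code)
    user = rec.get("TargetUserName", "")
    # A trust account ('<TRUSTEDDOMAIN>$') exists only for the trusted DC's
    # secure channel; a plain network logon (LogonType 3) with it, such as
    # 'smbclient -L ... -U DomainA$', is refused with 0xc0000198.
    misuse = user.endswith("$") and code == 0xC0000198 and rec.get("LogonType") == "3"
    return name, misuse


# Constructed sample (invented host/address), shaped like the posted event.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>dc.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">DOMAINA$</Data>
    <Data Name="TargetDomainName">DOMAINC</Data>
    <Data Name="Status">0xc0000198</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="WorkstationName">SAMBA_PDC</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    print(classify(parse_event(SAMPLE_4625)))
```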


