[Samba] invalid NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER

Alex Crow acrow at integrafin.co.uk
Mon Oct 24 18:25:40 UTC 2016



On 24/10/16 18:03, Boris S. via samba wrote:
>
> Hello,
>
> since I upgraded my NT4 domain Samba 4.2.11 to 4.2.14 I can no longer
> authenticate when I access any share.
> After that I even upgraded to Samba 4.4.5 but still get the same error:
>
>
> [2016/10/15 04:42:19.786198,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [xx] -> [xx] -> [xx] succeeded
> [2016/10/15 04:42:19.789933,  1] ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
>   ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx] domain=[XXXXXXX] workstation=[XXXXX]
> [2016/10/15 04:42:19.789982,  1] ../lib/util/util.c:559(dump_data)
>   [0000] 97 BD D0 A6 D7 16 E4 0A   59 33 62 ED CC 6A 35 04 ........ Y3b..j5.
> [2016/10/15 04:42:19.790035,  1] ../lib/util/util.c:559(dump_data)
>   [0000] F2 85 BB 00 46 11 89 C4   84 E3 2C 4C 5D FA F4 6A ....F... ..,L]..j
> [2016/10/15 04:42:19.790095,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
>
>
> Server: FreeBSD 10.3/64 bit
> Clients: Windows 7 64bit
>
> When I downgrade to 4.2.11 everything works again.
> An upgrade to DC is currently not an option so I need to stick to NT4
> PDC for a while.
>
> I duplicated the whole server to a VM, so I could test anything and
> wouldn't harm the production server.
>
> Any idea what might be the cause?
> Do you need more information?
>
>
>
>
> My smb.conf:
>
> [global]
>
>    workgroup = XXXXXXX
>    netbios name = SERVER
>    unix password sync = false
>    max log size = 100
>    unix extensions = no
>    log level = 2 vfs:2
>    map to guest = Bad User
>    server max protocol = smb2
>    server min protocol = smb2
>    passdb backend = tdbsam
>    unix charset = ISO8859-1
>    dos charset = CP1252
>    bind interfaces only = yes
>    hosts allow = 192.168.255. 127.
>    acl allow execute always = True
>    load printers = no
>    log file = /var/log/samba4/log.%m
>    log level = 2
>    security = user
>    encrypt passwords = yes
>    interfaces = em0, lo0
>    local master = yes
>    os level = 65
>    domain master = yes
>    preferred master = yes
>    domain logons = yes
>    wins support = yes
>    wins proxy = yes
>    dns proxy = no
>
>
>
>

I have had pretty much the same issue against CentOS 6.x/Samba 3.x DCs
from Samba 4.2.x (CentOS) and 4.4.x (Sernet) File servers.

Please look at BZ#12393 and add your findings:
https://bugzilla.samba.org/show_bug.cgi?id=12303

We upgraded our DCs to 4.4.x and it went away. Are you /really/ still
running actual NT4 DCs? Wow....

Cheers

Alex



