[Samba] Fwd: Unable to change passwords from Win XP Pro clients

Eleuterio Contracampo econtracampo at gmail.com
Fri Apr 21 14:39:58 UTC 2017


Hello everyone,

First time with Samba 4.
I've got it running mostly (with Windows 7 clients, everything works like a
charm), but I'm struggling with an issue that is driving me nuts (spent
countless hours trying out stuff and googling without luck):

When users log in from Win XP Pro terminals, and are forced to change
initially assigned passwords, they get an error (1728: error in RPC
protocol) and cannot continue.

If as an administrator, I force a given password, accounts work without a
problem.

*Some background about my setup:*
PDC: SERV5N
BDC: SERV6N

root@serv5n:/var/log/samba# samba --version
Version 4.3.11-Ubuntu

root@serv5n:/var/log/samba# uname -a
Linux serv5n.mydomain.org.ar 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

root@serv5n:/var/log/samba# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded

root@serv6n:/var/log/samba# samba-tool ldapcmp ldap://SERV5N ldap://SERV6N -Uadministrator --filter=WhenChanged
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Password for [MYDOMAIN\administrator]:
* Comparing [DOMAIN] context...
* Objects to be compared: 571
* Result for [DOMAIN]: SUCCESS
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1616
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1550
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 50
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 18
* Result for [DNSFOREST]: SUCCESS


*My smb.conf (PDC):*

# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.ORG.AR
netbios name = SERV5N
server role = active directory domain controller
wins support = yes
dns forwarder = 8.8.8.8
allow dns updates = nonsecure
idmap_ldb:use rfc2307 = yes
security = user
map to guest = bad user
guest account = nobody
tls enabled = yes
tls keyfile = /etc/samba/tls/PDC_key.pem
tls certfile = /etc/samba/tls/PDC_cert.pem
tls cafile =
log level = 3
server string = %h Server (Samba, Linux)
os level = 65
domain logons = yes
preferred master = yes
domain master = yes
local master = yes
name resolve order = host wins lmhosts bcast
remote announce = 192.168.40.255
remote browse sync = 192.168.40.255
passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.40.213"
ldap suffix = dc=MYDOMAIN,dc=org,dc=ar
ldap user suffix = ou=users
ldap machine suffix = ou=machines
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=MYDOMAIN,dc=org,dc=ar
ldap delete dn = no
acl:search = false
kerberos method = secrets only
vfs objects = fileid acl_xattr
map acl inherit = yes
store dos attributes = yes
ldap passwd sync = yes
ldap server require strong auth = no

# printing
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw

# added for printing performance
# (smb.conf only treats whole lines starting with # or ; as comments,
# so the child-count comments sit on their own lines)
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
# Minimum number of child processes
spoolssd:prefork_min_children = 5
# Maximum number of child processes
spoolssd:prefork_max_children = 25
spoolssd:prefork_spawn_rate = 5
spoolssd:prefork_max_allowed_clients = 100
spoolssd:prefork_child_min_life = 60

[netlogon]
path = /var/lib/samba/sysvol/MYDOMAIN.org.ar/scripts
read only = No
browsable = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes

[profiles]
path = /srv/samba/profiles
writable = yes
browsable = no
guest ok = no
create mask = 0600
directory mask = 0700

[grupos]
path = /srv/samba/groups
read only = No

[printers]
comment = All Printers
browseable = yes
path = /var/spool/samba
printable = yes
writable = no
guest ok = no
read only = yes
create mode = 0700
write list = @adm root

# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

*Finally, some lines from log.samba:*

root@serv5n:/var/log/samba# tail -f log.samba
[2017/04/21 10:46:05.255993, 3] ../source4/rpc_server/drsuapi/getncchanges.c:2008(dcesrv_drsuapi_DsGetNCChanges)
  UpdateRefs on getncchanges for 375d3482-b7f4-49ae-839b-2ca6a2be9698
[2017/04/21 10:46:05.256822, 2] ../source4/rpc_server/drsuapi/getncchanges.c:2115(dcesrv_drsuapi_DsGetNCChanges)
  DsGetNCChanges with uSNChanged >= 3690 flags 0x00000074 on <GUID=aee82ef2-3986-40f4-b177-9107b71151d5>;CN=Schema,CN=Configuration,DC=mydomain,DC=org,DC=ar gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-1965676298-842383976-2353361141-1105))
[2017/04/21 10:46:05.554761, 2] ../source4/rpc_server/drsuapi/getncchanges.c:1428(getncchanges_collect_objects)
  ../source4/rpc_server/drsuapi/getncchanges.c:1428: getncchanges on CN=Configuration,DC=mydomain,DC=org,DC=ar using filter (uSNChanged>=4145)
[2017/04/21 10:46:05.614599, 3] ../source4/rpc_server/drsuapi/getncchanges.c:2008(dcesrv_drsuapi_DsGetNCChanges)
  UpdateRefs on getncchanges for 375d3482-b7f4-49ae-839b-2ca6a2be9698
[2017/04/21 10:46:05.615409, 2] ../source4/rpc_server/drsuapi/getncchanges.c:2115(dcesrv_drsuapi_DsGetNCChanges)
  DsGetNCChanges with uSNChanged >= 4145 flags 0x00000074 on <GUID=5b78c03c-b01f-4e3d-b60c-6043859d22ad>;CN=Configuration,DC=mydomain,DC=org,DC=ar gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-1965676298-842383976-2353361141-1105))
[2017/04/21 10:46:05.796273, 2] ../source4/rpc_server/drsuapi/getncchanges.c:1428(getncchanges_collect_objects)
  ../source4/rpc_server/drsuapi/getncchanges.c:1428: getncchanges on DC=mydomain,DC=org,DC=ar using filter (uSNChanged>=7410)
[2017/04/21 10:46:05.836114, 3] ../source4/rpc_server/drsuapi/getncchanges.c:2008(dcesrv_drsuapi_DsGetNCChanges)
  UpdateRefs on getncchanges for 375d3482-b7f4-49ae-839b-2ca6a2be9698
[2017/04/21 10:46:05.836971, 2] ../source4/rpc_server/drsuapi/getncchanges.c:2115(dcesrv_drsuapi_DsGetNCChanges)
  DsGetNCChanges with uSNChanged >= 7410 flags 0x00000074 on <GUID=17a35154-99b3-44c6-8829-a5db4acf402c>;<SID=S-1-5-21-1965676298-842383976-2353361141>;DC=mydomain,DC=org,DC=ar gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-1965676298-842383976-2353361141-1105))

[2017/04/21 10:46:08.819667, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ.org.ar', forwarding
[2017/04/21 10:46:08.857099, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ', forwarding
[2017/04/21 10:46:08.887511, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ', forwarding
[2017/04/21 10:46:08.915863, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ', forwarding
[2017/04/21 10:46:08.922533, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ', forwarding
[2017/04/21 10:46:08.952902, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ', forwarding
[2017/04/21 10:46:08.981669, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
  dns child failed to find name 'HOSTXYZ' of type A
[2017/04/21 10:46:08.989338, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ', forwarding
[2017/04/21 10:46:08.995976, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ', forwarding
[2017/04/21 10:46:09.026943, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ', forwarding
[2017/04/21 10:46:09.033926, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ', forwarding
[2017/04/21 10:46:09.040783, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'HOSTXYZ', forwarding

[2017/04/21 10:46:15.942031, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ user1@mydomain from ipv4:192.168.44.56:1382 for krbtgt/mydomain@mydomain
[2017/04/21 10:46:15.945779, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2017/04/21 10:46:15.945817, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- user1@mydomain
[2017/04/21 10:46:15.945836, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- user1@mydomain
[2017/04/21 10:46:15.945919, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- user1@mydomain using arcfour-hmac-md5
[2017/04/21 10:46:15.945953, 2] ../source4/auth/sam.c:218(authsam_account_ok)
  sam_account_ok: Account for user 'user1@mydomain' password must change!.

[2017/04/21 10:46:22.681717, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'PROGRAM', forwarding
[2017/04/21 10:46:22.688894, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'PROGRAM', forwarding
[2017/04/21 10:46:22.695961, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'PROGRAM', forwarding
[2017/04/21 10:46:22.702968, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'PROGRAM', forwarding
[2017/04/21 10:46:22.709922, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'PROGRAM', forwarding
[2017/04/21 10:46:22.718366, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
  dns child failed to find name 'PROGRAM' of type A
[2017/04/21 10:46:22.724544, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'PROGRAM', forwarding
[2017/04/21 10:46:22.752076, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'PROGRAM', forwarding
[2017/04/21 10:46:22.759247, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'PROGRAM', forwarding
[2017/04/21 10:46:22.766084, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'PROGRAM', forwarding
[2017/04/21 10:46:22.773333, 2] ../source4/dns_server/dns_query.c:626(dns_server_process_query_send)
  Not authoritative for 'PROGRAM', forwarding

[2017/04/21 10:46:27.510607, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/04/21 10:46:27.510985, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe208b2b7
[2017/04/21 10:46:27.515204, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 10:46:27.515253, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user []\[]@[HOSTYYY]
  auth_check_password_send: mapped user is: [mydomain]\[]@[HOSTYYY]
[2017/04/21 10:46:27.515312, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2017/04/21 10:46:27.518367, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2017/04/21 10:46:27.518413, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2017/04/21 10:46:27.578922, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/04/21 10:46:27.579290, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe208b2b7
[2017/04/21 10:46:27.584524, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 10:46:27.584571, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user []\[]@[HOSTYYY]
  auth_check_password_send: mapped user is: [mydomain]\[]@[HOSTYYY]
[2017/04/21 10:46:27.584621, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2017/04/21 10:46:27.588475, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2017/04/21 10:46:27.588518, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2017/04/21 10:46:27.658991, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/04/21 10:46:27.659355, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe208b2b7
[2017/04/21 10:46:27.664123, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 10:46:27.664174, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user []\[]@[HOSTYYY]
  auth_check_password_send: mapped user is: [mydomain]\[]@[HOSTYYY]
[2017/04/21 10:46:27.664229, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2017/04/21 10:46:27.667372, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2017/04/21 10:46:27.667415, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2017/04/21 10:46:27.758583, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/04/21 10:46:27.758980, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe208b2b7
[2017/04/21 10:46:27.763160, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 10:46:27.763211, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user []\[]@[HOSTYYY]
  auth_check_password_send: mapped user is: [mydomain]\[]@[HOSTYYY]
[2017/04/21 10:46:27.763265, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2017/04/21 10:46:27.766642, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2017/04/21 10:46:27.766693, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: dcesrv_fault_disconnect]


Cannot figure out what is going on. Any hint would be most appreciated!!

Thanks in advance,

EC
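As an added example (not part of the original post or of Samba itself), the script below parses log.samba entries in the format quoted above and correlates the "password must change" logon with the repeated DCERPC binds the DC dropped because the client would not negotiate SIGN at auth_level 6, counting the rejections per workstation so an admin can see which clients are affected. The sample log text is constructed from the entries in the post; the function names are assumptions of this example.

```python
import re
from collections import Counter

# A log.samba entry is a header "[date time, level] file:line(function)"
# followed by one or more indented message lines.
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\]\s+(\S+):(\d+)\((\w+)\)\s*$")

def parse_samba_log(text):
    """Return a list of {ts, func, msg} dicts, one per log entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m.group(1), "func": m.group(5), "msg": ""}
            entries.append(current)
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return entries

def unsigned_rpc_rejections(entries):
    """Per-workstation count of DCERPC binds refused because the client did not
    negotiate SIGN; the workstation comes from the preceding preauth entry."""
    counts, workstation = Counter(), "<unknown>"
    for e in entries:
        if e["func"] == "ntlmssp_server_preauth":
            m = re.search(r"workstation=\[([^\]]*)\]", e["msg"])
            workstation = m.group(1) if m else "<unknown>"
        elif e["func"] == "gensec_verify_dcerpc_auth_level" and "SIGN" in e["msg"]:
            counts[workstation] += 1
    return dict(counts)

def must_change_users(entries):
    """Users whose logon authsam_account_ok flagged as 'password must change'."""
    hits = [re.search(r"user '([^']+)'", e["msg"]) for e in entries
            if e["func"] == "authsam_account_ok" and "password must change" in e["msg"]]
    return sorted({m.group(1) for m in hits if m})

# Constructed sample, modelled on the entries quoted in the post above.
SAMPLE_LOG = """\
[2017/04/21 10:46:15.945953, 2] ../source4/auth/sam.c:218(authsam_account_ok)
  sam_account_ok: Account for user 'user1@mydomain' password must change!.
[2017/04/21 10:46:27.515204, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 10:46:27.515312, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2017/04/21 10:46:27.584524, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0
[2017/04/21 10:46:27.584621, 0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
"""
```

On a real DC, feed it the log file instead of the sample: `unsigned_rpc_rejections(parse_samba_log(open("/var/log/samba/log.samba").read()))` returns the per-workstation counts.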

