[Samba] Fwd: Unable to change passwords from Win XP Pro clients

Eleuterio Contracampo econtracampo at gmail.com
Fri Apr 21 16:00:59 UTC 2017


Sorry, I missed some relevant part of the logs after the suggested changes:

Kerberos: AS-REQ user2 at MYDOMAIN from ipv4:192.168.44.56:2080 for
krbtgt/MYDOMAIN at MYDOMAIN

[2017/04/21 12:47:37.526742, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

Kerberos: Client sent patypes: encrypted-timestamp, 128

[2017/04/21 12:47:37.526772, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

Kerberos: Looking for PKINIT pa-data -- user2 at MYDOMAIN

[2017/04/21 12:47:37.526791, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

Kerberos: Looking for ENC-TS pa-data -- user2 at MYDOMAIN

[2017/04/21 12:47:37.526934, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)

Kerberos: ENC-TS Pre-authentication succeeded -- user2 at MYDOMAIN using
arcfour-hmac-md5

[2017/04/21 12:47:37.526965, 2]
../source4/auth/sam.c:218(authsam_account_ok)

sam_account_ok: Account for user 'user2 at MYDOMAIN' password must change!.

[2017/04/21 12:47:45.429986, 2]
../source4/nbt_server/dgram/netlogon.c:198(nbtd_mailslot_netlogon_handler)

nbtd netlogon handler failed from 192.168.40.112:138 to CER<1c> -
NT_STATUS_BAD_NETWORK_NAME

[2017/04/21 12:47:45.430057, 2]
../source4/nbt_server/dgram/netlogon.c:198(nbtd_mailslot_netlogon_handler)

nbtd netlogon handler failed from 192.168.40.112:138 to CER<1c> -
NT_STATUS_BAD_NETWORK_NAME

[2017/04/21 12:47:45.593337, 2]
../source4/nbt_server/dgram/netlogon.c:198(nbtd_mailslot_netlogon_handler)

nbtd netlogon handler failed from 192.168.40.112:138 to CER<1c> -
NT_STATUS_BAD_NETWORK_NAME

[2017/04/21 12:47:45.593408, 2]
../source4/nbt_server/dgram/netlogon.c:198(nbtd_mailslot_netlogon_handler)

nbtd netlogon handler failed from 192.168.40.112:138 to CER<1c> -
NT_STATUS_BAD_NETWORK_NAME

[2017/04/21 12:47:54.894173, 3]
../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)

ldb_wrap open of secrets.ldb

[2017/04/21 12:47:54.894544, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

Got NTLMSSP neg_flags=0xe208b2b7

[2017/04/21 12:47:54.897859, 3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0

[2017/04/21 12:47:54.897907, 3]
../source4/auth/ntlm/auth.c:270(auth_check_password_send)

auth_check_password_send: Checking password for unmapped user
[]\[]@[HOSTYYY]

auth_check_password_send: mapped user is: [MYDOMAIN]\[]@[HOSTYYY]

[2017/04/21 12:47:54.897976, 0]
../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)

Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6

[2017/04/21 12:47:54.901039, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

Terminating connection - 'dcesrv: dcesrv_fault_disconnect'

[2017/04/21 12:47:54.901078, 3]
../source4/smbd/process_single.c:114(single_terminate)

single_terminate: reason[dcesrv: dcesrv_fault_disconnect]

[2017/04/21 12:47:54.957292, 3]
../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)

ldb_wrap open of secrets.ldb

[2017/04/21 12:47:54.957653, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

Got NTLMSSP neg_flags=0xe208b2b7

[2017/04/21 12:47:54.960943, 3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0

[2017/04/21 12:47:54.960984, 3]
../source4/auth/ntlm/auth.c:270(auth_check_password_send)

auth_check_password_send: Checking password for unmapped user
[]\[]@[HOSTYYY]

auth_check_password_send: mapped user is: [MYDOMAIN]\[]@[HOSTYYY]

[2017/04/21 12:47:54.961041, 0]
../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)

Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6

[2017/04/21 12:47:54.964150, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

Terminating connection - 'dcesrv: dcesrv_fault_disconnect'

[2017/04/21 12:47:54.964187, 3]
../source4/smbd/process_single.c:114(single_terminate)

single_terminate: reason[dcesrv: dcesrv_fault_disconnect]

[2017/04/21 12:47:55.147539, 3]
../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)

ldb_wrap open of secrets.ldb

[2017/04/21 12:47:55.147901, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

Got NTLMSSP neg_flags=0xe208b2b7

[2017/04/21 12:47:55.152947, 3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0

[2017/04/21 12:47:55.152989, 3]
../source4/auth/ntlm/auth.c:270(auth_check_password_send)

auth_check_password_send: Checking password for unmapped user
[]\[]@[HOSTYYY]

auth_check_password_send: mapped user is: [MYDOMAIN]\[]@[HOSTYYY]

[2017/04/21 12:47:55.153046, 0]
../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)

Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6

[2017/04/21 12:47:55.156384, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

Terminating connection - 'dcesrv: dcesrv_fault_disconnect'

[2017/04/21 12:47:55.156424, 3]
../source4/smbd/process_single.c:114(single_terminate)

single_terminate: reason[dcesrv: dcesrv_fault_disconnect]

[2017/04/21 12:47:55.215248, 3]
../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)

ldb_wrap open of secrets.ldb

[2017/04/21 12:47:55.215605, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

Got NTLMSSP neg_flags=0xe208b2b7

[2017/04/21 12:47:55.219199, 3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0

[2017/04/21 12:47:55.219241, 3]
../source4/auth/ntlm/auth.c:270(auth_check_password_send)

auth_check_password_send: Checking password for unmapped user
[]\[]@[HOSTYYY]

auth_check_password_send: mapped user is: [MYDOMAIN]\[]@[HOSTYYY]

[2017/04/21 12:47:55.219297, 0]
../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)

Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6



On Fri, Apr 21, 2017 at 11:57 AM, Eleuterio Contracampo <
econtracampo at gmail.com> wrote:

> Thank you Rowland!!
>
> Sorry about my ignorance. I guess I tried many different things and
> polluted the smb.conf file.
>
> I've removed every single line you mentioned from my smb.conf. Still the
> problem persists:
>
> MYDOMAIN\Administrator (S-1-5-21-1965676298-842383976-2353361141-500) is changing password of user2 at MYDOMAIN.org.ar
>
> [2017/04/21 12:05:42.233899, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>
> [2017/04/21 12:05:42.233940, 3] ../source4/smbd/process_single.c:114(single_terminate)
>
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> [2017/04/21 12:05:45.687345, 2] ../source4/dsdb/repl/drepl_notify.c:199(dreplsrv_notify_op_callback)
>
> dreplsrv_notify: DsReplicaSync successfuly sent to 375d3482-b7f4-49ae-839b-2ca6a2be9698._msdcs.MYDOMAIN.org.ar
>
> [2017/04/21 12:05:46.691655, 2] ../source4/rpc_server/drsuapi/getncchanges.c:1428(getncchanges_collect_objects)
>
> ../source4/rpc_server/drsuapi/getncchanges.c:1428: getncchanges on DC=MYDOMAIN,DC=org,DC=ar using filter (uSNChanged>=7425)
>
> [2017/04/21 12:05:46.733142, 3] ../source4/rpc_server/drsuapi/getncchanges.c:2008(dcesrv_drsuapi_DsGetNCChanges)
>
> UpdateRefs on getncchanges for 375d3482-b7f4-49ae-839b-2ca6a2be9698
>
> [2017/04/21 12:05:46.734033, 2] ../source4/rpc_server/drsuapi/getncchanges.c:2115(dcesrv_drsuapi_DsGetNCChanges)
>
> DsGetNCChanges with uSNChanged >= 7425 flags 0x00000074 on <GUID=17a35154-99b3-44c6-8829-a5db4acf402c>;<SID=S-1-5-21-1965676298-842383976-2353361141>;DC=MYDOMAIN,DC=org,DC=ar
>
> gave 1 objects (done 1/1) 0 links (done 0/0 (as S-1-5-21-1965676298-842383976-2353361141-1105))
>
>
> Same behavior: win7 clients work, win XP clients don't. Anything else I
> should try?
>
> thanks again,
>
> EC
>
> On Fri, Apr 21, 2017 at 11:30 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 21 Apr 2017 10:39:58 -0400
>> Eleuterio Contracampo via samba <samba at lists.samba.org> wrote:
>>
>> > Hello everyone,
>> >
>> > First time with Samba 4.
>> > I've got it running mostly (with Windows 7 clients, everything works
>> > like a charm.), but I'm struggling with an issue that is driving me
>> > nuts (spent countless hours trying out stuff and googling without
>> > luck):
>> >
>> > When users log in from Win XP Pro terminals, and are forced to change
>> > initially assigned passwords, they get an error (1728: error in RPC
>> > protocol) and cannot continue.
>> >
>> > *Some background about my setup:*
>> > PDC: SERV5N
>> > BDC: SERV6N
>>
>> You do not have a 'PDC' & 'BDC', you have two AD DCs
>>
>>
>> > *My smb.conf (PDC):*
>> >
>> > # Global parameters
>> >
>> > [global]
>>
>> Remove this lot from smb.conf:
>>
>>     wins support = yes
>>     security = user
>>     os level = 65
>>     domain logons = yes
>>     preferred master = yes
>>     domain master = yes
>>     local master = yes
>>     name resolve order = host wins lmhosts bcast
>>     remote announce = 192.168.40.255
>>     remote browse sync = 192.168.40.255
>>     passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.40.213"
>>     ldap suffix = dc=MYDOMAIN,dc=org,dc=ar
>>     ldap user suffix = ou=users
>>     ldap machine suffix = ou=machines
>>     ldap group suffix = ou=groups
>>     ldap admin dn = cn=admin,dc=MYDOMAIN,dc=org,dc=ar
>>     ldap delete dn = no
>>     acl:search = false
>>     kerberos method = secrets only
>>     vfs objects = fileid acl_xattr
>>     map acl inherit = yes
>>     store dos attributes = yes
>>     ldap passwd sync = yes
>>
>> They are either default settings or have absolutely no place in an AD
>> DC smb.conf. The 'ldap' lines should only be used on an ldap based Samba
>> machine, not an AD DC, 'acl_xattr' is built into the samba binary.
>> Finally 'ldap passwd sync' only makes sense when you want the local
>> users' passwords to sync with the users in ldap, only problem is, you
>> cannot have a local user with the same name as an AD user.
>>
>> Rowland
>>
>>
>
>
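A triage helper for the log excerpt at the top of this message, added here as an example and not part of the original post or of Samba: it pairs each "mandetory feature SIGN" failure with the NTLMSSP flags and workstation logged just before it. The sample log is constructed from lines in this message; the function names are hypothetical, and the flag bit values are the NTLMSSP negotiate flags from MS-NLMP.

```python
import re

# Constructed sample: one failing exchange copied from the log in this message.
SAMPLE_LOG = """\
[2017/04/21 12:47:54.894544, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

Got NTLMSSP neg_flags=0xe208b2b7

[2017/04/21 12:47:54.897859, 3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

Got user=[] domain=[] workstation=[HOSTYYY] len1=1 len2=0

[2017/04/21 12:47:54.897976, 0]
../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)

Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
"""

# NTLMSSP negotiate flag bits (MS-NLMP), limited to the signing-related ones.
FLAGS = {0x10: "SIGN", 0x20: "SEAL", 0x8000: "ALWAYS_SIGN",
         0x80000: "EXTENDED_SESSIONSECURITY", 0x20000000: "128",
         0x40000000: "KEY_EXCH"}
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s+(\d+)\]")
SOURCE = re.compile(r"^\.\./\S+\.c:\d+\(\w+\)$")  # wrapped file:line(func) line

def parse_records(text):
    """Return (timestamp, level, message) per '[time, level]' header."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), []])
        elif records and line.strip() and not SOURCE.match(line.strip()):
            records[-1][2].append(line.strip())
    return [(ts, lvl, " ".join(msg)) for ts, lvl, msg in records]

def sign_failures(text):
    """Pair each SIGN negotiation failure with the preceding NTLMSSP state."""
    out, flags, who = [], None, None
    for ts, _lvl, msg in parse_records(text):
        if m := re.search(r"neg_flags=(0x[0-9a-fA-F]+)", msg):
            flags = int(m.group(1), 16)
        elif m := re.search(r"user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]", msg):
            who = m.groups()
        elif "feature SIGN for dcerpc auth_level" in msg and flags is not None and who:
            out.append({"time": ts, "workstation": who[2],
                        "empty_user": who[0] == "",  # user=[] in the log line
                        "flags": sorted(n for b, n in FLAGS.items() if flags & b)})
    return out
```

Run over a full log, `sign_failures()` lists which workstations hit the signing check and whether the session was logged with an empty user name.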

