[Samba] RODC and LDAP via Simple Authentication fails

Johannes Engel jcnengel+samba at gmail.com
Mon Jan 22 20:30:37 UTC 2018


That was exactly what I was looking for. I hope 4.8 is not too far
away... ;)

In the meantime I found this in the logs at level 2:

[2018/01/22 21:15:50.010307,  3]
../source4/auth/ntlm/auth.c:240(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user
[(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com]@[(null)]
  auth_check_password_send: user is: [MYDOMAIN]\[ldap]@[(null)]
[2018/01/22 21:15:50.016870,  3]
../source4/dsdb/repl/drepl_secret.c:145(drepl_repl_secret)
  ../source4/dsdb/repl/drepl_secret.c:145: started secret replication
for CN=ldap,CN=Users,DC=my,DC=domain,DC=com
[2018/01/22 21:15:50.017031,  3]
../libcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)
  resolve_lmhosts: Attempting lmhosts lookup for name
ef201f76-caaa-40b7-9ff2-41b4790dcf4d._msdcs.my.domain.com<0x20>
[2018/01/22 21:15:50.022197,  2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam_failtrusts authentication for user
[MYDOMAIN\ldap] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET,
authoritative=1
[2018/01/22 21:15:50.026733,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [LDAP,simple bind] user
[(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com] at [Mon, 22 Jan 2018
21:15:50.026694 CET] with [Plaintext] status
[NT_STATUS_NO_TRUST_LSA_SECRET] workstation [(null)] remote host
[ipv4:192.168.10.60:51622] mapped to [MYDOMAIN]\[ldap]. local host
[ipv4:192.168.10.60:636]
[2018/01/22 21:15:50.027299,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-01-22T21:15:50.026864+0100",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress":
"ipv4:192.168.10.60:636", "clientDomain": null, "remoteAddress":
"ipv4:192.168.10.60:51622", "serviceDescription": "LDAP",
"passwordType": "Plaintext", "authDescription": "simple bind",
"mappedDomain": "MYDOMAIN", "netlogonSecureChannelType": 0,
"clientAccount": "cn=LDAP,cn=Users,dc=my,dc=domain,dc=com",
"becameAccount": null, "workstation": null, "becameDomain": null,
"becameSid": "(NULL SID)", "mappedAccount": "ldap", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonTrustAccountSid": "(NULL SID)"}}
[2018/01/22 21:15:50.027400,  3]
../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/01/22 21:15:50.031314,  3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2018/01/22 21:15:50.031680,  2]
../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT]
[2018/01/22 21:15:50.045176,  2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 16200 () exited with status 0
[2018/01/22 21:15:50.052762,  3]
../libcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)
  resolve_lmhosts: Attempting lmhosts lookup for name
ef201f76-caaa-40b7-9ff2-41b4790dcf4d._msdcs.my.domain.com<0x20>
[2018/01/22 21:15:50.090394,  3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/01/22 21:15:52.380162,  2]
../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
  Replicated 0 objects (0 linked attributes) for DC=my,DC=domain,DC=com
[2018/01/22 21:15:52.380345,  3]
../source4/dsdb/repl/drepl_secret.c:57(drepl_repl_secret_callback)
  ../source4/dsdb/repl/drepl_secret.c:57: repl secret completed OK for
'CN=ldap,CN=Users,DC=my,DC=domain,DC=com'

Does that help?
Best regards
Johannes

On 22.01.2018 at 21:08, Andrew Bartlett wrote:
> On Mon, 2018-01-22 at 20:56 +0100, Johannes Engel via samba wrote:
>> Hi Andrew,
>>
>> I am deeply impressed by your speed! :D
>>
>> The RODC is actually Samba 4.7.4, the other DCs are still on 4.6.12.
>>
>> Any suggestion how I can debug this w/o setting everything on level 10? ;)
> Just turn up the logs one level at a time until something comes out.  
>
> Upgrading the other DCs to 4.7 (carefully, per my other mail) might
> help, as it would then match what our tests do, but I can't think of
> how exactly.  
>
> In the long run it will ensure that the bad password count and lockout
> is correctly handled. 
>
> Samba 4.8 will make this a little easier to debug because 'auth' is now
> accepted as a debug class in the AD DC, so you can see those logs more
> specifically with something like 'log level = 3 auth:5 winbind:5'.
>
> I hope this helps,
>
> Andrew Bartlett
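A defender-side parser for the "JSON Authentication" event format that appears in the level-2 log above, flagging failed LDAP simple binds such as the NT_STATUS_NO_TRUST_LSA_SECRET one on the RODC. This is an added example, not code from the thread or from Samba; the sample lines are constructed from the event quoted in this mail (joined back onto one line) plus a made-up successful bind for contrast.

```python
import json

# Constructed sample: the failed RODC bind from the thread, joined onto one line,
# plus an invented successful bind so the filter has something to ignore.
SAMPLE_LOG = [
    '[2018/01/22 21:15:50.027299,  2] ../auth/auth_log.c:220(log_json)',
    '  JSON Authentication: {"timestamp": "2018-01-22T21:15:50.026864+0100", '
    '"type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, '
    '"status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress": "ipv4:192.168.10.60:636", '
    '"clientDomain": null, "remoteAddress": "ipv4:192.168.10.60:51622", '
    '"serviceDescription": "LDAP", "passwordType": "Plaintext", "authDescription": "simple bind", '
    '"mappedDomain": "MYDOMAIN", "netlogonSecureChannelType": 0, '
    '"clientAccount": "cn=LDAP,cn=Users,dc=my,dc=domain,dc=com", "becameAccount": null, '
    '"workstation": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "ldap", '
    '"netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", '
    '"netlogonTrustAccountSid": "(NULL SID)"}}',
    '  JSON Authentication: {"timestamp": "2018-01-22T21:16:01.000000+0100", "type": "Authentication", '
    '"Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", '
    '"serviceDescription": "LDAP", "passwordType": "Plaintext", "authDescription": "simple bind", '
    '"mappedDomain": "MYDOMAIN", "mappedAccount": "svc", "remoteAddress": "ipv4:192.168.10.61:40000", '
    '"clientAccount": "cn=svc,cn=Users,dc=my,dc=domain,dc=com"}}',
]

JSON_PREFIX = "JSON Authentication: "


def parse_auth_event(line):
    """Return the inner "Authentication" dict of a Samba JSON auth log line, or None."""
    idx = line.find(JSON_PREFIX)
    if idx < 0:
        return None
    try:
        ev = json.loads(line[idx + len(JSON_PREFIX):])
    except json.JSONDecodeError:
        return None
    if ev.get("type") != "Authentication":
        return None
    return ev.get("Authentication")


def failed_simple_binds(lines):
    """Collect LDAP simple binds that did not end in NT_STATUS_OK, with the fields
    an operator wants first: NT status, bound DN, mapped account, peer, plaintext flag."""
    hits = []
    for line in lines:
        a = parse_auth_event(line)
        if a is None or a.get("serviceDescription") != "LDAP":
            continue
        if a.get("authDescription") != "simple bind" or a.get("status") == "NT_STATUS_OK":
            continue
        hits.append({
            "status": a.get("status"),
            "account": a.get("clientAccount"),
            "mapped": f'{a.get("mappedDomain")}\\{a.get("mappedAccount")}',
            "remote": a.get("remoteAddress"),
            "plaintext": a.get("passwordType") == "Plaintext",
        })
    return hits
```

Real Samba log files wrap these events across lines exactly as the mail shows, so join continuation lines before feeding them to `failed_simple_binds`.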

