[Samba] One DC cannot authenticate off of another DC

Matthew Delfino mdelfino.list.samba at knockinc.com
Tue Jun 25 23:11:46 UTC 2019


Hello Samba Friends,


I have a single DC (we'll call it, "DC1") that simply will not take my password when I run this command: 


#samba-tool ldapcmp ldap://dc2 ldap://dc3 -Uadministrator 


Or this command: 


#samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator 


I basically get this: 


> Password for [SAMDOM\administrator]: 
> Password for [SAMDOM\administrator]: 
> Password for [SAMDOM\administrator]: 
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, > v1db1> <> 
> Failed to connect to 'ldap://dc2' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <> 
> ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <> 
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run 
>     return self.run(*args, **kwargs) 
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 942, in run 
>     outf=self.outf, errf=self.errf, skip_missing_dn=skip_missing_dn) 
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 64, in __init__ 
>     options=ldb_options) 
>   File "/usr/lib/python3/dist-packages/samba/__init__.py", line 115, in __init__ 
>     self.connect(url, flags, options) 


It *will* authenticate when I run this command, which implies that DC2 is the one who doesn't like my password, but only when it comes from DC1: 


#samba-tool ldapcmp ldap://dc1 ldap://dc3 -Uadministrator 


From DC2 and DC3, I can run all three of those commands with success. 


What could cause one of my DCs (DC2) to hate my password only when it comes from one of my other DCs (DC1)? And, by the way, under that circumstance, it seems to hate every username and password combination I have that I could think to try ("-Umatthewdelfino", for example). 


What have I already tried? I've demoted and re-promoted all of the DCs, which didn't make things any better. Passwords still fail in the same manner, but now every time I do an ldapcmp from samba-tool, I see a complaint about "serverReferenceBL," either as an attribute that doesn't exist in DC1 for 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET', or as an uncaught exception like this: 


> ERROR(<class 'KeyError'>): uncaught exception - 'serverReferenceBL' 
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run 
>     return self.run(*args, **kwargs) 
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 957, in run 
>     if b1.diff(b2): 
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 781, in diff 
>     if object1 == object2: 
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 549, in __eq__ 
>     return self.cmp_attrs(other) 
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 590, in cmp_attrs 
>     if isinstance(self.attributes[x], list) and isinstance(other.attributes[x], list): 


(And all of that SERVERREFERENCEBL stuff is probably unrelated. It's just very irritating, as it seems to be an attribute created during a DC promotion/domain join, but not during subsequent replications, and the ldapcmp always notices it.)


Can anyone provide some guidance? 


Thanks,
Matthew
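The pairwise ldapcmp checks described in the post, scripted so that every ordered DC pair is tried from the current host and the AD "data NNN" sub-code in an LDAP error 49 bind failure is decoded. This is an added example, not code from the post or from the Samba project; it assumes samba-tool is on PATH, that dc1/dc2/dc3 are placeholder hostnames as in the post, that the bind user is read from the LDAP_USER environment variable (default administrator), and that samba-tool will prompt for the password interactively. The sub-code table is the standard AD AcceptSecurityContext set; 52e (logon failure) is the one in the post.

```sh
#!/bin/sh
# Added example, not from the original post or from Samba itself.
# Runs samba-tool ldapcmp for every ordered pair of DCs given on the
# command line and decodes the "data NNN" sub-code of an LDAP error 49
# bind failure, so "bad password" can be told apart from "account locked".

# Standard AD AcceptSecurityContext sub-codes (hex, as printed by the DC).
decode_bind_data_code() {
    case "$1" in
        525) echo "user not found" ;;
        52e) echo "logon failure (bad username or password)" ;;
        530) echo "not permitted to logon at this time" ;;
        531) echo "not permitted to logon from this workstation" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "account locked out" ;;
        *)   echo "unknown sub-code $1" ;;
    esac
}

# Read ldapcmp/ldb output on stdin and print the "data NNN" sub-code of the
# first LDAP_INVALID_CREDENTIALS line; prints nothing if there is none.
extract_bind_data_code() {
    sed -n 's/.*LDAP_INVALID_CREDENTIALS.*data \([0-9a-f]*\).*/\1/p' | head -n1
}

# Compare two DCs once. Prints a one-line verdict and returns non-zero on
# a failed bind or a failed comparison. The password prompt still goes to
# the terminal; only the command's text output is captured here.
ldapcmp_pair() {
    a="$1"; b="$2"; user="${LDAP_USER:-administrator}"
    out=$(samba-tool ldapcmp "ldap://$a" "ldap://$b" -U"$user" 2>&1)
    rc=$?
    code=$(printf '%s\n' "$out" | extract_bind_data_code)
    if [ -n "$code" ]; then
        echo "$a <-> $b: bind failed, data $code = $(decode_bind_data_code "$code")"
        return 1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$a <-> $b: OK"
    else
        echo "$a <-> $b: ldapcmp exited $rc (compare differences, not credentials)"
    fi
    return "$rc"
}

# Try every ordered pair so a failure that depends on which DC is named
# first (as in the post) is visible in the output.
compare_all_pairs() {
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] || ldapcmp_pair "$a" "$b"
        done
    done
}

# Usage: DCS="dc1 dc2 dc3" LDAP_USER=administrator sh ldapcmp-pairs.sh
# Run it from each DC in turn, since the post shows the failure depends on
# the host the command is run from rather than on the DC being compared.
if [ -n "${DCS:-}" ]; then
    # shellcheck disable=SC2086  # word-splitting DCS into hostnames is intended
    compare_all_pairs $DCS
fi
```

Run the script from DC1, then from DC2 and DC3, and compare the verdict lines; a "data 52e" from one host only points at the credentials that host presents (or how the target validates them) rather than at the account itself, whereas 775 or 533 would point at the account. For the serverReferenceBL noise, samba-tool ldapcmp accepts a comma-separated list of attributes to leave out of the comparison via its --filter option; check `samba-tool ldapcmp --help` on your version before relying on it.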


