[Samba] One DC cannot authenticate off of another DC

L.P.H. van Belle belle at bazuin.nl
Wed Jun 26 07:32:13 UTC 2019


Hai, 

What is the running OS and version of Samba on these servers?

Can you post some configs of these DCs (all 3)?

/etc/hosts
/etc/resolv.conf
/etc/samba/smb.conf

And for all 3, the output of this keytab command:
klist -ke /var/lib/samba/private/secrets.keytab

You're also sure your servers' time is not out of sync?

Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Matthew Delfino via samba
> Sent: Wednesday 26 June 2019 1:12
> To: samba at lists.samba.org
> Subject: [Samba] One DC cannot authenticate off of another DC
> 
> 
> Hello Samba Friends,
> 
> 
> I have a single DC (we'll call it, "DC1") that simply will 
> not take my password when I run this command: 
> 
> 
> #samba-tool ldapcmp ldap://dc2 ldap://dc3 -Uadministrator 
> 
> 
> Or this command: 
> 
> 
> #samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator 
> 
> 
> I basically get this: 
> 
> 
> > Password for [SAMDOM\administrator]:
> > Password for [SAMDOM\administrator]:
> > Password for [SAMDOM\administrator]:
> > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> > Failed to connect to 'ldap://dc2' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> > ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 942, in run
> >     outf=self.outf, errf=self.errf, skip_missing_dn=skip_missing_dn)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 64, in __init__
> >     options=ldb_options)
> >   File "/usr/lib/python3/dist-packages/samba/__init__.py", line 115, in __init__
> >     self.connect(url, flags, options)
> 
> 
> It *will* authenticate when I run this command, which implies 
> that DC2 is the one who doesn't like my password, but only 
> when it comes from DC1: 
> 
> 
> #samba-tool ldapcmp ldap://dc1 ldap://dc3 -Uadministrator 
> 
> 
> From DC2 and DC3, I can run all three of those commands with success. 
> 
> 
> What could cause one of my DCs (DC2) to hate my password only 
> when it comes from one of my other DCs (DC1)? And, by the 
> way, under that circumstance, it seems to hate every username 
> and password combination I have that I could think to try 
> ("-Umatthewdelfino", for example). 
> 
> 
> What have I already tried? I've demoted and re-promoted all 
> of the DCs, which didn't make things any better. Passwords 
> still fail in the same manner, but now every time I do an 
> ldapcmp from samba-tool, I see a complaint about 
> "serverReferenceBL," either as an attribute that doesn't 
> exist in DC1 for 'CN=DC2,OU=DOMAIN 
> CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET', or as an uncaught 
> exception like this: 
> 
> 
> > ERROR(<class 'KeyError'>): uncaught exception - 'serverReferenceBL'
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 957, in run
> >     if b1.diff(b2):
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 781, in diff
> >     if object1 == object2:
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 549, in __eq__
> >     return self.cmp_attrs(other)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 590, in cmp_attrs
> >     if isinstance(self.attributes[x], list) and isinstance(other.attributes[x], list):
> 
> 
> (And all of that SERVERREFERENCEBL stuff is probably 
> unrelated. It's just very irritating, as it seems to be an 
> attribute created during a DC promotion/domain join, but not 
> during subsequent replications, and the ldapcmp always notices it.)
> 
> 
> Can anyone provide some guidance? 
> 
> 
> Thanks,
> Matthew
> 

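Added here as a worked example (not code from the thread or from Samba): a small Python decoder for the result-49 diagnostic string shown above, which pulls out the extended error, DSID and the "data" sub-code. 52e is the Active Directory sub-code for a plain wrong-username-or-password rejection, as opposed to a disabled, expired or locked-out account, which is worth confirming before working through the OS, config, keytab and time checks asked for in the reply. The sample input is constructed from the post's own error lines.

```python
import re

# "data" sub-codes an AD-style LDAP server (a Samba AD DC included) puts in the
# result-49 diagnostic message to say why a simple bind was refused.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong username or password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "775": "account locked out",
}

# Matches the "<8009030C: LdapErr: DSID-..., comment: ..., data 52e, ...>" part.
LDAP_ERR_RE = re.compile(
    r"LDAP error (?P<code>\d+) (?P<name>[A-Z_]+)\s*-\s*<(?P<ext>[0-9A-Fa-f]{8}): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9a-fA-F]+)")

def parse_bind_failure(line):
    """Return a dict describing one samba-tool/ldb error line, or None."""
    m = LDAP_ERR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {"code": int(m.group("code")), "name": m.group("name"),
            "ext_error": m.group("ext").upper(), "dsid": m.group("dsid").upper(),
            "comment": m.group("comment"), "data": data,
            "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code")}

def summarize(output):
    """Collapse a failed run's repeated lines into one entry per distinct
    (result code, data sub-code) pair, so a mixed cause is not overlooked."""
    found = {}
    for line in output.splitlines():
        parsed = parse_bind_failure(line)
        if parsed:
            found.setdefault((parsed["code"], parsed["data"]), parsed)
    return found

# Constructed sample: the error lines from the post above, each on one line.
SAMPLE_OUTPUT = """\
Password for [SAMDOM\\administrator]:
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to 'ldap://dc2' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
"""
```

Running `summarize(SAMPLE_OUTPUT)` on the post's output yields a single entry, (49, "52e"), decoded as invalid credentials; a different sub-code on one of the three DCs would point at an account-state problem rather than a password or trust problem.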