[Samba] One DC cannot authenticate off of another DC
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 26 07:32:13 UTC 2019
Hai,
What is the running OS and version of Samba on these servers?
Can you post some configs of these DCs (all 3)?
/etc/hosts
/etc/resolv.conf
/etc/samba/smb.conf
And for all 3, the output of this keytab command:
klist -ke /var/lib/samba/private/secrets.keytab
You're also sure your servers' time is not out of sync?
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Matthew Delfino via samba
> Sent: Wednesday 26 June 2019 1:12
> To: samba at lists.samba.org
> Subject: [Samba] One DC cannot authenticate off of another DC
>
>
> Hello Samba Friends,
>
>
> I have a single DC (we'll call it, "DC1") that simply will
> not take my password when I run this command:
>
>
> #samba-tool ldapcmp ldap://dc2 ldap://dc3 -Uadministrator
>
>
> Or this command:
>
>
> #samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator
>
>
> I basically get this:
>
>
> > Password for [SAMDOM\administrator]:
> > Password for [SAMDOM\administrator]:
> > Password for [SAMDOM\administrator]:
> > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
> <8009030C: LdapErr: DSID-0C0904DC, comment:
> AcceptSecurityContext error, data 52e, > v1db1> <>
> > Failed to connect to 'ldap://dc2' with backend 'ldap': LDAP
> error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data
> 52e, v1db1> <>
> > ERROR(ldb): uncaught exception - LDAP error 49
> LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data
> 52e, v1db1> <>
> > File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> line 185, in _run
> > return self.run(*args, **kwargs)
> > File
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",
> line 942, in run
> > outf=self.outf, errf=self.errf,
> skip_missing_dn=skip_missing_dn)
> > File
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",
> line 64, in __init__
> > options=ldb_options)
> > File "/usr/lib/python3/dist-packages/samba/__init__.py",
> line 115, in __init__
> > self.connect(url, flags, options)
>
>
> It *will* authenticate when I run this command, which implies
> that DC2 is the one who doesn't like my password, but only
> when it comes from DC1:
>
>
> #samba-tool ldapcmp ldap://dc1 ldap://dc3 -Uadministrator
>
>
> From DC2 and DC3, I can run all three of those commands with success.
>
>
> What could cause one of my DCs (DC2) to hate my password only
> when it comes from one of my other DCs (DC1)? And, by the
> way, under that circumstance, it seems to hate every username
> and password combination I have that I could think to try
> ("-Umatthewdelfino", for example).
>
>
> What have I already tried? I've demoted and re-promoted all
> of the DCs, which didn't make things any better. Passwords
> still fail in the same manner, but now every time I do an
> ldapcmp from samba-tool, I see a complaint about
> "serverReferenceBL," either as an attribute that doesn't
> exist in DC1 for 'CN=DC2,OU=DOMAIN
> CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET', or as an uncaught
> exception like this:
>
>
> > ERROR(<class 'KeyError'>): uncaught exception - 'serverReferenceBL'
> > File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> line 185, in _run
> > return self.run(*args, **kwargs)
> > File
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",
> line 957, in run
> > if b1.diff(b2):
> > File
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",
> line 781, in diff
> > if object1 == object2:
> > File
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",
> line 549, in __eq__
> > return self.cmp_attrs(other)
> > File
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",
> line 590, in cmp_attrs
> > if isinstance(self.attributes[x], list) and
> isinstance(other.attributes[x], list):
>
>
> (And all of that SERVERREFERENCEBL stuff is probably
> unrelated. It's just very irritating, as it seems to be an
> attribute created during a DC promotion/domain join, but not
> during subsequent replications, and the ldapcmp always notices it.)
>
>
> Can anyone provide some guidance?
>
>
> Thanks,
> Matthew
>
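An added example (not from the thread or from Samba itself) that decodes the bind error Matthew quoted into its Active Directory sub-code and, given which source/target DC pairs bind successfully, isolates the pair that fails; the sample error is the one quoted above, the result matrix is constructed from the thread's description, and the sub-code table is AD's documented AcceptSecurityContext codes:

```python
import re

# Sub-codes Active Directory returns in the "data NNN" field of an LDAP
# error 49 bind failure (AD's documented AcceptSecurityContext codes).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the string samba-tool prints, e.g. "LDAP error 49
# LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment:
# AcceptSecurityContext error, data 52e, v1db1>".
BIND_ERR_RE = re.compile(
    r"LDAP error (?P<code>\d+) (?P<name>[A-Z_]+) - <(?P<hresult>[0-9A-Fa-f]{8}): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9a-fA-F]+), v(?P<ver>\w+)>"
)

def decode_bind_error(text):
    """Parse the first LDAP bind error in text (mail line-wrapping is
    collapsed first); return its fields plus the sub-code meaning, or None."""
    m = BIND_ERR_RE.search(" ".join(text.split()))
    if not m:
        return None
    info = m.groupdict()
    info["meaning"] = AD_BIND_SUBCODES.get(info["data"].lower(), "unknown sub-code")
    return info

def isolate_failing_pairs(results):
    """results: (source_dc, target_dc, bind_ok) tuples. Return the pairs that
    fail although the same target accepts binds from other sources, i.e.
    the problem is specific to the pair, not to the target's user database."""
    targets_ok = {t for _, t, ok in results if ok}
    return sorted((s, t) for s, t, ok in results if not ok and t in targets_ok)

# Constructed sample: the error quoted in the thread, wrapped as in the mail.
SAMPLE_ERROR = """Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
<8009030C: LdapErr: DSID-0C0904DC, comment:
AcceptSecurityContext error, data 52e, v1db1> <>"""

# Constructed from the thread: from DC1 only dc2 rejects; from DC2/DC3 all accept.
SAMPLE_RESULTS = [("dc1", "dc2", False), ("dc1", "dc3", True), ("dc2", "dc1", True),
                  ("dc2", "dc3", True), ("dc3", "dc1", True), ("dc3", "dc2", True)]
```

Running `decode_bind_error(SAMPLE_ERROR)` yields data `52e` ("invalid credentials") rather than a connection or referral error, and `isolate_failing_pairs(SAMPLE_RESULTS)` returns only `("dc1", "dc2")`, which is why the per-DC keytab, name resolution and clock checks asked for above are the right next step.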