[Samba] Samba 4.10 member: SMB login no longer working

Matthew Delfino mdelfino.list.samba at knockinc.com
Wed Jun 26 17:58:42 UTC 2019


I apologize, everyone, for replying to the wrong thread here. Please ignore this message, it was supposed to be in the "Re: [Samba] One DC cannot authenticate off of another DC" thread.



 From:   Matthew Delfino via samba <samba at lists.samba.org> 
 To:   L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org> 
 Sent:   6/26/2019 12:44 PM 
 Subject:   Re: [Samba] Samba 4.10 member: SMB login no longer working 

Thank you, Louis, for your reply. 
 
 
By simply asking me to provide outputs of the aforementioned files, I found the cause of my first problem (auth failing). It was my /etc/hosts file on dc1. 
 
 
All of them should look like this, and indeed DC2 and DC3's *did* look like this: 
 
 
 
 
# cat /etc/hosts 
> 127.0.0.1       localhost.samdom.mycompany.net  localhost 
> 192.168.3.201 dc1.samdom.mycompany.net dc1 
> 192.168.3.202 dc2.samdom.mycompany.net dc2 
> 192.168.3.203 dc3.samdom.mycompany.net dc3 
>  
> # The following lines are desirable for IPv6 capable hosts 
> ::1     localhost ip6-localhost ip6-loopback 
> ff02::1 ip6-allnodes 
> ff02::2 ip6-allrouters 
 
 
DC1's /etc/hosts looked the same, except for the third line, which looked like this: 
 
 
 
> 192.168.3.203 dc2.samdom.mycompany.net dc2 
 
 
That's the same IP for dc3 on the fourth line! Changing its IP address to 192.168.3.202 to match the other two hosts files swiftly put an end to my failed authentications. 
 
 
But, I still see this whenever I compare any of my DCs to DC1: 
 
 
 
# samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator 
> Password for [SAMDOM\administrator]: 
>  
> * Comparing [DOMAIN] context... 
>  
> * Objects to be compared: 1723 
>  
> Comparing: 
> 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET' [ldap://dc1] 
> 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET' [ldap://dc2] 
>     Attributes found only in ldap://dc2:        SERVERREFERENCEBL 
>  
>     FAILED 
>  
> * Result for [DOMAIN]: FAILURE 
>  
> SUMMARY 
> --------- 
>  
> Attributes found only in ldap://dc2: 
>  
>     SERVERREFERENCEBL 
>  
> * Comparing [CONFIGURATION] context... 
>  
> * Objects to be compared: 1623 
>  
> * Result for [CONFIGURATION]: SUCCESS 
>  
> * Comparing [SCHEMA] context... 
>  
> * Objects to be compared: 1578 
>  
> * Result for [SCHEMA]: SUCCESS 
>  
> * Comparing [DNSDOMAIN] context... 
>  
> * Objects to be compared: 166 
>  
> * Result for [DNSDOMAIN]: SUCCESS 
>  
> * Comparing [DNSFOREST] context... 
>  
> * Objects to be compared: 26 
>  
> * Result for [DNSFOREST]: SUCCESS 
> ERROR: Compare failed: -1 
 
 
I have tried fixing this with reboots, and running this command: 
 
 
# samba-tool drs replicate --full-sync dc1 dc2 DC=samdom,DC=mycompany,DC=net 
 
 
As well as the similar commands for DC=ForestDnsZones,... DC=DomainDnsZones,... CN=Configuration,... and CN=Schema,... but nothing gets that serverReferenceBL into the CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET record on DC1. 
 
 
Do you think that this attribute, "SERVERREFERENCEBL," is applied at domain join only? And, perhaps that my wrongly configured /etc/hosts file botched a proper replication to DC1? 
 
 
Here are the answers to your questions... 
 
 
 
DC3 
-------- 
# cat /etc/hosts 
> 127.0.0.1       localhost.samdom.mycompany.net  localhost 
> 192.168.3.201    dc1.samdom.mycompany.net    dc1 
> 192.168.3.202    dc2.samdom.mycompany.net    dc2 
> 192.168.3.203    dc3.samdom.mycompany.net    dc3 
>  
> # The following lines are desirable for IPv6 capable hosts 
> ::1     localhost ip6-localhost ip6-loopback 
> ff02::1 ip6-allnodes 
> ff02::2 ip6-allrouters 
 
 
# cat /etc/resolv.conf  
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) 
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN 
> nameserver 192.168.3.203 
> nameserver 192.168.3.201 
> nameserver 192.168.3.202 
> search samdom.mycompany.net 
 
 
# cat /etc/samba/smb.conf  
> # Global parameters 
> [global] 
>     netbios name = DC3 
>     realm = SAMDOM.MYCOMPANY.NET 
>     server role = active directory domain controller 
>     #server services = -dns 
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate 
>     workgroup = SAMDOM 
>     idmap_ldb:use rfc2307 = yes 
>     #dns forwarder = 8.8.4.4 
>     #dns forwarder = 8.8.8.8 
>     #allow dns updates = disabled 
>     dsdb:schema update allowed = true 
>     printcap name = /dev/null 
>     load printers = no 
>     printing = bsd  
>     ldap server require strong auth = no  
>     tls enabled  = yes 
>     tls keyfile  = tls/myKey.pem 
>     tls certfile = tls/dc3_samdom_mycompany_net.pem 
>     tls cafile   = tls/dc3_samdom_mycompany_net.ca-bundle.pem 
>     #log file = /var/log/samba/%a.%M.log 
>     max log size = 2048 
>     log level = 1 auth_audit:3 
>     apply group policies = yes 
>  
> [netlogon] 
>     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts 
>     read only = No 
>  
> [sysvol] 
>     path = /var/lib/samba/sysvol 
>     read only = No 
 
 
# klist -ke /var/lib/samba/private/secrets.keytab  
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab 
> KVNO Principal 
> ---- -------------------------------------------------------------------------- 
>    2 HOST/dc3 at SAMDOM.MYCOMPANY.NET (des-cbc-crc)  
>    2 HOST/dc3.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-crc)  
>    2 DC3$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)  
>    2 HOST/dc3 at SAMDOM.MYCOMPANY.NET (des-cbc-md5)  
>    2 HOST/dc3.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-md5)  
>    2 DC3$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)  
>    2 HOST/dc3 at SAMDOM.MYCOMPANY.NET (arcfour-hmac)  
>    2 HOST/dc3.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (arcfour-hmac)  
>    2 DC3$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)  
>    2 HOST/dc3 at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)  
>    2 HOST/dc3.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)  
>    2 DC3$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)  
>    2 HOST/dc3 at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)  
>    2 HOST/dc3.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)  
>    2 DC3$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)  
 
 
 
 
DC2 
-------- 
# cat /etc/hosts 
> 127.0.0.1       localhost.samdom.mycompany.net  localhost 
> 192.168.3.201    dc1.samdom.mycompany.net    dc1 
> 192.168.3.202    dc2.samdom.mycompany.net    dc2 
> 192.168.3.203    dc3.samdom.mycompany.net    dc3 
>  
> # The following lines are desirable for IPv6 capable hosts 
> ::1     localhost ip6-localhost ip6-loopback 
> ff02::1 ip6-allnodes 
> ff02::2 ip6-allrouters 
 
 
# cat /etc/resolv.conf  
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) 
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN 
> nameserver 192.168.3.202 
> nameserver 192.168.3.201 
> nameserver 192.168.3.203 
> search samdom.mycompany.net 
 
 
# cat /etc/samba/smb.conf  
> # Global parameters 
> [global] 
>     netbios name = DC2 
>     realm = SAMDOM.MYCOMPANY.NET 
>     server role = active directory domain controller 
>     #server services = -dns 
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate 
>     workgroup = SAMDOM 
>     idmap_ldb:use rfc2307 = yes 
>     #dns forwarder = 8.8.4.4 
>     #dns forwarder = 8.8.8.8 
>     #allow dns updates = disabled 
>     dsdb:schema update allowed = true 
>     printcap name = /dev/null 
>     load printers = no 
>     printing = bsd  
>     ldap server require strong auth = no 
>     tls enabled  = yes 
>     tls keyfile  = tls/myKey.pem 
>     tls certfile = tls/dc2_samdom_mycompany_net.pem 
>     tls cafile   = tls/dc2_samdom_mycompany_net.ca-bundle.pem 
>     #log file = /var/log/samba/%a.%M.log 
>     max log size = 2048 
>     log level = 1 auth_audit:3 
>     apply group policies = yes 
>  
> [netlogon] 
>     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts 
>     read only = No 
>  
> [sysvol] 
>     path = /var/lib/samba/sysvol 
>     read only = No 
 
 
# klist -ke /var/lib/samba/private/secrets.keytab  
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab 
> KVNO Principal 
> ---- -------------------------------------------------------------------------- 
>    2 HOST/dc2 at SAMDOM.MYCOMPANY.NET (des-cbc-crc)  
>    2 HOST/dc2.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-crc)  
>    2 DC2$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)  
>    2 HOST/dc2 at SAMDOM.MYCOMPANY.NET (des-cbc-md5)  
>    2 HOST/dc2.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-md5)  
>    2 DC2$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)  
>    2 HOST/dc2 at SAMDOM.MYCOMPANY.NET (arcfour-hmac)  
>    2 HOST/dc2.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (arcfour-hmac)  
>    2 DC2$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)  
>    2 HOST/dc2 at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)  
>    2 HOST/dc2.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)  
>    2 DC2$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)  
>    2 HOST/dc2 at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)  
>    2 HOST/dc2.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)  
>    2 DC2$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96) 
 
 
 
 
DC1 
-------- 
# cat /etc/hosts 
> 127.0.0.1    localhost.samdom.mycompany.net    localhost 
> 192.168.3.201    dc1.samdom.mycompany.net    dc1 
> 192.168.3.202    dc2.samdom.mycompany.net    dc2 
> 192.168.3.203    dc3.samdom.mycompany.net    dc3 
>  
> # The following lines are desirable for IPv6 capable hosts 
> ::1     localhost ip6-localhost ip6-loopback 
> ff02::1 ip6-allnodes 
> ff02::2 ip6-allrouters 
 
 
# cat /etc/resolv.conf 
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) 
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN 
> nameserver 192.168.3.201 
> nameserver 192.168.3.202 
> nameserver 192.168.3.203 
> search samdom.mycompany.net 
 
 
# cat /etc/samba/smb.conf 
> # Global parameters 
> [global] 
>     netbios name = DC1 
>     realm = SAMDOM.MYCOMPANY.NET 
>     server role = active directory domain controller 
>     #server services = -dns 
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate 
>     workgroup = SAMDOM 
>     idmap_ldb:use rfc2307 = yes 
>     #dns forwarder = 8.8.4.4 
>     #dns forwarder = 8.8.8.8 
>     #allow dns updates = disabled 
>     #dsdb:schema update allowed = true 
>     printcap name = /dev/null 
>     load printers = no 
>     printing = bsd  
>     ldap server require strong auth = no 
>     tls enabled  = yes 
>     tls keyfile  = tls/myKey.pem 
>     tls certfile = tls/dc1_samdom_mycompany_net.pem 
>     tls cafile   = tls/dc1_samdom_mycompany_net.ca-bundle.pem 
>     #log file = /var/log/samba/%a.%M.log 
>     max log size = 2048 
>     log level = 1 auth_audit:3 
>     apply group policies = yes 
>  
> [netlogon] 
>     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts 
>     read only = No 
>  
> [sysvol] 
>     path = /var/lib/samba/sysvol 
>     read only = No 
 
 
# klist -ke /var/lib/samba/private/secrets.keytab 
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab 
> KVNO Principal 
> ---- -------------------------------------------------------------------------- 
>    2 HOST/dc1 at SAMDOM.MYCOMPANY.NET (des-cbc-crc)  
>    2 HOST/dc1.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-crc)  
>    2 DC1$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)  
>    2 HOST/dc1 at SAMDOM.MYCOMPANY.NET (des-cbc-md5)  
>    2 HOST/dc1.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-md5)  
>    2 DC1$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)  
>    2 HOST/dc1 at SAMDOM.MYCOMPANY.NET (arcfour-hmac)  
>    2 HOST/dc1.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (arcfour-hmac)  
>    2 DC1$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)  
>    2 HOST/dc1 at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)  
>    2 HOST/dc1.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)  
>    2 DC1$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)  
>    2 HOST/dc1 at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)  
>    2 HOST/dc1.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)  
>    2 DC1$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)  
 
 
Thank you, 
Matthew 
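As an added example (not Samba's code and not from the thread's author), a small Python checker that parses /etc/hosts contents from several DCs and flags exactly the mistake found above: one IP address carried by two DC names in a single file, or a DC name that resolves differently from one DC to the next. The hosts texts are constructed from the files posted in the thread; the function names are hypothetical.

```python
"""Cross-check /etc/hosts from several Samba DCs for the mistake found in
this thread: one IP mapped to two DC names.  Added example, not Samba code;
hosts texts are constructed from the thread, function names hypothetical."""
from collections import defaultdict

DC_NAMES = ["dc1.samdom.mycompany.net", "dc2.samdom.mycompany.net",
            "dc3.samdom.mycompany.net"]

# Constructed from the thread: the correct file as seen on DC2 and DC3 ...
GOOD_HOSTS = """\
127.0.0.1       localhost.samdom.mycompany.net  localhost
192.168.3.201   dc1.samdom.mycompany.net dc1
192.168.3.202   dc2.samdom.mycompany.net dc2
192.168.3.203   dc3.samdom.mycompany.net dc3

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
"""
# ... and DC1's broken copy, where the dc2 line carries dc3's address.
DC1_BAD_HOSTS = GOOD_HOSTS.replace("192.168.3.202   dc2", "192.168.3.203   dc2")
SAMPLE_FILES = {"dc1": DC1_BAD_HOSTS, "dc2": GOOD_HOSTS, "dc3": GOOD_HOSTS}


def parse_hosts(text):
    """Return {name: ip} for every name on every non-comment hosts line."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name] = ip
    return mapping


def check_hosts(files, dc_names):
    """files: {dc_label: hosts_text}.  Returns a list of finding strings.
    Check 1: within one file, two DC names share an IP (the DC1 bug).
    Check 2: across files, one DC name is mapped to different IPs."""
    findings = []
    ips_by_name = defaultdict(set)
    for dc, text in files.items():
        mapping = parse_hosts(text)
        names_by_ip = defaultdict(list)
        for name in dc_names:
            ip = mapping.get(name)
            if ip is None:
                findings.append(f"{dc}: no entry for {name}")
                continue
            names_by_ip[ip].append(name)
            ips_by_name[name].add(ip)
        for ip, names in names_by_ip.items():
            if len(names) > 1:
                findings.append(f"{dc}: {ip} is mapped to {', '.join(names)}")
    for name, ips in ips_by_name.items():
        if len(ips) > 1:
            findings.append(f"{name} resolves to {sorted(ips)} across DCs")
    return findings
```

Run against the constructed files, `check_hosts(SAMPLE_FILES, DC_NAMES)` reports the duplicate 192.168.3.203 on dc1 and the inconsistent address for dc2 across the three DCs; feeding it the real files (one per DC) gives the same cross-check before the next ldapcmp or replication attempt.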
 
 
 
From: L.P.H. van Belle via samba <samba at lists.samba.org>  
To: "samba at lists.samba.org" <samba at lists.samba.org>  
Sent: 6/26/2019 2:32 AM  
Subject: Re: [Samba] One DC cannot authenticate off of another DC  
 
Hai,  
 
What is the running OS and version of Samba on these servers?  

Can you post some configs of these DCs (all 3)?  

/etc/hosts  
/etc/resolv.conf  
/etc/samba/smb.conf  

And for all 3, the keytab output:  
klist -ke /var/lib/samba/private/secrets.keytab  

You're also sure your servers' time is not out of sync?  
 
Greetz,  
 
Louis  
 
 
 
 
> -----Original message-----  
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of  
> Matthew Delfino via samba  
> Sent: Wednesday 26 June 2019 1:12  
> To: samba at lists.samba.org  
> Subject: [Samba] One DC cannot authenticate off of another DC  
>  
>  
> Hello Samba Friends,  
>  
>  
> I have a single DC (we'll call it, "DC1") that simply will  
> not take my password when I run this command:   
>  
>  
> #samba-tool ldapcmp ldap://dc2 ldap://dc3 -Uadministrator   
>  
>  
> Or this command:   
>  
>  
> #samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator   
>  
>  
> I basically get this:   
>  
>  
> > Password for [SAMDOM\administrator]:   
> > Password for [SAMDOM\administrator]:   
> > Password for [SAMDOM\administrator]:   
> > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -    
> <8009030C: LdapErr: DSID-0C0904DC, comment:  
> AcceptSecurityContext error, data 52e, > v1db1> <>   
> > Failed to connect to 'ldap://dc2' with backend 'ldap': LDAP  
> error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr:  
> DSID-0C0904DC, comment: AcceptSecurityContext error, data  
> 52e, v1db1> <>   
> > ERROR(ldb): uncaught exception - LDAP error 49  
> LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr:  
> DSID-0C0904DC, comment: AcceptSecurityContext error, data  
> 52e, v1db1> <>   
> >   File  
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",  
> line 185, in _run   
> >     return self.run(*args, **kwargs)   
> >   File  
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",  
> line 942, in run   
> >     outf=self.outf, errf=self.errf,  
> skip_missing_dn=skip_missing_dn)   
> >   File  
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",  
> line 64, in __init__   
> >     options=ldb_options)   
> >   File "/usr/lib/python3/dist-packages/samba/__init__.py",  
> line 115, in __init__   
> >     self.connect(url, flags, options)   
>  
>  
> It *will* authenticate when I run this command, which implies  
> that DC2 is the one who doesn't like my password, but only  
> when it comes from DC1:   
>  
>  
> #samba-tool ldapcmp ldap://dc1 ldap://dc3 -Uadministrator   
>  
>  
> From DC2 and DC3, I can run all three of those commands with success.   
>  
>  
> What could cause one of my DCs (DC2) to hate my password only  
> when it comes from one of my other DCs (DC1)? And, by the  
> way, under that circumstance, it seems to hate every username  
> and password combination I have that I could think to try  
> ("-Umatthewdelfino", for example).   
>  
>  
> What have I already tried? I've demoted and re-promoted all  
> of the DCs, which didn't make things any better. Passwords  
> still fail in the same manner, but now every time I do an  
> ldapcmp from samba-tool, I see a complaint about  
> "serverReferenceBL," either as an attribute that doesn't  
> exist in DC1 for 'CN=DC2,OU=DOMAIN  
> CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET', or as an uncaught  
> exception like this:   
>  
>  
> > ERROR(<class 'KeyError'>): uncaught exception - 'serverReferenceBL'   
> >   File  
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",  
> line 185, in _run   
> >     return self.run(*args, **kwargs)   
> >   File  
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",  
> line 957, in run   
> >     if b1.diff(b2):   
> >   File  
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",  
> line 781, in diff   
> >     if object1 == object2:   
> >   File  
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",  
> line 549, in __eq__   
> >     return self.cmp_attrs(other)   
> >   File  
> "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py",  
> line 590, in cmp_attrs   
> >     if isinstance(self.attributes[x], list) and  
> isinstance(other.attributes[x], list):   
>  
>  
> (And all of that SERVERREFERENCEBL stuff is probably  
> unrelated. It's just very irritating, as it seems to be an  
> attribute created during a DC promotion/domain join, but not  
> during subsequent replications, and the ldapcmp always notices it.)  
>  
>  
> Can anyone provide some guidance?   
>  
>  
> Thanks,  
> Matthew  
>  
> © 2019 KNOCK, inc. All rights reserved. KNOCK is a registered  
> trademark of KNOCK, inc. This message and any attachments  
> contain information, which is confidential and/or privileged.  
> If you are not the intended recipient, please refrain from  
> any disclosure, copying, distribution or use of this  
> information. Please be aware that such actions are  
> prohibited. If you have received this transmission in error,  
> kindly notify the sender by e-mail. Your cooperation is appreciated.  
> --  
> To unsubscribe from this list go to the following URL and read the  
> instructions:  https://lists.samba.org/mailman/options/samba  
>  
>  
 
 