[Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
ASW Global
aswsupplyservices at outlook.com
Tue Oct 15 12:56:18 UTC 2019
I've read the documentation that domain trusts should be fully supported with both Kerberos and NTLM authentication. I've created a new 2016 domain on a Windows box and created a Samba domain on a Linux box with a BIND9_DLZ backend. Both servers can resolve both DNS domains forwards and backwards, and I am able to connect a Windows 10 client to the Samba domain without any issues. The problem occurs when I create a full external trust between the two domains. The trust is created successfully with samba-tool, however the verify fails with TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED.
The end result is a trust relation that fully works with Kerberos authentication (such as logging in on the trusted domain from a domain connected to the other), but this won't work with NTLM authentication outside of its realm. I am constantly getting this error message in the wb-DOMAIN logs:
Starting GENSEC submechanism ntlmssp
[2019/10/15 07:06:26.589018, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
[2019/10/15 07:06:26.589188, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
gensec_update_send: ntlmssp[0x5625297aa300]: subreq: 0x5625299b9330
[2019/10/15 07:06:26.589207, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
gensec_update_send: spnego[0x56252a561b00]: subreq: 0x562529ff3510
[2019/10/15 07:06:26.589223, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
gensec_update_done: ntlmssp[0x5625297aa300]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5625299b9330/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x5625299b94e0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215]
[2019/10/15 07:06:26.589246, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
gensec_update_done: spnego[0x56252a561b00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
[2019/10/15 07:06:26.589508, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:273(ntlmssp_client_challenge)
Got challenge flags:
[2019/10/15 07:06:26.589527, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2019/10/15 07:06:26.589577, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
challenge: struct CHALLENGE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmChallenge (0x2)
TargetNameLen : 0x0008 (8)
TargetNameMaxLen : 0x0008 (8)
TargetName : *
TargetName : 'ASW'
NegotiateFlags : 0x62898215 (1653178901)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
1: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
1: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
ServerChallenge : 9577d49bcff93241
Reserved : 0000000000000000
TargetInfoLen : 0x00c2 (194)
TargetInfoMaxLen : 0x00c2 (194)
TargetInfo : *
TargetInfo: struct AV_PAIR_LIST
count : 0x00000007 (7)
pair: ARRAY(7)
pair: struct AV_PAIR
AvId : MsvAvNbDomainName (0x2)
AvLen : 0x0008 (8)
Value : union ntlmssp_AvValue(case 0x2)
AvNbDomainName : 'ASW'
pair: struct AV_PAIR
AvId : MsvAvNbComputerName (0x1)
AvLen : 0x0014 (20)
Value : union ntlmssp_AvValue(case 0x1)
AvNbComputerName : 'ASWSERVER'
pair: struct AV_PAIR
AvId : MsvAvDnsDomainName (0x4)
AvLen : 0x0024 (36)
Value : union ntlmssp_AvValue(case 0x4)
AvDnsDomainName : 'ASW.aswglobal.net'
pair: struct AV_PAIR
AvId : MsvAvDnsComputerName (0x3)
AvLen : 0x003a (58)
Value : union ntlmssp_AvValue(case 0x3)
AvDnsComputerName : 'aswserver.asw.aswglobal.net'
pair: struct AV_PAIR
AvId : MsvAvDnsTreeName (0x5)
AvLen : 0x0024 (36)
Value : union ntlmssp_AvValue(case 0x5)
AvDnsTreeName : 'ASW.aswglobal.net'
pair: struct AV_PAIR
AvId : MsvAvTimestamp (0x7)
AvLen : 0x0008 (8)
Value : union ntlmssp_AvValue(case 0x7)
AvTimestamp : Tue Oct 15 07:06:27 2019 EDT
pair: struct AV_PAIR
AvId : MsvAvEOL (0x0)
AvLen : 0x0000 (0)
Value : union ntlmssp_AvValue(case 0x0)
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_10 (0xA)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0)
ProductBuild : 0x3839 (14393)
Reserved : 000000
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (0xF)
[2019/10/15 07:06:26.589905, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
authenticate: struct AUTHENTICATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmAuthenticate (3)
LmChallengeResponseLen : 0x0000 (0)
LmChallengeResponseMaxLen: 0x0000 (0)
LmChallengeResponse : *
LmChallengeResponse : union ntlmssp_LM_RESPONSE_with_len(case 0)
NtChallengeResponseLen : 0x0000 (0)
NtChallengeResponseMaxLen: 0x0000 (0)
NtChallengeResponse : *
NtChallengeResponse : union ntlmssp_NTLM_RESPONSE_with_len(case 0)
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
UserNameLen : 0x0000 (0)
UserNameMaxLen : 0x0000 (0)
UserName : *
UserName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
EncryptedRandomSessionKeyLen: 0x0010 (16)
EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
EncryptedRandomSessionKey: *
EncryptedRandomSessionKey: DATA_BLOB length=16
[0000] 81 EE CC 4D B3 48 F7 A9 57 E9 E6 94 B7 55 59 DE ...M.H.. W....UY.
NegotiateFlags : 0x62008a15 (1644202517)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
1: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
0: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
[2019/10/15 07:06:26.590148, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:761(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2019/10/15 07:06:26.590160, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2019/10/15 07:06:26.590195, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2019/10/15 07:06:26.590206, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2019/10/15 07:06:26.590240, 5, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:638(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - using NTLM1
[2019/10/15 07:06:26.590268, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
gensec_update_send: ntlmssp[0x5625297aa300]: subreq: 0x562529bcbfd0
[2019/10/15 07:06:26.590283, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
gensec_update_send: spnego[0x56252a561b00]: subreq: 0x562529ff3510
[2019/10/15 07:06:26.590298, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
gensec_update_done: ntlmssp[0x5625297aa300]: NT_STATUS_OK tevent_req[0x562529bcbfd0/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x562529bcc180)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:222]
[2019/10/15 07:06:26.590320, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
gensec_update_done: spnego[0x56252a561b00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
[2019/10/15 07:06:26.590744, 3, pid=12457, effective(0, 0), real(0, 0)] ../../source3/libsmb/cliconnect.c:1693(cli_session_setup_creds_done_spnego)
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
[2019/10/15 07:06:26.590770, 1, pid=12457, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cm.c:1255(cm_prepare_connection)
anonymous session setup to aswserver.asw.aswglobal.net failed with NT_STATUS_ACCESS_DENIED
[2019/10/15 07:06:26.590799, 1, pid=12457, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cm.c:1305(cm_prepare_connection)
Failed to prepare SMB connection to aswserver.asw.aswglobal.net: NT_STATUS_ACCESS_DENIED
[2019/10/15 07:06:26.590817, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
gencache_set_data_blob: Adding cache entry with key=[NEG_CONN_CACHE/ASW,aswserver.asw.aswglobal.net] and timeout=[Tue Oct 15 07:07:26 2019 EDT] (60 seconds ahead)
[2019/10/15 07:06:26.590838, 9, pid=12457, effective(0, 0), real(0, 0)] ../../source3/libsmb/conncache.c:189(add_failed_connection_entry)
add_failed_connection_entry: added domain ASW (aswserver.asw.aswglobal.net) to failed conn cache
[2019/10/15 07:06:26.590851, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:276(gencache_del)
Deleting cache entry (key=[SAFJOIN/DOMAIN/ASW])
[2019/10/15 07:06:26.590864, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:276(gencache_del)
Deleting cache entry (key=[SAF/DOMAIN/ASW])
[2019/10/15 07:06:26.590876, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
gencache_set_data_blob: Adding cache entry with key=[NEG_CONN_CACHE/ASW.aswglobal.net,aswserver.asw.aswglobal.net] and timeout=[Tue Oct 15 07:07:26 2019 EDT] (60 seconds ahead)
[2019/10/15 07:06:26.590893, 9, pid=12457, effective(0, 0), real(0, 0)] ../../source3/libsmb/conncache.c:189(add_failed_connection_entry)
add_failed_connection_entry: added domain asw.aswglobal.net (aswserver.asw.aswglobal.net) to failed conn cache
[2019/10/15 07:06:26.590906, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:276(gencache_del)
Deleting cache entry (key=[SAFJOIN/DOMAIN/ASW.ASWGLOBAL.NET])
[2019/10/15 07:06:26.590918, 10, pid=12457, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:276(gencache_del)
Deleting cache entry (key=[SAF/DOMAIN/ASW.ASWGLOBAL.NET])
[2019/10/15 07:06:26.590958, 10, pid=12457, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cm.c:406(set_domain_offline)
I have a simple out-of-the-box smb.conf:
[global]
bind interfaces only = yes
interfaces = 127.0.0.1 10.0.0.40
netbios name = ASW-OTHER
realm = OTHER.ASWGLOBAL.NET
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = OTHER
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/ops.aswglobal.net/scripts
read only = No
wbinfo --online-status
BUILTIN : active connection
OTHER : active connection
ASW : no active connection
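The three NegotiateFlags words in the log above (0x62088215 in the NEGOTIATE, 0x62898215 in the CHALLENGE, 0x62008a15 in the AUTHENTICATE) tell the story on their own: the final message has NTLMSSP_ANONYMOUS set and zero-length user name and challenge responses, and NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY has been dropped, which is why Samba reports "Sign/Seal - using NTLM1" and why the 2016 DC answers the anonymous session setup with NT_STATUS_ACCESS_DENIED. The following is an added example, not code from the poster or from Samba, that decodes such flag words with the bit values from MS-NLMP, pulls them out of ndr_print-style log lines, and summarises what kind of NTLM session the exchange produced. The SAMPLE_LOG text is constructed here from the flag values in the post and is not a real capture; the function names are this example's own.

```python
import re
from typing import Dict, List

# Bit values from MS-NLMP section 2.2.2.5. The names are the ones Samba's
# ndr_print output uses, so the decoded list can be compared with the log.
NTLMSSP_FLAGS: Dict[str, int] = {
    "NTLMSSP_NEGOTIATE_UNICODE": 0x00000001,
    "NTLMSSP_NEGOTIATE_OEM": 0x00000002,
    "NTLMSSP_REQUEST_TARGET": 0x00000004,
    "NTLMSSP_NEGOTIATE_SIGN": 0x00000010,
    "NTLMSSP_NEGOTIATE_SEAL": 0x00000020,
    "NTLMSSP_NEGOTIATE_DATAGRAM": 0x00000040,
    "NTLMSSP_NEGOTIATE_LM_KEY": 0x00000080,
    "NTLMSSP_NEGOTIATE_NETWARE": 0x00000100,
    "NTLMSSP_NEGOTIATE_NTLM": 0x00000200,
    "NTLMSSP_NEGOTIATE_NT_ONLY": 0x00000400,
    "NTLMSSP_ANONYMOUS": 0x00000800,
    "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED": 0x00001000,
    "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED": 0x00002000,
    "NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL": 0x00004000,
    "NTLMSSP_NEGOTIATE_ALWAYS_SIGN": 0x00008000,
    "NTLMSSP_TARGET_TYPE_DOMAIN": 0x00010000,
    "NTLMSSP_TARGET_TYPE_SERVER": 0x00020000,
    "NTLMSSP_TARGET_TYPE_SHARE": 0x00040000,
    "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,
    "NTLMSSP_NEGOTIATE_IDENTIFY": 0x00100000,
    "NTLMSSP_REQUEST_NON_NT_SESSION_KEY": 0x00400000,
    "NTLMSSP_NEGOTIATE_TARGET_INFO": 0x00800000,
    "NTLMSSP_NEGOTIATE_VERSION": 0x02000000,
    "NTLMSSP_NEGOTIATE_128": 0x20000000,
    "NTLMSSP_NEGOTIATE_KEY_EXCH": 0x40000000,
    "NTLMSSP_NEGOTIATE_56": 0x80000000,
}


def decode_flags(word: int) -> List[str]:
    """Names of the flag bits set in one NegotiateFlags word, in bit order."""
    return [name for name, bit in NTLMSSP_FLAGS.items() if word & bit]


def encode_flags(names: List[str]) -> int:
    """Inverse of decode_flags: build the 32-bit word from flag names."""
    word = 0
    for name in names:
        word |= NTLMSSP_FLAGS[name]
    return word


# Matches the "NegotiateFlags : 0x........ (....)" lines that ndr_print emits
# for the NEGOTIATE, CHALLENGE and AUTHENTICATE structures in a Samba log.
_FLAGS_LINE = re.compile(r"^\s*NegotiateFlags\s*:\s*0x([0-9A-Fa-f]{8})")


def extract_flag_words(log_text: str) -> List[int]:
    """Return every NegotiateFlags word found in the log, in order of appearance."""
    words = []
    for line in log_text.splitlines():
        m = _FLAGS_LINE.match(line)
        if m:
            words.append(int(m.group(1), 16))
    return words


def assess_exchange(negotiate: int, challenge: int, authenticate: int) -> List[str]:
    """Summarise, from the three flag words, what kind of NTLM session resulted."""
    f = NTLMSSP_FLAGS
    findings = []
    if authenticate & f["NTLMSSP_ANONYMOUS"]:
        findings.append("anonymous: AUTHENTICATE carries no user name or challenge "
                        "response, so the server decides solely on its anonymous policy")
    if (negotiate & f["NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY"]
            and not authenticate & f["NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY"]):
        findings.append("extended session security offered but dropped: sign/seal "
                        "falls back to NTLM1")
    if not authenticate & f["NTLMSSP_NEGOTIATE_SEAL"]:
        findings.append("no sealing negotiated: traffic is at most signed, not encrypted")
    return findings


# Constructed sample mirroring the flag words in the post (not a real capture).
SAMPLE_LOG = """\
negotiate: struct NEGOTIATE_MESSAGE
    NegotiateFlags : 0x62088215 (1644724757)
challenge: struct CHALLENGE_MESSAGE
    NegotiateFlags : 0x62898215 (1653178901)
authenticate: struct AUTHENTICATE_MESSAGE
    NegotiateFlags : 0x62008a15 (1644202517)
"""

if __name__ == "__main__":
    words = extract_flag_words(SAMPLE_LOG)
    for stage, word in zip(("negotiate", "challenge", "authenticate"), words):
        print(f"{stage}: 0x{word:08x} -> {', '.join(decode_flags(word))}")
    for finding in assess_exchange(*words):
        print("finding:", finding)
```

Running it against the real wb-DOMAIN log file instead of SAMPLE_LOG gives the same three words and the same three findings; the useful check for a trust problem like this one is whether the AUTHENTICATE ever stops being anonymous once winbind has working trust credentials for the remote domain.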