[Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD

Rowland penny rpenny at samba.org
Tue Oct 15 13:23:10 UTC 2019


On 15/10/2019 13:56, ASW Global via samba wrote:
> I've read the documentation that domain trusts should be fully supported with both Kerberos and NTLM authentication. I've created a new 2016 domain on a Windows box and created a Samba domain on a Linux box with a BIND9_DLZ backend. Both servers can resolve both DNS domains forwards and backwards and I am able to connect a Windows 10 client to the Samba domain without any issues. The problem occurs when I create a full external trust between the two domains. The trust is created successfully with samba-tool however the verify fails with TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED.
>
> The end result is a trust relation that fully works with Kerberos authentication (such as logging in on the trusted domain from a domain connected to the other) but this won't work with NTLM authentication outside of its realm. I am constantly getting this error message in the wb-DOMAIN logs:
>
> Starting GENSEC submechanism ntlmssp
> [2019/10/15 07:06:26.589018,  1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
>         negotiate: struct NEGOTIATE_MESSAGE
>            Signature                : 'NTLMSSP'
>            MessageType              : NtLmNegotiate (1)
>            NegotiateFlags           : 0x62088215 (1644724757)
>                   1: NTLMSSP_NEGOTIATE_UNICODE
>                   0: NTLMSSP_NEGOTIATE_OEM
>                   1: NTLMSSP_REQUEST_TARGET
>                   1: NTLMSSP_NEGOTIATE_SIGN
>                   0: NTLMSSP_NEGOTIATE_SEAL
>                   0: NTLMSSP_NEGOTIATE_DATAGRAM
>                   0: NTLMSSP_NEGOTIATE_LM_KEY
>                   0: NTLMSSP_NEGOTIATE_NETWARE
>                   1: NTLMSSP_NEGOTIATE_NTLM
>                   0: NTLMSSP_NEGOTIATE_NT_ONLY
>                   0: NTLMSSP_ANONYMOUS
>                   0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>                   1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>                   0: NTLMSSP_TARGET_TYPE_DOMAIN
>                   0: NTLMSSP_TARGET_TYPE_SERVER
>                   0: NTLMSSP_TARGET_TYPE_SHARE
>                   1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>                   0: NTLMSSP_NEGOTIATE_IDENTIFY
>                   0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>                   0: NTLMSSP_NEGOTIATE_TARGET_INFO
>                   1: NTLMSSP_NEGOTIATE_VERSION
>                   1: NTLMSSP_NEGOTIATE_128
>                   1: NTLMSSP_NEGOTIATE_KEY_EXCH
>                   0: NTLMSSP_NEGOTIATE_56
>            DomainNameLen            : 0x0000 (0)
>            DomainNameMaxLen         : 0x0000 (0)
>            DomainName               : *
>                DomainName               : ''
>            WorkstationLen           : 0x0000 (0)
>            WorkstationMaxLen        : 0x0000 (0)
>            Workstation              : *
>                Workstation              : ''
>            Version: struct ntlmssp_VERSION
>                ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
>                ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
>                ProductBuild             : 0x0000 (0)
>                Reserved: ARRAY(3)
>                    [0]                      : 0x00 (0)
>                    [1]                      : 0x00 (0)
>                    [2]                      : 0x00 (0)
>                NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
> [2019/10/15 07:06:26.589188, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
>    gensec_update_send: ntlmssp[0x5625297aa300]: subreq: 0x5625299b9330
> [2019/10/15 07:06:26.589207, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
>    gensec_update_send: spnego[0x56252a561b00]: subreq: 0x562529ff3510
> [2019/10/15 07:06:26.589223, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
>    gensec_update_done: ntlmssp[0x5625297aa300]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5625299b9330/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)]  state[struct gensec_ntlmssp_update_state (0x5625299b94e0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215]
> [2019/10/15 07:06:26.589246, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
>    gensec_update_done: spnego[0x56252a561b00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
> [2019/10/15 07:06:26.589508,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:273(ntlmssp_client_challenge)
>    Got challenge flags:
> [2019/10/15 07:06:26.589527,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>    Got NTLMSSP neg_flags=0x62898215
>      NTLMSSP_NEGOTIATE_UNICODE
>      NTLMSSP_REQUEST_TARGET
>      NTLMSSP_NEGOTIATE_SIGN
>      NTLMSSP_NEGOTIATE_NTLM
>      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>      NTLMSSP_TARGET_TYPE_DOMAIN
>      NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>      NTLMSSP_NEGOTIATE_TARGET_INFO
>      NTLMSSP_NEGOTIATE_VERSION
>      NTLMSSP_NEGOTIATE_128
>      NTLMSSP_NEGOTIATE_KEY_EXCH
> [2019/10/15 07:06:26.589577,  1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
>         challenge: struct CHALLENGE_MESSAGE
>            Signature                : 'NTLMSSP'
>            MessageType              : NtLmChallenge (0x2)
>            TargetNameLen            : 0x0008 (8)
>            TargetNameMaxLen         : 0x0008 (8)
>            TargetName               : *
>                TargetName               : 'ASW'
>            NegotiateFlags           : 0x62898215 (1653178901)
>                   1: NTLMSSP_NEGOTIATE_UNICODE
>                   0: NTLMSSP_NEGOTIATE_OEM
>                   1: NTLMSSP_REQUEST_TARGET
>                   1: NTLMSSP_NEGOTIATE_SIGN
>                   0: NTLMSSP_NEGOTIATE_SEAL
>                   0: NTLMSSP_NEGOTIATE_DATAGRAM
>                   0: NTLMSSP_NEGOTIATE_LM_KEY
>                   0: NTLMSSP_NEGOTIATE_NETWARE
>                   1: NTLMSSP_NEGOTIATE_NTLM
>                   0: NTLMSSP_NEGOTIATE_NT_ONLY
>                   0: NTLMSSP_ANONYMOUS
>                   0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>                   1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>                   1: NTLMSSP_TARGET_TYPE_DOMAIN
>                   0: NTLMSSP_TARGET_TYPE_SERVER
>                   0: NTLMSSP_TARGET_TYPE_SHARE
>                   1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>                   0: NTLMSSP_NEGOTIATE_IDENTIFY
>                   0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>                   1: NTLMSSP_NEGOTIATE_TARGET_INFO
>                   1: NTLMSSP_NEGOTIATE_VERSION
>                   1: NTLMSSP_NEGOTIATE_128
>                   1: NTLMSSP_NEGOTIATE_KEY_EXCH
>                   0: NTLMSSP_NEGOTIATE_56
>            ServerChallenge          : 9577d49bcff93241
>            Reserved                 : 0000000000000000
>            TargetInfoLen            : 0x00c2 (194)
>            TargetInfoMaxLen         : 0x00c2 (194)
>            TargetInfo               : *
>                TargetInfo: struct AV_PAIR_LIST
>                    count                    : 0x00000007 (7)
>                    pair: ARRAY(7)
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvNbDomainName (0x2)
>                            AvLen                    : 0x0008 (8)
>                            Value                    : union ntlmssp_AvValue(case 0x2)
>                            AvNbDomainName           : 'ASW'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvNbComputerName (0x1)
>                            AvLen                    : 0x0014 (20)
>                            Value                    : union ntlmssp_AvValue(case 0x1)
>                            AvNbComputerName         : 'ASWSERVER'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvDnsDomainName (0x4)
>                            AvLen                    : 0x0024 (36)
>                            Value                    : union ntlmssp_AvValue(case 0x4)
>                            AvDnsDomainName          : 'ASW.aswglobal.net'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvDnsComputerName (0x3)
>                            AvLen                    : 0x003a (58)
>                            Value                    : union ntlmssp_AvValue(case 0x3)
>                            AvDnsComputerName        : 'aswserver.asw.aswglobal.net'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvDnsTreeName (0x5)
>                            AvLen                    : 0x0024 (36)
>                            Value                    : union ntlmssp_AvValue(case 0x5)
>                            AvDnsTreeName            : 'ASW.aswglobal.net'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvTimestamp (0x7)
>                            AvLen                    : 0x0008 (8)
>                            Value                    : union ntlmssp_AvValue(case 0x7)
>                            AvTimestamp              : Tue Oct 15 07:06:27 2019 EDT
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvEOL (0x0)
>                            AvLen                    : 0x0000 (0)
>                            Value                    : union ntlmssp_AvValue(case 0x0)
>            Version: struct ntlmssp_VERSION
>                ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_10 (0xA)
>                ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0)
>                ProductBuild             : 0x3839 (14393)
>                Reserved                 : 000000
>                NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (0xF)
> [2019/10/15 07:06:26.589905,  1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
>         authenticate: struct AUTHENTICATE_MESSAGE
>            Signature                : 'NTLMSSP'
>            MessageType              : NtLmAuthenticate (3)
>            LmChallengeResponseLen   : 0x0000 (0)
>            LmChallengeResponseMaxLen: 0x0000 (0)
>            LmChallengeResponse      : *
>                LmChallengeResponse      : union ntlmssp_LM_RESPONSE_with_len(case 0)
>            NtChallengeResponseLen   : 0x0000 (0)
>            NtChallengeResponseMaxLen: 0x0000 (0)
>            NtChallengeResponse      : *
>                NtChallengeResponse      : union ntlmssp_NTLM_RESPONSE_with_len(case 0)
>            DomainNameLen            : 0x0000 (0)
>            DomainNameMaxLen         : 0x0000 (0)
>            DomainName               : *
>                DomainName               : ''
>            UserNameLen              : 0x0000 (0)
>            UserNameMaxLen           : 0x0000 (0)
>            UserName                 : *
>                UserName                 : ''
>            WorkstationLen           : 0x0000 (0)
>            WorkstationMaxLen        : 0x0000 (0)
>            Workstation              : *
>                Workstation              : ''
>            EncryptedRandomSessionKeyLen: 0x0010 (16)
>            EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
>            EncryptedRandomSessionKey: *
>                EncryptedRandomSessionKey: DATA_BLOB length=16
>    [0000] 81 EE CC 4D B3 48 F7 A9   57 E9 E6 94 B7 55 59 DE   ...M.H.. W....UY.
>            NegotiateFlags           : 0x62008a15 (1644202517)
>                   1: NTLMSSP_NEGOTIATE_UNICODE
>                   0: NTLMSSP_NEGOTIATE_OEM
>                   1: NTLMSSP_REQUEST_TARGET
>                   1: NTLMSSP_NEGOTIATE_SIGN
>                   0: NTLMSSP_NEGOTIATE_SEAL
>                   0: NTLMSSP_NEGOTIATE_DATAGRAM
>                   0: NTLMSSP_NEGOTIATE_LM_KEY
>                   0: NTLMSSP_NEGOTIATE_NETWARE
>                   1: NTLMSSP_NEGOTIATE_NTLM
>                   0: NTLMSSP_NEGOTIATE_NT_ONLY
>                   1: NTLMSSP_ANONYMOUS
>                   0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>                   1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>                   0: NTLMSSP_TARGET_TYPE_DOMAIN
>                   0: NTLMSSP_TARGET_TYPE_SERVER
>                   0: NTLMSSP_TARGET_TYPE_SHARE
>                   0: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>                   0: NTLMSSP_NEGOTIATE_IDENTIFY
>                   0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>                   0: NTLMSSP_NEGOTIATE_TARGET_INFO
>                   1: NTLMSSP_NEGOTIATE_VERSION
>                   1: NTLMSSP_NEGOTIATE_128
>                   1: NTLMSSP_NEGOTIATE_KEY_EXCH
>                   0: NTLMSSP_NEGOTIATE_56
>            Version: struct ntlmssp_VERSION
>                ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
>                ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
>                ProductBuild             : 0x0000 (0)
>                Reserved: ARRAY(3)
>                    [0]                      : 0x00 (0)
>                    [1]                      : 0x00 (0)
>                    [2]                      : 0x00 (0)
>                NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
> [2019/10/15 07:06:26.590148,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:761(ntlmssp_client_challenge)
>    NTLMSSP: Set final flags:
> [2019/10/15 07:06:26.590160,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>    Got NTLMSSP neg_flags=0x62008a15
>      NTLMSSP_NEGOTIATE_UNICODE
>      NTLMSSP_REQUEST_TARGET
>      NTLMSSP_NEGOTIATE_SIGN
>      NTLMSSP_NEGOTIATE_NTLM
>      NTLMSSP_ANONYMOUS
>      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>      NTLMSSP_NEGOTIATE_VERSION
>      NTLMSSP_NEGOTIATE_128
>      NTLMSSP_NEGOTIATE_KEY_EXCH
> [2019/10/15 07:06:26.590195,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset)
>    NTLMSSP Sign/Seal - Initialising with flags:
> [2019/10/15 07:06:26.590206,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>    Got NTLMSSP neg_flags=0x62008a15
>      NTLMSSP_NEGOTIATE_UNICODE
>      NTLMSSP_REQUEST_TARGET
>      NTLMSSP_NEGOTIATE_SIGN
>      NTLMSSP_NEGOTIATE_NTLM
>      NTLMSSP_ANONYMOUS
>      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>      NTLMSSP_NEGOTIATE_VERSION
>      NTLMSSP_NEGOTIATE_128
>      NTLMSSP_NEGOTIATE_KEY_EXCH
> [2019/10/15 07:06:26.590240,  5, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:638(ntlmssp_sign_reset)
>    NTLMSSP Sign/Seal - using NTLM1

What version of Samba are you using?

It looks like it is using NTLM1, but the Windows domain probably isn't, 
try adding these lines to your smb.conf:

client min protocol = SMB2_02
server min protocol = SMB2_02

Rowland
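The winbind trace quoted above can be read directly from the three NTLMSSP messages: the AUTHENTICATE_MESSAGE has NTLMSSP_ANONYMOUS set, zero-length LM/NT responses and an empty UserName, so the trusted DC is being offered an anonymous bind rather than a trusted-domain credential, and the final flags no longer carry NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, which is why ntlmssp_sign_reset reports "using NTLM1". The decoder below is an added example written for this page, not Samba code: it parses the MS-NLMP wire layout of NEGOTIATE, CHALLENGE and AUTHENTICATE, decodes the NegotiateFlags and the CHALLENGE TargetInfo AV_PAIR list, and reports those two findings. The sample messages at the bottom are constructed here from the flag values, names, server challenge and session-key bytes shown in the log; the FILETIME is made up and the MIC is zeroed, and no key derivation is performed.

```python
"""NTLMSSP message decoder (MS-NLMP layout).  Added example for this thread, not Samba code."""
import struct

SIG = b"NTLMSSP\x00"
VERSION = struct.pack("<BBH", 6, 1, 0) + b"\0\0\0\x0f"  # major 6, minor 1, build 0, reserved, rev 15
ANONYMOUS, EXT_SESSION_SECURITY = 0x00000800, 0x00080000
FLAGS = {  # NegotiateFlags bit -> name
    0x1: "NEGOTIATE_UNICODE", 0x2: "NEGOTIATE_OEM", 0x4: "REQUEST_TARGET", 0x10: "NEGOTIATE_SIGN",
    0x20: "NEGOTIATE_SEAL", 0x40: "NEGOTIATE_DATAGRAM", 0x80: "NEGOTIATE_LM_KEY",
    0x200: "NEGOTIATE_NTLM", 0x800: "ANONYMOUS", 0x1000: "OEM_DOMAIN_SUPPLIED",
    0x2000: "OEM_WORKSTATION_SUPPLIED", 0x8000: "NEGOTIATE_ALWAYS_SIGN", 0x10000: "TARGET_TYPE_DOMAIN",
    0x20000: "TARGET_TYPE_SERVER", 0x80000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x100000: "NEGOTIATE_IDENTIFY", 0x400000: "REQUEST_NON_NT_SESSION_KEY",
    0x800000: "NEGOTIATE_TARGET_INFO", 0x2000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}
AV_IDS = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
          4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 7: "MsvAvTimestamp"}

def flag_names(flags):
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]

def _field(buf, off):  # resolve an 8-byte (Len, MaxLen, Offset) descriptor to its payload bytes
    length, _maxlen, start = struct.unpack_from("<HHI", buf, off)
    return buf[start:start + length]

def parse_av_pairs(blob):  # TargetInfo AV_PAIR list: (AvId, AvLen, Value) up to MsvAvEOL
    pairs, off = {}, 0
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        value = blob[off + 4:off + 4 + av_len]
        off += 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        name = AV_IDS.get(av_id, f"AvId{av_id}")
        # MsvAvTimestamp is a FILETIME; the name pairs are UTF-16LE text
        pairs[name] = struct.unpack("<Q", value)[0] if av_id == 7 else value.decode("utf-16-le")
    return pairs

def parse(buf):
    if buf[:8] != SIG:
        raise ValueError("not an NTLMSSP message")
    mtype, text = struct.unpack_from("<I", buf, 8)[0], lambda off: _field(buf, off).decode("utf-16-le")
    if mtype == 1:  # NEGOTIATE: flags@12, DomainName@16, Workstation@24
        return {"type": "NEGOTIATE", "flags": struct.unpack_from("<I", buf, 12)[0],
                "domain": text(16), "workstation": text(24)}
    if mtype == 2:  # CHALLENGE: TargetName@12, flags@20, ServerChallenge@24, TargetInfo@40
        return {"type": "CHALLENGE", "flags": struct.unpack_from("<I", buf, 20)[0],
                "target_name": text(12), "server_challenge": buf[24:32],
                "target_info": parse_av_pairs(_field(buf, 40))}
    if mtype == 3:  # AUTHENTICATE: Lm@12, Nt@20, Domain@28, User@36, Workstation@44, Key@52, flags@60
        return {"type": "AUTHENTICATE", "flags": struct.unpack_from("<I", buf, 60)[0],
                "lm_response": _field(buf, 12), "nt_response": _field(buf, 20), "domain": text(28),
                "user": text(36), "workstation": text(44), "session_key": _field(buf, 52)}
    raise ValueError(f"unknown NTLMSSP message type {mtype}")

def assess(auth):  # findings for an AUTHENTICATE: anonymous bind, session security downgraded to NTLM1
    findings = []
    if auth["flags"] & ANONYMOUS or (not auth["nt_response"] and not auth["user"]):
        findings.append("anonymous: NTLMSSP_ANONYMOUS set or empty user and NT response")
    if not auth["flags"] & EXT_SESSION_SECURITY:
        findings.append("EXTENDED_SESSIONSECURITY not negotiated: sign/seal falls back to NTLM1")
    return findings

def _pack(header_len, payloads):  # field descriptors whose payload offsets start after the fixed header
    fields, payload, off = b"", b"", header_len
    for p in payloads:
        fields += struct.pack("<HHI", len(p), len(p), off)
        payload, off = payload + p, off + len(p)
    return fields, payload

def build_negotiate(flags, domain=b"", workstation=b""):
    fields, payload = _pack(40, [domain, workstation])
    return SIG + struct.pack("<II", 1, flags) + fields + VERSION + payload

def build_challenge(flags, target_name, server_challenge, av_pairs):
    target_info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs) + bytes(4)  # + EOL
    fields, payload = _pack(56, [target_name, target_info])
    return (SIG + struct.pack("<I", 2) + fields[:8] + struct.pack("<I", flags)
            + server_challenge + bytes(8) + fields[8:] + VERSION + payload)

def build_authenticate(flags, lm, nt, domain, user, workstation, session_key):
    fields, payload = _pack(88, [lm, nt, domain, user, workstation, session_key])
    return SIG + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + VERSION + bytes(16) + payload

# Constructed sample exchange: flags, names, challenge and key bytes come from the log; FILETIME is made up
u = lambda s: s.encode("utf-16-le")
SAMPLE_NEGOTIATE = build_negotiate(0x62088215)
SAMPLE_CHALLENGE = build_challenge(
    0x62898215, u("ASW"), bytes.fromhex("9577d49bcff93241"),
    [(2, u("ASW")), (1, u("ASWSERVER")), (4, u("ASW.aswglobal.net")),
     (3, u("aswserver.asw.aswglobal.net")), (5, u("ASW.aswglobal.net")),
     (7, struct.pack("<Q", 132156783870000000))])
SAMPLE_AUTHENTICATE = build_authenticate(  # empty LM/NT responses and empty user: anonymous
    0x62008a15, b"", b"", b"", b"", b"", bytes.fromhex("81eecc4db348f7a957e9e694b75559de"))
```

Running `assess(parse(SAMPLE_AUTHENTICATE))` yields both findings; on a real trust the same decoder can be pointed at the NTLMSSP blobs carved out of a packet capture of the SPNEGO exchange between the two DCs, and the thing to confirm is whether the AUTHENTICATE carries a trusted-domain user and NT response or, as in this log, nothing at all.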
