[Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
Rowland penny
rpenny at samba.org
Tue Oct 15 13:23:10 UTC 2019
On 15/10/2019 13:56, ASW Global via samba wrote:
> I've read the documentation that domain trusts should be fully supported with both Kerberos and NTLM authentication. I've created a new 2016 domain on a Windows box and created a Samba domain on a Linux box with a BIND9_DLZ backend. Both servers can resolve both DNS domains forwards and backwards and I am able to connect a Windows 10 client to the Samba domain without any issues. The problem occurs when I create a full external trust between the two domains. The trust is created successfully with samba-tool, however the verify fails with TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED.
>
> The end result is a trust relation that fully works with Kerberos authentication (such as logging in on the trusted domain from a domain connected to the other), but this won't work with NTLM authentication outside of its realm. I am constantly getting this error message in the wb-DOMAIN logs:
>
> Starting GENSEC submechanism ntlmssp
> [2019/10/15 07:06:26.589018, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
> negotiate: struct NEGOTIATE_MESSAGE
> Signature : 'NTLMSSP'
> MessageType : NtLmNegotiate (1)
> NegotiateFlags : 0x62088215 (1644724757)
> 1: NTLMSSP_NEGOTIATE_UNICODE
> 0: NTLMSSP_NEGOTIATE_OEM
> 1: NTLMSSP_REQUEST_TARGET
> 1: NTLMSSP_NEGOTIATE_SIGN
> 0: NTLMSSP_NEGOTIATE_SEAL
> 0: NTLMSSP_NEGOTIATE_DATAGRAM
> 0: NTLMSSP_NEGOTIATE_LM_KEY
> 0: NTLMSSP_NEGOTIATE_NETWARE
> 1: NTLMSSP_NEGOTIATE_NTLM
> 0: NTLMSSP_NEGOTIATE_NT_ONLY
> 0: NTLMSSP_ANONYMOUS
> 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> 0: NTLMSSP_TARGET_TYPE_DOMAIN
> 0: NTLMSSP_TARGET_TYPE_SERVER
> 0: NTLMSSP_TARGET_TYPE_SHARE
> 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> 0: NTLMSSP_NEGOTIATE_IDENTIFY
> 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> 0: NTLMSSP_NEGOTIATE_TARGET_INFO
> 1: NTLMSSP_NEGOTIATE_VERSION
> 1: NTLMSSP_NEGOTIATE_128
> 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> 0: NTLMSSP_NEGOTIATE_56
> DomainNameLen : 0x0000 (0)
> DomainNameMaxLen : 0x0000 (0)
> DomainName : *
> DomainName : ''
> WorkstationLen : 0x0000 (0)
> WorkstationMaxLen : 0x0000 (0)
> Workstation : *
> Workstation : ''
> Version: struct ntlmssp_VERSION
> ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
> ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
> ProductBuild : 0x0000 (0)
> Reserved: ARRAY(3)
> [0] : 0x00 (0)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
> [2019/10/15 07:06:26.589188, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
> gensec_update_send: ntlmssp[0x5625297aa300]: subreq: 0x5625299b9330
> [2019/10/15 07:06:26.589207, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
> gensec_update_send: spnego[0x56252a561b00]: subreq: 0x562529ff3510
> [2019/10/15 07:06:26.589223, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
> gensec_update_done: ntlmssp[0x5625297aa300]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5625299b9330/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x5625299b94e0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215]
> [2019/10/15 07:06:26.589246, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
> gensec_update_done: spnego[0x56252a561b00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
> [2019/10/15 07:06:26.589508, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:273(ntlmssp_client_challenge)
> Got challenge flags:
> [2019/10/15 07:06:26.589527, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_TARGET_TYPE_DOMAIN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_TARGET_INFO
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2019/10/15 07:06:26.589577, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
> challenge: struct CHALLENGE_MESSAGE
> Signature : 'NTLMSSP'
> MessageType : NtLmChallenge (0x2)
> TargetNameLen : 0x0008 (8)
> TargetNameMaxLen : 0x0008 (8)
> TargetName : *
> TargetName : 'ASW'
> NegotiateFlags : 0x62898215 (1653178901)
> 1: NTLMSSP_NEGOTIATE_UNICODE
> 0: NTLMSSP_NEGOTIATE_OEM
> 1: NTLMSSP_REQUEST_TARGET
> 1: NTLMSSP_NEGOTIATE_SIGN
> 0: NTLMSSP_NEGOTIATE_SEAL
> 0: NTLMSSP_NEGOTIATE_DATAGRAM
> 0: NTLMSSP_NEGOTIATE_LM_KEY
> 0: NTLMSSP_NEGOTIATE_NETWARE
> 1: NTLMSSP_NEGOTIATE_NTLM
> 0: NTLMSSP_NEGOTIATE_NT_ONLY
> 0: NTLMSSP_ANONYMOUS
> 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> 1: NTLMSSP_TARGET_TYPE_DOMAIN
> 0: NTLMSSP_TARGET_TYPE_SERVER
> 0: NTLMSSP_TARGET_TYPE_SHARE
> 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> 0: NTLMSSP_NEGOTIATE_IDENTIFY
> 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> 1: NTLMSSP_NEGOTIATE_TARGET_INFO
> 1: NTLMSSP_NEGOTIATE_VERSION
> 1: NTLMSSP_NEGOTIATE_128
> 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> 0: NTLMSSP_NEGOTIATE_56
> ServerChallenge : 9577d49bcff93241
> Reserved : 0000000000000000
> TargetInfoLen : 0x00c2 (194)
> TargetInfoMaxLen : 0x00c2 (194)
> TargetInfo : *
> TargetInfo: struct AV_PAIR_LIST
> count : 0x00000007 (7)
> pair: ARRAY(7)
> pair: struct AV_PAIR
> AvId : MsvAvNbDomainName (0x2)
> AvLen : 0x0008 (8)
> Value : union ntlmssp_AvValue(case 0x2)
> AvNbDomainName : 'ASW'
> pair: struct AV_PAIR
> AvId : MsvAvNbComputerName (0x1)
> AvLen : 0x0014 (20)
> Value : union ntlmssp_AvValue(case 0x1)
> AvNbComputerName : 'ASWSERVER'
> pair: struct AV_PAIR
> AvId : MsvAvDnsDomainName (0x4)
> AvLen : 0x0024 (36)
> Value : union ntlmssp_AvValue(case 0x4)
> AvDnsDomainName : 'ASW.aswglobal.net'
> pair: struct AV_PAIR
> AvId : MsvAvDnsComputerName (0x3)
> AvLen : 0x003a (58)
> Value : union ntlmssp_AvValue(case 0x3)
> AvDnsComputerName : 'aswserver.asw.aswglobal.net'
> pair: struct AV_PAIR
> AvId : MsvAvDnsTreeName (0x5)
> AvLen : 0x0024 (36)
> Value : union ntlmssp_AvValue(case 0x5)
> AvDnsTreeName : 'ASW.aswglobal.net'
> pair: struct AV_PAIR
> AvId : MsvAvTimestamp (0x7)
> AvLen : 0x0008 (8)
> Value : union ntlmssp_AvValue(case 0x7)
> AvTimestamp : Tue Oct 15 07:06:27 2019 EDT
> pair: struct AV_PAIR
> AvId : MsvAvEOL (0x0)
> AvLen : 0x0000 (0)
> Value : union ntlmssp_AvValue(case 0x0)
> Version: struct ntlmssp_VERSION
> ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_10 (0xA)
> ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0)
> ProductBuild : 0x3839 (14393)
> Reserved : 000000
> NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (0xF)
> [2019/10/15 07:06:26.589905, 1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
> authenticate: struct AUTHENTICATE_MESSAGE
> Signature : 'NTLMSSP'
> MessageType : NtLmAuthenticate (3)
> LmChallengeResponseLen : 0x0000 (0)
> LmChallengeResponseMaxLen: 0x0000 (0)
> LmChallengeResponse : *
> LmChallengeResponse : union ntlmssp_LM_RESPONSE_with_len(case 0)
> NtChallengeResponseLen : 0x0000 (0)
> NtChallengeResponseMaxLen: 0x0000 (0)
> NtChallengeResponse : *
> NtChallengeResponse : union ntlmssp_NTLM_RESPONSE_with_len(case 0)
> DomainNameLen : 0x0000 (0)
> DomainNameMaxLen : 0x0000 (0)
> DomainName : *
> DomainName : ''
> UserNameLen : 0x0000 (0)
> UserNameMaxLen : 0x0000 (0)
> UserName : *
> UserName : ''
> WorkstationLen : 0x0000 (0)
> WorkstationMaxLen : 0x0000 (0)
> Workstation : *
> Workstation : ''
> EncryptedRandomSessionKeyLen: 0x0010 (16)
> EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
> EncryptedRandomSessionKey: *
> EncryptedRandomSessionKey: DATA_BLOB length=16
> [0000] 81 EE CC 4D B3 48 F7 A9 57 E9 E6 94 B7 55 59 DE ...M.H.. W....UY.
> NegotiateFlags : 0x62008a15 (1644202517)
> 1: NTLMSSP_NEGOTIATE_UNICODE
> 0: NTLMSSP_NEGOTIATE_OEM
> 1: NTLMSSP_REQUEST_TARGET
> 1: NTLMSSP_NEGOTIATE_SIGN
> 0: NTLMSSP_NEGOTIATE_SEAL
> 0: NTLMSSP_NEGOTIATE_DATAGRAM
> 0: NTLMSSP_NEGOTIATE_LM_KEY
> 0: NTLMSSP_NEGOTIATE_NETWARE
> 1: NTLMSSP_NEGOTIATE_NTLM
> 0: NTLMSSP_NEGOTIATE_NT_ONLY
> 1: NTLMSSP_ANONYMOUS
> 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> 0: NTLMSSP_TARGET_TYPE_DOMAIN
> 0: NTLMSSP_TARGET_TYPE_SERVER
> 0: NTLMSSP_TARGET_TYPE_SHARE
> 0: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> 0: NTLMSSP_NEGOTIATE_IDENTIFY
> 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> 0: NTLMSSP_NEGOTIATE_TARGET_INFO
> 1: NTLMSSP_NEGOTIATE_VERSION
> 1: NTLMSSP_NEGOTIATE_128
> 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> 0: NTLMSSP_NEGOTIATE_56
> Version: struct ntlmssp_VERSION
> ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
> ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
> ProductBuild : 0x0000 (0)
> Reserved: ARRAY(3)
> [0] : 0x00 (0)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
> [2019/10/15 07:06:26.590148, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:761(ntlmssp_client_challenge)
> NTLMSSP: Set final flags:
> [2019/10/15 07:06:26.590160, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_ANONYMOUS
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2019/10/15 07:06:26.590195, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2019/10/15 07:06:26.590206, 3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_ANONYMOUS
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2019/10/15 07:06:26.590240, 5, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:638(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - using NTLM1
What version of Samba are you using?
It looks like it is using NTLM1, but the Windows domain probably isn't,
try adding these lines to your smb.conf:
client min protocol = SMB2_02
server min protocol = SMB2_02
Rowland
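As an added example (not code from the post, nor Samba's own), a small Python decoder for the NegotiateFlags words in the quoted log: it expands each word into the flag names Samba prints (the bit values are the MS-NLMP ones) and lists which flags the client's AUTHENTICATE message dropped relative to the server's CHALLENGE, which is the comparison a reader of this log makes to see why Samba ends up "using NTLM1".

```python
# Added example: decode NTLMSSP NegotiateFlags words and diff two messages.
# Bit values follow MS-NLMP section 2.2.2.5; the names match Samba's output.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000100: "NTLMSSP_NEGOTIATE_NETWARE",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000400: "NTLMSSP_NEGOTIATE_NT_ONLY",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00004000: "NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00040000: "NTLMSSP_TARGET_TYPE_SHARE",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

def decode_flags(word):
    """Names of the flags set in a 32-bit NegotiateFlags word, low bit first."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if word & bit]

def dropped_flags(challenge, authenticate):
    """Flags the server set in CHALLENGE that the client's AUTHENTICATE lacks."""
    return decode_flags(challenge & ~authenticate & 0xFFFFFFFF)

# The three words taken from the quoted wb-DOMAIN log above.
NEGOTIATE, CHALLENGE, AUTHENTICATE = 0x62088215, 0x62898215, 0x62008a15

if __name__ == "__main__":
    for label, word in (("negotiate", NEGOTIATE), ("challenge", CHALLENGE),
                        ("authenticate", AUTHENTICATE)):
        print(f"{label}: 0x{word:08x}", *decode_flags(word), sep="\n    ")
    print("dropped by client:", dropped_flags(CHALLENGE, AUTHENTICATE))
    print("anonymous authenticate:", bool(AUTHENTICATE & 0x00000800))
```

Run against the log's values it shows the AUTHENTICATE word carrying NTLMSSP_ANONYMOUS while NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY and NTLMSSP_NEGOTIATE_TARGET_INFO were dropped, consistent with the empty UserName and zero-length NtChallengeResponse in the same message.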