[Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD

ASW Global aswsupplyservices@outlook.com
Wed Oct 16 12:40:54 UTC 2019


Hi Rowland,

I made the change to my smb.conf, but I still get that error message that talks about NTLM1. Here is the full error I get when creating the domain trust. I am going to try creating the trust on a computer with the latest version of SAMBA+ to see if that works.

# samba-tool domain trust create asw.aswglobal.net --quarantined=yes -U"Administrator@ASW.ASWGLOBAL.NET" --local-dc-username=Administrator@OTHER.ASWGLOBAL.NET -d 10
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncalrpc:ASW-RSX[,auth_type=ncalrpc_as_system]
Mapped to DCERPC endpoint EPMAPPER
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
Starting GENSEC mechanism naclrpc_as_system
gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2475220
gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2475220/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)]  state[struct gensec_ncalrpc_update_state (0x24753d0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
dcerpc_pull_auth_trailer: auth_pad_length 0
gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2486740
gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_OK tevent_req[0x2486740/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)]  state[struct gensec_ncalrpc_update_state (0x24868f0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
rpc request data:
[0000] 01 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
(...garbage...)
[0070] 00 00 00 00 00 00 00 00   01 00 00 00               ........ ....
rpc reply data:
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
(...garbage...)
Mapped to DCERPC endpoint DEFAULT
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
Starting GENSEC mechanism naclrpc_as_system
gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2475220
gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2475220/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)]  state[struct gensec_ncalrpc_update_state (0x24753d0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
dcerpc_pull_auth_trailer: auth_pad_length 0
gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2486dc0
gensec_update_done: naclrpc_as_system[0x2485a60]: NT_STATUS_OK tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)]  state[struct gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
rpc request data:
[0000] 00 00 02 00 01 00 00 00   00 00 00 00 01 00 00 00   ........ ........
(...garbage...)
[0030] 00 00 00 00 29 00 00 00                             ....)...
rpc reply data:
[0000] 00 00 00 00 82 20 7F 78   8C B5 44 46 98 DA 98 85   ..... .x ..DF....
(...garbage...)
rpc request data:
[0000] 00 00 00 00 82 20 7F 78   8C B5 44 46 98 DA 98 85   ..... .x ..DF....
(...garbage...)
rpc reply data:
[0000] 00 00 02 00 0C 00 00 00   06 00 08 00 04 00 02 00   ........ ........
(...garbage...)
[00C0] 5B CF 86 04 00 00 00 00                             [.......
LocalDomain Netbios[OTHER] DNS[other.aswglobal.net] SID[S-1-5-21-1812336436-162148099-75943771]
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
finddcs: searching for a DC by DNS domain asw.aswglobal.net
finddcs: looking for SRV records for _ldap._tcp.asw.aswglobal.net
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.asw.aswglobal.net<0x0>
getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C
getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET
getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C
getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C
getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET
getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C
dns_lookup_send_next: Sending DNS request #0 to 127.0.0.53
dns_cli_request_send: Asking 127.0.0.53 for _ldap._tcp.asw.aswglobal.net./1/33 via UDP
[0000] 9F F2 01 00 00 01 00 00   00 00 00 00 05 5F 6C 64   ........ ....._ld
(...garbage...)
dns_lookup_send_next: cancelling wait_subreq
[0000] 9F F2 81 80 00 01 00 01   00 00 00 00 05 5F 6C 64   ........ ....._ld
(...garbage...)
dns_cli_request_udp_done: Got op=8180 1/1/0/0 recs
finddcs: DNS SRV response 0 at '10.0.0.42'
finddcs: performing CLDAP query on 10.0.0.42
     &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
        command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
        sbz                      : 0x0000 (0)
        server_type              : 0x0001f1fd (127485)
               1: NBT_SERVER_PDC
               1: NBT_SERVER_GC
               1: NBT_SERVER_LDAP
               1: NBT_SERVER_DS
               1: NBT_SERVER_KDC
               1: NBT_SERVER_TIMESERV
               1: NBT_SERVER_CLOSEST
               1: NBT_SERVER_WRITABLE
               0: NBT_SERVER_GOOD_TIMESERV
               0: NBT_SERVER_NDNC
               0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
               1: NBT_SERVER_FULL_SECRET_DOMAIN_6
               1: NBT_SERVER_ADS_WEB_SERVICE
               1: NBT_SERVER_DS_8
               0: NBT_SERVER_HAS_DNS_NAME
               0: NBT_SERVER_IS_DEFAULT_NC
               0: NBT_SERVER_FOREST_ROOT
        domain_uuid              : ba3d2257-3ed3-4a7e-b58a-244488d8a6db
        forest                   : 'asw.aswglobal.net'
        dns_domain               : 'asw.aswglobal.net'
        pdc_dns_name             : 'aswserver.asw.aswglobal.net'
        domain_name              : 'ASW'
        pdc_name                 : 'ASWSERVER'
        user_name                : ''
        server_site              : 'Default-First-Site-Name'
        client_site              : 'Default-First-Site-Name'
        sockaddr_size            : 0x00 (0)
        sockaddr: struct nbt_sockaddr
            sockaddr_family          : 0x00000000 (0)
            pdc_ip                   : (null)
            remaining                : DATA_BLOB length=0
        next_closest_site        : NULL
        nt_version               : 0x00000005 (5)
               1: NETLOGON_NT_VERSION_1
               0: NETLOGON_NT_VERSION_5
               1: NETLOGON_NT_VERSION_5EX
               0: NETLOGON_NT_VERSION_5EX_WITH_IP
               0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
               0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
               0: NETLOGON_NT_VERSION_PDC
               0: NETLOGON_NT_VERSION_IP
               0: NETLOGON_NT_VERSION_LOCAL
               0: NETLOGON_NT_VERSION_GC
        lmnt_token               : 0xffff (65535)
        lm20_token               : 0xffff (65535)
finddcs: Found matching DC 10.0.0.42 with server_type=0x0001f1fd
RemoteDC Netbios[ASWSERVER] DNS[aswserver.asw.aswglobal.net] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8,__unknown_00018000__]
Using binding ncacn_np:aswserver.asw.aswglobal.net
Mapped to DCERPC endpoint \pipe\lsarpc
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
resolve_lmhosts: Attempting lmhosts lookup for name aswserver.asw.aswglobal.net<0x20>
getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C
getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET
getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C
getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C
getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET
getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 131072
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [Administrator@ASW.ASWGLOBAL.NET]:
Received smb_krb5 packet of length 169
Received smb_krb5 packet of length 108
kinit for Administrator@ASW.ASWGLOBAL.NET succeeded
gensec_update_send: gssapi_krb5[0x2486130]: subreq: 0x2486dc0
gensec_update_send: spnego[0x249da80]: subreq: 0x24a3cc0
gensec_update_done: gssapi_krb5[0x2486130]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2486dc0/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x2486f70)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1065]
gensec_update_done: spnego[0x249da80]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x24a3cc0/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x24a3e70)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
gensec_update_send: gssapi_krb5[0x2486130]: subreq: 0x24ab540
gensec_update_send: spnego[0x249da80]: subreq: 0x24ada20
gensec_update_done: gssapi_krb5[0x2486130]: NT_STATUS_OK tevent_req[0x24ab540/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x24ab6f0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1072]
gensec_update_done: spnego[0x249da80]: NT_STATUS_OK tevent_req[0x24ada20/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x24adbd0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
signed SMB2 message
signed SMB2 message
signed SMB2 message
rpc request data:
[0000] 00 00 02 00 01 00 00 00   00 00 00 00 01 00 00 00   ........ ........
(...garbage...)
[0030] 00 00 00 00 29 00 00 00                             ....)...
signed SMB2 message
rpc reply data:
(...garbage...)
rpc request data:
(...garbage...)
signed SMB2 message
rpc reply data:
[0000] 00 00 02 00 0C 00 00 00   08 00 0A 00 04 00 02 00   ........ ........
(...garbage...)
[00C0] AF B2 B1 5B 00 00 00 00                             ...[....
RemoteDomain Netbios[ASW] DNS[asw.aswglobal.net] SID[S-1-5-21-822572291-61738364-1538372271]
rpc request data:
[0000] 00 00 00 00 82 20 7F 78   8C B5 44 46 98 DA 98 85   ..... .x ..DF....
(...garbage...)
[0040] 61 00 6C 00 2E 00 6E 00   65 00 74 00 08 00         a.l...n. e.t...
rpc reply data:
[0000] 00 00 00 00 34 00 00 C0                             ....4...
rpc request data:
[0000] 00 00 00 00 82 20 7F 78   8C B5 44 46 98 DA 98 85   ..... .x ..DF....
(...garbage...)
[0030] 08 00                                              ..
rpc reply data:
[0000] 00 00 00 00 34 00 00 C0                             ....4...
rpc request data:
[0000] 00 00 00 00 D2 23 8F A2   E0 F9 0F 40 A0 98 2A BD   .....#.. ...@..*.
(...garbage...)
[0040] 6C 00 2E 00 6E 00 65 00   74 00 08 00               l...n.e. t...
signed SMB2 message
rpc reply data:
[0000] 00 00 00 00 34 00 00 C0                             ....4...
rpc request data:
[0000] 00 00 00 00 D2 23 8F A2   E0 F9 0F 40 A0 98 2A BD   .....#.. ...@..*.
(...garbage...)
signed SMB2 message
rpc reply data:
[0000] 00 00 00 00 34 00 00 C0                             ....4...
Using binding ncalrpc:ASW-RSX[,auth_type=ncalrpc_as_system]
Mapped to DCERPC endpoint EPMAPPER
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
Starting GENSEC mechanism naclrpc_as_system
gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486dc0
gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)]  state[struct gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
dcerpc_pull_auth_trailer: auth_pad_length 0
gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486a80
gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_OK tevent_req[0x2486a80/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)]  state[struct gensec_ncalrpc_update_state (0x2486c30)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
rpc request data:
[0000] 01 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
(...garbage...)
rpc reply data:
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
(...garbage...)
Mapped to DCERPC endpoint DEFAULT
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
Starting GENSEC mechanism naclrpc_as_system
gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486dc0
gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)]  state[struct gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
dcerpc_pull_auth_trailer: auth_pad_length 0
gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x24ab540
gensec_update_done: naclrpc_as_system[0x24a3fa0]: NT_STATUS_OK tevent_req[0x24ab540/../../auth/gensec/ncalrpc.c:99]: state[2] error[0 (0x0)]  state[struct gensec_ncalrpc_update_state (0x24ab6f0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116]
rpc request data:
[0000] 00 00 02 00 08 00 00 00   00 00 00 00 08 00 00 00   ........ ........
(...garbage...)
[0030] 00 00 00 00 00 00 00 40                             .......@
rpc reply data:
[0000] 04 00 02 00 08 00 02 00   0C 00 02 00 01 00 00 00   ........ ........
(...garbage...)
[0170] 65 00 00 00 00 00 00 00                             e.......
Using binding ncacn_np:aswserver.asw.aswglobal.net
Mapped to DCERPC endpoint \pipe\netlogon
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface ens160 ip=10.0.0.40 bcast=10.0.0.63 netmask=255.255.255.224
resolve_lmhosts: Attempting lmhosts lookup for name aswserver.asw.aswglobal.net<0x20>
getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C
getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET
getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C
getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C
getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET
getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 131072
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for Administrator@ASW.ASWGLOBAL.NET will expire in 36000 secs
gensec_update_send: gssapi_krb5[0x24b7e90]: subreq: 0x24ab540
gensec_update_send: spnego[0x249dd90]: subreq: 0x24b6710
gensec_update_done: gssapi_krb5[0x24b7e90]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x24ab540/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x24ab6f0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1065]
gensec_update_done: spnego[0x249dd90]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x24b6710/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x24b68c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
gensec_update_send: gssapi_krb5[0x24b7e90]: subreq: 0x2141650
gensec_update_send: spnego[0x249dd90]: subreq: 0x24b6710
gensec_update_done: gssapi_krb5[0x24b7e90]: NT_STATUS_OK tevent_req[0x2141650/../../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x2141800)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1072]
gensec_update_done: spnego[0x249dd90]: NT_STATUS_OK tevent_req[0x24b6710/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x24b68c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
signed SMB2 message
signed SMB2 message
signed SMB2 message
rpc request data:
[0000] 00 00 02 00 1E 00 00 00   00 00 00 00 1E 00 00 00   ........ ........
(...garbage...)
[0060] 00 00 00 40                                        ...@
signed SMB2 message
rpc reply data:
[0000] 00 00 02 00 04 00 02 00   08 00 02 00 01 00 00 00   ........ ........
(...garbage...)
[0180] 65 00 00 00 00 00 00 00                             e.......
Creating remote TDO.
rpc request data:
[0000] 00 00 00 00 D2 23 8F A2   E0 F9 0F 40 A0 98 2A BD   .....#.. ...@..*.
(...garbage...)
[04C0] 7F 00 0F 00                                        ....
signed SMB2 message
rpc reply data:
[0000] 00 00 00 00 E6 07 5D 60   F1 A0 66 40 AC 41 65 15   ......]` ..f@.Ae.
[0010] A7 97 42 7B 00 00 00 00                             ..B{....
Remote TDO created.
Setting supported encryption types on remote TDO.
rpc request data:
[0000] 00 00 00 00 E6 07 5D 60   F1 A0 66 40 AC 41 65 15   ......]` ..f@.Ae.
[0010] A7 97 42 7B 0D 00 0D 00   18 00 00 00               ..B{.... ....
signed SMB2 message
rpc reply data:
[0000] 00 00 00 00                                        ....
Creating local TDO.
rpc request data:
[0000] 00 00 00 00 82 20 7F 78   8C B5 44 46 98 DA 98 85   ..... .x ..DF....
(...garbage...)
[04C0] 7F 00 0F 00                                        ....
rpc reply data:
[0000] 03 00 00 00 D8 84 B1 B4   EF 1F B6 45 BC 4E DC 36   ........ ...E.N.6
[0010] 31 C7 21 9F 00 00 00 00                             1.!.....
Local TDO created
Setting supported encryption types on local TDO.
rpc request data:
[0000] 03 00 00 00 D8 84 B1 B4   EF 1F B6 45 BC 4E DC 36   ........ ...E.N.6
[0010] 31 C7 21 9F 0D 00 0D 00   18 00 00 00               1.!..... ....
rpc reply data:
[0000] 00 00 00 00                                        ....
Validating outgoing trust...
rpc request data:
(...garbage...)
[0060] 74 00 00 00 00 00 00 00                             t.......
ERROR: LocalValidation: DC[\\aswserver.asw.aswglobal.net] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
signed SMB2 message
signed SMB2 message
Thanks

________________________________
From: Rowland Penny <rpenny@samba.org>
Sent: Tuesday, October 15, 2019 9:23 AM
To: samba@lists.samba.org <samba@lists.samba.org>
Subject: Re: [Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD

On 15/10/2019 13:56, ASW Global via samba wrote:
> I've read the documentation that domain trusts should be fully supported with both Kerberos and NTLM authentication. I've created a new 2016 domain on a Windows box and created a Samba domain on a Linux box with a BIND9_DLZ backend. Both servers can resolve both DNS domains forwards and backwards, and I am able to connect a Windows 10 client to the Samba domain without any issues. The problem occurs when I create a full external trust between the two domains. The trust is created successfully with samba-tool; however, the verify fails with TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED.
>
> The end result is a trust relation that fully works with Kerberos authentication (such as logging in on the trusted domain from a domain connected to the other), but this won't work with NTLM authentication outside of its realm. I am constantly getting this error message in the wb-DOMAIN logs:
>
> Starting GENSEC submechanism ntlmssp
> [2019/10/15 07:06:26.589018,  1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
>         negotiate: struct NEGOTIATE_MESSAGE
>            Signature                : 'NTLMSSP'
>            MessageType              : NtLmNegotiate (1)
>            NegotiateFlags           : 0x62088215 (1644724757)
>                   1: NTLMSSP_NEGOTIATE_UNICODE
>                   0: NTLMSSP_NEGOTIATE_OEM
>                   1: NTLMSSP_REQUEST_TARGET
>                   1: NTLMSSP_NEGOTIATE_SIGN
>                   0: NTLMSSP_NEGOTIATE_SEAL
>                   0: NTLMSSP_NEGOTIATE_DATAGRAM
>                   0: NTLMSSP_NEGOTIATE_LM_KEY
>                   0: NTLMSSP_NEGOTIATE_NETWARE
>                   1: NTLMSSP_NEGOTIATE_NTLM
>                   0: NTLMSSP_NEGOTIATE_NT_ONLY
>                   0: NTLMSSP_ANONYMOUS
>                   0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>                   1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>                   0: NTLMSSP_TARGET_TYPE_DOMAIN
>                   0: NTLMSSP_TARGET_TYPE_SERVER
>                   0: NTLMSSP_TARGET_TYPE_SHARE
>                   1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>                   0: NTLMSSP_NEGOTIATE_IDENTIFY
>                   0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>                   0: NTLMSSP_NEGOTIATE_TARGET_INFO
>                   1: NTLMSSP_NEGOTIATE_VERSION
>                   1: NTLMSSP_NEGOTIATE_128
>                   1: NTLMSSP_NEGOTIATE_KEY_EXCH
>                   0: NTLMSSP_NEGOTIATE_56
>            DomainNameLen            : 0x0000 (0)
>            DomainNameMaxLen         : 0x0000 (0)
>            DomainName               : *
>                DomainName               : ''
>            WorkstationLen           : 0x0000 (0)
>            WorkstationMaxLen        : 0x0000 (0)
>            Workstation              : *
>                Workstation              : ''
>            Version: struct ntlmssp_VERSION
>                ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
>                ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
>                ProductBuild             : 0x0000 (0)
>                Reserved: ARRAY(3)
>                    [0]                      : 0x00 (0)
>                    [1]                      : 0x00 (0)
>                    [2]                      : 0x00 (0)
>                NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
> [2019/10/15 07:06:26.589188, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
>    gensec_update_send: ntlmssp[0x5625297aa300]: subreq: 0x5625299b9330
> [2019/10/15 07:06:26.589207, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
>    gensec_update_send: spnego[0x56252a561b00]: subreq: 0x562529ff3510
> [2019/10/15 07:06:26.589223, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
>    gensec_update_done: ntlmssp[0x5625297aa300]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5625299b9330/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)]  state[struct gensec_ntlmssp_update_state (0x5625299b94e0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215]
> [2019/10/15 07:06:26.589246, 10, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:512(gensec_update_done)
>    gensec_update_done: spnego[0x56252a561b00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
> [2019/10/15 07:06:26.589508,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:273(ntlmssp_client_challenge)
>    Got challenge flags:
> [2019/10/15 07:06:26.589527,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>    Got NTLMSSP neg_flags=0x62898215
>      NTLMSSP_NEGOTIATE_UNICODE
>      NTLMSSP_REQUEST_TARGET
>      NTLMSSP_NEGOTIATE_SIGN
>      NTLMSSP_NEGOTIATE_NTLM
>      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>      NTLMSSP_TARGET_TYPE_DOMAIN
>      NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>      NTLMSSP_NEGOTIATE_TARGET_INFO
>      NTLMSSP_NEGOTIATE_VERSION
>      NTLMSSP_NEGOTIATE_128
>      NTLMSSP_NEGOTIATE_KEY_EXCH
> [2019/10/15 07:06:26.589577,  1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
>         challenge: struct CHALLENGE_MESSAGE
>            Signature                : 'NTLMSSP'
>            MessageType              : NtLmChallenge (0x2)
>            TargetNameLen            : 0x0008 (8)
>            TargetNameMaxLen         : 0x0008 (8)
>            TargetName               : *
>                TargetName               : 'ASW'
>            NegotiateFlags           : 0x62898215 (1653178901)
>                   1: NTLMSSP_NEGOTIATE_UNICODE
>                   0: NTLMSSP_NEGOTIATE_OEM
>                   1: NTLMSSP_REQUEST_TARGET
>                   1: NTLMSSP_NEGOTIATE_SIGN
>                   0: NTLMSSP_NEGOTIATE_SEAL
>                   0: NTLMSSP_NEGOTIATE_DATAGRAM
>                   0: NTLMSSP_NEGOTIATE_LM_KEY
>                   0: NTLMSSP_NEGOTIATE_NETWARE
>                   1: NTLMSSP_NEGOTIATE_NTLM
>                   0: NTLMSSP_NEGOTIATE_NT_ONLY
>                   0: NTLMSSP_ANONYMOUS
>                   0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>                   1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>                   1: NTLMSSP_TARGET_TYPE_DOMAIN
>                   0: NTLMSSP_TARGET_TYPE_SERVER
>                   0: NTLMSSP_TARGET_TYPE_SHARE
>                   1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>                   0: NTLMSSP_NEGOTIATE_IDENTIFY
>                   0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>                   1: NTLMSSP_NEGOTIATE_TARGET_INFO
>                   1: NTLMSSP_NEGOTIATE_VERSION
>                   1: NTLMSSP_NEGOTIATE_128
>                   1: NTLMSSP_NEGOTIATE_KEY_EXCH
>                   0: NTLMSSP_NEGOTIATE_56
>            ServerChallenge          : 9577d49bcff93241
>            Reserved                 : 0000000000000000
>            TargetInfoLen            : 0x00c2 (194)
>            TargetInfoMaxLen         : 0x00c2 (194)
>            TargetInfo               : *
>                TargetInfo: struct AV_PAIR_LIST
>                    count                    : 0x00000007 (7)
>                    pair: ARRAY(7)
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvNbDomainName (0x2)
>                            AvLen                    : 0x0008 (8)
>                            Value                    : union ntlmssp_AvValue(case 0x2)
>                            AvNbDomainName           : 'ASW'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvNbComputerName (0x1)
>                            AvLen                    : 0x0014 (20)
>                            Value                    : union ntlmssp_AvValue(case 0x1)
>                            AvNbComputerName         : 'ASWSERVER'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvDnsDomainName (0x4)
>                            AvLen                    : 0x0024 (36)
>                            Value                    : union ntlmssp_AvValue(case 0x4)
>                            AvDnsDomainName          : 'ASW.aswglobal.net'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvDnsComputerName (0x3)
>                            AvLen                    : 0x003a (58)
>                            Value                    : union ntlmssp_AvValue(case 0x3)
>                            AvDnsComputerName        : 'aswserver.asw.aswglobal.net'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvDnsTreeName (0x5)
>                            AvLen                    : 0x0024 (36)
>                            Value                    : union ntlmssp_AvValue(case 0x5)
>                            AvDnsTreeName            : 'ASW.aswglobal.net'
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvTimestamp (0x7)
>                            AvLen                    : 0x0008 (8)
>                            Value                    : union ntlmssp_AvValue(case 0x7)
>                            AvTimestamp              : Tue Oct 15 07:06:27 2019 EDT
>                        pair: struct AV_PAIR
>                            AvId                     : MsvAvEOL (0x0)
>                            AvLen                    : 0x0000 (0)
>                            Value                    : union ntlmssp_AvValue(case 0x0)
>            Version: struct ntlmssp_VERSION
>                ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_10 (0xA)
>                ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0)
>                ProductBuild             : 0x3839 (14393)
>                Reserved                 : 000000
>                NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (0xF)
> [2019/10/15 07:06:26.589905,  1, pid=12457, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug)
>         authenticate: struct AUTHENTICATE_MESSAGE
>            Signature                : 'NTLMSSP'
>            MessageType              : NtLmAuthenticate (3)
>            LmChallengeResponseLen   : 0x0000 (0)
>            LmChallengeResponseMaxLen: 0x0000 (0)
>            LmChallengeResponse      : *
>                LmChallengeResponse      : union ntlmssp_LM_RESPONSE_with_len(case 0)
>            NtChallengeResponseLen   : 0x0000 (0)
>            NtChallengeResponseMaxLen: 0x0000 (0)
>            NtChallengeResponse      : *
>                NtChallengeResponse      : union ntlmssp_NTLM_RESPONSE_with_len(case 0)
>            DomainNameLen            : 0x0000 (0)
>            DomainNameMaxLen         : 0x0000 (0)
>            DomainName               : *
>                DomainName               : ''
>            UserNameLen              : 0x0000 (0)
>            UserNameMaxLen           : 0x0000 (0)
>            UserName                 : *
>                UserName                 : ''
>            WorkstationLen           : 0x0000 (0)
>            WorkstationMaxLen        : 0x0000 (0)
>            Workstation              : *
>                Workstation              : ''
>            EncryptedRandomSessionKeyLen: 0x0010 (16)
>            EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
>            EncryptedRandomSessionKey: *
>                EncryptedRandomSessionKey: DATA_BLOB length=16
>    [0000] 81 EE CC 4D B3 48 F7 A9   57 E9 E6 94 B7 55 59 DE   ...M.H.. W....UY.
>            NegotiateFlags           : 0x62008a15 (1644202517)
>                   1: NTLMSSP_NEGOTIATE_UNICODE
>                   0: NTLMSSP_NEGOTIATE_OEM
>                   1: NTLMSSP_REQUEST_TARGET
>                   1: NTLMSSP_NEGOTIATE_SIGN
>                   0: NTLMSSP_NEGOTIATE_SEAL
>                   0: NTLMSSP_NEGOTIATE_DATAGRAM
>                   0: NTLMSSP_NEGOTIATE_LM_KEY
>                   0: NTLMSSP_NEGOTIATE_NETWARE
>                   1: NTLMSSP_NEGOTIATE_NTLM
>                   0: NTLMSSP_NEGOTIATE_NT_ONLY
>                   1: NTLMSSP_ANONYMOUS
>                   0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>                   0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>                   1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>                   0: NTLMSSP_TARGET_TYPE_DOMAIN
>                   0: NTLMSSP_TARGET_TYPE_SERVER
>                   0: NTLMSSP_TARGET_TYPE_SHARE
>                   0: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>                   0: NTLMSSP_NEGOTIATE_IDENTIFY
>                   0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>                   0: NTLMSSP_NEGOTIATE_TARGET_INFO
>                   1: NTLMSSP_NEGOTIATE_VERSION
>                   1: NTLMSSP_NEGOTIATE_128
>                   1: NTLMSSP_NEGOTIATE_KEY_EXCH
>                   0: NTLMSSP_NEGOTIATE_56
>            Version: struct ntlmssp_VERSION
>                ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
>                ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
>                ProductBuild             : 0x0000 (0)
>                Reserved: ARRAY(3)
>                    [0]                      : 0x00 (0)
>                    [1]                      : 0x00 (0)
>                    [2]                      : 0x00 (0)
>                NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
> [2019/10/15 07:06:26.590148,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_client.c:761(ntlmssp_client_challenge)
>    NTLMSSP: Set final flags:
> [2019/10/15 07:06:26.590160,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>    Got NTLMSSP neg_flags=0x62008a15
>      NTLMSSP_NEGOTIATE_UNICODE
>      NTLMSSP_REQUEST_TARGET
>      NTLMSSP_NEGOTIATE_SIGN
>      NTLMSSP_NEGOTIATE_NTLM
>      NTLMSSP_ANONYMOUS
>      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>      NTLMSSP_NEGOTIATE_VERSION
>      NTLMSSP_NEGOTIATE_128
>      NTLMSSP_NEGOTIATE_KEY_EXCH
> [2019/10/15 07:06:26.590195,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset)
>    NTLMSSP Sign/Seal - Initialising with flags:
> [2019/10/15 07:06:26.590206,  3, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>    Got NTLMSSP neg_flags=0x62008a15
>      NTLMSSP_NEGOTIATE_UNICODE
>      NTLMSSP_REQUEST_TARGET
>      NTLMSSP_NEGOTIATE_SIGN
>      NTLMSSP_NEGOTIATE_NTLM
>      NTLMSSP_ANONYMOUS
>      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>      NTLMSSP_NEGOTIATE_VERSION
>      NTLMSSP_NEGOTIATE_128
>      NTLMSSP_NEGOTIATE_KEY_EXCH
> [2019/10/15 07:06:26.590240,  5, pid=12457, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_sign.c:638(ntlmssp_sign_reset)
>    NTLMSSP Sign/Seal - using NTLM1

What version of Samba are you using?

It looks like it is using NTLM1, but the Windows domain probably isn't,
try adding these lines to your smb.conf:

client min protocol = SMB2_02
server min protocol = SMB2_02

Rowland
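The "using NTLM1" line in the quoted debug output is decided by the negotiated NTLMSSP flags: Samba's ntlmssp_sign_reset() only sets up NTLM2 signing keys when NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is in the final flag set, and the flags logged above (0x62008a15) do not include it, while they do include NTLMSSP_ANONYMOUS (matching the empty UserName and zero-length NtChallengeResponse in the AUTHENTICATE message). The following is an added example, not code from the thread or from the Samba project: it decodes a `Got NTLMSSP neg_flags=0x...` line into flag names using the bit values from MS-NLMP and reports what a defender would want to know about that negotiation. The sample log lines are constructed (one copied from the quoted output, one a contrasting value with extended session security negotiated); the function names are this example's own.

```python
import re

# NTLMSSP NegotiateFlags bit values as defined in MS-NLMP section 2.2.2.5
# (the same names Samba prints in its ndr_print_debug output above).
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000100: "NTLMSSP_NEGOTIATE_NETWARE",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000400: "NTLMSSP_NEGOTIATE_NT_ONLY",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00004000: "NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00040000: "NTLMSSP_TARGET_TYPE_SHARE",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# Matches the line Samba's debug_ntlmssp_flags() writes at debug level 3.
NEG_FLAGS_RE = re.compile(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]{1,8})")


def decode_flags(value):
    """Return the names of all flags set in a NegotiateFlags value, lowest bit first."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]


def assess_flags(value):
    """Defender-side reading of a negotiated flag set.

    Explains why Samba would log 'using NTLM1' and flags other properties
    of the exchange that are worth noticing in a trust or bind failure.
    """
    names = set(decode_flags(value))
    findings = []
    if "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY" not in names:
        findings.append("no extended session security: NTLM1 sign/seal keys "
                        "(this is what Samba reports as 'using NTLM1')")
    if "NTLMSSP_ANONYMOUS" in names:
        findings.append("anonymous NTLMSSP bind: no user credentials were sent")
    if "NTLMSSP_NEGOTIATE_SIGN" not in names and "NTLMSSP_NEGOTIATE_SEAL" not in names:
        findings.append("neither signing nor sealing negotiated")
    if "NTLMSSP_NEGOTIATE_LM_KEY" in names:
        findings.append("LM key negotiated: LM-derived session key in use")
    return findings


def scan_log(lines):
    """Find every neg_flags line and return (value, flag_names, findings) per hit."""
    results = []
    for line in lines:
        m = NEG_FLAGS_RE.search(line)
        if not m:
            continue
        value = int(m.group(1), 16)
        results.append((value, decode_flags(value), assess_flags(value)))
    return results


# Constructed sample: the first line is the value from the quoted Samba output,
# the second is a constructed contrasting value with NTLM2 (extended session
# security) and a 56/128-bit key negotiated.
SAMPLE_LOG = [
    "   Got NTLMSSP neg_flags=0x62008a15",
    "     NTLMSSP_NEGOTIATE_UNICODE",
    "   Got NTLMSSP neg_flags=0xe2088215",
]

if __name__ == "__main__":
    for value, names, findings in scan_log(SAMPLE_LOG):
        print(f"neg_flags=0x{value:08x}")
        for n in names:
            print(f"  {n}")
        for f in findings:
            print(f"  ! {f}")
```

Running this over the flags from the thread lists exactly the nine names Samba printed and reports two findings: no extended session security (hence "using NTLM1") and an anonymous bind. The flag set alone does not say whether NTLM1 is rejected by the Windows side; it tells you what was negotiated so that the smb.conf change above can be checked against a fresh `-d 10` run.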