[Samba] Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
L.P.H. van Belle
belle at bazuin.nl
Wed Oct 16 14:20:33 UTC 2019
Hai,
Can you try this.
kinit Administrator
samba-tool domain trust create asw.aswglobal.net --quarantined=yes \
-U"Administrator@ASW.ASWGLOBAL.NET" -k yes \
--local-dc-username=Administrator@OTHER.ASWGLOBAL.NET --local-dc-kerberos=yes \
-d 10
You might also have hit:
https://bugzilla.samba.org/show_bug.cgi?id=14106 Fix spnego fallback from kerberos to ntlmssp in smbd server
Or
https://bugzilla.samba.org/show_bug.cgi?id=13884 Joining Active Directory should not use SAMR to set the password
Or
https://bugzilla.samba.org/show_bug.cgi?id=13491 Can't join SAMBA4 DC to a Microsoft Active Directory forest
These are not exactly the same, but your problem looks about the same.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of ASW
> Global via samba
> Sent: Wednesday 16 October 2019 14:41
> To: Rowland penny; samba at lists.samba.org
> Subject: Re: [Samba] Problem with SPNEGO on full trust 2016
> DC <> Samba 4.10.7 AD
>
> Hi Rowland,
>
> I made the change to my smb.conf but I still get that error
> message that talks about NTLM1. Here is the full error I get
> when creating the domain trust. I am going to try creating
> the trust on a computer with the latest version of SAMBA+ to
> see if that works.
>
> # samba-tool domain trust create asw.aswglobal.net
> --quarantined=yes -U"Administrator at ASW.ASWGLOBAL.NET"
> --local-dc-username=Administrator at OTHER.ASWGLOBAL.NET -d 10
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> smb2: 10
> smb2_credits: 10
> dsdb_audit: 10
> dsdb_json_audit: 10
> dsdb_password_audit: 10
> dsdb_password_json_audit: 10
> dsdb_transaction_audit: 10
> dsdb_transaction_json_audit: 10
> dsdb_group_audit: 10
> dsdb_group_json_audit: 10
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Processing section "[global]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> pm_process() returned Yes
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncalrpc:ASW-RSX[,auth_type=ncalrpc_as_system]
> Mapped to DCERPC endpoint EPMAPPER
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> Starting GENSEC mechanism naclrpc_as_system
> gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2475220
> gensec_update_done: naclrpc_as_system[0x2485a60]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x2475220/../../auth/gensec/ncalrpc.c:99]:
> state[2] error[0 (0x0)] state[struct
> gensec_ncalrpc_update_state (0x24753d0)] timer[(nil)]
> finish[../../auth/gensec/ncalrpc.c:116]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2486740
> gensec_update_done: naclrpc_as_system[0x2485a60]:
> NT_STATUS_OK
> tevent_req[0x2486740/../../auth/gensec/ncalrpc.c:99]:
> state[2] error[0 (0x0)] state[struct
> gensec_ncalrpc_update_state (0x24868f0)] timer[(nil)]
> finish[../../auth/gensec/ncalrpc.c:116]
> rpc request data:
> [0000] 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ........ ........
> (...garbage...)
> [0070] 00 00 00 00 00 00 00 00 01 00 00 00
> ........ ....
> rpc reply data:
> [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ........ ........
> (...garbage...)
> Mapped to DCERPC endpoint DEFAULT
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> Starting GENSEC mechanism naclrpc_as_system
> gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2475220
> gensec_update_done: naclrpc_as_system[0x2485a60]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x2475220/../../auth/gensec/ncalrpc.c:99]:
> state[2] error[0 (0x0)] state[struct
> gensec_ncalrpc_update_state (0x24753d0)] timer[(nil)]
> finish[../../auth/gensec/ncalrpc.c:116]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_update_send: naclrpc_as_system[0x2485a60]: subreq: 0x2486dc0
> gensec_update_done: naclrpc_as_system[0x2485a60]:
> NT_STATUS_OK
> tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]:
> state[2] error[0 (0x0)] state[struct
> gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)]
> finish[../../auth/gensec/ncalrpc.c:116]
> rpc request data:
> [0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00
> ........ ........
> (...garbage...)
> [0030] 00 00 00 00 29 00 00 00 ....)...
> rpc reply data:
> [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85
> ..... .x ..DF....
> (...garbage...)
> rpc request data:
> [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85
> ..... .x ..DF....
> (...garbage...)
> rpc reply data:
> [0000] 00 00 02 00 0C 00 00 00 06 00 08 00 04 00 02 00
> ........ ........
> (...garbage...)
> [00C0] 5B CF 86 04 00 00 00 00 [.......
> LocalDomain Netbios[OTHER] DNS[other.aswglobal.net]
> SID[S-1-5-21-1812336436-162148099-75943771]
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> finddcs: searching for a DC by DNS domain asw.aswglobal.net
> finddcs: looking for SRV records for _ldap._tcp.asw.aswglobal.net
> resolve_lmhosts: Attempting lmhosts lookup for name
> _ldap._tcp.asw.aswglobal.net<0x0>
> getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C
> dns_lookup_send_next: Sending DNS request #0 to 127.0.0.53
> dns_cli_request_send: Asking 127.0.0.53 for
> _ldap._tcp.asw.aswglobal.net./1/33 via UDP
> [0000] 9F F2 01 00 00 01 00 00 00 00 00 00 05 5F 6C 64
> ........ ....._ld
> (...garbage...)
> dns_lookup_send_next: cancelling wait_subreq
> [0000] 9F F2 81 80 00 01 00 01 00 00 00 00 05 5F 6C 64
> ........ ....._ld
> (...garbage...)
> dns_cli_request_udp_done: Got op=8180 1/1/0/0 recs
> finddcs: DNS SRV response 0 at '10.0.0.42'
> finddcs: performing CLDAP query on 10.0.0.42
> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
> command : LOGON_SAM_LOGON_RESPONSE_EX (23)
> sbz : 0x0000 (0)
> server_type : 0x0001f1fd (127485)
> 1: NBT_SERVER_PDC
> 1: NBT_SERVER_GC
> 1: NBT_SERVER_LDAP
> 1: NBT_SERVER_DS
> 1: NBT_SERVER_KDC
> 1: NBT_SERVER_TIMESERV
> 1: NBT_SERVER_CLOSEST
> 1: NBT_SERVER_WRITABLE
> 0: NBT_SERVER_GOOD_TIMESERV
> 0: NBT_SERVER_NDNC
> 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
> 1: NBT_SERVER_FULL_SECRET_DOMAIN_6
> 1: NBT_SERVER_ADS_WEB_SERVICE
> 1: NBT_SERVER_DS_8
> 0: NBT_SERVER_HAS_DNS_NAME
> 0: NBT_SERVER_IS_DEFAULT_NC
> 0: NBT_SERVER_FOREST_ROOT
> domain_uuid :
> ba3d2257-3ed3-4a7e-b58a-244488d8a6db
> forest : 'asw.aswglobal.net'
> dns_domain : 'asw.aswglobal.net'
> pdc_dns_name : 'aswserver.asw.aswglobal.net'
> domain_name : 'ASW'
> pdc_name : 'ASWSERVER'
> user_name : ''
> server_site : 'Default-First-Site-Name'
> client_site : 'Default-First-Site-Name'
> sockaddr_size : 0x00 (0)
> sockaddr: struct nbt_sockaddr
> sockaddr_family : 0x00000000 (0)
> pdc_ip : (null)
> remaining : DATA_BLOB length=0
> next_closest_site : NULL
> nt_version : 0x00000005 (5)
> 1: NETLOGON_NT_VERSION_1
> 0: NETLOGON_NT_VERSION_5
> 1: NETLOGON_NT_VERSION_5EX
> 0: NETLOGON_NT_VERSION_5EX_WITH_IP
> 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
> 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
> 0: NETLOGON_NT_VERSION_PDC
> 0: NETLOGON_NT_VERSION_IP
> 0: NETLOGON_NT_VERSION_LOCAL
> 0: NETLOGON_NT_VERSION_GC
> lmnt_token : 0xffff (65535)
> lm20_token : 0xffff (65535)
> finddcs: Found matching DC 10.0.0.42 with server_type=0x0001f1fd
> RemoteDC Netbios[ASWSERVER] DNS[aswserver.asw.aswglobal.net]
> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,FULL_S
> ECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8,__unknown_00018000__]
> Using binding ncacn_np:aswserver.asw.aswglobal.net
> Mapped to DCERPC endpoint \pipe\lsarpc
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> resolve_lmhosts: Attempting lmhosts lookup for name
> aswserver.asw.aswglobal.net<0x20>
> getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 87040
> SO_RCVBUF = 131072
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Password for [Administrator at ASW.ASWGLOBAL.NET]:
> Received smb_krb5 packet of length 169
> Received smb_krb5 packet of length 108
> kinit for Administrator at ASW.ASWGLOBAL.NET succeeded
> gensec_update_send: gssapi_krb5[0x2486130]: subreq: 0x2486dc0
> gensec_update_send: spnego[0x249da80]: subreq: 0x24a3cc0
> gensec_update_done: gssapi_krb5[0x2486130]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x2486dc0/../../source4/auth/gensec/gensec_gssapi.c
> :1054]: state[2] error[0 (0x0)] state[struct
> gensec_gssapi_update_state (0x2486f70)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1065]
> gensec_update_done: spnego[0x249da80]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x24a3cc0/../../auth/gensec/spnego.c:1600]:
> state[2] error[0 (0x0)] state[struct
> gensec_spnego_update_state (0x24a3e70)] timer[(nil)]
> finish[../../auth/gensec/spnego.c:2070]
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
> gensec_update_send: gssapi_krb5[0x2486130]: subreq: 0x24ab540
> gensec_update_send: spnego[0x249da80]: subreq: 0x24ada20
> gensec_update_done: gssapi_krb5[0x2486130]: NT_STATUS_OK
> tevent_req[0x24ab540/../../source4/auth/gensec/gensec_gssapi.c
> :1054]: state[2] error[0 (0x0)] state[struct
> gensec_gssapi_update_state (0x24ab6f0)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1072]
> gensec_update_done: spnego[0x249da80]: NT_STATUS_OK
> tevent_req[0x24ada20/../../auth/gensec/spnego.c:1600]:
> state[2] error[0 (0x0)] state[struct
> gensec_spnego_update_state (0x24adbd0)] timer[(nil)]
> finish[../../auth/gensec/spnego.c:2070]
> signed SMB2 message
> signed SMB2 message
> signed SMB2 message
> rpc request data:
> [0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00
> ........ ........
> (...garbage...)
> [0030] 00 00 00 00 29 00 00 00 ....)...
> signed SMB2 message
> rpc reply data:
> (...garbage...)
> rpc request data:
> (...garbage...)
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 02 00 0C 00 00 00 08 00 0A 00 04 00 02 00
> ........ ........
> (...garbage...)
> [00C0] AF B2 B1 5B 00 00 00 00 ...[....
> RemoteDomain Netbios[ASW] DNS[asw.aswglobal.net]
> SID[S-1-5-21-822572291-61738364-1538372271]
> rpc request data:
> [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85
> ..... .x ..DF....
> (...garbage...)
> [0040] 61 00 6C 00 2E 00 6E 00 65 00 74 00 08 00
> a.l...n. e.t...
> rpc reply data:
> [0000] 00 00 00 00 34 00 00 C0 ....4...
> rpc request data:
> [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85
> ..... .x ..DF....
> (...garbage...)
> [0030] 08 00 ..
> rpc reply data:
> [0000] 00 00 00 00 34 00 00 C0 ....4...
> rpc request data:
> [0000] 00 00 00 00 D2 23 8F A2 E0 F9 0F 40 A0 98 2A BD
> .....#.. ... at ..*.
> (...garbage...)
> [0040] 6C 00 2E 00 6E 00 65 00 74 00 08 00
> l...n.e. t...
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 00 00 34 00 00 C0 ....4...
> rpc request data:
> [0000] 00 00 00 00 D2 23 8F A2 E0 F9 0F 40 A0 98 2A BD
> .....#.. ... at ..*.
> (...garbage...)
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 00 00 34 00 00 C0 ....4...
> Using binding ncalrpc:ASW-RSX[,auth_type=ncalrpc_as_system]
> Mapped to DCERPC endpoint EPMAPPER
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> Starting GENSEC mechanism naclrpc_as_system
> gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486dc0
> gensec_update_done: naclrpc_as_system[0x24a3fa0]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]:
> state[2] error[0 (0x0)] state[struct
> gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)]
> finish[../../auth/gensec/ncalrpc.c:116]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486a80
> gensec_update_done: naclrpc_as_system[0x24a3fa0]:
> NT_STATUS_OK
> tevent_req[0x2486a80/../../auth/gensec/ncalrpc.c:99]:
> state[2] error[0 (0x0)] state[struct
> gensec_ncalrpc_update_state (0x2486c30)] timer[(nil)]
> finish[../../auth/gensec/ncalrpc.c:116]
> rpc request data:
> [0000] 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ........ ........
> (...garbage...)
> rpc reply data:
> [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ........ ........
> (...garbage...)
> Mapped to DCERPC endpoint DEFAULT
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> Starting GENSEC mechanism naclrpc_as_system
> gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x2486dc0
> gensec_update_done: naclrpc_as_system[0x24a3fa0]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x2486dc0/../../auth/gensec/ncalrpc.c:99]:
> state[2] error[0 (0x0)] state[struct
> gensec_ncalrpc_update_state (0x2486f70)] timer[(nil)]
> finish[../../auth/gensec/ncalrpc.c:116]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_update_send: naclrpc_as_system[0x24a3fa0]: subreq: 0x24ab540
> gensec_update_done: naclrpc_as_system[0x24a3fa0]:
> NT_STATUS_OK
> tevent_req[0x24ab540/../../auth/gensec/ncalrpc.c:99]:
> state[2] error[0 (0x0)] state[struct
> gensec_ncalrpc_update_state (0x24ab6f0)] timer[(nil)]
> finish[../../auth/gensec/ncalrpc.c:116]
> rpc request data:
> [0000] 00 00 02 00 08 00 00 00 00 00 00 00 08 00 00 00
> ........ ........
> (...garbage...)
> [0030] 00 00 00 00 00 00 00 40 .......@
> rpc reply data:
> [0000] 04 00 02 00 08 00 02 00 0C 00 02 00 01 00 00 00
> ........ ........
> (...garbage...)
> [0170] 65 00 00 00 00 00 00 00 e.......
> Using binding ncacn_np:aswserver.asw.aswglobal.net
> Mapped to DCERPC endpoint \pipe\netlogon
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface ens160 ip=10.0.0.40 bcast=10.0.0.63
> netmask=255.255.255.224
> resolve_lmhosts: Attempting lmhosts lookup for name
> aswserver.asw.aswglobal.net<0x20>
> getlmhostsent: lmhost entry: 10.0.0.42 ASW#1C
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.42 ASW.ASWGLOBAL.NET#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER#1C
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET
> getlmhostsent: lmhost entry: 10.0.0.40 OTHER.ASWGLOBAL.NET#1C
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 87040
> SO_RCVBUF = 131072
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> GSSAPI credentials for Administrator at ASW.ASWGLOBAL.NET will
> expire in 36000 secs
> gensec_update_send: gssapi_krb5[0x24b7e90]: subreq: 0x24ab540
> gensec_update_send: spnego[0x249dd90]: subreq: 0x24b6710
> gensec_update_done: gssapi_krb5[0x24b7e90]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x24ab540/../../source4/auth/gensec/gensec_gssapi.c
> :1054]: state[2] error[0 (0x0)] state[struct
> gensec_gssapi_update_state (0x24ab6f0)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1065]
> gensec_update_done: spnego[0x249dd90]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x24b6710/../../auth/gensec/spnego.c:1600]:
> state[2] error[0 (0x0)] state[struct
> gensec_spnego_update_state (0x24b68c0)] timer[(nil)]
> finish[../../auth/gensec/spnego.c:2070]
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
> gensec_update_send: gssapi_krb5[0x24b7e90]: subreq: 0x2141650
> gensec_update_send: spnego[0x249dd90]: subreq: 0x24b6710
> gensec_update_done: gssapi_krb5[0x24b7e90]: NT_STATUS_OK
> tevent_req[0x2141650/../../source4/auth/gensec/gensec_gssapi.c
> :1054]: state[2] error[0 (0x0)] state[struct
> gensec_gssapi_update_state (0x2141800)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1072]
> gensec_update_done: spnego[0x249dd90]: NT_STATUS_OK
> tevent_req[0x24b6710/../../auth/gensec/spnego.c:1600]:
> state[2] error[0 (0x0)] state[struct
> gensec_spnego_update_state (0x24b68c0)] timer[(nil)]
> finish[../../auth/gensec/spnego.c:2070]
> signed SMB2 message
> signed SMB2 message
> signed SMB2 message
> rpc request data:
> [0000] 00 00 02 00 1E 00 00 00 00 00 00 00 1E 00 00 00
> ........ ........
> (...garbage...)
> [0060] 00 00 00 40 ...@
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 02 00 04 00 02 00 08 00 02 00 01 00 00 00
> ........ ........
> (...garbage...)
> [0180] 65 00 00 00 00 00 00 00 e.......
> Creating remote TDO.
> rpc request data:
> [0000] 00 00 00 00 D2 23 8F A2 E0 F9 0F 40 A0 98 2A BD
> .....#.. ... at ..*.
> (...garbage...)
> [04C0] 7F 00 0F 00 ....
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 00 00 E6 07 5D 60 F1 A0 66 40 AC 41 65 15
> ......]` ..f at .Ae.
> [0010] A7 97 42 7B 00 00 00 00 ..B{....
> Remote TDO created.
> Setting supported encryption types on remote TDO.
> rpc request data:
> [0000] 00 00 00 00 E6 07 5D 60 F1 A0 66 40 AC 41 65 15
> ......]` ..f at .Ae.
> [0010] A7 97 42 7B 0D 00 0D 00 18 00 00 00
> ..B{.... ....
> signed SMB2 message
> rpc reply data:
> [0000] 00 00 00 00 ....
> Creating local TDO.
> rpc request data:
> [0000] 00 00 00 00 82 20 7F 78 8C B5 44 46 98 DA 98 85
> ..... .x ..DF....
> (...garbage...)
> [04C0] 7F 00 0F 00 ....
> rpc reply data:
> [0000] 03 00 00 00 D8 84 B1 B4 EF 1F B6 45 BC 4E DC 36
> ........ ...E.N.6
> [0010] 31 C7 21 9F 00 00 00 00 1.!.....
> Local TDO created
> Setting supported encryption types on local TDO.
> rpc request data:
> [0000] 03 00 00 00 D8 84 B1 B4 EF 1F B6 45 BC 4E DC 36
> ........ ...E.N.6
> [0010] 31 C7 21 9F 0D 00 0D 00 18 00 00 00
> 1.!..... ....
> rpc reply data:
> [0000] 00 00 00 00 ....
> Validating outgoing trust...
> rpc request data:
> (...garbage...)
> [0060] 74 00 00 00 00 00 00 00 t.......
> ERROR: LocalValidation: DC[\\aswserver.asw.aswglobal.net]
> CONNECTION[WERR_NO_LOGON_SERVERS]
> TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
> signed SMB2 message
> signed SMB2 message
> Thanks
>
> ________________________________
> From: Rowland penny <rpenny at samba.org>
> Sent: Tuesday, October 15, 2019 9:23 AM
> To: samba at lists.samba.org <samba at lists.samba.org>
> Subject: Re: [Samba] Problem with SPNEGO on full trust 2016
> DC <> Samba 4.10.7 AD
>
> On 15/10/2019 13:56, ASW Global via samba wrote:
> > I've read the documentation that domain trusts should be
> > fully supported with both Kerberos and NTLM authentication.
> > I've created a new 2016 domain on a Windows box and created a
> > Samba domain on a Linux box with a BIND9_DLZ backend. Both
> > servers can resolve both DNS domains forwards and backwards
> > and I am able to connect a Windows 10 client to the Samba
> > domain without any issues. The problem occurs when I create a
> > full external trust between the two domains. The trust is
> > created successfully with samba-tool; however, the verify fails
> > with TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED.
> >
> > The end result is a trust relation that fully works with
> > Kerberos authentication (such as logging in on the trusted
> > domain from a domain connected to the other) but this won't
> > work with NTLM authentication outside of its realm. I am
> > constantly getting this error message in the wb-DOMAIN logs:
> >
> > Starting GENSEC submechanism ntlmssp
> > [2019/10/15 07:06:26.589018, 1, pid=12457, effective(0,
> 0), real(0, 0), class=rpc_parse]
> ../../librpc/ndr/ndr.c:422(ndr_print_debug)
> > negotiate: struct NEGOTIATE_MESSAGE
> > Signature : 'NTLMSSP'
> > MessageType : NtLmNegotiate (1)
> > NegotiateFlags : 0x62088215 (1644724757)
> > 1: NTLMSSP_NEGOTIATE_UNICODE
> > 0: NTLMSSP_NEGOTIATE_OEM
> > 1: NTLMSSP_REQUEST_TARGET
> > 1: NTLMSSP_NEGOTIATE_SIGN
> > 0: NTLMSSP_NEGOTIATE_SEAL
> > 0: NTLMSSP_NEGOTIATE_DATAGRAM
> > 0: NTLMSSP_NEGOTIATE_LM_KEY
> > 0: NTLMSSP_NEGOTIATE_NETWARE
> > 1: NTLMSSP_NEGOTIATE_NTLM
> > 0: NTLMSSP_NEGOTIATE_NT_ONLY
> > 0: NTLMSSP_ANONYMOUS
> > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > 0: NTLMSSP_TARGET_TYPE_DOMAIN
> > 0: NTLMSSP_TARGET_TYPE_SERVER
> > 0: NTLMSSP_TARGET_TYPE_SHARE
> > 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > 0: NTLMSSP_NEGOTIATE_IDENTIFY
> > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> > 0: NTLMSSP_NEGOTIATE_TARGET_INFO
> > 1: NTLMSSP_NEGOTIATE_VERSION
> > 1: NTLMSSP_NEGOTIATE_128
> > 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> > 0: NTLMSSP_NEGOTIATE_56
> > DomainNameLen : 0x0000 (0)
> > DomainNameMaxLen : 0x0000 (0)
> > DomainName : *
> > DomainName : ''
> > WorkstationLen : 0x0000 (0)
> > WorkstationMaxLen : 0x0000 (0)
> > Workstation : *
> > Workstation : ''
> > Version: struct ntlmssp_VERSION
> > ProductMajorVersion :
> NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
> > ProductMinorVersion :
> NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
> > ProductBuild : 0x0000 (0)
> > Reserved: ARRAY(3)
> > [0] : 0x00 (0)
> > [1] : 0x00 (0)
> > [2] : 0x00 (0)
> > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
> > [2019/10/15 07:06:26.589188, 10, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/gensec/gensec.c:455(gensec_update_send)
> > gensec_update_send: ntlmssp[0x5625297aa300]: subreq:
> 0x5625299b9330
> > [2019/10/15 07:06:26.589207, 10, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/gensec/gensec.c:455(gensec_update_send)
> > gensec_update_send: spnego[0x56252a561b00]: subreq:
> 0x562529ff3510
> > [2019/10/15 07:06:26.589223, 10, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/gensec/gensec.c:512(gensec_update_done)
> > gensec_update_done: ntlmssp[0x5625297aa300]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x5625299b9330/../../auth/ntlmssp/ntlmssp.c:180]:
> state[2] error[0 (0x0)] state[struct
> gensec_ntlmssp_update_state (0x5625299b94e0)] timer[(nil)]
> finish[../../auth/ntlmssp/ntlmssp.c:215]
> > [2019/10/15 07:06:26.589246, 10, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/gensec/gensec.c:512(gensec_update_done)
> > gensec_update_done: spnego[0x56252a561b00]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x562529ff3510/../../auth/gensec/spnego.c:1600]:
> state[2] error[0 (0x0)] state[struct
> gensec_spnego_update_state (0x562529ff36c0)] timer[(nil)]
> finish[../../auth/gensec/spnego.c:2070]
> > [2019/10/15 07:06:26.589508, 3, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/ntlmssp/ntlmssp_client.c:273(ntlmssp_client_challenge)
> > Got challenge flags:
> > [2019/10/15 07:06:26.589527, 3, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> > Got NTLMSSP neg_flags=0x62898215
> > NTLMSSP_NEGOTIATE_UNICODE
> > NTLMSSP_REQUEST_TARGET
> > NTLMSSP_NEGOTIATE_SIGN
> > NTLMSSP_NEGOTIATE_NTLM
> > NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > NTLMSSP_TARGET_TYPE_DOMAIN
> > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > NTLMSSP_NEGOTIATE_TARGET_INFO
> > NTLMSSP_NEGOTIATE_VERSION
> > NTLMSSP_NEGOTIATE_128
> > NTLMSSP_NEGOTIATE_KEY_EXCH
> > [2019/10/15 07:06:26.589577, 1, pid=12457, effective(0,
> 0), real(0, 0), class=rpc_parse]
> ../../librpc/ndr/ndr.c:422(ndr_print_debug)
> > challenge: struct CHALLENGE_MESSAGE
> > Signature : 'NTLMSSP'
> > MessageType : NtLmChallenge (0x2)
> > TargetNameLen : 0x0008 (8)
> > TargetNameMaxLen : 0x0008 (8)
> > TargetName : *
> > TargetName : 'ASW'
> > NegotiateFlags : 0x62898215 (1653178901)
> > 1: NTLMSSP_NEGOTIATE_UNICODE
> > 0: NTLMSSP_NEGOTIATE_OEM
> > 1: NTLMSSP_REQUEST_TARGET
> > 1: NTLMSSP_NEGOTIATE_SIGN
> > 0: NTLMSSP_NEGOTIATE_SEAL
> > 0: NTLMSSP_NEGOTIATE_DATAGRAM
> > 0: NTLMSSP_NEGOTIATE_LM_KEY
> > 0: NTLMSSP_NEGOTIATE_NETWARE
> > 1: NTLMSSP_NEGOTIATE_NTLM
> > 0: NTLMSSP_NEGOTIATE_NT_ONLY
> > 0: NTLMSSP_ANONYMOUS
> > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > 1: NTLMSSP_TARGET_TYPE_DOMAIN
> > 0: NTLMSSP_TARGET_TYPE_SERVER
> > 0: NTLMSSP_TARGET_TYPE_SHARE
> > 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > 0: NTLMSSP_NEGOTIATE_IDENTIFY
> > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> > 1: NTLMSSP_NEGOTIATE_TARGET_INFO
> > 1: NTLMSSP_NEGOTIATE_VERSION
> > 1: NTLMSSP_NEGOTIATE_128
> > 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> > 0: NTLMSSP_NEGOTIATE_56
> > ServerChallenge : 9577d49bcff93241
> > Reserved : 0000000000000000
> > TargetInfoLen : 0x00c2 (194)
> > TargetInfoMaxLen : 0x00c2 (194)
> > TargetInfo : *
> > TargetInfo: struct AV_PAIR_LIST
> > count : 0x00000007 (7)
> > pair: ARRAY(7)
> > pair: struct AV_PAIR
> > AvId :
> MsvAvNbDomainName (0x2)
> > AvLen : 0x0008 (8)
> > Value : union
> ntlmssp_AvValue(case 0x2)
> > AvNbDomainName : 'ASW'
> > pair: struct AV_PAIR
> > AvId :
> MsvAvNbComputerName (0x1)
> > AvLen : 0x0014 (20)
> > Value : union
> ntlmssp_AvValue(case 0x1)
> > AvNbComputerName : 'ASWSERVER'
> > pair: struct AV_PAIR
> > AvId :
> MsvAvDnsDomainName (0x4)
> > AvLen : 0x0024 (36)
> > Value : union
> ntlmssp_AvValue(case 0x4)
> > AvDnsDomainName :
> 'ASW.aswglobal.net'
> > pair: struct AV_PAIR
> > AvId :
> MsvAvDnsComputerName (0x3)
> > AvLen : 0x003a (58)
> > Value : union
> ntlmssp_AvValue(case 0x3)
> > AvDnsComputerName :
> 'aswserver.asw.aswglobal.net'
> > pair: struct AV_PAIR
> > AvId :
> MsvAvDnsTreeName (0x5)
> > AvLen : 0x0024 (36)
> > Value : union
> ntlmssp_AvValue(case 0x5)
> > AvDnsTreeName :
> 'ASW.aswglobal.net'
> > pair: struct AV_PAIR
> > AvId :
> MsvAvTimestamp (0x7)
> > AvLen : 0x0008 (8)
> > Value : union
> ntlmssp_AvValue(case 0x7)
> > AvTimestamp : Tue
> Oct 15 07:06:27 2019 EDT
> > pair: struct AV_PAIR
> > AvId : MsvAvEOL (0x0)
> > AvLen : 0x0000 (0)
> > Value : union
> ntlmssp_AvValue(case 0x0)
> > Version: struct ntlmssp_VERSION
> > ProductMajorVersion :
> NTLMSSP_WINDOWS_MAJOR_VERSION_10 (0xA)
> > ProductMinorVersion :
> NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0)
> > ProductBuild : 0x3839 (14393)
> > Reserved : 000000
> > NTLMRevisionCurrent :
> NTLMSSP_REVISION_W2K3 (0xF)
> > [2019/10/15 07:06:26.589905, 1, pid=12457, effective(0,
> 0), real(0, 0), class=rpc_parse]
> ../../librpc/ndr/ndr.c:422(ndr_print_debug)
> > authenticate: struct AUTHENTICATE_MESSAGE
> > Signature : 'NTLMSSP'
> > MessageType : NtLmAuthenticate (3)
> > LmChallengeResponseLen : 0x0000 (0)
> > LmChallengeResponseMaxLen: 0x0000 (0)
> > LmChallengeResponse : *
> > LmChallengeResponse : union
> ntlmssp_LM_RESPONSE_with_len(case 0)
> > NtChallengeResponseLen : 0x0000 (0)
> > NtChallengeResponseMaxLen: 0x0000 (0)
> > NtChallengeResponse : *
> > NtChallengeResponse : union
> ntlmssp_NTLM_RESPONSE_with_len(case 0)
> > DomainNameLen : 0x0000 (0)
> > DomainNameMaxLen : 0x0000 (0)
> > DomainName : *
> > DomainName : ''
> > UserNameLen : 0x0000 (0)
> > UserNameMaxLen : 0x0000 (0)
> > UserName : *
> > UserName : ''
> > WorkstationLen : 0x0000 (0)
> > WorkstationMaxLen : 0x0000 (0)
> > Workstation : *
> > Workstation : ''
> > EncryptedRandomSessionKeyLen: 0x0010 (16)
> > EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
> > EncryptedRandomSessionKey: *
> > EncryptedRandomSessionKey: DATA_BLOB length=16
> > [0000] 81 EE CC 4D B3 48 F7 A9 57 E9 E6 94 B7 55 59 DE
> ...M.H.. W....UY.
> > NegotiateFlags : 0x62008a15 (1644202517)
> > 1: NTLMSSP_NEGOTIATE_UNICODE
> > 0: NTLMSSP_NEGOTIATE_OEM
> > 1: NTLMSSP_REQUEST_TARGET
> > 1: NTLMSSP_NEGOTIATE_SIGN
> > 0: NTLMSSP_NEGOTIATE_SEAL
> > 0: NTLMSSP_NEGOTIATE_DATAGRAM
> > 0: NTLMSSP_NEGOTIATE_LM_KEY
> > 0: NTLMSSP_NEGOTIATE_NETWARE
> > 1: NTLMSSP_NEGOTIATE_NTLM
> > 0: NTLMSSP_NEGOTIATE_NT_ONLY
> > 1: NTLMSSP_ANONYMOUS
> > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > 0: NTLMSSP_TARGET_TYPE_DOMAIN
> > 0: NTLMSSP_TARGET_TYPE_SERVER
> > 0: NTLMSSP_TARGET_TYPE_SHARE
> > 0: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > 0: NTLMSSP_NEGOTIATE_IDENTIFY
> > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> > 0: NTLMSSP_NEGOTIATE_TARGET_INFO
> > 1: NTLMSSP_NEGOTIATE_VERSION
> > 1: NTLMSSP_NEGOTIATE_128
> > 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> > 0: NTLMSSP_NEGOTIATE_56
> > Version: struct ntlmssp_VERSION
> > ProductMajorVersion :
> NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
> > ProductMinorVersion :
> NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
> > ProductBuild : 0x0000 (0)
> > Reserved: ARRAY(3)
> > [0] : 0x00 (0)
> > [1] : 0x00 (0)
> > [2] : 0x00 (0)
> > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
> > [2019/10/15 07:06:26.590148, 3, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/ntlmssp/ntlmssp_client.c:761(ntlmssp_client_challenge)
> > NTLMSSP: Set final flags:
> > [2019/10/15 07:06:26.590160, 3, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> > Got NTLMSSP neg_flags=0x62008a15
> > NTLMSSP_NEGOTIATE_UNICODE
> > NTLMSSP_REQUEST_TARGET
> > NTLMSSP_NEGOTIATE_SIGN
> > NTLMSSP_NEGOTIATE_NTLM
> > NTLMSSP_ANONYMOUS
> > NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > NTLMSSP_NEGOTIATE_VERSION
> > NTLMSSP_NEGOTIATE_128
> > NTLMSSP_NEGOTIATE_KEY_EXCH
> > [2019/10/15 07:06:26.590195, 3, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/ntlmssp/ntlmssp_sign.c:514(ntlmssp_sign_reset)
> > NTLMSSP Sign/Seal - Initialising with flags:
> > [2019/10/15 07:06:26.590206, 3, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> > Got NTLMSSP neg_flags=0x62008a15
> > NTLMSSP_NEGOTIATE_UNICODE
> > NTLMSSP_REQUEST_TARGET
> > NTLMSSP_NEGOTIATE_SIGN
> > NTLMSSP_NEGOTIATE_NTLM
> > NTLMSSP_ANONYMOUS
> > NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > NTLMSSP_NEGOTIATE_VERSION
> > NTLMSSP_NEGOTIATE_128
> > NTLMSSP_NEGOTIATE_KEY_EXCH
> > [2019/10/15 07:06:26.590240, 5, pid=12457, effective(0,
> 0), real(0, 0), class=auth]
> ../../auth/ntlmssp/ntlmssp_sign.c:638(ntlmssp_sign_reset)
> > NTLMSSP Sign/Seal - using NTLM1
>
> What version of Samba are you using ?
>
> It looks like it is using NTLM1, but the Windows domain probably isn't;
> try adding these lines to your smb.conf:
>
> client min protocol = SMB2_02
> server min protocol = SMB2_02
>
> Rowland
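
Added example, not part of the original thread or of Samba's code: a small Python checker that pulls the three NegotiateFlags values out of a wb-DOMAIN log like the one quoted above and reports which flags were lost or gained between the agreed set and the final AUTHENTICATE message. The sample log is constructed from the flag values shown in the thread; the function names and the "extended"/"NTLM1" labels are assumptions made for this illustration.

```python
import re

# NegotiateFlags bits (MS-NLMP 2.2.2.5), named as the quoted Samba log prints them.
FLAG_NAMES = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000100: "NTLMSSP_NEGOTIATE_NETWARE",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000400: "NTLMSSP_NEGOTIATE_NT_ONLY",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00004000: "NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00040000: "NTLMSSP_TARGET_TYPE_SHARE",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
ANONYMOUS = 0x00000800
EXTENDED_SESSIONSECURITY = 0x00080000

# Constructed sample: only the message headers and flag lines from the quoted log.
SAMPLE_LOG = """\
> > negotiate: struct NEGOTIATE_MESSAGE
> > NegotiateFlags : 0x62088215 (1644724757)
> > challenge: struct CHALLENGE_MESSAGE
> > NegotiateFlags : 0x62898215 (1653178901)
> > authenticate: struct AUTHENTICATE_MESSAGE
> > NegotiateFlags : 0x62008a15 (1644202517)
"""

MSG_RE = re.compile(r"\b(negotiate|challenge|authenticate): struct \w+_MESSAGE")
FLAGS_RE = re.compile(r"NegotiateFlags\s*:\s*0x([0-9a-fA-F]{1,8})\b")


def decode_flags(value):
    """Return the flag names set in value, lowest bit first."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]
    unknown = value & ~sum(FLAG_NAMES)
    if unknown:
        names.append(f"unknown_0x{unknown:08x}")
    return names


def parse_exchange(log_text):
    """Map each NTLMSSP message type to the NegotiateFlags value logged for it."""
    exchange, current = {}, None
    for line in log_text.splitlines():
        msg = MSG_RE.search(line)
        if msg:
            current = msg.group(1)
            continue
        flags = FLAGS_RE.search(line)
        if flags and current:
            exchange[current] = int(flags.group(1), 16)
            current = None
    missing = {"negotiate", "challenge", "authenticate"} - exchange.keys()
    if missing:
        raise ValueError(f"log is missing message(s): {sorted(missing)}")
    return exchange


def review_exchange(exchange):
    """Compare the flags both sides offered with what the client finally sent."""
    agreed = exchange["negotiate"] & exchange["challenge"]
    final = exchange["authenticate"]
    return {
        # Offered by client and server, yet absent from the final message.
        "dropped": decode_flags(agreed & ~final),
        # Present in the final message although the client never offered them.
        "added": decode_flags(final & ~exchange["negotiate"]),
        # Null-session authentication: no user name, no NT/LM response.
        "anonymous": bool(final & ANONYMOUS),
        # Without the extended flag, signing falls back to the scheme the
        # quoted log reports as "using NTLM1".
        "session_security": "extended" if final & EXTENDED_SESSIONSECURITY else "NTLM1",
    }


if __name__ == "__main__":
    for key, value in review_exchange(parse_exchange(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

For the values in the thread, the final message drops NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY and gains NTLMSSP_ANONYMOUS, which matches the empty UserName and zero-length NtChallengeResponse in the quoted AUTHENTICATE_MESSAGE.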