enterprise-support team mailing list archive
Message #05254
[Bug 1572824] [NEW] Samba Domain Member cannot check passwords against Samba AD DC after "Badlock" update
Public bug reported:
Hi,
I updated Samba on my old web server which is running a fully updated
12.04.5 LTS, and now I cannot get it to act as a domain member anymore.
All password validation requests fail. The only way to access this server
once more is to manually add local users with usernames and passwords
matching the domain users.
The server is now completely incapable of checking passwords against our
14.04 LTS Samba AD DC. I have verified that upgrading our other 14.04
LTS file server from Samba 4.1.6 to 4.3.8 worked fine, but upgrading our
Samba AD DC from 4.1.6 to 4.3.8 BROKE EVERYTHING, so I had to roll that
back. I suspect that if I were able to update the AD DC to 4.3.8 perhaps
this issue would go away, as I believe the problem is specific to the
recently patched "badlock" bug. However, that is a separate issue, one
that I will not file a bug for unless I am able to determine that it is
not specific to our configuration. I will spin up a new AD DC using the
4.3.8 series and try to make it the new PDC, and if that also fails, I
will file a bug for that other issue. I will also come back here and let
you know if this issue goes away by doing that or not. I would upgrade
this server to 14.04 LTS, if not for the fact that we still have some
legacy PHP 5.3 code, and we were not able to compile PHP 5.3 on newer
Ubuntu versions because of crazy dependency issues which I will not get
into here.
Relevant error messages when trying to use smbclient with a domain username:
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
Changing the server signing and client signing parameters on any of the involved servers does not seem to fix the issue unfortunately. Below is more debug info, with my true domain name changed to SAMDOM.EXAMPLE.ORG instead of what it actually is. To make it more clear, FILESERV is our 4.3.8 fileserver, FILESERV2 is actually our 4.1.6 Samba AD DC, and DB3 is our 3.6.25 file/web server.
Full debug level 5 output of the smbtree command:
smbtree -d 5 -U administrator
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter netbios name = db3
handle_netbios_name: set global_myname to: DB3
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
Enter administrator's password:
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
name SAMDOM#1D found.
Connecting to host=192.168.6.91
Connecting to 192.168.6.91 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
namecache_status_fetch: key NBT/*#00.00.192.168.6.91 -> FILESERV
Connecting to host=FILESERV
Connecting to 192.168.6.91 at port 445
Connecting to 192.168.6.91 at port 139
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
Full debug level 5 output of the smbclient command:
smbclient -d 5 -L localhost -U administrator
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter netbios name = db3
handle_netbios_name: set global_myname to: DB3
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
Netbios name list:-
my_netbios_names[0]="DB3"
Client started (version 3.6.25).
Enter administrator's password:
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
no entry for localhost#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name localhost<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name localhost<0x20>
namecache_store: storing 1 address for localhost#20: 127.0.0.1
Connecting to 127.0.0.1 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061808
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
session request ok
Substituting charset 'UTF-8' for LOCALE
Doing spnego session setup (blob length=112)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS
Full debug level 5 output of domain join command:
root@db3:/var/lib/samba# net -d 5 ads join -U administrator
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter netbios name = db3
handle_netbios_name: set global_myname to: DB3
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="DB3"
added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter administrator's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'DB3'
domain_name : *
domain_name : 'SAMDOM.EXAMPLE.ORG'
account_ou : NULL
admin_account : 'administrator'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
Connecting to host=fileserv2.samdom.example.org
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
name fileserv2.samdom.example.org#20 found.
Connecting to 192.168.6.92 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain 'SAMDOM.EXAMPLE.ORG' over rpc: Access denied'
domain_is_ad : 0x00 (0)
result : WERR_ACCESS_DENIED
Failed to join domain: failed to lookup DC info for domain 'SAMDOM.EXAMPLE.ORG' over rpc: Access denied
return code = -1
** Affects: samba (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1572824
Title:
Samba Domain Member cannot check passwords against Samba AD DC after
"Badlock" update
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572824/+subscriptions
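As an added triage aid that is not part of the bug report, the Python below groups Samba client `-d 5` output of the kind pasted above into per-connection attempts and lists the hosts that refused protocol negotiation because the client insisted on SMB signing. The sample log is constructed and abridged from the shapes in the report; `parse_attempts` and `signing_mismatch_hosts` are names chosen here, not Samba APIs.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the smbtree/smbclient -d 5 output
# from the report (abridged, not the reporter's log verbatim).
SAMPLE_LOG = """\
Connecting to 192.168.6.91 at port 445
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
Connecting to 192.168.6.91 at port 445
Connecting to 192.168.6.91 at port 139
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
Connecting to 127.0.0.1 at port 445
session request ok
session setup failed: NT_STATUS_NO_LOGON_SERVERS
"""

CONNECT_RE = re.compile(r"^Connecting to (\S+) at port (\d+)$")
FAIL_RE = re.compile(r"^(failed negprot|session setup failed): (NT_STATUS_\w+)$")
SIGNING_MSG = "SMB signing is mandatory and the server doesn't support it"

Attempt = namedtuple("Attempt", "host port status signing_mismatch")

def parse_attempts(text):
    """Group the debug output into per-connection attempts with their outcome."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        m = CONNECT_RE.match(line)
        if m:
            # A new "Connecting" before any outcome means the previous TCP
            # connect fell through (445 unreachable, client retries on 139).
            attempts.append({"host": m.group(1), "port": int(m.group(2)),
                             "status": "NO_RESPONSE", "signing": False})
            continue
        if not attempts:
            continue
        cur = attempts[-1]
        if line == "session request ok":
            cur["status"] = "CONNECTED"
        elif SIGNING_MSG in line:
            cur["signing"] = True
        else:
            m = FAIL_RE.match(line)
            if m:
                cur["status"] = m.group(2)
    return [Attempt(a["host"], a["port"], a["status"], a["signing"]) for a in attempts]

def signing_mismatch_hosts(attempts):
    """Hosts that rejected negprot because the client demanded signing."""
    return sorted({a.host for a in attempts
                   if a.signing_mismatch and a.status == "NT_STATUS_ACCESS_DENIED"})
```

Feeding a full `smbtree -d 5` capture to `parse_attempts` separates the signing refusal on the DC from the later `NT_STATUS_NO_LOGON_SERVERS` on localhost, which is the distinction the report is drawing.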