[Bug 1572824] Re: Samba Domain Member cannot check passwords against Samba AD DC after "Badlock" update

Christopher Nighswonger 1572824 at bugs.launchpad.net
Mon May 2 15:44:27 UTC 2016


This should be fixed ASAP as it is causing large scale issues.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1572824

Title:
  Samba Domain Member cannot check passwords against Samba AD DC after
  "Badlock" update

Status in samba package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  I updated Samba on my old web server which is running a fully updated
  12.04.5 LTS, and now I cannot get it to act as a domain member
  anymore. All password validation requests fail. Only way to access
  this server once more is to manually add local users with usernames
  and passwords matching the domain users.

  The server is now completely incapable of checking passwords against
  our 14.04 LTS Samba AD DC. I have verified that upgrading our other
  14.04 LTS file server from Samba 4.1.6 to 4.3.8 worked fine, but
  upgrading our Samba AD DC from 4.1.6 to 4.3.8 BROKE EVERYTHING, so I
  had to roll that back. I suspect that if I were able to update the AD
  DC to 4.3.8 perhaps this issue would go away, as I believe the problem
  is specific to the recently patched "badlock" bug. However, that is a
  separate issue, one that I will not file a bug for unless I am able to
  determine that it is not specific to our configuration. I will spin up
  a new AD DC using the 4.3.8 series and try to make it the new PDC, and
  if that also fails, I will file a bug for that other issue. I will
  also come back here and let you know if this issue goes away by doing
  that or not. I would upgrade this server to 14.04 LTS, if not for the
  fact that we still have some legacy PHP 5.3 code, and we were not able
  to compile PHP 5.3 on newer Ubuntu versions because of crazy
  dependency issues which I will not get into here.

  
  Relevant error messages when trying to use smbclient with a domain username:

  
  cli_negprot: SMB signing is mandatory and the server doesn't support it.

  failed negprot: NT_STATUS_ACCESS_DENIED

  
  Changing the server signing and client signing parameters on any of the involved servers does not seem to fix the issue unfortunately. Below is more debug info, with my true domain name changed to SAMDOM.EXAMPLE.ORG instead of what it actually is. To make it more clear, FILESERV is our 4.3.8 fileserver, FILESERV2 is actually our 4.1.6 Samba AD DC, and DB3 is our 3.6.25 file/web server.

  
  Full debug level 5 output of the smbtree command:

  
  smbtree -d 5 -U administrator
  INFO: Current debug levels:
    all: 5
    tdb: 5
    printdrivers: 5
    lanman: 5
    smb: 5
    rpc_parse: 5
    rpc_srv: 5
    rpc_cli: 5
    passdb: 5
    sam: 5
    auth: 5
    winbind: 5
    vfs: 5
    idmap: 5
    quota: 5
    acls: 5
    locking: 5
    msdfs: 5
    dmapi: 5
    registry: 5
  lp_load_ex: refreshing parameters
  Initialising global parameters
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
  INFO: Current debug levels:
    all: 5
    tdb: 5
    printdrivers: 5
    lanman: 5
    smb: 5
    rpc_parse: 5
    rpc_srv: 5
    rpc_cli: 5
    passdb: 5
    sam: 5
    auth: 5
    winbind: 5
    vfs: 5
    idmap: 5
    quota: 5
    acls: 5
    locking: 5
    msdfs: 5
    dmapi: 5
    registry: 5
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
  Processing section "[global]"
  doing parameter max log size = 1000
  doing parameter syslog = 0
  doing parameter panic action = /usr/share/samba/panic-action %d
  doing parameter netbios name = db3
  handle_netbios_name: set global_myname to: DB3
  doing parameter workgroup = SAMDOM
  doing parameter security = ADS
  doing parameter realm = samdom.example.org
  doing parameter encrypt passwords = true
  doing parameter load printers = no
  doing parameter printing = bsd
  doing parameter printcap name = /dev/null
  doing parameter disable spoolss = yes
  doing parameter idmap config *:backend = tdb
  doing parameter idmap config *:range = 2000-9999
  doing parameter idmap config SAMDOM:backend = ad
  doing parameter idmap config SAMDOM:schema_mode = rfc2307
  doing parameter idmap config SAMDOM:range = 10000-80000
  doing parameter winbind nss info = rfc2307
  doing parameter winbind trusted domains only = no
  doing parameter winbind use default domain = yes
  doing parameter winbind enum users = yes
  doing parameter winbind enum groups = yes
  doing parameter vfs objects = acl_xattr
  doing parameter map acl inherit = Yes
  doing parameter inherit permissions = yes
  doing parameter store dos attributes = Yes
  doing parameter unix extensions = yes
  doing parameter inherit acls = yes
  doing parameter inherit owner = yes
  doing parameter acl group control = yes
  doing parameter server string = A+ webserver
  pm_process() returned Yes
  Substituting charset 'UTF-8' for LOCALE
  added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
  added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
  Enter administrator's password:
  Opening cache file at /var/run/samba/gencache.tdb
  Opening cache file at /var/run/samba/gencache_notrans.tdb
  name SAMDOM#1D found.
  Connecting to host=192.168.6.91
  Connecting to 192.168.6.91 at port 445
  Socket options:
          SO_KEEPALIVE = 0
          SO_REUSEADDR = 0
          SO_BROADCAST = 0
          TCP_NODELAY = 1
          TCP_KEEPCNT = 9
          TCP_KEEPIDLE = 7200
          TCP_KEEPINTVL = 75
          IPTOS_LOWDELAY = 0
          IPTOS_THROUGHPUT = 0
          SO_SNDBUF = 87040
          SO_RCVBUF = 372480
          SO_SNDLOWAT = 1
          SO_RCVLOWAT = 1
          SO_SNDTIMEO = 0
          SO_RCVTIMEO = 0
          TCP_QUICKACK = 1
  Substituting charset 'UTF-8' for LOCALE
  cli_negprot: SMB signing is mandatory and the server doesn't support it.
  failed negprot: NT_STATUS_ACCESS_DENIED
  namecache_status_fetch: key NBT/*#00.00.192.168.6.91 -> FILESERV
  Connecting to host=FILESERV
  Connecting to 192.168.6.91 at port 445
  Connecting to 192.168.6.91 at port 139
  Socket options:
          SO_KEEPALIVE = 0
          SO_REUSEADDR = 0
          SO_BROADCAST = 0
          TCP_NODELAY = 1
          TCP_KEEPCNT = 9
          TCP_KEEPIDLE = 7200
          TCP_KEEPINTVL = 75
          IPTOS_LOWDELAY = 0
          IPTOS_THROUGHPUT = 0
          SO_SNDBUF = 87040
          SO_RCVBUF = 372480
          SO_SNDLOWAT = 1
          SO_RCVLOWAT = 1
          SO_SNDTIMEO = 0
          SO_RCVTIMEO = 0
          TCP_QUICKACK = 1
  cli_negprot: SMB signing is mandatory and the server doesn't support it.
  failed negprot: NT_STATUS_ACCESS_DENIED


  Full debug level 5 output of the smbclient command:

  
  smbclient -d 5 -L localhost -U administrator
  INFO: Current debug levels:
    all: 5
    tdb: 5
    printdrivers: 5
    lanman: 5
    smb: 5
    rpc_parse: 5
    rpc_srv: 5
    rpc_cli: 5
    passdb: 5
    sam: 5
    auth: 5
    winbind: 5
    vfs: 5
    idmap: 5
    quota: 5
    acls: 5
    locking: 5
    msdfs: 5
    dmapi: 5
    registry: 5
  lp_load_ex: refreshing parameters
  Initialising global parameters
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
  INFO: Current debug levels:
    all: 5
    tdb: 5
    printdrivers: 5
    lanman: 5
    smb: 5
    rpc_parse: 5
    rpc_srv: 5
    rpc_cli: 5
    passdb: 5
    sam: 5
    auth: 5
    winbind: 5
    vfs: 5
    idmap: 5
    quota: 5
    acls: 5
    locking: 5
    msdfs: 5
    dmapi: 5
    registry: 5
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
  Processing section "[global]"
  doing parameter max log size = 1000
  doing parameter syslog = 0
  doing parameter panic action = /usr/share/samba/panic-action %d
  doing parameter netbios name = db3
  handle_netbios_name: set global_myname to: DB3
  doing parameter workgroup = SAMDOM
  doing parameter security = ADS
  doing parameter realm = samdom.example.org
  doing parameter encrypt passwords = true
  doing parameter load printers = no
  doing parameter printing = bsd
  doing parameter printcap name = /dev/null
  doing parameter disable spoolss = yes
  doing parameter idmap config *:backend = tdb
  doing parameter idmap config *:range = 2000-9999
  doing parameter idmap config SAMDOM:backend = ad
  doing parameter idmap config SAMDOM:schema_mode = rfc2307
  doing parameter idmap config SAMDOM:range = 10000-80000
  doing parameter winbind nss info = rfc2307
  doing parameter winbind trusted domains only = no
  doing parameter winbind use default domain = yes
  doing parameter winbind enum users = yes
  doing parameter winbind enum groups = yes
  doing parameter vfs objects = acl_xattr
  doing parameter map acl inherit = Yes
  doing parameter inherit permissions = yes
  doing parameter store dos attributes = Yes
  doing parameter unix extensions = yes
  doing parameter inherit acls = yes
  doing parameter inherit owner = yes
  doing parameter acl group control = yes
  doing parameter server string = A+ webserver
  pm_process() returned Yes
  Substituting charset 'UTF-8' for LOCALE
  added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
  added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
  Netbios name list:-
  my_netbios_names[0]="DB3"
  Client started (version 3.6.25).
  Enter administrator's password:
  Opening cache file at /var/run/samba/gencache.tdb
  Opening cache file at /var/run/samba/gencache_notrans.tdb
  sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
  no entry for localhost#20 found.
  resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
  resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
  startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
  resolve_wins: Attempting wins lookup for name localhost<0x20>
  resolve_wins: WINS server resolution selected and no WINS servers listed.
  resolve_hosts: Attempting host lookup for name localhost<0x20>
  namecache_store: storing 1 address for localhost#20: 127.0.0.1
  Connecting to 127.0.0.1 at port 445
  Socket options:
          SO_KEEPALIVE = 0
          SO_REUSEADDR = 0
          SO_BROADCAST = 0
          TCP_NODELAY = 1
          TCP_KEEPCNT = 9
          TCP_KEEPIDLE = 7200
          TCP_KEEPINTVL = 75
          IPTOS_LOWDELAY = 0
          IPTOS_THROUGHPUT = 0
          SO_SNDBUF = 2626560
          SO_RCVBUF = 1061808
          SO_SNDLOWAT = 1
          SO_RCVLOWAT = 1
          SO_SNDTIMEO = 0
          SO_RCVTIMEO = 0
          TCP_QUICKACK = 1
   session request ok
  Substituting charset 'UTF-8' for LOCALE
  Doing spnego session setup (blob length=112)
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.48018.1.2.2
  got OID=1.3.6.1.4.1.311.2.2.10
  got principal=not_defined_in_RFC4178 at please_ignore
  Got challenge flags:
  Got NTLMSSP neg_flags=0x60898215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_TARGET_INFO
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
  NTLMSSP: Set final flags:
  Got NTLMSSP neg_flags=0x60088215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
  NTLMSSP Sign/Seal - Initialising with flags:
  Got NTLMSSP neg_flags=0x60088215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
  SPNEGO login failed: No logon servers
  session setup failed: NT_STATUS_NO_LOGON_SERVERS


  Full debug level 5 output of domain join command:


  root at db3:/var/lib/samba# net -d 5 ads join -U administrator
  INFO: Current debug levels:
    all: 5
    tdb: 5
    printdrivers: 5
    lanman: 5
    smb: 5
    rpc_parse: 5
    rpc_srv: 5
    rpc_cli: 5
    passdb: 5
    sam: 5
    auth: 5
    winbind: 5
    vfs: 5
    idmap: 5
    quota: 5
    acls: 5
    locking: 5
    msdfs: 5
    dmapi: 5
    registry: 5
  lp_load_ex: refreshing parameters
  Initialising global parameters
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
  INFO: Current debug levels:
    all: 5
    tdb: 5
    printdrivers: 5
    lanman: 5
    smb: 5
    rpc_parse: 5
    rpc_srv: 5
    rpc_cli: 5
    passdb: 5
    sam: 5
    auth: 5
    winbind: 5
    vfs: 5
    idmap: 5
    quota: 5
    acls: 5
    locking: 5
    msdfs: 5
    dmapi: 5
    registry: 5
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
  Processing section "[global]"
  doing parameter max log size = 1000
  doing parameter syslog = 0
  doing parameter panic action = /usr/share/samba/panic-action %d
  doing parameter netbios name = db3
  handle_netbios_name: set global_myname to: DB3
  doing parameter workgroup = SAMDOM
  doing parameter security = ADS
  doing parameter realm = samdom.example.org
  doing parameter encrypt passwords = true
  doing parameter load printers = no
  doing parameter printing = bsd
  doing parameter printcap name = /dev/null
  doing parameter disable spoolss = yes
  doing parameter idmap config *:backend = tdb
  doing parameter idmap config *:range = 2000-9999
  doing parameter idmap config SAMDOM:backend = ad
  doing parameter idmap config SAMDOM:schema_mode = rfc2307
  doing parameter idmap config SAMDOM:range = 10000-80000
  doing parameter winbind nss info = rfc2307
  doing parameter winbind trusted domains only = no
  doing parameter winbind use default domain = yes
  doing parameter winbind enum users = yes
  doing parameter winbind enum groups = yes
  doing parameter vfs objects = acl_xattr
  doing parameter map acl inherit = Yes
  doing parameter inherit permissions = yes
  doing parameter store dos attributes = Yes
  doing parameter unix extensions = yes
  doing parameter inherit acls = yes
  doing parameter inherit owner = yes
  doing parameter acl group control = yes
  doing parameter server string = A+ webserver
  pm_process() returned Yes
  Substituting charset 'UTF-8' for LOCALE
  Netbios name list:-
  my_netbios_names[0]="DB3"
  added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
  added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
  Registered MSG_REQ_POOL_USAGE
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
  Enter administrator's password:
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          in: struct libnet_JoinCtx
              dc_name                  : NULL
              machine_name             : 'DB3'
              domain_name              : *
                  domain_name              : 'SAMDOM.EXAMPLE.ORG'
              account_ou               : NULL
              admin_account            : 'administrator'
              machine_password         : NULL
              join_flags               : 0x00000023 (35)
                     0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                     0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                     0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                     0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                     0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                     0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                     1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                     0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                     0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                     1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                     1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
              os_version               : NULL
              os_name                  : NULL
              create_upn               : 0x00 (0)
              upn                      : NULL
              modify_config            : 0x00 (0)
              ads                      : NULL
              debug                    : 0x01 (1)
              use_kerberos             : 0x00 (0)
              secure_channel_type      : SEC_CHAN_WKSTA (2)
  Opening cache file at /var/run/samba/gencache.tdb
  Opening cache file at /var/run/samba/gencache_notrans.tdb
  sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
  ads_dns_lookup_srv: 1 records returned in the answer section.
  Connecting to host=fileserv2.samdom.example.org
  sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
  name fileserv2.samdom.example.org#20 found.
  Connecting to 192.168.6.92 at port 445
  Socket options:
          SO_KEEPALIVE = 0
          SO_REUSEADDR = 0
          SO_BROADCAST = 0
          TCP_NODELAY = 1
          TCP_KEEPCNT = 9
          TCP_KEEPIDLE = 7200
          TCP_KEEPINTVL = 75
          IPTOS_LOWDELAY = 0
          IPTOS_THROUGHPUT = 0
          SO_SNDBUF = 87040
          SO_RCVBUF = 372480
          SO_SNDLOWAT = 1
          SO_RCVLOWAT = 1
          SO_SNDTIMEO = 0
          SO_RCVTIMEO = 0
          TCP_QUICKACK = 1
  Substituting charset 'UTF-8' for LOCALE
  cli_negprot: SMB signing is mandatory and the server doesn't support it.
  failed negprot: NT_STATUS_ACCESS_DENIED
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
              account_name             : NULL
              netbios_domain_name      : NULL
              dns_domain_name          : NULL
              forest_name              : NULL
              dn                       : NULL
              domain_sid               : NULL
                  domain_sid               : (NULL SID)
              modified_config          : 0x00 (0)
              error_string             : 'failed to lookup DC info for domain 'SAMDOM.EXAMPLE.ORG' over rpc: Access denied'
              domain_is_ad             : 0x00 (0)
              result                   : WERR_ACCESS_DENIED
  Failed to join domain: failed to lookup DC info for domain 'SAMDOM.EXAMPLE.ORG' over rpc: Access denied
  return code = -1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572824/+subscriptions



More information about the foundations-bugs mailing list