[Bug 1572122] Re: Samba upgrade to 3.6.25-0ubuntu0.12.04.2 break domain authentication

Christopher Nighswonger 1572122 at bugs.launchpad.net
Tue May 3 12:00:28 UTC 2016 

When upgrading our DC from Ubuntu 13.04 to 14.04 we were also upgraded
from Samba 3.6.9 to 4.3.8. Now Ubuntu clients cannot authenticate and
(as ghomem mentions) Ubuntu member servers are not able to join the
domain. Unfortunately downgrading Samba on 14.04 is not as simple as
using dpkg or apt. Here is a snippet of debug out put when attempting to
join the domain:

Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
smb_signing_check_pdu: BAD SIG: wanted SMB signature of
[0000] CB 5B 1C 2A DC 07 09 6E                             .[.*...n 
smb_signing_check_pdu: BAD SIG: got SMB signature of
[0000] 00 00 00 00 00 00 00 00                             ........ 
smb_signing_good: BAD SIG: seq 1
SPNEGO login failed: Access denied
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : NULL
            dns_domain_name          : NULL
            forest_name              : NULL
            dn                       : NULL
            domain_sid               : NULL
                domain_sid               : (NULL SID)
            modified_config          : 0x00 (0)
            error_string             : 'failed to lookup DC info for domain 'FOO' over rpc: Access denied'
            domain_is_ad             : 0x00 (0)
            result                   : WERR_ACCESS_DENIED
Failed to join domain: failed to lookup DC info for domain 'FOO' over rpc: Access denied
return code = -1

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1572122

Title:
  Samba upgrade to 3.6.25-0ubuntu0.12.04.2 break domain authentication

Status in samba package in Ubuntu:
  Confirmed
Status in samba package in CentOS:
  Unknown
Status in samba package in Debian:
  New

Bug description:
  Hi,

  Problem :  The last samba upgrade broke my ldap authentification for windows 7 client. 
  Upgrade : samba 2:3.6.3-2ubuntu2 -> samba 2:3.6.25-0ubuntu0.12.04.2 
  Config : Ubuntu serveur, 12.04 with Samba 3 + ldap

  Win 7 errors : "The trust relationship between this workstation and the primary domain failed" 
  windows client can't join the domain

  Linux client can authentificate themselves without problems.

  Does anyone  have similar problems ?

  
  Thanks

  
      cat /var/log/samba/log.pc075

      [2016/04/19 08:40:30.050073,  2] smbd/sesssetup.c:1291(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
      [2016/04/19 08:40:30.051311,  2] smbd/sesssetup.c:1291(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
      [2016/04/19 08:40:30.051511,  2] lib/smbldap.c:1018(smbldap_open_connection) smbldap_open_connection: connection opened
      [2016/04/19 08:40:30.059872,  2] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain) Returning domain sid for domain ENSASE -> S-1-5-21-1348238158-1112093341-1520777740
      [2016/04/19 08:40:30.060329,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: pc075$
      [2016/04/19 08:40:30.069236,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 515
      [2016/04/19 08:40:30.069747,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 515
      [2016/04/19 08:40:30.070223,  2] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal) credentials check failed
      [2016/04/19 08:40:30.070271,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC075 machine account PC075$
      [2016/04/19 08:40:30.072638,  2] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
    Returning domain sid for domain ENSASE -> S-1-5-21-1348238158-1112093341-1520777740
      [2016/04/19 08:40:30.073005,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: pc075$
      [2016/04/19 08:40:30.073580,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 515
      [2016/04/19 08:40:30.076775,  1] rpc_server/srv_pipe.c:1845(api_pipe_request) srv_pipe_check_verification_trailer: failed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572122/+subscriptions

More information about the foundations-bugs mailing list