Hi, I'm running into a problem when trying to connect Outlook 2007 through MAPIProxy to an Exchange 2007 server.
The MAPIProxy log shows an entry:

  auth_check_password_recv: winbind authentication for user [mmlnj\flepp] FAILED with error NT_STATUS_IO_TIMEOUT
  dcesrv_auth_auth3: failed to authenticate: NT_STATUS_IO_TIMEOUT

My setup is:

  Outlook (192.168.102.58) <--> MAPIProxy (192.168.102.57) <--> Exchange (192.168.102.53)

Below is detailed information about this setup. Direct connection from Outlook to Exchange with the same user/password works fine.

I have also attached the following files:

  smb.conf
  start-samba.txt (Samba startup log)
  outlook-check-name.txt (Samba log when connecting with Outlook which shows the above error)
  mapiproxy.pcap (Wireshark packet dump)

From the Wireshark log (mapiproxy.pcap) I can see that the SMB_NETLOGON request sent from the MAPIProxy to the Exchange server never returned, so there might be a problem with my Windows server.

I would appreciate your help!

Thanks,
Beat Flepp

192.168.102.57
--------------
mapiproxy.mmlnj.com
Ubuntu 9.10 Server
Openchange MAPIProxy server installed according to the instructions at http://apidocs.openchange.org/mapiproxy/index.html
Samba4 Version 4.0.0alpha10 according to header file /usr/local/samba/include/samba/version.h:

  /* Autogenerated by script/mkversion.sh */
  #define SAMBA_VERSION_MAJOR 4
  #define SAMBA_VERSION_MINOR 0
  #define SAMBA_VERSION_RELEASE 0
  #define SAMBA_VERSION_ALPHA_RELEASE 10
  #define SAMBA_VERSION_OFFICIAL_STRING "4.0.0alpha10"
  /* Version for mkrelease.sh: SAMBA_VERSION_STRING=4.0.0alpha10 */

Samba4 started with ./samba -d5 -i -M single

192.168.102.58
--------------
workstation.mmlnj.com
Windows XP Professional SP3
Member of the mmlnj.com domain
Outlook 2007 Configuration
  Microsoft Exchange Server: mapiproxy
  Use Cached Exchange Mode: yes
  User Name: flepp
  Encrypt Data: no
  Always Prompt for Credentials: yes
  Logon Network Security: Password Authentication

192.168.102.53
--------------
exchange.mmlnj.com
Windows 2008 Server Enterprise SP2
Domain Controller for mmlnj.com domain/Active Directory/DNS
Exchange Server 2007
In the security event log, I see the logon request for user "flepp" coming from the mapiproxy server:

  The domain controller attempted to validate the credentials for an account.
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Logon Account: flepp
  Source Workstation: MAPIPROXY
  Error Code: 0x0

  An account was successfully logged on.
  Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

  An account was logged off.
  Subject:
    Security ID: MMLNJ\flepp
    Account Name: flepp
    Account Domain: MMLNJ
    Logon ID: 0x65405e
    Logon Type: 3
[globals]
netbios name = MAPIPROXY
workgroup = MMLNJ
realm = MMLNJ.COM
server role = member server
aux_methods:member server = sam
### Configuration required by mapiproxy ###
dcesrv:assoc group checking = true
dcerpc endpoint servers = epmapper, mapiproxy
dcerpc_mapiproxy:binding = ncacn_ip_tcp:192.168.102.53[print]
dcerpc_mapiproxy:username = flepp
dcerpc_mapiproxy:password = password
dcerpc_mapiproxy:domain = MMLNJ.COM
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
dcerpc_mapiproxy:modules = downgrade
### Configuration required by mapiproxy ###
mapipr...@mapiproxy:~$ sudo /usr/local/samba/sbin/samba -d5 -i -M single
lp_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[globals]"
pm_process() returned Yes
adding hidden service IPC$
adding hidden service ADMIN$
samba version 4.0.0alpha10 started.
Copyright Andrew Tridgell and the Samba Team 1992-2009
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'ntlmssp' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'simple' for type 1 registered
NTVFS backend 'cifs' for type 1 registered
NTVFS backend 'nbench' for type 1 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 3 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifsposix' for type 1 registered
NTVFS backend 'smb2' for type 1 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'default' for type 3 registered
NTVFS backend 'default' for type 1 registered
NTVFS backend 'posix' for type 1 registered
PROCESS_MODEL 'standard' registered
PROCESS_MODEL 'prefork' registered
PROCESS_MODEL 'single' registered
AUTH backend 'winbind_samba3' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'server' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'fixed_challenge' registered
AUTH backend 'unix' registered
AUTH backend 'anonymous' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
SHARE backend [ldb] registered.
SHARE backend [classic] registered.
(normal if no LDAP backend required) Could not find entry to match filter: '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '(null)'
ldb: pdc_fsmo_init: we are master: no
ldb: naming_fsmo_init: we are master: no
schema_fsmo_init: we are master: no
ldb_wrap open of sam.ldb
ldb: no modules required by the db
ldb: No modules specified for this database
ldb_wrap open of privilege.ldb
ldb: no modules required by the db
ldb: No modules specified for this database
ldb_wrap open of /usr/local/samba/private/schannel.ldb
samba: using 'single' process model
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'spoolss' registered
DCERPC endpoint server 'winreg' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'srvsvc' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'browser' registered
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'remote' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
DCERPC endpoint server 'exchange_emsmdb' registered
DCERPC endpoint server 'exchange_nsp' registered
DCERPC endpoint server 'exchange_ds_rfr' registered
DCERPC endpoint server 'mapiproxy' registered
dcesrv_interface_register: interface 'epmapper' registered on endpoint 'ncacn_np:[\pipe\epmapper]'
dcesrv_interface_register: interface 'epmapper' registered on endpoint 'ncacn_ip_tcp:[135]'
dcesrv_interface_register: interface 'epmapper' registered on endpoint 'ncalrpc:[EPMAPPER]'
MAPIPROXY module 'dummy' registered
MAPIPROXY module 'pack' registered
MAPIPROXY module 'cache' registered
MAPIPROXY module 'downgrade' registered
MAPIPROXY module 'downgrade' loaded
mapiproxy_module_load 'downgrade' (Downgrade EMSMDB protocol version EcDoConnect/EcDoRpc)
MAPIPROXY server 'exchange_nsp' registered
MAPIPROXY server 'exchange_emsmdb' registered
MAPIPROXY server 'exchange_ds_rfr' registered
MAPIPROXY server mode disabled
dcesrv_interface_register: interface 'exchange_emsmdb' registered on endpoint 'ncacn_np:[\pipe\lsass]'
dcesrv_interface_register: interface 'exchange_emsmdb' registered on endpoint 'ncacn_np:[\pipe\protected_storage]'
dcesrv_interface_register: interface 'exchange_emsmdb' registered on endpoint 'ncacn_ip_tcp:'
dcesrv_interface_register: interface 'exchange_nsp' registered on endpoint 'ncacn_np:[\pipe\lsass]'
dcesrv_interface_register: interface 'exchange_nsp' registered on endpoint 'ncacn_np:[\pipe\protected_storage]'
dcesrv_interface_register: interface 'exchange_nsp' registered on endpoint 'ncacn_ip_tcp:[]'
dcesrv_interface_register: interface 'exchange_ds_rfr' registered on endpoint 'ncacn_np:[\pipe\lsass]'
dcesrv_interface_register: interface 'exchange_ds_rfr' registered on endpoint 'ncacn_np:[\pipe\protected_storage]'
dcesrv_interface_register: interface 'exchange_ds_rfr' registered on endpoint 'ncacn_ip_tcp:[]'
added interface ip=192.168.102.57 nmask=255.255.255.0
(normal if no LDAP backend required) Could not find entry to match filter: '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '(null)'
task_server_terminate: [ldap_server: no LDAP server required in member server configuration]
single_terminate: reason[ldap_server: no LDAP server required in member server configuration]
added interface ip=192.168.102.57 nmask=255.255.255.0
task_server_terminate: [cldap_server: no CLDAP server required in member server configuration]
single_terminate: reason[cldap_server: no CLDAP server required in member server configuration]
task_server_terminate: [kdc: no KDC required in member server configuration]
single_terminate: reason[kdc: no KDC required in member server configuration]
task_server_terminate: [dreplsrv: no DSDB replication required in domain member configuration]
single_terminate: reason[dreplsrv: no DSDB replication required in domain member configuration]
Did not find domain record for MMLNJ
ldb: no modules required by the db
ldb: No modules specified for this database
ldb_wrap open of idmap.ldb
(normal if no LDAP backend required) Could not find entry to match filter: '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '(null)'
task_server_terminate: [kccsrv: no KCC required in domain member configuration]
single_terminate: reason[kccsrv: no KCC required in domain member configuration]
Registered MAPIPROXY<00> with 192.168.102.57 on interface 192.168.102.255
Registered MAPIPROXY<03> with 192.168.102.57 on interface 192.168.102.255
Registered MAPIPROXY<20> with 192.168.102.57 on interface 192.168.102.255
Registered MMLNJ<00> with 192.168.102.57 on interface 192.168.102.255
mapiproxy::mapiproxy_op_bind: [session = 0x0] [session server id = 0x0 0x29 0x0]
dcerpc_mapiproxy: Delegated credentials acquired
mapiproxy::mapiproxy_op_connect
dcerpc_mapiproxy: RPC proxy: Using specified account
Using binding ncacn_ip_tcp:192.168.102.53[,print]
Mapped to DCERPC endpoint 135
added interface ip=192.168.102.57 nmask=255.255.255.0
added interface ip=192.168.102.57 nmask=255.255.255.0
Mapped to DCERPC endpoint 1031
added interface ip=192.168.102.57 nmask=255.255.255.0
added interface ip=192.168.102.57 nmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Cannot do GSSAPI to an IP address
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP challenge set by NTLM2
challenge is:
[0000] 20 13 EB BD B1 D0 FE 71 ......q
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
ERROR: talloc_free with references at mapiproxy/dcesrv_mapiproxy.c:161
reference at auth/gensec/gensec.c:1089
dcerpc_mapiproxy: RPC proxy: CONNECTED
(normal if no LDAP backend required) Could not find entry to match filter:
'(&(flatname=MMLNJ)(objectclass=primaryDomain))' base: 'cn=Primary Domains'
Could not find machine account in secrets database:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Starting GENSEC mechanism ntlmssp
Got NTLMSSP neg_flags=0xa2088207
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_NEGOTIATE_OEM
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_56
Got user=[flepp] domain=[mmlnj] workstation=[WORKSTATION] len1=24 len2=24
auth_check_password_send: Checking password for unmapped user
[mmlnj]\[fle...@[workstation]
map_user_info: Mapping user [mmlnj]\[flepp] from workstation [WORKSTATION]
auth_check_password_send: mapped user is: [mmlnj]\[fle...@[workstation]
auth_get_challenge: returning previous challenge by module NTLMSSP callback
(NTLM2) (normal)
[0000] C5 A7 34 7B A4 46 DA 53 ..4{.F.S
auth_get_challenge: returning previous challenge by module NTLMSSP callback
(NTLM2) (normal)
wb_irpc_SamLogon called
added interface ip=192.168.102.57 nmask=255.255.255.0
added interface ip=192.168.102.57 nmask=255.255.255.0
dns child failed to find name 'MMLNJ' of type A
nbtd_getdcname called
auth_check_password_recv: winbind authentication for user [mmlnj\flepp] FAILED
with error NT_STATUS_IO_TIMEOUT
dcesrv_auth_auth3: failed to authenticate: NT_STATUS_IO_TIMEOUT
mapiproxy::mapiproxy_op_ndr_pull
User is not authenticated, cannot process
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
mapiproxy::mapiproxy_op_unbind
WARNING: attempt to remove unset id 52862 in idtree
rpc_server/dcerpc_server.c:78: Failed to remove assoc_group 0x0000ce7e
wb_irpc_SamLogon_callback called
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
_______________________________________________ devel mailing list [email protected] http://mailman.openchange.org/listinfo/devel
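
Added example, not part of the original post: a short Python audit of the NTLMSSP lines in the log above. It decodes each neg_flags value, including bits that the log's printed flag list leaves out, reports whether signing or sealing was negotiated, and classifies the client response from len2. The flag values are taken from MS-NLMP; reading len2 as the NT response length is an assumption about Samba's log format.

```python
import re

# NTLMSSP negotiate-flag bits: values from MS-NLMP, names as Samba prints them.
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
SIGN, SEAL, NTLM2 = 0x10, 0x20, 0x00080000

# Lines excerpted from the log in the post above.
SAMPLE_LOG = """\
Got NTLMSSP neg_flags=0x62898205
Got NTLMSSP neg_flags=0x60088205
Got NTLMSSP neg_flags=0xa2088207
Got user=[flepp] domain=[mmlnj] workstation=[WORKSTATION] len1=24 len2=24
"""

def audit(log_text):
    """Decode every neg_flags line and classify the logged client response."""
    report, last = {"negotiations": [], "response": None}, 0
    for line in log_text.splitlines():
        m = re.search(r"neg_flags=0x([0-9a-fA-F]+)", line)
        if m:
            last = int(m.group(1), 16)
            report["negotiations"].append({"value": last,
                "flags": [n for b, n in sorted(FLAGS.items()) if last & b],
                "integrity": bool(last & SIGN), "sealing": bool(last & SEAL)})
        m = re.search(r"\blen2=(\d+)", line)
        if m:
            # Assumption: len2 is the NT response length. 24 bytes is an
            # NTLMv1-size response; an NTLMv2 response is always longer.
            nt_len = int(m.group(1))
            report["response"] = ("NTLMv2" if nt_len > 24 else
                "NTLM2 session response" if last & NTLM2 else "NTLMv1")
    return report
```

For the three values in this log, `audit(SAMPLE_LOG)` shows neither NTLMSSP_NEGOTIATE_SIGN nor NTLMSSP_NEGOTIATE_SEAL set on any negotiation, and the 24-byte response is not NTLMv2.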
