I should have included OmniOS Discuss as well, let me get them in the loop.
On Mon, May 17, 2021 at 7:55 AM Josh Coombs <jcoo...@staff.gwi.net> wrote:
> I've got an OmniOS box that three times now since being patched for
> CVE-2020-1472 has fallen back to the improper netlogon auth method,
> generating event ID 5827 and no longer authenticating SMB users. When it
> does this the only thing I've been able to do to recover is reboot the
> OmniOS box.
>
> The first two instances were running r151030cm; when it happened Saturday
> I upgraded to r151030cy, and the issue repeated again last night. The box is
> joined to a single Windows AD domain run by two Win 2019 servers.
>
> The only 'interesting' logging I can find on the Omni side is in
> network-smb-server, I see an INVALID_PARAMETER before the ACCESS_DENIED
> spam.
>
> @ Wed May 5 15:45:38 2021
> smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED
> smbd: service shutting down
> @ Wed May 5 15:50:47 2021
> smbd.err: SMF initialization problem: %s
> : handle not bound
> smbd: service terminated
> [ May 5 15:57:30 Enabled. ]
> [ May 5 15:58:55 Executing start method ("/usr/lib/smbsrv/smbd start"). ]
> smbd: smbd starting, pid 540
> smbd: NetBIOS services disabled
> smbd: service initialized
> [ May 5 15:58:55 Method "start" exited with status 0. ]
> smbd_dc_monitor: online
> smbd_localtime_monitor: online
> @ Wed May 5 15:59:06 2021
> smbd.info: smbd_dc_update: our.ad.domain: located
> secondary-adc-10.our.ad.domain
> @ Thu May 6 10:48:49 2021
> smbd.info: smbd_dc_monitor_refresh
> @ Thu May 6 10:48:50 2021
> smbd.info: smbd_dc_update: our.ad.domain: located
> primary-adc-10.our.ad.domain
> @ Thu May 6 10:48:51 2021
> smbd.err: netr_get_handle: open failed (0xC002001D); renegotiating...
> @ Tue May 11 01:38:56 2021
> smbd.info: smbd_dc_monitor_refresh
> smbd.info: smbd_dc_update: our.ad.domain: located
> secondary-adc-10.our.ad.domain
> @ Tue May 11 01:38:57 2021
> smbd.err: netr_get_handle: open failed (0xC002001D); renegotiating...
> @ Tue May 11 03:28:57 2021
> smbd.info: smbd_dc_monitor_refresh
> smbd.info: smbd_dc_update: our.ad.domain: located
> primary-adc-10.our.ad.domain
> @ Fri May 14 13:46:59 2021
> smbd.err: ndr_rpc_bind: smbrdr_ctx_new(Srv=primary-adc-10.our.ad.domain
> Dom=GWI User=BIDD-SAN-10$), BAD_NETWORK_PATH (0xc00000be)
> smbd.err: ndr_rpc_bind: smbrdr_ctx_new(Srv=primary-adc-10.our.ad.domain
> Dom=GWI User=BIDD-SAN-10$), BAD_NETWORK_PATH (0xc00000be)
> smbd.info: smb_ddiscover, bad DC: primary-adc-10.our.ad.domain
> smbd.err: netr_get_handle: open failed (BAD_NETWORK_PATH); renegotiating...
> smbd.info: smbd_dc_monitor_refresh
> @ Fri May 14 13:47:00 2021
> smbd.info: smbd_dc_update: our.ad.domain: located
> secondary-adc-10.our.ad.domain
> @ Fri May 14 16:57:00 2021
> smbd.info: smbd_dc_monitor_refresh
> @ Fri May 14 16:57:01 2021
> smbd.info: smbd_dc_update: our.ad.domain: located
> primary-adc-10.our.ad.domain
> @ Sat May 15 04:02:36 2021
> smbd.info: logon[our.ad.domain\backup]: INVALID_PARAMETER
> smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED
> @ Sat May 15 04:02:57 2021
> smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED
> @ Sat May 15 04:03:17 2021
> smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED
>
> <SNIP to next reboot>
>
> @ Sat May 15 10:48:18 2021
> smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED
> [ May 15 11:07:49 Enabled. ]
> [ May 15 11:10:05 Executing start method ("/usr/lib/smbsrv/smbd start"). ]
> smbd: smbd starting, pid 542
> smbd: NetBIOS services disabled
> smbd: service initialized
> [ May 15 11:10:06 Method "start" exited with status 0. ]
> smbd_dc_monitor: online
> smbd_localtime_monitor: online
> @ Sat May 15 11:10:17 2021
> smbd.info: smbd_dc_update: our.ad.domain: located
> primary-adc-10.our.ad.domain
> @ Sun May 16 21:34:24 2021
> smbd.info: logon[our.ad.domain\backup]: INVALID_PARAMETER
> @ Sun May 16 21:34:27 2021
> smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED
>
> Enabling the unsecure netlogon bypass GPO in Windows for the box
> immediately got it authing again without a reboot, although it's generating
> event ID 5830 entries as expected. Until I've got a handle on why this is
> happening, I'll have to leave the bypass in place.
>
>

------------------------------------------
illumos: illumos-discuss
Permalink: https://illumos.topicbox.com/groups/discuss/T118e9252853b58b3-M7626d908f4f550323d7286f6
Delivery options: https://illumos.topicbox.com/groups/discuss/subscription
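The quoted report shows two things worth alerting on before users notice SMB logons failing: `netr_get_handle: open failed (...); renegotiating...` entries from the Netlogon secure-channel setup, and a `logon[...]: INVALID_PARAMETER` immediately followed by `ACCESS_DENIED` for the same account, which the poster observed at each onset. The following scanner is an added example, not code from the thread or from illumos/OmniOS; it reads smbd log text in the format quoted above (the "@ <date>" stamp lines followed by message lines) and reports both patterns. The sample log text, the account name and the DC hostnames are constructed from the quoted lines, with the e-mail line wraps joined.

```python
"""Scan OmniOS smbd (svc:/network/smb/server) log excerpts for the signs
of a failed Netlogon secure channel described in the thread.

Added example, not from the thread or the illumos code base. The log
format is taken from the quoted lines; SAMPLE_LOG, the account name and
the DC hostnames are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the quoted smbd log (line wraps joined).
SAMPLE_LOG = """\
@ Thu May 6 10:48:51 2021
smbd.err: netr_get_handle: open failed (0xC002001D); renegotiating...
@ Fri May 14 13:46:59 2021
smbd.info: smb_ddiscover, bad DC: primary-adc-10.our.ad.domain
smbd.err: netr_get_handle: open failed (BAD_NETWORK_PATH); renegotiating...
@ Sat May 15 04:02:36 2021
smbd.info: logon[our.ad.domain\\backup]: INVALID_PARAMETER
smbd.info: logon[our.ad.domain\\backup]: ACCESS_DENIED
@ Sat May 15 04:02:57 2021
smbd.info: logon[our.ad.domain\\backup]: ACCESS_DENIED
@ Sat May 15 11:10:17 2021
smbd.info: smbd_dc_update: our.ad.domain: located primary-adc-10.our.ad.domain
@ Sun May 16 21:34:24 2021
smbd.info: logon[our.ad.domain\\backup]: INVALID_PARAMETER
@ Sun May 16 21:34:27 2021
smbd.info: logon[our.ad.domain\\backup]: ACCESS_DENIED
"""

# "@ Sat May 15 04:02:36 2021" stamps the block of lines that follows it.
TS_RE = re.compile(r"^@ (.+)$")
# "smbd.info: logon[DOMAIN\user]: STATUS"
LOGON_RE = re.compile(r"logon\[([^\]]+)\]: ([A-Z_]+)")
# "smbd.err: netr_get_handle: open failed (0xC002001D); renegotiating..."
NETR_RE = re.compile(r"netr_get_handle: open failed \(([^)]+)\); renegotiating")


def parse_ts(text):
    """Parse the smbd stamp line body, e.g. 'Sat May 15 04:02:36 2021'."""
    return datetime.strptime(text.strip(), "%a %b %d %H:%M:%S %Y")


def analyze(log_text, window=timedelta(minutes=10)):
    """Return findings, in log order, for the two patterns from the thread.

    - every netr_get_handle renegotiation, with its status code
    - the first ACCESS_DENIED that follows an INVALID_PARAMETER for the
      same account within `window` (the onset pattern the poster saw)
    """
    findings = []
    now = None
    pending = {}  # account -> time of its latest INVALID_PARAMETER
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            now = parse_ts(m.group(1))
            continue
        m = NETR_RE.search(line)
        if m:
            findings.append({"type": "netlogon_renegotiation",
                             "time": now, "status": m.group(1)})
            continue
        m = LOGON_RE.search(line)
        if not m or now is None:
            continue
        account, status = m.groups()
        if status == "INVALID_PARAMETER":
            pending[account] = now
        elif status == "ACCESS_DENIED" and account in pending:
            if now - pending[account] <= window:
                findings.append({"type": "logon_denied_after_invalid_parameter",
                                 "time": now, "account": account,
                                 "invalid_parameter_at": pending[account]})
            # Report each onset once; later ACCESS_DENIED lines are the "spam".
            del pending[account]
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        stamp = f["time"].isoformat(sep=" ") if f["time"] else "unknown time"
        detail = f.get("status") or f.get("account")
        print(f"{stamp}  {f['type']}  {detail}")
```

On the Windows side the authoritative signal remains event ID 5827 (and 5830 once the bypass GPO is in place) on the domain controllers; the scanner above only surfaces the OmniOS-side symptoms early enough to correlate with them, and on a live system it would be fed the output of `svcs -L` for the SMB server service rather than the constructed sample.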