Public bug reported:

Hi,

I updated Samba on my old web server, which is running a fully updated 12.04.5 LTS, and now I cannot get it to act as a domain member anymore. All password validation requests fail. The only way to access this server once more is to manually add local users with usernames and passwords matching the domain users. The server is now completely incapable of checking passwords against our 14.04 LTS Samba AD DC.

I have verified that upgrading our other 14.04 LTS file server from Samba 4.1.6 to 4.3.8 worked fine, but upgrading our Samba AD DC from 4.1.6 to 4.3.8 BROKE EVERYTHING, so I had to roll that back. I suspect that if I were able to update the AD DC to 4.3.8 perhaps this issue would go away, as I believe the problem is specific to the recently patched "badlock" bug. However, that is a separate issue, one that I will not file a bug for unless I am able to determine that it is not specific to our configuration. I will spin up a new AD DC using the 4.3.8 series and try to make it the new PDC, and if that also fails, I will file a bug for that other issue. I will also come back here and let you know whether this issue goes away by doing that or not.

I would upgrade this server to 14.04 LTS, if not for the fact that we still have some legacy PHP 5.3 code, and we were not able to compile PHP 5.3 on newer Ubuntu versions because of crazy dependency issues which I will not get into here.

Relevant error messages when trying to use smbclient with a domain username:

cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED

Changing the server signing and client signing parameters on any of the involved servers does not seem to fix the issue, unfortunately.

Below is more debug info, with my true domain name changed to SAMDOM.EXAMPLE.ORG instead of what it actually is. To make it more clear, FILESERV is our 4.3.8 fileserver, FILESERV2 is actually our 4.1.6 Samba AD DC, and DB3 is our 3.6.25 file/web server.
Full debug level 5 output of the smbtree command:

smbtree -d 5 -U administrator
INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter netbios name = db3
handle_netbios_name: set global_myname to: DB3
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
Enter administrator's password:
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
name SAMDOM#1D found.
Connecting to host=192.168.6.91
Connecting to 192.168.6.91 at port 445
Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 87040 SO_RCVBUF = 372480 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
namecache_status_fetch: key NBT/*#00.00.192.168.6.91 -> FILESERV
Connecting to host=FILESERV
Connecting to 192.168.6.91 at port 445
Connecting to 192.168.6.91 at port 139
Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 87040 SO_RCVBUF = 372480 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED

Full debug level 5 output of the smbclient command:

smbclient -d 5 -L localhost -U administrator
INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter netbios name = db3
handle_netbios_name: set global_myname to: DB3
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
Netbios name list:-
my_netbios_names[0]="DB3"
Client started (version 3.6.25).
Enter administrator's password:
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
no entry for localhost#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name localhost<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name localhost<0x20>
namecache_store: storing 1 address for localhost#20: 127.0.0.1
Connecting to 127.0.0.1 at port 445
Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 2626560 SO_RCVBUF = 1061808 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1
session request ok
Substituting charset 'UTF-8' for LOCALE
Doing spnego session setup (blob length=112)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS

Full debug level 5 output of the domain join command:

root@db3:/var/lib/samba# net -d 5 ads join -U administrator
INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter netbios name = db3
handle_netbios_name: set global_myname to: DB3
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="DB3"
added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter administrator's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'DB3'
            domain_name              : *
                domain_name              : 'SAMDOM.EXAMPLE.ORG'
            account_ou               : NULL
            admin_account            : 'administrator'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
Connecting to host=fileserv2.samdom.example.org
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
name fileserv2.samdom.example.org#20 found.
Connecting to 192.168.6.92 at port 445
Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 87040 SO_RCVBUF = 372480 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : NULL
            dns_domain_name          : NULL
            forest_name              : NULL
            dn                       : NULL
            domain_sid               : NULL
            domain_sid               : (NULL SID)
            modified_config          : 0x00 (0)
            error_string             : 'failed to lookup DC info for domain 'SAMDOM.EXAMPLE.ORG' over rpc: Access denied'
            domain_is_ad             : 0x00 (0)
            result                   : WERR_ACCESS_DENIED
Failed to join domain: failed to lookup DC info for domain 'SAMDOM.EXAMPLE.ORG' over rpc: Access denied
return code = -1

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1572824

Title:
  Samba Domain Member cannot check passwords against Samba AD DC after
  "Badlock" update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572824/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
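The debug output above mixes three things a responder wants separated: the effective smb.conf as the client parsed it, which connection attempt each NT_STATUS failure belongs to, and the diagnostic line (cli_negprot or SPNEGO) that explains the failure. The script below is an added example, my own code and not part of the bug report or of the Samba project; it assumes only the shape of the log lines quoted in the report, and the SAMPLE_LOG it runs on is constructed from those lines. It rebuilds the [global] parameters from the "doing parameter" lines, reports which signing-related parameters are set explicitly (the ones absent from the config run on whatever defaults the installed build ships, which is why a package update can change negotiation behaviour without any smb.conf edit), and pairs each failure with its target and reason.

```python
"""Triage helper for Samba client-side "-d 5" debug output.

Added example, not code from the bug report or from the Samba project.
It relies only on the shape of the log lines quoted in the report:
"doing parameter X = Y", "Connecting to H at port P", "cli_negprot: ...",
"failed negprot: NT_STATUS_...", "SPNEGO login failed: ..." and
"session setup failed: NT_STATUS_...".
"""
import re
from collections import OrderedDict

# Constructed sample, shaped like the smbtree and smbclient excerpts in the report.
SAMPLE_LOG = """\
Processing section "[global]"
doing parameter netbios name = db3
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter idmap config SAMDOM:backend = ad
Connecting to host=192.168.6.91
Connecting to 192.168.6.91 at port 445
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
Connecting to 127.0.0.1 at port 445
session request ok
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS
"""

PARAM_RE = re.compile(r"^doing parameter (?P<key>.+?) = (?P<value>.*)$")
CONNECT_RE = re.compile(r"^Connecting to (?P<host>\S+) at port (?P<port>\d+)$")
FAIL_RE = re.compile(r"^(?P<stage>failed negprot|session setup failed): (?P<status>NT_STATUS_\w+)$")

# smb.conf parameters that govern SMB signing on the member-server side.
SIGNING_PARAMS = ("client signing", "client ipc signing", "server signing")


def parse_parameters(log_text):
    """Recover the effective [global] settings from the 'doing parameter' lines."""
    params = OrderedDict()
    for line in log_text.splitlines():
        m = PARAM_RE.match(line.strip())
        if m:
            params[m.group("key")] = m.group("value")
    return params


def explicit_signing_settings(params):
    """Signing parameters the config sets explicitly; absent ones run on the
    installed build's defaults, so an upgrade can change them silently."""
    return {k: params[k] for k in SIGNING_PARAMS if k in params}


def classify_failures(log_text):
    """Attach each NT_STATUS failure to the last connection target and to the
    diagnostic line (cli_negprot / SPNEGO) that preceded it."""
    failures = []
    target = None
    reason = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CONNECT_RE.match(line)
        if m:
            target = "%s:%s" % (m.group("host"), m.group("port"))
            reason = None  # a new connection attempt starts with no diagnosis yet
            continue
        if line.startswith(("cli_negprot:", "SPNEGO login failed:")):
            reason = line.split(":", 1)[1].strip()
            continue
        m = FAIL_RE.match(line)
        if m:
            failures.append({"target": target, "stage": m.group("stage"),
                             "status": m.group("status"), "reason": reason})
    return failures


def describe(failure):
    """Defender-facing reading of a classified failure."""
    if failure["stage"] == "failed negprot":
        # Protocol negotiation precedes session setup, so no credentials were sent yet.
        return ("negotiate with %s refused by the client before any credentials were sent: %s"
                % (failure["target"], failure["reason"]))
    return ("session setup against %s failed (%s): %s; check for negprot failures "
            "against the DC earlier in the log"
            % (failure["target"], failure["status"], failure["reason"]))


if __name__ == "__main__":
    params = parse_parameters(SAMPLE_LOG)
    print("security =", params.get("security"), "realm =", params.get("realm"))
    print("explicit signing settings:",
          explicit_signing_settings(params) or "none (build defaults in effect)")
    for f in classify_failures(SAMPLE_LOG):
        print(describe(f))
```

Run against a real "-d 5" capture, the empty result from explicit_signing_settings() is the first thing to note: every signing parameter is then coming from the installed package's defaults, so comparing the defaults of the version before and after the update is the next step, rather than editing smb.conf blindly.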