[Samba] Samba file server 4.4.4 - trust relationship
edson via samba
2017-03-16 00:30:01 UTC
Hello experts

I currently have a file server running on CentOS 7. The file server is
joined to the enterprise.com domain (with Samba 4.5).

The enterprise.com domain (with samba 4.5) maintains a trust relationship
with the example.com domain running on windows server 2012R2.

The problem occurs when a user of the example.com (Windows Server) domain
authenticates on a workstation of the enterprise.com domain and tries to
access a share on the file server or on a Samba 4 domain controller. Access is denied.

Below are the logs of an attempted access from a Windows 10 workstation (joined
to the enterprise.com domain) to the file server, using a user from the
example.com domain:


[2017/03/15 19:36:47.678066, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 10.10.10.31 (10.10.10.31)
[2017/03/15 19:36:47.678174, 3] ../source3/smbd/oplock.c:1310(init_oplocks)
  init_oplocks: initializing messages.
[2017/03/15 19:36:47.799334, 3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 0 of length 178 (0 toread)
[2017/03/15 19:36:47.799518, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2017/03/15 19:36:47.803391, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2017/03/15 19:36:47.804004, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[solange] domain=[GNULINUX] workstation=[WINDOWS10] len1=24 len2=306
[2017/03/15 19:36:47.804068, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
  lp_load_ex: refreshing parameters
[2017/03/15 19:36:47.804116, 3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2017/03/15 19:36:47.804189, 3] ../source3/param/loadparm.c:2671(lp_do_section)
  Processing section "[global]"
[2017/03/15 19:36:47.804235, 2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[rh]"
[2017/03/15 19:36:47.804282, 2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[diretoria]"
[2017/03/15 19:36:47.804342, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
  adding IPC service
[2017/03/15 19:36:47.804471, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [GNULINUX]\[solange]@[WINDOWS10] with the new password interface
[2017/03/15 19:36:47.804485, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [GNULINUX]\[solange]@[WINDOWS10]
[2017/03/15 19:36:47.804547, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/03/15 19:36:47.806880, 3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.10.10.10
[2017/03/15 19:36:47.806935, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/03/15 19:36:47.810180, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/03/15 19:36:47.815598, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.10.10.10 at port 445
[2017/03/15 19:36:47.833059, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=96)
[2017/03/15 19:36:47.833140, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/03/15 19:36:47.833152, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=***@please_ignore
[2017/03/15 19:36:47.837268, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/03/15 19:36:47.837310, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2017/03/15 19:36:47.837350, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/03/15 19:36:47.837358, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/03/15 19:36:47.837370, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/03/15 19:36:47.837377, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/03/15 19:36:47.838566, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/03/15 19:36:47.838589, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/03/15 19:36:47.844950, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/03/15 19:36:47.856611, 0] ../source3/auth/auth_domain.c:225(domain_client_validate)
  domain_client_validate: unable to validate password for user solange in domain GNULINUX to Domain controller SRVDC1.COORP.GNULINUX. Error was NT_STATUS_NO_SUCH_USER.
[2017/03/15 19:36:47.857771, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [solange] -> [solange] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/03/15 19:36:47.857807, 2] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/03/15 19:36:47.857854, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/03/15 19:36:47.858475, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
[2017/03/15 19:36:47.860728, 3] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

--------------------------------------------------------------------------------------------------------------------------------


When access is made by any user of the enterprise.com domain it is granted
successfully, without any prompt for authentication.

Note: the file server is integrated with the enterprise.com domain using
sssd to map users and groups (working seamlessly). It also uses Samba to share
files.

How can I access a share with a user from a domain other than the one the
workstation is joined to?
--
Regards,

Edson Oliveira
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
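As an added example (editor's code, not part of the original post and not Samba's own tooling): a small Python triage script for Samba debug logs of the shape shown above, where each entry is a "[date time, level] file:line(func)" header line followed by one or more message lines. It pulls out the user, domain and workstation the client presented in its NTLMSSP AUTHENTICATE message, the domain controller the logon was forwarded to, the status the DC returned, and the status smbd finally sent back to the client, and then checks them against an operator-supplied expectation. The file server's own domain name and the user-to-home-domain mapping are assumptions passed in by the caller, and the sample log embedded in the block is re-typed from the post above. What the log already shows, and what the script makes explicit, is that the workstation presented domain GNULINUX for solange, the DC SRVDC1.COORP.GNULINUX answered NT_STATUS_NO_SUCH_USER, and the client was told only NT_STATUS_LOGON_FAILURE.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the session-setup lines from the log in the post
# above, re-typed here (with Samba's usual two-space message indent and one
# wrapped message) so the block runs offline.
SAMPLE_LOG = """\
[2017/03/15 19:36:47.678066, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 10.10.10.31 (10.10.10.31)
[2017/03/15 19:36:47.799518, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2017/03/15 19:36:47.804004, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[solange] domain=[GNULINUX] workstation=[WINDOWS10] len1=24 len2=306
[2017/03/15 19:36:47.856611, 0] ../source3/auth/auth_domain.c:225(domain_client_validate)
  domain_client_validate: unable to validate password for user solange in
  domain GNULINUX to Domain controller SRVDC1.COORP.GNULINUX. Error was
  NT_STATUS_NO_SUCH_USER.
[2017/03/15 19:36:47.857771, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [solange] -> [solange] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/03/15 19:36:47.857854, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
"""

# Header line of a Samba debug entry; everything until the next header is message text.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+(?P<loc>\S+)$"
)
CONN_RE = re.compile(r"Allowed connection from (?P<ip>[\d.]+)")
NTLMSSP_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] workstation=\[(?P<ws>[^\]]*)\]"
)
DC_VALIDATE_RE = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain (?P<domain>\S+) "
    r"to Domain controller (?P<dc>\S+)\. Error was (?P<status>NT_STATUS_\w+)"
)
CLIENT_STATUS_RE = re.compile(r"status\[(?P<status>NT_STATUS_\w+)\]")


@dataclass
class Entry:
    ts: str
    level: int
    loc: str
    message: str


def parse_entries(text: str) -> List[Entry]:
    """Group header + (possibly wrapped) message lines into entries."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if cur is not None:
                entries.append(cur)
            cur = Entry(m["ts"], int(m["level"]), m["loc"], "")
        elif cur is not None and line.strip():
            # Continuation line (mail clients wrap long messages): rejoin with a space.
            cur.message = (cur.message + " " + line.strip()).strip()
    if cur is not None:
        entries.append(cur)
    return entries


@dataclass
class SessionSetup:
    client_ip: Optional[str] = None
    user: Optional[str] = None
    asserted_domain: Optional[str] = None   # domain field of the NTLMSSP AUTHENTICATE
    workstation: Optional[str] = None
    dc: Optional[str] = None                # DC the logon was forwarded to
    internal_status: Optional[str] = None   # what the DC told smbd
    client_status: Optional[str] = None     # what smbd told the SMB client


def extract_session_setup(entries: List[Entry]) -> SessionSetup:
    s = SessionSetup()
    for e in entries:
        if m := CONN_RE.search(e.message):
            s.client_ip = m["ip"]
        elif m := NTLMSSP_RE.search(e.message):
            s.user, s.asserted_domain, s.workstation = m["user"], m["domain"], m["ws"]
        elif m := DC_VALIDATE_RE.search(e.message):
            s.dc, s.internal_status = m["dc"], m["status"]
        elif "smbd_smb2_request_error_ex" in e.loc and (m := CLIENT_STATUS_RE.search(e.message)):
            s.client_status = m["status"]
    return s


def triage(s: SessionSetup, server_domain: str, home_domains: Dict[str, str]) -> List[str]:
    """Explain a failed NTLMSSP session setup.

    server_domain: NetBIOS domain the file server is joined to (assumption).
    home_domains:  user name -> domain that really holds the account (assumption).
    Neither is stated by the log itself; the operator supplies both.
    """
    if s.user is None:
        return ["no NTLMSSP AUTHENTICATE message seen; nothing to triage"]
    findings: List[str] = []
    home = home_domains.get(s.user.lower())
    asserted = (s.asserted_domain or "").upper()
    if asserted == server_domain.upper() and home and home.upper() != asserted:
        findings.append(
            f"{s.workstation} ({s.client_ip}) sent user {s.user} with domain {asserted}, "
            f"the server's own domain, although the account lives in {home.upper()}; "
            f"the logon was forwarded to {s.dc}, which answered {s.internal_status}"
        )
    if s.internal_status and s.client_status and s.internal_status != s.client_status:
        findings.append(
            f"internal status {s.internal_status} reached the client as {s.client_status}: "
            "the SMB error alone does not reveal whether the account exists"
        )
    return findings


if __name__ == "__main__":
    setup = extract_session_setup(parse_entries(SAMPLE_LOG))
    for finding in triage(setup, "GNULINUX", {"solange": "EXAMPLE"}):
        print("-", finding)
```

Feed it a real `log.smbd` at `log level = 3` or higher by replacing `SAMPLE_LOG` with the file contents; the parser only needs the header line shape, so wrapped or indented message lines are handled either way. The second finding is the one to keep in mind when reading client-side errors: a bare NT_STATUS_LOGON_FAILURE at the workstation is compatible with both a wrong password and a DC that never heard of the account, so the server log, not the client dialog, is where the distinction lives.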