Univention Bugzilla – Bug 37874
NetApp can't lookup SIDs
Last modified: 2015-08-26 09:25:43 CEST
Ticket#2015021821000495
NetApp ONTAP 8.2.2 p2

The NetApp "cifs setup" looks okay in the first place but the system can't lookup names/SID.

---
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for LISH.
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using DNS site query (Default-First-Site-Name)..
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using generic DNS query.
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting WINS queries.
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 BDC addresses through WINS.
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 PDC addresses through WINS.
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for LISH complete. 2 unique addresses found.
[na:cifs.server.infoMsg:info]: CIFS: Warning for server \\SJ2: Unable to create NETLOGON pipe STATUS_ACCESS_DENIED.
[na:cifs.server.infoMsg:info]: CIFS: Warning for server \\SJ2: Connection terminated.
---

Debuglevel 12 shows that the client is forcing a cipher downgrade which is rejected by samba:

---
[2015/02/19 19:37:10.931387, 10, pid=5381, effective(0, 0), real(0, 0)] ../source4/smbd/service_named_pipe.c:126(named_pipe_accept_done)
  Accepted npa connection from unix:. Client: 10.29.110.62 (ipv4:10.29.110.62:5168). Server: 10.29.110.4 (ipv4:10.29.110.4:445)
[2015/02/19 19:37:10.931432, 10, pid=5381, effective(0, 0), real(0, 0)] ../source4/smbd/service_named_pipe.c:144(named_pipe_accept_done)
  named pipe connection [rpc] established
[2015/02/19 19:37:10.933247, 1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  netr_ServerReqChallenge: struct netr_ServerReqChallenge
    in: struct netr_ServerReqChallenge
      server_name : *
        server_name : '\\SJ2'
      computer_name : *
        computer_name : 'NA2'
      credentials : *
        credentials: struct netr_Credential
          data : 86169b14f83e2d4d
[2015/02/19 19:37:10.933298, 1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  netr_ServerReqChallenge: struct netr_ServerReqChallenge
    out: struct netr_ServerReqChallenge
      return_credentials : *
        return_credentials: struct netr_Credential
          data : 4bd3da8eeec8d19b
      result : NT_STATUS_OK
[2015/02/19 19:37:10.934118, 1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
    in: struct netr_ServerAuthenticate2
      server_name : *
        server_name : '\\SJ2'
      account_name : *
        account_name : 'NA2$'
      secure_channel_type : SEC_CHAN_WKSTA (2)
      computer_name : *
        computer_name : 'NA2'
      credentials : *
        credentials: struct netr_Credential
          data : 112364c805994119
      negotiate_flags : *
        negotiate_flags : 0x000701ff (459263)
          1: NETLOGON_NEG_ACCOUNT_LOCKOUT
          1: NETLOGON_NEG_PERSISTENT_SAMREPL
          1: NETLOGON_NEG_ARCFOUR
          1: NETLOGON_NEG_PROMOTION_COUNT
          1: NETLOGON_NEG_CHANGELOG_BDC
          1: NETLOGON_NEG_FULL_SYNC_REPL
          1: NETLOGON_NEG_MULTIPLE_SIDS
          1: NETLOGON_NEG_REDO
          1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
          0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
          0: NETLOGON_NEG_GENERIC_PASSTHROUGH
          0: NETLOGON_NEG_CONCURRENT_RPC
          0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
          0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
          0: NETLOGON_NEG_STRONG_KEYS
          0: NETLOGON_NEG_TRANSITIVE_TRUSTS
          1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
          1: NETLOGON_NEG_PASSWORD_SET2
          1: NETLOGON_NEG_GETDOMAININFO
          0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
          0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
          0: NETLOGON_NEG_RODC_PASSTHROUGH
          0: NETLOGON_NEG_SUPPORTS_AES_SHA2
          0: NETLOGON_NEG_SUPPORTS_AES
          0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
          0: NETLOGON_NEG_AUTHENTICATED_RPC
[2015/02/19 19:37:10.934260, 1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
    out: struct netr_ServerAuthenticate2
      return_credentials : *
        return_credentials: struct netr_Credential
          data : 0000000000000000
      negotiate_flags : *
        negotiate_flags : 0x00000000 (0)
          0: NETLOGON_NEG_ACCOUNT_LOCKOUT
          0: NETLOGON_NEG_PERSISTENT_SAMREPL
          0: NETLOGON_NEG_ARCFOUR
          0: NETLOGON_NEG_PROMOTION_COUNT
          0: NETLOGON_NEG_CHANGELOG_BDC
          0: NETLOGON_NEG_FULL_SYNC_REPL
          0: NETLOGON_NEG_MULTIPLE_SIDS
          0: NETLOGON_NEG_REDO
          0: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
          0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
          0: NETLOGON_NEG_GENERIC_PASSTHROUGH
          0: NETLOGON_NEG_CONCURRENT_RPC
          0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
          0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
          0: NETLOGON_NEG_STRONG_KEYS
          0: NETLOGON_NEG_TRANSITIVE_TRUSTS
          0: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
          0: NETLOGON_NEG_PASSWORD_SET2
          0: NETLOGON_NEG_GETDOMAININFO
          0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
          0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
          0: NETLOGON_NEG_RODC_PASSTHROUGH
          0: NETLOGON_NEG_SUPPORTS_AES_SHA2
          0: NETLOGON_NEG_SUPPORTS_AES
          0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
          0: NETLOGON_NEG_AUTHENTICATED_RPC
      result : NT_STATUS_DOWNGRADE_DETECTED
[2015/02/19 19:37:10.935225, 1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
    in: struct netr_ServerAuthenticate2
      server_name : *
        server_name : '\\SJ2'
      account_name : *
        account_name : 'NA2$'
      secure_channel_type : SEC_CHAN_WKSTA (2)
      computer_name : *
        computer_name : 'NA2'
      credentials : *
        credentials: struct netr_Credential
          data : 0265285653a4e82e
      negotiate_flags : *
        negotiate_flags : 0x000741ff (475647)
          1: NETLOGON_NEG_ACCOUNT_LOCKOUT
          1: NETLOGON_NEG_PERSISTENT_SAMREPL
          1: NETLOGON_NEG_ARCFOUR
          1: NETLOGON_NEG_PROMOTION_COUNT
          1: NETLOGON_NEG_CHANGELOG_BDC
          1: NETLOGON_NEG_FULL_SYNC_REPL
          1: NETLOGON_NEG_MULTIPLE_SIDS
          1: NETLOGON_NEG_REDO
          1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
          0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
          0: NETLOGON_NEG_GENERIC_PASSTHROUGH
          0: NETLOGON_NEG_CONCURRENT_RPC
          0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
          0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
          1: NETLOGON_NEG_STRONG_KEYS
          0: NETLOGON_NEG_TRANSITIVE_TRUSTS
          1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
          1: NETLOGON_NEG_PASSWORD_SET2
          1: NETLOGON_NEG_GETDOMAININFO
          0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
          0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
          0: NETLOGON_NEG_RODC_PASSTHROUGH
          0: NETLOGON_NEG_SUPPORTS_AES_SHA2
          0: NETLOGON_NEG_SUPPORTS_AES
          0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
          0: NETLOGON_NEG_AUTHENTICATED_RPC
[2015/02/19 19:37:10.935397, 10, pid=5381, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
  dn: DC=x,DC=y,DC=de
  scope: sub
  expr: (&(sAMAccountName=NA2$)(objectclass=user))
  attr: unicodePwd
  attr: userAccountControl
  attr: objectSid
  control: <NONE>
...
...
[2015/02/19 19:37:10.936137, 10, pid=5381, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
  dn: CN=NA2,CN=Computers,DC=x,DC=y,DC=de
  userAccountControl: 69632
  objectSid: S-1-5-21-1487169172-248952611-3907374446-67110852
  # unicodePwd::: REDACTED SECRET ATTRIBUTE
...
...
[2015/02/19 19:37:10.936273, 6, pid=5381, effective(0, 0), real(0, 0)] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: NULL (&(sAMAccountName=NA2$)(objectclass=user)) -> 1
[2015/02/19 19:37:10.936295, 1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA2/NA2$], cannot authenticate
---

Workaround:

---
cat >>/etc/samba/local.conf <<__CONF__
[global]
allow nt4 crypto = yes
__CONF__
ucr commit etc/samba/smb.conf
/etc/init.d/samba restart
---

(On all DCs of course)

As joining a native W2k8 AD works without modification, we should investigate the join process to figure out what causes the NetApp to use DES/MD5.
This is what the test environment NetApp shows without nt4 crypto:

---
netapp> cifs domaininfo
NetBIOS Domain:            LISH
Windows Domain Name:       40lish.qa
Domain Controller Functionality: Windows 2008 R2
Domain Functionality:      Windows 2003
Forest Functionality:      Windows 2003
Filer AD Site:             Default-First-Site-Name

Not currently connected to any DCs
Preferred Addresses:       None
Favored Addresses:         10.200.6.40  MASTER  PDCBROKEN
Other Addresses:           None

Connected AD LDAP Server:  \\master.40lish.qa
Preferred Addresses:       None
Favored Addresses:         10.200.6.40  master.40lish.qa
Other Addresses:           None
---

As soon as nt4 crypto is enabled:

---
netapp> cifs domaininfo
NetBIOS Domain:            LISH
Windows Domain Name:       40lish.qa
Domain Controller Functionality: Windows 2008 R2
Domain Functionality:      Windows 2003
Forest Functionality:      Windows 2003
Filer AD Site:             Default-First-Site-Name

Current Connected DCs:     \\MASTER
Total DC addresses found:  1
Preferred Addresses:       None
Favored Addresses:         10.200.6.40  MASTER  PDC
Other Addresses:           None

Connected AD LDAP Server:  \\master.40lish.qa
Preferred Addresses:       None
Favored Addresses:         10.200.6.40  master.40lish.qa
Other Addresses:           None
---
Created attachment 6717 [details]
netapp_netlogon.patch

This patch fixed the problem in the test setup. The issue is triggered by the NetApp in three steps:

1. The NetApp calls netr_ServerReqChallenge to set up the challenge tokens.
2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS set to 0. Native AD and Samba respond to this with NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away the challenge token negotiated in the first step.
3. Next it calls netr_ServerAuthenticate2 again, this time with NETLOGON_NEG_STRONG_KEYS set to 1. Samba returns NT_STATUS_ACCESS_DENIED as it has lost track of the challenge.

Upstream git commit 321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced a workaround for a different but related issue. My patch makes a minor adjustment to the upstream patch to delay flushing the cached challenge until it's clear that we are not in this NT_STATUS_DOWNGRADE_DETECTED situation.
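The three-step exchange above, as an added model of the server's challenge cache (example code written for this page, not Samba's code and not the attached patch). It reproduces the three outcomes discussed in this bug: the buggy order (challenge flushed before the downgrade check), the patched order (flush delayed until the check passed), and the "allow nt4 crypto" workaround, which avoids the failure only by accepting the weak key negotiation. The class and function names and the flush_challenge_before_check switch are hypothetical; the negotiate_flags values and challenge bytes are taken from the trace in this bug.

```python
from dataclasses import dataclass, field

# Flag bit that differs between the two netr_ServerAuthenticate2 calls in the trace
# (0x000741ff - 0x000701ff == 0x4000); this is NETLOGON_NEG_STRONG_KEYS in Samba's IDL.
NETLOGON_NEG_STRONG_KEYS = 0x00004000

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_DOWNGRADE_DETECTED = "NT_STATUS_DOWNGRADE_DETECTED"
NT_STATUS_ACCESS_DENIED = "NT_STATUS_ACCESS_DENIED"


@dataclass
class NetlogonServer:
    """Hypothetical model of the DC side: only the challenge cache and the key-strength check."""
    allow_nt4_crypto: bool = False            # models "allow nt4 crypto = yes"
    flush_challenge_before_check: bool = True  # True = buggy order, False = patched order
    challenges: dict = field(default_factory=dict)

    def server_req_challenge(self, computer_name: str, client_challenge: bytes) -> str:
        # Step 1: remember the client's challenge for the coming Authenticate2 call.
        self.challenges[computer_name] = client_challenge
        return NT_STATUS_OK

    def server_authenticate2(self, computer_name: str, negotiate_flags: int) -> str:
        if self.flush_challenge_before_check:
            cached = self.challenges.pop(computer_name, None)   # consumed unconditionally
        else:
            cached = self.challenges.get(computer_name)         # kept until the check passes
        if cached is None:
            # Samba logs "No challenge requested by client ..., cannot authenticate" here.
            return NT_STATUS_ACCESS_DENIED
        weak_keys = not (negotiate_flags & NETLOGON_NEG_STRONG_KEYS)
        if weak_keys and not self.allow_nt4_crypto:
            return NT_STATUS_DOWNGRADE_DETECTED   # refuse DES/MD5 session keys
        self.challenges.pop(computer_name, None)  # challenge used up by a successful auth
        return NT_STATUS_OK


def netapp_join_sequence(server: NetlogonServer) -> list:
    """Replays the client behaviour seen in the trace: weak flags first, strong flags on retry."""
    server.server_req_challenge("NA2", bytes.fromhex("86169b14f83e2d4d"))
    statuses = [server.server_authenticate2("NA2", 0x000701ff)]
    if statuses[0] == NT_STATUS_DOWNGRADE_DETECTED:
        statuses.append(server.server_authenticate2("NA2", 0x000741ff))
    return statuses
```

Only the patched order lets the DC keep refusing weak keys while the retry with strong keys still succeeds; the workaround trades that refusal away for every client.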
(In reply to Arvid Requate from comment #2)
> Created attachment 6717 [details]
> netapp_netlogon.patch
>
> This patch fixed the problem in the test setup.

So it does in mine!
The package has been rebuilt with the patch in errata4.0-1.

Advisory: 2015-03-19-samba.yaml

Patch sent to the upstream mailing list (see URL field above).
YAML: OK
Code review: OK
ucs-test: OK
<http://errata.univention.de/ucs/4.0/138.html>
No reaction upstream. Filed bug https://bugzilla.samba.org/show_bug.cgi?id=11291 for this.