Bug 37874 - NetApp can't lookup SIDs
NetApp can't lookup SIDs
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.0-1-errata
Assigned To: Arvid Requate
Stefan Gohmann
https://bugzilla.samba.org/show_bug.c...
:
Depends on:
Blocks: 39263
  Show dependency treegraph
 
Reported: 2015-02-24 14:31 CET by Janis Meybohm
Modified: 2015-08-26 09:25 CEST (History)
5 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
netapp_netlogon.patch (1.24 KB, patch)
2015-02-24 18:15 CET, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Janis Meybohm univentionstaff 2015-02-24 14:31:59 CET
Ticket#2015021821000495 

NetApp ONTAP 8.2.2 p2

The NetApp "cifs setup" looks okay in first place but the system can't lookup names/SID.

 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for LISH.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using DNS site query (Default-First-Site-Name)..  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using generic DNS query.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting WINS queries.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 BDC addresses through WINS.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 PDC addresses through WINS.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for LISH complete. 2 unique addresses found.  
 [na:cifs.server.infoMsg:info]: CIFS: Warning for server \\SJ2: Unable to create NETLOGON pipe STATUS_ACCESS_DENIED.  
 [na:cifs.server.infoMsg:info]: CIFS: Warning for server \\SJ2: Connection terminated.


Debuglevel 12 shows that the client is forcing a cipher downgrade which is rejected by samba:

[2015/02/19 19:37:10.931387, 10, pid=5381, effective(0, 0), real(0, 0)] ../source4/smbd/service_named_pipe.c:126(named_pipe_accept_done)
  Accepted npa connection from unix:. Client: 10.29.110.62 (ipv4:10.29.110.62:5168). Server: 10.29.110.4 (ipv4:10.29.110.4:445)
[2015/02/19 19:37:10.931432, 10, pid=5381, effective(0, 0), real(0, 0)] ../source4/smbd/service_named_pipe.c:144(named_pipe_accept_done)
  named pipe connection [rpc] established
[2015/02/19 19:37:10.933247,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerReqChallenge: struct netr_ServerReqChallenge
          in: struct netr_ServerReqChallenge
              server_name              : *
                  server_name              : '\\SJ2'
              computer_name            : *
                  computer_name            : 'NA2'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : 86169b14f83e2d4d
[2015/02/19 19:37:10.933298,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerReqChallenge: struct netr_ServerReqChallenge
          out: struct netr_ServerReqChallenge
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 4bd3da8eeec8d19b
              result                   : NT_STATUS_OK
[2015/02/19 19:37:10.934118,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
          in: struct netr_ServerAuthenticate2
              server_name              : *
                  server_name              : '\\SJ2'
              account_name             : *
                  account_name             : 'NA2$'
              secure_channel_type      : SEC_CHAN_WKSTA (2)
              computer_name            : *
                  computer_name            : 'NA2'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : 112364c805994119
              negotiate_flags          : *
                  negotiate_flags          : 0x000701ff (459263)
                         1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         1: NETLOGON_NEG_PERSISTENT_SAMREPL
                         1: NETLOGON_NEG_ARCFOUR     
                         1: NETLOGON_NEG_PROMOTION_COUNT
                         1: NETLOGON_NEG_CHANGELOG_BDC
                         1: NETLOGON_NEG_FULL_SYNC_REPL
                         1: NETLOGON_NEG_MULTIPLE_SIDS
                         1: NETLOGON_NEG_REDO        
                         1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         0: NETLOGON_NEG_STRONG_KEYS 
                         0: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         1: NETLOGON_NEG_PASSWORD_SET2
                         1: NETLOGON_NEG_GETDOMAININFO
                         0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         0: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         0: NETLOGON_NEG_AUTHENTICATED_RPC
[2015/02/19 19:37:10.934260,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
          out: struct netr_ServerAuthenticate2
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 0000000000000000
              negotiate_flags          : *
                  negotiate_flags          : 0x00000000 (0)
                         0: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         0: NETLOGON_NEG_PERSISTENT_SAMREPL
                         0: NETLOGON_NEG_ARCFOUR     
                         0: NETLOGON_NEG_PROMOTION_COUNT
                         0: NETLOGON_NEG_CHANGELOG_BDC
                         0: NETLOGON_NEG_FULL_SYNC_REPL
                         0: NETLOGON_NEG_MULTIPLE_SIDS
                         0: NETLOGON_NEG_REDO        
                         0: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         0: NETLOGON_NEG_STRONG_KEYS 
                         0: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         0: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         0: NETLOGON_NEG_PASSWORD_SET2
                         0: NETLOGON_NEG_GETDOMAININFO
                         0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         0: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         0: NETLOGON_NEG_AUTHENTICATED_RPC
              result                   : NT_STATUS_DOWNGRADE_DETECTED
[2015/02/19 19:37:10.935225,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
          in: struct netr_ServerAuthenticate2
              server_name              : *
                  server_name              : '\\SJ2'
              account_name             : *
                  account_name             : 'NA2$'
              secure_channel_type      : SEC_CHAN_WKSTA (2)
              computer_name            : *
                  computer_name            : 'NA2'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : 0265285653a4e82e
              negotiate_flags          : *
                  negotiate_flags          : 0x000741ff (475647)
                         1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         1: NETLOGON_NEG_PERSISTENT_SAMREPL
                         1: NETLOGON_NEG_ARCFOUR     
                         1: NETLOGON_NEG_PROMOTION_COUNT
                         1: NETLOGON_NEG_CHANGELOG_BDC
                         1: NETLOGON_NEG_FULL_SYNC_REPL
                         1: NETLOGON_NEG_MULTIPLE_SIDS
                         1: NETLOGON_NEG_REDO        
                         1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         1: NETLOGON_NEG_STRONG_KEYS 
                         0: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         1: NETLOGON_NEG_PASSWORD_SET2
                         1: NETLOGON_NEG_GETDOMAININFO
                         0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         0: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         0: NETLOGON_NEG_AUTHENTICATED_RPC
[2015/02/19 19:37:10.935397, 10, pid=5381, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=x,DC=y,DC=de
   scope: sub
   expr: (&(sAMAccountName=NA2$)(objectclass=user))
   attr: unicodePwd
   attr: userAccountControl
   attr: objectSid
   control: <NONE>
...
...
[2015/02/19 19:37:10.936137, 10, pid=5381, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
  dn: CN=NA2,CN=Computers,DC=x,DC=y,DC=de
  userAccountControl: 69632
  objectSid: S-1-5-21-1487169172-248952611-3907374446-67110852
  # unicodePwd::: REDACTED SECRET ATTRIBUTE
...
...
[2015/02/19 19:37:10.936273,  6, pid=5381, effective(0, 0), real(0, 0)] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: NULL (&(sAMAccountName=NA2$)(objectclass=user)) -> 1
[2015/02/19 19:37:10.936295,  1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA2/NA2$], cannot authenticate




Workaround:

cat >>/etc/samba/local.conf <<__CONF__
[global]
  allow nt4 crypto = yes
__CONF__
ucr commit etc/samba/smb.conf
/etc/init.d/samba retsart

(On all DCs of cause)


As joining a native W2k8 AD works without modification, we should investigate the join process to figure our what causes the NetApp to use DES/MD5.
Comment 1 Janis Meybohm univentionstaff 2015-02-24 14:44:15 CET
This is what the test environment NetApp shows without nt4 crypto:
---
netapp> cifs domaininfo
NetBIOS Domain:                         LISH
Windows Domain Name:                    40lish.qa
Domain Controller Functionality:        Windows 2008 R2
Domain Functionality:                   Windows 2003
Forest Functionality:                   Windows 2003
Filer AD Site:                          Default-First-Site-Name
 
Not currently connected to any DCs
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40     MASTER           PDCBROKEN
Other Addresses:
                                        None
 
Connected AD LDAP Server:               \\master.40lish.qa
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40    
                                         master.40lish.qa
Other Addresses:
                                        None
---



As soon as nt4 crypto is enabled:
---
netapp> cifs domaininfo                    
NetBIOS Domain:                         LISH
Windows Domain Name:                    40lish.qa
Domain Controller Functionality:        Windows 2008 R2
Domain Functionality:                   Windows 2003
Forest Functionality:                   Windows 2003
Filer AD Site:                          Default-First-Site-Name

Current Connected DCs:                  \\MASTER
Total DC addresses found:               1
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40     MASTER           PDC
Other Addresses:
                                        None

Connected AD LDAP Server:               \\master.40lish.qa
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40     
                                         master.40lish.qa
Other Addresses:
                                        None
---
Comment 2 Arvid Requate univentionstaff 2015-02-24 18:15:02 CET
Created attachment 6717 [details]
netapp_netlogon.patch

This patch fixed the problem in the test setup.


The issue is triggered by the netapp in two steps:

1. The Netapp calls netr_ServerReqChallenge to set up the challenge tokens

2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS set to 0. Native AD and Samba respond to this with NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away the challenge token negotiated in the first step.

3. Next it calls netr_ServerAuthenticate2 again, this time with NETLOGON_NEG_STRONG_KEYS set to 1. Samba returns NT_STATUS_ACCESS_DENIED as it has lost track of the challenge.


Upstream git commit 321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced a workaround for a different but related issue. My patch makes a minor adjustment to the upstream patch to delay flushing the cached challenge until it's clear that we are not in this NT_STATUS_DOWNGRADE_DETECTED situation.
Comment 3 Janis Meybohm univentionstaff 2015-02-25 13:20:48 CET
(In reply to Arvid Requate from comment #2)
> Created attachment 6717 [details]
> netapp_netlogon.patch
> 
> This patch fixed the problem in the test setup.
So it does in mine!
Comment 4 Arvid Requate univentionstaff 2015-03-19 20:40:59 CET
The package has bee rebuilt with the patch in errata4.0-1.

Advisory: 2015-03-19-samba.yaml

Patch sent to the upstream mailing list (see URL field above).
Comment 5 Stefan Gohmann univentionstaff 2015-03-23 08:10:11 CET
YAML: OK

Code review: OK

ucs-test: OK
Comment 6 Janek Walkenhorst univentionstaff 2015-03-25 16:40:10 CET
<http://errata.univention.de/ucs/4.0/138.html>
Comment 7 Arvid Requate univentionstaff 2015-05-27 12:31:01 CEST
No reaction upstream. Filed bug https://bugzilla.samba.org/show_bug.cgi?id=11291 for this.