Bug 37874 - NetApp can't lookup SIDs
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-1-errata
Assigned To: Arvid Requate
QA Contact: Stefan Gohmann
URL: https://bugzilla.samba.org/show_bug.c...
Blocks: 39263
Reported: 2015-02-24 14:31 CET by Janis Meybohm
Modified: 2015-08-26 09:25 CEST (History)
Flags: requate: Patch_Available+

Attachments
netapp_netlogon.patch (1.24 KB, patch)
2015-02-24 18:15 CET, Arvid Requate
Description Janis Meybohm univentionstaff 2015-02-24 14:31:59 CET
Ticket#2015021821000495 

NetApp ONTAP 8.2.2 p2

The NetApp "cifs setup" looks okay in the first place, but the system can't look up names/SIDs.

 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for LISH.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using DNS site query (Default-First-Site-Name)..  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using generic DNS query.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting WINS queries.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 BDC addresses through WINS.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 PDC addresses through WINS.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for LISH complete. 2 unique addresses found.  
 [na:cifs.server.infoMsg:info]: CIFS: Warning for server \\SJ2: Unable to create NETLOGON pipe STATUS_ACCESS_DENIED.  
 [na:cifs.server.infoMsg:info]: CIFS: Warning for server \\SJ2: Connection terminated.


Debug level 12 shows that the client is forcing a cipher downgrade, which is rejected by Samba:

[2015/02/19 19:37:10.931387, 10, pid=5381, effective(0, 0), real(0, 0)] ../source4/smbd/service_named_pipe.c:126(named_pipe_accept_done)
  Accepted npa connection from unix:. Client: 10.29.110.62 (ipv4:10.29.110.62:5168). Server: 10.29.110.4 (ipv4:10.29.110.4:445)
[2015/02/19 19:37:10.931432, 10, pid=5381, effective(0, 0), real(0, 0)] ../source4/smbd/service_named_pipe.c:144(named_pipe_accept_done)
  named pipe connection [rpc] established
[2015/02/19 19:37:10.933247,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerReqChallenge: struct netr_ServerReqChallenge
          in: struct netr_ServerReqChallenge
              server_name              : *
                  server_name              : '\\SJ2'
              computer_name            : *
                  computer_name            : 'NA2'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : 86169b14f83e2d4d
[2015/02/19 19:37:10.933298,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerReqChallenge: struct netr_ServerReqChallenge
          out: struct netr_ServerReqChallenge
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 4bd3da8eeec8d19b
              result                   : NT_STATUS_OK
[2015/02/19 19:37:10.934118,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
          in: struct netr_ServerAuthenticate2
              server_name              : *
                  server_name              : '\\SJ2'
              account_name             : *
                  account_name             : 'NA2$'
              secure_channel_type      : SEC_CHAN_WKSTA (2)
              computer_name            : *
                  computer_name            : 'NA2'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : 112364c805994119
              negotiate_flags          : *
                  negotiate_flags          : 0x000701ff (459263)
                         1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         1: NETLOGON_NEG_PERSISTENT_SAMREPL
                         1: NETLOGON_NEG_ARCFOUR     
                         1: NETLOGON_NEG_PROMOTION_COUNT
                         1: NETLOGON_NEG_CHANGELOG_BDC
                         1: NETLOGON_NEG_FULL_SYNC_REPL
                         1: NETLOGON_NEG_MULTIPLE_SIDS
                         1: NETLOGON_NEG_REDO        
                         1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         0: NETLOGON_NEG_STRONG_KEYS 
                         0: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         1: NETLOGON_NEG_PASSWORD_SET2
                         1: NETLOGON_NEG_GETDOMAININFO
                         0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         0: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         0: NETLOGON_NEG_AUTHENTICATED_RPC
[2015/02/19 19:37:10.934260,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
          out: struct netr_ServerAuthenticate2
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 0000000000000000
              negotiate_flags          : *
                  negotiate_flags          : 0x00000000 (0)
                         0: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         0: NETLOGON_NEG_PERSISTENT_SAMREPL
                         0: NETLOGON_NEG_ARCFOUR     
                         0: NETLOGON_NEG_PROMOTION_COUNT
                         0: NETLOGON_NEG_CHANGELOG_BDC
                         0: NETLOGON_NEG_FULL_SYNC_REPL
                         0: NETLOGON_NEG_MULTIPLE_SIDS
                         0: NETLOGON_NEG_REDO        
                         0: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         0: NETLOGON_NEG_STRONG_KEYS 
                         0: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         0: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         0: NETLOGON_NEG_PASSWORD_SET2
                         0: NETLOGON_NEG_GETDOMAININFO
                         0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         0: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         0: NETLOGON_NEG_AUTHENTICATED_RPC
              result                   : NT_STATUS_DOWNGRADE_DETECTED
[2015/02/19 19:37:10.935225,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
          in: struct netr_ServerAuthenticate2
              server_name              : *
                  server_name              : '\\SJ2'
              account_name             : *
                  account_name             : 'NA2$'
              secure_channel_type      : SEC_CHAN_WKSTA (2)
              computer_name            : *
                  computer_name            : 'NA2'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : 0265285653a4e82e
              negotiate_flags          : *
                  negotiate_flags          : 0x000741ff (475647)
                         1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         1: NETLOGON_NEG_PERSISTENT_SAMREPL
                         1: NETLOGON_NEG_ARCFOUR     
                         1: NETLOGON_NEG_PROMOTION_COUNT
                         1: NETLOGON_NEG_CHANGELOG_BDC
                         1: NETLOGON_NEG_FULL_SYNC_REPL
                         1: NETLOGON_NEG_MULTIPLE_SIDS
                         1: NETLOGON_NEG_REDO        
                         1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         1: NETLOGON_NEG_STRONG_KEYS 
                         0: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         1: NETLOGON_NEG_PASSWORD_SET2
                         1: NETLOGON_NEG_GETDOMAININFO
                         0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         0: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         0: NETLOGON_NEG_AUTHENTICATED_RPC
[2015/02/19 19:37:10.935397, 10, pid=5381, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=x,DC=y,DC=de
   scope: sub
   expr: (&(sAMAccountName=NA2$)(objectclass=user))
   attr: unicodePwd
   attr: userAccountControl
   attr: objectSid
   control: <NONE>
...
...
[2015/02/19 19:37:10.936137, 10, pid=5381, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
  dn: CN=NA2,CN=Computers,DC=x,DC=y,DC=de
  userAccountControl: 69632
  objectSid: S-1-5-21-1487169172-248952611-3907374446-67110852
  # unicodePwd::: REDACTED SECRET ATTRIBUTE
...
...
[2015/02/19 19:37:10.936273,  6, pid=5381, effective(0, 0), real(0, 0)] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: NULL (&(sAMAccountName=NA2$)(objectclass=user)) -> 1
[2015/02/19 19:37:10.936295,  1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA2/NA2$], cannot authenticate




Workaround:

cat >>/etc/samba/local.conf <<__CONF__
[global]
  allow nt4 crypto = yes
__CONF__
ucr commit etc/samba/smb.conf
/etc/init.d/samba restart

(On all DCs, of course)


As joining a native W2k8 AD works without modification, we should investigate the join process to figure out what causes the NetApp to use DES/MD5.
Comment 1 Janis Meybohm univentionstaff 2015-02-24 14:44:15 CET
This is what the test environment NetApp shows without nt4 crypto:
---
netapp> cifs domaininfo
NetBIOS Domain:                         LISH
Windows Domain Name:                    40lish.qa
Domain Controller Functionality:        Windows 2008 R2
Domain Functionality:                   Windows 2003
Forest Functionality:                   Windows 2003
Filer AD Site:                          Default-First-Site-Name
 
Not currently connected to any DCs
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40     MASTER           PDCBROKEN
Other Addresses:
                                        None
 
Connected AD LDAP Server:               \\master.40lish.qa
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40    
                                         master.40lish.qa
Other Addresses:
                                        None
---



As soon as nt4 crypto is enabled:
---
netapp> cifs domaininfo                    
NetBIOS Domain:                         LISH
Windows Domain Name:                    40lish.qa
Domain Controller Functionality:        Windows 2008 R2
Domain Functionality:                   Windows 2003
Forest Functionality:                   Windows 2003
Filer AD Site:                          Default-First-Site-Name

Current Connected DCs:                  \\MASTER
Total DC addresses found:               1
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40     MASTER           PDC
Other Addresses:
                                        None

Connected AD LDAP Server:               \\master.40lish.qa
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40     
                                         master.40lish.qa
Other Addresses:
                                        None
---
Comment 2 Arvid Requate univentionstaff 2015-02-24 18:15:02 CET
Created attachment 6717 [details]
netapp_netlogon.patch

This patch fixed the problem in the test setup.


The issue is triggered by the netapp in two steps:

1. The Netapp calls netr_ServerReqChallenge to set up the challenge tokens

2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS set to 0. Native AD and Samba respond to this with NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away the challenge token negotiated in the first step.

3. Next it calls netr_ServerAuthenticate2 again, this time with NETLOGON_NEG_STRONG_KEYS set to 1. Samba returns NT_STATUS_ACCESS_DENIED as it has lost track of the challenge.


Upstream git commit 321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced a workaround for a different but related issue. My patch makes a minor adjustment to the upstream patch to delay flushing the cached challenge until it's clear that we are not in this NT_STATUS_DOWNGRADE_DETECTED situation.
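To make the call sequence and the log output in the description concrete, here is an added Python model of the server side of the exchange. It is not Samba code and not the attached netapp_netlogon.patch: the NETLOGON_NEG_* bit values are taken from Samba's netlogon.idl (they reproduce the decoded 0x000701ff and 0x000741ff flag dumps above), while the NetlogonServerModel class, its flush_on_downgrade switch and the replay_netapp_join function are constructed here for illustration only. The model shows why a server that drops the cached challenge when it answers NT_STATUS_DOWNGRADE_DETECTED turns the NetApp's second, stronger netr_ServerAuthenticate2 into NT_STATUS_ACCESS_DENIED, why keeping the challenge lets the retry succeed, and what the "allow nt4 crypto = yes" workaround trades away (the weak first attempt is simply accepted).

```python
import os

# NETLOGON_NEG_* bit values as defined in Samba's librpc/idl/netlogon.idl;
# the order matches the decoded negotiate_flags in the debug log above.
NETLOGON_NEG = {
    "ACCOUNT_LOCKOUT":            0x00000001,
    "PERSISTENT_SAMREPL":         0x00000002,
    "ARCFOUR":                    0x00000004,
    "PROMOTION_COUNT":            0x00000008,
    "CHANGELOG_BDC":              0x00000010,
    "FULL_SYNC_REPL":             0x00000020,
    "MULTIPLE_SIDS":              0x00000040,
    "REDO":                       0x00000080,
    "PASSWORD_CHANGE_REFUSAL":    0x00000100,
    "SEND_PASSWORD_INFO_PDC":     0x00000200,
    "GENERIC_PASSTHROUGH":        0x00000400,
    "CONCURRENT_RPC":             0x00000800,
    "AVOID_ACCOUNT_DB_REPL":      0x00001000,
    "AVOID_SECURITYAUTH_DB_REPL": 0x00002000,
    "STRONG_KEYS":                0x00004000,
    "TRANSITIVE_TRUSTS":          0x00008000,
    "DNS_DOMAIN_TRUSTS":          0x00010000,
    "PASSWORD_SET2":              0x00020000,
    "GETDOMAININFO":              0x00040000,
    "CROSS_FOREST_TRUSTS":        0x00080000,
    "NEUTRALIZE_NT4_EMULATION":   0x00100000,
    "RODC_PASSTHROUGH":           0x00200000,
    "SUPPORTS_AES_SHA2":          0x00400000,
    "SUPPORTS_AES":               0x01000000,
    "AUTHENTICATED_RPC_LSASS":    0x20000000,
    "AUTHENTICATED_RPC":          0x40000000,
}

# The two negotiate_flags values the NetApp sent, copied from the log above.
NETAPP_FLAGS_FIRST_TRY = 0x000701ff   # STRONG_KEYS clear -> DES/MD5 session key
NETAPP_FLAGS_RETRY = 0x000741ff       # STRONG_KEYS set


def decode_negotiate_flags(flags):
    """Return the NETLOGON_NEG_* names whose bit is set in flags."""
    return [name for name, bit in NETLOGON_NEG.items() if flags & bit]


def offers_strong_keys(flags):
    """True if the client offers a 128-bit (NETLOGON_NEG_STRONG_KEYS) session key."""
    return bool(flags & NETLOGON_NEG["STRONG_KEYS"])


class NetlogonServerModel:
    """Toy DC keeping one cached challenge per computer account (constructed model,
    not Samba's implementation). flush_on_downgrade is the behaviour this bug is about."""

    def __init__(self, allow_nt4_crypto=False, flush_on_downgrade=True):
        self.allow_nt4_crypto = allow_nt4_crypto      # smb.conf "allow nt4 crypto"
        self.flush_on_downgrade = flush_on_downgrade  # True = behaviour before the patch
        self._challenges = {}

    def server_req_challenge(self, computer_name, client_challenge):
        """Step 1: remember the client challenge, answer with a fresh server challenge."""
        server_challenge = os.urandom(8)
        self._challenges[computer_name] = (client_challenge, server_challenge)
        return server_challenge

    def server_authenticate2(self, computer_name, negotiate_flags):
        """Steps 2/3: check the offered flags against the cached challenge."""
        if computer_name not in self._challenges:
            # Corresponds to "No challenge requested by client [...], cannot authenticate".
            return "NT_STATUS_ACCESS_DENIED", 0
        if not self.allow_nt4_crypto and not offers_strong_keys(negotiate_flags):
            if self.flush_on_downgrade:
                del self._challenges[computer_name]   # the problem: the challenge is lost here
            return "NT_STATUS_DOWNGRADE_DETECTED", 0
        # Success: the challenge is consumed once the session key is derived from it.
        del self._challenges[computer_name]
        return "NT_STATUS_OK", negotiate_flags


def replay_netapp_join(server, computer_name="NA2"):
    """Replay the NetApp's call sequence from the log; returns the list of NT statuses."""
    # Client challenge value copied from the netr_ServerReqChallenge trace above.
    server.server_req_challenge(computer_name, bytes.fromhex("86169b14f83e2d4d"))
    status, _ = server.server_authenticate2(computer_name, NETAPP_FLAGS_FIRST_TRY)
    statuses = [status]
    if status == "NT_STATUS_DOWNGRADE_DETECTED":
        # The NetApp retries with STRONG_KEYS but does not request a new challenge.
        status, _ = server.server_authenticate2(computer_name, NETAPP_FLAGS_RETRY)
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    print("first try offers:", decode_negotiate_flags(NETAPP_FLAGS_FIRST_TRY))
    for label, srv in [
        ("unpatched, nt4 crypto off", NetlogonServerModel()),
        ("patched, nt4 crypto off", NetlogonServerModel(flush_on_downgrade=False)),
        ("unpatched, allow nt4 crypto = yes", NetlogonServerModel(allow_nt4_crypto=True)),
    ]:
        print(f"{label}: {replay_netapp_join(srv)}")
```

Run stand-alone, the script prints the twelve flags of the first attempt (no STRONG_KEYS among them) and the three outcomes: the unpatched server answers DOWNGRADE_DETECTED and then ACCESS_DENIED, the patched server answers DOWNGRADE_DETECTED and then OK, and the workaround accepts the first, weak attempt outright. decode_negotiate_flags is also handy on its own for reading negotiate_flags values out of a level 1 NDR dump such as the one in the description.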
Comment 3 Janis Meybohm univentionstaff 2015-02-25 13:20:48 CET
(In reply to Arvid Requate from comment #2)
> Created attachment 6717 [details]
> netapp_netlogon.patch
> 
> This patch fixed the problem in the test setup.
So it does in mine!
Comment 4 Arvid Requate univentionstaff 2015-03-19 20:40:59 CET
The package has been rebuilt with the patch in errata4.0-1.

Advisory: 2015-03-19-samba.yaml

Patch sent to the upstream mailing list (see URL field above).
Comment 5 Stefan Gohmann univentionstaff 2015-03-23 08:10:11 CET
YAML: OK

Code review: OK

ucs-test: OK
Comment 6 Janek Walkenhorst univentionstaff 2015-03-25 16:40:10 CET
<http://errata.univention.de/ucs/4.0/138.html>
Comment 7 Arvid Requate univentionstaff 2015-05-27 12:31:01 CEST
No reaction upstream. Filed bug https://bugzilla.samba.org/show_bug.cgi?id=11291 for this.