Bug 39263 - NetApp can't lookup SIDs
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Stefan Gohmann
QA Contact: Felix Botner
URL: https://bugzilla.samba.org/show_bug.c...
Depends on: 37874
Reported: 2015-08-26 09:25 CEST by Stefan Gohmann
Modified: 2015-08-27 18:14 CEST
Description Stefan Gohmann univentionstaff 2015-08-26 09:25:43 CEST
It looks like the patch has not been integrated into the last 4.0-2 / 4.0-3 samba erratum (since errata253).

+++ This bug was initially created as a clone of Bug #37874 +++

Ticket#2015021821000495 

NetApp ONTAP 8.2.2 p2

The NetApp "cifs setup" looks okay in the first place, but the system can't look up names/SIDs.

 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for LISH.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using DNS site query (Default-First-Site-Name)..  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using generic DNS query.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting WINS queries.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 BDC addresses through WINS.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 PDC addresses through WINS.  
 [na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for LISH complete. 2 unique addresses found.  
 [na:cifs.server.infoMsg:info]: CIFS: Warning for server \\SJ2: Unable to create NETLOGON pipe STATUS_ACCESS_DENIED.  
 [na:cifs.server.infoMsg:info]: CIFS: Warning for server \\SJ2: Connection terminated.


Debug level 12 shows that the client is forcing a cipher downgrade, which is rejected by Samba:

[2015/02/19 19:37:10.931387, 10, pid=5381, effective(0, 0), real(0, 0)] ../source4/smbd/service_named_pipe.c:126(named_pipe_accept_done)
  Accepted npa connection from unix:. Client: 10.29.110.62 (ipv4:10.29.110.62:5168). Server: 10.29.110.4 (ipv4:10.29.110.4:445)
[2015/02/19 19:37:10.931432, 10, pid=5381, effective(0, 0), real(0, 0)] ../source4/smbd/service_named_pipe.c:144(named_pipe_accept_done)
  named pipe connection [rpc] established
[2015/02/19 19:37:10.933247,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerReqChallenge: struct netr_ServerReqChallenge
          in: struct netr_ServerReqChallenge
              server_name              : *
                  server_name              : '\\SJ2'
              computer_name            : *
                  computer_name            : 'NA2'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : 86169b14f83e2d4d
[2015/02/19 19:37:10.933298,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerReqChallenge: struct netr_ServerReqChallenge
          out: struct netr_ServerReqChallenge
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 4bd3da8eeec8d19b
              result                   : NT_STATUS_OK
[2015/02/19 19:37:10.934118,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
          in: struct netr_ServerAuthenticate2
              server_name              : *
                  server_name              : '\\SJ2'
              account_name             : *
                  account_name             : 'NA2$'
              secure_channel_type      : SEC_CHAN_WKSTA (2)
              computer_name            : *
                  computer_name            : 'NA2'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : 112364c805994119
              negotiate_flags          : *
                  negotiate_flags          : 0x000701ff (459263)
                         1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         1: NETLOGON_NEG_PERSISTENT_SAMREPL
                         1: NETLOGON_NEG_ARCFOUR     
                         1: NETLOGON_NEG_PROMOTION_COUNT
                         1: NETLOGON_NEG_CHANGELOG_BDC
                         1: NETLOGON_NEG_FULL_SYNC_REPL
                         1: NETLOGON_NEG_MULTIPLE_SIDS
                         1: NETLOGON_NEG_REDO        
                         1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         0: NETLOGON_NEG_STRONG_KEYS 
                         0: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         1: NETLOGON_NEG_PASSWORD_SET2
                         1: NETLOGON_NEG_GETDOMAININFO
                         0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         0: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         0: NETLOGON_NEG_AUTHENTICATED_RPC
[2015/02/19 19:37:10.934260,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
          out: struct netr_ServerAuthenticate2
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 0000000000000000
              negotiate_flags          : *
                  negotiate_flags          : 0x00000000 (0)
                         0: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         0: NETLOGON_NEG_PERSISTENT_SAMREPL
                         0: NETLOGON_NEG_ARCFOUR     
                         0: NETLOGON_NEG_PROMOTION_COUNT
                         0: NETLOGON_NEG_CHANGELOG_BDC
                         0: NETLOGON_NEG_FULL_SYNC_REPL
                         0: NETLOGON_NEG_MULTIPLE_SIDS
                         0: NETLOGON_NEG_REDO        
                         0: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         0: NETLOGON_NEG_STRONG_KEYS 
                         0: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         0: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         0: NETLOGON_NEG_PASSWORD_SET2
                         0: NETLOGON_NEG_GETDOMAININFO
                         0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         0: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         0: NETLOGON_NEG_AUTHENTICATED_RPC
              result                   : NT_STATUS_DOWNGRADE_DETECTED
[2015/02/19 19:37:10.935225,  1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
          in: struct netr_ServerAuthenticate2
              server_name              : *
                  server_name              : '\\SJ2'
              account_name             : *
                  account_name             : 'NA2$'
              secure_channel_type      : SEC_CHAN_WKSTA (2)
              computer_name            : *
                  computer_name            : 'NA2'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : 0265285653a4e82e
              negotiate_flags          : *
                  negotiate_flags          : 0x000741ff (475647)
                         1: NETLOGON_NEG_ACCOUNT_LOCKOUT
                         1: NETLOGON_NEG_PERSISTENT_SAMREPL
                         1: NETLOGON_NEG_ARCFOUR     
                         1: NETLOGON_NEG_PROMOTION_COUNT
                         1: NETLOGON_NEG_CHANGELOG_BDC
                         1: NETLOGON_NEG_FULL_SYNC_REPL
                         1: NETLOGON_NEG_MULTIPLE_SIDS
                         1: NETLOGON_NEG_REDO        
                         1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
                         0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
                         0: NETLOGON_NEG_GENERIC_PASSTHROUGH
                         0: NETLOGON_NEG_CONCURRENT_RPC
                         0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
                         0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
                         1: NETLOGON_NEG_STRONG_KEYS 
                         0: NETLOGON_NEG_TRANSITIVE_TRUSTS
                         1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
                         1: NETLOGON_NEG_PASSWORD_SET2
                         1: NETLOGON_NEG_GETDOMAININFO
                         0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
                         0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
                         0: NETLOGON_NEG_RODC_PASSTHROUGH
                         0: NETLOGON_NEG_SUPPORTS_AES_SHA2
                         0: NETLOGON_NEG_SUPPORTS_AES
                         0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
                         0: NETLOGON_NEG_AUTHENTICATED_RPC
[2015/02/19 19:37:10.935397, 10, pid=5381, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=x,DC=y,DC=de
   scope: sub
   expr: (&(sAMAccountName=NA2$)(objectclass=user))
   attr: unicodePwd
   attr: userAccountControl
   attr: objectSid
   control: <NONE>
...
...
[2015/02/19 19:37:10.936137, 10, pid=5381, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
  dn: CN=NA2,CN=Computers,DC=x,DC=y,DC=de
  userAccountControl: 69632
  objectSid: S-1-5-21-1487169172-248952611-3907374446-67110852
  # unicodePwd::: REDACTED SECRET ATTRIBUTE
...
...
[2015/02/19 19:37:10.936273,  6, pid=5381, effective(0, 0), real(0, 0)] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: NULL (&(sAMAccountName=NA2$)(objectclass=user)) -> 1
[2015/02/19 19:37:10.936295,  1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA2/NA2$], cannot authenticate




Workaround:

cat >>/etc/samba/local.conf <<__CONF__
[global]
  allow nt4 crypto = yes
__CONF__
ucr commit etc/samba/smb.conf
/etc/init.d/samba restart

(On all DCs, of course)


As joining a native W2k8 AD works without modification, we should investigate the join process to figure out what causes the NetApp to use DES/MD5.
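The two netr_ServerAuthenticate2 attempts in the trace above, worked as an added example that is not part of the bug report and not Samba's code: a small parser pulls each attempt's negotiate_flags and outcome out of an ndr_print debug trace and applies a model of the check behind NT_STATUS_DOWNGRADE_DETECTED, assuming (as the trace suggests) that a client must offer NETLOGON_NEG_STRONG_KEYS or NETLOGON_NEG_SUPPORTS_AES unless the DC has `allow nt4 crypto = yes`. The flag bit values are those from Samba's netlogon.idl; the sample trace is a constructed, condensed excerpt of the report's log.

```python
import re
# Flag bit values from Samba's librpc/idl/netlogon.idl (only the bits that matter here).
NETLOGON_NEG_STRONG_KEYS = 0x00004000   # 128-bit RC4 session keys
NETLOGON_NEG_SUPPORTS_AES = 0x01000000

FLAGS_RE = re.compile(r"negotiate_flags\s*:\s*(0x[0-9a-fA-F]+)")
RESULT_RE = re.compile(r"result\s*:\s*(NT_STATUS_\w+)")

def dc_would_reject(negotiate_flags, allow_nt4_crypto=False):
    """Model (assumption, not Samba's code) of the check seen in the trace: without
    STRONG_KEYS or AES the DC answers NT_STATUS_DOWNGRADE_DETECTED unless 'allow nt4 crypto = yes'."""
    offers_strong = negotiate_flags & (NETLOGON_NEG_STRONG_KEYS | NETLOGON_NEG_SUPPORTS_AES)
    return not offers_strong and not allow_nt4_crypto

def parse_auth_calls(trace):
    """One dict per netr_ServerAuthenticate2 call in an ndr_print trace: the client's
    negotiate_flags (from the 'in' block) and the outcome (NT_STATUS from the 'out'
    block, or 'NO_CHALLENGE' when the DC only logs 'cannot authenticate')."""
    calls, current = [], None
    for line in trace.splitlines():
        if "in: struct netr_ServerAuthenticate2" in line:
            current = {"flags": None, "result": None}
            calls.append(current)
        elif current is None:
            continue                      # still inside netr_ServerReqChallenge
        elif current["flags"] is None and (m := FLAGS_RE.search(line)):
            current["flags"] = int(m.group(1), 16)
        elif m := RESULT_RE.search(line):
            current["result"] = m.group(1)
        elif "cannot authenticate" in line:
            current["result"] = "NO_CHALLENGE"
    return calls

def attempts_needing_nt4_crypto(trace):
    """negotiate_flags of every attempt that only succeeds with the workaround enabled."""
    return [c["flags"] for c in parse_auth_calls(trace)
            if c["flags"] is not None and dc_would_reject(c["flags"])]

# Constructed sample: a condensed excerpt of the debug-level trace in the report.
SAMPLE_TRACE = """\
          in: struct netr_ServerAuthenticate2
                  negotiate_flags          : 0x000701ff (459263)
          out: struct netr_ServerAuthenticate2
                  negotiate_flags          : 0x00000000 (0)
              result                   : NT_STATUS_DOWNGRADE_DETECTED
          in: struct netr_ServerAuthenticate2
                  negotiate_flags          : 0x000741ff (475647)
  No challenge requested by client [NA2/NA2$], cannot authenticate
"""
```

Running `attempts_needing_nt4_crypto` over a DC's level-12 log before turning `allow nt4 crypto` back off lists exactly the clients that still only offer 64-bit RC4 keys.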
Comment 1 Stefan Gohmann univentionstaff 2015-08-26 10:56:49 CEST
Patch has been re-added: r15185

YAML: r63254
Comment 2 Felix Botner univentionstaff 2015-08-27 16:10:44 CEST
OK - svn/patches/.../2\:4.2.3-1-errata4.0-3/99_bug37874_NetApp.patch

OK - ucs_4.0-0-0-errata4.0-3/samba_2\:4.2.3-1.788.201508261727.patch.log

OK - ucs_4.0-0-0-errata4.0-3/samba_2\:4.2.3-1.788.201508261727.log.bz2
     ...
     dpkg-source: info: applying 99_bug37874_NetApp.patch
     ...

OK - 2015-08-12-samba.yaml
Comment 3 Janek Walkenhorst univentionstaff 2015-08-27 18:14:20 CEST
<http://errata.univention.de/ucs/4.0/289.html>