Univention Bugzilla – Bug 39263
NetApp can't lookup SIDs
Last modified: 2015-08-27 18:14:20 CEST
It looks like the patch has not been integrated into the last 4.0-2 / 4.0-3 samba erratum (since errata253).

+++ This bug was initially created as a clone of Bug #37874 +++

Ticket#2015021821000495

NetApp ONTAP 8.2.2 p2

The NetApp "cifs setup" looks okay at first but the system can't look up names/SIDs.

[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting DC address discovery for LISH.
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using DNS site query (Default-First-Site-Name)..
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 addresses using generic DNS query.
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Starting WINS queries.
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 1 BDC addresses through WINS.
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- Found 2 PDC addresses through WINS.
[na:auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- DC address discovery for LISH complete. 2 unique addresses found.
[na:cifs.server.infoMsg:info]: CIFS: Warning for server \\SJ2: Unable to create NETLOGON pipe STATUS_ACCESS_DENIED.
[na:cifs.server.infoMsg:info]: CIFS: Warning for server \\SJ2: Connection terminated.

Debuglevel 12 shows that the client is forcing a cipher downgrade which is rejected by samba:

[2015/02/19 19:37:10.931387, 10, pid=5381, effective(0, 0), real(0, 0)] ../source4/smbd/service_named_pipe.c:126(named_pipe_accept_done)
  Accepted npa connection from unix:. Client: 10.29.110.62 (ipv4:10.29.110.62:5168). Server: 10.29.110.4 (ipv4:10.29.110.4:445)
[2015/02/19 19:37:10.931432, 10, pid=5381, effective(0, 0), real(0, 0)] ../source4/smbd/service_named_pipe.c:144(named_pipe_accept_done)
  named pipe connection [rpc] established
[2015/02/19 19:37:10.933247, 1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  netr_ServerReqChallenge: struct netr_ServerReqChallenge
    in: struct netr_ServerReqChallenge
      server_name : *
        server_name : '\\SJ2'
      computer_name : *
        computer_name : 'NA2'
      credentials : *
        credentials: struct netr_Credential
          data : 86169b14f83e2d4d
[2015/02/19 19:37:10.933298, 1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  netr_ServerReqChallenge: struct netr_ServerReqChallenge
    out: struct netr_ServerReqChallenge
      return_credentials : *
        return_credentials: struct netr_Credential
          data : 4bd3da8eeec8d19b
      result : NT_STATUS_OK
[2015/02/19 19:37:10.934118, 1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
    in: struct netr_ServerAuthenticate2
      server_name : *
        server_name : '\\SJ2'
      account_name : *
        account_name : 'NA2$'
      secure_channel_type : SEC_CHAN_WKSTA (2)
      computer_name : *
        computer_name : 'NA2'
      credentials : *
        credentials: struct netr_Credential
          data : 112364c805994119
      negotiate_flags : *
        negotiate_flags : 0x000701ff (459263)
          1: NETLOGON_NEG_ACCOUNT_LOCKOUT
          1: NETLOGON_NEG_PERSISTENT_SAMREPL
          1: NETLOGON_NEG_ARCFOUR
          1: NETLOGON_NEG_PROMOTION_COUNT
          1: NETLOGON_NEG_CHANGELOG_BDC
          1: NETLOGON_NEG_FULL_SYNC_REPL
          1: NETLOGON_NEG_MULTIPLE_SIDS
          1: NETLOGON_NEG_REDO
          1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
          0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
          0: NETLOGON_NEG_GENERIC_PASSTHROUGH
          0: NETLOGON_NEG_CONCURRENT_RPC
          0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
          0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
          0: NETLOGON_NEG_STRONG_KEYS
          0: NETLOGON_NEG_TRANSITIVE_TRUSTS
          1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
          1: NETLOGON_NEG_PASSWORD_SET2
          1: NETLOGON_NEG_GETDOMAININFO
          0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
          0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
          0: NETLOGON_NEG_RODC_PASSTHROUGH
          0: NETLOGON_NEG_SUPPORTS_AES_SHA2
          0: NETLOGON_NEG_SUPPORTS_AES
          0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
          0: NETLOGON_NEG_AUTHENTICATED_RPC
[2015/02/19 19:37:10.934260, 1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
    out: struct netr_ServerAuthenticate2
      return_credentials : *
        return_credentials: struct netr_Credential
          data : 0000000000000000
      negotiate_flags : *
        negotiate_flags : 0x00000000 (0)
          0: NETLOGON_NEG_ACCOUNT_LOCKOUT
          0: NETLOGON_NEG_PERSISTENT_SAMREPL
          0: NETLOGON_NEG_ARCFOUR
          0: NETLOGON_NEG_PROMOTION_COUNT
          0: NETLOGON_NEG_CHANGELOG_BDC
          0: NETLOGON_NEG_FULL_SYNC_REPL
          0: NETLOGON_NEG_MULTIPLE_SIDS
          0: NETLOGON_NEG_REDO
          0: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
          0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
          0: NETLOGON_NEG_GENERIC_PASSTHROUGH
          0: NETLOGON_NEG_CONCURRENT_RPC
          0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
          0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
          0: NETLOGON_NEG_STRONG_KEYS
          0: NETLOGON_NEG_TRANSITIVE_TRUSTS
          0: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
          0: NETLOGON_NEG_PASSWORD_SET2
          0: NETLOGON_NEG_GETDOMAININFO
          0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
          0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
          0: NETLOGON_NEG_RODC_PASSTHROUGH
          0: NETLOGON_NEG_SUPPORTS_AES_SHA2
          0: NETLOGON_NEG_SUPPORTS_AES
          0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
          0: NETLOGON_NEG_AUTHENTICATED_RPC
      result : NT_STATUS_DOWNGRADE_DETECTED
[2015/02/19 19:37:10.935225, 1, pid=5381, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
    in: struct netr_ServerAuthenticate2
      server_name : *
        server_name : '\\SJ2'
      account_name : *
        account_name : 'NA2$'
      secure_channel_type : SEC_CHAN_WKSTA (2)
      computer_name : *
        computer_name : 'NA2'
      credentials : *
        credentials: struct netr_Credential
          data : 0265285653a4e82e
      negotiate_flags : *
        negotiate_flags : 0x000741ff (475647)
          1: NETLOGON_NEG_ACCOUNT_LOCKOUT
          1: NETLOGON_NEG_PERSISTENT_SAMREPL
          1: NETLOGON_NEG_ARCFOUR
          1: NETLOGON_NEG_PROMOTION_COUNT
          1: NETLOGON_NEG_CHANGELOG_BDC
          1: NETLOGON_NEG_FULL_SYNC_REPL
          1: NETLOGON_NEG_MULTIPLE_SIDS
          1: NETLOGON_NEG_REDO
          1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
          0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
          0: NETLOGON_NEG_GENERIC_PASSTHROUGH
          0: NETLOGON_NEG_CONCURRENT_RPC
          0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
          0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
          1: NETLOGON_NEG_STRONG_KEYS
          0: NETLOGON_NEG_TRANSITIVE_TRUSTS
          1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
          1: NETLOGON_NEG_PASSWORD_SET2
          1: NETLOGON_NEG_GETDOMAININFO
          0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
          0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
          0: NETLOGON_NEG_RODC_PASSTHROUGH
          0: NETLOGON_NEG_SUPPORTS_AES_SHA2
          0: NETLOGON_NEG_SUPPORTS_AES
          0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
          0: NETLOGON_NEG_AUTHENTICATED_RPC
[2015/02/19 19:37:10.935397, 10, pid=5381, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=x,DC=y,DC=de
   scope: sub
   expr: (&(sAMAccountName=NA2$)(objectclass=user))
   attr: unicodePwd
   attr: userAccountControl
   attr: objectSid
   control: <NONE>
...
...
[2015/02/19 19:37:10.936137, 10, pid=5381, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
  dn: CN=NA2,CN=Computers,DC=x,DC=y,DC=de
  userAccountControl: 69632
  objectSid: S-1-5-21-1487169172-248952611-3907374446-67110852
  # unicodePwd::: REDACTED SECRET ATTRIBUTE
...
...
[2015/02/19 19:37:10.936273, 6, pid=5381, effective(0, 0), real(0, 0)] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: NULL (&(sAMAccountName=NA2$)(objectclass=user)) -> 1
[2015/02/19 19:37:10.936295, 1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA2/NA2$], cannot authenticate

Workaround:

cat >>/etc/samba/local.conf <<__CONF__
[global]
allow nt4 crypto = yes
__CONF__
ucr commit /etc/samba/smb.conf
/etc/init.d/samba restart

(On all DCs of course)

As joining a native W2k8 AD works without modification, we should investigate the join process to figure out what causes the NetApp to use DES/MD5.
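
Added example, not part of the original report and not Samba code: a small scanner for Samba debug logs that decodes the negotiate_flags of each netr_ServerAuthenticate request, to see which machine accounts offer neither strong keys nor AES and would therefore depend on the "allow nt4 crypto" workaround. The names classify, scan and SAMPLE_LOG and the class labels are assumptions made for this example; the sample log is a constructed, condensed form of the two requests in the trace above.

```python
import re

# Bit values as defined for the NETLOGON negotiate flags (MS-NRPC / Samba's
# netlogon.idl); only the two that decide the crypto class are decoded here.
NEG_STRONG_KEYS = 0x00004000
NEG_SUPPORTS_AES = 0x01000000

# Constructed sample: condensed from the two requests in the report's trace.
SAMPLE_LOG = """\
netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
    in: struct netr_ServerAuthenticate2
        account_name : 'NA2$'
        negotiate_flags : 0x000701ff (459263)
netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
    out: struct netr_ServerAuthenticate2
        negotiate_flags : 0x00000000 (0)
        result : NT_STATUS_DOWNGRADE_DETECTED
netr_ServerAuthenticate2: struct netr_ServerAuthenticate2
    in: struct netr_ServerAuthenticate2
        account_name : 'NA2$'
        negotiate_flags : 0x000741ff (475647)
"""

def classify(flags):
    """Strongest session-key scheme the client offered (labels are ours)."""
    if flags & NEG_SUPPORTS_AES:
        return "aes"
    if flags & NEG_STRONG_KEYS:
        return "strong-keys"
    return "nt4-crypto"  # the class rejected with DOWNGRADE_DETECTED above

def scan(log_text):
    """Return (account, flags, class) for every ServerAuthenticate request."""
    findings, account, in_request = [], None, False
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith(("in:", "out:")):
            in_request = s.startswith("in:")  # ignore the server's reply flags
        elif in_request and (m := re.match(r"account_name\s*:\s*'(.+)'", s)):
            account = m.group(1)
        elif in_request and (m := re.match(r"negotiate_flags\s*:\s*(0x[0-9a-fA-F]+)", s)):
            flags = int(m.group(1), 16)
            findings.append((account, flags, classify(flags)))
    return findings

if __name__ == "__main__":
    for account, flags, kind in scan(SAMPLE_LOG):
        print(f"{account}: {flags:#010x} -> {kind}")
```

The two requests differ only in NETLOGON_NEG_STRONG_KEYS, and neither sets NETLOGON_NEG_SUPPORTS_AES.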
Patch has been re-added: r15185
YAML: r63254
OK - svn/patches/.../2\:4.2.3-1-errata4.0-3/99_bug37874_NetApp.patch
OK - ucs_4.0-0-0-errata4.0-3/samba_2\:4.2.3-1.788.201508261727.patch.log
OK - ucs_4.0-0-0-errata4.0-3/samba_2\:4.2.3-1.788.201508261727.log.bz2
 ...
 dpkg-source: info: applying 99_bug37874_NetApp.patch
 ...
OK - 2015-08-12-samba.yaml
<http://errata.univention.de/ucs/4.0/289.html>