Web lists-archives.com

Re: [Samba] RODC and LDAP via Simple Authentication fails




That was exactly what I was looking for. I hope 4.8 should not be too
far away... ;)

In the meantime I found this in the logs at level 2:

[2018/01/22 21:15:50.010307,  3]
../source4/auth/ntlm/auth.c:240(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user
[(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com]@[(null)]
  auth_check_password_send: user is: [MYDOMAIN]\[ldap]@[(null)]
[2018/01/22 21:15:50.016870,  3]
../source4/dsdb/repl/drepl_secret.c:145(drepl_repl_secret)
  ../source4/dsdb/repl/drepl_secret.c:145: started secret replication
for CN=ldap,CN=Users,DC=my,DC=domain,DC=com
[2018/01/22 21:15:50.017031,  3]
../libcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)
  resolve_lmhosts: Attempting lmhosts lookup for name
ef201f76-caaa-40b7-9ff2-41b4790dcf4d._msdcs.my.domain.com<0x20>
[2018/01/22 21:15:50.022197,  2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam_failtrusts authentication for user
[MYDOMAIN\ldap] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET,
authoritative=1
[2018/01/22 21:15:50.026733,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [LDAP,simple bind] user
[(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com] at [Mon, 22 Jan 2018
21:15:50.026694 CET] with [Plaintext] status
[NT_STATUS_NO_TRUST_LSA_SECRET] workstation [(null)] remote host
[ipv4:192.168.10.60:51622] mapped to [MYDOMAIN]\[ldap]. local host
[ipv4:192.168.10.60:636]
[2018/01/22 21:15:50.027299,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-01-22T21:15:50.026864+0100",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress":
"ipv4:192.168.10.60:636", "clientDomain": null, "remoteAddress":
"ipv4:192.168.10.60:51622", "serviceDescription": "LDAP",
"passwordType": "Plaintext", "authDescription": "simple bind",
"mappedDomain": "MYDOMAIN", "netlogonSecureChannelType": 0,
"clientAccount": "cn=LDAP,cn=Users,dc=my,dc=domain,dc=com",
"becameAccount": null, "workstation": null, "becameDomain": null,
"becameSid": "(NULL SID)", "mappedAccount": "ldap", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonTrustAccountSid": "(NULL SID)"}}
[2018/01/22 21:15:50.027400,  3]
../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/01/22 21:15:50.031314,  3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2018/01/22 21:15:50.031680,  2]
../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT]
[2018/01/22 21:15:50.045176,  2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 16200 () exited with status 0
[2018/01/22 21:15:50.052762,  3]
../libcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)
  resolve_lmhosts: Attempting lmhosts lookup for name
ef201f76-caaa-40b7-9ff2-41b4790dcf4d._msdcs.my.domain.com<0x20>
[2018/01/22 21:15:50.090394,  3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/01/22 21:15:52.380162,  2]
../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
  Replicated 0 objects (0 linked attributes) for DC=my,DC=domain,DC=com
[2018/01/22 21:15:52.380345,  3]
../source4/dsdb/repl/drepl_secret.c:57(drepl_repl_secret_callback)
  ../source4/dsdb/repl/drepl_secret.c:57: repl secret completed OK for
'CN=ldap,CN=Users,DC=my,DC=domain,DC=com'

Does that help?
Best regards
Johannes

Am 22.01.2018 um 21:08 schrieb Andrew Bartlett:
> On Mon, 2018-01-22 at 20:56 +0100, Johannes Engel via samba wrote:
>> Hi Andrew,
>>
>> I am deeply impressed by your speed! :D
>>
>> The RODC is actually Samba 4.7.4, the other DCs are still on 4.6.12.
>>
>> Any suggestion how I can debug this w/o setting everything on level 10? ;)
> Just turn up the logs one level at a time until something comes out.  
>
> Upgrading the other DCs to 4.7 (carefully, per my other mail) might
> help, as it would then match what our tests do, but I can't think of
> how exactly.  
>
> In the long run it will ensure that the bad password count and lockout
> is correctly handled. 
>
> Samba 4.8 will make this a little easier to debug because 'auth' is now
> accepted as a debug class in the AD DC, so you can see those logs more
> specifically with something like 'log level = 3 auth:5 winbind:5'.
>
> I hope this helps,
>
> Andrew Bartlett


Attachment: signature.asc
Description: OpenPGP digital signature

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba