
Re: [Samba] RODC and LDAP via Simple Authentication fails

That was exactly what I was looking for. I hope 4.8 should not be too
far away... ;)

In the meantime I found this in the logs at level 2:

[2018/01/22 21:15:50.010307,  3]
  auth_check_password_send: Checking password for unmapped user
  auth_check_password_send: user is: [MYDOMAIN]\[ldap]@[(null)]
[2018/01/22 21:15:50.016870,  3]
  ../source4/dsdb/repl/drepl_secret.c:145: started secret replication
for CN=ldap,CN=Users,DC=my,DC=domain,DC=com
[2018/01/22 21:15:50.017031,  3]
  resolve_lmhosts: Attempting lmhosts lookup for name
[2018/01/22 21:15:50.022197,  2]
  auth_check_password_recv: sam_failtrusts authentication for user
[2018/01/22 21:15:50.026733,  2]
  Auth: [LDAP,simple bind] user
[(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com] at [Mon, 22 Jan 2018
21:15:50.026694 CET] with [Plaintext] status
[NT_STATUS_NO_TRUST_LSA_SECRET] workstation [(null)] remote host
[ipv4:] mapped to [MYDOMAIN]\[ldap]. local host
[2018/01/22 21:15:50.027299,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-01-22T21:15:50.026864+0100",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress":
"ipv4:", "clientDomain": null, "remoteAddress":
"ipv4:", "serviceDescription": "LDAP",
"passwordType": "Plaintext", "authDescription": "simple bind",
"mappedDomain": "MYDOMAIN", "netlogonSecureChannelType": 0,
"clientAccount": "cn=LDAP,cn=Users,dc=my,dc=domain,dc=com",
"becameAccount": null, "workstation": null, "becameDomain": null,
"becameSid": "(NULL SID)", "mappedAccount": "ldap", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonTrustAccountSid": "(NULL SID)"}}
[2018/01/22 21:15:50.027400,  3]
  get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
[2018/01/22 21:15:50.031314,  3]
  Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
[2018/01/22 21:15:50.031680,  2]
  standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
[2018/01/22 21:15:50.045176,  2]
  Child 16200 () exited with status 0
[2018/01/22 21:15:50.052762,  3]
  resolve_lmhosts: Attempting lmhosts lookup for name
[2018/01/22 21:15:50.090394,  3]
  ldb_wrap open of secrets.ldb
[2018/01/22 21:15:52.380162,  2]
  Replicated 0 objects (0 linked attributes) for DC=my,DC=domain,DC=com
[2018/01/22 21:15:52.380345,  3]
  ../source4/dsdb/repl/drepl_secret.c:57: repl secret completed OK for

Does that help?
Best regards

On 22.01.2018 at 21:08, Andrew Bartlett wrote:
> On Mon, 2018-01-22 at 20:56 +0100, Johannes Engel via samba wrote:
>> Hi Andrew,
>> I am deeply impressed by your speed! :D
>> The RODC is actually Samba 4.7.4, the other DCs are still on 4.6.12.
>> Any suggestion how I can debug this w/o setting everything on level 10? ;)
> Just turn up the logs one level at a time until something comes out.  
> Upgrading the other DCs to 4.7 (carefully, per my other mail) might
> help, as it would then match what our tests do, but I can't think of
> how exactly.  
> In the long run it will ensure that the bad password count and lockout
> is correctly handled. 
> Samba 4.8 will make this a little easier to debug because 'auth' is now
> accepted as a debug class in the AD DC, so you can see those logs more
> specifically with something like 'log level = 3 auth:5 winbind:5'.
> I hope this helps,
> Andrew Bartlett
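The "JSON Authentication" records in the log excerpt above are the machine-readable part of Samba's auth logging, and they are what a defender would actually pull out to spot failing LDAP simple binds against an RODC. The following is an added example, not code from the thread or from the Samba project: it extracts those JSON events from a log excerpt (including the mail-wrapped form shown above, where the JSON continues on following lines until the next timestamped header) and lists simple binds whose status is not NT_STATUS_OK. The sample log is constructed from the event quoted in the thread plus a second, invented successful bind for contrast; the header regex and the field names are assumed to match the Samba 4.7 format shown on the page.

```python
import json
import re
from collections import Counter

# Constructed sample: the first event mirrors the JSON Authentication record
# quoted in the thread (wrapped across lines as the mail client left it); the
# second event is an invented successful simple bind for contrast.
SAMPLE_LOG = """\
[2018/01/22 21:15:50.027299,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-01-22T21:15:50.026864+0100",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress":
"ipv4:", "clientDomain": null, "remoteAddress":
"ipv4:", "serviceDescription": "LDAP",
"passwordType": "Plaintext", "authDescription": "simple bind",
"mappedDomain": "MYDOMAIN", "netlogonSecureChannelType": 0,
"clientAccount": "cn=LDAP,cn=Users,dc=my,dc=domain,dc=com",
"becameAccount": null, "workstation": null, "becameDomain": null,
"becameSid": "(NULL SID)", "mappedAccount": "ldap", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonTrustAccountSid": "(NULL SID)"}}
[2018/01/22 21:15:50.027400,  3]
  get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
[2018/01/22 21:16:01.000000,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-01-22T21:16:01.000000+0100",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "LDAP",
"passwordType": "Plaintext", "authDescription": "simple bind",
"mappedDomain": "MYDOMAIN", "clientAccount": "cn=svc,cn=Users,dc=my,dc=domain,dc=com",
"mappedAccount": "svc"}}
"""

# A Samba log record starts with "[YYYY/MM/DD HH:MM:SS.micro,  level]".
HEADER_RE = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+,\s*\d+\]")
MARKER = "JSON Authentication:"


def extract_auth_events(log_text):
    """Return the parsed JSON Authentication events found in log_text.

    A JSON record begins on a line holding MARKER and, if the log was
    line-wrapped (as in a mail), continues until the next timestamped header.
    """
    events = []
    buf = None
    for line in log_text.splitlines():
        if HEADER_RE.match(line):
            # A new record starts: flush any JSON collected so far.
            if buf is not None:
                events.append(json.loads(buf))
                buf = None
            continue
        stripped = line.strip()
        if buf is None:
            if stripped.startswith(MARKER):
                buf = stripped[len(MARKER):].strip()
        else:
            # Continuation of a wrapped JSON record; wraps happen at spaces.
            buf += " " + stripped
    if buf is not None:
        events.append(json.loads(buf))
    return events


def failed_simple_binds(events):
    """(clientAccount, status) for LDAP simple binds that did not succeed."""
    return [
        (auth.get("clientAccount"), auth.get("status"))
        for auth in (e["Authentication"] for e in events)
        if auth.get("serviceDescription") == "LDAP"
        and auth.get("authDescription") == "simple bind"
        and auth.get("status") != "NT_STATUS_OK"
    ]


def status_counts(events):
    """How often each NT status appears, useful for spotting a pattern."""
    return Counter(e["Authentication"]["status"] for e in events)


if __name__ == "__main__":
    evs = extract_auth_events(SAMPLE_LOG)
    for account, status in failed_simple_binds(evs):
        print(f"failed simple bind: {account} -> {status}")
    print(dict(status_counts(evs)))
```

On a live system the JSON record sits on one line, which the same parser handles; the NT_STATUS_NO_TRUST_LSA_SECRET hits are the ones to correlate with the RODC's secret-replication messages that precede them in the excerpt.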
