Web lists-archives.com

[Samba] RPC Authentication Error




Hi,

Some time back I had written to the list about integrating Cisco ISE and facing errors with RPC login. When we actually integrated using ISE 2.4.0357 we noticed that Kerberos authentication is working like a charm. But MS-RPC authentication throws error.

From the samba logs, we noticed that ISE workstation is able to negotiate the RPC ports switch to higher Dynamic RPC ports, authentication is working fine. However, the very next step, the connerction gets terminated and ISE looses connection with AD Domain Controller. Samba log showing the error is shown below. My smb.conf is also shown.

Any specific setting we need to do in Samba to get this working?

My Samba version is 4.7.3

_*My smb.conf:

*_# Global parameters
[global]
    netbios name = DC1
    realm = EXAMPLE.COM
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = EXAMPLE
    idmap_ldb:use rfc2307 = yes
    ldap server require strong auth = No
# Logs and events
    eventlog list = Security
    log level = 3
    log file = /var/log/samba/dc1.%T.log
    max log size = 1000000

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/exza.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

_*Samba Logs (Log level set to 3)

*__[2018/06/13 16:11:57.262264,  2] ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
  Replicated 0 objects (0 linked attributes) for DC=example,DC=com
[2018/06/13 16:12:14.433654,  2] ../source4/dsdb/kcc/kcc_periodic.c:710(kccsrv_samba_kcc)
  Calling samba_kcc script
[2018/06/13 16:12:14.706632,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_kcc: ldb_wrap open of secrets.ldb
[2018/06/13 16:12:15.171836,  3] ../lib/util/util_runcmd.c:291(samba_runcmd_io_handler)
  samba_runcmd_io_handler: Child /usr/local/samba/sbin/samba_kcc exited 0
[2018/06/13 16:12:15.171946,  3] ../source4/dsdb/kcc/kcc_periodic.c:695(samba_kcc_done)
  Completed samba_kcc OK
[2018/06/13 16:12:58.219597,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)   Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT' [2018/06/13 16:12:58.219997,  2] ../source4/smbd/process_standard.c:473(standard_terminate)   standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT] [2018/06/13 16:12:58.233556,  2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 12918 () exited with status 0
[2018/06/13 16:12:58.238059,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/06/13 16:12:58.458247,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)   Kerberos: TGS-REQ ISEAPPL$@EXAMPLE.COM from iEXAMPLEpv4:192.168.100.40:40583 for cifs/pdc.EXAMPLE.com@xxxxxxxxxxx [canonicalize, renewable, forwardable] [2018/06/13 16:12:58.467845,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)   Kerberos: TGS-REQ authtime: 2018-06-13T16:10:17 starttime: 2018-06-13T16:12:58 endtime: 2018-06-14T02:10:17 renew till: 2018-06-20T16:10:17 [2018/06/13 16:12:58.516514,  3] ../libcli/auth/schannel_state_tdb.c:360(schannel_store_challenge_tdb)   schannel_store_challenge_tdb: stored challenge info for 'ISEAPPL' with key CHALLENGE/cc [2018/06/13 16:12:58.521086,  3] ../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb)   schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/ISEAPPL [2018/06/13 16:12:58.521235,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [NETLOGON,ServerAuthenticate] user [EXAMPLE]\[ISEAPPL$] at [Wed, 13 Jun 2018 16:12:58.521173 IST] with [HMAC-MD5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.100.40:62133] became [EXAMPLE]\[ISEAPPL$] [S-1-5-21-3209396036-1574839989-2322605064-1124]. local host [ipv4:192.168.100.26:445]  NETLOGON computer [ISEAPPL] trust account [ISEAPPL$] [2018/06/13 16:12:58.524348,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2018/06/13 16:12:58.524484,  2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2018/06/13 16:12:58.542045,  2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 12955 () exited with status 0
[2018/06/13 16:12:58.562075,  3] ../libcli/auth/schannel_state_tdb.c:360(schannel_store_challenge_tdb)   schannel_store_challenge_tdb: stored challenge info for 'ISEAPPL' with key CHALLENGE/cc [2018/06/13 16:12:58.584001,  3] ../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb)   schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/ISEAPPL [2018/06/13 16:12:58.584165,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [NETLOGON,ServerAuthenticate] user [EXAMPLE]\[ISEAPPL$] at [Wed, 13 Jun 2018 16:12:58.584107 IST] with [HMAC-MD5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.100.40:62133] became [EXAMPLE]\[ISEAPPL$] [S-1-5-21-3209396036-1574839989-2322605064-1124]. local host [ipv4:192.168.100.26:445]  NETLOGON computer [ISEAPPL] trust account [ISEAPPL$] [2018/06/13 16:12:58.589893,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2018/06/13 16:12:58.590071,  2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2018/06/13 16:12:58.609884,  2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 12956 () exited with status 0
[2018/06/13 16:12:58.620708,  3] ../libcli/auth/schannel_state_tdb.c:360(schannel_store_challenge_tdb)   schannel_store_challenge_tdb: stored challenge info for 'ISEAPPL' with key CHALLENGE/cc [2018/06/13 16:12:58.625361,  3] ../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb)   schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/ISEAPPL [2018/06/13 16:12:58.625485,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [NETLOGON,ServerAuthenticate] user [EXAMPLE]\[ISEAPPL$] at [Wed, 13 Jun 2018 16:12:58.625439 IST] with [HMAC-MD5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.100.40:62133] became [EXAMPLE]\[ISEAPPL$] [S-1-5-21-3209396036-1574839989-2322605064-1124]. local host [ipv4:192.168.100.26:445]  NETLOGON computer [ISEAPPL] trust account [ISEAPPL$] [2018/06/13 16:12:58.628539,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'dcesrv: dcesrv_fault_disconnect'
[2018/06/13 16:12:58.628725,  2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[dcesrv: dcesrv_fault_disconnect]
[2018/06/13 16:12:58.648041,  2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 12957 () exited with status 0
[2018/06/13 16:13:11.409977,  2] ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)   ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on DC=DomainDnsZones,DC=example,DC=com using filter (uSNChanged>=5275) [2018/06/13 16:13:11.413251,  3] ../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
  UpdateRefs on getncchanges for ebe5bcd2-1d05-493b-a482-00b5f91f0da1
[2018/06/13 16:13:11.414283,  2] ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)   DsGetNCChanges with uSNChanged >= 5275 flags 0x80000074 on <GUID=29d6d5f5-1e87-427b-8e84-e978c1725c5a>;DC=DomainDnsZones,DC=example,DC=com gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-3209396036-1574839989-2322605064-1104)) [2018/06/13 16:13:11.471996,  2] ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)   ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on DC=ForestDnsZones,DC=example,DC=com using filter (uSNChanged>=5275) [2018/06/13 16:13:11.474085,  3] ../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
  UpdateRefs on getncchanges for ebe5bcd2-1d05-493b-a482-00b5f91f0da1
[2018/06/13 16:13:11.475036,  2] ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)   DsGetNCChanges with uSNChanged >= 5275 flags 0x80000074 on <GUID=c223adac-9a39-4be5-9ba1-6c8c09b13788>;DC=ForestDnsZones,DC=example,DC=com gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-3209396036-1574839989-2322605064-1104)) [2018/06/13 16:13:11.532511,  2] ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)   ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on CN=Schema,CN=Configuration,DC=example,DC=com using filter (uSNChanged>=5275) [2018/06/13 16:13:11.565453,  3] ../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
  UpdateRefs on getncchanges for ebe5bcd2-1d05-493b-a482-00b5f91f0da1
[2018/06/13 16:13:11.566236,  2] ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)   DsGetNCChanges with uSNChanged >= 5275 flags 0x80000074 on <GUID=9917b04c-be53-4231-adb1-5a2e832ef106>;CN=Schema,CN=Configuration,DC=example,DC=com gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-3209396036-1574839989-2322605064-1104)) [2018/06/13 16:13:11.617249,  2] ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)   ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on CN=Configuration,DC=example,DC=com using filter (uSNChanged>=5275) [2018/06/13 16:13:11.641910,  3] ../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
  UpdateRefs on getncchanges for ebe5bcd2-1d05-493b-a482-00b5f91f0da1
[2018/06/13 16:13:11.642523,  2] ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)   DsGetNCChanges with uSNChanged >= 5275 flags 0x80000074 on <GUID=acf4c22d-2a78-4abb-89be-cf26883fc442>;CN=Configuration,DC=example,DC=com gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-3209396036-1574839989-2322605064-1104)) [2018/06/13 16:13:11.693102,  2] ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)   ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on DC=example,DC=com using filter (uSNChanged>=5275) [2018/06/13 16:13:11.701136,  3] ../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
  UpdateRefs on getncchanges for ebe5bcd2-1d05-493b-a482-00b5f91f0da1
[2018/06/13 16:13:11.701949,  2] ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)   DsGetNCChanges with uSNChanged >= 5275 flags 0x80000074 on <GUID=ea173018-cadb-4f3f-9502-20a48823f0d6>;<SID=S-1-5-21-3209396036-1574839989-2322605064>;DC=example,DC=com gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-3209396036-1574839989-2322605064-1104)) [2018/06/13 16:13:28.198184,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_TIMEOUT' [2018/06/13 16:13:28.198848,  2] ../source4/smbd/process_standard.c:473(standard_terminate)   standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_TIMEOUT] [2018/06/13 16:13:28.207854,  2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 12930 () exited with status 0
[2018/06/13 16:13:28.305493,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb__
**_**_**_

--

Thanks & Regards,


Anantha Raghava



Do not print this e-mail unless required. Save Paper & trees.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba