UCS 4.3 Samba 4.7 - Problems authenticating (was: Changes to NTLM?)

@Moritz_Bunkus I already tried to recreate most of the DNS entries I can.
nslookup and DNS appear to be OK.
But the problems persist.

I'm now trying to look at the netlogon log … but I cannot understand/see where the issue is.


04/05 09:22:40 [LOGON] SamLogon: Network logon of ccm\teste from INFORMATICA02 Entered
04/05 09:23:01 [CRITICAL] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0020017
04/05 09:23:01 [CRITICAL]  [0] ProcessID is 580
04/05 09:23:01 [CRITICAL]  [0] System Time is: 4/5/2018 8:23:1:716
04/05 09:23:01 [CRITICAL]  [0] Generating component is 18
04/05 09:23:01 [CRITICAL]  [0] Status is 1722
04/05 09:23:01 [CRITICAL]  [0] Detection location is 1442
04/05 09:23:01 [CRITICAL]  [0] Flags is 0
04/05 09:23:01 [CRITICAL]  [0] NumberOfParameters is 1
04/05 09:23:01 [CRITICAL]      Unicode string: feldc01.ccm.local
04/05 09:23:01 [CRITICAL]  [1] ProcessID is 580
04/05 09:23:01 [CRITICAL]  [1] System Time is: 4/5/2018 8:23:1:716
04/05 09:23:01 [CRITICAL]  [1] Generating component is 18
04/05 09:23:01 [CRITICAL]  [1] Status is 1722
04/05 09:23:01 [CRITICAL]  [1] Detection location is 323
04/05 09:23:01 [CRITICAL]  [1] Flags is 0
04/05 09:23:01 [CRITICAL]  [1] NumberOfParameters is 0
04/05 09:23:01 [CRITICAL]  [2] ProcessID is 580
04/05 09:23:01 [CRITICAL]  [2] System Time is: 4/5/2018 8:23:1:716
04/05 09:23:01 [CRITICAL]  [2] Generating component is 18
04/05 09:23:01 [CRITICAL]  [2] Status is 1237
04/05 09:23:01 [CRITICAL]  [2] Detection location is 313
04/05 09:23:01 [CRITICAL]  [2] Flags is 0
04/05 09:23:01 [CRITICAL]  [2] NumberOfParameters is 0
04/05 09:23:01 [CRITICAL]  [3] ProcessID is 580
04/05 09:23:01 [CRITICAL]  [3] System Time is: 4/5/2018 8:23:1:716
04/05 09:23:01 [CRITICAL]  [3] Generating component is 18
04/05 09:23:01 [CRITICAL]  [3] Status is 10060
04/05 09:23:01 [CRITICAL]  [3] Detection location is 311
04/05 09:23:01 [CRITICAL]  [3] Flags is 0
04/05 09:23:01 [CRITICAL]  [3] NumberOfParameters is 3
04/05 09:23:01 [CRITICAL]      Long val: 49153
04/05 09:23:01 [CRITICAL]      Pointer val: 0
04/05 09:23:01 [CRITICAL]      Pointer val: 0
04/05 09:23:01 [CRITICAL]  [4] ProcessID is 580
04/05 09:23:01 [CRITICAL]  [4] System Time is: 4/5/2018 8:23:1:716
04/05 09:23:01 [CRITICAL]  [4] Generating component is 18
04/05 09:23:01 [CRITICAL]  [4] Status is 10060
04/05 09:23:01 [CRITICAL]  [4] Detection location is 318
04/05 09:23:01 [CRITICAL]  [4] Flags is 0
04/05 09:23:01 [CRITICAL]  [4] NumberOfParameters is 0
04/05 09:23:01 [CRITICAL] CCM: NlFinishApiClientSession: timeout call to \\feldc01.ccm.local.  Count: 1 
04/05 09:23:01 [CRITICAL] CCM: NlpUserValidateHigher: denying access after status: 0xc0020017 1
04/05 09:23:01 [SESSION] CCM: NlSetStatusClientSession: Set connection status to c0020017
04/05 09:23:01 [SESSION] CCM: NlSetStatusClientSession: Unbind from server \\feldc01.ccm.local (PIPE) 0.
04/05 09:23:01 [SESSION] CCM: NlSetStatusClientSession: Unbind from server \\feldc01.ccm.local (TCP) 1.
04/05 09:23:01 [SESSION] CCM: NlSessionSetup: Try Session setup
04/05 09:23:01 [SESSION] CCM: NlDiscoverDc: Start Synchronous Discovery
04/05 09:23:01 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
04/05 09:23:01 [MAILSLOT] NetpDcPingListIp: ccm.local.: Sent UDP ping to 192.168.100.2
04/05 09:23:01 [MISC] NetpDcGetName: NetpDcGetNameIp returned 0
04/05 09:23:01 [MISC] LoadBalanceDebug (Flags: FORCE DSP AVOIDSELF ): DC=FELDC01, SrvCount=2, FailedAQueryCount=0, DcsPinged=1, LoopIndex=0
04/05 09:23:01 [PERF] NlSetServerClientSession: Not changing connection (000000000044E7C8): "\\feldc01.ccm.local"
    ClientSession: 00000000004566E0CCM: NlDiscoverDc: Found DC \\feldc01.ccm.local
04/05 09:23:22 [CRITICAL] NlPrintRpcDebug: Dumping extended error for I_NetServerReqChallenge with 0xc0020017
04/05 09:23:22 [CRITICAL]  [0] ProcessID is 580
04/05 09:23:22 [CRITICAL]  [0] System Time is: 4/5/2018 8:23:22:896
04/05 09:23:22 [CRITICAL]  [0] Generating component is 18
04/05 09:23:22 [CRITICAL]  [0] Status is 1722
04/05 09:23:22 [CRITICAL]  [0] Detection location is 1442
04/05 09:23:22 [CRITICAL]  [0] Flags is 0
04/05 09:23:22 [CRITICAL]  [0] NumberOfParameters is 1
04/05 09:23:22 [CRITICAL]      Unicode string: feldc01.ccm.local
04/05 09:23:22 [CRITICAL]  [1] ProcessID is 580
04/05 09:23:22 [CRITICAL]  [1] System Time is: 4/5/2018 8:23:22:896
04/05 09:23:22 [CRITICAL]  [1] Generating component is 18
04/05 09:23:22 [CRITICAL]  [1] Status is 1722
04/05 09:23:22 [CRITICAL]  [1] Detection location is 323
04/05 09:23:22 [CRITICAL]  [1] Flags is 0
04/05 09:23:22 [CRITICAL]  [1] NumberOfParameters is 0
04/05 09:23:22 [CRITICAL]  [2] ProcessID is 580
04/05 09:23:22 [CRITICAL]  [2] System Time is: 4/5/2018 8:23:22:896
04/05 09:23:22 [CRITICAL]  [2] Generating component is 18
04/05 09:23:22 [CRITICAL]  [2] Status is 1237
04/05 09:23:22 [CRITICAL]  [2] Detection location is 313
04/05 09:23:22 [CRITICAL]  [2] Flags is 0
04/05 09:23:22 [CRITICAL]  [2] NumberOfParameters is 0
04/05 09:23:22 [CRITICAL]  [3] ProcessID is 580
04/05 09:23:22 [CRITICAL]  [3] System Time is: 4/5/2018 8:23:22:896
04/05 09:23:22 [CRITICAL]  [3] Generating component is 18
04/05 09:23:22 [CRITICAL]  [3] Status is 10060
04/05 09:23:22 [CRITICAL]  [3] Detection location is 311
04/05 09:23:22 [CRITICAL]  [3] Flags is 0
04/05 09:23:22 [CRITICAL]  [3] NumberOfParameters is 3
04/05 09:23:22 [CRITICAL]      Long val: 49153
04/05 09:23:22 [CRITICAL]      Pointer val: 0
04/05 09:23:22 [CRITICAL]      Pointer val: 0
04/05 09:23:22 [CRITICAL]  [4] ProcessID is 580
04/05 09:23:22 [CRITICAL]  [4] System Time is: 4/5/2018 8:23:22:896
04/05 09:23:22 [CRITICAL]  [4] Generating component is 18
04/05 09:23:22 [CRITICAL]  [4] Status is 10060
04/05 09:23:22 [CRITICAL]  [4] Detection location is 318
04/05 09:23:22 [CRITICAL]  [4] Flags is 0
04/05 09:23:22 [CRITICAL]  [4] NumberOfParameters is 0
04/05 09:23:22 [SESSION] CCM: NlStartApiClientSession: Unbind from server \\feldc01.ccm.local (TCP) 0.
04/05 09:23:23 [SESSION] CCM: NlSessionSetup: Negotiated flags with server are 0x612fffff
04/05 09:23:23 [SESSION] CCM: NlSetStatusClientSession: Set connection status to 0
04/05 09:23:23 [DOMAIN] Setting LSA NetbiosDomain: CCM DnsDomain: ccm.local. DnsTree: ccm.local. DomainGuid:17435187-b154-4c14-a46f-69ab309d1823
04/05 09:23:23 [LOGON] NlSetForestTrustList: New trusted domain list:
04/05 09:23:23 [LOGON]     0: CCM ccm.local (NT 5) (Forest Tree Root) (Primary Domain) (Native)
04/05 09:23:23 [LOGON]        Dom Guid: 17435187-b154-4c14-a46f-69ab309d1823
04/05 09:23:23 [LOGON]        Dom Sid: S-1-5-21-2042430931-3186930242-3709046569
04/05 09:23:23 [SESSION] CCM: NlSetStatusClientSession: Set connection status to 0
04/05 09:23:23 [SESSION] CCM: NlSessionSetup: Session setup Succeeded
04/05 09:23:43 [MISC] DsGetDcName function called: Dom:CCM Acct:(null) Flags: DS NETBIOS RET_DNS 
04/05 09:23:43 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
04/05 09:23:43 [MISC] NetpDcGetName: ccm.local. using cached information
04/05 09:23:43 [MISC] DsGetDcName function returns 0: Dom:CCM Acct:(null) Flags: DS NETBIOS RET_DNS 
04/05 09:23:44 [CRITICAL] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0020017
04/05 09:23:44 [CRITICAL]  [0] ProcessID is 580
04/05 09:23:44 [CRITICAL]  [0] System Time is: 4/5/2018 8:23:44:342
04/05 09:23:44 [CRITICAL]  [0] Generating component is 18
04/05 09:23:44 [CRITICAL]  [0] Status is 1722
04/05 09:23:44 [CRITICAL]  [0] Detection location is 1442
04/05 09:23:44 [CRITICAL]  [0] Flags is 0
04/05 09:23:44 [CRITICAL]  [0] NumberOfParameters is 1
04/05 09:23:44 [CRITICAL]      Unicode string: feldc01.ccm.local
04/05 09:23:44 [CRITICAL]  [1] ProcessID is 580
04/05 09:23:44 [CRITICAL]  [1] System Time is: 4/5/2018 8:23:44:342
04/05 09:23:44 [CRITICAL]  [1] Generating component is 18
04/05 09:23:44 [CRITICAL]  [1] Status is 1722
04/05 09:23:44 [CRITICAL]  [1] Detection location is 323
04/05 09:23:44 [CRITICAL]  [1] Flags is 0
04/05 09:23:44 [CRITICAL]  [1] NumberOfParameters is 0
04/05 09:23:44 [CRITICAL]  [2] ProcessID is 580
04/05 09:23:44 [CRITICAL]  [2] System Time is: 4/5/2018 8:23:44:342
04/05 09:23:44 [CRITICAL]  [2] Generating component is 18
04/05 09:23:44 [CRITICAL]  [2] Status is 1237
04/05 09:23:44 [CRITICAL]  [2] Detection location is 313
04/05 09:23:44 [CRITICAL]  [2] Flags is 0
04/05 09:23:44 [CRITICAL]  [2] NumberOfParameters is 0
04/05 09:23:44 [CRITICAL]  [3] ProcessID is 580
04/05 09:23:44 [CRITICAL]  [3] System Time is: 4/5/2018 8:23:44:342
04/05 09:23:44 [CRITICAL]  [3] Generating component is 18
04/05 09:23:44 [CRITICAL]  [3] Status is 10060
04/05 09:23:44 [CRITICAL]  [3] Detection location is 311
04/05 09:23:44 [CRITICAL]  [3] Flags is 0
04/05 09:23:44 [CRITICAL]  [3] NumberOfParameters is 3
04/05 09:23:44 [CRITICAL]      Long val: 49153
04/05 09:23:44 [CRITICAL]      Pointer val: 0
04/05 09:23:44 [CRITICAL]      Pointer val: 0
04/05 09:23:44 [CRITICAL]  [4] ProcessID is 580
04/05 09:23:44 [CRITICAL]  [4] System Time is: 4/5/2018 8:23:44:342
04/05 09:23:44 [CRITICAL]  [4] Generating component is 18
04/05 09:23:44 [CRITICAL]  [4] Status is 10060
04/05 09:23:44 [CRITICAL]  [4] Detection location is 318
04/05 09:23:44 [CRITICAL]  [4] Flags is 0
04/05 09:23:44 [CRITICAL]  [4] NumberOfParameters is 0
04/05 09:23:44 [CRITICAL] CCM: NlFinishApiClientSession: timeout call to \\feldc01.ccm.local.  Count: 1 
04/05 09:23:44 [CRITICAL] CCM: NlpUserValidateHigher: denying access after status: 0xc0020017 1
04/05 09:23:44 [SESSION] CCM: NlSetStatusClientSession: Set connection status to c0020017
04/05 09:23:44 [SESSION] CCM: NlSetStatusClientSession: Unbind from server \\feldc01.ccm.local (PIPE) 0.
04/05 09:23:44 [SESSION] CCM: NlSetStatusClientSession: Unbind from server \\feldc01.ccm.local (TCP) 1.
04/05 09:23:44 [LOGON] SamLogon: Network logon of ccm\teste from INFORMATICA02 Returns 0xC0020017

After that I tried turning off one server at a time to see if something works, but same issue.

I'm out of ideas at this time and am starting to think about booting a Windows VM to move the AD :confused:

@Moritz_Bunkus @mschlee By a pure lucky shot I got more feedback.

Like I said before, my terminal server is running IIS, which serves the company intranet that has some pages that need AD authentication.

I always use http://ipaddress, and the login information was entered in the format domain\user. Since I got these errors (RDP, shared folders only working via FQDN, etc.), I opened the intranet with http://fqdn and used the same method to enter the credentials, always without success and getting the netlogon.log like I posted before.

Now I tried entering the credentials in the format username@domain: when using the ipaddress I cannot authenticate, but using the fqdn works.

So if I open the intranet with http://fqdn and use user@domain in the credentials, everything works.

Hope this gives you some information that can point us to the solution.

Thanks

Hi there,

I’ve had exactly the same issue. Solved reproducibly by the following steps, for anyone who is interested:

  1. Create a local.conf file which is then included in smb.conf:

cat /etc/samba/local.conf
[global]
map untrusted to domain = yes

  2. ucr commit /etc/samba/smb.conf
  3. service samba-ad-dc restart

Side note: Running on 4.3-0 errata11, was a 4.2 before.
Side note 2: This also solved the RDP issues reported in this forum with upgraded 4.3 instances, where access did not work or took forever.

@codedmind: Your solution works, since using the FQDN and @-notation always uses KRB in the first place; everything with NTLM was blocked by the changed default behavior of samba 3.7 (see the samba changelog for the change of the parameter; man smb.conf also helps explain why it was a bad idea to change this default behavior, and Univention just took it “as-is”).

And you will be a happy puppy with uber-fast connections to RDP and CIFS shares again.

Have fun.

- mike

Well, my case seems to be (at least partly) different, as this patch does not change the 20 seconds of “negotiating credentials …” shown when logging in via RDP, which was 2 seconds before.

I did not apply the changes on the system with the SQL server yet.

Can anybody confirm this patch will address the issue?

Thanks to everybody trying to dig the right solution - Martin

@mkromer @mschlee I tried this but without success; I’m still having issues with RDP connections from the TS server to the SQL Server and the same issues when trying to access shared folders from the SQL SERVER.

Hi mkromer,

I have tested the patch from you, but the problem is the same. :disappointed_relieved:

regards klaus

@mschlee @klausz @codedmind: The only other difference I’ve made was setting ucr set samba/ntlm/auth=yes, which effectively sets NTLM1 to be permitted as well. Maybe worth a try?

We are currently checking the issue and will report our results.

Ok, it looks like the firewall of the UCS 4.3 Samba/AD DCs is blocking TCP ports dynamically allocated by Samba 4.7. In our lab we found that similar issues with other services (RDP and share access) could be fixed by the following adjustment, so we suggest checking whether this also fixes the issues reported in this thread.

ucr set \
     security/packetfilter/package/univention-samba4/tcp/49152:65535/all="ACCEPT" \
     security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en="Dynamic RPC Ports (Samba)"

ucr unset \
     security/packetfilter/package/univention-samba4/tcp/49152/all \
     security/packetfilter/package/univention-samba4/tcp/49152/all/en

service univention-firewall restart

Please note that this needs to be adjusted on all UCS 4.3 Samba/AD DCs.

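Added example, not code from the thread or from Univention: a small Python script that reads the NlPrintRpcDebug extended-error dump quoted earlier in the thread and turns it into a one-line diagnosis, then checks the port it names against UCS packetfilter rules in the two shapes from the post above (a single port 49152 versus the range 49152:65535). The status-code names come from the public Windows error tables; treating the "Long val" under the WSAETIMEDOUT record as the TCP port the client tried to reach is an assumption, the sample log is an abridged copy of one dump from the thread, and the rule dictionaries are constructed from the ucr commands in the post.

```python
import re

# Status codes that appear in the dump, looked up in the public Windows error tables.
WIN32_STATUS = {
    1722: "RPC_S_SERVER_UNAVAILABLE: the RPC server is unavailable",
    1237: "ERROR_RETRY: the operation could not be completed, a retry should be performed",
    10060: "WSAETIMEDOUT: the connection attempt timed out",
}
NT_STATUS = {0xC0020017: "RPC_NT_SERVER_UNAVAILABLE"}

# Constructed sample: an abridged copy of one extended-error dump quoted in the thread.
SAMPLE_LOG = """\
04/05 09:23:44 [CRITICAL] NlPrintRpcDebug: Dumping extended error for I_NetLogonSamLogonEx with 0xc0020017
04/05 09:23:44 [CRITICAL]  [0] Status is 1722
04/05 09:23:44 [CRITICAL]  [0] Detection location is 1442
04/05 09:23:44 [CRITICAL]      Unicode string: feldc01.ccm.local
04/05 09:23:44 [CRITICAL]  [1] Status is 1722
04/05 09:23:44 [CRITICAL]  [2] Status is 1237
04/05 09:23:44 [CRITICAL]  [3] Status is 10060
04/05 09:23:44 [CRITICAL]  [3] NumberOfParameters is 3
04/05 09:23:44 [CRITICAL]      Long val: 49153
04/05 09:23:44 [CRITICAL]      Pointer val: 0
04/05 09:23:44 [CRITICAL]      Pointer val: 0
04/05 09:23:44 [CRITICAL]  [4] Status is 10060
04/05 09:23:44 [CRITICAL] CCM: NlpUserValidateHigher: denying access after status: 0xc0020017 1
"""

DUMP_RE = re.compile(r"Dumping extended error for (\w+) with 0x([0-9a-fA-F]+)")
STATUS_RE = re.compile(r"\[\d+\] Status is (\d+)")
SERVER_RE = re.compile(r"Unicode string: (\S+)")
LONG_RE = re.compile(r"Long val: (\d+)")


def parse_extended_errors(text):
    """Collect each NlPrintRpcDebug dump: the failing API, the NTSTATUS it returned,
    the Win32 status of every nested record, the server named, and any Long val parameters."""
    dumps, cur = [], None
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if m:
            cur = {"api": m.group(1), "nt_status": int(m.group(2), 16),
                   "statuses": [], "server": None, "longs": []}
            dumps.append(cur)
        elif cur is not None:
            if (m := STATUS_RE.search(line)):
                cur["statuses"].append(int(m.group(1)))
            elif (m := SERVER_RE.search(line)):
                cur["server"] = m.group(1)
            elif (m := LONG_RE.search(line)):
                cur["longs"].append(int(m.group(1)))
    return dumps


def diagnose(dump):
    """One line per dump: the outer NTSTATUS, then each distinct nested status in order.
    The innermost records (socket level) are the ones that explain the outer RPC failure."""
    parts = [f"{dump['api']} -> {NT_STATUS.get(dump['nt_status'], hex(dump['nt_status']))}"]
    for code in dict.fromkeys(dump["statuses"]):  # de-duplicate, keep order
        parts.append(WIN32_STATUS.get(code, f"unknown status {code}"))
    # Assumption: the Long val under the WSAETIMEDOUT record is the TCP port the client tried.
    if 10060 in dump["statuses"] and dump["longs"]:
        parts.append(f"timed out connecting to {dump['server']} on TCP port {dump['longs'][0]}")
    return "; ".join(parts)


# UCR packetfilter keys in the two shapes from the thread (constructed from the ucr commands).
PREFIX = "security/packetfilter/package/univention-samba4/"
OLD_RULES = {PREFIX + "tcp/49152/all": "ACCEPT"}             # one port only
NEW_RULES = {PREFIX + "tcp/49152:65535/all": "ACCEPT",       # whole dynamic RPC range
             PREFIX + "tcp/49152:65535/all/en": "Dynamic RPC Ports (Samba)"}


def port_accepted(rules, proto, port):
    """True if some ACCEPT rule for proto covers port; the port spec in the key is
    either a single number ("49152") or an inclusive range ("49152:65535")."""
    for key, action in rules.items():
        if action != "ACCEPT" or not key.startswith(PREFIX + proto + "/"):
            continue
        spec = key[len(PREFIX) + len(proto) + 1:].split("/")[0]
        lo, _, hi = spec.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


if __name__ == "__main__":
    for dump in parse_extended_errors(SAMPLE_LOG):
        print(diagnose(dump))
        for name, rules in (("old", OLD_RULES), ("new", NEW_RULES)):
            port = dump["longs"][0]
            print(f"  {name} packetfilter rules accept tcp/{port}: {port_accepted(rules, 'tcp', port)}")
```

Run against the real netlogon.log (C:\Windows\debug\netlogon.log on the client) instead of SAMPLE_LOG, the same two checks answer the question the thread circles around: is the failure a socket timeout towards the DC, and does the DC's packetfilter configuration (ucr search security/packetfilter/package/univention-samba4) actually cover the port named in the dump.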

Login is back to its normal speed

Thanks & best regards

Christian

Many thanks, everything works again.

Martin
