Bug 1388589

Summary: SPNEGO login failed: Indicates the SID structure is not valid. - with 4.2.10 but 3.6.23-36.el6_8 is OK
Product: Red Hat Enterprise Linux 7
Reporter: lejeczek <peljasz>
Component: samba
Assignee: Andreas Schneider <asn>
Status: CLOSED NOTABUG
QA Contact: qe-baseos-daemons
Severity: high
Priority: unspecified
Version: 7.2
CC: asn, gdeschner, jrivera
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2016-11-07 10:08:19 UTC
Type: Bug

Description lejeczek 2016-10-25 17:43:12 UTC
Description of problem:

I have in the userdb LDAP backend (multi-master replicas) this one user (and many others):
(raw ldap):

# user243, People, xxzz.tech
dn: uid=user243,ou=People,dc=xxzz,dc=tech
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: user243
homeDirectory: /home/user243
loginShell: /bin/bash
sambaLogonTime: 0
sambaLogoffTime: 2147483647
gecos: Some User
sambaPwdCanChange: 2147483647
mail: user243
sn: User
cn: Some User
givenName: Some
displayName: Some User
gidNumber: 513
uidNumber: 1177
sambaSID: S-1-5-21-2925918746-2661067204-1764633667-2002
sambaLMPassword: ED84DDFFD9A97C2ECA922D8A7EE0CA0B
sambaAcctFlags: [U]
sambaNTPassword: 079073B583031A7AAE5D5C2D049FC05A
userPassword:: e1NTSEF9TEl6QXB1TEpkNDZ6N1hxWFFiNFhTWUtxbXZKcmMwOTU=
shadowLastChange: 17038
shadowWarning: 4
shadowExpire: 17449
shadowMax: 99999
sambaKickoffTime: 1507597200
sambaPwdLastSet: 1476091342
sambaPwdMustChange: 2147483647
shadowMin: 99999

Version-Release number of selected component (if applicable):

The server (4.2.10, which is BDC) fails; smbclient locally:

SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID

pdbedit -v ...

Primary group S-1-5-21-2925918746-2661067204-1764633667-513 for user user243 is a UNKNOWN and not a domain group
Forcing Primary Group to 'Domain Users' for user243

...but the remaining info gets shown.

Another server (3.6.23-36.el6_8) which is PDC (it's not AD setup) has no problems whatsoever.

Before you ask for logs: when I do smbclient or pdbedit on the failing (4.2.) server, nothing gets logged, even with debug level 10.
Only journald logs:

 0, pid=37787, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:494(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INVALID_SID'

faulty samba:
$ net getdomainsid
SID for local machine RIDER is: S-1-5-21-2925918746-2661067204-3920627605
SID for domain XXZZ_TEC is: S-1-5-21-2925918746-2661067204-1764633667

good samba:
$ net getdomainsid
SID for local machine TUNA is: S-1-5-21-2925918746-2661067204-4277062323
SID for domain XXZZ_TEC is: S-1-5-21-2925918746-2661067204-1764633667


How reproducible:

Not really sure; have an LDAP backend to a 3.x version and see that 4.2.x won't work?



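A small triage helper, added here as an example (not part of the report or of Samba): it parses the SIDs quoted above together with the `net getdomainsid` output and reports whether the user's sambaSID and the primary-group SID that pdbedit complained about hang off the domain SID (XXZZ_TEC) or the local machine SID (RIDER). The sample values are copied from the report; the shape check is the generic textual NT SID syntax, not Samba's own validation, so a clean result here points at configuration rather than at the LDAP data.

```python
import re
from typing import NamedTuple

# Constructed sample input, copied in shape and value from the report above: the
# user's sambaSID, the primary-group SID pdbedit complained about, and the
# `net getdomainsid` output of the failing server RIDER.
USER_SID = "S-1-5-21-2925918746-2661067204-1764633667-2002"
PRIMARY_GROUP_SID = "S-1-5-21-2925918746-2661067204-1764633667-513"
NET_GETDOMAINSID_OUTPUT = """\
SID for local machine RIDER is: S-1-5-21-2925918746-2661067204-3920627605
SID for domain XXZZ_TEC is: S-1-5-21-2925918746-2661067204-1764633667
"""
# Well-known NT4 group RIDs; 513 is Domain Users, the group pdbedit fell back to.
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")  # S-1-<authority>-<subauth>[-<subauth>...]

class Sid(NamedTuple):
    authority: int
    subauths: tuple  # sub-authorities; the last one is the RID

def sid_is_wellformed(text):
    """True if `text` has the syntactic shape of an NT SID."""
    return SID_RE.match(text) is not None

def parse_sid(text):
    """Parse a textual SID, refusing anything that is not syntactically an NT SID."""
    if not sid_is_wellformed(text):
        raise ValueError(f"malformed SID: {text!r}")
    parts = text.split("-")
    return Sid(int(parts[2]), tuple(int(p) for p in parts[3:]))

def parse_net_getdomainsid(output):
    """Map 'local machine' / 'domain' to (name, Sid) from `net getdomainsid` output."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"SID for (local machine|domain) (\S+) is: (\S+)", line)
        if m:
            found[m.group(1)] = (m.group(2), parse_sid(m.group(3)))
    return found

def classify(sid_text, scopes):
    """Return (scope, name, rid): the known SID this one hangs off, or 'foreign'."""
    sid = parse_sid(sid_text)
    prefix, rid = sid.subauths[:-1], sid.subauths[-1]
    for scope, (name, base) in scopes.items():
        if (base.authority, base.subauths) == (sid.authority, prefix):
            return scope, name, rid
    return "foreign", None, rid
```

For the report's values both SIDs classify as "domain" XXZZ_TEC with RIDs 2002 and 513, so the SID structure itself is consistent with the domain SID and the failure has to come from elsewhere.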
Comment 2 lejeczek 2016-11-01 16:19:26 UTC
The server that fails (4.2.10, which is BDC) has "domain logons = no". I've tried the Samba mailing list hoping to grasp the complete meaning of this param, but without any response there.

If this is a misconfiguration then the trouble is that it is not described anywhere. If I change the above to "yes" then the problem does not occur.

I don't know whether it's a bug, some compatibility issues between versions or...

Comment 3 Andreas Schneider 2016-11-07 10:08:19 UTC
From the smb.conf manpage:

domain logons (G)

    If set to yes, the Samba server will provide the netlogon service for Windows
    9X network logons for the workgroup it is in. This will also cause the Samba 
    server to act as a domain controller for NT4 style domain services.


If you disable 'domain logons' then users will not be able to authenticate with this NT4 DC. If you want users to be able to authenticate, you need to enable it.