Bug 1359398 - Domain login no longer works after F22 -> F23 upgrade
Summary: Domain login no longer works after F22 -> F23 upgrade
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 24
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Orphan Owner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-23 18:20 UTC by Martin Vuille
Modified: 2017-05-24 09:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-24 09:22:48 UTC
Type: Bug
Embargoed:



Description Martin Vuille 2016-07-23 18:20:28 UTC
Description of problem:
Computer is a member of NT domain. DC is samba 3.6.12

Since upgrading from F22 -> F23, domain logins no longer work: "Domain Controller unreachable, using cached credentials instead."

I'm seeing the following errors in log.winbindd-idmap:

[2016/07/22 11:23:28.791764, 10, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1917(cm_open_connection)
  cm_open_connection: dcname is 'MIMIR' for domain YGGDRASIL
[2016/07/22 11:23:28.793277, 10, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1023(cm_prepare_connection)
  cm_prepare_connection: connecting to DC MIMIR for domain YGGDRASIL
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
[2016/07/22 11:23:28.794755,  5, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1142(cm_prepare_connection)
  connecting to MIMIR from THOR using NTLMSSP with username [YGGDRASIL]\[THOR$]
[2016/07/22 11:23:28.798607,  0] ../libcli/smb/smb_signing.c:138(smb_signing_good)
  smb_signing_good: BAD SIG: seq 1
[2016/07/22 11:23:28.798690,  4, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1184(cm_prepare_connection)
  authenticated session setup failed with NT_STATUS_ACCESS_DENIED

and I am also seeing SELinux errors for winbindd:

time->Fri Jul 22 09:45:06 2016
type=PROCTITLE msg=audit(1469195106.880:3563): proctitle="/usr/sbin/winbindd"
type=PATH msg=audit(1469195106.880:3563): item=0 name="/var/lib/samba/private/msg.sock/1207" inode=2502647 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:samba_var_t:s0 nametype=NORMAL
type=CWD msg=audit(1469195106.880:3563):  cwd="/"
type=SOCKADDR msg=audit(1469195106.880:3563): saddr=01002F7661722F6C69622F73616D62612F707269766174652F6D73672E736F636B2F31323037000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1469195106.880:3563): arch=c000003e syscall=46 success=no exit=-13 a0=7 a1=7fff67c8aaa0 a2=0 a3=0 items=1 ppid=1137 pid=1139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1469195106.880:3563): avc:  denied  { sendto } for  pid=1139 comm="winbindd" path="/var/lib/samba/private/msg.sock/1207" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=unix_dgram_socket permissive=0

Version-Release number of selected component (if applicable):
samba 4.3.11-1.fc23

How reproducible:
100% reproducible

Steps to Reproduce:
1. Login to domain member using domain account

Actual results:
Login fails: "Domain Controller unreachable, using cached credentials instead."

Expected results:
Login succeeds

Additional info:
This ticket https://bugzilla.redhat.com/show_bug.cgi?id=1337569 seems to be the same issue (at least the "unable to stat" part) and suggests there is a fix in samba 4.4.3-6
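
The AVC record above is easier to reason about once its three audit lines are tied together. The following is an added example, not part of the bug report: it groups audit records by serial, decodes the SOCKADDR hex into the AF_UNIX socket path, and prints the allow rule audit2allow would propose for the denial. The sample lines are constructed from the records quoted above (SYSCALL abridged, SOCKADDR zero padding shortened).

```python
import re
from collections import defaultdict

# Constructed sample: the three audit records quoted above (SYSCALL abridged,
# SOCKADDR zero padding shortened).
AUDIT_LINES = """\
type=SOCKADDR msg=audit(1469195106.880:3563): saddr=01002F7661722F6C69622F73616D62612F707269766174652F6D73672E736F636B2F3132303700000000
type=SYSCALL msg=audit(1469195106.880:3563): arch=c000003e syscall=46 success=no exit=-13 a0=7 pid=1139 uid=0 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1469195106.880:3563): avc:  denied  { sendto } for  pid=1139 comm="winbindd" path="/var/lib/samba/private/msg.sock/1207" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=unix_dgram_socket permissive=0
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
AF_UNIX = 1

def parse_fields(line):
    """Split one audit record into key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def group_by_serial(text):
    """Group records sharing an audit serial: one syscall, one event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            fields = parse_fields(line)
            events[m.group(1)][fields['type']] = (line, fields)
    return events

def decode_saddr(hexstr):
    """Decode the SOCKADDR saddr blob; only AF_UNIX (sun_path) is handled."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], 'little')
    if family != AF_UNIX:
        return family, None
    return family, raw[2:].split(b'\0', 1)[0].decode('utf-8', 'replace')

def summarize(event):
    """Reduce one grouped event to the facts a policy reviewer needs."""
    avc_line, avc = event['AVC']
    verdict, perms = AVC_RE.search(avc_line).groups()
    src, tgt = avc['scontext'].split(':')[2], avc['tcontext'].split(':')[2]
    info = {'verdict': verdict, 'perms': perms.split(), 'comm': avc.get('comm'),
            'tclass': avc['tclass'], 'enforcing': avc.get('permissive') == '0',
            # Rule audit2allow would propose; a stopgap until the policy is fixed.
            'rule': f"allow {src} {tgt}:{avc['tclass']} {{ {perms.strip()} }};"}
    if 'SOCKADDR' in event:
        info['family'], info['path'] = decode_saddr(event['SOCKADDR'][1]['saddr'])
    if 'SYSCALL' in event:
        info['exit'] = int(event['SYSCALL'][1]['exit'])  # -13 is EACCES
    return info

def denials(text):
    return [summarize(e) for e in group_by_serial(text).values() if 'AVC' in e]
```

Running `denials(AUDIT_LINES)` on the sample yields one event whose decoded socket path matches the `path=` field of the AVC line, confirming the denied sendto targets nmbd's messaging socket.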

Comment 1 Martin Vuille 2016-08-01 18:37:35 UTC
Changed component from samba4 (which seems to be obsolete) to samba

Comment 2 Martin Vuille 2016-08-01 18:45:20 UTC
Upgraded samba to 4.4.5-1 from fedora24-updates, issue still present
log.winbindd-idmap has changed slightly, no longer seeing "unable to stat module"
Still seeing SELinux errors as above

[2016/08/01 14:38:37.794851, 10, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1924(cm_open_connection)
  cm_open_connection: dcname is 'MIMIR' for domain YGGDRASIL
[2016/08/01 14:38:37.798119, 10, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1030(cm_prepare_connection)
  cm_prepare_connection: connecting to DC MIMIR for domain YGGDRASIL
[2016/08/01 14:38:37.799741,  5, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1149(cm_prepare_connection)
  connecting to MIMIR from THOR using NTLMSSP with username [YGGDRASIL]\[THOR$]
[2016/08/01 14:38:37.803687,  0] ../libcli/smb/smb_signing.c:138(smb_signing_good)
  smb_signing_good: BAD SIG: seq 1
[2016/08/01 14:38:37.803758,  4, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1191(cm_prepare_connection)
  authenticated session setup failed with NT_STATUS_ACCESS_DENIED

Comment 3 Milan Kerslager 2016-09-02 08:58:43 UTC
The problem is still present in Fedora 24.
Joining a classic NT4-style domain fails in Fedora 24, but works in Fedora 20.

$ net join -w oalib.cz -U root
Failed to join domain: failed to find DC for domain OALIB.CZ
$ net rpc oldjoin -w oalib.cz -U root 
Failed to join domain: failed to find DC for domain OALIB.CZ

When trying to debug the problem, it seems like the net command is trying to join AD instead of a classic domain:

net join -w oalib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface enp8s0 ip=10.0.0.35 bcast=10.0.255.255 netmask=255.255.0.0
get_dc_list: preferred server list: ", *"
ads_find_dc: name resolution for realm '' (domain 'OALIB.CZ') failed: NT_STATUS_NO_LOGON_SERVERS
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'PITOMA'
            domain_name              : *
                domain_name              : 'OALIB.CZ'
            domain_name_type         : JoinDomNameTypeUnknown (0)
            account_ou               : NULL
            admin_account            : ''
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x000000c1 (193)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   1: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   1: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   0: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.OALIB.CZ (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : NULL
            dns_domain_name          : NULL
            forest_name              : NULL
            dn                       : NULL
            domain_sid               : NULL
                domain_sid               : (NULL SID)
            modified_config          : 0x00 (0)
            error_string             : 'failed to find DC for domain OALIB.CZ'
            domain_is_ad             : 0x00 (0)
            set_encryption_types     : 0x00000000 (0)
            result                   : WERR_DCNOTFOUND
Enter root's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'PITOMA'
            domain_name              : *
                domain_name              : 'OALIB.CZ'
            domain_name_type         : JoinDomNameTypeUnknown (0)
            account_ou               : NULL
            admin_account            : 'root'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.OALIB.CZ (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : NULL
            dns_domain_name          : NULL
            forest_name              : NULL
            dn                       : NULL
            domain_sid               : NULL
                domain_sid               : (NULL SID)
            modified_config          : 0x00 (0)
            error_string             : 'failed to find DC for domain OALIB.CZ'
            domain_is_ad             : 0x00 (0)
            set_encryption_types     : 0x00000000 (0)
            result                   : WERR_DCNOTFOUND
Failed to join domain: failed to find DC for domain OALIB.CZ
Enter root's password: <password entered>
return code = -1


$ net rpc oldjoin -w oalib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface enp8s0 ip=10.0.0.35 bcast=10.0.255.255 netmask=255.255.0.0
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'PITOMA'
            domain_name              : *
                domain_name              : 'OALIB.CZ'
            domain_name_type         : JoinDomNameTypeUnknown (0)
            account_ou               : NULL
            admin_account            : ''
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x000000c1 (193)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   1: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   1: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   0: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.OALIB.CZ (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : NULL
            dns_domain_name          : NULL
            forest_name              : NULL
            dn                       : NULL
            domain_sid               : NULL
                domain_sid               : (NULL SID)
            modified_config          : 0x00 (0)
            error_string             : 'failed to find DC for domain OALIB.CZ'
            domain_is_ad             : 0x00 (0)
            set_encryption_types     : 0x00000000 (0)
            result                   : WERR_DCNOTFOUND
Failed to join domain: failed to find DC for domain OALIB.CZ
return code = -1


Debug output from Fedora 20 working setup for comparison:
=========================================================
$ net join -w pslib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface p4p1 ip=10.0.50.4 bcast=10.0.255.255 netmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
get_dc_list: preferred server list: ", *"
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.2 failed.
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
Connecting to 10.0.0.2 at port 445
rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Enter root's password:

Comment 4 Milan Kerslager 2016-09-02 09:02:59 UTC
I made a mistake in the previous post. Working F20 setup for joining NT4 domain:

$ net join -w oalib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface p4p1 ip=10.0.50.4 bcast=10.0.255.255 netmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
get_dc_list: preferred server list: ", *"
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.2 failed.
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
Connecting to 10.0.0.2 at port 445
rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Enter root's password:
Connecting to 10.0.0.2 at port 445
Doing spnego session setup (blob length=42)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Connecting to 10.0.0.2 at port 445
Joined domain OALIB.CZ.
return code = 0

Comment 5 Alexander Bokovoy 2016-09-02 09:06:25 UTC
Can you provide these logs with -d10 ?

