NTLMSSP NTLM2 packet check failed due to invalid signature

NTLMSSP NTLM2 packet check failed due to invalid signature

Samba - General mailing list
Ciao!

How are you?
I guess, things changed. I was in Stretch, now in Buster, always in TESTING repo.
But, I had a script, that deleted caches, everything, it worked for months.
Now I changed my domain from patrikx3.tk to patrikx3.com and stopped.
I can join to the domain if only use the first interface (I need 2 now).
But the first error was the error is “” instead of “ac.patrikx3.com”, which is cryptic.

Then, I can use LDAP awesome via my clients and everything, but my windows do not understand that I am on the domain, although I can login and authenticate, but still I get this error on Samba like:
The server is not operational.

The last one is:
NTLMSSP NTLM2 packet check failed due to invalid signature!

Do you guys know what it could be? No idea. I tried tons of settings, always the same.

Besides, all was generated by the samba provision tool.

My samba config:
[global]
        netbios name = SERVER
        realm = AC.PATRIKX3.COM
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
#       server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = PATRIKX3
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
#       bind interfaces only=yes
# for join, use this
#       interfaces=lo enp1s0 127.0.0.1 192.168.78.20
        allow insecure wide links = yes
# need for old samba 3 - like the router
        unix extensions = no
        local master = yes
        preferred master = yes
        template shell = /bin/bash
        template homedir = /home/%U
        log level = 3

[netlogon]
        path = /var/lib/samba/sysvol/ac.patrikx3.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[media]
        path = /media
        read only = no
        guest ok = no
        force group = media
        writable = yes

[mounts]
        path = /mnt
        read only = no
        guest ok = no
        force group = mount
        writable = yes

[router-logs]
        path = /var/log-router
        read only = yes
        guest ok = yes
        writable = no
        browseable = yes
#       valid users = router
        force user = root
       

Sent from Mail for Windows 10

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: NTLMSSP NTLM2 packet check failed due to invalid signature

Samba - General mailing list
On Fri, 14 Jul 2017 20:24:05 +0200
"Patrik Laszlo (patrikx3) via samba" <[hidden email]> wrote:

> Ciao!
>
> How are you?
> I guess, things changed. I was in Stretch, now in Buster, always in
> TESTING repo. But, I had a script, that deleted caches, everything,
> it worked for months. Now I changed my domain from patrikx3.tk to
> patrikx3.com and stopped.

How did you change the domain ?
Have you reprovisioned ?

> I can join to the domain if only use the
> first interface (I need 2 now). But the first error was the error is
> “” instead of “ac.patrikx3.com”, which is cryptic.
>
> Then, I can use LDAP awesome via my clients and everything, but my
> windows do not understand that I am on the domain, although I can
> login and authenticate, but still I get this error on Samba like: The
> server is not operational.
>
> The last one is:
> NTLMSSP NTLM2 packet check failed due to invalid signature!
>
> Do you guys know what it could be? No idea. I tried tons of settings,
> always the same.
>
> Besides, all was generated by the samba provision tool.

Sorry, but I do not believe that, for one thing, the provision never
adds lines that start with a '#'

>
> My samba config:
> [global]
>         netbios name = SERVER
>         realm = AC.PATRIKX3.COM
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
> #       server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = PATRIKX3
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
> #       bind interfaces only=yes
> # for join, use this
> #       interfaces=lo enp1s0 127.0.0.1 192.168.78.20
>         allow insecure wide links = yes
> # need for old samba 3 - like the router
>         unix extensions = no
>         local master = yes
>         preferred master = yes
>         template shell = /bin/bash
>         template homedir = /home/%U
>         log level = 3
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ac.patrikx3.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [media]
>         path = /media
>         read only = no
>         guest ok = no
>         force group = media
>         writable = yes
>
> [mounts]
>         path = /mnt
>         read only = no
>         guest ok = no
>         force group = mount
>         writable = yes
>
> [router-logs]
>         path = /var/log-router
>         read only = yes
>         guest ok = yes
>         writable = no
>         browseable = yes
> #       valid users = router
>         force user = root
>        
>
> Sent from Mail for Windows 10
>

I would alter the shares by making them resemble the [netlogon] &
[sysvol] shares and then set the permissions from your Windows 10
machine.

Rowland


Re: NTLMSSP NTLM2 packet check failed due to invalid signature

Samba - General mailing list
On Fri, 14 Jul 2017 21:02:48 +0200
"Patrik Laszlo (patrikx3)" <[hidden email]> wrote:

> Plus this:
> It was generating named.conf.update, now it is not generating.
>
> /* this file is auto-generated - do not edit */
> update-policy {
>         grant AC.PATRIKX3.COM ms-self * A AAAA;
>         grant [hidden email] wildcard * A AAAA SRV CNAME;
>         grant SERVER$@ac.patrikx3.tk wildcard * A AAAA SRV CNAME;
> };

Did you change the dns domain as well ?

Rowland


Re: NTLMSSP NTLM2 packet check failed due to invalid signature

Samba - General mailing list
yes, bind dlz, i can ping all works as the wiki shows. ping ac.patrikx3.com
and forestdomainsomething.ac.patrikx3.com as well.
just this packet problem in samba log, not generating the
named.conf.updated file anymore, but no errors in bind dlz.
ldap is correct i use my clients via ubuntu mint.

showing private instead domain.

reinstall or what? disable 2nd interface, no idea :(

Patrik

On Jul 14, 2017 21:11, "Rowland Penny via samba" <[hidden email]>
wrote:

> On Fri, 14 Jul 2017 21:02:48 +0200
> "Patrik Laszlo (patrikx3)" <[hidden email]> wrote:
>
> > Plus this:
> > It was generating named.conf.update, now it is not generating.
> >
> > /* this file is auto-generated - do not edit */
> > update-policy {
> >         grant AC.PATRIKX3.COM ms-self * A AAAA;
> >         grant [hidden email] wildcard * A AAAA SRV CNAME;
> >         grant SERVER$@ac.patrikx3.tk wildcard * A AAAA SRV CNAME;
> > };
>
> Did you change the dns domain as well ?
>
> Rowland
>

Re: NTLMSSP NTLM2 packet check failed due to invalid signature

Samba - General mailing list
> How did you change the domain ?
> Have you reprovisioned ?

Actually, I deleted everything with apt purge, deleted all files, reinstall SAMBA, then I joined with Windows 10 Enterprise (I had to disable to use only 1 interface instead both), but it started “” instead of “ac.patrikx3.com”.

Yes, I had added a few, but it was all working before, same settings, no changes, besides I can auth, just the Domain is weird.
How come it says in Firewall Private instead Domain?
Something is weird. No idea what to do.
Disable the 2nd interface, reinstall everything and join again maybe like that?

The shares are OK by it’s own automatic:



The domain is weird:


It was
patrikx3
ac.patrikx3.tk

I was expecting
patrikx3
ac.patrikx3.com

Now it is patrikx3 2 ☹


Re: NTLMSSP NTLM2 packet check failed due to invalid signature

Samba - General mailing list
On Fri, 14 Jul 2017 21:16:35 +0200
Patrik <[hidden email]> wrote:

> yes, bind dlz, i can ping all works as the wiki shows. ping
> ac.patrikx3.com and forestdomainsomething.ac.patrikx3.com as well.
> just this packet problem in samba log, not generating the
> named.conf.updated file anymore, but no errors in bind dlz.
> ldap is correct i use my clients via ubuntu mint.
>
> showing private instead domain.
>
> reinstall or what? disable 2nd interface, no idea :(
>

Seeing as it is a new install, I would tend towards starting again,
make sure there is no trace of the '.tk' domain anywhere and then
provision again.

Rowland
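
Added example, not part of the original thread and not Samba's own tooling: a small Python check for the mismatch visible in the quoted files, where smb.conf sets the realm to AC.PATRIKX3.COM while the update-policy still grants to a '.tk' principal. The sample file contents are constructed from lines quoted in the thread; the function names and the case-insensitive comparison are assumptions of this example.

```python
import re

# Constructed samples modelled on the files quoted in the thread.
SMB_CONF = """\
[global]
        netbios name = SERVER
        realm = AC.PATRIKX3.COM
        workgroup = PATRIKX3
"""
NAMED_CONF_UPDATE = """\
/* this file is auto-generated - do not edit */
update-policy {
        grant AC.PATRIKX3.COM ms-self * A AAAA;
        grant SERVER$@ac.patrikx3.tk wildcard * A AAAA SRV CNAME;
};
"""

def realm_from_smb_conf(text):
    """Return the upper-cased realm set in [global], or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded spaces.
            if key.replace(" ", "").lower() == "realm":
                return value.strip().upper()
    return None

def stale_grants(update_policy, realm):
    """Return (line_number, identity) for grants that name another realm."""
    stale = []
    for number, raw in enumerate(update_policy.splitlines(), 1):
        for match in re.finditer(r"\bgrant\s+(\S+)", raw):
            identity = match.group(1)
            # Assumption: compare the part after '@' (or the bare realm of an
            # ms-self grant) case-insensitively against the smb.conf realm.
            if identity.rsplit("@", 1)[-1].upper() != realm:
                stale.append((number, identity))
    return stale

if __name__ == "__main__":
    for number, identity in stale_grants(NAMED_CONF_UPDATE, realm_from_smb_conf(SMB_CONF)):
        print(f"named.conf.update:{number}: stale identity {identity}")
```
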




Re: NTLMSSP NTLM2 packet check failed due to invalid signature

Samba - General mailing list
THANKS SO MUCH! I REINSTALLED AND IT IS PERFECT!

CIAO!


On 07/14/2017 09:26 PM, Rowland Penny via samba wrote:

> On Fri, 14 Jul 2017 21:16:35 +0200
> Patrik <[hidden email]> wrote:
>
>> yes, bind dlz, i can ping all works as the wiki shows. ping
>> ac.patrikx3.com and forestdomainsomething.ac.patrikx3.com as well.
>> just this packet problem in samba log, not generating the
>> named.conf.updated file anymore, but no errors in bind dlz.
>> ldap is correct i use my clients via ubuntu mint.
>>
>> showing private instead domain.
>>
>> reinstall or what? disable 2nd interface, no idea :(
>>
> Seeing as it is a new install, I would tend towards starting again,
> make sure there is no trace of the '.tk' domain anywhere and then
> provision again.
>
> Rowland
>
>
>

