samba 4.5.0 strange windows 10 issue | incorrect password

samba 4.5.0 strange windows 10 issue | incorrect password

yabko
i'm having intermittent issues with windows 10 clients (don't have win7/xp) on the network. i frequently get users being unable to login even when they put correct credentials. when that happens wbinfo --authenticate user completes successfully on the controller (just one on the network), same with authenticating webmail/intranet against PDC works. time is in sync. sometimes rebooting the PC helps it and they're able to login. is there anyone experiencing similar issue ? it seems to be happening on the client side only if the PDC itself works.

happened today. user's password was expired and win10 prompted for change. user changed it and win said change successful. when user tried to sign in it said password incorrect. rebooted and user was able to get in. wbinfo was successfully authenticating before reboot with the new password.

this is my smb.conf

# Global parameters
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LAN
        netbios name = PDC
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
#167.206.112.138
        log file = /var/log/samba/samba.log
        max log size = 10000
        log level = 3
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        lanman auth = yes
        ntlm auth = yes
        raw NTLMv2 auth = yes

        allow dns updates = nonsecure

Re: samba 4.5.0 strange windows 10 issue | incorrect password

Samba - General mailing list
On Mon, 17 Oct 2016 12:42:39 -0700 (PDT)
yabko via samba <[hidden email]> wrote:

> i'm having intermittent issues with windows 10 clients (don't have
> win7/xp) on the network. i frequently get users being unable to login
> even when they put correct credentials. when that happens wbinfo
> --authenticate user completes successfully on the controller (just
> one on the network), same with authenticating webmail/intranet
> against PDC works. time is in sync. sometimes rebooting the PC helps
> it and they're able to login. is there anyone experiencing similar
> issue ? it seems to be happening on the client side only if the PDC
> itself works.
>
> happened today. user's password was expired and win10 prompted for
> change. user changed it and win said change successful. when user
> tried to sign in it said password incorrect. rebooted and user was
> able to get in. wbinfo was successfully authenticating before reboot
> with the new password.
>

Can you please post more info, what OS, how are you running Samba, I
know you mention a 'PDC', but is this an NT4-style domain or is it
really an AD DC ?
Can you post your smb.conf ?

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: samba 4.5.0 strange windows 10 issue | incorrect password

yabko
hi server role is

server role = active directory domain controller

i googled the error and it says that there could be two computer accounts of the same name

i pulled this from the event log

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server 50wks19$. The target name used was 50WKS19$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (WMPNY.LAN) is different from the client domain (WMPNY.LAN), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

but checking DNS/ADUC i don't see any 50wks19 twice. all are windows 10x64

smb posted in OP

Re: samba 4.5.0 strange windows 10 issue | incorrect password

Samba - General mailing list
On Mon, 17 Oct 2016 13:51:18 -0700 (PDT)
yabko via samba <[hidden email]> wrote:

> hi server role is
>
> server role = active directory domain controller
>
> i googled the error and it says that there could be two computer
> accounts of the same name
>
> i pulled this from the event log
>
> The Kerberos client received a KRB_AP_ERR_MODIFIED error from the
> server 50wks19$. The target name used was 50WKS19$. This indicates
> that the target server failed to decrypt the ticket provided by the
> client. This can occur when the target server principal name (SPN) is
> registered on an account other than the account the target service is
> using. Ensure that the target SPN is only registered on the account
> used by the server. This error can also happen if the target service
> account password is different than what is configured on the Kerberos
> Key Distribution Center for that target service. Ensure that the
> service on the server and the KDC are both configured to use the same
> password. If the server name is not fully qualified, and the target
> domain (WMPNY.LAN) is different from the client domain (WMPNY.LAN),
> check if there are identically named server accounts in these two
> domains, or use the fully-qualified name to identify the server.
>
> but checking DNS/ADUC i don't see any 50wks19 twice. all are windows
> 10x64
>

Well, all I gained from that is you haven't got a PDC, it is an AD DC.

What OS are you using ?
What is in smb.conf ?
What is in /etc/krb5.conf ?
what is in /etc/resolv.conf ?
what is in /etc/hosts ?
what is in /etc/hostname ?
what is the ipaddress of the AD DC ?

Rowland




Re: samba 4.5.0 strange windows 10 issue | incorrect password

yabko
Well, all I gained from that is you haven't got a PDC, it is an AD DC.

What OS are you using ?
What is in smb.conf ?
What is in /etc/krb5.conf ?
what is in /etc/resolv.conf ?
what is in /etc/hosts ?
what is in /etc/hostname ?
what is the ipaddress of the AD DC ?

Rowland

-------------------

Rowland yes it's ADDC the hostname is just PDC. Sorry for the confusion

The server is

Description:    Debian GNU/Linux 6.0.6 (squeeze)
Release:        6.0.6
Codename:       squeeze

/etc/krb5.conf
[libdefaults]
        default_realm = WMPNY.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true

/etc/resolv.conf

search wmpny.lan
domain wmpny.lan
nameserver 10.18.66.5

/etc/hosts
127.0.0.1       localhost
127.0.1.1       pdc.wmpny.local pdc

/etc/hostname
pdc

ip address is 10.18.66.5

i also found this https://blogs.technet.microsoft.com/askds/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers/#pi145002=1

forest and domain functional level is 2008_R2


Re: samba 4.5.0 strange windows 10 issue | incorrect password

Samba - General mailing list

See inline comments:

On Mon, 17 Oct 2016 18:06:36 -0700 (PDT)
yabko via samba <[hidden email]> wrote:

> Well, all I gained from that is you haven't got a PDC, it is an AD DC.
>
> What OS are you using ?
> What is in smb.conf ?
> What is in /etc/krb5.conf ?
> what is in /etc/resolv.conf ?
> what is in /etc/hosts ?
> what is in /etc/hostname ?
> what is the ipaddress of the AD DC ?
>
> Rowland
>
> -------------------
>
> Rowland yes it's ADDC the hostname is just PDC. Sorry for the
> confusion
>
> The server is
>
> Description:    Debian GNU/Linux 6.0.6 (squeeze)
> Release:        6.0.6
> Codename:       squeeze
>

You do know that squeeze is EOL ?

> /etc/krb5.conf
> [libdefaults]
>         default_realm = WMPNY.LAN
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> /etc/resolv.conf
>
> search wmpny.lan
> domain wmpny.lan
> nameserver 10.18.66.5

I would suggest removing the 'domain' line, it is turning off the
'search' line, you cannot have both lines in resolv.conf

>
> /etc/hosts
> 127.0.0.1       localhost
> 127.0.1.1       pdc.wmpny.local pdc

This is very likely your problem, /etc/hosts should be:

127.0.0.1 localhost
10.18.66.5 pdc.wmpny.local pdc

and as you have '127.0.1.1', this probably means you are using
Network-Manager, if so, stop this from using dnsmasq.
As you are using '.local', I would also suggest turning off Avahi, if
this is running.

Rowland



Re: samba 4.5.0 strange windows 10 issue | incorrect password

Samba - General mailing list
On Tue, 18 Oct 2016 08:09:10 +0100
Rowland Penny via samba <[hidden email]> wrote:

>
> See inline comments:
>
> On Mon, 17 Oct 2016 18:06:36 -0700 (PDT)
> yabko via samba <[hidden email]> wrote:
>
> > Well, all I gained from that is you haven't got a PDC, it is an AD
> > DC.
> >
> > What OS are you using ?
> > What is in smb.conf ?
> > What is in /etc/krb5.conf ?
> > what is in /etc/resolv.conf ?
> > what is in /etc/hosts ?
> > what is in /etc/hostname ?
> > what is the ipaddress of the AD DC ?
> >
> > Rowland
> >
> > -------------------
> >
> > Rowland yes it's ADDC the hostname is just PDC. Sorry for the
> > confusion
> >
> > The server is
> >
> > Description:    Debian GNU/Linux 6.0.6 (squeeze)
> > Release:        6.0.6
> > Codename:       squeeze
> >
>
> You do know that squeeze is EOL ?
>
> > /etc/krb5.conf
> > [libdefaults]
> >         default_realm = WMPNY.LAN
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> > /etc/resolv.conf
> >
> > search wmpny.lan
> > domain wmpny.lan
> > nameserver 10.18.66.5
>
> I would suggest removing the 'domain' line, it is turning off the
> 'search' line, you cannot have both lines in resolv.conf
>
> >
> > /etc/hosts
> > 127.0.0.1       localhost
> > 127.0.1.1       pdc.wmpny.local pdc
>
> This is very likely your problem, /etc/hosts should be:
>
> 127.0.0.1 localhost
> 10.18.66.5 pdc.wmpny.local pdc
>
> and as you have '127.0.1.1', this probably means you are using
> Network-Manager, if so, stop this from using dnsmasq.
> As you are using '.local', I would also suggest turning off Avahi, if
> this is running.
>
> Rowland
>
>

I completely missed this:

From /etc/krb5.conf:

default_realm = WMPNY.LAN

From /etc/hosts:

127.0.1.1       pdc.wmpny.local pdc

'WMPNY.LAN' or 'wmpny.local', which is it, they both should be the same
(apart from case)

Rowland
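
The three mismatches raised in this exchange (the DC name bound to 127.0.1.1, an FQDN that does not match the Kerberos realm, and both 'search' and 'domain' in resolv.conf) can be checked mechanically. The following is an added example, not part of the original posts; the file contents are constructed from the values quoted in the thread, and the function names and finding codes are hypothetical.

```python
import ipaddress

# Constructed sample input: the files as quoted in the thread.
KRB5_CONF = """[libdefaults]
        default_realm = WMPNY.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""
HOSTS_BEFORE = "127.0.0.1       localhost\n127.0.1.1       pdc.wmpny.local pdc\n"
HOSTS_AFTER = "127.0.0.1       localhost\n10.18.66.5      pdc.wmpny.lan   pdc\n"
RESOLV_BEFORE = "search wmpny.lan\ndomain wmpny.lan\nnameserver 10.18.66.5\n"
RESOLV_AFTER = "search wmpny.lan\n#domain wmpny.lan\nnameserver 10.18.66.5\n"


def default_realm(krb5_text):
    """Return default_realm from krb5.conf text, or None if it is not set."""
    for line in krb5_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "default_realm":
            return value.strip()
    return None


def host_entries(hosts_text):
    """Yield (ip, [names]) for every non-comment /etc/hosts line."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def check_dc_naming(hostname, dc_ip, krb5_text, hosts_text, resolv_text):
    """Return findings as 'CODE: detail' strings; an empty list means consistent."""
    findings = []
    short = hostname.lower()
    realm = default_realm(krb5_text)
    if realm is None:
        findings.append("NO_REALM: krb5.conf has no default_realm")
    mapped = [(ip, names) for ip, names in host_entries(hosts_text)
              if short in [n.lower() for n in names]]
    if not mapped:
        findings.append(f"HOSTS_MISSING: no /etc/hosts entry for {hostname}")
    for ip, names in mapped:
        if ipaddress.ip_address(ip).is_loopback:
            findings.append(f"HOSTS_LOOPBACK: {hostname} resolves to {ip}, not {dc_ip}")
        elif ip != dc_ip:
            findings.append(f"HOSTS_WRONG_IP: {hostname} resolves to {ip}, not {dc_ip}")
        fqdn = names[0].lower()  # first name on the line is the canonical one
        if realm and fqdn != f"{short}.{realm.lower()}":
            findings.append(f"FQDN_REALM_MISMATCH: {names[0]} vs realm {realm}")
    # First token of each resolv.conf line; '#domain' does not count as 'domain'.
    keywords = {line.split()[0] for line in resolv_text.splitlines() if line.split()}
    if {"search", "domain"} <= keywords:
        findings.append("RESOLV_SEARCH_AND_DOMAIN: both keywords set, only one applies")
    return findings


def codes(findings):
    """Strip the detail text and keep only the finding codes."""
    return [f.split(":", 1)[0] for f in findings]


if __name__ == "__main__":
    for label, hosts, resolv in (("as posted", HOSTS_BEFORE, RESOLV_BEFORE),
                                 ("after edits", HOSTS_AFTER, RESOLV_AFTER)):
        print(label, check_dc_naming("pdc", "10.18.66.5", KRB5_CONF, hosts, resolv))
```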


Re: samba 4.5.0 strange windows 10 issue | incorrect password

yabko
hi Rowland

domain is wmpny.lan not .local, so i made the changes to the files where you caught the mismatch

i know squeeze is EOL but it's internal and i never had issues with it. do you think upgrading OS would resolve this issue ? It's been running fine since samba4 4.0 days with the "unchanged" conf files.

adjusted the files to your suggestions

/etc/hosts

127.0.0.1       localhost
10.18.66.5      pdc.wmpny.lan   pdc

/etc/resolv.conf

search wmpny.lan
#domain wmpny.lan
nameserver 10.18.66.5

I just had it happen again today before i made your config file edits. Will fully update client OS (win10x64) and monitor.



Re: samba 4.5.0 strange windows 10 issue | incorrect password

Samba - General mailing list
.lan .local .... Both reserved by Apple's mDNS/ZeroConf..
( sorry )

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of yabko via samba
> Sent: Tuesday 18 October 2016 16:30
> To: [hidden email]
> Subject: Re: [Samba] samba 4.5.0 strange windows 10 issue | incorrect
> password
>
> hi Rowland
>
> domain is wmpny.lan not .local, so i made the changes to the files where
> you
> caught the mismatch
>
> i know squeeze is EOL but it's internal and i never had issues with it. do
> you think upgrading OS would resolve this issue ? It's been running fine
> since samba4 4.0 days with the "unchanged" conf files.
>
> adjusted the files to your suggestions
>
> /etc/hosts
>
> 127.0.0.1       localhost
> 10.18.66.5      pdc.wmpny.lan   pdc
>
> /etc/resolv.conf
>
> search wmpny.lan
> #domain wmpny.lan
> nameserver 10.18.66.5
>
> I just had it happen again today before i made your config file edits.
> Will
> fully update client OS (win10x64) and monitor.

Re: samba 4.5.0 strange windows 10 issue | incorrect password

Samba - General mailing list
In reply to this post by yabko
But please post the smb.conf, sanitize it if needed.
You didn't post it as requested and without it, it is only guessing..


samba4 4.0 days with the "unchanged" conf files.
So you didn't update to the latest defaults, I'm guessing..
This can be your problem.

And it's also possible you're missing cifs protocol thingies.
https://wiki.samba.org/index.php/LinuxCIFSKernel 
What is your running kernel?


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of yabko via samba
> Sent: Tuesday 18 October 2016 16:30
> To: [hidden email]
> Subject: Re: [Samba] samba 4.5.0 strange windows 10 issue | incorrect
> password
>
> hi Rowland
>
> domain is wmpny.lan not .local, so i made the changes to the files where
> you
> caught the mismatch
>
> i know squeeze is EOL but it's internal and i never had issues with it. do
> you think upgrading OS would resolve this issue ? It's been running fine
> since samba4 4.0 days with the "unchanged" conf files.
>
> adjusted the files to your suggestions
>
> /etc/hosts
>
> 127.0.0.1       localhost
> 10.18.66.5      pdc.wmpny.lan   pdc
>
> /etc/resolv.conf
>
> search wmpny.lan
> #domain wmpny.lan
> nameserver 10.18.66.5
>
> I just had it happen again today before i made your config file edits.
> Will
> fully update client OS (win10x64) and monitor.

Re: samba 4.5.0 strange windows 10 issue | incorrect password

yabko
In reply to this post by Samba - General mailing list
avahi is not running

Re: samba 4.5.0 strange windows 10 issue | incorrect password

yabko
smb.conf

[global]
        workgroup = WMPNY
        realm = WMPNY.LAN
        netbios name = PDC
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
#167.206.112.138
        log file = /var/log/samba/samba.log
        max log size = 10000
        log level = 3
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        lanman auth = yes
        ntlm auth = yes
        raw NTLMv2 auth = yes

        allow dns updates = nonsecure

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/wmpny.lan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[profiles]
        path = /usr/local/samba/var/profiles
        read only = No

[home]
        path = /home/home
        read only = No
        vfs objects = acl_xattr recycle
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:maxsize = 1073741824


uname -r

2.6.32-5-amd64

when i said unchanged config files i meant the changes Rowland suggested. it's been running with the "bad" values he pointed out for a while now.

Re: samba 4.5.0 strange windows 10 issue | incorrect password

Samba - General mailing list

See inline comments:

On Tue, 18 Oct 2016 07:49:39 -0700 (PDT)
yabko via samba <[hidden email]> wrote:

> smb.conf
>
> [global]
>         workgroup = WMPNY
>         realm = WMPNY.LAN
>         netbios name = PDC
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
> #167.206.112.138
>         log file = /var/log/samba/samba.log
>         max log size = 10000
>         log level = 3
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = no
>         lanman auth = yes
>         ntlm auth = yes
>         raw NTLMv2 auth = yes

OK, I can understand adding 'ldap server require strong auth', but why
add 'lanman auth', 'ntlm auth' and 'raw NTLMv2 auth' if all your
clients are using windows 10 ?

>
>         allow dns updates = nonsecure
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/wmpny.lan/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> [profiles]
>         path = /usr/local/samba/var/profiles
>         read only = No
>
> [home]
>         path = /home/home
>         read only = No
>         vfs objects = acl_xattr recycle
>         recycle:keeptree = yes
>         recycle:versions = yes
>         recycle:maxsize = 1073741824
>
>
> uname -r
>
> 2.6.32-5-amd64

This is a very old kernel, if you were to upgrade to wheezy, you would
get 3.2

Rowland
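
The settings questioned above can be picked out of an smb.conf automatically. The following is an added example, not part of the original post and not Samba's own tooling; the sample is constructed (abridged) from the configuration quoted in the thread, and the list of values treated as relaxations is an assumption of this example.

```python
# Constructed sample input: abridged from the smb.conf posted in the thread.
SMB_CONF = """[global]
        workgroup = WMPNY
        realm = WMPNY.LAN
        netbios name = PDC
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
#167.206.112.138
        log level = 3
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        lanman auth = yes
        ntlm auth = yes
        raw NTLMv2 auth = yes

        allow dns updates = nonsecure

[home]
        path = /home/home
        read only = No
"""

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}

# Assumption of this example: (parameter, values flagged, what the value permits).
RELAXED = [
    ("lanman auth", TRUE, "LANMAN responses accepted"),
    ("ntlm auth", TRUE, "NTLMv1 responses accepted"),
    ("raw NTLMv2 auth", TRUE, "NTLMv2 accepted from SMB1 clients without SPNEGO"),
    ("ldap server require strong auth", FALSE, "unprotected LDAP binds accepted"),
    ("allow dns updates", {"nonsecure"}, "unauthenticated dynamic DNS updates accepted"),
]


def norm(name):
    """smb.conf parameter names ignore case and whitespace, so compare without them."""
    return "".join(name.split()).lower()


def parse_global(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")  # only the first '=' is significant
        if sep and section == "global":
            params[norm(name)] = value.strip()
    return params


def audit(text):
    """Return (parameter, value, reason) for each relaxed setting that is present."""
    params = parse_global(text)
    hits = []
    for name, flagged, reason in RELAXED:
        value = params.get(norm(name))
        if value is not None and value.lower() in flagged:
            hits.append((name, value, reason))
    return hits


if __name__ == "__main__":
    for name, value, reason in audit(SMB_CONF):
        print(f"{name} = {value}: {reason}")
```

Line continuations and include files are not handled; each setting is expected on one line of a single file.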


Re: samba 4.5.0 strange windows 10 issue | incorrect password

yabko
Rowland

Some of our older Network scanners scanning to samba shares (addc has few shares available) were using the old smb protocol so i've read that these settings had to be enabled for it to work. Since then i believe we've updated firmware on them to handle newer SMB protocols so i'll try to take these out and test again

I guess i'll have to update it first and see. I just don't want the upgrade process to break the samba. Would it be "safer" to create another DC and join rather than doing in place upgrade ?

Re: samba 4.5.0 strange windows 10 issue | incorrect password

Samba - General mailing list
On Tue, 18 Oct 2016 09:03:18 -0700 (PDT)
yabko via samba <[hidden email]> wrote:

> Rowland
>
> Some of our older Network scanners scanning to samba shares (addc has
> few shares available) were using the old smb protocol so i've read
> that these settings had to be enabled for it to work. Since then i
> believe we've updated firmware on them to handle newer SMB protocols
> so i'll try to take these out and test again
>
> I guess i'll have to update it first and see. I just don't want the
> upgrade process to break the samba. Would it be "safer" to create
> another DC and join rather than doing in place upgrade ?
>

It is perfectly safe to upgrade Samba in place, but it would be even
better to add another DC ;-)

Rowland



Re: samba 4.5.0 strange windows 10 issue | incorrect password

yabko
i meant upgrading the OS (squeeze) that samba4 is compiled on, rather than installing new OS (jessie) with samba4 on and joining as new DC. if i go with another DC route would it matter if samba4 is compiled or installed from a package or should i compile it like on the first initial DC?

Re: samba 4.5.0 strange windows 10 issue | incorrect password

Samba - General mailing list
On Tue, 18 Oct 2016 09:38:31 -0700 (PDT)
yabko via samba <[hidden email]> wrote:

> i meant upgrading the OS (squeeze) that samba4 is compiled on, rather
> than installing new OS (jessie) with samba4 on and joining as new DC.
> if i go with another DC route would it matter if samba4 is compiled
> or installed from a package or should i compile it like on the first
> initial DC?
>

Sorry, in that case I would go with a new DC and compile Samba
yourself, that way you will get a supported OS and an up to date Samba.

Rowland




Re: Can Logon & Join NT4-style Domain, Can't Change Password

Samba - General mailing list
In reply to this post by Samba - General mailing list
The following article by Microsoft was updated on 2016-10-14: https://support.microsoft.com/en-us/kb/3167679

It acknowledges the problem and proposes to set a registry key to enable NTLM authentication. For the details see paragraph "Known issue 7" in the article linked above.

- Under "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
- Create the key "NegoAllowNtlmPwdChangeFallback" and set its value to 1

So far it works on some of our machines, we haven't tested it extensively.

Re: Can Logon & Join NT4-style Domain, Can't Change Password

yabko
Thank you Rowland, I'll check the kb article. hopefully MS addresses the problem

as far as adding another DC would having the errors that dbcheck couldn't fix be a problem ?

http://samba.2283325.n4.nabble.com/4-5-0-upgrade-samba-tool-dbcheck-errors-td4708101.html#a4708200

it's supposed to be fixed in the next release but my question is if these errors would prevent from adding another DC