
#1052245 - SMB authentication failure against main server - Debian Bug report logs

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html><head> <link rel="icon" href="/favicon.png"> <title>#1052245 - SMB authentication failure against main server - Debian Bug report logs</title> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="stylesheet" href="/css/bugs.css" type="text/css"> <link rel="canonical" href="&lt;a href=&quot;bugreport.cgi?bug=1052245&quot;&gt;1052245&lt;/a&gt;"> <script type="text/javascript"> <!-- function toggle_infmessages() { allDivs=document.getElementsByTagName("div"); for (var i = 0 ; i < allDivs.length ; i++ ) { if (allDivs[i].className == "infmessage") { allDivs[i].style.display=(allDivs[i].style.display == 'none' | allDivs[i].style.display == '') ? 'block' : 'none'; } } } --> </script> </head> <body> <h1>Debian Bug report logs - <a href="mailto:1052245@bugs.debian.org">#1052245</a><br> SMB authentication failure against main server</h1> <div class="versiongraph"><a href="version.cgi?found=debian-edu-config%2F2.12.36;info=1;collapse=1;package=debian-edu-config;absolute=0"><img alt="version graph" src="version.cgi?found=debian-edu-config%2F2.12.36;absolute=0;width=2;collapse=1;package=debian-edu-config;height=2"></a></div> <div class="pkginfo"> <p>Package: <a class="submitter" href="pkgreport.cgi?package=debian-edu-config">debian-edu-config</a>; Maintainer for <a href="pkgreport.cgi?package=debian-edu-config">debian-edu-config</a> is <a href="pkgreport.cgi?maint=debian-edu%40lists.debian.org">Debian Edu Developers &lt;debian-edu@lists.debian.org&gt;</a>; Source for <a href="pkgreport.cgi?package=debian-edu-config">debian-edu-config</a> is <a href="pkgreport.cgi?src=debian-edu-config">src:debian-edu-config</a> (<a href="https://tracker.debian.org/pkg/debian-edu-config">PTS</a>, <a href="https://buildd.debian.org/debian-edu-config">buildd</a>, <a 
href="https://qa.debian.org/popcon.php?package=debian-edu-config">popcon</a>). </p> </div> <div class="buginfo"> <p>Reported by: <a href="pkgreport.cgi?submitter=guido%40berhoerster.name">Guido Berhoerster &lt;guido@berhoerster.name&gt;</a></p> <p>Date: Tue, 19 Sep 2023 12:10:01 UTC</p> <p>Severity: normal</p> <p></p> <p>Found in version debian-edu-config/2.12.36</p> </div> <p><a href="mailto:1052245@bugs.debian.org">Reply</a> or <a href="mailto:1052245-subscribe@bugs.debian.org">subscribe</a> to this bug.</p> <p><input id="uselessmesages" type="checkbox"><label for="uselessmessages">Display info messages</label></p><div class="msgreceived"><p>View this report as an <a href="bugreport.cgi?bug=1052245;mbox=yes">mbox folder</a>, <a href="bugreport.cgi?bug=1052245;mbox=yes;mboxstatus=yes">status mbox</a>, <a href="bugreport.cgi?bug=1052245;mbox=yes;mboxmaint=yes">maintainer mbox</a></p></div> <div class="infmessage"><hr><p> <a name="1"></a> <!-- request_addr: debian-bugs-dist@lists.debian.org, Debian Edu Developers &lt;debian-edu@lists.debian.org&gt; --> <!-- time:1695125403 --> <strong>Report forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, Debian Edu Developers &lt;debian-edu@lists.debian.org&gt;</code>:<br> <code>Bug#1052245</code>; Package <code>debian-edu-config</code>. (Tue, 19 Sep 2023 12:10:03 GMT) (<a href="bugreport.cgi?bug=1052245;msg=2">full text</a>, <a href="bugreport.cgi?bug=1052245;mbox=yes;msg=2">mbox</a>, <a href="#1">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="3"></a> <!-- request_addr: Guido Berhoerster &lt;guido@berhoerster.name&gt; --> <!-- time:1695125403 --> <strong>Acknowledgement sent</strong> to <code>Guido Berhoerster &lt;guido@berhoerster.name&gt;</code>:<br> New Bug report received and forwarded. Copy sent to <code>Debian Edu Developers &lt;debian-edu@lists.debian.org&gt;</code>. 
(Tue, 19 Sep 2023 12:10:03 GMT) (<a href="bugreport.cgi?bug=1052245;msg=4">full text</a>, <a href="bugreport.cgi?bug=1052245;mbox=yes;msg=4">mbox</a>, <a href="#3">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="5"></a><a name="msg5"></a><a href="#5">Message #5</a> received at submit@bugs.debian.org (<a href="bugreport.cgi?bug=1052245;msg=5">full text</a>, <a href="bugreport.cgi?bug=1052245;mbox=yes;msg=5">mbox</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=guido%40berhoerster.name" alt=""> <div class="header"><span class="headerfield">From:</span> Guido Berhoerster &lt;guido@berhoerster.name&gt;</div> <div class="header"><span class="headerfield">To:</span> submit@bugs.debian.org</div> <div class="header"><span class="headerfield">Subject:</span> SMB authentication failure against main server</div> <div class="header"><span class="headerfield">Date:</span> Tue, 19 Sep 2023 14:08:33 +0200</div> </div> <pre class="message">Package: debian-edu-config
Version: 2.12.36

Currently, it is not possible with either gvfs or smbclient to access a user&#39;s home
directory due to an authentication failure.

$ klist
Ticket cache: FILE:/tmp/krb5cc_1003_X8fbPu
Default principal: gber@INTERN

Valid starting     Expires            Service principal
09/19/23 13:12:44  09/19/23 23:12:44  krbtgt/INTERN@INTERN
        renew until 09/20/23 13:12:44
09/19/23 13:13:16  09/19/23 23:12:44  cifs/tjener.intern@INTERN
        renew until 09/20/23 13:12:44

$ smbclient -d 99 --use-kerberos=required -U &#39;TJENER\gber&#39; &#39;\\tjener.intern\homes\&#39;
INFO: Current debug levels:
  all: 99
  tdb: 99
  printdrivers: 99
  lanman: 99
  smb: 99
  rpc_parse: 99
  rpc_srv: 99
  rpc_cli: 99
  passdb: 99
  sam: 99
  auth: 99
  winbind: 99
  vfs: 99
  idmap: 99
  quota: 99
  acls: 99
  locking: 99
  msdfs: 99
  dmapi: 99
  registry: 99
  scavenger: 99
  dns: 99
  ldb: 99
  tevent: 99
  auth_audit: 99
  auth_json_audit: 99
  kerberos: 99
  drs_repl: 99
  smb2: 99
  smb2_credits: 99
  dsdb_audit: 99
  dsdb_json_audit: 99
  dsdb_password_audit: 99
  dsdb_password_json_audit: 99
  dsdb_transaction_audit: 99
  dsdb_transaction_json_audit: 99
  dsdb_group_audit: 99
  dsdb_group_json_audit: 99
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 99
  tdb: 99
  printdrivers: 99
  lanman: 99
  smb: 99
  rpc_parse: 99
  rpc_srv: 99
  rpc_cli: 99
  passdb: 99
  sam: 99
  auth: 99
  winbind: 99
  vfs: 99
  idmap: 99
  quota: 99
  acls: 99
  locking: 99
  msdfs: 99
  dmapi: 99
  registry: 99
  scavenger: 99
  dns: 99
  ldb: 99
  tevent: 99
  auth_audit: 99
  auth_json_audit: 99
  kerberos: 99
  drs_repl: 99
  smb2: 99
  smb2_credits: 99
  dsdb_audit: 99
  dsdb_json_audit: 99
  dsdb_password_audit: 99
  dsdb_password_json_audit: 99
  dsdb_transaction_audit: 99
  dsdb_transaction_json_audit: 99
  dsdb_group_audit: 99
  dsdb_group_json_audit: 99
Processing section &quot;[global]&quot;
doing parameter workgroup = skolelinux
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn&#39;t find homes
added interface eth0 ip=10.0.2.20 bcast=10.255.255.255 netmask=255.0.0.0
Password for [TJENER\gber]:Client started (version 4.17.10-Debian).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /skole/tjener/home0/gber/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm &#39;&#39;
internal_resolve_name: looking up tjener.intern#20 (sitename (null))
namecache_fetch: name tjener.intern#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
samba_tevent: Added timed event &quot;tevent_req_timedout&quot;: 0x55612aa9f2b0
Connecting to 10.0.2.2 at port 445
samba_tevent: Added timed event &quot;tevent_req_timedout&quot;: 0x55612aa9fb50
samba_tevent: Added timed event &quot;tevent_req_timedout&quot;: 0x55612aa87d00
samba_tevent: Destroying timer event 0x55612aa9f2b0 &quot;tevent_req_timedout&quot;
samba_tevent: Destroying timer event 0x55612aa9fb50 &quot;tevent_req_timedout&quot;
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
samba_tevent: Destroying timer event 0x55612aa87d00 &quot;tevent_req_timedout&quot;
session request ok
samba_tevent: Added timed event &quot;tevent_req_timedout&quot;: 0x55612aa986f0
samba_tevent: Schedule immediate event &quot;tevent_req_trigger&quot;: 0x55612aa9ed60
samba_tevent: Cancel immediate event 0x55612aa9ed60 &quot;tevent_req_trigger&quot;
samba_tevent: Schedule immediate event &quot;tevent_req_trigger&quot;: 0x55612aa9ed60
samba_tevent: Run immediate event &quot;tevent_req_trigger&quot;: 0x55612aa9ed60
samba_tevent: Destroying timer event 0x55612aa986f0 &quot;tevent_req_timedout&quot;
samba_tevent: Schedule immediate event &quot;tevent_req_trigger&quot;: 0x55612aaa0cd0
samba_tevent: Run immediate event &quot;tevent_req_trigger&quot;: 0x55612aaa0cd0
negotiated dialect[SMB3_11] against server[tjener.intern]
cli_session_setup_spnego_send: Connect to tjener.intern as gber@TJENER using SPNEGO
GENSEC backend &#39;gssapi_spnego&#39; registered
GENSEC backend &#39;gssapi_krb5&#39; registered
GENSEC backend &#39;gssapi_krb5_sasl&#39; registered
GENSEC backend &#39;spnego&#39; registered
GENSEC backend &#39;schannel&#39; registered
GENSEC backend &#39;ncalrpc_as_system&#39; registered
GENSEC backend &#39;sasl-EXTERNAL&#39; registered
GENSEC backend &#39;ntlmssp&#39; registered
GENSEC backend &#39;ntlmssp_resume_ccache&#39; registered
GENSEC backend &#39;http_basic&#39; registered
GENSEC backend &#39;http_ntlm&#39; registered
GENSEC backend &#39;http_negotiate&#39; registered
GENSEC backend &#39;krb5&#39; registered
GENSEC backend &#39;fake_gssapi_krb5&#39; registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
samba_tevent: Schedule immediate event &quot;tevent_req_trigger&quot;: 0x55612aa9fa10
gensec_update_send: gse_krb5[0x55612aaa0ad0]: subreq: 0x55612aa9f920
gensec_update_send: spnego[0x55612aa9e7c0]: subreq: 0x55612aaa3610
samba_tevent: Run immediate event &quot;tevent_req_trigger&quot;: 0x55612aa9fa10
gensec_update_done: gse_krb5[0x55612aaa0ad0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55612aa9f920/../../source3/librpc/crypto/gse.c:895]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x55612aa9fae0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:906]
gensec_update_done: spnego[0x55612aa9e7c0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55612aaa3610/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55612aaa37d0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
samba_tevent: Added timed event &quot;tevent_req_timedout&quot;: 0x55612aa986f0
samba_tevent: Schedule immediate event &quot;tevent_req_trigger&quot;: 0x55612aaadc30
samba_tevent: Cancel immediate event 0x55612aaadc30 &quot;tevent_req_trigger&quot;
samba_tevent: Schedule immediate event &quot;tevent_req_trigger&quot;: 0x55612aaadc30
samba_tevent: Run immediate event &quot;tevent_req_trigger&quot;: 0x55612aaadc30
samba_tevent: Destroying timer event 0x55612aa986f0 &quot;tevent_req_timedout&quot;
samba_tevent: Schedule immediate event &quot;tevent_req_trigger&quot;: 0x55612aaad6a0
samba_tevent: Run immediate event &quot;tevent_req_trigger&quot;: 0x55612aaad6a0
SPNEGO login failed: An invalid parameter was passed to a service or function.
session setup failed: NT_STATUS_INVALID_PARAMETER

The samba log on tjener:

[2023/09/19 14:04:01.336794,  5] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
  make_auth3_context_for_ntlm: Making default auth method list for server role = &#39;standalone server&#39;, encrypt passwords = yes
[2023/09/19 14:04:01.336861,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend anonymous
[2023/09/19 14:04:01.336882,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method &#39;anonymous&#39;
[2023/09/19 14:04:01.336893,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend sam
[2023/09/19 14:04:01.336901,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method &#39;sam&#39;
[2023/09/19 14:04:01.336908,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend sam_ignoredomain
[2023/09/19 14:04:01.336914,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method &#39;sam_ignoredomain&#39;
[2023/09/19 14:04:01.336922,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend sam_netlogon3
[2023/09/19 14:04:01.336929,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method &#39;sam_netlogon3&#39;
[2023/09/19 14:04:01.336935,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend winbind
[2023/09/19 14:04:01.336942,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method &#39;winbind&#39;
[2023/09/19 14:04:01.336950,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend unix
[2023/09/19 14:04:01.336961,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method &#39;unix&#39;
[2023/09/19 14:04:01.336969,  5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2023/09/19 14:04:01.336978,  5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2023/09/19 14:04:01.336985,  5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2023/09/19 14:04:01.336991,  5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/19 14:04:01.338828,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;gssapi_spnego&#39; registered
[2023/09/19 14:04:01.338852,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;gssapi_krb5&#39; registered
[2023/09/19 14:04:01.338862,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;gssapi_krb5_sasl&#39; registered
[2023/09/19 14:04:01.338870,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;spnego&#39; registered
[2023/09/19 14:04:01.338878,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;schannel&#39; registered
[2023/09/19 14:04:01.338887,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;ncalrpc_as_system&#39; registered
[2023/09/19 14:04:01.338895,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;sasl-EXTERNAL&#39; registered
[2023/09/19 14:04:01.338903,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;ntlmssp&#39; registered
[2023/09/19 14:04:01.338911,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;ntlmssp_resume_ccache&#39; registered
[2023/09/19 14:04:01.338919,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;http_basic&#39; registered
[2023/09/19 14:04:01.338927,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;http_ntlm&#39; registered
[2023/09/19 14:04:01.338935,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;http_negotiate&#39; registered
[2023/09/19 14:04:01.338945,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;krb5&#39; registered
[2023/09/19 14:04:01.338954,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;fake_gssapi_krb5&#39; registered
[2023/09/19 14:04:01.339044,  5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2023/09/19 14:04:01.339083,  5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
  Starting GENSEC submechanism ntlmssp
[2023/09/19 14:04:01.342752,  5] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
  make_auth3_context_for_ntlm: Making default auth method list for server role = &#39;standalone server&#39;, encrypt passwords = yes
[2023/09/19 14:04:01.342788,  5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2023/09/19 14:04:01.342801,  5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2023/09/19 14:04:01.342811,  5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2023/09/19 14:04:01.342820,  5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/19 14:04:01.342873,  5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2023/09/19 14:04:01.342936,  1] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
[2023/09/19 14:04:01.342972,  5] ../../auth/gensec/gensec.c:534(gensec_update_done)
  gensec_update_done: spnego[0x5618c5c0b850]: NT_STATUS_INVALID_PARAMETER

-- 
Guido Berhoerster
</pre> <div class="infmessage"><hr><p> <a name="6"></a> <!-- request_addr: debian-bugs-dist@lists.debian.org, Debian Edu Developers &lt;debian-edu@lists.debian.org&gt; --> <!-- time:1695735362 --> <strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, Debian Edu Developers &lt;debian-edu@lists.debian.org&gt;</code>:<br> <code>Bug#1052245</code>; Package <code>debian-edu-config</code>. (Tue, 26 Sep 2023 13:36:02 GMT) (<a href="bugreport.cgi?bug=1052245;msg=7">full text</a>, <a href="bugreport.cgi?bug=1052245;mbox=yes;msg=7">mbox</a>, <a href="#6">link</a>).</p></p></div> <div class="infmessage"><hr><p> <a name="8"></a> <!-- request_addr: Guido Berhoerster &lt;guido@berhoerster.name&gt; --> <!-- time:1695735362 --> <strong>Acknowledgement sent</strong> to <code>Guido Berhoerster &lt;guido@berhoerster.name&gt;</code>:<br> Extra info received and forwarded to list. Copy sent to <code>Debian Edu Developers &lt;debian-edu@lists.debian.org&gt;</code>. 
(Tue, 26 Sep 2023 13:36:02 GMT) (<a href="bugreport.cgi?bug=1052245;msg=9">full text</a>, <a href="bugreport.cgi?bug=1052245;mbox=yes;msg=9">mbox</a>, <a href="#8">link</a>).</p></p></div> <hr><p class="msgreceived"><a name="10"></a><a name="msg10"></a><a href="#10">Message #10</a> received at 1052245@bugs.debian.org (<a href="bugreport.cgi?bug=1052245;msg=10">full text</a>, <a href="bugreport.cgi?bug=1052245;mbox=yes;msg=10">mbox</a>):</p> <div class="headers"> <img src="/cgi-bin/libravatar.cgi?email=guido%40berhoerster.name" alt=""> <div class="header"><span class="headerfield">From:</span> Guido Berhoerster &lt;guido@berhoerster.name&gt;</div> <div class="header"><span class="headerfield">To:</span> 1052245@bugs.debian.org</div> <div class="header"><span class="headerfield">Subject:</span> Re: SMB authentication failure against main server</div> <div class="header"><span class="headerfield">Date:</span> Tue, 26 Sep 2023 15:33:06 +0200</div> </div> <pre class="message">So debugging this with Wireshark showed that during the SPNEGO negotiation,
server and client could not settle on a mutually supported authentication
mechanism. The server was only offering NTLMSSP while the client offers MS
KRB5/KRB5 (due to --use-kerberos=required).
The server needs to have &quot;kerberos method&quot; set to use the right keytab, for some reason &quot;system keytab&quot; does not work and I had to explicitly set kerberos method = dedicated keytab dedicated keytab file = /etc/krb5.keytab This allows SPNEGO negotiation to succeed but leads to the next error: [2023/09/26 15:21:29.755056, 5] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm) make_auth3_context_for_ntlm: Making default auth method list for server role = &#39;standalone server&#39;, encrypt passwords = yes [2023/09/26 15:21:29.755119, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend anonymous [2023/09/26 15:21:29.755141, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method &#39;anonymous&#39; [2023/09/26 15:21:29.755154, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend sam [2023/09/26 15:21:29.755164, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method &#39;sam&#39; [2023/09/26 15:21:29.755173, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend sam_ignoredomain [2023/09/26 15:21:29.755183, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method &#39;sam_ignoredomain&#39; [2023/09/26 15:21:29.755191, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend sam_netlogon3 [2023/09/26 15:21:29.755201, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method &#39;sam_netlogon3&#39; [2023/09/26 15:21:29.755210, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend winbind [2023/09/26 15:21:29.755219, 5] ../../source3/auth/auth.c:64(smb_register_auth) Successfully added auth method &#39;winbind&#39; [2023/09/26 15:21:29.755228, 5] ../../source3/auth/auth.c:52(smb_register_auth) Attempting to register auth backend unix [2023/09/26 15:21:29.755237, 5] 
../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method &#39;unix&#39;
[2023/09/26 15:21:29.755246, 5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2023/09/26 15:21:29.755276, 5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2023/09/26 15:21:29.755286, 5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2023/09/26 15:21:29.755296, 5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/26 15:21:29.757684, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;gssapi_spnego&#39; registered
[2023/09/26 15:21:29.757719, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;gssapi_krb5&#39; registered
[2023/09/26 15:21:29.757732, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;gssapi_krb5_sasl&#39; registered
[2023/09/26 15:21:29.757744, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;spnego&#39; registered
[2023/09/26 15:21:29.757754, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;schannel&#39; registered
[2023/09/26 15:21:29.757764, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;ncalrpc_as_system&#39; registered
[2023/09/26 15:21:29.757774, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;sasl-EXTERNAL&#39; registered
[2023/09/26 15:21:29.757784, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;ntlmssp&#39; registered
[2023/09/26 15:21:29.757793, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;ntlmssp_resume_ccache&#39; registered
[2023/09/26 15:21:29.757803, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;http_basic&#39; registered
[2023/09/26 15:21:29.757813, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;http_ntlm&#39; registered
[2023/09/26 15:21:29.757822, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;http_negotiate&#39; registered
[2023/09/26 15:21:29.757835, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;krb5&#39; registered
[2023/09/26 15:21:29.757853, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend &#39;fake_gssapi_krb5&#39; registered
[2023/09/26 15:21:29.757980, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2023/09/26 15:21:29.758031, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2023/09/26 15:21:29.767904, 5] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
  make_auth3_context_for_ntlm: Making default auth method list for server role = &#39;standalone server&#39;, encrypt passwords = yes
[2023/09/26 15:21:29.767924, 5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2023/09/26 15:21:29.767931, 5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2023/09/26 15:21:29.767936, 5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2023/09/26 15:21:29.767941, 5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/26 15:21:29.767971, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2023/09/26 15:21:29.768004, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2023/09/26 15:21:29.768378, 1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for [atest@INTERN] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE

This leads to a bug in Samba, based on false assumptions, which was
introduced in 2021 and makes it impossible to use MIT Kerberos
authentication with the standalone server role. There is a long thread on
the Samba list starting at
<a href="https://lists.samba.org/archive/samba/2023-April/244842.html">https://lists.samba.org/archive/samba/2023-April/244842.html</a>
about it; the actual cause is described by Andrew Bartlett from the Samba
team:

&gt; So I knew this would happen, sorry about that.
&gt;
&gt; When we did the big 2021 security fixes, we strictly set a line between
&gt; &#39;AD has a PAC&#39; and &#39;MIT Krb5 (traditional) does not&#39;.
&gt;
&gt; This was meant to ensure that folks would not connect Samba as a
&gt; &#39;standalone&#39; server in an AD domain, bypassing the security mitigation
&gt; we put in place against the &#39;dollar ticket attack&#39; where users could
&gt; create an account called &#39;root$&#39; but print it as &#39;root&#39;.
&gt;
&gt; The problem is that subsequent to that, I saw that the MIT folks
&gt; decided to always issue a PAC, just without the LOGON_INFO
&gt; component. Samba doesn&#39;t do well with that, and a fix is needed both
&gt; in this code and in winbindd to change the test from &#39;has a PAC&#39; to &#39;has a PAC with LOGON_INFO&#39;.

(see <a href="https://lists.samba.org/archive/samba/2023-April/244999.html">https://lists.samba.org/archive/samba/2023-April/244999.html</a>)

So if we don&#39;t want to set up an AD DC we will probably not be able to
use Kerberos authentication with our current setup.

--
Guido Berhoerster
</pre>
<hr>
<ADDRESS>Debian bug tracking system administrator &lt;<A HREF="mailto:owner@bugs.debian.org">owner@bugs.debian.org</A>&gt;.
Last modified: <!--timestamp-->Mon Feb 24 06:09:32 2025<!--end timestamp-->; Machine Name: <!--machinename-->buxtehude<!--machinename--> <P> <A HREF="https://www.debian.org/Bugs/">Debian Bug tracking system</A> </p> <p> Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from <a href="https://bugs.debian.org/debbugs-source/">https://bugs.debian.org/debbugs-source/</a>. </p> <p> Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors. </p> </ADDRESS> </body> </html>
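The change of test that Andrew Bartlett describes in the message above (from 'has a PAC' to 'has a PAC with LOGON_INFO'), as an added Python example that is not Samba's code and not part of the bug log: it reads the PAC buffer directory as laid out in MS-PAC and models both checks. The function names, the sample PACs and the buffer types chosen for them are constructed assumptions.

```python
import struct

PAC_TYPE_LOGON_INFO = 1  # MS-PAC ulType of the KERB_VALIDATION_INFO buffer


def pac_buffer_types(pac: bytes) -> list:
    """Return the ulType of each PAC_INFO_BUFFER listed in a PACTYPE blob."""
    if len(pac) < 8:
        raise ValueError("shorter than the PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unexpected PAC version %d" % version)
    if 8 + 16 * count > len(pac):
        raise ValueError("buffer directory runs past the end of the PAC")
    types = []
    for i in range(count):
        # PAC_INFO_BUFFER: ulType (u32), cbBufferSize (u32), Offset (u64)
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset % 8 or offset + size > len(pac):
            raise ValueError("buffer %d is misaligned or out of bounds" % i)
        types.append(ul_type)
    return types


def old_check_rejects(pac, standalone=True):
    """Model of the 2021 test (hypothetical name): any PAC at all means AD."""
    return standalone and pac is not None


def new_check_rejects(pac, standalone=True):
    """Model of the proposed test: only a PAC carrying LOGON_INFO means AD."""
    return (standalone and pac is not None
            and PAC_TYPE_LOGON_INFO in pac_buffer_types(pac))


def build_pac(types, body_len=8):
    """Constructed sample: a valid directory with zero-filled buffer bodies."""
    offset = 8 + 16 * len(types)
    directory = b""
    for t in types:
        directory += struct.pack("<IIQ", t, body_len, offset)
        offset += body_len
    return struct.pack("<II", len(types), 0) + directory + bytes(body_len * len(types))


# Constructed inputs; the buffer types listed are assumptions for illustration.
MIT_STYLE_PAC = build_pac([0x0A, 6, 7])    # client info + checksums, no LOGON_INFO
AD_STYLE_PAC = build_pac([1, 0x0A, 6, 7])  # LOGON_INFO present

if __name__ == "__main__":
    for name, pac in [("no PAC", None), ("MIT-style", MIT_STYLE_PAC), ("AD-style", AD_STYLE_PAC)]:
        print(name, "old:", old_check_rejects(pac), "new:", new_check_rejects(pac))
```

Under both models a PAC that carries LOGON_INFO is still refused in standalone mode, which is the property the 2021 mitigation was meant to keep; only the PAC without LOGON_INFO changes outcome.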
