Users can no longer log in to RHEL 6 systems using their Windows AD account after SMB1 has been disabled

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Samba-3.x with Winbind enrolled into a Windows AD domain

Issue

1. As a result of the WannaCrypt ransomware threat, we disabled the SMB1 protocol in our Windows Active Directory environment. After the change, users were not able to log in to Linux systems using their Windows AD account.

2. Joining new systems to the Active Directory domain no longer works and fails with the error NT_STATUS_CONNECTION_RESET.

Resolution

  • Red Hat recommends upgrading all affected systems to the current version of Red Hat Enterprise Linux 7.

    If an upgrade is not feasible, a possible workaround is to enable SMB1 again after Microsoft's Security Bulletin MS17-010 has been deployed.

  • When Samba's file-server functionality is not used and user authentication is based on Kerberos only, moving to SSSD with the AD backend is another option. This solution uses the adcli package to enroll the system into the Windows AD domain. Please note that SSSD does not support NTLMSSP.

Root Cause

While SMB2 is supported in Samba-3 on RHEL 6 for the Samba shares themselves, Winbind can only communicate over SMB1. When SMB1 is disabled on the Windows domain controllers, Winbind can no longer retrieve the user information required for authentication. RHEL 5 does not support SMB2 even for Samba shares.

Diagnostic Steps

When trying to join the AD domain after disabling SMB1 support, an NT_STATUS_CONNECTION_RESET error is seen:


[root@server ~]# net -d 10 ads join -U adminaccount -S addc.example.com
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter client signing = mandatory
doing parameter hosts allow = 127.
doing parameter restrict anonymous = 2
doing parameter passdb backend = tdbsam
doing parameter encrypt passwords = yes
doing parameter server string = Nothingness
doing parameter load printers = no
doing parameter smb passwd file = /etc/samba/passwd
doing parameter guest ok = no
doing parameter workgroup = MCW
doing parameter realm = EXAMPLE.COM
doing parameter security = ads
doing parameter idmap config * : backend = rid
doing parameter idmap config * : range = 16227216-33357931
doing parameter template shell = /bin/bash
doing parameter winbind use default domain = true
doing parameter winbind offline logon = true
doing parameter winbind enum users = no
doing parameter winbind enum groups = no
doing parameter allow trusted domains = no
doing parameter winbind offline logon = true
doing parameter winbind nested groups = yes
doing parameter winbind expand groups = 3
doing parameter server string = SAMBA
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter min protocol = SMB2
doing parameter max protocol = SMB2
doing parameter debuglevel = 10
doing parameter server signing = yes
doing parameter client signing = yes
doing parameter lanman auth = yes
doing parameter ntlm auth = yes
doing parameter client use spnego = yes
doing parameter client NTLMv2 auth = yes
doing parameter client ipc signing = auto
doing parameter ldap ssl ads = yes
doing parameter ldap ssl = start tls
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_MEMBER
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="SERVER"
added interface bond1:1 ip=xxx.xxx.xx6.225 bcast=xxx.xxx.255.255 netmask=255.255.0.0
added interface bond0 ip=xxx.xxx.xx2.211 bcast=xxx.xxx.xx2.255 netmask=255.255.255.128
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter adminaccount's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : 'addc.example.com'
            machine_name             : 'SERVER'
            domain_name              : *
                domain_name              : 'EXAMPLE.COM'
            account_ou               : NULL
            admin_account            : 'adminaccount'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
Connecting to host=addc.example.com
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for EXAMPLE.COM: "SIE-Production"
internal_resolve_name: looking up addc.example.com#20 (sitename SIE-Production)
Adding cache entry with key = NBT/addc.example.com#20 and timeout = Thu Jan  1 00:00:00 1970
 (-1495054631 seconds in the past)
no entry for addc.example.com#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name addc.example.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name addc.example.com<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
resolve_wins: Attempting wins lookup for name addc.example.com<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name addc.example.com<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for addc.example.com#20: xxx.xxx.xx3.3
Adding cache entry with key = NBT/addc.example.com#20 and timeout = Wed May 10 21:08:11 2017
 (660 seconds ahead)
internal_resolve_name: returning 1 addresses: xxx.xxx.xx3.3:0 
Running timed event "tevent_req_timedout" 0x7f6510035f10
Connecting to xxx.xxx.xx3.3 at port 445
Socket options:
     SO_KEEPALIVE = 0
     SO_REUSEADDR = 0
     SO_BROADCAST = 0
     TCP_NODELAY = 1
     TCP_KEEPCNT = 9
     TCP_KEEPIDLE = 7200
     TCP_KEEPINTVL = 75
     IPTOS_LOWDELAY = 0
     IPTOS_THROUGHPUT = 0
     SO_REUSEPORT = 0
     SO_SNDBUF = 19800
     SO_RCVBUF = 87380
     SO_SNDLOWAT = 1
     SO_RCVLOWAT = 1
     SO_SNDTIMEO = 0
     SO_RCVTIMEO = 0
     TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
failed negprot: NT_STATUS_CONNECTION_RESET
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : NULL
            dns_domain_name          : NULL
            forest_name              : NULL
            dn                       : NULL
            domain_sid               : NULL
                domain_sid               : (NULL SID)
            modified_config          : 0x00 (0)
            error_string             : 'failed to lookup DC info for domain 'EXAMPLE.COM' over rpc: NT_STATUS_CONNECTION_RESET'
            domain_is_ad             : 0x00 (0)
            result                   : WERR_NETNAME_DELETED
lang_tdb_init: /usr/lib64/samba/.msg: No such file or directory
Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.COM' over rpc: NT_STATUS_CONNECTION_RESET
return code = -1
[root@server ~]#
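The log above ends in "failed negprot: NT_STATUS_CONNECTION_RESET": the DC accepts the TCP connection on port 445 and then drops it as soon as the client offers only SMB1 dialects. Note that the smb.conf in the log already sets min protocol = SMB2 and max protocol = SMB2; in Samba 3 those options govern the smbd file server, while the client side in net and winbind still negotiates SMB1 only, which is exactly the Root Cause described above. The following Python 3 script is an added example, not part of the Red Hat article and not Samba code, that reproduces that negotiate from a workstation so an administrator can confirm which domain controllers have SMB1 switched off before or after a change. It sends two requests: an SMB1-only negotiate (what a Samba 3 client sends) and the same request with the "SMB 2.002" dialect added. A DC that resets the first but answers the second with an SMB2 header has SMB1 disabled and SMB2 available. The host name addc.example.com is taken from the log; the Flags/Flags2 values and the PID are constructed defaults, and the Python probe is an assumption about how to reproduce the failure, not something the article prescribes.

```python
import socket
import struct
import sys

# Constructed defaults for this example; addc.example.com is the DC name from the article's log.
DC_HOST = "addc.example.com"
SMB_PORT = 445

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_ONLY_DIALECTS = (b"NT LM 0.12",)
SMB1_PLUS_SMB2_DIALECTS = (b"NT LM 0.12", b"SMB 2.002")


def build_smb1_negotiate(dialects=SMB1_ONLY_DIALECTS):
    """Return an SMB1 NEGOTIATE request wrapped in a NetBIOS session header.

    Offering only "NT LM 0.12" mimics the SMB1-only negprot that a Samba 3
    client (net, winbind) sends; adding "SMB 2.002" lets an SMB2-capable
    server answer with an SMB2 header instead.
    """
    hdr = SMB1_MAGIC
    hdr += struct.pack("<B", SMB_COM_NEGOTIATE)    # Command
    hdr += struct.pack("<I", 0)                    # NT Status
    hdr += struct.pack("<B", 0x18)                 # Flags: canonical paths, case-insensitive (constructed)
    hdr += struct.pack("<H", 0xC853)               # Flags2: Unicode, NT status, ext. security, long names (constructed)
    hdr += struct.pack("<H", 0)                    # PIDHigh
    hdr += b"\x00" * 8                             # SecuritySignature (request is unsigned)
    hdr += struct.pack("<H", 0)                    # Reserved
    hdr += struct.pack("<HHHH", 0, 0xFEFF, 0, 0)   # TID, PID, UID, MID
    dialect_data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_data)) + dialect_data  # WordCount=0, ByteCount, dialects
    smb = hdr + body
    return struct.pack(">I", len(smb)) + smb       # NetBIOS session message: type 0x00 + 24-bit length


def classify_response(data):
    """Map the first bytes the server sent back to the protocol family it chose."""
    if not data:
        return "closed"                            # orderly close without a reply
    if len(data) < 8:
        return "unknown"
    magic = data[4:8]                              # skip the 4-byte NetBIOS session header
    if magic == SMB1_MAGIC:
        return "smb1"
    if magic == SMB2_MAGIC:
        return "smb2"
    return "unknown"


def probe(host=DC_HOST, port=SMB_PORT, dialects=SMB1_ONLY_DIALECTS, timeout=5.0):
    """Send one negotiate request and report the outcome as a short token.

    "reset" is the case behind the article: the DC drops the TCP connection on an
    SMB1-only negotiate, which Samba reports as NT_STATUS_CONNECTION_RESET.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                sock.sendall(build_smb1_negotiate(dialects))
                return classify_response(sock.recv(4096))
            except ConnectionResetError:
                return "reset"
            except socket.timeout:
                return "timeout"
    except OSError as exc:
        return "unreachable: %s" % exc


def interpret(smb1_only_result, mixed_result):
    """Combine the two probes into a one-line verdict about SMB1 on the DC."""
    if smb1_only_result == "smb1":
        return "SMB1 still enabled: Samba 3 winbind can negotiate with this DC"
    if smb1_only_result in ("reset", "closed") and mixed_result == "smb2":
        return ("SMB1 disabled, SMB2 available: Samba 3 winbind and net ads join "
                "will fail with NT_STATUS_CONNECTION_RESET")
    return "inconclusive: smb1-only=%s, smb1+smb2=%s" % (smb1_only_result, mixed_result)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DC_HOST
    smb1_only = probe(target, dialects=SMB1_ONLY_DIALECTS)
    mixed = probe(target, dialects=SMB1_PLUS_SMB2_DIALECTS)
    print("%s: %s" % (target, interpret(smb1_only, mixed)))
```

Run it as `python3 smb1_probe.py addc.example.com` from a host that can reach port 445 on the DC (Python 3 is required for the ConnectionResetError handling; RHEL 6's default Python 2.6 will not run it). The "reset" result for the SMB1-only request is the same condition the net ads join log shows, so the script is a quick way to verify that a DC is really SMB1-free after MS17-010 rollout, or to confirm which DC a still-working RHEL 6 member is silently relying on.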
