Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Samba-3.x with Winbind enrolled into a Windows AD domain
Issue
1. As a result of the WannaCrypt ransomware threat, we disabled the SMB1 protocol in our Windows Active Directory environment. After the change, users were no longer able to log in to Linux systems using their Windows AD accounts.
2. Joining new systems to the Active Directory domain no longer works and fails with the error NT_STATUS_CONNECTION_RESET.
Resolution
- Red Hat recommends upgrading all affected systems to the current version of Red Hat Enterprise Linux 7.
  If an upgrade is not feasible, a possible workaround is to re-enable SMB1 as a stop-gap once Microsoft Security Bulletin MS17-010 has been deployed on the Windows systems, until the Linux members can be upgraded.
- When Samba's file-server functionality is not used and user authentication is based on Kerberos only, moving to SSSD with the ad backend is another option. This solution uses the adcli package to enroll the system into the Windows AD domain. Note that SSSD does not support NTLMSSP, though.
Root Cause
While SMB2 is supported by Samba-3 on RHEL 6 for the Samba shares themselves, Winbind can only talk to the domain controllers over SMB1. When SMB1 is disabled on the Windows domain, winbind is no longer able to retrieve user information from the domain controllers, so authentication of AD accounts fails. RHEL 5 does not support SMB2 even for Samba shares.
Diagnostic Steps
When trying to join the AD domain after SMB1 support has been disabled on the domain controllers, an NT_STATUS_CONNECTION_RESET error is seen. The decisive line in the debug output is failed negprot: the TCP session to port 445 is established, but the domain controller resets it as soon as the SMB1 protocol negotiation (negprot) arrives, so the join never gets past the first request:
[root@server ~]# net -d 10 ads join -U adminaccount -S addc.example.com
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter client signing = mandatory
doing parameter hosts allow = 127.
doing parameter restrict anonymous = 2
doing parameter passdb backend = tdbsam
doing parameter encrypt passwords = yes
doing parameter server string = Nothingness
doing parameter load printers = no
doing parameter smb passwd file = /etc/samba/passwd
doing parameter guest ok = no
doing parameter workgroup = MCW
doing parameter realm = EXAMPLE.COM
doing parameter security = ads
doing parameter idmap config * : backend = rid
doing parameter idmap config * : range = 16227216-33357931
doing parameter template shell = /bin/bash
doing parameter winbind use default domain = true
doing parameter winbind offline logon = true
doing parameter winbind enum users = no
doing parameter winbind enum groups = no
doing parameter allow trusted domains = no
doing parameter winbind offline logon = true
doing parameter winbind nested groups = yes
doing parameter winbind expand groups = 3
doing parameter server string = SAMBA
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter min protocol = SMB2
doing parameter max protocol = SMB2
doing parameter debuglevel = 10
doing parameter server signing = yes
doing parameter client signing = yes
doing parameter lanman auth = yes
doing parameter ntlm auth = yes
doing parameter client use spnego = yes
doing parameter client NTLMv2 auth = yes
doing parameter client ipc signing = auto
doing parameter ldap ssl ads = yes
doing parameter ldap ssl = start tls
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_MEMBER
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="SERVER"
added interface bond1:1 ip=xxx.xxx.xx6.225 bcast=xxx.xxx.255.255 netmask=255.255.0.0
added interface bond0 ip=xxx.xxx.xx2.211 bcast=xxx.xxx.xx2.255 netmask=255.255.255.128
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter adminaccount's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : 'addc.example.com'
machine_name : 'SERVER'
domain_name : *
domain_name : 'EXAMPLE.COM'
account_ou : NULL
admin_account : 'adminaccount'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Connecting to host=addc.example.com
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for EXAMPLE.COM: "SIE-Production"
internal_resolve_name: looking up addc.example.com#20 (sitename SIE-Production)
Adding cache entry with key = NBT/addc.example.com#20 and timeout = Thu Jan 1 00:00:00 1970
(-1495054631 seconds in the past)
no entry for addc.example.com#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name addc.example.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name addc.example.com<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
resolve_wins: Attempting wins lookup for name addc.example.com<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name addc.example.com<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for addc.example.com#20: xxx.xxx.xx3.3
Adding cache entry with key = NBT/addc.example.com#20 and timeout = Wed May 10 21:08:11 2017
(660 seconds ahead)
internal_resolve_name: returning 1 addresses: xxx.xxx.xx3.3:0
Running timed event "tevent_req_timedout" 0x7f6510035f10
Connecting to xxx.xxx.xx3.3 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 19800
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
failed negprot: NT_STATUS_CONNECTION_RESET
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain 'EXAMPLE.COM' over rpc: NT_STATUS_CONNECTION_RESET'
domain_is_ad : 0x00 (0)
result : WERR_NETNAME_DELETED
lang_tdb_init: /usr/lib64/samba/.msg: No such file or directory
Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.COM' over rpc: NT_STATUS_CONNECTION_RESET
return code = -1
[root@server ~]#
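The failed negprot line above is the whole story: winbind's SMB1 NEGOTIATE is answered with a TCP reset instead of a dialect selection. The script below is an added example (it is not part of the Red Hat solution and not Samba code) that sends the same kind of SMB1 NEGOTIATE from any host with Python 3 and classifies what comes back, so you can confirm from outside Samba whether a DC still speaks SMB1 before and after the workaround. The NT1 dialect list, the frame layout, the constructed sample replies and the local RST listener used for the offline demo are the script's own assumptions; addc.example.com is the DC name from the log above.

```python
#!/usr/bin/env python3
"""Send the SMB1 (NT1) NEGOTIATE that an SMB1-only client such as Samba-3 winbind
sends and classify the answer. Usage: python3 smb1probe.py addc.example.com [port]"""
import errno
import socket
import struct
import sys
import threading

SMB_COM_NEGOTIATE = 0x72

# Dialects an SMB1-only client offers. There is no "SMB 2.???" entry, which is
# the whole problem: such a client has nothing to fall back to once SMB1 is gone.
NT1_DIALECTS = [
    b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
    b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12",
]


def build_smb1_negotiate(dialects=NT1_DIALECTS):
    """Return a NetBIOS-session-framed SMB_COM_NEGOTIATE request (32-byte SMB1 header)."""
    header = (
        b"\xffSMB"
        + struct.pack("<B", SMB_COM_NEGOTIATE)
        + struct.pack("<I", 0)                    # Status (unused in a request)
        + struct.pack("<B", 0x18)                 # Flags: canonical paths, case-insensitive
        + struct.pack("<H", 0xC853)               # Flags2: Unicode, NT status, ext. security
        + struct.pack("<H", 0)                    # PIDHigh
        + b"\x00" * 8                             # SecurityFeatures (no signing yet)
        + struct.pack("<H", 0)                    # Reserved
        + struct.pack("<HHHH", 0, 0xFEFF, 0, 0)   # TID, PIDLow, UID, MID
    )
    dialect_data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = header + struct.pack("<BH", 0, len(dialect_data)) + dialect_data
    # NetBIOS session message: type 0x00 followed by a 24-bit big-endian length.
    return struct.pack(">I", len(body)) + body


def parse_negotiate_response(raw, dialects=NT1_DIALECTS):
    """Classify a reply (NetBIOS header included) as an SMB1 or SMB2 NEGOTIATE response."""
    if len(raw) < 4:
        return ("short", None)
    body = raw[4:4 + (struct.unpack(">I", raw[:4])[0] & 0x00FFFFFF)]
    if body[:4] == b"\xffSMB" and len(body) >= 35:
        status = struct.unpack("<I", body[5:9])[0]
        if status:
            return ("smb1-error", "0x%08x" % status)
        idx = struct.unpack("<H", body[33:35])[0]          # DialectIndex follows WordCount
        if idx == 0xFFFF:
            return ("smb1-no-dialect", None)
        return ("smb1", dialects[idx].decode() if idx < len(dialects) else str(idx))
    if body[:4] == b"\xfeSMB" and len(body) >= 70:
        return ("smb2", "0x%04x" % struct.unpack("<H", body[68:70])[0])  # DialectRevision
    return ("unknown", None)


def probe_smb1(host, port=445, dialects=NT1_DIALECTS, timeout=5.0):
    """Send the NEGOTIATE; a TCP reset here is what Samba logs as NT_STATUS_CONNECTION_RESET."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate(dialects))
            raw = s.recv(4096)
    except socket.timeout:
        return ("timeout", None)
    except OSError as e:
        if e.errno in (errno.ECONNRESET, errno.EPIPE):
            return ("reset", None)
        raise
    if not raw:
        return ("closed", None)
    return parse_negotiate_response(raw, dialects)


def constructed_smb1_reply(dialect_index):
    """Constructed sample (not a capture): the start of an SMB1 NEGOTIATE response."""
    header = b"\xffSMB" + struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, 0x98, 0xC853) + b"\x00" * 20
    body = header + struct.pack("<BH", 17, dialect_index) + b"\x00" * 34  # other words zeroed
    return struct.pack(">I", len(body)) + body


def constructed_smb2_reply(dialect_revision):
    """Constructed sample (not a capture): SMB2 header plus the first NEGOTIATE fields."""
    header = b"\xfeSMB" + struct.pack("<HHIHHI", 64, 0, 0, 0, 1, 1) + b"\x00" * 44
    body = header + struct.pack("<HHH", 65, 2, dialect_revision)  # StructureSize, SecurityMode, Dialect
    return struct.pack(">I", len(body)) + body


def local_reset_demo():
    """Stand-in for a DC with SMB1 disabled: a listener that aborts every connection
    with a TCP RST (SO_LINGER with zero timeout). probe_smb1() should report "reset"."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    result = probe_smb1("127.0.0.1", srv.getsockname()[1])
    t.join(5)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("local demo:", local_reset_demo())
    else:
        print(probe_smb1(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 445))
```

A result of ("smb1", "NT LM 0.12") means the DC still negotiates SMB1, which is the state the MS17-010-plus-re-enable workaround restores; ("reset", None) or ("closed", None) is the condition in the log above. An SMB2 reply can only appear if the request offers an SMB2 dialect such as b"SMB 2.???" in the dialects list, which an SMB1-only winbind never does; that is exactly why upgrading to a Samba whose winbind negotiates SMB2 is the recommended fix.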