Bug#1052245: SMB authentication failure against main server



Package: debian-edu-config
Version: 2.12.36

Currently, it is not possible with either gvfs or smbclient to access a user's
home directory due to an authentication failure.

$ klist
Ticket cache: FILE:/tmp/krb5cc_1003_X8fbPu
Default principal: gber@INTERN

Valid starting     Expires            Service principal
09/19/23 13:12:44  09/19/23 23:12:44  krbtgt/INTERN@INTERN
	renew until 09/20/23 13:12:44
09/19/23 13:13:16  09/19/23 23:12:44  cifs/tjener.intern@INTERN
	renew until 09/20/23 13:12:44

$ smbclient -d 99 --use-kerberos=required -U 'TJENER\gber' '\\tjener.intern\homes\'
INFO: Current debug levels:
  all: 99
  tdb: 99
  printdrivers: 99
  lanman: 99
  smb: 99
  rpc_parse: 99
  rpc_srv: 99
  rpc_cli: 99
  passdb: 99
  sam: 99
  auth: 99
  winbind: 99
  vfs: 99
  idmap: 99
  quota: 99
  acls: 99
  locking: 99
  msdfs: 99
  dmapi: 99
  registry: 99
  scavenger: 99
  dns: 99
  ldb: 99
  tevent: 99
  auth_audit: 99
  auth_json_audit: 99
  kerberos: 99
  drs_repl: 99
  smb2: 99
  smb2_credits: 99
  dsdb_audit: 99
  dsdb_json_audit: 99
  dsdb_password_audit: 99
  dsdb_password_json_audit: 99
  dsdb_transaction_audit: 99
  dsdb_transaction_json_audit: 99
  dsdb_group_audit: 99
  dsdb_group_json_audit: 99
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 99
  tdb: 99
  printdrivers: 99
  lanman: 99
  smb: 99
  rpc_parse: 99
  rpc_srv: 99
  rpc_cli: 99
  passdb: 99
  sam: 99
  auth: 99
  winbind: 99
  vfs: 99
  idmap: 99
  quota: 99
  acls: 99
  locking: 99
  msdfs: 99
  dmapi: 99
  registry: 99
  scavenger: 99
  dns: 99
  ldb: 99
  tevent: 99
  auth_audit: 99
  auth_json_audit: 99
  kerberos: 99
  drs_repl: 99
  smb2: 99
  smb2_credits: 99
  dsdb_audit: 99
  dsdb_json_audit: 99
  dsdb_password_audit: 99
  dsdb_password_json_audit: 99
  dsdb_transaction_audit: 99
  dsdb_transaction_json_audit: 99
  dsdb_group_audit: 99
  dsdb_group_json_audit: 99
Processing section "[global]"
doing parameter workgroup = skolelinux
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=10.0.2.20 bcast=10.255.255.255 netmask=255.0.0.0
Password for [TJENER\gber]:Client started (version 4.17.10-Debian).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /skole/tjener/home0/gber/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up tjener.intern#20 (sitename (null))
namecache_fetch: name tjener.intern#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
samba_tevent: Added timed event "tevent_req_timedout": 0x55612aa9f2b0
Connecting to 10.0.2.2 at port 445
samba_tevent: Added timed event "tevent_req_timedout": 0x55612aa9fb50
samba_tevent: Added timed event "tevent_req_timedout": 0x55612aa87d00
samba_tevent: Destroying timer event 0x55612aa9f2b0 "tevent_req_timedout"
samba_tevent: Destroying timer event 0x55612aa9fb50 "tevent_req_timedout"
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
samba_tevent: Destroying timer event 0x55612aa87d00 "tevent_req_timedout"
 session request ok
samba_tevent: Added timed event "tevent_req_timedout": 0x55612aa986f0
samba_tevent: Schedule immediate event "tevent_req_trigger": 0x55612aa9ed60
samba_tevent: Cancel immediate event 0x55612aa9ed60 "tevent_req_trigger"
samba_tevent: Schedule immediate event "tevent_req_trigger": 0x55612aa9ed60
samba_tevent: Run immediate event "tevent_req_trigger": 0x55612aa9ed60
samba_tevent: Destroying timer event 0x55612aa986f0 "tevent_req_timedout"
samba_tevent: Schedule immediate event "tevent_req_trigger": 0x55612aaa0cd0
samba_tevent: Run immediate event "tevent_req_trigger": 0x55612aaa0cd0
 negotiated dialect[SMB3_11] against server[tjener.intern]
cli_session_setup_spnego_send: Connect to tjener.intern as gber@TJENER using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
samba_tevent: Schedule immediate event "tevent_req_trigger": 0x55612aa9fa10
gensec_update_send: gse_krb5[0x55612aaa0ad0]: subreq: 0x55612aa9f920
gensec_update_send: spnego[0x55612aa9e7c0]: subreq: 0x55612aaa3610
samba_tevent: Run immediate event "tevent_req_trigger": 0x55612aa9fa10
gensec_update_done: gse_krb5[0x55612aaa0ad0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55612aa9f920/../../source3/librpc/crypto/gse.c:895]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x55612aa9fae0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:906]
gensec_update_done: spnego[0x55612aa9e7c0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55612aaa3610/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x55612aaa37d0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
samba_tevent: Added timed event "tevent_req_timedout": 0x55612aa986f0
samba_tevent: Schedule immediate event "tevent_req_trigger": 0x55612aaadc30
samba_tevent: Cancel immediate event 0x55612aaadc30 "tevent_req_trigger"
samba_tevent: Schedule immediate event "tevent_req_trigger": 0x55612aaadc30
samba_tevent: Run immediate event "tevent_req_trigger": 0x55612aaadc30
samba_tevent: Destroying timer event 0x55612aa986f0 "tevent_req_timedout"
samba_tevent: Schedule immediate event "tevent_req_trigger": 0x55612aaad6a0
samba_tevent: Run immediate event "tevent_req_trigger": 0x55612aaad6a0
SPNEGO login failed: An invalid parameter was passed to a service or function.

session setup failed: NT_STATUS_INVALID_PARAMETER

The samba log on tjener:

[2023/09/19 14:04:01.336794,  5] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
  make_auth3_context_for_ntlm: Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2023/09/19 14:04:01.336861,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend anonymous
[2023/09/19 14:04:01.336882,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method 'anonymous'
[2023/09/19 14:04:01.336893,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend sam
[2023/09/19 14:04:01.336901,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method 'sam'
[2023/09/19 14:04:01.336908,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend sam_ignoredomain
[2023/09/19 14:04:01.336914,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method 'sam_ignoredomain'
[2023/09/19 14:04:01.336922,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend sam_netlogon3
[2023/09/19 14:04:01.336929,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method 'sam_netlogon3'
[2023/09/19 14:04:01.336935,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend winbind
[2023/09/19 14:04:01.336942,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method 'winbind'
[2023/09/19 14:04:01.336950,  5] ../../source3/auth/auth.c:52(smb_register_auth)
  Attempting to register auth backend unix
[2023/09/19 14:04:01.336961,  5] ../../source3/auth/auth.c:64(smb_register_auth)
  Successfully added auth method 'unix'
[2023/09/19 14:04:01.336969,  5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2023/09/19 14:04:01.336978,  5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2023/09/19 14:04:01.336985,  5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2023/09/19 14:04:01.336991,  5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/19 14:04:01.338828,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2023/09/19 14:04:01.338852,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2023/09/19 14:04:01.338862,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2023/09/19 14:04:01.338870,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'spnego' registered
[2023/09/19 14:04:01.338878,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'schannel' registered
[2023/09/19 14:04:01.338887,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'ncalrpc_as_system' registered
[2023/09/19 14:04:01.338895,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2023/09/19 14:04:01.338903,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2023/09/19 14:04:01.338911,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2023/09/19 14:04:01.338919,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_basic' registered
[2023/09/19 14:04:01.338927,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2023/09/19 14:04:01.338935,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2023/09/19 14:04:01.338945,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'krb5' registered
[2023/09/19 14:04:01.338954,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2023/09/19 14:04:01.339044,  5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2023/09/19 14:04:01.339083,  5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
  Starting GENSEC submechanism ntlmssp
[2023/09/19 14:04:01.342752,  5] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
  make_auth3_context_for_ntlm: Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2023/09/19 14:04:01.342788,  5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2023/09/19 14:04:01.342801,  5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2023/09/19 14:04:01.342811,  5] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2023/09/19 14:04:01.342820,  5] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/19 14:04:01.342873,  5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2023/09/19 14:04:01.342936,  1] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
[2023/09/19 14:04:01.342972,  5] ../../auth/gensec/gensec.c:534(gensec_update_done)
  gensec_update_done: spnego[0x5618c5c0b850]: NT_STATUS_INVALID_PARAMETER

-- 
Guido Berhoerster

