Troubleshooting Windows client unable to join a Samba 4 Active Directory (Logon failure: unknown user name or bad password)

Written by - 0 comments

Published on March 30th 2021 - Listed in Linux Windows Samba


While playing around with a setup where Samba 4 is running as a PDC (Primary Domain Controller) of a newly created domain EXAMPLE.COM, of course I wanted to test whether Windows clients would be able to join the Samba 4 managed domain.

The setup

The setup is not very complicated. As this is a test setup purely for my own education, it's all in the same 192.168.15.0/25 range. Samba was installed inside a LXC container running Ubuntu 20.04. Realm is set to EXAMPLE.COM, domain is example.com. Samba was set up following the official documentation and a more specific guide for Ubuntu machines (very helpful to differentiate between the different Systemd unit files!).

The domain controller was installed using a very basic samba-tool domain provision command without any special parameters.

The Windows client was installed as a virtual machine (using VMware Player) and bridged into the physical network.

Primary Domain Controller on Ubuntu 20.04 with Samba 4

It's worth to note that I ran into the problem where the Ubuntu LXC container started up not with my defined fixed IP address (in the container's config file) but rather with a DHCP address. This happens due to a problem in the netplan IP configuration package. This was fixed but the DHCP address stuck, too. So for a while and during the Domain provisioning the Ubuntu container temporarily had two ip addresses configured. Why this is important you will soon find out.

Windows 7 cannot join the EXAMPLE domain

Once the Windows 7 client was installed, it was time to change the computer settings and add the machine to the domain.

However the first attempt failed as the domain EXAMPLE could not be found. The reason for this was the Windows machine received DNS servers from the DHCP server which defines public DNS servers 1.1.1.1 and 8.8.8.8. To be able to join the domain, the client needs to use the domain controller as DNS server.

So this is obviously an easy fix. 

But the next attempt to join the domain still failed with the following error:

The following error occurred attempting to join the domain "EXAMPLE": Logon failure: unknown user name or bad password.

To join the domain I used the credentials of the "Administrator" user. The error would hint to a wrong password. But the password was triple-checked and was definitely correct. This can be verified by accessing the netlogon share on the domain controller:

root@focal:~# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter EXAMPLE\Administrator's password: [entered password]
  .                                   D        0  Tue Mar 30 08:16:53 2021
  ..                                  D        0  Tue Mar 30 08:16:57 2021

        10255636 blocks of size 1024. 8401408 blocks available

Log analysis

The first idea was that there could be a problem with the Samba DNS server (INTERNAL_DNS backend). Maybe the machine fails to register because it cannot be created in Samba's internal DNS server?

After setting log level = 3 in /etc/samba/smb.conf (global section), another domain join was tested. The following output was logged in /var/log/samba/log.samba:

 ==> log.samba <==
[2021/03/30 09:42:11.860552,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ Administrator@EXAMPLE.COM from ipv4:192.168.15.10:49265 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
[2021/03/30 09:42:11.862685,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2021/03/30 09:42:11.862712,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- Administrator@EXAMPLE.COM
[2021/03/30 09:42:11.862731,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- Administrator@EXAMPLE.COM
[2021/03/30 09:42:11.862759,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@EXAMPLE.COM
[2021/03/30 09:42:11.863202,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2021/03/30 09:42:11.870595,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ Administrator@EXAMPLE.COM from ipv4:192.168.15.10:49266 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
[2021/03/30 09:42:11.873167,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2021/03/30 09:42:11.873207,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- Administrator@EXAMPLE.COM
[2021/03/30 09:42:11.873225,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- Administrator@EXAMPLE.COM
[2021/03/30 09:42:11.873284,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@EXAMPLE.COM using aes256-cts-hmac-sha1-96
[2021/03/30 09:42:11.873327,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[Administrator@EXAMPLE.COM] at [Tue, 30 Mar 2021 09:42:11.873314 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.15.10:49266] became [EXAMPLE]\[Administrator] [S-1-5-21-2031982775-3412234441-723590836-500]. local host [NULL]
  {"timestamp": "2021-03-30T09:42:11.873370+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "f4940a1bcf532438", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.15.10:49266", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "Administrator@EXAMPLE.COM", "workstation": null, "becameAccount": "Administrator", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-2031982775-3412234441-723590836-500", "mappedAccount": "Administrator", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 2862}}
[2021/03/30 09:42:11.905040,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2021-03-30T09:42:11 starttime: unset endtime: 2021-03-30T19:42:11 renew till: 2021-04-06T09:42:11
[2021/03/30 09:42:11.905186,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2021/03/30 09:42:11.905232,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2021/03/30 09:42:11.905895,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[...]

The Samba Domain Controller received the Kerberos requests from the Windows client (using DHCP address 192.168.15.10). The authentication of Administrator worked correctly (NT_STATUS_OK) but then there was a NT_STATUS_CONNECTION_DISCONNECTED at the end. No real error indicating what was causing this. Windows then re-tried the domain join for another two attempts but then stopped and finally showed the already known error message.

The Setting up Samba as an Active Directory Domain Controller wiki page contains a section to validate DNS records. So I went through them:

root@focal:~# host -t SRV _ldap._tcp.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 focal.example.com.

root@focal:~# host -t SRV _kerberos._udp.example.com.
_kerberos._udp.example.com has SRV record 0 100 88 focal.example.com.

root@focal:~# host -t A focal.example.com.
focal.example.com has address 192.168.15.10
focal.example.com has address 192.168.15.192

And here we have the problem: The hostname focal.example.com points to two internal IP addresses. The static IP address configured in the LXC's config file 192.168.15.192 and the initial IP address obtained from DHCP (192.168.15.10) before the netplan fix was applied. No wonder there was a weird mixup when Windows tried to connect to the primary domain controller pointing to the same IP as is now used in the client (the freed DHCP IP went from the LXC container to the VM).

Fixing DNS record

Obviously the DNS entry needs to be fixed and the wrong A record (192.168.15.10) needs to be removed. To delete a DNS record in Samba's internal DNS server the samba-tool command with the dns sub-command is used.

This sub-command expects the following input:

samba-tool dns delete <Hostname or IP of DC> <zone> <record> <type> <value>

root@focal:~# samba-tool dns delete 192.168.15.192 example.com focal A 192.168.15.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:192.168.15.192[,sign]
Cannot do GSSAPI to an IP address
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
Password for [Administrator@EXAMPLE.COM]: [Entered password]
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Record deleted successfully

The record was deleted. Another host lookup now shows that only one IP address is returned for the focal hostname:

root@focal:~# host -t A focal.example.com.
focal.example.com has address 192.168.15.192

Windows 7 joining the domain

Now with the DNS entry fixed, it was time to try again. Would Windows 7 connect this time?

And yes, finally the client was able to join the domain:

Lesson learned

The preparations on the machine BEFORE running samba-tool domain provision are very important. Make sure to:

  • use a static IP address (disable DHCP)
  • adjust /etc/resolv.conf and point the single nameserver entry to itself (the static IP address used by the DC)
  • remove existing /etc/samba/smb.conf and /etc/krb5.conf config files
  • make sure the Samba services smbd, nmbd and winbind are stopped (Samba as a Domain Controller works differently, using samba as daemon) and disabled in Systemd
  • get used to the Systemd unit file samba-ad-dc


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.