Bug 1121 - SPNEGO nego problem
Summary: SPNEGO nego problem
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: ntlm_auth tool (show other bugs)
Version: 3.0.1
Hardware: Other other
: P3 critical
Target Milestone: none
Assignee: Andrew Bartlett
QA Contact:
Depends on:
Reported: 2004-02-24 03:58 UTC by spurnelle
Modified: 2005-08-24 10:18 UTC (History)
0 users

See Also:

smbclient -d10 output (19.88 KB, text/plain)
2004-02-24 03:59 UTC, spurnelle
no flags Details
A ethereal trace between Samba Server and win2k server (libpcap format) (3.96 KB, application/octet-stream)
2004-02-24 04:00 UTC, spurnelle
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description spurnelle 2004-02-24 03:58:55 UTC
I ask you to answer about  question on my network :
Samba PDC 3.0.1 with ACL and LDAP.

We have on the network the samba server (nimda01) and some win2k server, 
all of win2k server are domain member of my Samba PDC.
On a win2k server, we have a DCOM application that have sometimes a 
The problem is : the server don't answer, no shared directory and no 
DCOM service are available.
But five minutes later, all services is available.

In samba.log, we can see a SPNEGO connexion problem (SMB_err = 49152).
All win2k server are patched to the last microsoft patch (SP4).

Is a samba problem, a windows problem, a network problem.


After E-mail discussion, I put a bug in bugzilla
Comment 1 spurnelle 2004-02-24 03:59:55 UTC
Created attachment 417 [details]
smbclient -d10 output
Comment 2 spurnelle 2004-02-24 04:00:52 UTC
Created attachment 418 [details]
A ethereal trace between Samba Server and win2k server (libpcap format)
Comment 3 spurnelle 2004-02-25 00:13:47 UTC
Some informations about my network : 
- Samba 3.0.1 PDC LDAP+ACL
- All workstation and the PDC have a connection to a WINS server (win2k server)
Comment 4 Andrew Bartlett 2004-02-25 00:44:21 UTC
Exactly what service packs, patches are running on each client and server?
Comment 5 spurnelle 2004-02-25 02:06:57 UTC
ALL servers and clients which run windows 2000 have Service Pack 4.
The latest patche of server with DCOM application is KB82088 (SP5).
But all servers and clients are blaster patches protected.
Comment 6 spurnelle 2004-02-25 03:04:07 UTC
What's mean : 

[2004/02/25 11:29:10, 10] lib/smbldap.c:smbldap_idle_fn(1091)
  ldap connection not connected...

I ask this question because in win2k event viewer, I have a netlogon message
that says "the machine trust account could not be changed because the relay
received bad data"  

BUT (in same log) : 

[2004/02/25 11:21:59, 10] lib/account_pol.c:account_policy_get(134)
  account_policy_get: maximum password age:-1
[2004/02/25 11:21:59, 10] lib/account_pol.c:account_policy_get(134)
  account_policy_get: minimum password age:0
[2004/02/25 11:21:59, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(1028, 221) : sec_ctx_stack_ndx = 1
[2004/02/25 11:21:59, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(675) : conn_ctx_stack_ndx = 0
[2004/02/25 11:21:59, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/02/25 11:21:59, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/02/25 11:21:59, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/02/25 11:21:59, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1370)
  ldapsam_update_sam_account: user corfin01$ to be modified has dn:
[2004/02/25 11:21:59, 2] passdb/pdb_ldap.c:init_ldap_from_sam(769)
  init_ldap_from_sam: Setting entry for user: corfin01$
[2004/02/25 11:21:59, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1403)
  ldapsam_update_sam_account: successfully modified uid = corfin01$ in the LDAP
Comment 7 spurnelle 2004-03-01 03:22:19 UTC
You can close the BUG.
I updated to samba 3.0.2a and the system work fine.
Comment 8 Andrew Bartlett 2004-03-01 03:43:04 UTC
Closed per request.  (I should have looked at the version number earlier, this
is a typical case of the 3.0.1 NTLMSSP bug)
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:18:01 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.