If on the RWDCs "restrict anonymous = 2" is set, the communication of a RODC fails. If I try to auth a user with wbinfo -a that is in the "Allowed RODC Password Replication Group" but not preloaded, I get this error in the logs:

Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15 15:43:30.146704, 1] ../../source3/winbindd/winbindd_cm.c:1310(cm_prepare_connection)
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: Failed to prepare SMB connection to dc2.hq.domain.de: NT_STATUS_ACCESS_DENIED
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15 15:43:30.147548, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: Auth: [winbind,NTLM_AUTH, wbinfo, 34390] user [DOMAIN-02]\[bir] at [Mon, 15 Feb 2021 15:43:30.147532 CET] with [NTLMv2] status [NT_STATUS_ACCESS_DENIED] workstation [RODC] remote host [unix:] mapped to [(null)]\[(null)]. local host [unix:]

On the contacted RWDC I see this at loglevel 6:
NTLMSSP_NEGOTIATE_KEY_EXCH Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.174254, 5] ../../auth/ntlmssp/ntlmssp_sign.c:792(ntlmssp_sign_reset) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: NTLMSSP Sign/Seal - using NTLM1 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.174269, 4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.174281, 4] ../../source3/smbd/uid.c:562(push_conn_ctx) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: push_conn_ctx(0) : conn_ctx_stack_ndx = 0 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.174291, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.174301, 5] ../../libcli/security/security_token.c:52(security_token_debug) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: Security token: (NULL) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.174311, 5] ../../source3/auth/token_util.c:874(debug_unix_user_token) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: UNIX token of user 0 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: Primary group is 0 and contains 0 supplementary groups Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.174334, 4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 Feb 16 06:48:32 dc4.hq.domain.de winbindd[971610]: [2021/02/16 06:48:32.174475, 3] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version) Feb 16 06:48:32 dc4.hq.domain.de winbindd[971610]: winbindd_interface_version: [nss_winbind (971786)]: request interface version (version = 31) Feb 16 06:48:32 dc4.hq.domain.de winbindd[971610]: [2021/02/16 
06:48:32.174555, 3] ../../source3/winbindd/winbindd_sids_to_xids.c:50(winbindd_sids_to_xids_send) Feb 16 06:48:32 dc4.hq.domain.de winbindd[971610]: sids_to_xids Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.174608, 5] ../../source4/auth/unix_token.c:131(security_token_to_unix_token) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: Successfully converted security token to a unix token:Security token SIDs (4): Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: SID[ 0]: S-1-5-7 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: SID[ 1]: S-1-1-0 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: SID[ 2]: S-1-5-2 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: SID[ 3]: S-1-5-64-10 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: Privileges (0x 0): Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: Rights (0x 0): Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.174680, 5] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: Successful AuthZ: [SMB2,NTLMSSP] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Tue, 16 Feb 2021 06:48:32.174662 CET] Remote host [ipv4:10.1.0.77:52026] local host [ipv4:192.168.0.106:445] Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: {"timestamp": "2021-02-16T06:48:32.174712+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:192.168.0.106:445", "remoteAddress": "ipv4:10.1.0.77:52026", "serviceDescription": "SMB2", "authType": "NTLMSSP", "domain": "NT AUTHORITY", "account": "ANONYMOUS LOGON", "sid": "S-1-5-7", "sessionId": "8ee53b36-dea5-4ac4-9b5c-15a6a3c58519", "logonServer": "DC4", "transportProtection": "SMB", "accountFlags": "0x00000010"}} Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.174774, 5] ../../lib/util/debug.c:811(debug_dump_status) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: INFO: Current debug levels: Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: all: 5 Feb 16 
06:48:32 dc4.hq.domain.de smbd[971786]: tdb: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: printdrivers: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: lanman: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: smb: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: rpc_parse: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: rpc_srv: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: rpc_cli: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: passdb: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: sam: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: auth: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: winbind: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: vfs: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: idmap: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: quota: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: acls: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: locking: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: msdfs: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dmapi: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: registry: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: scavenger: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dns: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: ldb: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: tevent: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: auth_audit: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: auth_json_audit: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: kerberos: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: drs_repl: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: smb2: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: smb2_credits: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dsdb_audit: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dsdb_json_audit: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dsdb_password_audit: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dsdb_password_json_audit: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: 
dsdb_transaction_audit: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dsdb_transaction_json_audit: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dsdb_group_audit: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dsdb_group_json_audit: 5 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.175034, 5] ../../lib/dbwrap/dbwrap.c:148(dbwrap_lock_order_lock) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dbwrap_lock_order_lock: check lock order 1 for /var/cache/samba/smbXsrv_session_global.tdb Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.175084, 5] ../../lib/dbwrap/dbwrap.c:180(dbwrap_lock_order_unlock) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dbwrap_lock_order_unlock: release lock order 1 for /var/cache/samba/smbXsrv_session_global.tdb Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.177955, 5] ../../lib/dbwrap/dbwrap.c:148(dbwrap_lock_order_lock) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dbwrap_lock_order_lock: check lock order 1 for /var/cache/samba/smbXsrv_session_global.tdb Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178000, 5] ../../lib/dbwrap/dbwrap.c:180(dbwrap_lock_order_unlock) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dbwrap_lock_order_unlock: release lock order 1 for /var/cache/samba/smbXsrv_session_global.tdb Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178016, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178030, 5] ../../libcli/security/security_token.c:52(security_token_debug) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: Security token: (NULL) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178041, 5] ../../source3/auth/token_util.c:874(debug_unix_user_token) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: UNIX token of user 0 Feb 16 
06:48:32 dc4.hq.domain.de smbd[971786]: Primary group is 0 and contains 0 supplementary groups Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178061, 5] ../../source3/smbd/uid.c:494(smbd_change_to_root_user) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: change_to_root_user: now uid=(0,0) gid=(0,0) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178089, 5] ../../lib/dbwrap/dbwrap.c:148(dbwrap_lock_order_lock) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dbwrap_lock_order_lock: check lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178128, 5] ../../lib/dbwrap/dbwrap.c:180(dbwrap_lock_order_unlock) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dbwrap_lock_order_unlock: release lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178150, 3] ../../lib/util/access.c:371(allow_access) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: Allowed connection from 10.1.0.77 (10.1.0.77) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178164, 1] ../../source3/smbd/service.c:355(create_connection_session_info) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: create_connection_session_info: guest user (from session setup) not permitted to access this share (IPC$) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178175, 1] ../../source3/smbd/service.c:544(make_connection_snum) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178192, 5] ../../lib/dbwrap/dbwrap.c:148(dbwrap_lock_order_lock) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dbwrap_lock_order_lock: check lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178208, 5] 
../../lib/dbwrap/dbwrap.c:180(dbwrap_lock_order_unlock) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: dbwrap_lock_order_unlock: release lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.178221, 3] ../../source3/smbd/smb2_server.c:3863(smbd_smb2_request_error_ex) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:151 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.179379, 3] ../../source3/smbd/smb2_server.c:3863(smbd_smb2_request_error_ex) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NETWORK_NAME_DELETED] || at ../../source3/smbd/smb2_server.c:3147 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.180041, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.180067, 5] ../../libcli/security/security_token.c:52(security_token_debug) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: Security token: (NULL) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: [2021/02/16 06:48:32.180079, 5] ../../source3/auth/token_util.c:874(debug_unix_user_token) Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: UNIX token of user 0 This also prevents samba_dnsupdate from running corectly.
This works now at Samba version 4.14.11. Wanted to try if this now works with "restrict anonymous = 2" and it did. So this Bug can be closed I think.
Sorry about this. With the recent fixes for bugs 13879, 14641, 15001, 15003 in the RODC code I tested a bit more and this still does not work. As Andrew explained here: https://lists.samba.org/archive/samba/2021-February/234612.html, restrict anonymous = 2 breaks any auth that is not preloaded.
(In reply to Christian Naumer from comment #2) The problem is that winbindd still starts with an SMB connection, which is not really used at all in the end, as the netlogon and lsa connections use ncacn_ip_tcp. But if the SMB connection fails (with ACCESS_DENIED in this case) the whole thing breaks. I think we need to rewrite the code to start with a netlogon ncacn_ip_tcp connection and then only use SMB (ncacn_np) as a fallback, but it requires a lot of restructuring first.
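The pattern in the RWDC log above (an anonymous session setup that succeeds, followed by a refused tree connect to IPC$) can be extracted from a Samba log to list which peers are hit once "restrict anonymous = 2" is set. This is an added example, not part of the bug report or of Samba's code; the function names and the second session in the sample are constructed, and it assumes auth_json_audit records are being logged as they are in the report.

```python
import json
import re

ANONYMOUS_SID = "S-1-5-7"  # NT AUTHORITY\ANONYMOUS LOGON

# Syslog prefix of every entry. Splitting on it instead of on newlines also
# handles a log that was pasted as one run-together line.
PREFIX = re.compile(
    r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) \w+\[(?P<pid>\d+)\]: ")
DENIED = re.compile(r"guest user \(from session setup\) not permitted "
                    r"to access this share \((?P<share>[^)]+)\)")


def iter_entries(text):
    """Yield (host, pid, message) for each syslog entry found in text."""
    marks = list(PREFIX.finditer(text))
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        yield cur["host"], cur["pid"], text[cur.end():end].strip()


def anonymous_share_denials(text):
    """List tree connects refused to sessions that logged on anonymously."""
    anon_peer = {}  # (host, pid) -> remote address of the anonymous session
    findings = []
    for host, pid, msg in iter_entries(text):
        key = (host, pid)
        if msg.startswith("{"):  # auth_json_audit record
            try:
                auth = json.loads(msg).get("Authentication")
            except ValueError:
                continue
            if isinstance(auth, dict) and auth.get("status") == "NT_STATUS_OK":
                if auth.get("becameSid") == ANONYMOUS_SID:
                    anon_peer[key] = auth.get("remoteAddress")
                else:  # the connection re-authenticated as a real account
                    anon_peer.pop(key, None)
            continue
        hit = DENIED.search(msg)
        if hit and key in anon_peer:
            findings.append({"server": host, "pid": int(pid),
                             "client": anon_peer[key], "share": hit["share"]})
    return findings


# Constructed sample: the first two entries are abridged from the log in this
# report; the smbd[971790] session and its address are invented for contrast.
SAMPLE_LOG = (
    'Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: {"type": "Authentication", '
    '"Authentication": {"status": "NT_STATUS_OK", "remoteAddress": '
    '"ipv4:10.1.0.77:52026", "becameSid": "S-1-5-7"}} '
    'Feb 16 06:48:32 dc4.hq.domain.de smbd[971786]: create_connection_session_info: '
    'guest user (from session setup) not permitted to access this share (IPC$) '
    'Feb 16 06:48:33 dc4.hq.domain.de smbd[971790]: {"type": "Authentication", '
    '"Authentication": {"status": "NT_STATUS_OK", "remoteAddress": '
    '"ipv4:192.0.2.10:40000", "becameSid": "S-1-5-21-1-2-3-1104"}} '
    'Feb 16 06:48:33 dc4.hq.domain.de smbd[971790]: Allowed connection from 192.0.2.10'
)

if __name__ == "__main__":
    for finding in anonymous_share_denials(SAMPLE_LOG):
        print(finding)
```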
Thanks for the feedback. If there is anything I can do to help let me know. However, I am not a developer ...
We should retest a Samba RODC against Windows after patching for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925