#6660 AD servers are reporting Netlogin errors and spammed with Event Sentry alert messages
Opened 3 years ago by pvoborni. Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1411817

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
We have AD trust with example.test (AD domain) from our IPA servers using
idm.test (IPA domain)

 root@idm3{~}: ipa-replica-manage -v list
idm3.idm.test: master
idm2.idm.test: master
 root@idm3{~}:

Our AD servers are reporting Netlogin errors and spammed with Event Sentry
alert messages, which seem to correspond with this log message.

Jan 10 08:34:31 idm3 smbd[14606]: [2017/01/10 08:34:31.407852,  0]
../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
Jan 10 08:34:31 idm3 smbd[14606]:  _netr_ServerAuthenticate3:
netlogon_creds_server_check failed. Rejecting auth request from client CLT-EXM01
machine account example.test.


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-14.el7_3.1.1.x86_64

How reproducible:
Always

Steps to Reproduce:
1.  Restarting ipa will always result in the messages listed above occurring in
the logs.

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

3 years ago

Metadata Update from @mbasti:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

3 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/632

3 years ago

Metadata Update from @pvoborni:
- Issue assigned to frenaud (was: someone)

3 years ago

Info added in issue 6815:

When a trust is established with AD, the AD server periodically calls NETR_SERVERPASSWORDSET2 and the operation fails with NT_STATUS_NOT_IMPLEMENTED (log in /var/log/samba/smbd.lsasd.xx):

[2017/03/24 10:30:18.736045,  1, pid=70262, effective(99, 99), real(99, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       netr_ServerPasswordSet2: struct netr_ServerPasswordSet2
          out: struct netr_ServerPasswordSet2
              return_authenticator     : *
                  return_authenticator: struct netr_Authenticator
                      cred: struct netr_Credential
                          data                     : ced899cf781997ca
                      timestamp                : (time_t)0
              result                   : NT_STATUS_NOT_IMPLEMENTED

pdb_update_sam_account() is called but ipasam doesn't provide this function, meaning that the default samba implementation is used and returns NT_STATUS_NOT_IMPLEMENTED.

We need to implement ipasam_update_sam_account().

Note: setting the NT hash only is a bit complicated because we should be expecting to synchronize both Kerberos and NT hash passwords for the same entry. Since this is a trusted domain object entry, having them not in sync would cause broken trust operations for SSSD.
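
As an added example (not code from this ticket, FreeIPA or Samba), a small Python scanner that counts the two symptoms described in this ticket from smbd log text: the netlogon_creds_server_check rejections per client and machine account, and ndr-dumped RPC results other than NT_STATUS_OK, such as the netr_ServerPasswordSet2 NT_STATUS_NOT_IMPLEMENTED above. The sample lines are constructed from the messages quoted here, and the regular expressions assume the Samba message wording shown on this page.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the smbd messages quoted in this ticket
# (the wrapped ticket text is joined back into single log lines here).
SAMPLE_LOG = """\
Jan 10 08:34:31 idm3 smbd[14606]: [2017/01/10 08:34:31.407852,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
Jan 10 08:34:31 idm3 smbd[14606]:  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLT-EXM01 machine account example.test.
[2017/03/24 10:30:18.736045,  1, pid=70262, effective(99, 99), real(99, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       netr_ServerPasswordSet2: struct netr_ServerPasswordSet2
          out: struct netr_ServerPasswordSet2
              result                   : NT_STATUS_NOT_IMPLEMENTED
Jan 10 08:35:02 idm3 smbd[14610]:  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLT-EXM02 machine account example.test.
"""

# Rejection message from _netr_ServerAuthenticate3: client NetBIOS name, trusted domain
REJECT_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request from client "
    r"(?P<client>\S+) machine account (?P<account>\S+?)\.?\s*$")
# First line of an ndr_print_function_debug dump: "<call>: struct <call>"
CALL_RE = re.compile(r"^\s*(?P<call>\w+): struct (?P=call)\s*$")
# "result : NT_STATUS_..." in the "out:" part of that dump
RESULT_RE = re.compile(r"^\s*result\s*:\s*(?P<status>NT_STATUS_\w+)\s*$")


def scan_smbd_log(text):
    """Count netlogon credential-check rejections per (client, machine account)
    and RPC calls whose dumped result is not NT_STATUS_OK per (call, status)."""
    rejected = Counter()
    failed = Counter()
    current_call = None  # RPC name from the most recent ndr dump header
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejected[(m["client"], m["account"])] += 1
            continue
        m = CALL_RE.match(line)
        if m:
            current_call = m["call"]
            continue
        m = RESULT_RE.match(line)
        if m and current_call and m["status"] != "NT_STATUS_OK":
            failed[(current_call, m["status"])] += 1
            current_call = None
    return rejected, failed
```

Run over a journal export or /var/log/samba/smbd.log, the counters show how often AD retries the failing NETR_SERVERPASSWORDSET2 call and which AD hosts are being rejected on the netlogon channel.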

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)

2 years ago

FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)

2 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)

2 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)

2 years ago
