I've got an OmniOS box that three times now since being patched for
CVE-2020-1472 has fallen back to the improper netlogon auth method,
generating event ID 5827 and no longer authenticating SMB users.  When it
does this the only thing I've been able to do to recover is reboot the
OmniOS box.

The first two instances were running r151030cm; when it happened Saturday I
upgraded to r151030cy, and the issue repeated again last night.  The box is
joined to a single Windows AD domain run by two Win 2019 servers.

The only 'interesting' logging I can find on the Omni side is in
network-smb-server, I see an INVALID_PARAMETER before the ACCESS_DENIED
spam.

@ Wed May  5 15:45:38 2021
smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED
smbd: service shutting down
@ Wed May  5 15:50:47 2021
smbd.err:  SMF initialization problem: %s
: handle not bound
smbd: service terminated
[ May  5 15:57:30 Enabled. ]
[ May  5 15:58:55 Executing start method ("/usr/lib/smbsrv/smbd start"). ]
smbd: smbd starting, pid 540
smbd: NetBIOS services disabled
smbd: service initialized
[ May  5 15:58:55 Method "start" exited with status 0. ]
smbd_dc_monitor: online
smbd_localtime_monitor: online
@ Wed May  5 15:59:06 2021
smbd.info: smbd_dc_update: our.ad.domain: located
secondary-adc-10.our.ad.domain
@ Thu May  6 10:48:49 2021
smbd.info: smbd_dc_monitor_refresh
@ Thu May  6 10:48:50 2021
smbd.info: smbd_dc_update: our.ad.domain: located
primary-adc-10.our.ad.domain
@ Thu May  6 10:48:51 2021
smbd.err: netr_get_handle: open failed (0xC002001D); renegotiating...
@ Tue May 11 01:38:56 2021
smbd.info: smbd_dc_monitor_refresh
smbd.info: smbd_dc_update: our.ad.domain: located
secondary-adc-10.our.ad.domain
@ Tue May 11 01:38:57 2021
smbd.err: netr_get_handle: open failed (0xC002001D); renegotiating...
@ Tue May 11 03:28:57 2021
smbd.info: smbd_dc_monitor_refresh
smbd.info: smbd_dc_update: our.ad.domain: located
primary-adc-10.our.ad.domain
@ Fri May 14 13:46:59 2021
smbd.err: ndr_rpc_bind: smbrdr_ctx_new(Srv=primary-adc-10.our.ad.domain
Dom=GWI User=BIDD-SAN-10$), BAD_NETWORK_PATH (0xc00000be)
smbd.err: ndr_rpc_bind: smbrdr_ctx_new(Srv=primary-adc-10.our.ad.domain
Dom=GWI User=BIDD-SAN-10$), BAD_NETWORK_PATH (0xc00000be)
smbd.info: smb_ddiscover, bad DC: primary-adc-10.our.ad.domain
smbd.err: netr_get_handle: open failed (BAD_NETWORK_PATH); renegotiating...
smbd.info: smbd_dc_monitor_refresh
@ Fri May 14 13:47:00 2021
smbd.info: smbd_dc_update: our.ad.domain: located
secondary-adc-10.our.ad.domain
@ Fri May 14 16:57:00 2021
smbd.info: smbd_dc_monitor_refresh
@ Fri May 14 16:57:01 2021
smbd.info: smbd_dc_update: our.ad.domain: located
primary-adc-10.our.ad.domain
@ Sat May 15 04:02:36 2021
smbd.info: logon[our.ad.domain\backup]: INVALID_PARAMETER
smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED
@ Sat May 15 04:02:57 2021
smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED
@ Sat May 15 04:03:17 2021
smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED

<SNIP to next reboot>

@ Sat May 15 10:48:18 2021
smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED
[ May 15 11:07:49 Enabled. ]
[ May 15 11:10:05 Executing start method ("/usr/lib/smbsrv/smbd start"). ]
smbd: smbd starting, pid 542
smbd: NetBIOS services disabled
smbd: service initialized
[ May 15 11:10:06 Method "start" exited with status 0. ]
smbd_dc_monitor: online
smbd_localtime_monitor: online
@ Sat May 15 11:10:17 2021
smbd.info: smbd_dc_update: our.ad.domain: located
primary-adc-10.our.ad.domain
@ Sun May 16 21:34:24 2021
smbd.info: logon[our.ad.domain\backup]: INVALID_PARAMETER
@ Sun May 16 21:34:27 2021
smbd.info: logon[our.ad.domain\backup]: ACCESS_DENIED

Enabling the unsecure netlogon bypass GPO in Windows for the box
immediately got it authing again without a reboot, although it's generating
event ID 5830 entries as expected.  Until I've got a handle on why this is
happening, I'll have to leave the bypass in place.
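
The pattern described above (an INVALID_PARAMETER logon result followed by repeated ACCESS_DENIED until the next smbd start) can be picked out of the network-smb-server log automatically. The following is an added example, not part of the original post or of illumos; it assumes the log format shown above, and the sample lines, the account name and the function name find_failure_episodes are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the log format shown in the post (not real data).
SAMPLE_LOG = r"""@ Sat May 15 04:02:36 2021
smbd.info: logon[example.test\svc]: INVALID_PARAMETER
smbd.info: logon[example.test\svc]: ACCESS_DENIED
@ Sat May 15 04:02:57 2021
smbd.info: logon[example.test\svc]: ACCESS_DENIED
[ May 15 11:10:05 Executing start method ("/usr/lib/smbsrv/smbd start"). ]
smbd: smbd starting, pid 542
@ Sun May 16 21:34:24 2021
smbd.info: logon[example.test\svc]: INVALID_PARAMETER
@ Sun May 16 21:34:27 2021
smbd.info: logon[example.test\svc]: ACCESS_DENIED
"""

STAMP = re.compile(r"^@ (\w{3} +\w{3} +\d+ +\d\d:\d\d:\d\d +\d{4})$")
LOGON = re.compile(r"^smbd\.info: logon\[(.+?)\]: (\w+)$")

def find_failure_episodes(log_text):
    """One dict per episode: an INVALID_PARAMETER logon followed by
    ACCESS_DENIED results, closed by the next smbd start or end of log."""
    episodes, current, stamp = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        m = STAMP.match(line)
        if m:  # "@ <date>" lines stamp the entries that follow them
            text = " ".join(m.group(1).split())  # collapse "May  5" padding
            stamp = datetime.strptime(text, "%a %b %d %H:%M:%S %Y")
        elif line.startswith("smbd: smbd starting"):
            current = None  # a service restart ends the episode
        else:
            m = LOGON.match(line)
            if not m:
                continue
            account, status = m.groups()
            if status == "INVALID_PARAMETER" and current is None:
                current = {"account": account, "start": stamp,
                           "last": stamp, "denied": 0}
                episodes.append(current)
            elif status == "ACCESS_DENIED" and current is not None:
                # Denials outside an episode (e.g. a bad password) are ignored.
                current["denied"] += 1
                current["last"] = stamp
    return episodes

if __name__ == "__main__":
    for ep in find_failure_episodes(SAMPLE_LOG):
        print(f"{ep['start']}  {ep['account']}: INVALID_PARAMETER, then "
              f"{ep['denied']} ACCESS_DENIED (last at {ep['last']})")
```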

------------------------------------------
illumos: illumos-discuss
Permalink: 
https://illumos.topicbox.com/groups/discuss/T118e9252853b58b3-M807d4bb38e5253a1cea99e6b