Ivan Strohner
2013-Feb-11 17:31 UTC
[Samba] Windows 7 against Samba+LDAP does not work with some passwords
Dear all,

I have installed Samba (3.6.6) on Debian wheezy and configured it to authenticate against LDAP (encrypted passwords, no lanman). I want simple shares with user security. I have configured PAM/NSS from the same LDAP and it works fine. WinXP works fine, smbclient works fine, but Windows 7 only works for SOME passwords. Some work, some do not.

Samba is configured with a restricted LDAP bind DN, but it should see all attributes (except for the userPassword attribute, which is not used by Samba afaik). During setup I provided it with administrator LDAP access to populate some basic data and to see exactly how users are defined, but I have removed the populated Samba groups from LDAP, since we do not use Samba as a domain server. I set the password in the sambaNTPassword attribute in LDAP.

I have tried with the following password examples:
* ist (password matching login name): it works
  hash stored in LDAP: 96AF2AA9537DCF6C6DF9E4D347BF5E12
* other primitive passwords, such as IST, ist123, istist, work as well
* but a password such as T8h0KmJ3 does not work
  hash: EB2EF7BFBA2396D001A4774D21C936C5

In Windows XP or with smbclient every password works.

I have done the few tweaks of Windows 7:
* Local Policies -> Security Options -> Network Security: LAN Manager authentication level -> Send LM & NTLM - use NTLMv2 session security if negotiated
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters: DomainCompatibilityMode (1), DNSNameResolutionRequired (0)
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters: RequireSignOrSeal (1), RequireStrongKey (1)

If needed I can provide some packet dumps.
Thanks in advance for any help,
Ivan

I am including:

My samba configuration:
--- 8< ---
[global]
workgroup = DIGITALSYSTEMS
netbios name = FILE1
server string = File Server
domain logons = no
domain master = no
wins support = no
dns proxy = no
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam password change = yes
unix password sync = no
ldap password sync = no
load printers = no
printing = cups
printcap name = cups
passdb backend = ldapsam:ldaps://ldap.isvc.dsnet:636/
ldap ssl = no
ldap suffix = o=digitalsystems
ldap admin dn = cn=file,ou=systems,o=digitalsystems
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
security = user
lanman auth = no
ntlm auth = Yes
encrypt passwords = true
--- 8< ---

Negative authentication log (the point seems to be "NT MD4 password check failed for user").
--- 8< --- [2013/02/11 18:11:45.199144, 3] auth/auth.c:219(check_ntlm_password) check_ntlm_password: Checking password for unmapped user [coruscant]\[ist]@[CORUSCANT] with the new password interface [2013/02/11 18:11:45.199179, 3] auth/auth.c:222(check_ntlm_password) check_ntlm_password: mapped user is: [FILE1]\[ist]@[CORUSCANT] [2013/02/11 18:11:45.199835, 2] lib/smbldap.c:1018(smbldap_open_connection) smbldap_open_connection: connection opened [2013/02/11 18:11:45.205532, 3] lib/smbldap.c:1240(smbldap_connect_system) ldap_connect_system: successful connection to the LDAP server [2013/02/11 18:11:45.206169, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: ist [2013/02/11 18:11:45.207028, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 1012 [2013/02/11 18:11:45.208209, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 1012 [2013/02/11 18:11:45.208358, 3] ../libcli/auth/ntlm_check.c:413(ntlm_password_check) ntlm_password_check: NT MD4 password check failed for user ist [2013/02/11 18:11:45.208765, 2] passdb/pdb_ldap.c:1180(init_ldap_from_sam) init_ldap_from_sam: Setting entry for user: ist [2013/02/11 18:11:45.208813, 2] auth/auth.c:319(check_ntlm_password) check_ntlm_password: Authentication for user [ist] -> [ist] FAILED with error NT_STATUS_WRONG_PASSWORD [2013/02/11 18:11:45.208849, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE [2013/02/11 18:11:45.212611, 3] smbd/process.c:1662(process_smb) Transaction 3 of length 142 (0 toread) [2013/02/11 18:11:45.212644, 3] smbd/process.c:1467(switch_message) switch message SMBsesssetupX (pid 10233) conn 0x0 [2013/02/11 18:11:45.212669, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X) wct=12 flg2=0xc807 [2013/02/11 18:11:45.212690, 2] smbd/sesssetup.c:1279(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x 
compatible we would close all old resources. [2013/02/11 18:11:45.212711, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego) Doing spnego session setup [2013/02/11 18:11:45.212733, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego) NativeOS=[] NativeLanMan=[] PrimaryDomain=[] [2013/02/11 18:11:45.212766, 3] smbd/sesssetup.c:660(reply_spnego_negotiate) reply_spnego_negotiate: Got secblob of size 40 [2013/02/11 18:11:45.212794, 3] ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xe2088297 [2013/02/11 18:11:45.215172, 3] smbd/process.c:1662(process_smb) Transaction 4 of length 274 (0 toread) [2013/02/11 18:11:45.215199, 3] smbd/process.c:1467(switch_message) switch message SMBsesssetupX (pid 10233) conn 0x0 [2013/02/11 18:11:45.215227, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X) wct=12 flg2=0xc807 [2013/02/11 18:11:45.215249, 2] smbd/sesssetup.c:1279(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. 
[2013/02/11 18:11:45.215272, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego) Doing spnego session setup [2013/02/11 18:11:45.215295, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego) NativeOS=[] NativeLanMan=[] PrimaryDomain=[] [2013/02/11 18:11:45.215325, 3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth) Got user=[ist] domain=[coruscant] workstation=[CORUSCANT] len1=24 len2=24 [2013/02/11 18:11:45.215366, 3] auth/auth.c:219(check_ntlm_password) check_ntlm_password: Checking password for unmapped user [coruscant]\[ist]@[CORUSCANT] with the new password interface [2013/02/11 18:11:45.215390, 3] auth/auth.c:222(check_ntlm_password) check_ntlm_password: mapped user is: [FILE1]\[ist]@[CORUSCANT] [2013/02/11 18:11:45.216085, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: ist [2013/02/11 18:11:45.217158, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 1012 [2013/02/11 18:11:45.217284, 3] ../libcli/auth/ntlm_check.c:413(ntlm_password_check) ntlm_password_check: NT MD4 password check failed for user ist [2013/02/11 18:11:45.217353, 2] passdb/pdb_ldap.c:1180(init_ldap_from_sam) init_ldap_from_sam: Setting entry for user: ist [2013/02/11 18:11:45.217396, 2] auth/auth.c:319(check_ntlm_password) check_ntlm_password: Authentication for user [ist] -> [ist] FAILED with error NT_STATUS_WRONG_PASSWORD [2013/02/11 18:11:45.217425, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE [2013/02/11 18:11:51.781219, 3] smbd/process.c:1662(process_smb) Transaction 5 of length 142 (0 toread) [2013/02/11 18:11:51.781327, 3] smbd/process.c:1467(switch_message) switch message SMBsesssetupX (pid 10233) conn 0x0 [2013/02/11 18:11:51.781365, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X) wct=12 flg2=0xc807 [2013/02/11 18:11:51.781388, 2] smbd/sesssetup.c:1279(setup_new_vc_session) setup_new_vc_session: New VC == 0, if 
NT4.x compatible we would close all old resources. [2013/02/11 18:11:51.781409, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego) Doing spnego session setup [2013/02/11 18:11:51.781438, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego) NativeOS=[] NativeLanMan=[] PrimaryDomain=[] [2013/02/11 18:11:51.781481, 3] smbd/sesssetup.c:660(reply_spnego_negotiate) reply_spnego_negotiate: Got secblob of size 40 [2013/02/11 18:11:51.781527, 3] ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xe2088297 [2013/02/11 18:11:51.783928, 3] smbd/process.c:1662(process_smb) Transaction 6 of length 274 (0 toread) [2013/02/11 18:11:51.783964, 3] smbd/process.c:1467(switch_message) switch message SMBsesssetupX (pid 10233) conn 0x0 [2013/02/11 18:11:51.783991, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X) wct=12 flg2=0xc807 [2013/02/11 18:11:51.784012, 2] smbd/sesssetup.c:1279(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. 
[2013/02/11 18:11:51.784033, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego) Doing spnego session setup [2013/02/11 18:11:51.784055, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego) NativeOS=[] NativeLanMan=[] PrimaryDomain=[] [2013/02/11 18:11:51.784088, 3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth) Got user=[ist] domain=[CORUSCANT] workstation=[CORUSCANT] len1=24 len2=24 [2013/02/11 18:11:51.784151, 3] auth/auth.c:219(check_ntlm_password) check_ntlm_password: Checking password for unmapped user [CORUSCANT]\[ist]@[CORUSCANT] with the new password interface [2013/02/11 18:11:51.784176, 3] auth/auth.c:222(check_ntlm_password) check_ntlm_password: mapped user is: [FILE1]\[ist]@[CORUSCANT] [2013/02/11 18:11:51.785168, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: ist [2013/02/11 18:11:51.786427, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 1012 [2013/02/11 18:11:51.786562, 3] ../libcli/auth/ntlm_check.c:413(ntlm_password_check) ntlm_password_check: NT MD4 password check failed for user ist [2013/02/11 18:11:51.786624, 2] passdb/pdb_ldap.c:1180(init_ldap_from_sam) init_ldap_from_sam: Setting entry for user: ist [2013/02/11 18:11:51.786667, 2] auth/auth.c:319(check_ntlm_password) check_ntlm_password: Authentication for user [ist] -> [ist] FAILED with error NT_STATUS_WRONG_PASSWORD [2013/02/11 18:11:51.786696, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE [2013/02/11 18:12:04.452412, 1] smbd/process.c:457(receive_smb_talloc) receive_smb_raw_talloc failed for client 192.168.2.23 read error NT_STATUS_CONNECTION_RESET. [2013/02/11 18:12:04.452579, 3] smbd/server_exit.c:181(exit_server_common) Server exit (failed to receive smb request) --- 8< --- Positive authentication log (with simple password). 
I have removed some negative attempts from start - I believe these are windows sending my workstation password: --- 8< --- [2013/02/11 18:05:37.848626, 3] smbd/process.c:1662(process_smb) Transaction 5 of length 142 (0 toread) [2013/02/11 18:05:37.848735, 3] smbd/process.c:1467(switch_message) switch message SMBsesssetupX (pid 9649) conn 0x0 [2013/02/11 18:05:37.848772, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X) wct=12 flg2=0xc807 [2013/02/11 18:05:37.848795, 2] smbd/sesssetup.c:1279(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2013/02/11 18:05:37.848816, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego) Doing spnego session setup [2013/02/11 18:05:37.848848, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego) NativeOS=[] NativeLanMan=[] PrimaryDomain=[] [2013/02/11 18:05:37.848891, 3] smbd/sesssetup.c:660(reply_spnego_negotiate) reply_spnego_negotiate: Got secblob of size 40 [2013/02/11 18:05:37.848936, 3] ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xe2088297 [2013/02/11 18:05:37.851290, 3] smbd/process.c:1662(process_smb) Transaction 6 of length 274 (0 toread) [2013/02/11 18:05:37.851326, 3] smbd/process.c:1467(switch_message) switch message SMBsesssetupX (pid 9649) conn 0x0 [2013/02/11 18:05:37.851352, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X) wct=12 flg2=0xc807 [2013/02/11 18:05:37.851373, 2] smbd/sesssetup.c:1279(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. 
[2013/02/11 18:05:37.851394, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego) Doing spnego session setup [2013/02/11 18:05:37.851415, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego) NativeOS=[] NativeLanMan=[] PrimaryDomain=[] [2013/02/11 18:05:37.851447, 3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth) Got user=[ist] domain=[CORUSCANT] workstation=[CORUSCANT] len1=24 len2=24 [2013/02/11 18:05:37.851511, 3] auth/auth.c:219(check_ntlm_password) check_ntlm_password: Checking password for unmapped user [CORUSCANT]\[ist]@[CORUSCANT] with the new password interface [2013/02/11 18:05:37.851535, 3] auth/auth.c:222(check_ntlm_password) check_ntlm_password: mapped user is: [FILE1]\[ist]@[CORUSCANT] [2013/02/11 18:05:37.852518, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: ist [2013/02/11 18:05:37.853881, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 1012 [2013/02/11 18:05:37.855119, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 2089 .. repeated for lot of various groups .. 
[2013/02/11 18:05:37.871170, 3] auth/auth.c:268(check_ntlm_password) check_ntlm_password: sam authentication for user [ist] succeeded [2013/02/11 18:05:37.871202, 2] auth/auth.c:309(check_ntlm_password) check_ntlm_password: authentication for user [ist] -> [ist] -> [ist] succeeded [2013/02/11 18:05:37.876503, 3] ../libcli/auth/ntlmssp_sign.c:535(ntlmssp_sign_init) NTLMSSP Sign/Seal - Initialising with flags: [2013/02/11 18:05:37.876534, 3] ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xe2088215 [2013/02/11 18:05:37.876573, 3] smbd/password.c:298(register_existing_vuid) register_existing_vuid: User name: ist Real name: ist [2013/02/11 18:05:37.876598, 3] smbd/password.c:308(register_existing_vuid) register_existing_vuid: UNIX uid 1012 is UNIX user ist, and will be vuid 102 [2013/02/11 18:05:37.876907, 3] smbd/password.c:238(register_homes_share) Adding homes service for user 'ist' using home directory: '/home/ist' [2013/02/11 18:05:37.876962, 3] param/loadparm.c:6582(lp_add_home) adding home's share [ist] for user 'ist' at '/home/ist' [2013/02/11 18:05:37.879764, 3] smbd/process.c:1662(process_smb) Transaction 7 of length 100 (0 toread) [2013/02/11 18:05:37.879907, 3] smbd/process.c:1467(switch_message) switch message SMBtconX (pid 9649) conn 0x0 [2013/02/11 18:05:37.879987, 3] lib/access.c:338(allow_access) Allowed connection from 192.168.2.23 (192.168.2.23) [2013/02/11 18:05:37.880043, 3] smbd/service.c:872(make_connection_snum) Connect path is '/tmp' for service [IPC$] [2013/02/11 18:05:37.880104, 3] smbd/vfs.c:102(vfs_init_default) Initialising default vfs hooks [2013/02/11 18:05:37.880133, 3] smbd/vfs.c:128(vfs_init_custom) Initialising custom vfs hooks from [/[Default VFS]/] [2013/02/11 18:05:37.880404, 3] smbd/service.c:1114(make_connection_snum) coruscant (192.168.2.23) connect to service IPC$ initially as user ist (uid=1012, gid=1012) (pid 9649) [2013/02/11 18:05:37.880438, 3] smbd/reply.c:871(reply_tcon_and_X) tconX service=IPC$ 
[2013/02/11 18:05:37.883713, 3] smbd/process.c:1662(process_smb) Transaction 8 of length 104 (0 toread) [2013/02/11 18:05:37.883764, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 9649) conn 0x7ff244f5d710 [2013/02/11 18:05:37.885833, 3] smbd/process.c:1662(process_smb) Transaction 9 of length 76 (0 toread) [2013/02/11 18:05:37.885864, 3] smbd/process.c:1467(switch_message) switch message SMBtrans2 (pid 9649) conn 0x7ff244f5d710 [2013/02/11 18:05:37.888125, 3] smbd/process.c:1662(process_smb) Transaction 10 of length 228 (0 toread) [2013/02/11 18:05:37.888154, 3] smbd/process.c:1467(switch_message) switch message SMBwriteX (pid 9649) conn 0x7ff244f5d710 [2013/02/11 18:05:37.888208, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req) api_pipe_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/02/11 18:05:37.888238, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \srvsvc [2013/02/11 18:05:37.888264, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/02/11 18:05:37.888305, 3] smbd/pipes.c:361(pipe_write_andx_done) writeX-IPC nwritten=160 [2013/02/11 18:05:37.890046, 3] smbd/process.c:1662(process_smb) Transaction 11 of length 63 (0 toread) [2013/02/11 18:05:37.890072, 3] smbd/process.c:1467(switch_message) switch message SMBreadX (pid 9649) conn 0x7ff244f5d710 [2013/02/11 18:05:37.890101, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 28 [2013/02/11 18:05:37.890142, 3] smbd/pipes.c:485(pipe_read_andx_done) readX-IPC min=1024 max=1024 nread=68 [2013/02/11 18:05:37.892251, 3] smbd/process.c:1662(process_smb) Transaction 12 of length 192 (0 toread) [2013/02/11 18:05:37.892280, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 9649) conn 0x7ff244f5d710 [2013/02/11 18:05:37.892313, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=104 params=0 setup=2 [2013/02/11 18:05:37.892339, 3] smbd/ipc.c:511(named_pipe) named pipe 
command on <> name [2013/02/11 18:05:37.892361, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 1220) [2013/02/11 18:05:37.892396, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP) api_rpcTNP: rpc command: SRVSVC_NETSHAREENUMALL [2013/02/11 18:05:37.892532, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 208 [2013/02/11 18:05:37.894773, 3] smbd/process.c:1662(process_smb) Transaction 13 of length 45 (0 toread) [2013/02/11 18:05:37.894801, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 9649) conn 0x7ff244f5d710 [2013/02/11 18:05:37.894826, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=4640 (numopen=1) --- 8< ---

This e-mail, and any document attached hereby, may contain confidential and/or privileged information or information protected by legal regulations. It is intended solely for the use of the individual or entity to whom it is addressed. If you are not the intended recipient or have received this e-mail in error please notify the sender immediately and delete this e-mail. Any unauthorized, direct or indirect, copying, disclosure, distribution or other use of the material or parts thereof is prohibited and may be unlawful.

Digital Systems a.s., Udernicka 9, 851 01 Bratislava 5, Slovak Republic, http://www.digitalsystems.eu/