David Herselman
2017-Jun-14 06:58 UTC
[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
Hi Rowland,

I did enable NTLMv1 to provide necessary support for pppd for PPTP VPN connections and that's working as expected. I however do not find any release notes pertaining to 'winbind use default domain = yes' no longer working on a Samba DC. The Samba man pages appear to detail options which apply to winbindd (https://www.samba.org/samba/docs/man/manpages/winbindd.8.html), which includes the 'winbind use default domain' option. The only reference to this not working on a Samba DC was a post I stumbled on from a while ago where the claim wasn't substantiated and indicated that none of the winbind options in smb.conf applied.

Everything worked perfectly on 4.4.5; could you point me somewhere where this was discussed and possibly a work around, as it breaks legacy mail processing?

Are the ntlm_auth problems pertaining to the following debug not an issue and as such acceptable?

[2017/06/12 15:46:21.303848, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY

PS: Apologies about the late reply, I only discovered your reply on the samba mailing list archive. It would appear that it takes a while before new subscribers start receiving messages...

Regards
David Herselman

-----Original Message-----
From: Rowland Penny
Sent: Mon Jun 12 15:52:40 UTC 2017
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth

On Mon, 12 Jun 2017 13:56:14 +0000
David Herselman via samba <samba at lists.samba.org> wrote:

> Hi everyone,
>
> We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be
> experiencing a problem with authentication, when the RPC domain is
> not supplied as part of the username.
> 'winbind use default domain = yes' doesn't work on a DC

I think your main problem can be explained by this extract from the release notes for 4.5.0:

NTLMv1 authentication disabled by default
-----------------------------------------

In order to improve security we have changed the default value for the "ntlm auth" option from "yes" to "no". This may have impact on very old clients which doesn't support NTLMv2 yet. The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

By default, Samba will only allow NTLMv2 via NTLMSSP now, as we have the following default "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no".

Rowland
Rowland Penny
2017-Jun-14 08:34 UTC
[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
On Wed, 14 Jun 2017 06:58:18 +0000
David Herselman <dhe at syrex.co> wrote:

> Hi Rowland,
>
> I did enable NTLMv1 to provide necessary support for pppd for PPTP
> VPN connections and that's working as expected.

OK, but I suggest you find a more secure way of doing things.

> I however do not
> find any release notes pertaining to 'winbind use default domain =
> yes' no longer working on a Samba DC.

This could be, as far as I am aware, it has never worked on a DC.

> The Samba man pages appear to
> detail options which apply to winbindd
> (https://www.samba.org/samba/docs/man/manpages/winbindd.8.html),
> which includes the 'winbind use default domain' option. The only
> reference to this not working on a Samba DC was a post I stumbled on
> from a while ago where the claim wasn't substantiated and indicated
> that none of the winbind options in smb.conf applied.

There isn't anything in 'man smb.conf' either, but there is this in the release notes for 4.6.0:

ID Mapping

We discovered that the majority of users have an invalid or incorrect ID mapping configuration. We implemented checks in the 'testparm' tool to validate the ID mapping configuration. You should run it and check if it prints any warnings or errors after upgrading! If it does you should fix them. See the 'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.

There are some ID mapping backends which are not allowed to be used for the default backend. Winbind will no longer start if an invalid backend is configured as the default backend.

To avoid problems in future we advise all users to run 'testparm' after changing the smb.conf file!

> Everything worked perfectly on 4.4.5, could you point me somewhere
> where this was discussed and possibly a work around, as it breaks
> legacy mail processing?

Can you prove it worked on 4.4.5? If so, there must have been a regression and you could try filing a bug report.

I must however point out again that 'winbind use default domain = yes' never worked for me on a DC, so I never tried setting it. It may be that a change unintentionally made it work, but another later change stopped it working again.

> Are the ntlm_auth problems pertaining to the following debug not an
> issue and as such acceptable?: [2017/06/12 15:46:21.303848, 1,
> pid=31947, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
> rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create
> NETLOGON credentials: NT_STATUS_NO_MEMORY

Something like this is never acceptable, provided Samba is set up correctly in the first place.

> PS: Apologies about the late reply, I only discovered your reply on
> the samba mailing list archive. It would appear that it takes a while
> before new subscribers start receiving messages...

Do not worry about replying late, you were faster than a lot of people ;-)

Unless something has changed, you should start receiving messages almost immediately, but it looks like whatever the problem was, you are now getting them.

Rowland
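Added example, not from either message and not Samba's own code: a small Python audit of the smb.conf settings the two replies turn on. It parses the INI-style file, flags the three authentication options whose defaults the 4.5.0 release notes list ("ntlm auth", "lanman auth", "raw NTLMv2 auth") when they are set away from "no", and warns when 'winbind use default domain = yes' is configured on an AD DC, where Rowland says it is not honoured. The sample smb.conf, the realm and the share path are constructed for the example; the check complements, and does not replace, running Samba's own 'testparm' after every edit.

```python
"""Audit the authentication-related settings of an smb.conf file.

Added example (not Samba's own code): a minimal parser for the INI-style
smb.conf syntax plus checks for the options discussed in the thread.
"""

# Constructed smb.conf for the example; the realm and share path are made up.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = DOMAIN-01
    server role = active directory domain controller
    # re-enabled so pppd/MSCHAPv2 (which needs NTLMv1) keeps working
    ntlm auth = yes
    winbind use default domain = yes

[netlogon]
    path = /var/lib/samba/sysvol/example.lan/scripts
    read only = no
"""

# Defaults quoted from the 4.5.0 release notes; any other value weakens auth.
SECURE_AUTH_DEFAULTS = {
    "ntlm auth": "no",
    "lanman auth": "no",
    "raw ntlmv2 auth": "no",
}


def parse_smb_conf(text):
    """Return {section: {key: value}}.

    Samba treats parameter names case-insensitively and ignores internal
    whitespace differences, so keys are lower-cased with whitespace collapsed.
    Lines starting with ';' or '#' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not a parameter
        key, value = line.split("=", 1)
        key = " ".join(key.split()).lower()
        sections[current][key] = value.strip()
    return sections


def is_truthy(value):
    """Samba boolean parameters accept yes/true/1 (and no/false/0)."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_global(conf):
    """Return a list of (severity, message) findings for the [global] section."""
    g = conf.get("global", {})
    findings = []

    # Each option not explicitly set takes its (secure) default.
    for key, secure in SECURE_AUTH_DEFAULTS.items():
        value = g.get(key, secure)
        if value.lower() != secure:
            findings.append((
                "weak",
                f"'{key} = {value}' weakens authentication "
                f"(default since 4.5.0 is '{secure}')",
            ))

    # Per the thread, the option below is not honoured on an AD DC, so a
    # DC that relies on it will reject bare usernames from ntlm_auth callers.
    role = g.get("server role", "").lower()
    is_dc = "domain controller" in role
    if is_dc and is_truthy(g.get("winbind use default domain", "no")):
        findings.append((
            "warn",
            "'winbind use default domain = yes' is not honoured on an AD DC; "
            "callers must supply DOMAIN\\user or user@realm themselves",
        ))
    return findings


if __name__ == "__main__":
    for severity, message in audit_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{severity}] {message}")
```

On the sample above the audit reports the re-enabled "ntlm auth" as a weak setting and warns about the DC-side 'winbind use default domain'; with the three auth options left at their defaults and no DC role, it returns no findings.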