David Herselman
2017-Jun-14 06:58 UTC
[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
Hi Rowland, I did enable NTLMv1 to provide necessary support for pppd for PPTP VPN connections and that's working as expected. I however do not find any release notes pertaining to 'winbind use default domain = yes' no longer working on a Samba DC. The Samba man pages appear to detail options which apply to winbindd (https://www.samba.org/samba/docs/man/manpages/winbindd.8.html), which includes the 'winbind use default domain' option. The only reference to this not working on a Samba DC was a post I stumbled on from a while ago where the claim wasn't substantiated and indicated that none of the winbind options in smb.conf applied. Everything worked perfectly on 4.4.5, could you point me somewhere where this was discussed and possibly a work around, as it breaks legacy mail processing? Are the ntlm_auth problems pertaining to the following debug not an issue and as such acceptable?: [2017/06/12 15:46:21.303848, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY PS: Apologies about the late reply, I only discovered your reply on the samba mailing list archive. It would appear that it takes a while before new subscribers start receiving messages... Regards David Herselman -----Original Message----- From: Rowland Penny Sent: Mon Jun 12 15:52:40 UTC 2017 To: 'samba at lists.samba.org' <samba at lists.samba.org> Subject: RE: [Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth On Mon, 12 Jun 2017 13:56:14 +0000 David Herselman via samba <samba at lists.samba.org> wrote:> Hi everyone, > > We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be > experiencing a problem with authentication, when the RPC domain is > not supplied as part of the username. >'winbind use default domain = yes' doesn't work on a DC I think your main problem can be explained by this extract from the release notes for 4.5.0: NTLMv1 authentication disabled by default ----------------------------------------- In order to improve security we have changed the default value for the "ntlm auth" option from "yes" to "no". This may have impact on very old clients which doesn't support NTLMv2 yet. The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. By default, Samba will only allow NTLMv2 via NTLMSSP now, as we have the following default "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no". Rowland
Rowland Penny
2017-Jun-14 08:34 UTC
[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
On Wed, 14 Jun 2017 06:58:18 +0000 David Herselman <dhe at syrex.co> wrote:> Hi Rowland, > > I did enable NTLMv1 to provide necessary support for pppd for PPTP > VPN connections and that's working as expected.OK, but I suggest you find a more secure way of doing things.> I however do not > find any release notes pertaining to 'winbind use default domain > yes' no longer working on a Samba DC.This could be, as far as I am aware, it has never worked on a DC.> The Samba man pages appear to > detail options which apply to winbindd > (https://www.samba.org/samba/docs/man/manpages/winbindd.8.html), > which includes the 'winbind use default domain' option. The only > reference to this not working on a Samba DC was a post I stumbled on > from a while ago where the claim wasn't substantiated and indicated > that none of the winbind options in smb.conf applied.There isn't anything in 'man smb.conf' either, but there is this in the release notes for 4.6.0: ID Mapping We discovered that the majority of users have an invalid or incorrect ID mapping configuration. We implemented checks in the 'testparm' tool to validate the ID mapping configuration. You should run it and check if it prints any warnings or errors after upgrading! If it does you should fix them. See the 'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage. There are some ID mapping backends which are not allowed to be used for the default backend. Winbind will no longer start if an invalid backend is configured as the default backend. To avoid problems in future we advise all users to run 'testparm' after changing the smb.conf file!> > Everything worked perfectly on 4.4.5, could you point me somewhere > where this was discussed and possibly a work around, as it breaks > legacy mail processing?Can you prove it worked on 4.4.5, if so, there must have been a regression and you could try filing a bug report. I must however point out again, that ''winbind use default domain = yes' never worked for me on a DC, so I never tried setting it. It may be that a change unintentionally made it work, but another later change stopped it working again.> > Are the ntlm_auth problems pertaining to the following debug not an > issue and as such acceptable?: [2017/06/12 15:46:21.303848, 1, > pid=31947, effective(0, 0), real(0, 0), > class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport) > rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create > NETLOGON credentials: NT_STATUS_NO_MEMORYSomething like this is never acceptable, provide Samba is set up correctly in the first place.> > PS: Apologies about the late reply, I only discovered your reply on > the samba mailing list archive. It would appear that it takes a while > before new subscribers start receiving messages... >Do not worry about replying late, you were faster than a lot of people ;-) Unless something has changed, you should start receiving messages almost immediately, but it looks like whatever the problem was, you are now getting them. Rowland
Possibly Parallel Threads
- 'winbind use default domain' doesn't appear to work with ntlm_auth
- upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap
- ntlm_auth only supports ntlmv1 and not ntlmv2 ?
- Fwd: ntlm_auth and freeradius
- Fwd: ntlm_auth and freeradius