Andrew Bartlett
2020-Apr-22 20:08 UTC
[Samba] Samba update cause windows incorrect password
On Wed, 2020-04-22 at 20:01 +0100, Rowland penny via samba wrote:> On 22/04/2020 19:25, Enrico Morelli via samba wrote: > > > On 22/04/2020 16:06, Enrico Morelli via samba wrote: > > > > Dear, > > > > > > > > on my debian system I upgraded samba from 4.5.16 to 4.9.5. My > > > > samba > > > > server is configured as domain controller. > > > > > > > > Now happens a strange thing. From a windows 10 client I'm able > > > > to login > > > > with a domain user without problem. But if I logout and try to > > > > enter > > > > the password for the same user, Windows tells me that the > > > > password is > > > > incorrect. > > > > > > > > To be able to loing, I've to select Other User, enter username > > > > and > > > > password and all works fine. But if I logout and enter the same > > > > password, Windows tells me "Incorrect password". > > > > > > Apart from multiple default lines, there doesn't seem to anything > really > wrong with your smb.conf, so it looks like this could be yet another > reason to not use Windows 10 with an NT4-style PDC. > > You could try raising the log level, add 'log level = 10' to the > smb.conf and restart Samba, but beware, this will lead to a lot of > output.Thanks Rowland. This is the right approach. Once we get that, we should be (even log level 5 would show it) able to work out what username form was being sent in both cases, and see if we can map between them. Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Enrico Morelli
2020-Apr-24 10:38 UTC
[Samba] Samba update cause windows incorrect password
On Thu, 23 Apr 2020 08:08:39 +1200 Andrew Bartlett via samba <samba at lists.samba.org> wrote:> On Wed, 2020-04-22 at 20:01 +0100, Rowland penny via samba wrote: > > On 22/04/2020 19:25, Enrico Morelli via samba wrote: > > > > On 22/04/2020 16:06, Enrico Morelli via samba wrote: > > > > > Dear, > > > > > > > > > > on my debian system I upgraded samba from 4.5.16 to 4.9.5. My > > > > > samba > > > > > server is configured as domain controller. > > > > > > > > > > Now happens a strange thing. From a windows 10 client I'm able > > > > > to login > > > > > with a domain user without problem. But if I logout and try to > > > > > enter > > > > > the password for the same user, Windows tells me that the > > > > > password is > > > > > incorrect. > > > > > > > > > > To be able to loing, I've to select Other User, enter username > > > > > and > > > > > password and all works fine. But if I logout and enter the > > > > > same password, Windows tells me "Incorrect password". > > > > > > > > > Apart from multiple default lines, there doesn't seem to anything > > really > > wrong with your smb.conf, so it looks like this could be yet > > another reason to not use Windows 10 with an NT4-style PDC. > > > > You could try raising the log level, add 'log level = 10' to the > > smb.conf and restart Samba, but beware, this will lead to a lot of > > output. > > Thanks Rowland. This is the right approach. Once we get that, we > should be (even log level 5 would show it) able to work out what > username form was being sent in both cases, and see if we can map > between them. > > Andrew Bartlett >I'd set the loglevel to 5 and happens a strange thing: SAM Logon (Interactive). Domain:[CERMDOMAIN]. User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN] [2020/04/24 12:04:50.144675, 5] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1628(_netr_LogonSamLogon_base) Attempting validation level 3 for unmapped username visitor2. [2020/04/24 12:04:50.144698, 5] ../source3/auth/auth.c:412(load_auth_module) load_auth_module: Attempting to find an auth method to match sam_netlogon3 [2020/04/24 12:04:50.144715, 5] ../source3/auth/auth.c:437(load_auth_module) load_auth_module: auth method sam_netlogon3 has a valid init [2020/04/24 12:04:50.144729, 5] ../source3/auth/auth.c:412(load_auth_module) load_auth_module: Attempting to find an auth method to match winbind [2020/04/24 12:04:50.144743, 5] ../source3/auth/auth.c:437(load_auth_module) load_auth_module: auth method winbind has a valid init [2020/04/24 12:04:50.144894, 5] ../source3/auth/auth_util.c:122(make_user_info_map) Mapping user [DOMAIN]\[visitor2] from workstation [STUDENTI2] [2020/04/24 12:04:50.144910, 5] ../source3/auth/user_info.c:64(make_user_info) attempting to make a user_info for visitor2 (visitor2) [2020/04/24 12:04:50.144962, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password) check_ntlm_password: Checking password for unmapped user [DOMAIN]\[visitor2]@[STUDENTI2] with the new password interface [2020/04/24 12:04:50.144978, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password) check_ntlm_password: mapped user is: [DOMAIN]\[visitor2]@[STUDENTI2] [2020/04/24 12:04:50.145020, 5] ../source3/auth/auth_sam.c:162(auth_sam_netlogon3_auth) auth_sam_netlogon3_auth: DOMAIN is not our domain name (DC for CERMDOMAIN) 2020/04/24 12:04:50.145228, 5] ../source3/auth/auth.c:251(auth_check_ntlm_password) auth_check_ntlm_password: winbind authentication for user [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0 [2020/04/24 12:04:50.145246, 2] ../source3/auth/auth.c:334(auth_check_ntlm_password) check_ntlm_password: Authentication for user [visitor2] -> [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0 [2020/04/24 12:04:50.145276, 2] ../auth/auth_log.c:610(log_authentication_event_human_readable) Auth: [SamLogon,(null)] user [DOMAIN]\[visitor2] at [Fri, 24 Apr 2020 12:04:50.145263 CEST] with [Supplied-NT-Hash] status [NT_STATUS_NO_SUCH_USER] workstation [STUDENTI2] remote host [ipv4:192.168.100.12:51475] mapped to [DOMAIN]\[visitor2]. local host [ipv4:192.168.100.27:445] Seems like the studenti2 PC is in a wrong domain, but I checked that and it is on the correct CERMDOMAIN domain. In the past we had an old samba server that served as DC for DOMAIN domain. But now, all the machine are configured to use the new domain and before the update all worked fine. I'm very confused because this is the behavior of all the windows 10 machines in the domain. I also tried to remove the studenti2 machine from the domain and put it again without any result. -- ----------------------------------------------------------- Enrico Morelli System Administrator | Programmer | Web Developer CERM - Polo Scientifico via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY ------------------------------------------------------------
On 24/04/2020 11:38, Enrico Morelli via samba wrote:> On Thu, 23 Apr 2020 08:08:39 +1200 > Andrew Bartlett via samba <samba at lists.samba.org> wrote: > >> On Wed, 2020-04-22 at 20:01 +0100, Rowland penny via samba wrote: >>> On 22/04/2020 19:25, Enrico Morelli via samba wrote: >>>>> On 22/04/2020 16:06, Enrico Morelli via samba wrote: >>>>>> Dear, >>>>>> >>>>>> on my debian system I upgraded samba from 4.5.16 to 4.9.5. My >>>>>> samba >>>>>> server is configured as domain controller. >>>>>> >>>>>> Now happens a strange thing. From a windows 10 client I'm able >>>>>> to login >>>>>> with a domain user without problem. But if I logout and try to >>>>>> enter >>>>>> the password for the same user, Windows tells me that the >>>>>> password is >>>>>> incorrect. >>>>>> >>>>>> To be able to loing, I've to select Other User, enter username >>>>>> and >>>>>> password and all works fine. But if I logout and enter the >>>>>> same password, Windows tells me "Incorrect password". >>>>>> >>> Apart from multiple default lines, there doesn't seem to anything >>> really >>> wrong with your smb.conf, so it looks like this could be yet >>> another reason to not use Windows 10 with an NT4-style PDC. >>> >>> You could try raising the log level, add 'log level = 10' to the >>> smb.conf and restart Samba, but beware, this will lead to a lot of >>> output. >> Thanks Rowland. This is the right approach. Once we get that, we >> should be (even log level 5 would show it) able to work out what >> username form was being sent in both cases, and see if we can map >> between them. >> >> Andrew Bartlett >> > I'd set the loglevel to 5 and happens a strange thing: > > SAM Logon (Interactive). Domain:[CERMDOMAIN]. > User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN] > [2020/04/24 12:04:50.144675, > 5] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1628(_netr_LogonSamLogon_base) > Attempting validation level 3 for unmapped username visitor2. > [2020/04/24 12:04:50.144698, > 5] ../source3/auth/auth.c:412(load_auth_module) load_auth_module: > Attempting to find an auth method to match sam_netlogon3 [2020/04/24 > 12:04:50.144715, 5] ../source3/auth/auth.c:437(load_auth_module) > load_auth_module: auth method sam_netlogon3 has a valid init > [2020/04/24 12:04:50.144729, > 5] ../source3/auth/auth.c:412(load_auth_module) load_auth_module: > Attempting to find an auth method to match winbind [2020/04/24 > 12:04:50.144743, 5] ../source3/auth/auth.c:437(load_auth_module) > load_auth_module: auth method winbind has a valid init [2020/04/24 > 12:04:50.144894, > 5] ../source3/auth/auth_util.c:122(make_user_info_map) Mapping user > [DOMAIN]\[visitor2] from workstation [STUDENTI2] [2020/04/24 > 12:04:50.144910, 5] ../source3/auth/user_info.c:64(make_user_info) > attempting to make a user_info for visitor2 (visitor2) > [2020/04/24 12:04:50.144962, > 3] ../source3/auth/auth.c:189(auth_check_ntlm_password) > check_ntlm_password: Checking password for unmapped user > [DOMAIN]\[visitor2]@[STUDENTI2] with the new password interface > [2020/04/24 12:04:50.144978, > 3] ../source3/auth/auth.c:192(auth_check_ntlm_password) > check_ntlm_password: mapped user is: [DOMAIN]\[visitor2]@[STUDENTI2] > [2020/04/24 12:04:50.145020, > 5] ../source3/auth/auth_sam.c:162(auth_sam_netlogon3_auth) > auth_sam_netlogon3_auth: DOMAIN is not our domain name (DC for > CERMDOMAIN) > 2020/04/24 12:04:50.145228, > 5] ../source3/auth/auth.c:251(auth_check_ntlm_password) > auth_check_ntlm_password: winbind authentication for user [visitor2] > FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0 [2020/04/24 > 12:04:50.145246, > 2] ../source3/auth/auth.c:334(auth_check_ntlm_password) > check_ntlm_password: Authentication for user [visitor2] -> [visitor2] > FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0 [2020/04/24 > 12:04:50.145276, > 2] ../auth/auth_log.c:610(log_authentication_event_human_readable) > Auth: [SamLogon,(null)] user [DOMAIN]\[visitor2] at [Fri, 24 Apr 2020 > 12:04:50.145263 CEST] with [Supplied-NT-Hash] status > [NT_STATUS_NO_SUCH_USER] workstation [STUDENTI2] remote host > [ipv4:192.168.100.12:51475] mapped to [DOMAIN]\[visitor2]. local host > [ipv4:192.168.100.27:445] > > > Seems like the studenti2 PC is in a wrong domain, but I checked that and > it is on the correct CERMDOMAIN domain. > In the past we had an old samba server that served as DC for DOMAIN > domain. But now, all the machine are configured to use the new domain > and before the update all worked fine. > > I'm very confused because this is the behavior of all the windows 10 > machines in the domain. > > I also tried to remove the studenti2 machine from the domain and > put it again without any result. >Problem is that you posted this in your smb.conf: ??? workgroup = DOMAIN Is the 'DOMAIN' actually 'CERMDOMAIN' ? or is it something else ? Rowland