Girouard, Yvon
2021-Jan-15 15:58 UTC
[Samba] Authentication problems with AD after migration of Samba from 3.5 to 3.6
Hi,
We have updated Samba from 3.5 to 3.6 on 2 Linux RedHat 5.8 servers, both
authenticating with AD. On the first server everything is working as expected.
On the second server, authentication with AD does not work. The OS version and
configuration files are the same on both servers.
Nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns winbind
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
sudoers: files ldap
krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FDOM:/var/log/kadmind.log
[libdefaults]
default_realm = DOM.REG.QC.CA
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
DOM.REG.QC.CA = {
default_domain = DOM.REG.QC.CA
}
[domain_realm]
.dom.reg.qc.ca = DOM.REG.QC.CA
dom.reg.qc.ca = DOM.REG.QC.CA
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Smb.conf
[global]
workgroup = DOM
realm = DOM.REG.QC.CA
netbios name = SERVER123
ldap timeout = 200
local master = no
preferred master = no
server string = Samba Server Version %v
security = ADS
encrypt passwords = yes
log level = 10
log file = /var/log/samba/%m.log
max log size = 102400
template shell = /bin/false
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind expand groups = 3
winbind separator = +
idmap config * : backend = tdb
idmap config * : range = 120000-199999
idmap config DOM : range = 20000-99999
max protocol = SMB2
inherit acls = Yes
store dos attributes = yes
winbind cache time = 3600
[sharefs]
path = /sharefs
browseable = yes
writeable = yes
inherit permissions = yes
force group = images-rw
create mask = 0664
directory mask = 2775
valid users = @shareauth, @shareadmin
write list = @shareauth, @shareadmin
Logs on the server that is working
[2021/01/14 14:48:29.804475, 6] param/loadparm.c:7542(lp_file_list_changed)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Thu Jan 14
14:36:06 2021
[2021/01/14 14:48:29.804619, 5] auth/auth_util.c:111(make_user_info_map)
Mapping user [DOM]\[user86] from workstation [WS1108286]
[2021/01/14 14:48:29.805772, 5] auth/user_info.c:59(make_user_info)
attempting to make a user_info for user86 (user86)
[2021/01/14 14:48:29.805851, 5] auth/user_info.c:70(make_user_info)
making strings for user86's user_info struct
[2021/01/14 14:48:29.805912, 5] auth/user_info.c:87(make_user_info)
making blobs for user86's user_info struct
[2021/01/14 14:48:29.805971, 10] auth/user_info.c:123(make_user_info)
made a user_info for user86 (user86)
[2021/01/14 14:48:29.806029, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[DOM]\[user86]@[WS1108286] with the new password interface
[2021/01/14 14:48:29.806089, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is: [DOM]\[user86]@[WS1108286]
[2021/01/14 14:48:29.806147, 10] auth/auth.c:231(check_ntlm_password)
check_ntlm_password: auth_context challenge created by random
[2021/01/14 14:48:29.806205, 10] auth/auth.c:233(check_ntlm_password)
challenge is:
[2021/01/14 14:48:29.806262, 5] ../lib/util/util.c:415(dump_data)
[0000] 3C 3F F5 E8 F2 9A A1 2A <?.....*
[2021/01/14 14:48:29.806341, 10] auth/auth_builtin.c:44(check_guest_security)
Check auth for: [user86]
[2021/01/14 14:48:29.806399, 10] auth/auth.c:269(check_ntlm_password)
check_ntlm_password: guest had nothing to say
[2021/01/14 14:48:29.806460, 10] auth/auth_sam.c:75(auth_samstrict_auth)
Check auth for: [user86]
[2021/01/14 14:48:29.806517, 8] lib/util.c:1521(is_myname)
is_myname("DOM") returns 0
[2021/01/14 14:48:29.806576, 6] auth/auth_sam.c:88(auth_samstrict_auth)
check_samstrict_security: DOM is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2021/01/14 14:48:29.806637, 10] auth/auth.c:269(check_ntlm_password)
check_ntlm_password: sam had nothing to say
[2021/01/14 14:48:29.806698, 10] auth/auth_winbind.c:50(check_winbind_security)
Check auth for: [user86]
[2021/01/14 14:48:29.806757, 4] smbd/sec_ctx.c:214(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2021/01/14 14:48:29.806819, 4] smbd/uid.c:460(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2021/01/14 14:48:29.806878, 4] smbd/sec_ctx.c:314(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/01/14 14:48:29.806936, 5]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2021/01/14 14:48:29.806993, 5] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2021/01/14 14:48:29.910449, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/01/14 14:48:29.910569, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user DOM+user86
[2021/01/14 14:48:29.910633, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is dom+user86
[2021/01/14 14:48:30.162671, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals did find user [DOM+user86]!
[2021/01/14 14:48:30.162775, 3] auth/auth.c:278(check_ntlm_password)
check_ntlm_password: winbind authentication for user [user86] succeeded
Log on server that is not working
[2020/12/21 18:10:52.075178, 6] param/loadparm.c:7542(lp_file_list_changed)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Dec 21
18:01:24 2020
[2020/12/21 18:10:52.076322, 5] auth/auth_util.c:111(make_user_info_map)
Mapping user [DOM]\[user86] from workstation [WS1108286]
[2020/12/21 18:10:52.078983, 5] auth/user_info.c:59(make_user_info)
attempting to make a user_info for user86 (user86)
[2020/12/21 18:10:52.079546, 5] auth/user_info.c:70(make_user_info)
making strings for user86's user_info struct
[2020/12/21 18:10:52.080100, 5] auth/user_info.c:87(make_user_info)
making blobs for user86's user_info struct
[2020/12/21 18:10:52.080676, 10] auth/user_info.c:123(make_user_info)
made a user_info for user86 (user86)
[2020/12/21 18:10:52.081229, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[DOM]\[user86]@[WS1108286] with the new password interface
[2020/12/21 18:10:52.081795, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is: [DOM]\[user86]@[WS1108286]
[2020/12/21 18:10:52.082348, 10] auth/auth.c:231(check_ntlm_password)
check_ntlm_password: auth_context challenge created by random
[2020/12/21 18:10:52.082903, 10] auth/auth.c:233(check_ntlm_password)
challenge is:
[2020/12/21 18:10:52.083453, 5] ../lib/util/util.c:415(dump_data)
[0000] 80 1A E7 6C D3 12 AE 23 ...l...#
[2020/12/21 18:10:52.084029, 10] auth/auth_builtin.c:44(check_guest_security)
Check auth for: [user86]
[2020/12/21 18:10:52.084583, 10] auth/auth.c:269(check_ntlm_password)
check_ntlm_password: guest had nothing to say
[2020/12/21 18:10:52.085139, 10] auth/auth_sam.c:75(auth_samstrict_auth)
Check auth for: [user86]
[2020/12/21 18:10:52.085691, 8] lib/util.c:1521(is_myname)
is_myname("DOM") returns 0
[2020/12/21 18:10:52.086250, 6] auth/auth_sam.c:88(auth_samstrict_auth)
check_samstrict_security: DOM is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2020/12/21 18:10:52.086809, 10] auth/auth.c:269(check_ntlm_password)
check_ntlm_password: sam had nothing to say
[2020/12/21 18:10:52.087364, 10] auth/auth_winbind.c:50(check_winbind_security)
Check auth for: [user86]
[2020/12/21 18:10:52.087977, 4] smbd/sec_ctx.c:214(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2020/12/21 18:10:52.088565, 4] smbd/uid.c:460(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/12/21 18:10:52.089129, 4] smbd/sec_ctx.c:314(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/12/21 18:10:52.089682, 5]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2020/12/21 18:10:52.090235, 5] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2020/12/21 18:10:52.154608, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/12/21 18:10:52.155917, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user DOM+user86
[2020/12/21 18:10:52.157044, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is dom+user86
[2020/12/21 18:10:52.159178, 5] lib/username.c:124(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is DOM+user86
[2020/12/21 18:10:52.161287, 5] lib/username.c:134(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is DOM+UDUBO86
[2020/12/21 18:10:52.163367, 5] lib/username.c:143(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in dom+user86
[2020/12/21 18:10:52.164553, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [DOM+user86]!
[2020/12/21 18:10:52.165684, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user user86
[2020/12/21 18:10:52.166806, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is user86
[2020/12/21 18:10:52.168885, 5] lib/username.c:134(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is UDUBO86
[2020/12/21 18:10:52.171035, 5] lib/username.c:143(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in user86
[2020/12/21 18:10:52.172165, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [user86]!
[2020/12/21 18:10:52.173804, 3] auth/auth_util.c:1087(check_account)
Failed to find authenticated user DOM+user86 via getpwnam(), denying access.
[2020/12/21 18:10:52.174950, 5] auth/auth.c:281(check_ntlm_password)
check_ntlm_password: winbind authentication for user [user86] FAILED with
error NT_STATUS_NO_SUCH_USER
[2020/12/21 18:10:52.176084, 2] auth/auth.c:330(check_ntlm_password)
check_ntlm_password: Authentication for user [user86] -> [user86] FAILED
with error NT_STATUS_NO_SUCH_USER
[2020/12/21 18:10:52.177247, 10]
smbd/smb2_server.c:2046(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at
smbd/smb2_sesssetup.c:94
[2020/12/21 18:10:52.178376, 10]
smbd/smb2_server.c:1949(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] body[8]
dyn[yes:1] at smbd/smb2_server.c:2076
Again, both servers were working fine before the upgrade.
Any help would be appreciated.
Thanks,
Y.
Rowland Penny
2021-Jan-15 18:27 UTC
[Samba] Authentication problems with AD after migration of Samba from 3.5 to 3.6
On 15/01/2021 15:58, Girouard, Yvon via samba wrote:
> Hi,
>
> We have updated Samba from 3.5 to 3.6 on 2 Linux RedHat 5.8 servers, both authenticating with AD.

Is there some reason why you upgraded to a dead version of Samba ? On a dead OS ?

> On the first server everything is working as expected. On the second server, authentication with AD does not work. The OS version and configuration files are the same on both servers.
>
> Nsswitch.conf
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> hosts: files dns winbind

'winbind' should only be in the passwd & group lines.

> Smb.conf
> [global]
> workgroup = DOM
> realm = DOM.REG.QC.CA
> netbios name = SERVER123
> ldap timeout = 200
> local master = no
> preferred master = no
> server string = Samba Server Version %v
> security = ADS
> encrypt passwords = yes
> log level = 10
> log file = /var/log/samba/%m.log
> max log size = 102400
> template shell = /bin/false
> load printers = no
> show add printer wizard = no
> printcap name = /dev/null
> disable spoolss = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind expand groups = 3
> winbind separator = +
> idmap config * : backend = tdb
> idmap config * : range = 120000-199999
> idmap config DOM : range = 20000-99999

There appears to be a line missing 'idmap config DOM : backend = rid'
Though the 'rid' part could be 'ad' if you have rfc2307 attributes in AD.

> max protocol = SMB2
> inherit acls = Yes
> store dos attributes = yes
> winbind cache time = 3600
> [sharefs]
> path = /sharefs
> browseable = yes
> writeable = yes
> inherit permissions = yes
> force group = images-rw
> create mask = 0664
> directory mask = 2775
> valid users = @shareauth, @shareadmin
> write list = @shareauth, @shareadmin
>
>
>
> Log on server that is not working
>
> [2020/12/21 18:10:52.084029, 10] auth/auth_builtin.c:44(check_guest_security)
> Check auth for: [user86]
> [2020/12/21 18:10:52.084583, 10] auth/auth.c:269(check_ntlm_password)
> check_ntlm_password: guest had nothing to say
> [2020/12/21 18:10:52.085139, 10] auth/auth_sam.c:75(auth_samstrict_auth)
> Check auth for: [user86]
> [2020/12/21 18:10:52.085691, 8] lib/util.c:1521(is_myname)
> is_myname("DOM") returns 0
> [2020/12/21 18:10:52.086250, 6] auth/auth_sam.c:88(auth_samstrict_auth)
> check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
> [2020/12/21 18:10:52.086809, 10] auth/auth.c:269(check_ntlm_password)
> check_ntlm_password: sam had nothing to say
> [2020/12/21 18:10:52.087364, 10] auth/auth_winbind.c:50(check_winbind_security)
> Check auth for: [user86]
> [2020/12/21 18:10:52.087977, 4] smbd/sec_ctx.c:214(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2020/12/21 18:10:52.088565, 4] smbd/uid.c:460(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2020/12/21 18:10:52.089129, 4] smbd/sec_ctx.c:314(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2020/12/21 18:10:52.089682, 5] ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2020/12/21 18:10:52.090235, 5] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2020/12/21 18:10:52.154608, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2020/12/21 18:10:52.155917, 5] lib/username.c:171(Get_Pwnam_alloc)
> Finding user DOM+user86
> [2020/12/21 18:10:52.157044, 5] lib/username.c:116(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as lowercase is dom+user86
> [2020/12/21 18:10:52.159178, 5] lib/username.c:124(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as given is DOM+user86
> [2020/12/21 18:10:52.161287, 5] lib/username.c:134(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as uppercase is DOM+UDUBO86

Why did 'user86' change to 'UDUB086' ??????

Rowland
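Added example, not part of the thread and not Samba project code: a small checker for the two configuration points raised in the reply above (an `idmap config` domain that has a range but no backend, and `winbind` listed in nsswitch databases other than passwd and group). It goes one step further and also reports overlapping idmap ranges; the embedded config excerpts are constructed from the lines quoted in the thread, and all function names are hypothetical.

```python
import re

# Constructed excerpts holding the lines quoted in the thread.
SMB_CONF = """[global]
workgroup = DOM
security = ADS
idmap config * : backend = tdb
idmap config * : range = 120000-199999
idmap config DOM : range = 20000-99999
"""
NSSWITCH = """passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns winbind
"""

IDMAP = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def idmap_settings(smb_conf):
    """Collect {domain: {option: value}} from 'idmap config' lines."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP.match(line)  # comment lines (# or ;) never match
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains

def domains_missing_backend(smb_conf):
    """Domains that define a range but no backend."""
    return sorted(d for d, o in idmap_settings(smb_conf).items()
                  if "range" in o and "backend" not in o)

def overlapping_ranges(smb_conf):
    """Neighbouring domains (sorted by range start) whose ID ranges intersect."""
    spans = sorted((tuple(map(int, o["range"].split("-"))), d)
                   for d, o in idmap_settings(smb_conf).items() if "range" in o)
    return [(a[1], b[1]) for a, b in zip(spans, spans[1:]) if b[0][0] <= a[0][1]]

def winbind_outside_passwd_group(nsswitch):
    """nsswitch databases other than passwd/group that list winbind."""
    hits = []
    for line in nsswitch.splitlines():
        db, sep, sources = line.split("#", 1)[0].partition(":")
        if sep and "winbind" in sources.split() and db.strip() not in ("passwd", "group"):
            hits.append(db.strip())
    return hits

if __name__ == "__main__":
    print("missing backend:", domains_missing_backend(SMB_CONF))
    print("overlapping ranges:", overlapping_ranges(SMB_CONF))
    print("winbind outside passwd/group:", winbind_outside_passwd_group(NSSWITCH))
```

Running the same functions over the real `/etc/samba/smb.conf` and `/etc/nsswitch.conf` from both servers gives a quick way to confirm whether the two hosts actually carry identical settings.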