Girouard, Yvon
2021-Jan-15 15:58 UTC
[Samba] Authentication problems with AD after migration of Samba from 3.5 to 3.6
Hi,

We have updated Samba from 3.5 to 3.6 on 2 Linux RedHat 5.8 servers, both authenticating with AD.

On the first server everything is working as expected. On the second server, authentication with AD does not work. The OS version and configuration files are the same on both servers.

Nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns winbind
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
sudoers: files ldap

krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FDOM:/var/log/kadmind.log
[libdefaults]
default_realm = DOM.REG.QC.CA
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
DOM.REG.QC.CA = {
  default_domain = DOM.REG.QC.CA
}
[domain_realm]
.dom.reg.qc.ca = DOM.REG.QC.CA
dom.reg.qc.ca = DOM.REG.QC.CA
[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

Smb.conf
[global]
workgroup = DOM
realm = DOM.REG.QC.CA
netbios name = SERVER123
ldap timeout = 200
local master = no
preferred master = no
server string = Samba Server Version %v
security = ADS
encrypt passwords = yes
log level = 10
log file = /var/log/samba/%m.log
max log size = 102400
template shell = /bin/false
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind expand groups = 3
winbind separator = +
idmap config * : backend = tdb
idmap config * : range = 120000-199999
idmap config DOM : range = 20000-99999
max protocol = SMB2
inherit acls = Yes
store dos attributes = yes
winbind cache time = 3600
[sharefs]
path = /sharefs
browseable = yes
writeable = yes
inherit permissions = yes
force group = images-rw
create mask = 0664
directory mask = 2775
valid users = @shareauth, @shareadmin
write list = @shareauth, @shareadmin

Logs on the server that is working

[2021/01/14 14:48:29.804475, 6] param/loadparm.c:7542(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Thu Jan 14 14:36:06 2021
[2021/01/14 14:48:29.804619, 5] auth/auth_util.c:111(make_user_info_map)
  Mapping user [DOM]\[user86] from workstation [WS1108286]
[2021/01/14 14:48:29.805772, 5] auth/user_info.c:59(make_user_info)
  attempting to make a user_info for user86 (user86)
[2021/01/14 14:48:29.805851, 5] auth/user_info.c:70(make_user_info)
  making strings for user86's user_info struct
[2021/01/14 14:48:29.805912, 5] auth/user_info.c:87(make_user_info)
  making blobs for user86's user_info struct
[2021/01/14 14:48:29.805971, 10] auth/user_info.c:123(make_user_info)
  made a user_info for user86 (user86)
[2021/01/14 14:48:29.806029, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOM]\[user86]@[WS1108286] with the new password interface
[2021/01/14 14:48:29.806089, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [DOM]\[user86]@[WS1108286]
[2021/01/14 14:48:29.806147, 10] auth/auth.c:231(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2021/01/14 14:48:29.806205, 10] auth/auth.c:233(check_ntlm_password)
  challenge is:
[2021/01/14 14:48:29.806262, 5] ../lib/util/util.c:415(dump_data)
  [0000] 3C 3F F5 E8 F2 9A A1 2A <?.....*
[2021/01/14 14:48:29.806341, 10] auth/auth_builtin.c:44(check_guest_security)
  Check auth for: [user86]
[2021/01/14 14:48:29.806399, 10] auth/auth.c:269(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2021/01/14 14:48:29.806460, 10] auth/auth_sam.c:75(auth_samstrict_auth)
  Check auth for: [user86]
[2021/01/14 14:48:29.806517, 8] lib/util.c:1521(is_myname)
  is_myname("DOM") returns 0
[2021/01/14 14:48:29.806576, 6] auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
[2021/01/14 14:48:29.806637, 10] auth/auth.c:269(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2021/01/14 14:48:29.806698, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [user86]
[2021/01/14 14:48:29.806757, 4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2021/01/14 14:48:29.806819, 4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2021/01/14 14:48:29.806878, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/01/14 14:48:29.806936, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/01/14 14:48:29.806993, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/01/14 14:48:29.910449, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/01/14 14:48:29.910569, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user DOM+user86
[2021/01/14 14:48:29.910633, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is dom+user86
[2021/01/14 14:48:30.162671, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [DOM+user86]!
[2021/01/14 14:48:30.162775, 3] auth/auth.c:278(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [user86] succeeded

Log on server that is not working

[2020/12/21 18:10:52.075178, 6] param/loadparm.c:7542(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Dec 21 18:01:24 2020
[2020/12/21 18:10:52.076322, 5] auth/auth_util.c:111(make_user_info_map)
  Mapping user [DOM]\[user86] from workstation [WS1108286]
[2020/12/21 18:10:52.078983, 5] auth/user_info.c:59(make_user_info)
  attempting to make a user_info for user86 (user86)
[2020/12/21 18:10:52.079546, 5] auth/user_info.c:70(make_user_info)
  making strings for user86's user_info struct
[2020/12/21 18:10:52.080100, 5] auth/user_info.c:87(make_user_info)
  making blobs for user86's user_info struct
[2020/12/21 18:10:52.080676, 10] auth/user_info.c:123(make_user_info)
  made a user_info for user86 (user86)
[2020/12/21 18:10:52.081229, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOM]\[user86]@[WS1108286] with the new password interface
[2020/12/21 18:10:52.081795, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [DOM]\[user86]@[WS1108286]
[2020/12/21 18:10:52.082348, 10] auth/auth.c:231(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2020/12/21 18:10:52.082903, 10] auth/auth.c:233(check_ntlm_password)
  challenge is:
[2020/12/21 18:10:52.083453, 5] ../lib/util/util.c:415(dump_data)
  [0000] 80 1A E7 6C D3 12 AE 23 ...l...#
[2020/12/21 18:10:52.084029, 10] auth/auth_builtin.c:44(check_guest_security)
  Check auth for: [user86]
[2020/12/21 18:10:52.084583, 10] auth/auth.c:269(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2020/12/21 18:10:52.085139, 10] auth/auth_sam.c:75(auth_samstrict_auth)
  Check auth for: [user86]
[2020/12/21 18:10:52.085691, 8] lib/util.c:1521(is_myname)
  is_myname("DOM") returns 0
[2020/12/21 18:10:52.086250, 6] auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
[2020/12/21 18:10:52.086809, 10] auth/auth.c:269(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2020/12/21 18:10:52.087364, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [user86]
[2020/12/21 18:10:52.087977, 4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2020/12/21 18:10:52.088565, 4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/12/21 18:10:52.089129, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/12/21 18:10:52.089682, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/12/21 18:10:52.090235, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/12/21 18:10:52.154608, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/12/21 18:10:52.155917, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user DOM+user86
[2020/12/21 18:10:52.157044, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is dom+user86
[2020/12/21 18:10:52.159178, 5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is DOM+user86
[2020/12/21 18:10:52.161287, 5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is DOM+UDUBO86
[2020/12/21 18:10:52.163367, 5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in dom+user86
[2020/12/21 18:10:52.164553, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [DOM+user86]!
[2020/12/21 18:10:52.165684, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user user86
[2020/12/21 18:10:52.166806, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is user86
[2020/12/21 18:10:52.168885, 5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is UDUBO86
[2020/12/21 18:10:52.171035, 5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in user86
[2020/12/21 18:10:52.172165, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [user86]!
[2020/12/21 18:10:52.173804, 3] auth/auth_util.c:1087(check_account)
  Failed to find authenticated user DOM+user86 via getpwnam(), denying access.
[2020/12/21 18:10:52.174950, 5] auth/auth.c:281(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [user86] FAILED with error NT_STATUS_NO_SUCH_USER
[2020/12/21 18:10:52.176084, 2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password: Authentication for user [user86] -> [user86] FAILED with error NT_STATUS_NO_SUCH_USER
[2020/12/21 18:10:52.177247, 10] smbd/smb2_server.c:2046(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at smbd/smb2_sesssetup.c:94
[2020/12/21 18:10:52.178376, 10] smbd/smb2_server.c:1949(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] body[8] dyn[yes:1] at smbd/smb2_server.c:2076

Again both servers were working fine before the upgrade.

Any help would be appreciated.

Thanks,
Y.
Rowland Penny
2021-Jan-15 18:27 UTC
[Samba] Authentication problems with AD after migration of Samba from 3.5 to 3.6
On 15/01/2021 15:58, Girouard, Yvon via samba wrote:
> Hi,
>
> We have updated Samba from 3.5 to 3.6 on 2 Linux RedHat 5.8 servers, both authenticating with AD.

Is there some reason why you upgraded to a dead version of Samba ? On a dead OS ?

> On the first server everything is working as expected. On the second server, authentication with AD does not work. The OS version and configuration files are the same on both servers.
>
> Nsswitch.conf
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> hosts: files dns winbind

'winbind' should only be in the passwd & group lines.

> Smb.conf
> [global]
> workgroup = DOM
> realm = DOM.REG.QC.CA
> netbios name = SERVER123
> ldap timeout = 200
> local master = no
> preferred master = no
> server string = Samba Server Version %v
> security = ADS
> encrypt passwords = yes
> log level = 10
> log file = /var/log/samba/%m.log
> max log size = 102400
> template shell = /bin/false
> load printers = no
> show add printer wizard = no
> printcap name = /dev/null
> disable spoolss = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind expand groups = 3
> winbind separator = +
> idmap config * : backend = tdb
> idmap config * : range = 120000-199999
> idmap config DOM : range = 20000-99999

There appears to be a line missing 'idmap config DOM : backend = rid'
Though the 'rid' part could be 'ad' if you have rfc2307 attributes in AD.

> max protocol = SMB2
> inherit acls = Yes
> store dos attributes = yes
> winbind cache time = 3600
> [sharefs]
> path = /sharefs
> browseable = yes
> writeable = yes
> inherit permissions = yes
> force group = images-rw
> create mask = 0664
> directory mask = 2775
> valid users = @shareauth, @shareadmin
> write list = @shareauth, @shareadmin
>
>
>
> Log on server that is not working
>
> [2020/12/21 18:10:52.084029, 10] auth/auth_builtin.c:44(check_guest_security)
> Check auth for: [user86]
> [2020/12/21 18:10:52.084583, 10] auth/auth.c:269(check_ntlm_password)
> check_ntlm_password: guest had nothing to say
> [2020/12/21 18:10:52.085139, 10] auth/auth_sam.c:75(auth_samstrict_auth)
> Check auth for: [user86]
> [2020/12/21 18:10:52.085691, 8] lib/util.c:1521(is_myname)
> is_myname("DOM") returns 0
> [2020/12/21 18:10:52.086250, 6] auth/auth_sam.c:88(auth_samstrict_auth)
> check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
> [2020/12/21 18:10:52.086809, 10] auth/auth.c:269(check_ntlm_password)
> check_ntlm_password: sam had nothing to say
> [2020/12/21 18:10:52.087364, 10] auth/auth_winbind.c:50(check_winbind_security)
> Check auth for: [user86]
> [2020/12/21 18:10:52.087977, 4] smbd/sec_ctx.c:214(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2020/12/21 18:10:52.088565, 4] smbd/uid.c:460(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2020/12/21 18:10:52.089129, 4] smbd/sec_ctx.c:314(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2020/12/21 18:10:52.089682, 5] ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2020/12/21 18:10:52.090235, 5] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2020/12/21 18:10:52.154608, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2020/12/21 18:10:52.155917, 5] lib/username.c:171(Get_Pwnam_alloc)
> Finding user DOM+user86
> [2020/12/21 18:10:52.157044, 5] lib/username.c:116(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as lowercase is dom+user86
> [2020/12/21 18:10:52.159178, 5] lib/username.c:124(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as given is DOM+user86
> [2020/12/21 18:10:52.161287, 5] lib/username.c:134(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as uppercase is DOM+UDUBO86

Why did 'user86' change to 'UDUB086' ??????

Rowland