Rowland, the output from testparm is at the end of this message.
In the meantime I set client NTLMv2 auth = No. Now smbclient on the
same server also uses NTLMv1, and that works.
But it does not work for the PLC / micro-device; that always leads to the log message:
check_ntlm_password: Authentication for user [ USER ] -> [ USER ] FAILED
with error NT_STATUS_NO_SUCH_USER, authoritative=1
Here is a log entry from last year. The section -> [DOMAIN\ USER ] is
missing today. Maybe it is not a problem with NTLMv1 but something in the
user mapping?
[2021/10/04 03:52:15.251868, 2]
../../source3/auth/auth.c:328(auth_check_ntlm_password)
check_ntlm_password: authentication for user [USER] -> [ USER ] ->
[DOMAIN\ USER ] succeeded
testparm -v :
[global]
abort shutdown script add group script additional dns
hostnames add machine script addport command addprinter
command add share command add user script add user to
group script afs token lifetime = 604800
afs username map aio max threads = 100
algorithmic rid base = 1000
allow dcerpc auth level connect = No
allow dns updates = secure only
allow insecure wide links = No
allow nt4 crypto = No
allow trusted domains = Yes
allow unsafe cluster upgrade = No
apply group policies = No
async dns timeout = 10
async smb echo handler = No
auth event notification = No
auto services binddns dir = /var/lib/samba/bind-dns
bind interfaces only = No
browse list = Yes
cache directory = /var/lib/samba
change notify = Yes
change share command check password script cldap port =
389
client ipc max protocol = default
client ipc min protocol = default
client ipc signing = default
client lanman auth = No
client ldap sasl wrapping = sign
client max protocol = default
client min protocol = NT1
client NTLMv2 auth = No
client plaintext auth = No
client schannel = Yes
client signing = default
client smb encrypt = default
client use spnego principal = No
client use spnego = Yes
cluster addresses clustering = No
config backend = file
config file create krb5 conf = Yes
ctdbd socket ctdb locktime warn threshold = 0
ctdb timeout = 0
cups connection timeout = 30
cups encrypt = No
cups server dcerpc endpoint servers = epmapper, wkssvc, rpcecho,
samr,
netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver
deadtime = 10080
debug class = No
debug encryption = No
debug hires timestamp = Yes
debug pid = No
debug prefix timestamp = No
debug uid = No
dedicated keytab file default service defer sharing
violations = Yes
delete group script deleteprinter command delete share
command delete user from group script delete user script
dgram port = 138
disable netbios = No
disable spoolss = No
dns forwarder dns proxy = Yes
dns update command = /usr/sbin/samba_dnsupdate
dns zone scavenging = No
domain logons = No
domain master = Auto
dos charset = CP850
dsdb event notification = No
dsdb group change notification = No
dsdb password event notification = No
enable asu support = No
enable core files = Yes
enable privileges = Yes
encrypt passwords = Yes
enhanced browsing = Yes
enumports command eventlog list get quota command
getwd cache = Yes
gpo update command = /usr/sbin/samba-gpupdate
guest account = nobody
homedir map host msdfs = Yes
hostname lookups = No
idmap backend = tdb
idmap cache time = 604800
idmap gid idmap negative cache time = 120
idmap uid include system krb5 conf = Yes
init logon delay = 100
init logon delayed hosts interfaces iprint server
keepalive = 300
kerberos encryption types = all
kerberos method = secrets and keytab
kernel change notify = Yes
kpasswd port = 464
krb5 port = 88
lanman auth = Yes
large readwrite = Yes
ldap admin dn ldap connection timeout = 2
ldap debug level = 0
ldap debug threshold = 10
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
ldap group suffix ldap idmap suffix ldap machine suffix
ldap max anonymous request size = 256000
ldap max authenticated request size = 16777216
ldap max search request size = 256000
ldap page size = 1000
ldap passwd sync = no
ldap replication sleep = 1000
ldap server require strong auth = Yes
ldap ssl = start tls
ldap suffix ldap timeout = 15
ldap user suffix lm announce = Auto
lm interval = 60
load printers = Yes
local master = Yes
lock directory = /var/lib/samba/lock
lock spin time = 200
log file = /var/log/samba/%m.log
logging log level = 1
log nt token command logon drive logon home = \\%N\%U
logon path = \\%N\%U\profile
logon script log writeable files on exit = No
lpq cache time = 30
lsa over netlogon = No
machine password timeout = 604800
mangle prefix = 1
mangling method = hash2
map to guest = Never
max disk size = 0
max log size = 5000
max mux = 50
max open files = 16384
max smbd processes = 0
max stat cache size = 512
max ttl = 259200
max wins ttl = 518400
max xmit = 16644
mdns name = netbios
message command min domain uid = 1000
min receivefile size = 0
min wins ttl = 21600
mit kdc command multicast dns register = Yes
name cache timeout = 660
name resolve order = lmhosts wins host bcast
nbt client socket address = 0.0.0.0
nbt port = 137
ncalrpc dir = /run/samba/ncalrpc
netbios aliases netbios name = SAMBA03
netbios scope neutralize nt4 emulation = No
NIS homedir = No
nmbd bind explicit broadcast = Yes
nsupdate command = /usr/bin/nsupdate -g
ntlm auth = ntlmv1-permitted
nt pipe support = Yes
ntp signd socket directory = /var/lib/samba/ntp_signd
nt status support = Yes
null passwords = No
obey pam restrictions = No
old password allowed period = 60
oplock break wait time = 0
os2 driver map os level = 20
pam password change = No
panic action passdb backend = tdbsam
passdb expand explicit = No
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
passwd program password hash gpg key ids password hash
userPassword schemes password server = *
perfcount module pid directory = /run
preferred master = Auto
prefork backoff increment = 10
prefork children = 4
prefork maximum backoff = 120
preload modules printcap cache time = 750
printcap name private dir = /var/lib/samba/private
raw NTLMv2 auth = No
read raw = Yes
realm = mydomain.INTERN
registry shares = No
reject md5 clients = No
reject md5 servers = No
remote announce remote browse sync rename user script
require strong key = Yes
reset on zero vc = No
restrict anonymous = 0
root directory rpc big endian = No
rpc server dynamic port range = 49152-65535
rpc server port = 0
samba kcc command = /usr/sbin/samba_kcc
security = ADS
server max protocol = SMB3
server min protocol = NT1
server multi channel support = No
server role = auto
server schannel = Yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate, dns
server signing = default
server string = Samba 4.14.5
set primary group script set quota command share backend
= classic
show add printer wizard = Yes
shutdown script smb2 disable lock sequence checking = No
smb2 disable oplock break retry = No
smb2 leases = Yes
smb2 max credits = 8192
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
smbd profiling level = off
smb passwd file = /var/lib/samba/private/smbpasswd
smb ports = 445 139
socket options = TCP_NODELAY
spn update command = /usr/sbin/samba_spnupdate
stat cache = Yes
state directory = /var/lib/samba
svcctl list syslog = 1
syslog only = No
template homedir = /home/%U
template shell = /bin/bash
time server = No
timestamp logs = Yes
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile tls dh params file tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
unicode = Yes
unix charset = UTF-8
unix extensions = Yes
unix password sync = No
use mmap = Yes
username level = 0
username map username map cache time = 0
username map script usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
usershare prefix allow list usershare prefix deny list
usershare template share utmp = No
utmp directory winbind cache time = 300
winbindd socket directory = /run/samba/winbindd
winbind enum groups = No
winbind enum users = No
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = rfc2307
winbind offline logon = Yes
winbind reconnect delay = 30
winbind refresh tickets = Yes
winbind request timeout = 60
winbind rpc only = No
winbind scan trusted domains = Yes
winbind sealed pipes = Yes
winbind separator = \
winbind use default domain = Yes
winbind use krb5 enterprise principals = No
wins hook wins proxy = No
wins server wins support = No
workgroup = mydomain
write raw = Yes
wtmp directory idmap config * : range = 10000-999999
idmap config mydomain : unix_primary_group = yes
idmap config mydomain : unix_nss_info = yes
idmap config mydomain : schema_mode = rfc2307
idmap config mydomain : backend = rid
idmap config mydomain : range = 2000000-2999999
idmap config * : backend = tdb
access based share enum = No
acl allow execute always = No
acl check permissions = Yes
acl group control = No
acl map full control = Yes
administrative share = No
admin users afs share = No
aio read size = 1
aio write behind aio write size = 1
allocation roundup size = 0
available = Yes
blocking locks = Yes
block size = 1024
browseable = Yes
case sensitive = Auto
check parent directory delete on close = No
comment copy create mask = 0744
csc policy = manual
cups options default case = lower
default devmode = Yes
delete readonly = No
delete veto files = No
dfree cache time = 0
dfree command directory mask = 0755
directory name cache size = 100
dmapi support = No
dont descend dos filemode = No
dos filetime resolution = No
dos filetimes = Yes
durable handles = Yes
ea support = Yes
fake directory create times = No
fake oplocks = No
follow symlinks = Yes
smbd force process locks = No
force create mode = 0000
force directory mode = 0000
force group force printername = No
force unknown acl user = No
force user fstype = NTFS
guest ok = No
guest only = No
hide dot files = Yes
hide files hide new files timeout = 0
hide special files = No
hide unreadable = No
hide unwriteable files = No
honor change notify privilege = No
hosts allow hosts deny include inherit acls = No
inherit owner = no
inherit permissions = No
invalid users kernel oplocks = No
kernel share modes = Yes
level2 oplocks = Yes
locking = Yes
lppause command lpq command = %p
lpresume command lprm command magic output magic
script mangled names = illegal
mangling char = ~
map acl inherit = No
map archive = Yes
map hidden = No
map readonly = no
map system = No
max connections = 0
max print jobs = 1000
max reported print jobs = 0
min print space = 0
msdfs proxy msdfs root = No
msdfs shuffle referrals = No
nt acl support = Yes
ntvfs handler = unixuid, default
oplocks = Yes
path posix locking = Yes
postexec preexec preexec close = No
preserve case = Yes
printable = No
print command printer name printing = cups
printjob username = %U
print notify backchannel = No
queuepause command queueresume command read list
read only = Yes
root postexec root preexec root preexec close = No
server smb encrypt = default
short preserve case = Yes
smbd async dosmode = No
smbd getinfo ask sharemode = Yes
smbd max async dosmode = 0
smbd search ask sharemode = Yes
spotlight = No
spotlight backend = noindex
store dos attributes = Yes
strict allocate = No
strict locking = Auto
strict rename = No
strict sync = Yes
sync always = No
use client driver = No
use sendfile = No
valid users veto files veto oplock files vfs
objects volume wide links = No
write list =