Curtis Spencer
2022-Aug-04 22:52 UTC
[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13
I had a Debian 9 server running Samba v4.5.16 with the following global config in `/etc/samba/smb.conf`:

```
[global]
netbios name = TEST
workgroup = EXAMPLE
server string = Member Server
os level = 40
domain master = no
security = domain
map untrusted to domain = yes
preserve case = yes
case sensitive = yes
wins support = no
wins server = dc.ccb
mangling method = hash2
unix extensions = no
interfaces = bond0 lo
bind interfaces only = yes
printcap name = /dev/null
load printers = no
log level = 3
```

We are using OpenLDAP as a backend for authentication.

I recently upgraded that server to Debian 11 and Samba v4.13.13. Following the upgrade, I am still able to SSH into the server using my OpenLDAP credentials and I have confirmed that running `getent passwd` returns a list of both local users and LDAP users. However, since upgrading, I am encountering authentication problems when trying to mount a samba share to either a Windows or a Linux laptop using the same LDAP credentials that work for SSH and that used to work for mounting Samba shares.

Tailing `/var/log/samba/log.smbd` on the server while trying to authenticate, I see the following:

```
[2022/08/04 14:23:25.274315, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2022/08/04 14:23:25.274714, 3] ../../lib/util/access.c:369(allow_access)
  Allowed connection from 192.168.144.122 (192.168.144.122)
[2022/08/04 14:23:25.275370, 3] ../../source3/smbd/oplock.c:1427(init_oplocks)
  init_oplocks: initializing messages.
[2022/08/04 14:23:25.275495, 3] ../../source3/smbd/process.c:1956(process_smb)
  Transaction 0 of length 214 (0 toread)
[2022/08/04 14:23:25.275879, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2022/08/04 14:23:25.278158, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2022/08/04 14:23:25.278218, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2022/08/04 14:23:25.278237, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2022/08/04 14:23:25.278254, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'spnego' registered
[2022/08/04 14:23:25.278270, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'schannel' registered
[2022/08/04 14:23:25.278287, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2022/08/04 14:23:25.278303, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2022/08/04 14:23:25.278320, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2022/08/04 14:23:25.278339, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2022/08/04 14:23:25.278356, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'http_basic' registered
[2022/08/04 14:23:25.278372, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2022/08/04 14:23:25.278389, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2022/08/04 14:23:25.278410, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'krb5' registered
[2022/08/04 14:23:25.278438, 3] ../../auth/gensec/gensec_start.c:987(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2022/08/04 14:23:25.285501, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2022/08/04 14:23:25.286556, 3] ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
  Got user=[test_user] domain=[WORKGROUP] workstation=[<***computer_name***>] len1=24 len2=230
[2022/08/04 14:23:25.286633, 3] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [WORKGROUP]\[test_user]@[<***computer_name***>] with the new password interface
[2022/08/04 14:23:25.286680, 3] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [WORKGROUP]\[test_user]@[<***computer_name***>]
[2022/08/04 14:23:25.300379, 0] ../../source3/auth/auth_util.c:1913(check_account)
  check_account: Failed to convert SID S-1-5-21-1165166887-308749777-1031590606-13278 to a UID (dom_user[EXAMPLE\test_user])
[2022/08/04 14:23:25.300479, 2] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [test_user] -> [test_user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/08/04 14:23:25.300535, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[test_user] at [Thu, 04 Aug 2022 14:23:25.300519 PDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [<***computer_name***>] remote host [ipv4:192.168.144.122:44930] mapped to [WORKGROUP]\[test_user]. local host [ipv4:192.168.5.17:445]
  {"timestamp": "2022-08-04T14:23:25.300658-0700", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.5.17:445", "remoteAddress": "ipv4:192.168.144.122:44930", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "WORKGROUP", "clientAccount": "test_user", "workstation": "<***computer_name***>", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "test_user", "mappedDomain": "WORKGROUP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 15307}}
[2022/08/04 14:23:25.300750, 3] ../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
[2022/08/04 14:23:25.300810, 3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/08/04 14:23:25.301672, 3] ../../source3/smbd/server_exit.c:220(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
```

When I run `testparm`, I see the following warnings:

```
# testparm
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "map untrusted to domain"
Ignoring unknown parameter "map untrusted to domain"
Loaded services file OK.
Weak crypto is allowed
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions
```

It appears `map untrusted to domain` was removed in v4.8 (https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed). From what I can tell, I think this might be related to the problem, though I have found very little information about what this setting did or how to replicate the behavior after upgrading to >= v4.8.

I've spent the better part of two days trying to debug this and feel like I'm spinning my wheels. Any guidance on how to debug this, how to upgrade from v4.5.8 to 4.13.13, or what config changes need to be made to get things working in 4.13.13 would be most appreciated!

Thanks,
Curtis

*Curtis Spencer*
Infrastructure Engineer
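As an added example (not part of Curtis's post or of Samba), a small Python parser for the kind of `log.smbd` excerpt quoted above: it picks out the JSON `Authentication` event that `auth_log.c` writes after the human-readable `Auth:` line, and the `check_account` SID-to-UID failures, so failed logons can be counted per NT status and per client instead of being read by hand. The sample log is constructed in the shape of the lines above, with a placeholder workstation name.

```python
import json
import re
from collections import Counter

# Constructed sample shaped like the log.smbd excerpt above (log level 3): the check_account
# failure, the human-readable Auth line and the JSON event auth_log.c writes after it.
SAMPLE_LOG = r"""[2022/08/04 14:23:25.300379, 0] ../../source3/auth/auth_util.c:1913(check_account)
  check_account: Failed to convert SID S-1-5-21-1165166887-308749777-1031590606-13278 to a UID (dom_user[EXAMPLE\test_user])
[2022/08/04 14:23:25.300535, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[test_user] at [Thu, 04 Aug 2022 14:23:25.300519 PDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [WS-PLACEHOLDER] remote host [ipv4:192.168.144.122:44930] mapped to [WORKGROUP]\[test_user]. local host [ipv4:192.168.5.17:445]
  {"timestamp": "2022-08-04T14:23:25.300658-0700", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.5.17:445", "remoteAddress": "ipv4:192.168.144.122:44930", "serviceDescription": "SMB2", "clientDomain": "WORKGROUP", "clientAccount": "test_user", "workstation": "WS-PLACEHOLDER", "mappedAccount": "test_user", "mappedDomain": "WORKGROUP", "passwordType": "NTLMv2", "duration": 15307}}
"""

# check_account() message from auth_util.c: the SID that winbind/idmap could not map to a UID.
SID_TO_UID_RE = re.compile(r"Failed to convert SID (S-1-5-[\d-]+) to a UID \(dom_user\[(.+?)\]\)")

def parse_auth_events(log_text):
    """Return the 'Authentication' dicts from the JSON audit lines of an smbd log."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # header line or human-readable message
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # incomplete record, e.g. cut off by tail
        if rec.get("type") == "Authentication":
            events.append(rec["Authentication"])
    return events

def idmap_failures(log_text):
    """Return (sid, domain_user) pairs for every SID-to-UID failure in the log."""
    return SID_TO_UID_RE.findall(log_text)

def summarize(log_text):
    """Count failed logons by NT status and by client address, and list idmap failures."""
    failed = [e for e in parse_auth_events(log_text) if e.get("status") != "NT_STATUS_OK"]
    return {
        "failed": len(failed),
        "by_status": dict(Counter(e["status"] for e in failed)),
        "by_client": dict(Counter(e["remoteAddress"].rsplit(":", 1)[0] for e in failed)),
        "idmap_failures": idmap_failures(log_text),
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Pointing `summarize()` at a full `log.smbd` separates a single misconfigured idmap (one SID, one status) from a spray of failures across many accounts or clients.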
Rowland Penny
2022-Aug-05 07:23 UTC
[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13
On Thu, 2022-08-04 at 15:52 -0700, Curtis Spencer via samba wrote:
> I had a Debian 9 server running Samba v4.5.16 with the following global
> config in `/etc/samba/smb.conf`:
>
> ```
> [global]
> netbios name = TEST
> workgroup = EXAMPLE
> server string = Member Server
> os level = 40
> domain master = no
> security = domain
> map untrusted to domain = yes
> preserve case = yes
> case sensitive = yes
> wins support = no
> wins server = dc.ccb
> mangling method = hash2
> unix extensions = no
> interfaces = bond0 lo
> bind interfaces only = yes
> printcap name = /dev/null
> load printers = no
> log level = 3
> ```
> We are using OpenLDAP as a backend for authentication.
>
> I recently upgraded that server to Debian 11 and Samba v4.13.13. Following
> the upgrade, I am still able to SSH into the server using my OpenLDAP
> credentials and I have confirmed that running `getent passwd` returns a
> list of both local users and LDAP users.

You didn't upgrade far enough, you need to (in my opinion) upgrade to AD, Samba is working hard on removing SMBv1 and your setup requires it.

It was turned off by default at 4.11.0, so you could try adding these lines to your smb.conf:

```
client min protocol = NT1
server min protocol = NT1
```

You may also have to add:

```
ntlm auth = yes
```

Also ensure that winbind is running.

Rowland
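As an added illustration (not Rowland's or the Samba project's code), a Python check over a `[global]` section that flags the two things `testparm` complained about in the original post, the parameter removed in 4.8 and the missing idmap range for the default domain, and notes when `server min protocol = NT1` re-enables the SMBv1 that Rowland's reply says Samba is removing. Both config texts are constructed; the `idmap config * : backend/range` lines in the corrected sample are real Samba parameters but the range values are arbitrary for the example.

```python
import configparser

# Constructed: the [global] options from the original smb.conf that the findings depend on.
OLD_CONF = """
[global]
workgroup = EXAMPLE
security = domain
map untrusted to domain = yes
"""

# Constructed: the removed parameter dropped, an idmap range for domain '*' (values arbitrary
# here) so testparm's "Invalid idmap range" error goes away, plus the NT1/NTLM settings from
# Rowland's reply.
NEW_CONF = """
[global]
workgroup = EXAMPLE
security = domain
idmap config * : backend = tdb
idmap config * : range = 3000-7999
client min protocol = NT1
server min protocol = NT1
ntlm auth = yes
"""

# Parameters testparm reports as unknown on 4.13; only the one from this thread is listed.
REMOVED_PARAMS = {"map untrusted to domain": "removed in Samba 4.8"}

def load_global(text):
    """Parse the [global] section; '=' is the only delimiter, since idmap keys contain ':'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return {k.strip(): v.strip() for k, v in cp["global"].items()}

def lint(text):
    """Return findings for a member-server [global] section."""
    g = load_global(text)
    findings = []
    for name, why in REMOVED_PARAMS.items():
        if name in g:
            findings.append(f"'{name}' is unknown ({why}) and will be ignored")
    if g.get("security") == "domain" and "idmap config * : range" not in g:
        findings.append("no idmap range for domain '*': testparm flags this as an error (see the check_account SID-to-UID failure)")
    if g.get("server min protocol", "").upper() == "NT1":
        findings.append("server min protocol = NT1 re-enables SMBv1, which Samba is removing; keep it only as a temporary measure")
    return findings

if __name__ == "__main__":
    for label, conf in (("original", OLD_CONF), ("corrected", NEW_CONF)):
        print(label, lint(conf) or ["no findings"])
```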