Mike Robbert
2023-Jun-23 18:08 UTC
[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN
Sorry about that I typed and sent a full message, but it looks like the entire
body got swallowed up in transit. Here is the full text again. Let's hope
this one works.
I have a server running CentOS 7.9 with the system provided Samba packages
(4.10.16-24.el7_9). It is joined to an Active Directory domain and acting as a
member server. The Active Directory domain has a user object with, among others,
the following attributes defined:
sAMAccountName = m12345678
gecos = Zach Detest
gidNumber = 12345678
uid = zach_detest
uidNumber = 12345678
unixHomeDirectory = /home/m12345678
userPrincipalName = zach_detest@domain.tld
The smb.conf on the server looks like this:
[global]
additional dns hostnames = dct-hanas-2.domain.tld
debug class = Yes
debug pid = Yes
debug uid = Yes
disable spoolss = Yes
kerberos method = secrets and keytab
load printers = No
local master = No
log file = /var/log/samba/log.%I
max log size = 0
netbios name = SERVER-DEV
nt pipe support = No
printcap name = /dev/null
realm = ADDOM.DOMAIN.TLD
security = ADS
server min protocol = SMB2
server string = Fileserver %m
template homedir = /home/%U@%D
template shell = /bin/bash
unix extensions = No
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = ADDOM
fruit:nfs_aces = no
idmap config * : range = 1-999
idmap config addom : unix_primary_group = yes
idmap config addom : unix_nss_info = yes
idamp config addom : schema_mode = rfc2307
idmap config addom : backend = ad
idmap config addom : range = 1000-999999999
idmap config * : backend = tdb
acl group control = Yes
create mask = 0664
directory mask = 0775
dos filemode = Yes
force create mode = 0664
force directory mode = 0775
include = /etc/samba/samba-shares.share
map acl inherit = Yes
nt acl support = No
printing = bsd
read only = No
vfs objects = catia fruit streams_xattr
[test-open]
path = /tmp/test-open
Both wbinfo and getent work to resolve this user's information using either
sAMAccountName or UPN:
[root@dct-hanas-2 samba]# wbinfo -i m12345678
m12345678:*:12345678:12345678:Zach Detest:/home/m12345678:/bin/bash
[root@dct-hanas-2 samba]# wbinfo -i zach_detest@domain.tld
m12345678:*:12345678:12345678:Zach Detest:/home/m12345678:/bin/bash
[root@dct-hanas-2 samba]# getent passwd m12345678
m12345678:*:12345678:12345678:Zach Detest:/home/m12345678:/bin/bash
[root@dct-hanas-2 samba]# getent passwd zach_detest@domain.tld
m12345678:*:12345678:12345678:Zach Detest:/home/m12345678:/bin/bash
As expected resolving the uid field does not work:
[root@dct-hanas-2 samba]# wbinfo -i zach_detest
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user zach_detest
[root@dct-hanas-2 samba]# getent passwd zach_detest
I am able to map the share from a client host using the sAMAccountName, but the
problem is that we want the users to be able to use either their uid or UPN, and
mapping using those usernames doesn't work.
Below are the logs from log level 3 for an authentication attempt using the
username zach_detest@domain.tld:
[2023/06/23 10:05:49.969713, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2023/06/23 10:05:50.006889, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
Got user=[zach_detest] domain=[domain.tld] workstation=[ITS-MACBOOK09] len1=24
len2=254
[2023/06/23 10:05:50.007015, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:3881(lp_load_ex)
lp_load_ex: refreshing parameters
[2023/06/23 10:05:50.007181, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:550(init_globals)
Initialising global parameters
[2023/06/23 10:05:50.007415, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:2795(lp_do_section)
Processing section "[global]"
[2023/06/23 10:05:50.008547, 2, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:2812(lp_do_section)
Processing section "[test-open]"
[2023/06/23 10:05:50.008692, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:1630(lp_add_ipc)
adding IPC service
[2023/06/23 10:05:50.008789, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[domain.tld]\[zach_detest]@[ITS-MACBOOK09] with the new password interface
[2023/06/23 10:05:50.008831, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is:
[domain.tld]\[zach_detest]@[ITS-MACBOOK09]
[2023/06/23 10:05:50.011740, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/check_samsec.c:400(check_sam_security)
check_sam_security: Couldn't find user 'zach_detest' in passdb.
[2023/06/23 10:05:50.011820, 2, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [zach_detest] ->
[zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/06/23 10:05:50.011932, 2, pid=22679, effective(0, 0), real(0, 0),
class=auth_audit]
../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [domain.tld]\[zach_detest] at [Fri, 23 Jun 2023
10:05:50.011889 MDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation
[ITS-MACBOOK09] remote host [ipv4:138.67.168.73:51158] mapped to
[domain.tld]\[zach_detest]. local host [ipv4:138.67.209.40:445]
{"timestamp": "2023-06-23T10:05:50.012231-0600",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 1},
"eventId": 4625, "logonType": 3, "status":
"NT_STATUS_NO_SUCH_USER", "localAddress":
"ipv4:138.67.209.40:445", "remoteAddress":
"ipv4:138.67.168.73:51158", "serviceDescription":
"SMB2", "authDescription": null, "clientDomain":
"domain.tld", "clientAccount": "zach_detest",
"workstation": "ITS-MACBOOK09", "becameAccount":
null, "becameDomain": null, "becameSid": null,
"mappedAccount": "zach_detest", "mappedDomain":
"domain.tld", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"NTLMv2", "duration": 42977}}
[2023/06/23 10:05:50.012555, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth]
../../auth/gensec/spnego.c:1444(gensec_spnego_server_negTokenTarg_step)
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed:
NT_STATUS_NO_SUCH_USER
[2023/06/23 10:05:50.012663, 3, pid=22679, effective(0, 0), real(0, 0),
class=smb2] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2023/06/23 10:05:50.048193, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2023/06/23 10:05:50.080011, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
Got user=[zach_detest] domain=[ADDOM] workstation=[ITS-MACBOOK09] len1=24
len2=254
[2023/06/23 10:05:50.080110, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:3881(lp_load_ex)
lp_load_ex: refreshing parameters
[2023/06/23 10:05:50.080222, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:550(init_globals)
Initialising global parameters
[2023/06/23 10:05:50.080443, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:2795(lp_do_section)
Processing section "[global]"
[2023/06/23 10:05:50.081499, 2, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:2812(lp_do_section)
Processing section "[test-open]"
[2023/06/23 10:05:50.081635, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:1630(lp_add_ipc)
adding IPC service
[2023/06/23 10:05:50.081811, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[ADDOM]\[zach_detest]@[ITS-MACBOOK09] with the new password interface
[2023/06/23 10:05:50.081886, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [ADDOM]\[zach_detest]@[ITS-MACBOOK09]
[2023/06/23 10:05:50.083899, 2, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [zach_detest] ->
[zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/06/23 10:05:50.084007, 2, pid=22679, effective(0, 0), real(0, 0),
class=auth_audit]
../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [ADDOM]\[zach_detest] at [Fri, 23 Jun 2023
10:05:50.083982 MDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation
[ITS-MACBOOK09] remote host [ipv4:138.67.168.73:51158] mapped to
[ADDOM]\[zach_detest]. local host [ipv4:138.67.209.40:445]
{"timestamp": "2023-06-23T10:05:50.084307-0600",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 1},
"eventId": 4625, "logonType": 3, "status":
"NT_STATUS_NO_SUCH_USER", "localAddress":
"ipv4:138.67.209.40:445", "remoteAddress":
"ipv4:138.67.168.73:51158", "serviceDescription":
"SMB2", "authDescription": null, "clientDomain":
"ADDOM", "clientAccount": "zach_detest",
"workstation": "ITS-MACBOOK09", "becameAccount":
null, "becameDomain": null, "becameSid": null,
"mappedAccount": "zach_detest", "mappedDomain":
"ADDOM", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"NTLMv2", "duration": 36356}}
[2023/06/23 10:05:50.084448, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth]
../../auth/gensec/spnego.c:1444(gensec_spnego_server_negTokenTarg_step)
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed:
NT_STATUS_NO_SUCH_USER
[2023/06/23 10:05:50.084538, 3, pid=22679, effective(0, 0), real(0, 0),
class=smb2] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2023/06/23 10:05:50.141119, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2023/06/23 10:05:50.171506, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
Got user=[zach_detest] domain=[domain.tld@\server-dev.domain.tld]
workstation=[ITS-MACBOOK09] len1=24 len2=254
[2023/06/23 10:05:50.171601, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:3881(lp_load_ex)
lp_load_ex: refreshing parameters
[2023/06/23 10:05:50.171700, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:550(init_globals)
Initialising global parameters
[2023/06/23 10:05:50.171865, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:2795(lp_do_section)
Processing section "[global]"
[2023/06/23 10:05:50.172995, 2, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:2812(lp_do_section)
Processing section "[test-open]"
[2023/06/23 10:05:50.173124, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/param/loadparm.c:1630(lp_add_ipc)
adding IPC service
[2023/06/23 10:05:50.173179, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[domain.tld@\server-dev.domain.tld]\[zach_detest]@[ITS-MACBOOK09] with the new
password interface
[2023/06/23 10:05:50.173220, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is:
[domain.tld@\server-dev.domain.tld]\[zach_detest]@[ITS-MACBOOK09]
[2023/06/23 10:05:50.175303, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/check_samsec.c:400(check_sam_security)
check_sam_security: Couldn't find user 'zach_detest' in passdb.
[2023/06/23 10:05:50.175367, 2, pid=22679, effective(0, 0), real(0, 0),
class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [zach_detest] ->
[zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/06/23 10:05:50.175442, 2, pid=22679, effective(0, 0), real(0, 0),
class=auth_audit]
../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [domain.tld@\\server-dev.domain.tld]\[zach_detest] at
[Fri, 23 Jun 2023 10:05:50.175418 MDT] with [NTLMv2] status
[NT_STATUS_NO_SUCH_USER] workstation [ITS-MACBOOK09] remote host
[ipv4:138.67.168.73:51158] mapped to
[domain.tld@\\server-dev.domain.tld]\[zach_detest]. local host
[ipv4:138.67.209.40:445]
{"timestamp": "2023-06-23T10:05:50.175524-0600",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 1},
"eventId": 4625, "logonType": 3, "status":
"NT_STATUS_NO_SUCH_USER", "localAddress":
"ipv4:138.67.209.40:445", "remoteAddress":
"ipv4:138.67.168.73:51158", "serviceDescription":
"SMB2", "authDescription": null, "clientDomain":
domain.tld@\\server-dev.domain.tld, "clientAccount":
"zach_detest", "workstation": "ITS-MACBOOK09",
"becameAccount": null, "becameDomain": null,
"becameSid": null, "mappedAccount": "zach_detest",
"mappedDomain": domain.tld@\\server-dev.domain.tld,
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
null, "passwordType": "NTLMv2", "duration":
34608}}
[2023/06/23 10:05:50.175644, 3, pid=22679, effective(0, 0), real(0, 0),
class=auth]
../../auth/gensec/spnego.c:1444(gensec_spnego_server_negTokenTarg_step)
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed:
NT_STATUS_NO_SUCH_USER
[2023/06/23 10:05:50.175732, 3, pid=22679, effective(0, 0), real(0, 0),
class=smb2] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2023/06/23 10:05:52.335644, 3, pid=22679, effective(0, 0), real(0, 0)]
../../source3/smbd/server_exit.c:236(exit_server_common)
Server exit (NT_STATUS_END_OF_FILE)
How can we get UPN authentication working?
Hopefully this problem is described well enough that this isn't a guessing
game, but if I missed any important information, please let me know what you'd
like to see and I will happily provide it.
________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny
via samba <samba at lists.samba.org>
Sent: Friday, June 23, 2023 10:23
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: [EXTERNAL] Re: [Samba] Unable to authenticate to share using UPN
On 23/06/2023 17:15, Mike Robbert via samba wrote:
Mike, you are going to have to write something in your posts, we are not
mindreaders :-)
What have you tried ? On what OS, with what version of Samba ?
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
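The log excerpt above shows smbd writing every authentication attempt twice: a human-readable "Auth: ..." line at level 2 and a JSON auth_audit record at level 3, with eventId 4625 for a failed logon (the same ID Windows uses). It also shows a real parsing hazard: on the third attempt, where the client presented the domain as "domain.tld@\\server-dev.domain.tld", the 4.10 JSON record carries that value unquoted, so the line is not valid JSON. The script below is an added example (not code from this thread or from the Samba project) of how a log pipeline can consume these records anyway: it prefers the JSON record, falls back to the text line for the same attempt when the JSON does not parse, and then summarises failed logons per client and lists the domain forms a client cycled through. The sample log text is constructed from the shape of the excerpt above, with the JSON records abbreviated to the fields used here.

```python
"""Summarise Samba smbd auth_audit events from a log file.  Added example;
not code from the thread or from the Samba project.  Prefers the JSON record
(level 3) and falls back to the human-readable line (level 2) for the same
attempt when the JSON record does not parse."""
import json
import re
from collections import Counter

# Constructed sample: three failed NTLMv2 attempts in the shape of the excerpt
# quoted above (JSON abbreviated; the last JSON record reproduces the unquoted
# clientDomain that smbd 4.10 emitted for a domain containing '@' and '\').
SAMPLE_LOG = r'''
Auth: [SMB2,(null)] user [domain.tld]\[zach_detest] at [Fri, 23 Jun 2023 10:05:50.011889 MDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [ITS-MACBOOK09] remote host [ipv4:138.67.168.73:51158] mapped to [domain.tld]\[zach_detest]. local host [ipv4:138.67.209.40:445]
{"timestamp": "2023-06-23T10:05:50.012231-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:138.67.209.40:445", "remoteAddress": "ipv4:138.67.168.73:51158", "serviceDescription": "SMB2", "clientDomain": "domain.tld", "clientAccount": "zach_detest", "workstation": "ITS-MACBOOK09", "passwordType": "NTLMv2"}}
Auth: [SMB2,(null)] user [ADDOM]\[zach_detest] at [Fri, 23 Jun 2023 10:05:50.083982 MDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [ITS-MACBOOK09] remote host [ipv4:138.67.168.73:51158] mapped to [ADDOM]\[zach_detest]. local host [ipv4:138.67.209.40:445]
{"timestamp": "2023-06-23T10:05:50.084307-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:138.67.209.40:445", "remoteAddress": "ipv4:138.67.168.73:51158", "serviceDescription": "SMB2", "clientDomain": "ADDOM", "clientAccount": "zach_detest", "workstation": "ITS-MACBOOK09", "passwordType": "NTLMv2"}}
Auth: [SMB2,(null)] user [domain.tld@\\server-dev.domain.tld]\[zach_detest] at [Fri, 23 Jun 2023 10:05:50.175418 MDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [ITS-MACBOOK09] remote host [ipv4:138.67.168.73:51158] mapped to [domain.tld@\\server-dev.domain.tld]\[zach_detest]. local host [ipv4:138.67.209.40:445]
{"timestamp": "2023-06-23T10:05:50.175524-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:138.67.209.40:445", "remoteAddress": "ipv4:138.67.168.73:51158", "serviceDescription": "SMB2", "clientDomain": domain.tld@\\server-dev.domain.tld, "clientAccount": "zach_detest", "workstation": "ITS-MACBOOK09", "passwordType": "NTLMv2"}}
'''

# Fields of the level-2 text line; the domain may itself contain backslashes,
# so each field is taken as "everything up to the closing bracket".
AUTH_LINE = re.compile(
    r"Auth: \[(?P<service>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\]"
    r".*? status \[(?P<status>[^\]]*)\]"
    r".*? remote host \[(?P<remote>[^\]]*)\]"
)


def parse_text_line(line):
    """Parse the human-readable record; None if the line is not one."""
    m = AUTH_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["source"] = "text"
    return rec


def parse_json_line(line):
    """Parse the JSON record.  Returns (record, None) on success, or
    (None, reason) when the line is invalid JSON or not an auth event."""
    try:
        obj = json.loads(line)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return None, "invalid JSON: %s" % exc
    auth = obj.get("Authentication")
    if obj.get("type") != "Authentication" or not isinstance(auth, dict):
        return None, "not an Authentication event"
    return {
        "service": auth.get("serviceDescription"),
        "domain": auth.get("clientDomain"),
        "account": auth.get("clientAccount"),
        "status": auth.get("status"),
        "remote": auth.get("remoteAddress"),
        "event_id": auth.get("eventId"),  # 4624 success / 4625 failure
        "source": "json",
    }, None


def collect_events(log_text):
    """Walk the log once.  Returns (events, malformed): one record per attempt,
    JSON preferred; the text record is kept when its JSON twin did not parse."""
    events, malformed = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Auth:"):
            rec = parse_text_line(line)
            if rec:
                events.append(rec)
        elif line.startswith("{"):
            rec, err = parse_json_line(line)
            if err:
                malformed.append(err)
                continue  # the preceding text record stands in for this attempt
            prev = events[-1] if events else None
            if (prev and prev["source"] == "text"
                    and prev["account"] == rec["account"]
                    and prev["remote"] == rec["remote"]):
                events[-1] = rec  # same attempt as the text line just seen
            else:
                events.append(rec)
    return events, malformed


def failed_logons(events):
    """Count failures per (client IP, account); the ephemeral port is dropped."""
    counts = Counter()
    for e in events:
        if e["status"] != "NT_STATUS_OK":
            counts[(e["remote"].rsplit(":", 1)[0], e["account"])] += 1
    return counts


def domain_forms(events, account):
    """Domain strings one account was presented with, in order.  A client that
    retries a UPN logon with several domain forms shows up as a list here."""
    return [e["domain"] for e in events if e["account"] == account]


if __name__ == "__main__":
    evs, bad = collect_events(SAMPLE_LOG)
    for (ip, acct), n in failed_logons(evs).items():
        print("%s as %s: %d failed logon(s)" % (ip, acct, n))
    print("domain forms tried:", domain_forms(evs, "zach_detest"))
    print("unparseable JSON records:", len(bad))
```

Run it against a real log with collect_events(open("/var/log/samba/log.<ip>").read()); on a host with "debug pid = Yes" the lines carry extra prefixes, which is why the text and JSON parsers both anchor on a substring rather than the start of the line. A repeated (IP, account) count climbing quickly across several domain forms is what a UPN logon loop like the one above looks like, which is also the signature you would watch for when distinguishing a misconfigured client from a password-spraying one.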
Rowland Penny
2023-Jun-24 09:16 UTC
[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN
On 23/06/2023 19:08, Mike Robbert wrote:
> Sorry about that I typed and sent a full message, but it looks like the entire body got swallowed up in transit. Here is the full text again. Let's hope this one works.
>
> I have a server running CentOS 7.9 with the system provided Samba packages (4.10.16-24.el7_9). It is joined to an Active Directory domain and acting as a member server. The Active Directory domain has a user object with, among others, the following attributes defined:
> sAMAccountName = m12345678
> gecos = Zach Detest
> gidNumber = 12345678
> uid = zach_detest
> uidNumber = 12345678
> unixHomeDirectory = /home/m12345678
> userPrincipalName = zach_detest@domain.tld
>
> The smb.conf on the server looks like this:
>
> [global]
> additional dns hostnames = dct-hanas-2.domain.tld

Unless Red Hat backported this, 'additional dns hostnames' didn't appear until Samba 4.11.0 at the earliest (I say that because I cannot find just when it was added, but it isn't in 'man smb.conf' for 4.10.x, but it is in 'man smb.conf' for 4.11.x).

> debug class = Yes
> debug pid = Yes
> debug uid = Yes
> disable spoolss = Yes
> kerberos method = secrets and keytab
> load printers = No
> local master = No
> log file = /var/log/samba/log.%I
> max log size = 0
> netbios name = SERVER-DEV
> nt pipe support = No
> printcap name = /dev/null
> realm = ADDOM.DOMAIN.TLD
> security = ADS
> server min protocol = SMB2
> server string = Fileserver %m
> template homedir = /home/%U@%D
> template shell = /bin/bash
> unix extensions = No
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = ADDOM
> fruit:nfs_aces = no
> idmap config * : range = 1-999
> idmap config addom : unix_primary_group = yes
> idmap config addom : unix_nss_info = yes
> idamp config addom : schema_mode = rfc2307
> idmap config addom : backend = ad
> idmap config addom : range = 1000-999999999
> idmap config * : backend = tdb

Do you mind if I ask why you are using such strange (to me) ranges ? They would seem to preclude having any local users and groups.

> acl group control = Yes
> create mask = 0664
> directory mask = 0775
> dos filemode = Yes
> force create mode = 0664
> force directory mode = 0775
> include = /etc/samba/samba-shares.share
> map acl inherit = Yes
> nt acl support = No
> printing = bsd
> read only = No
> vfs objects = catia fruit streams_xattr
>
>
> [test-open]
> path = /tmp/test-open
>
> Both wbinfo and getent work to resolve this user's information using either sAMAccountName or UPN
>

They are the attributes that work with user searches, however 'uid' (being a multi value ldap attribute) doesn't. This isn't just a Samba or Unix thing, Windows works in the same way.

It looks to me (and I could be totally wrong) that sssd must have code that can use the 'uid' value and then set that as the owner of a file. If it is doing this, then how does it get around 'uid' being a multi valued attribute ?

It is strange you have raised this, Stefan Kania raised virtually the same subject about a week ago and during this week, a bug report was listed:

https://bugzilla.samba.org/show_bug.cgi?id=15399

I replied to Stefan here:

https://lists.samba.org/archive/samba/2023-June/245561.html

Rowland