Hi Team,

I am running Samba 4.19.4 on bookworm; the clients are Windows 10 22H2 with automatic Windows updates enabled. The [global] section of smb.conf:

[global]
        netbios name = DC01
        realm = EXAMPLE.COM
        server role = active directory domain controller
        server services = -dns
        workgroup = EXAMPLE
        kerberos method = secrets and keytab
        kerberos encryption types = strong
        rpc server dynamic port range = 50000-55000
        ntlm auth = mschapv2-and-ntlmv2-only
        disable netbios = yes
        template homedir = /home/%U
        template shell = /bin/bash
        tls enabled = yes
        tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
        tls cafile = /etc/ssl/certs/ca.pem
        tls keyfile = /var/lib/samba/private/tls/dc01.example.com.key
        tls certfile = /etc/ssl/certs/dc01.example.com.crt
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        smb ports = 445
        smbd profiling level = on
        server min protocol = SMB3_11
        client min protocol = SMB3_11
        restrict anonymous = 2
        map acl inherit = yes
        panic action = /usr/share/samba/panic-action %d
        server smb encrypt = desired
        interfaces = lo eth0
        bind interfaces only = yes
        allow dns updates = disabled
        ldap server require strong auth = yes
        ldap ssl = start tls
        dedicated keytab file = /var/lib/samba/private/secrets.keytab
        log level = 3 winbind:2 auth_json_audit:3@/var/log/samba/audit_auth.log
        full_audit:success = open fsync_recv fsync_send ftruncate pwrite pwrite_recv pwrite_send renameat unlinkat write
        full_audit:failure = open pread read
        full_audit:prefix = samba: IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:facility = local6
        full_audit:priority = NOTICE
        idmap config *:range = 1000000-1999999
        host msdfs = yes
        max log size = 0
        vfs objects = dfs_samba4, acl_xattr, full_audit
        tls crlfile = /etc/ssl/certs/crl.pem
        tls dh params file = /etc/ssl/certs/dhparam.pem

Now a user has an interesting issue: she can log in on Windows without any problem, but when she changes her password Windows complains that the password is wrong. In log.samba on the DC I see this:

[2024/02/22 12:15:57.646475,  3] auth/auth_log.c:858(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[user1 at EXAMPLE] at [Thu, 22 Feb 2024 12:15:57.646467 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.0.211:50757] became [EXAMPLE]\[user1] [S-1-5-21-1366037735-1163107043-795354949-1003]. local host [NULL]
[2024/02/22 12:15:57.646564,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.020364
[2024/02/22 12:15:57.646571,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ SUCCESS ipv4:192.168.0.211:50757 user1 at EXAMPLE kadmin/changepw at EXAMPLE pa=ENC-TS etype=18/18 canon_client_name=user1 at EXAMPLE.COM pac_attributes=1 pa-etype=18 client-pa=ENC-TS,128 end=1708600677 auth=1708600557 etypes=18,17,23,24,-135,3 renew=1709205357 pa-succeeded-kvno=19 reqaddrs=TYPE_20:50433131312020202020202020202020 elapsed=0.020364 flags=renewable-ok,canonicalize,renewable,forwardable
[2024/02/22 12:15:57.647409,  3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2024/02/22 12:15:57.648670,  3] auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: user1 [User One]
[2024/02/22 12:15:57.653002,  3] lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of privilege.ldb
[2024/02/22 12:15:57.653253,  1] source4/kdc/kpasswd-service-heimdal.c:297(kpasswd_handle_request)
  kpasswd_handle_request: String conversion failed!
[2024/02/22 12:15:57.654054,  3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

This is the interesting line: "kpasswd_handle_request: String conversion failed!" As far as I can see, it is the only clue in the server logging that something is wrong. Note that the AS-REQ for kadmin/changepw just before it succeeded, so the user's current password was accepted and the failure appears to happen while the kpasswd service processes the change request itself, not during authentication. The audit_auth.log does not report any issues:

{"timestamp": "2024-02-22T12:15:33.140169+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "19e950ca59b91207", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.0.211:50753", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "user1 at EXAMPLE", "workstation": null, "becameAccount": "user1", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-1366037735-1163107043-795354949-1003", "mappedAccount": "user1", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 13086}}
{"timestamp": "2024-02-22T12:15:33.150004+0100", "type": "KDC Authorization", "KDC Authorization": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": " ipv4:192.168.0.211:50754", "serviceDescription": "host/pc11.exmaple.com at EXAMPLE.COM", "authType": "TGS-REQ with Ticket-Granting Ticket", "domain": "EXAMPLE", "account": "user1", "sid": "S-1-5-2 1-1366037735-1163107043-795354949-1003", "logonServer": "DC01", "authTime": "2024-02-22T12:15:33.141814+0100", "serverPolicyAccessCheck": null}} ? {"timestamp": "2024-02-22T12:15:57.646491+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "979e535fc7a6536d", "logonType": 3, "status" : "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.0.211:50757", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccou nt": "user1 at EXAMPLE", "workstation": null, "becameAccount": "user1", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-1366037735-1163107043-795354949-1003", "mappedAccount": "user1", "mappedDo main": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256 -cts-hmac-sha1-96", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 20296}} Any ideas what is going wrong here? - Kees.