Aaron J. Zirbes
2005-Feb-02 17:30 UTC
[Samba] stumped, security = domain FAILS for NTLMv2 only
I have a Samba-only domain (Samba PDC, Samba member servers) where security = domain. Versions are all 3.0.10 compiled with --enable-cups --with-utmp --with-acl-support. Backend is tdbsam.

All smb.confs have the following:

    ...
    pdc:     security = user
    members: security = domain
    ...
    restrict anonymous = 2
    encrypt passwords = yes
    lanman auth = no
    ntlm auth = no
    client ntlmv2 auth = yes
    client schannel = yes
    server schannel = yes
    client signing = auto
    server signing = auto
    ...

Domain controller works like a charm; all Windows 2000/XP clients are locked down the same: schannel=yes, ntlmv2 only, restrict anon=2. All clients can auth through each other (I can view shares on other workstations).

net rpc testjoin returns "OK" from all samba-3.0.10 members.

Attempts to connect to a samba-3.0.10 member server fail with:

    session setup failed: NT_STATUS_LOGON_FAILURE

unix accounts exist for domain members. winbindd is up and running on members as auth only (no account creation). Attempts to connect to windows members succeed.

If security = user is used on members, and a smbpasswd -a command is issued to assign the samba password on members (which makes the membership useless), connection attempts succeed.
Logs on the Samba member server [RHEL] look like this:

    [2005/02/02 10:26:59, 10] auth/auth_util.c:make_user_info(201)
      made an encrypted user_info for myuser (myuser)
    [2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(219)
      check_ntlm_password: Checking password for unmapped user [MYDOMAIN]\[myuser]@[LINUXBOX] with the new password interface
    [2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(222)
      check_ntlm_password: mapped user is: [MYDOMAIN]\[myuser]@[LINUXBOX]
    [2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(231)
      check_ntlm_password: auth_context challenge created by random
    [2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(233)
      challenge is:
    [2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(259)
      check_ntlm_password: guest had nothing to say
    [2005/02/02 10:26:59, 6] auth/auth_sam.c:check_samstrict_security(358)
      check_samstrict_security: MYDOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
    [2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(259)
      check_ntlm_password: sam had nothing to say
    [2005/02/02 10:26:59, 5] auth/auth.c:check_ntlm_password(271)
      check_ntlm_password: winbind authentication for user [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD
    [2005/02/02 10:26:59, 2] auth/auth.c:check_ntlm_password(312)
      check_ntlm_password: Authentication for user [myuser] -> [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD

Logs on the domain controller [FreeBSD] look like this:

    [2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(219)
      check_ntlm_password: Checking password for unmapped user [MYDOMAIN]\[myuser]@[LINUXBOX] with the new password interface
    [2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(222)
      check_ntlm_password: mapped user is: [MYDOMAIN]\[myuser]@[LINUXBOX]
    [2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(288)
      ntlm_password_check: Checking NTLMv2 password with domain [MYDOMAIN]
    [2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(298)
      ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [MYDOMAIN]
    [2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(308)
      ntlm_password_check: Checking NTLMv2 password without a domain
    [2005/02/02 10:26:59, 3] libsmb/ntlm_check.c:ntlm_password_check(317)
      ntlm_password_check: NTLMv2 password check failed
    [2005/02/02 10:26:59, 5] auth/auth.c:check_ntlm_password(271)
      check_ntlm_password: sam authentication for user [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD
    [2005/02/02 10:26:59, 3] auth/auth_winbind.c:check_winbind_security(80)
      check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.
    [2005/02/02 10:26:59, 2] auth/auth.c:check_ntlm_password(312)
      check_ntlm_password: Authentication for user [myuser] -> [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD

I am stumped. Is a tdbsam backend unsupported for security = domain? (Not stated in the docs.) Do I have to move to an LDAP backend? Although this is not noted in any documentation I have found.

Side note: I noticed that even though I am setting auth to NTLMv2 ONLY, the password databases are still storing the LANMAN hashes... is there a reason for this?

--
Aaron Zirbes
Systems Administrator
Environmental Health Sciences
University of Minnesota
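As an added illustration (not code from the post or from Samba), here is a small Python model of the three NTLMv2 checks the DC log walks through: domain as the client sent it, its uppercased form, then no domain. The NT hash, server challenge and client blob are constructed sample values, and the function names are hypothetical, modelled on what Samba's ntlm_password_check() does.

```python
# Added example (not from the post or from Samba): a minimal NTLMv2 verifier
# that mirrors the three checks visible in the DC log above (domain as sent,
# uppercased domain, no domain). All key material below is constructed.
import hashlib
import hmac
from typing import Optional

# Constructed sample NT hash (what tdbsam would hold for the account); not a real hash.
NT_HASH = bytes(range(16))
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")  # constructed 8-byte challenge
# Constructed NTLMv2 blob: resp type 0x0101, reserved, timestamp, client challenge, reserved.
CLIENT_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + b"\x42" * 8 + b"\x00" * 4


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 over UTF-16LE(upper(user) + domain), keyed by the NT hash.
    Only the user name is uppercased; the domain string is used exactly as given."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NTProofStr = HMAC-MD5(NTOWFv2, server_challenge + blob), followed by the blob."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def check_ntlmv2(nt_hash: bytes, user: str, client_domain: str,
                 server_challenge: bytes, response: bytes) -> Optional[str]:
    """Server side, modelled on Samba's ntlm_password_check(): recompute the proof with the
    domain the client sent, its uppercased form, and an empty domain. Returns the variant
    that matched, or None (which Samba reports as NT_STATUS_WRONG_PASSWORD)."""
    proof, blob = response[:16], response[16:]
    for candidate in (client_domain, client_domain.upper(), ""):
        expected = hmac.new(ntowf_v2(nt_hash, user, candidate),
                            server_challenge + blob, hashlib.md5).digest()
        if hmac.compare_digest(expected, proof):
            return candidate
    return None


if __name__ == "__main__":
    good = ntlmv2_response(NT_HASH, "myuser", "MYDOMAIN", SERVER_CHALLENGE, CLIENT_BLOB)
    print(check_ntlmv2(NT_HASH, "myuser", "MYDOMAIN", SERVER_CHALLENGE, good))   # MYDOMAIN
    # Same correct NT hash, but the proof was keyed on a domain string the DC never tries.
    other = ntlmv2_response(NT_HASH, "myuser", "LINUXBOX", SERVER_CHALLENGE, CLIENT_BLOB)
    print(check_ntlmv2(NT_HASH, "myuser", "MYDOMAIN", SERVER_CHALLENGE, other))  # None
```

A correct NT hash combined with a domain string the verifier never tries fails exactly like a wrong password, so in logs like the ones above a domain-name mismatch is indistinguishable from a bad password.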