Bryan Chan
2013-May-03 20:50 UTC
[Samba] Password server behaves differently for clients from Windows 7 Professional and Windows 7 Enterprise
Hi,

I have been using Samba as a file server and a domain controller in a mixed AIX/Windows environment for a long time. Due to changes in the network infrastructure in my lab, I have to stop using my own LDAP server and Samba domain controller, and migrate all my user accounts to a central proprietary directory server. On AIX, I now use a proprietary loadable authentication module to talk to that server. To Samba, the accounts just look like local accounts, except that passwords are not managed locally.

I want to continue serving files using Samba on my AIX box, but I cannot use a local smbpasswd file because there is no way to sync passwords between the proprietary server and the local smbpasswd file. So I tried using server security and delegating authentication to an SMB interface provided by the directory server. Here are the relevant parts of my smb.conf:

    netbios name = MILAN
    security = server
    password server = tlbgsa.ibm.com
    encrypt passwords = yes
    ntlm auth = no
    lanman auth = no
    use spnego = no
    server schannel = no
    server signing = disabled
    client plaintext auth = no
    client lanman auth = no
    client ntlmv2 auth = yes
    client schannel = no
    client signing = auto
    client use spnego = no

When clients on Windows XP, Windows Server 2003, and Windows 7 Professional connect to shares on \\milan, they are successfully authenticated by the password server:

    [2013/05/02 17:08:17,  3] auth/auth_sam.c:check_sam_security(282)
      check_sam_security: Couldn't find user 'bryanpkc' in passdb.
    [2013/05/02 17:08:17,  5] auth/auth.c:check_ntlm_password(272)
      check_ntlm_password: sam authentication for user [bryanpkc] FAILED with error NT_STATUS_NO_SUCH_USER
    [2013/05/02 17:08:18,  3] auth/auth.c:check_ntlm_password(269)
      check_ntlm_password: smbserver authentication for user [bryanpkc] succeeded
    [2013/05/02 17:08:18,  5] auth/auth.c:check_ntlm_password(295)
      check_ntlm_password:  PAM Account for user [bryanpkc] succeeded
    [2013/05/02 17:08:18,  2] auth/auth.c:check_ntlm_password(308)
      check_ntlm_password:  authentication for user [bryanpkc] -> [bryanpkc] -> [bryanpkc] succeeded

However, when I try the same operation on Windows Server 2008, Windows Vista, and Windows 7 Enterprise, the authentication attempt is rejected by the password server:

    [2013/05/02 17:01:06,  5] auth/auth.c:check_ntlm_password(272)
      check_ntlm_password: sam authentication for user [bryanpkc] FAILED with error NT_STATUS_NO_SUCH_USER
    [2013/05/02 17:01:06,  1] auth/auth_server.c:check_smbserver_security(410)
      password server TLBGSA.IBM.COM rejected the password: NT_STATUS_LOGON_FAILURE
    [2013/05/02 17:01:06,  5] auth/auth.c:check_ntlm_password(272)
      check_ntlm_password: smbserver authentication for user [bryanpkc] FAILED with error NT_STATUS_LOGON_FAILURE
    [2013/05/02 17:01:06,  2] auth/auth.c:check_ntlm_password(318)

I have more verbose logs (log level = 10) that show the different behaviours, but I am not able to tell why the connection attempt works on some machines but not on others. Any suggestion? I can send the log files if necessary.

Thanks,

-- 
Bryan Chan
bryan.chan at ca.ibm.com
Andrew Bartlett
2013-May-06 09:46 UTC
[Samba] Password server behaves differently for clients from Windows 7 Professional and Windows 7 Enterprise
On Fri, 2013-05-03 at 16:50 -0400, Bryan Chan wrote:
> Hi,
>
> I have been using Samba as a file server and a domain controller in a mixed
> AIX/Windows environment for a long time. Due to changes in the network
> infrastructure in my lab, I have to stop using my own LDAP server and Samba
> domain controller, and migrate all my user accounts to a central proprietary
> directory server. On AIX, I now use a proprietary loadable authentication
> module to talk to that server. To Samba, the accounts just look like
> local accounts, except that passwords are not managed locally.
>
> I want to continue serving files using Samba on my AIX box, but I cannot use a
> local smbpasswd file because there is no way to sync passwords between the
> proprietary server and the local smbpasswd file. So I tried using server
> security and delegating authentication to an SMB interface provided by the
> directory server. Here are the relevant parts of my smb.conf:
>
> netbios name = MILAN
> security = server

As you have found, security=server is a bad idea, and for this reason has been removed from Samba 4.0. In particular, it is incompatible with NTLMv2, which is used by your more modern clients listed here.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
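A small triage helper for the auth/auth.c and auth/auth_server.c lines quoted in Bryan's message, added here as an example and not code from either poster or from Samba: it pairs each Samba 3 debug header with its message line, collects the per-user outcome of every check_ntlm_password backend, and pulls out the level-1 password-server rejections that, per Andrew's reply, are what security=server produces for NTLMv2 clients. The sample records are constructed in the shape of the thread's excerpts and are not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of the Samba 3 debug excerpts quoted
# in this thread: a "[timestamp, level] file:function(line)" header, then an
# indented message line. A header with no message (see the end) is skipped.
SAMPLE_LOG = """\
[2013/05/02 17:08:17,  3] auth/auth_sam.c:check_sam_security(282)
  check_sam_security: Couldn't find user 'bryanpkc' in passdb.
[2013/05/02 17:08:17,  5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [bryanpkc] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/05/02 17:08:18,  3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: smbserver authentication for user [bryanpkc] succeeded
[2013/05/02 17:01:06,  1] auth/auth_server.c:check_smbserver_security(410)
  password server TLBGSA.IBM.COM rejected the password: NT_STATUS_LOGON_FAILURE
[2013/05/02 17:01:06,  5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: smbserver authentication for user [bryanpkc] FAILED with error NT_STATUS_LOGON_FAILURE
[2013/05/02 17:01:06,  2] auth/auth.c:check_ntlm_password(318)
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)$")
AUTH = re.compile(r"(\w+) authentication for user \[([^\]]+)\] (succeeded|FAILED)"
                  r"(?: with error (NT_STATUS_\w+))?")
REJECT = re.compile(r"password server (\S+) rejected the password: (NT_STATUS_\w+)")

def parse_records(text):
    """Pair each header line with the indented message line that follows it."""
    records, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = {"ts": m.group(1), "level": int(m.group(2)), "where": m.group(3)}
        elif header and line.strip():
            records.append({**header, "msg": line.strip()})
            header = None
    return records

def auth_outcomes(text):
    """Per user: (backend, outcome, NT_STATUS) for every check_ntlm_password step."""
    out = defaultdict(list)
    for r in parse_records(text):
        m = AUTH.search(r["msg"])
        if m:
            out[m.group(2)].append((m.group(1), m.group(3), m.group(4)))
    return dict(out)

def password_server_rejections(text):
    """auth_server.c rejections as (ts, server, NT_STATUS); the lines to expect from NTLMv2 clients under security=server."""
    return [(r["ts"], m.group(1), m.group(2)) for r in parse_records(text)
            if (m := REJECT.search(r["msg"]))]
```

Feeding a real log level 10 capture through auth_outcomes() separates the expected NT_STATUS_NO_SUCH_USER from the local passdb (the accounts are not there by design) from the pass-through result that actually decides the logon.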