mathias dufresne
2015-Jul-01 14:44 UTC
[Samba] [samba] strange: 20 characters max in samAccountName
Hi all,

Sernet Samba 4.2.2 as Active Directory on Debian 7.8. No other DC.

I can't log in on Windows systems (Windows 7) when samAccountName is longer than 20 characters. This seems to be a LAN MAN or NT4 limitation which should not happen on an AD domain.
Any idea what could lead me to that limitation?

I can log in using the administrator account or any other having a short (enough) samAccountName.
I tried to add @ad.domain.tld to samAccountName during the log in process without any success.

smb.conf is:
-------------------------------------------------------------
# Global parameters
[global]
	workgroup = AD.DOMAIN
	realm = ad.domain.tld
	netbios name = DC01
	server role = active directory domain controller

	dns forwarder = 10.0.0.240
	# DC version of rfc2307
	idmap_ldb:use rfc2307 = yes

[netlogon]
	path = /var/lib/samba/sysvol/ad.domain.tld/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

-------------------------------------------------------------

here are some logs:
-----------------------------------------------------------
[2015/07/01 16:36:22.869382, 4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:28 2015 CEST
[2015/07/01 16:36:27.902117, 4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:33 2015 CEST
[2015/07/01 16:36:28.716277, 4] ../source4/lib/socket/interface.c:121(add_interface)
  added interface eth0 ip=10.156.248.217 bcast=10.156.255.255 netmask=255.255.240.0
[2015/07/01 16:36:32.935297, 4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:38 2015 CEST
[2015/07/01 16:36:36.569356, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ abcdef.abcdefg-abcdef@AD.DOMAIN from ipv4: 10.156.248.234:54408 for krbtgt/AD.DOMAIN@AD.DOMAIN
[2015/07/01 16:36:36.654528, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2015/07/01 16:36:36.654564, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- abcdef.abcdefg-abcdef@AD.DOMAIN
[2015/07/01 16:36:36.654569, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- abcdef.abcdefg-abcdef@AD.DOMAIN
[2015/07/01 16:36:36.654590, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- abcdef.abcdefg-abcdef@AD.DOMAIN
[2015/07/01 16:36:36.655635, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2015/07/01 16:36:36.655666, 5] ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
  imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
[2015/07/01 16:36:36.655687, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2015/07/01 16:36:36.656998, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ abcdef.abcdefg-abcdef@AD.DOMAIN from ipv4: 10.156.248.234:54409 for krbtgt/AD.DOMAIN@AD.DOMAIN
[2015/07/01 16:36:36.739262, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2015/07/01 16:36:36.739295, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- abcdef.abcdefg-abcdef@AD.DOMAIN
[2015/07/01 16:36:36.739300, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- abcdef.abcdefg-abcdef@AD.DOMAIN
[2015/07/01 16:36:36.739327, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- abcdef.abcdefg-abcdef@AD.DOMAIN using arcfour-hmac-md5
[2015/07/01 16:36:36.739336, 4] ../source4/auth/sam.c:181(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user abcdef.abcdefg-abcdef@AD.DOMAIN
[2015/07/01 16:36:36.740906, 5] ../source4/auth/sam.c:115(logon_hours_ok)
  logon_hours_ok: No hours restrictions for user abcdef.abcdefg-abcdef@AD.DOMAIN
[2015/07/01 16:36:36.758828, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2015-07-01T16:36:36 starttime: unset endtime: 2015-07-02T02:36:36 renew till: 2015-07-08T16:36:36
[2015/07/01 16:36:36.758886, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using arcfour-hmac-md5/arcfour-hmac-md5
[2015/07/01 16:36:36.758896, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2015/07/01 16:36:36.760092, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2015/07/01 16:36:36.760116, 5] ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
  imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
[2015/07/01 16:36:36.760141, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2015/07/01 16:36:36.767240, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ abcdef.abcdefg-abcdef@AD.DOMAIN.TLD from ipv4: 10.156.248.234:54410 for host/win7-md02.ad.dgfip.org@AD.DOMAIN.TLD [canonicalize, renewable, forwardable]
[2015/07/01 16:36:36.829364, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2015-07-01T16:36:36 starttime: 2015-07-01T16:36:36 endtime: 2015-07-02T02:36:36 renew till: 2015-07-08T16:36:36
[2015/07/01 16:36:36.831057, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2015/07/01 16:36:36.831122, 5] ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
  imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
[2015/07/01 16:36:36.831148, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2015/07/01 16:36:37.967955, 4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:43 2015 CEST
-----------------------------------------------------------

These two lines seem to show authentication is working well as the Kerberos ticket seems to be granted:
[2015/07/01 16:36:36.829364, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2015-07-01T16:36:36 starttime: 2015-07-01T16:36:36 endtime: 2015-07-02T02:36:36 renew till: 2015-07-08T16:36:36

I don't understand why this limitation comes up...

Best regards,

Mathias
Rowland Penny
2015-Jul-01 15:07 UTC
[Samba] [samba] strange: 20 characters max in samAccountName
On 01/07/15 15:44, mathias dufresne wrote:
> [...]

You cannot have a sAMAccountName that is longer than 20 characters; this is a Microsoft AD restriction, see here:

https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx

Rowland
Marc Muehlfeld
2015-Jul-01 15:30 UTC
[Samba] [samba] strange: 20 characters max in samAccountName
Hello Mathias,

as Rowland already said, it's an AD limitation.

On 01.07.2015 at 16:44, mathias dufresne wrote:
> I can log in using administrator account or any other having a short
> (enough) samAccountName.
> I tried to add @ad.domain.tld to samAccountName during log in process
> without any success.

Even if the @ character is allowed, your sAMAccountName attributes shouldn't contain it! You will run into problems some day with it. It's the same with spaces, umlauts, etc.

If you see someone log in with user@samdom.example.com, then this usually isn't the sAMAccountName attribute. It's the value from the userPrincipalName attribute.

http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-76-18/3568.HSG_2D00_8_2D00_13_2D00_13_2D00_01.png

If the account doesn't have a userPrincipalName attribute set, then you can only use the value from sAMAccountName for login.

Regards,
Marc
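Marc's two points above, the 20-character limit and keeping '@', spaces and umlauts out of sAMAccountName while user@domain logons come from userPrincipalName, can be checked across a whole directory dump before anyone hits them at the logon screen. The script below is an added example, not from this thread or from Samba; it runs over a constructed LDIF snippet shaped like ldbsearch output, and the illegal-character set is assumed from Microsoft's sAMAccountName documentation.

```python
import re
MAX_SAM_LEN = 20
# Characters Microsoft documents as not allowed in sAMAccountName (assumed list),
# plus '@' and space, which Marc warns will cause trouble later; non-ASCII is checked separately
ILLEGAL_CHARS = set('"/\\[]:;|=,+*?<>@ ')

# Constructed sample shaped like `ldbsearch -H sam.ldb '(objectClass=user)'
# sAMAccountName userPrincipalName` output; not real directory data.
SAMPLE_LDIF = """\
dn: CN=Short User,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: short.user
userPrincipalName: short.user@ad.domain.tld

dn: CN=Long Name,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: abcdef.abcdefg-abcdef
userPrincipalName: abcdef.abcdefg-abcdef@ad.domain.tld

dn: CN=At Sign,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: j.doe@corp

dn: CN=Umlaut,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: jürgen m
userPrincipalName: juergen.m@ad.domain.tld
"""

def parse_ldif(text):
    """Split blank-line-separated LDIF entries into {attribute: value} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        entries.append({k.strip(): v.strip() for k, v in pairs})
    return entries

def sam_problems(sam):
    """Why this sAMAccountName will not work as a plain (pre-Windows 2000) logon name."""
    problems = []
    if len(sam) > MAX_SAM_LEN:
        problems.append(f"too long ({len(sam)} > {MAX_SAM_LEN})")
    bad = "".join(sorted(c for c in set(sam) if c in ILLEGAL_CHARS or not c.isascii()))
    if bad:
        problems.append(f"unsafe characters {bad!r}")
    return problems

def audit(ldif_text):
    """Map sAMAccountName -> findings; an empty list means the entry is clean."""
    report = {}
    for entry in parse_ldif(ldif_text):
        sam = entry.get("sAMAccountName", "")
        findings = sam_problems(sam)
        if "userPrincipalName" not in entry:
            # Without a UPN the user can only log on with the sAMAccountName itself
            findings.append("no userPrincipalName: only sAMAccountName logon possible")
        report[sam] = findings
    return report
```

Run `audit(SAMPLE_LDIF)` to see each account's findings; the 21-character name from this thread is flagged as too long even though its UPN is fine.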
mathias dufresne
2015-Jul-01 16:44 UTC
[Samba] [samba] strange: 20 characters max in samAccountName
Thank you both for the precisions : )

My users have no "@" in their names (samAccountName nor userPrincipalName nor anything, except in the mail attribute).

From https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx which I read before the initial post, I understand AD can have this limitation of 20 chars if and only if you decide to support (so) old clients (that we should stop thinking about). In the first table the limit of 20 chars is there. In the other tables this limit seems to me pushed up to 256 characters (range-upper line).

Now I can read this table in the wrong way (that won't be the first time :), but I thought this limit was removed with AD without the option to support old clients...

2015-07-01 17:30 GMT+02:00 Marc Muehlfeld <mmuehlfeld@samba.org>:
> [...]