Mark Grabowski
2016-Apr-14 20:14 UTC
[Samba] samba 4.4.2 ads member not authenticating properly
Hello,

I have a Centos 7 system running samba that is joined to an ADS. When I was running 4.4.0 everything worked just fine. When I installed 4.4.2 samba stopped authenticating passwords against the ads properly. I am using sssd and have verified that it is working correctly and able to validate passwords. I am not running winbind. Both 4.4.0 and 4.4.2 were compiled using exactly the same environment.

I have turned on log level 3 to try and figure out what is going on. Under 4.4.0 I can see that samba is using the server machine password to communicate with the ads.

Connecting to xxx.xxx.xx.x at port 445
[2016/04/14 14:10:21.519533, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/04/14 14:10:21.541269, 3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [elric] succeeded
[2016/04/14 14:10:21.541340, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [elric] -> [elric] -> [elric@***.udel.edu] succeeded

I am not seeing this step in the 4.4.2 logging, instead:

Connecting to xxx.xxx.xx.x at port 445
[2016/04/14 15:42:00.043844, 3] ../source3/libsmb/cliconnect.c:1798(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2016/04/14 15:42:00.043946, 3] ../source3/libsmb/cliconnect.c:1825(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2016/04/14 15:42:00.043975, 3] ../source3/libsmb/cliconnect.c:1835(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178 at please_ignore
[2016/04/14 15:42:00.045446, 3] ../auth/ntlmssp/ntlmssp_client.c:275(ntlmssp_client_challenge)
  Got challenge flags:
[2016/04/14 15:42:00.045487, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2016/04/14 15:42:00.045614, 3] ../auth/ntlmssp/ntlmssp_client.c:731(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2016/04/14 15:42:00.045630, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088a15
[2016/04/14 15:42:00.045644, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/04/14 15:42:00.045655, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088a15
[2016/04/14 15:42:00.047444, 3] ../source3/libsmb/cliconnect.c:2173(cli_session_setup_done_spnego)
  SPNEGO login failed: Logon failure

In both cases I am seeing the correct preferred server list and the same mapped user information.

Assuming that this was being caused by some of the new security flags I have tried to turn some of the new features off. I was unable to get things working.

Can anyone point me in the right direction?

Thanks,
Mark

--
Mark Grabowski
University of Delaware Library
University of Delaware
(302) 831-3310
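The two neg_flags values in the 4.4.2 trace above can be decoded bit by bit to see what changed between the server's challenge and the client's final flags. This is an added example, not part of the original post or of Samba's code; the flag names follow MS-NLMP, the table covers only the commonly seen bits (others are reported as UNKNOWN), and the sample lines are excerpted from the message above.

```python
import re

# NTLMSSP negotiate flag bits, named after MS-NLMP (partial table).
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

def decode(flags):
    """Return the set of flag names set in a 32-bit neg_flags value."""
    return {NTLMSSP_FLAGS.get(1 << b, "UNKNOWN_0x%08x" % (1 << b))
            for b in range(32) if flags & (1 << b)}

def neg_flags_in(log_text):
    """Extract every neg_flags value from log level 3 output, in order."""
    return [int(h, 16) for h in re.findall(r"neg_flags=0x([0-9a-fA-F]{1,8})", log_text)]

def diff(before, after):
    """Flags dropped and flags added between two neg_flags values."""
    b, a = decode(before), decode(after)
    return sorted(b - a), sorted(a - b)

# Lines excerpted from the 4.4.2 trace in the message above.
LOG = """\
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088a15
"""

if __name__ == "__main__":
    challenge, final = neg_flags_in(LOG)[:2]
    dropped, added = diff(challenge, final)
    print("dropped in final:", dropped)
    print("added in final:", added)
```

On this trace the final flags differ from the challenge flags by three bits: the target-info and target-type-domain bits are gone and the anonymous bit (0x800) is set.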
Miguel Medalha
2016-Apr-14 22:40 UTC
[Samba] samba 4.4.2 ads member not authenticating properly
> I have a Centos 7 system running samba that is joined to an ADS. When I
> was running 4.4.0 everything worked just fine. When I installed 4.4.2
> samba stopped authenticating passwords against the ads properly. I am
> using sssd and have verified that it is working correctly and able to
> validate passwords. I am not running winbind. Both 4.4.0 and 4.4.2 were
> compiled using exactly the same environment.
>
> (...)
>
> Can anyone point me in the right direction?
>

Did you read this document?

https://www.samba.org/samba/history/samba-4.4.2.html

It details several new defaults and behavior changes with version 4.4.2.
Garming Sam
2016-Apr-14 23:18 UTC
[Samba] samba 4.4.2 ads member not authenticating properly
The latest news page also has a bit more on the new defaults if that helps. It might be a bit clearer.

https://www.samba.org/samba/latest_news.html

On 15/04/16 10:40, Miguel Medalha wrote:
>
>> I have a Centos 7 system running samba that is joined to an ADS. When I
>> was running 4.4.0 everything worked just fine. When I installed 4.4.2
>> samba stopped authenticating passwords against the ads properly. I am
>> using sssd and have verified that it is working correctly and able to
>> validate passwords. I am not running winbind. Both 4.4.0 and 4.4.2
>> were compiled using exactly the same environment.
>>
>> (...)
>>
>> Can anyone point me in the right direction?
>>
>
> Did you read this document?
>
> https://www.samba.org/samba/history/samba-4.4.2.html
>
> It details several new defaults and behavior changes with version 4.4.2.
>