Stefan Froehlich
2016-Dec-17 21:12 UTC
[Samba] winbind joining NT4-style domain - two strange issues
A new Debian(unstable) machine with Samba 4.5.2 is trying to join an NT4-style Samba domain hosted on a Debian(wheezy) Server with 3.6.6 which can't be changed but has been working for some years now with a couple of windows clients.

Joining the domain was quite easy (only surprise was "client ipc signing"), and "wbinfo -u" gives me a list with all domain users.

BUT (issue one) "getent passwd" listed only local users in the beginning. Google has many hits for this with many different reasons. Learning from them I now have a smb.conf with the following relevant entries:

| netbios name = DALET-STG
| workgroup = SYNTH
| wins support = no
| wins server = herkules.synth.intern
| client ipc signing = auto
| server role = member server
| security = domain
| password server = herkules.synth.intern
| idmap config *:backend = tdb
| idmap config *:range = 1000-9999
| idmap config SYNTH:backend = rid
| idmap config SYNTH:range = 10000-19999
| winbind separator = +
| winbind enum groups = yes
| winbind enum users = yes
| winbind use default domain = no

After configuring "idmap config SYNTH:backend=rid" to my surprise "getent passwd" now returns exactly ONE domain user (actually it returns *my* user). So I can do:

| $ wbinfo -a SYNTH+user1%pass1
| plaintext password authentication succeeded
| challenge/response password authentication succeeded
|
| $ wbinfo -a SYNTH+user2%pass2
| plaintext password authentication succeeded
| challenge/response password authentication succeeded
|
| $ getent passwd SYNTH+user1
| SYNTH+user1:*:13000:10513:Stefan Froehlich:/home/SYNTH/user1:/bin/bash
|
| $ getent passwd SYNTH+user2
| [no output at all]

ONLY user1 is found, nothing else, whatever I do (I was desperate enough to even reboot the machine, but... well, I did not expect it to help and it did not). Does anyone have a clue what is going on here? What to try next?

The second odd thing is PAM authentication. I configured pam_winbind and tried to connect via ssh and via postgresql - using the non-mapped account of user2 in the example above. Both of them are running through exactly the same PAM configuration, but still postgresql succeeds and ssh login fails. I had a look at the level 9 debug logs on the server side and found out the following (so most likely this is an issue on the rather ancient 3.6.6 machine, but still I would be REALLY thankful for help).

Connection attempt from postgres:

| [2016/12/17 20:55:55.268015, 3] auth/auth.c:219(check_ntlm_password)
| check_ntlm_password: Checking password for unmapped user [SYNTH]\[user2]@[\\DALET-STG] with the new password interface
| [2016/12/17 20:55:55.268040, 3] auth/auth.c:222(check_ntlm_password)
| check_ntlm_password: mapped user is: [SYNTH]\[user2]@[\\DALET-STG]

[about 50 lines snipped]

| [2016/12/17 20:55:55.268723, 5] lib/username.c:171(Get_Pwnam_alloc)
| Finding user user2
| [2016/12/17 20:55:55.268746, 5] lib/username.c:116(Get_Pwnam_internals)
| Trying _Get_Pwnam(), username as lowercase is user2
| [2016/12/17 20:55:55.268773, 5] lib/username.c:149(Get_Pwnam_internals)
| Get_Pwnam_internals did find user [user2]!
| [2016/12/17 20:55:55.268808, 3] passdb/lookup_sid.c:1754(get_primary_group_sid)
| Forcing Primary Group to 'Domain Users' for user2
| [2016/12/17 20:55:55.268835, 4] smbd/sec_ctx.c:214(push_sec_ctx)
| push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.268860, 4] smbd/uid.c:460(push_conn_ctx)
| push_conn_ctx(100) : conn_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.268884, 4] smbd/sec_ctx.c:314(set_sec_ctx)
| setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.268908, 5] ../libcli/security/security_token.c:53(security_token_debug)
| Security token: (NULL)
| [2016/12/17 20:55:55.268931, 5] auth/token_util.c:527(debug_unix_user_token)
| UNIX token of user 0
| Primary group is 0 and contains 0 supplementary groups
| [2016/12/17 20:55:55.268972, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
| pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269007, 4] lib/substitute.c:527(automount_server)
| Home server: herkules
| [2016/12/17 20:55:55.269039, 4] lib/substitute.c:527(automount_server)
| Home server: herkules
| [2016/12/17 20:55:55.269070, 4] smbd/sec_ctx.c:214(push_sec_ctx)
| push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.269095, 4] smbd/uid.c:460(push_conn_ctx)
| push_conn_ctx(100) : conn_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269119, 4] smbd/sec_ctx.c:314(set_sec_ctx)
| setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.269142, 5] ../libcli/security/security_token.c:53(security_token_debug)
| Security token: (NULL)
| [2016/12/17 20:55:55.269165, 5] auth/token_util.c:527(debug_unix_user_token)
| UNIX token of user 0
| Primary group is 0 and contains 0 supplementary groups
| [2016/12/17 20:55:55.269208, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
| pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269243, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
| pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
| [2016/12/17 20:55:55.269274, 4] auth/check_samsec.c:183(sam_account_ok)
| sam_account_ok: Checking SMB password for user user2
| [2016/12/17 20:55:55.269302, 5] auth/check_samsec.c:165(logon_hours_ok)
| logon_hours_ok: user user2 allowed to logon at this time (Sat Dec 17 19:55:55 2016
| )
| [2016/12/17 20:55:55.269334, 4] smbd/sec_ctx.c:214(push_sec_ctx)
| push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269360, 4] smbd/uid.c:460(push_conn_ctx)
| push_conn_ctx(100) : conn_ctx_stack_ndx = 0

Connection attempt from ssh:

| [2016/12/17 20:55:19.843012, 3] auth/auth.c:219(check_ntlm_password)
| check_ntlm_password: Checking password for unmapped user [SYNTH]\[user2]@[\\DALET-STG] with the new password interface
| [2016/12/17 20:55:19.843038, 3] auth/auth.c:222(check_ntlm_password)
| check_ntlm_password: mapped user is: [SYNTH]\[user2]@[\\DALET-STG]

[completely identical lines to the above log file snipped]

| [2016/12/17 20:55:19.844194, 5] auth/token_util.c:527(debug_unix_user_token)
| UNIX token of user 0
| Primary group is 0 and contains 0 supplementary groups
| [2016/12/17 20:55:19.844236, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
| pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:19.844271, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
| pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
| [2016/12/17 20:55:19.844301, 3] ../libcli/auth/ntlm_check.c:238(hash_password_check)
| ntlm_password_check: Interactive logon: NT password check failed for user user2
| [2016/12/17 20:55:19.844329, 4] smbd/sec_ctx.c:214(push_sec_ctx)
| push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:19.844354, 4] smbd/uid.c:460(push_conn_ctx)
| push_conn_ctx(100) : conn_ctx_stack_ndx = 0

This seems completely irrational to me - in both cases the same password has been entered, exactly the same piece of software is called, but - reproducible! - a different result is returned. Again, I highly welcome any hints and suggestions.

If any additional file or configuration information is needed of either client or server, or if I should try out something, just tell.

Bye,
Stefan
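An added example, not part of the mail above and not Samba's own code: it takes the idmap lines from the smb.conf quoted in the mail and applies the mapping documented for Samba's idmap_rid backend (ID = RID - BASE_RID + LOW_RANGE_ID, with the result rejected when it falls outside the configured range). Whether a given RID maps into the range is one thing worth checking when a user appears in "wbinfo -u" (name enumeration) but not in "getent passwd" (which needs a SID-to-uid mapping). The domain SID prefix and the RIDs fed to it are constructed; RIDs 3000 and 513 are chosen because they reproduce the uid 13000 and gid 10513 that the mail's getent output shows for user1.

```python
"""Compute the uid/gid Samba's idmap_rid backend assigns for a SID and
check it against the configured range (example, not Samba code)."""
import re

# The idmap lines from the thread's smb.conf, in the mail's "| " quoting.
SAMPLE_SMB_CONF = """
| idmap config *:backend = tdb
| idmap config *:range = 1000-9999
| idmap config SYNTH:backend = rid
| idmap config SYNTH:range = 10000-19999
"""

IDMAP_RE = re.compile(r"idmap config\s+([^:]+):\s*(\w+)\s*=\s*(.+)", re.I)
# Domain account SID: S-1-5-21-<dom1>-<dom2>-<dom3>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_idmap_config(conf_text):
    """Return {DOMAIN: {key: value}} for every 'idmap config' line."""
    cfg = {}
    for raw in conf_text.splitlines():
        line = raw.strip().lstrip("|").strip()
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            cfg.setdefault(dom.strip().upper(), {})[key.lower()] = val.strip()
    return cfg


def sid_to_rid(sid):
    """The last sub-authority of a domain account SID is its RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    return int(m.group(1))


def rid_to_id(rid, dom_cfg):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result is outside [low, high], i.e. unmapped."""
    low, high = (int(x) for x in dom_cfg["range"].split("-"))
    base_rid = int(dom_cfg.get("base_rid", 0))  # Samba default is 0
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def explain(sid, domain, cfg):
    """Human-readable verdict for one SID under the parsed configuration."""
    dom_cfg = cfg.get(domain.upper())
    if not dom_cfg or dom_cfg.get("backend") != "rid":
        return "%s: domain %s is not using the rid backend" % (sid, domain)
    rid = sid_to_rid(sid)
    unix_id = rid_to_id(rid, dom_cfg)
    if unix_id is None:
        return "%s: RID %d is outside range %s, no uid/gid -> invisible to getent" % (
            sid, rid, dom_cfg["range"])
    return "%s: RID %d -> id %d" % (sid, rid, unix_id)


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    # Constructed SIDs: RID 3000 and 513 match uid 13000 / gid 10513 in the
    # mail; RID 12000 is a constructed case that overflows the range.
    for sid in ("S-1-5-21-111-222-333-3000",
                "S-1-5-21-111-222-333-513",
                "S-1-5-21-111-222-333-12000"):
        print(explain(sid, "SYNTH", cfg))
```

On a real member server the SIDs would come from "wbinfo -n SYNTH+user2" rather than being constructed; the arithmetic is the same.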
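A second added example, again not from the mail and not Samba code: a small parser for the two-line smbd debug-log layout quoted above (a "[timestamp, level] file:line(function)" header followed by one or more message lines), which groups records into authentication attempts and reports whether an explicit password-check failure was logged for each. The sample log is a shortened, constructed mix of the ssh and postgres excerpts from the mail; the attempt boundaries and the "failed" heuristic are this example's own choices.

```python
"""Parse smbd level-9 log excerpts and summarise auth attempts
(example code, not part of Samba)."""
import re

HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s+(\S+):(\d+)\((\w+)\)\s*$"
)
# Pulls DOMAIN and user out of "... unmapped user [SYNTH]\[user2]@..."
USER_RE = re.compile(r"unmapped user \[([^\]]+)\]\\\[([^\]]+)\]")

# Constructed sample: a few lines from each of the two excerpts in the mail.
SAMPLE_LOG = r"""
| [2016/12/17 20:55:19.843012, 3] auth/auth.c:219(check_ntlm_password)
| check_ntlm_password: Checking password for unmapped user [SYNTH]\[user2]@[\\DALET-STG] with the new password interface
| [2016/12/17 20:55:19.844301, 3] ../libcli/auth/ntlm_check.c:238(hash_password_check)
| ntlm_password_check: Interactive logon: NT password check failed for user user2
| [2016/12/17 20:55:55.268015, 3] auth/auth.c:219(check_ntlm_password)
| check_ntlm_password: Checking password for unmapped user [SYNTH]\[user2]@[\\DALET-STG] with the new password interface
| [2016/12/17 20:55:55.268931, 5] auth/token_util.c:527(debug_unix_user_token)
| UNIX token of user 0
| Primary group is 0 and contains 0 supplementary groups
| [2016/12/17 20:55:55.269274, 4] auth/check_samsec.c:183(sam_account_ok)
| sam_account_ok: Checking SMB password for user user2
"""


def parse_samba_log(text):
    """Turn header/message pairs into dict records; lines without a header
    (e.g. the second line of debug_unix_user_token) extend the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("|"):          # strip the mail's quoting prefix
            line = line[1:].strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            ts, level, src, lineno, func = m.groups()
            records.append({"ts": ts, "level": int(level), "src": src,
                            "line": int(lineno), "func": func, "msg": []})
        elif records:
            records[-1]["msg"].append(line)
    return records


def auth_attempts(records):
    """Start a new attempt at every check_ntlm_password 'Checking password'
    record and attach any explicit password-check failure that follows."""
    attempts = []
    for rec in records:
        text = " ".join(rec["msg"])
        if rec["func"] == "check_ntlm_password" and "Checking password for unmapped user" in text:
            m = USER_RE.search(text)
            attempts.append({"ts": rec["ts"],
                             "domain": m.group(1) if m else None,
                             "user": m.group(2) if m else None,
                             "failures": []})
        elif attempts and "password check failed" in text:
            attempts[-1]["failures"].append(text)
    return attempts


def summarize(text):
    """(timestamp, user, verdict) per attempt, in log order."""
    return [(a["ts"], a["user"], "failed" if a["failures"] else "no failure logged")
            for a in auth_attempts(parse_samba_log(text))]


if __name__ == "__main__":
    for ts, user, verdict in summarize(SAMPLE_LOG):
        print(ts, user, verdict)
```

Note that "no failure logged" only means the excerpt contains no explicit failure line; with snipped logs, as in the mail, the success path has to be confirmed from the lines that were cut.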
Rowland Penny
2016-Dec-17 21:51 UTC
[Samba] winbind joining NT4-style domain - two strange issues
On Sat, 17 Dec 2016 22:12:28 +0100
Stefan Froehlich via samba <samba at lists.samba.org> wrote:

> A new Debian(unstable) machine with Samba 4.5.2 is trying to join an
> NT4-style Samba domain hosted on a Debian(wheezy) Server with 3.6.6
> which can't be changed but has been working for some years now with a
> couple of windows clients.
>
> Joining the domain was quite easy (only surprise was "client ipc
> signing"), and "wbinfo -u" gives me a list with all domain users.
>
> BUT (issue one) "getent passwd" listed only local users in the
> beginning. Google has many hits for this with many different reasons.
> Learning from them I now have a smb.conf with the following relevant
> entries:
>
> | netbios name = DALET-STG
> | workgroup = SYNTH
> | wins support = no
> | wins server = herkules.synth.intern
> | client ipc signing = auto
> | server role = member server
> | security = domain
> | password server = herkules.synth.intern
> | idmap config *:backend = tdb
> | idmap config *:range = 1000-9999
> | idmap config SYNTH:backend = rid
> | idmap config SYNTH:range = 10000-19999
> | winbind separator = +
> | winbind enum groups = yes
> | winbind enum users = yes
> | winbind use default domain = no

From version 4.5.0, the default 'ntlm auth' option in smb.conf was changed from "yes" to "no". Try adding 'ntlm auth = yes' to your smb.conf

Rowland
Stefan Froehlich
2016-Dec-17 22:07 UTC
[Samba] winbind joining NT4-style domain - two strange issues
On Sat, Dec 17, 2016 at 09:51:57PM +0000, Rowland Penny via samba wrote:
> > | netbios name = DALET-STG
> > | workgroup = SYNTH
> > | wins support = no
> > | wins server = herkules.synth.intern
> > | client ipc signing = auto
> > | server role = member server
> > | security = domain
> > | password server = herkules.synth.intern
> > | idmap config *:backend = tdb
> > | idmap config *:range = 1000-9999
> > | idmap config SYNTH:backend = rid
> > | idmap config SYNTH:range = 10000-19999
> > | winbind separator = +
> > | winbind enum groups = yes
> > | winbind enum users = yes
> > | winbind use default domain = no
> From version 4.5.0, the default 'ntlm auth' option in smb.conf was
> changed from "yes" to "no". Try adding 'ntlm auth = yes' to your
> smb.conf

Thanks, I added that - unfortunately it did not change anything. In fact the problem was exactly the same with Samba 4.2.10 (shipping with Debian jessie). I only upgraded to 4.5.2 before posting to this list in order to avoid any "upgrade to the recent version" replies.

Bye,
Stefan