Hello experts,

I currently have a file server running on CentOS 7. The file server is joined to the enterprise.com domain (with Samba 4.5). The enterprise.com domain (with Samba 4.5) maintains a trust relationship with the example.com domain, running on Windows Server 2012 R2.

The problem occurs when a user of the example.com (Windows Server) domain authenticates on a workstation of the enterprise.com domain and tries to access a file server or Samba 4 domain controller share. Access is denied.

Below are the logs of an attempted access from a Windows 10 workstation (joined to the enterprise.com domain) to the file server, using a user from the example.com domain:

[2017/03/15 19:36:47.678066, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 10.10.10.31 (10.10.10.31)
[2017/03/15 19:36:47.678174, 3] ../source3/smbd/oplock.c:1310(init_oplocks)
  init_oplocks: initializing messages.
[2017/03/15 19:36:47.799334, 3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 0 of length 178 (0 toread)
[2017/03/15 19:36:47.799518, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2017/03/15 19:36:47.803391, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2017/03/15 19:36:47.804004, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[solange] domain=[GNULINUX] workstation=[WINDOWS10] len1=24 len2=306
[2017/03/15 19:36:47.804068, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
  lp_load_ex: refreshing parameters
[2017/03/15 19:36:47.804116, 3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2017/03/15 19:36:47.804189, 3] ../source3/param/loadparm.c:2671(lp_do_section)
  Processing section "[global]"
[2017/03/15 19:36:47.804235, 2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[rh]"
[2017/03/15 19:36:47.804282, 2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[diretoria]"
[2017/03/15 19:36:47.804342, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
  adding IPC service
[2017/03/15 19:36:47.804471, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [GNULINUX]\[solange]@[WINDOWS10] with the new password interface
[2017/03/15 19:36:47.804485, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [GNULINUX]\[solange]@[WINDOWS10]
[2017/03/15 19:36:47.804547, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/03/15 19:36:47.806880, 3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.10.10.10
[2017/03/15 19:36:47.806935, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/03/15 19:36:47.810180, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/03/15 19:36:47.815598, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.10.10.10 at port 445
[2017/03/15 19:36:47.833059, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=96)
[2017/03/15 19:36:47.833140, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/03/15 19:36:47.833152, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178 at please_ignore
[2017/03/15 19:36:47.837268, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/03/15 19:36:47.837310, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2017/03/15 19:36:47.837350, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/03/15 19:36:47.837358, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/03/15 19:36:47.837370, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/03/15 19:36:47.837377, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/03/15 19:36:47.838566, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/03/15 19:36:47.838589, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/03/15 19:36:47.844950, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/03/15 19:36:47.856611, 0] ../source3/auth/auth_domain.c:225(domain_client_validate)
  domain_client_validate: unable to validate password for user solange in domain GNULINUX to Domain controller SRVDC1.COORP.GNULINUX. Error was NT_STATUS_NO_SUCH_USER.
[2017/03/15 19:36:47.857771, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [solange] -> [solange] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/03/15 19:36:47.857807, 2] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/03/15 19:36:47.857854, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/03/15 19:36:47.858475, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
[2017/03/15 19:36:47.860728, 3] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

--------------------------------------------------------------------------------

When access is made by any user of the enterprise.com domain, it is granted successfully without asking for authentication.

Note: the file server is integrated with the enterprise.com domain using sssd to map users and groups (working seamlessly). It also uses Samba to share files.

How can I access a share with a user from a different domain than the one the workstation is joined to?

--
Regards,
Edson Oliveira
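The useful signal in a Samba level-3 log like the one above is spread over three records: the identity the client put in its NTLMSSP AUTHENTICATE message (ntlmssp_server_preauth), the domain controller smbd forwarded that logon to and what it answered (domain_client_validate), and the status finally returned to the SMB client (smbd_smb2_request_error_ex). The following triage script, added here as an example and not part of the original post or of Samba, groups the two-line Samba log records, extracts those three facts, and flags the pattern visible in this log: the request named domain GNULINUX, so smbd validated against that domain's DC (SRVDC1.COORP.GNULINUX), which answered NT_STATUS_NO_SUCH_USER. The sample log is a trimmed copy of the records quoted in the post; the `local_domain` argument is an assumption the caller supplies (the log itself does not say which domain the file server is joined to).

```python
"""Triage a failed SMB session setup in a Samba (smbd) level-3 log.

Added example, not code from the original post or from the Samba project.
Samba writes each debug record as a "[date time, level] file:line(func)"
header followed by one or more indented message lines; this groups them and
pulls out who logged on, which DC was asked, and what came back.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\] "
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
PREAUTH_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] workstation=\[(?P<ws>[^\]]*)\]")
VALIDATE_RE = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain (?P<domain>\S+) "
    r"to Domain controller (?P<dc>\S+)\. Error was (?P<status>NT_STATUS_\w+)")
FINAL_RE = re.compile(r"status\[(NT_STATUS_\w+)\]")


@dataclass
class LogRecord:
    ts: str
    level: int
    func: str
    message: str = ""


@dataclass
class AuthTriage:
    user: Optional[str] = None
    client_domain: Optional[str] = None   # domain field of the NTLMSSP AUTHENTICATE
    workstation: Optional[str] = None
    validating_dc: Optional[str] = None   # DC smbd forwarded the logon to
    dc_status: Optional[str] = None       # what that DC answered
    final_status: Optional[str] = None    # status returned to the SMB client
    notes: List[str] = field(default_factory=list)


def parse_records(text: str) -> List[LogRecord]:
    """Group a header line and its following indented message lines into one record."""
    records: List[LogRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            records.append(LogRecord(m["ts"], int(m["level"]), m["func"]))
        elif records and line:
            records[-1].message = (records[-1].message + " " + line).strip()
    return records


def triage(text: str, local_domain: Optional[str] = None) -> AuthTriage:
    """Walk the records in order and fill in identity, DC and status fields.

    local_domain is the NetBIOS name of the domain the file server is joined to;
    it is an assumption supplied by the caller, the log does not state it.
    """
    t = AuthTriage()
    for rec in parse_records(text):
        if rec.func == "ntlmssp_server_preauth" and (m := PREAUTH_RE.search(rec.message)):
            t.user, t.client_domain, t.workstation = m["user"], m["domain"], m["ws"]
        elif rec.func == "domain_client_validate" and (m := VALIDATE_RE.search(rec.message)):
            t.validating_dc, t.dc_status = m["dc"], m["status"]
        elif rec.func == "smbd_smb2_request_error_ex" and (m := FINAL_RE.search(rec.message)):
            t.final_status = m.group(1)
    if t.dc_status == "NT_STATUS_NO_SUCH_USER":
        t.notes.append(f"DC {t.validating_dc} knows no account '{t.user}' in domain {t.client_domain}")
        if local_domain and t.client_domain and t.client_domain.upper() == local_domain.upper():
            t.notes.append("the client named the file server's own domain, so smbd asked that "
                           "domain's DC rather than a trusted domain's DC")
    return t


# Trimmed copy of the records quoted in the post above (raw string: the
# message text contains a literal backslash).
SAMPLE_LOG = r"""[2017/03/15 19:36:47.678066, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 10.10.10.31 (10.10.10.31)
[2017/03/15 19:36:47.804004, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[solange] domain=[GNULINUX] workstation=[WINDOWS10] len1=24 len2=306
[2017/03/15 19:36:47.804471, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [GNULINUX]\[solange]@[WINDOWS10] with the new password interface
[2017/03/15 19:36:47.815598, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.10.10.10 at port 445
[2017/03/15 19:36:47.833140, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/03/15 19:36:47.856611, 0] ../source3/auth/auth_domain.c:225(domain_client_validate)
  domain_client_validate: unable to validate password for user solange in domain GNULINUX to Domain controller SRVDC1.COORP.GNULINUX. Error was NT_STATUS_NO_SUCH_USER.
[2017/03/15 19:36:47.857771, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [solange] -> [solange] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/03/15 19:36:47.857854, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, local_domain="GNULINUX"))
```

Run it against a full `log.smbd` (or a per-client `log.<ip>`) captured at `log level = 3`; the `level 0` domain_client_validate record is the one that names the DC actually consulted, and comparing its domain with the NTLMSSP domain field tells you whether the logon was ever routed toward the trusted domain at all.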