Elias Pereira
2018-Mar-19 23:35 UTC
[Samba] Primary group is 0 and contains 0 supplementary groups
> It might help if you told us how Extreme advised you to configure it.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-internal-RADIUS-server-on-WiNG-with-LDAP-based-authentication
http://www.michaelfmcnamara.com/files/motorola/WING5X_How_To_Active_Directory_Authentication_Rev_B.pdf
https://www.manualslib.com/manual/1150860/Motorola-Wing-5-7-1.html
https://www.zebra.com/us/en/products/spec-sheets-latest/rfs6000-spec-sheet-en.pdf

> Is there a smb.conf and if so, can you obtain it and post a copy ?

At first it seems to be an LDAP client. It does not have any smb.conf or anything like that.

On Mon, Mar 19, 2018 at 6:36 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 19 Mar 2018 17:31:00 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > We have a rfs6000 wifi model controller from Extreme Network that has
> > the ability to become a member of the AD. When we configure it
> > according to Extreme support, the error "NT_STATUS_LOGIN_FAILURE" on
> > the controller and in the samba logs shows the following errors.
>
> It might help if you told us how Extreme advised you to configure it.
>
> I take it that it runs some version of Samba, if so, what version ?
> Is there a smb.conf and if so, can you obtain it and post a copy ?
>
> Rowland

--
Elias Pereira
Rowland Penny
2018-Mar-20 07:57 UTC
[Samba] Primary group is 0 and contains 0 supplementary groups
On Mon, 19 Mar 2018 20:35:42 -0300 Elias Pereira via samba <samba at lists.samba.org> wrote:

> > It might help if you told us how Extreme advised you to configure
> > it.
>
> https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-internal-RADIUS-server-on-WiNG-with-LDAP-based-authentication

After reading this 'Under Server Policy find section Authentication and set Default Source = LDAP and Authentication Type = PEAP-MS-CHAPv2'

I think I understand the problem, try adding this to the Samba AD DC:

    ntlm auth = yes

If this works, then you now have a system that is using NTLMv1

Rowland
L.P.H. van Belle
2018-Mar-20 10:38 UTC
[Samba] Primary group is 0 and contains 0 supplementary groups
You could try the setting.

    ntlm auth = mschapv2-and-ntlmv2-only

From man smb.conf

The available settings are:

· ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients.
· ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.
· mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).
· disabled - Do not accept NTLM (or LanMan) authentication of any level, nor permit NTLM password changes.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Tuesday 20 March 2018 8:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] Primary group is 0 and contains 0 supplementary groups
>
> On Mon, 19 Mar 2018 20:35:42 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > > It might help if you told us how Extreme advised you to configure
> > > it.
> >
> > https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-internal-RADIUS-server-on-WiNG-with-LDAP-based-authentication
>
> After reading this 'Under Server Policy find section Authentication and
> set Default Source = LDAP and Authentication Type = PEAP-MS-CHAPv2'
>
> I think I understand the problem, try adding this to the Samba AD DC:
>
> ntlm auth = yes
>
> If this works, then you now have a system that is using NTLMv1
>
> Rowland
Elias Pereira
2018-Mar-20 11:39 UTC
[Samba] Primary group is 0 and contains 0 supplementary groups
Bingo!!!! :D

After putting the option "ntlm auth = mschapv2-and-ntlmv2-only" it was possible to join the controller to our samba4 AD.

Thank you Rowland and Louis!!! As I said before, you guys do a great job here on the list. God bless them!

On Tue, Mar 20, 2018 at 7:38 AM, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> You could try the setting.
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
> From man smb.conf
> The available settings are:
>
> · ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients.
> · ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.
> · mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).
> · disabled - Do not accept NTLM (or LanMan) authentication of any level, nor permit NTLM password changes.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> > Sent: Tuesday 20 March 2018 8:58
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Primary group is 0 and contains 0 supplementary groups
> >
> > On Mon, 19 Mar 2018 20:35:42 -0300
> > Elias Pereira via samba <samba at lists.samba.org> wrote:
> >
> > > > It might help if you told us how Extreme advised you to configure
> > > > it.
> > >
> > > https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-internal-RADIUS-server-on-WiNG-with-LDAP-based-authentication
> >
> > After reading this 'Under Server Policy find section Authentication and
> > set Default Source = LDAP and Authentication Type = PEAP-MS-CHAPv2'
> >
> > I think I understand the problem, try adding this to the Samba AD DC:
> >
> > ntlm auth = yes
> >
> > If this works, then you now have a system that is using NTLMv1
> >
> > Rowland

--
Elias Pereira
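Added example, not part of the original thread or of Samba itself: a small checker that reads `ntlm auth` from the [global] section of an smb.conf and reports, using the man page wording quoted above, which clients may still authenticate with NTLMv1. The function name `audit_ntlm_auth` and both sample configurations are constructed for illustration; an unset parameter is reported as such because the default depends on the Samba version.

```python
import re

# Values and aliases as listed in the smb.conf man page excerpt quoted in the thread.
ALIASES = {"yes": "ntlmv1-permitted", "no": "ntlmv2-only"}
NTLMV1_EXPOSURE = {
    "ntlmv1-permitted": "all clients",
    "mschapv2-and-ntlmv2-only": "MSCHAPv2 clients only",
    "ntlmv2-only": "none",
    "disabled": "none (NTLM refused entirely)",
}

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def audit_ntlm_auth(conf_text):
    """Return (canonical_value, ntlmv1_exposure) for [global] 'ntlm auth'."""
    section, value = None, None
    # Join backslash-continued lines before parsing.
    for raw in re.sub(r"\\\r?\n", "", conf_text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = line.split("=", 1)  # only the first '=' is significant
        if _norm(key) == "ntlmauth":
            value = val.strip().lower()  # a later assignment overrides an earlier one
    if value is None:
        return ("unset", "depends on the Samba version's default")
    canonical = ALIASES.get(value, value)
    return (canonical, NTLMV1_EXPOSURE.get(canonical, "unrecognised value"))

# Constructed sample configurations (not taken from the poster's DC).
SUGGESTED_FIRST = "[global]\n\trealm = EXAMPLE.LAN\n\tntlm auth = yes\n"
ADOPTED = ("[Global]\n  # RADIUS on the controller uses PEAP-MS-CHAPv2\n"
           "  NTLM Auth = mschapv2-and-ntlmv2-only\n")

if __name__ == "__main__":
    for label, conf in (("first suggestion", SUGGESTED_FIRST), ("adopted", ADOPTED)):
        print(label, "->", audit_ntlm_auth(conf))
```

Running the same check against the DC's real configuration file (path depends on the installation) shows whether the narrower MSCHAPv2-only setting or the blanket NTLMv1 setting is in effect.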