Hénoch Hervé
2018-May-29 12:43 UTC
[Samba] Can't connect anymore a share in domain A from domain B since
Hi,

In the past (2 months ago): I had two AD domains under Samba 4.1: A and B. I was able to connect to a share in A from B.

Now (after upgrade): I have a W2016 domain (B) and a Samba 4.6 domain (A), but I can't connect to a share in A from B. The user from B who tries to connect to the share in A has the same login in the two domains.

So since the upgrade I don't have the same behavior ...

From a computer named XXX in domain B I've tried this command:

    net use z: \\<computer in A>\<share> /USER:login0@A

(where login0 is the same in A and B for the user).

If I write a wrong password I have the system error 86, but if I write the good password (must write it twice) I have the system error 5.

In Samba logs are:

    ntlm_password_check: LM password and LMv2 failed for user login0, and NT MD4 password in LM field not permitted
    ntlm_password_check: Lanman passwords NOT PERMITTED for user login0
    ntlm_password_check: LM password and LMv2 failed for user login0, and NT MD4 password in LM field not permitted
    ntlm_password_check: Lanman passwords NOT PERMITTED for user login0
    ntlm_password_check: LM password and LMv2 failed for user login0, and NT MD4 password in LM field not permitted
    auth_check_password_recv: sam_ignoredomain authentication for user [A\login0] FAILED with error NT_STATUS_WRONG_PASSWORD
    auth_check_password_send: Checking password for unmapped user [A]\[login0@A]@[\\XXX]
    auth_check_password_send: mapped user is: [A]\[login0]@[\\XXX]

How can I make such a connection? I've tried "map untrusted to domain = yes" but it is not working better ...

Regards

--
Hervé HÉNOCH
IT Manager
Tel.: 0490275744
h.henoch at isc84.org
250, chemin de Baigne-Pieds – 84 000 Avignon
www.institut-sainte-catherine.org <http://www.institut-sainte-catherine.org/>
L.P.H. van Belle
2018-May-29 12:52 UTC
[Samba] Can't connect anymore a share in domain A from domain B since
Try it like this.

    net use z: \\<computer in A.FQDN\<share> /USER:NTDOM\%username%

Does that work for the Samba 4.1? If not, check if your Windows disabled SMBv1.
See: https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-by-default-in-windows

Best is, upgrade your systems so you can use Samba 4.7+.

Greetz,

Louis
Hénoch Hervé
2018-May-29 13:06 UTC
[Samba] Can't connect anymore a share in domain A from domain B since
It says user %unsername% is unknown !!!

But if I try:

    net use z: \\<computer in A.FQDN\<share> /USER:A\username

the Samba logs change:

    Kerberos: AS-REQ login0@A from ipv4:<ip XXX>:51583 for krbtgt/A@A
    Kerberos: Looking for PKINIT pa-data -- login0@A
    Kerberos: Looking for ENC-TS pa-data -- login0@A
    Kerberos: Failed to decrypt PA-DATA -- login0@A (enctype arcfour-hmac-md5) error Decrypt integrity check failed
    Kerberos: Failed to decrypt PA-DATA -- login0@A
    Kerberos: AS-REQ login0@A from ipv4:<ip XXX>:51585 for krbtgt/A@A
    Kerberos: Looking for PKINIT pa-data -- login0@A
    Kerberos: Looking for ENC-TS pa-data -- login0@A
    Kerberos: No preauth found, returning PREAUTH-REQUIRED -- login0@A
    Kerberos: AS-REQ login0@A from ipv4:<ip XXX>:51586 for krbtgt/A@A
    Kerberos: Looking for PKINIT pa-data -- login0@A
    Kerberos: Looking for ENC-TS pa-data -- login0@A
    Kerberos: ENC-TS Pre-authentication succeeded -- login0@A using aes256-cts-hmac-sha1-96
    Kerberos: TGS-REQ login0@A.LOCAL from ipv4:<ip XXX>:51587 for cifs/<file server in A.FQDN@A.LOCAL [canonicalize, renewable, forwardable]

Note: if I try:

    net use z: \\<computer in A.FQDN\<share> /USER:A\username*password*

the password is not asked (twice otherwise).
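A small triage script for the two kinds of log excerpt quoted in this thread (the NTLM rejection in the first message and the Kerberos AS-REQ exchange in the message above), added here as an example and not part of the original posts or of Samba. The sample lines are constructed from the thread's excerpts, with 192.0.2.10 as a placeholder client address; the function and event names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log excerpts quoted in this thread.
# 192.0.2.10 is a documentation address standing in for the client XXX.
SAMPLE_LOG = """\
ntlm_password_check: Lanman passwords NOT PERMITTED for user login0
auth_check_password_recv: sam_ignoredomain authentication for user [A\\login0] FAILED with error NT_STATUS_WRONG_PASSWORD
Kerberos: AS-REQ login0@A from ipv4:192.0.2.10:51583 for krbtgt/A@A
Kerberos: Failed to decrypt PA-DATA -- login0@A (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: AS-REQ login0@A from ipv4:192.0.2.10:51586 for krbtgt/A@A
Kerberos: ENC-TS Pre-authentication succeeded -- login0@A using aes256-cts-hmac-sha1-96
"""

# (event name, pattern); "detail" is the status code or Kerberos enctype.
PATTERNS = [
    ("lanman_refused", re.compile(r"Lanman passwords NOT PERMITTED for user (?P<user>\S+)")),
    ("ntlm_fail", re.compile(
        r"authentication for user \[[^\\\]]+\\(?P<user>[^\]]+)\] FAILED with error (?P<detail>\S+)")),
    ("krb_preauth_fail", re.compile(
        r"Failed to decrypt PA-DATA -- (?P<user>[^@\s]+)@\S+ \(enctype (?P<detail>[^)]+)\)")),
    ("krb_preauth_ok", re.compile(
        r"Pre-authentication succeeded -- (?P<user>[^@\s]+)@\S+ using (?P<detail>\S+)")),
]

def summarize_auth(log_text):
    """Return {user: [(event, detail), ...]} in log order; other lines are skipped."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        for name, rx in PATTERNS:
            m = rx.search(line)
            if m:
                events[m["user"].lower()].append((name, m.groupdict().get("detail")))
                break
    return dict(events)

def protocol_outcome(user_events):
    """Collapse one user's events into a verdict per authentication protocol."""
    names = {name for name, _ in user_events}
    if "krb_preauth_ok" in names:
        kerberos = "ok"
    elif "krb_preauth_fail" in names:
        kerberos = "failed"
    else:
        kerberos = "not seen"
    return {"ntlm": "failed" if "ntlm_fail" in names else "not seen", "kerberos": kerberos}

if __name__ == "__main__":
    for user, evs in summarize_auth(SAMPLE_LOG).items():
        print(user, protocol_outcome(evs), evs)
```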
Hénoch Hervé
2018-May-29 13:12 UTC
[Samba] Can't connect anymore a share in domain A from domain B since
On the server where the shares are (under Samba), the logs give:

    [2018/05/29 12:44:34.191393, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
      string_to_sid: SID <share name> is not in a valid format
    [2018/05/29 12:55:40.749026, 3] ../source3/lib/access.c:338(allow_access)
      Allowed connection from <XXX IP> (<XXX IP>)
    [2018/05/29 12:55:40.749923, 2] ../lib/util/modules.c:196(do_smb_load_module)
      Module 'acl_xattr' loaded
    [2018/05/29 12:55:40.749940, 2] ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
      connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
    [2018/05/29 12:55:40.753925, 3] ../source3/param/loadparm.c:1440(lp_add_home)
      adding home's share [<share name>] for user '<share name>' at '/opt/%S'