Deft Developer
2018-Sep-29 04:38 UTC
[Samba] IOS connections to Samba 4 worked for years, now authentication fails
We have samba 4.8 and 4.9 servers that are Active Directory members. Windows and other samba clients can access the shares, and for years, iOS devices worked fine with Samba 4. But a few months ago, Apple iOS 10 and 11 devices started failing to authenticate. The problem is common to several iOS apps: FileBrowser, SMBManager, and some others all fail. The App vendors are stonewalling us, and giving stupid advice like restarting the devices.

The logs on the Samba servers say FAILED with error NT_STATUS_LOGON_FAILURE, regardless of what type of username+password, with or without the domain name.

The problem is only between iOS and Samba. These same iOS clients can connect to Windows 7 and Windows Server 2008 shares, and Windows and Samba clients can access the shares as expected.

What happened, and is there a way around this issue?
Rowland Penny
2018-Sep-29 08:10 UTC
[Samba] IOS connections to Samba 4 worked for years, now authentication fails
On Fri, 28 Sep 2018 21:38:07 -0700
Deft Developer via samba <samba at lists.samba.org> wrote:

> We have samba 4.8 and 4.9 servers that are Active Directory members.
> Windows and other samba clients can access the shares, and for years,
> iOS devices worked fine with Samba 4. But a few months ago, Apple iOS
> 10 and 11 devices started failing to authenticate. The problem is
> common to several iOS apps, FileBrowser, SMBManager, and some others
> all fail. The App vendors are stonewalling us, and giving stupid
> advice like restarting the devices.
>
> The logs on the Samba servers say FAILED with error
> NT_STATUS_LOGON_FAILURE, regardless of what type of
> username+password, with or without the domain name.
>
> The problem is only between iOS and Samba. These same iOS clients can
> connect to Windows 7 and Windows server 2008 shares, and Windows and
> Samba clients can access the shares as expected.
>
> What happened, and is there a way around this issue?

We are going to need more info here, what is in smb.conf for a start.
When did the problem start? Was it after an update of Samba? If so,
what version did you upgrade from?

Rowland
Harry Jede
2018-Sep-29 16:15 UTC
[Samba] IOS connections to Samba 4 worked for years, now authentication fails
On Friday, 28 September 2018, 21:38:07 CEST, Deft Developer via samba wrote:

> We have samba 4.8 and 4.9 servers that are Active Directory members.
> Windows and other samba clients can access the shares, and for years,
> iOS devices worked fine with Samba 4. But a few months ago, Apple iOS
> 10 and 11 devices started failing to authenticate. The problem is
> common to several iOS apps, FileBrowser, SMBManager, and some others
> all fail. The App vendors are stonewalling us, and giving stupid
> advice like restarting the devices.
>
> The logs on the Samba servers say FAILED with error
> NT_STATUS_LOGON_FAILURE, regardless of what type of
> username+password, with or without the domain name.
>
> The problem is only between iOS and Samba. These same iOS clients can
> connect to Windows 7 and Windows server 2008 shares, and Windows and
> Samba clients can access the shares as expected.

Maybe your samba servers have the smb1 protocol disabled now.

Reenable the smb1 protocol on your samba servers and you will get back
network neighborhood. All your apps which depend on smb version 1 will
work again, at the risk that your network is insecure. If that is the
case you should do something soon.

Today one should use "network discovery" for domain browsing or
something else like avahi or ...

> What happened, and is there a way around this issue?

--
Regards
Harry Jede
Rowland Penny
2018-Sep-30 09:26 UTC
[Samba] IOS connections to Samba 4 worked for years, now authentication fails
On Sat, 29 Sep 2018 16:27:36 -0700
"Deft Developer" <dev at hymes.name> wrote:

> I will do the best I can to provide all the needed info.
> I will focus on 1 server, GABRIEL, and one share "garage".
> It is a samba AD member server on a local subnet.
> Here, samba was compiled from sources, release 4.8.3.
> Samba was built and installed on CentOS 7.5.1804.
> This samba runs with a user directory prefix, because it is not the
> CentOS release. That can't be un-installed because of other
> dependencies. SELinux runs on this system, but there are no denials
> being logged anywhere. Nor are there any filesystem or permissions
> errors being logged. The smb.conf file is at the end of this message.
>
> iOS devices worked well enough on Samba CentOS rpms of 4.3 and 4.4,
> but we had many Active Directory issues on CentOS's 4.5. In
> particular, adcli dumps core, and machine accounts always expire. So
> I updated to 4.8, and eventually got all Windows and Linux platforms
> working together. After that is when I noticed that I could not
> authenticate anymore with Apple iOS devices. Apple devices update
> their Apps and OSs all the time, so it is not certain which Apple
> change, or Samba change, broke authentication.

You have quite a few default settings in your smb.conf and a few things
I don't fully understand why you have them.

Your main 'idmap config' block is this:

   idmap config PANDIMONIUM:backend = ad
   idmap config PANDIMONIUM:schema_mode = template
   idmap config PANDIMONIUM:range = 751001100-751001999
   idmap config PANDIMONIUM:unix_nss_info = no
   idmap config PANDIMONIUM:unix_primary_group = yes

Why are you using 'template' with the 'ad' backend? It doesn't exist.
From 'man idmap_ad':

   schema_mode = <rfc2307 | sfu | sfu20>
       Defines the schema that idmap_ad should use when querying
       Active Directory regarding user and group information. This can
       be either the RFC2307 schema support included in Windows 2003 R2
       or the Service for Unix (SFU) schema.
       For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0 please
       choose "sfu20".
       Please note that the behavior of primary group membership is
       controlled by the unix_primary_group option.

Is there some reason for using such a high range?

'unix_nss_info = no' is the default.

I think your thinking behind the 'template' setting is these two lines:

   logon path = /home/%D/%U/profile
   logon home = /home/%D/%U

Two things are wrong with those two lines: the 'ad' backend will pull
that info from AD (provided it is set), and the format is wrong; it
expects something like '//fileserver/share'.

The last comment about your smb.conf is that you have set 'guest ok' on
the [garage] share, but the guest user will never get anywhere near the
share ;-)

I would change your smb.conf to this:

[global]
   workgroup = PANDIMONIUM
   realm = PANDIMONIUM.ORG
   security = ADS
   server string = Gabriel %v
   netbios name = GABRIEL
   interfaces = lo enp4s0 192.168.0.0/24
   log file = /var/log/samba/log.%m
   max log size = 50
   log level = 2 auth:3

   # Default idmap config for local BUILTIN accounts and groups
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # idmap config for the PANDIMONIUM domain
   idmap config PANDIMONIUM:backend = ad
   idmap config PANDIMONIUM:range = 751001100-751001999
   idmap config PANDIMONIUM:unix_primary_group = yes

   template shell = /bin/bash
   kerberos method = secrets and keytab
   local master = no
   preferred master = no
   unix extensions = no
   allow insecure wide links = yes
   username map = /home/PANDIMONIUM/hsheldon/opt/samba-4/etc/samba/user.map

[garage]
   path = /usr/exports/garage
   invalid users = root
   write list = hsheldon administrator @admins ajahr idunhr bruzicka
   read only = No
   hide dot files = no
   comment = Storage and Workspace
   case sensitive = yes

I would also investigate 'man vfs_catia', 'man vfs_fruit' and
'man vfs_streams_xattr'.

Rowland
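The configuration points raised in this thread (the non-existent 'template' schema_mode for the 'ad' idmap backend, logon path / logon home given as local filesystem paths instead of UNC paths, 'guest ok' on a share of an AD member, and Harry's caveat that re-enabling SMB1 makes the network insecure) can be turned into a mechanical check. The script below is an added example written for this thread; it is not code from the list, from the posters, or from the Samba project. It parses an smb.conf fragment constructed here to mirror the settings under discussion (not a copy of the poster's real file) and reports each of those issues. It goes slightly beyond the thread in also flagging idmap ranges of different domains that overlap, since two domains must never share ID space. The parameter names and the schema_mode values come from the thread and from the smb.conf and idmap_ad man pages; the severity labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the settings discussed in the thread
# (not a copy of the poster's real smb.conf).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = PANDIMONIUM
   realm = PANDIMONIUM.ORG
   security = ADS
   server min protocol = NT1
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config PANDIMONIUM:backend = ad
   idmap config PANDIMONIUM:schema_mode = template
   idmap config PANDIMONIUM:range = 751001100-751001999
   logon path = /home/%D/%U/profile
   logon home = /home/%D/%U

[garage]
   path = /usr/exports/garage
   guest ok = yes
"""

VALID_AD_SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}  # values from man idmap_ad
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}  # SMB1 dialect names

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys lower-cased, whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"\[(.+)\]$", line)
        if head:
            current = head.group(1).strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def idmap_settings(global_section):
    """Group 'idmap config DOMAIN : option' keys as {domain: {option: value}}."""
    per_domain = defaultdict(dict)
    for key, value in global_section.items():
        m = re.match(r"idmap config\s*(\S+?)\s*:\s*(\S+)$", key)
        if m:
            per_domain[m.group(1)][m.group(2)] = value.lower()
    return per_domain

def parse_range(value):
    """'3000-7999' -> (3000, 7999); None if the value is missing or malformed."""
    m = re.match(r"(\d+)\s*-\s*(\d+)$", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def lint_smb_conf(text):
    """Return (severity, message) findings for the problems raised in the thread."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings, ranges = [], {}
    for domain, opts in idmap_settings(g).items():
        backend = opts.get("backend")
        mode = opts.get("schema_mode", "rfc2307")  # idmap_ad's documented default
        if backend == "ad" and mode not in VALID_AD_SCHEMA_MODES:
            findings.append(("error", f"idmap config {domain}: schema_mode '{mode}' is not one of "
                                      f"{sorted(VALID_AD_SCHEMA_MODES)} (see man idmap_ad)"))
        rng = parse_range(opts.get("range"))
        if backend and rng is None:
            findings.append(("error", f"idmap config {domain}: backend '{backend}' has no valid range"))
        elif rng:
            ranges[domain] = rng
    names = sorted(ranges)  # two domains must never share ID space
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(("error", f"idmap ranges for '{a}' and '{b}' overlap"))
    for key in ("logon path", "logon home"):  # these take UNC paths, not local paths
        value = g.get(key)
        if value and not value.startswith(("\\\\", "//")):
            findings.append(("warning", f"{key} = {value}: expected a UNC path like //fileserver/share"))
    if g.get("server min protocol", "").lower() in SMB1_DIALECTS:
        findings.append(("warning", "server min protocol permits SMB1; re-enabling it for old clients "
                                    "leaves the server exposed to the weaker dialect"))
    if g.get("security", "").lower() == "ads":
        for name, opts in conf.items():
            if name != "global" and opts.get("guest ok", "").lower() == "yes":
                findings.append(("info", f"[{name}]: 'guest ok = yes' on an AD member share; "
                                         "domain users never authenticate as guest"))
    return findings

if __name__ == "__main__":
    for severity, message in lint_smb_conf(SAMPLE_SMB_CONF):
        print(f"{severity:8} {message}")
```

Running the script prints one line per finding for the constructed sample; feeding it a configuration shaped like Rowland's corrected one (no schema_mode, no logon lines, no 'guest ok', no SMB1 minimum) yields no findings. It is a static check only: it does not replace testparm, and it cannot tell whether the AD objects actually carry the RFC2307 attributes the 'ad' backend expects.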