On Tue, 2018-10-16 at 15:18 -0700, Emil Henry wrote:> Hi Andrew! > > I included it in one response, but may have not done a Reply All. Am resending it. > > Thanks.It is reading the hashes, so it looks like it is working. Dumb question, but are you really sure the password is right? Otherwise, it might be some very odd NTLMv2 thing. Try (on the client) 'client ntlmv2 auth = no' and 'ntlm auth = yes' (on the server) just to rule that out. Also please try with Samba 4.9, Samba 4.1 is very old and there may be something else we have fixed. Thanks, Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Hi Andrew!
I am not 100% sure that the password is correct. I was told that it was
changed to the one I am testing. But, when I try the old password, I get a
different error message (NT_STATUS_INVALID_SID). I will attached the
output.
I added the 'ntlm auth = yes' to the smb.conf. How would I change the
client?
The version of Samba that we are running is 4.7.1, which is the latest
version that is available in the yum repository.
Thanks.
[root at SMBServer ~]# smbclient //localhost/share -U johndoe -d 10
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
Processing section "[global]"
doing parameter security = user
doing parameter ldap user suffix = ou=people
doing parameter ldap group suffix = ou=groups
doing parameter ldap ssl = off
doing parameter ldap passwd sync = yes
doing parameter ldap delete dn = no
doing parameter workgroup = example.com
doing parameter server string = "Samba Drives"
doing parameter netbios name = SMBServer
doing parameter log file = /var/log/samba/log.%m
doing parameter log level = 5
doing parameter max log size = 50
doing parameter ldap suffix = "o=EXAMPLE"
doing parameter ldap admin dn =
"cn=PUser,ou=Proxies,ou=Auth,o=EXAMPLE"
doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
doing parameter ntlm auth = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface enp7s0f1 ip=192.168.2.122 bcast=192.168.2.255
netmask=255.255.255.0
added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SMBServer"
Client started (version 4.7.1).
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Wed Dec 31
04:00:00 PM 1969 PST] (-1539746033 seconds in the past)
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up localhost#20 (sitename (null))
name localhost#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 127.0.0.1 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061296
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
negotiated dialect[SMB3_11] against server[localhost]
got OID=1.3.6.1.4.1.311.2.2.10
Enter EXAMPLE.COM\johndoe's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_SERVER
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
short string '', sent with NULL termination despite NOTERM flag in IDL
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID
On Tue, Oct 16, 2018 at 5:39 PM Andrew Bartlett <abartlet at samba.org>
wrote:
> On Tue, 2018-10-16 at 15:18 -0700, Emil Henry wrote:
> > Hi Andrew!
> >
> > I included it in one response, but may have not done a Reply All. Am
> resending it.
> >
> > Thanks.
>
> It is reading the hashes, so it looks like it is working. Dumb
> question, but are you really sure the password is right?
>
> Otherwise, it might be some very odd NTLMv2 thing. Try (on the client)
> 'client ntlmv2 auth = no' and 'ntlm auth = yes' (on the
server) just to
> rule that out.
>
> Also please try with Samba 4.9, Samba 4.1 is very old and there may be
> something else we have fixed.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>
On Tue, 2018-10-16 at 20:20 -0700, Emil Henry wrote:> Hi Andrew! > > I am not 100% sure that the password is correct. I was told that it > was changed to the one I am testing. But, when I try the old > password, I get a different error message (NT_STATUS_INVALID_SID). I > will attached the output.Then it is the old password, and you have other issues you need to sort out. Again, the server-side log will show more about what is wrong, but look up the error message, it typically means your primary group ID is mapped incorrectly in idmap.> I added the 'ntlm auth = yes' to the smb.conf. How would I change the client?The client uses the smb.conf on the host it runs on. But the above suggests that the issue was just a wrong password.> The version of Samba that we are running is 4.7.1, which is the latest version that is available in the yum repository.OK, I must have mis-read that. Sorry, Andrew Bartlett> Thanks. > > [root at SMBServer ~]# smbclient //localhost/share -U johndoe -d 10 > INFO: Current debug levels: > all: 10 > tdb: 10 > printdrivers: 10 > lanman: 10 > smb: 10 > rpc_parse: 10 > rpc_srv: 10 > rpc_cli: 10 > passdb: 10 > sam: 10 > auth: 10 > winbind: 10 > vfs: 10 > idmap: 10 > quota: 10 > acls: 10 > locking: 10 > msdfs: 10 > dmapi: 10 > registry: 10 > scavenger: 10 > dns: 10 > ldb: 10 > tevent: 10 > auth_audit: 10 > auth_json_audit: 10 > kerberos: 10 > drs_repl: 10 > lp_load_ex: refreshing parameters > Initialising global parameters > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) > INFO: Current debug levels: > all: 10 > tdb: 10 > printdrivers: 10 > lanman: 10 > smb: 10 > rpc_parse: 10 > rpc_srv: 10 > rpc_cli: 10 > passdb: 10 > sam: 10 > auth: 10 > winbind: 10 > vfs: 10 > idmap: 10 > quota: 10 > acls: 10 > locking: 10 > msdfs: 10 > dmapi: 10 > registry: 10 > scavenger: 10 > dns: 10 > ldb: 10 > tevent: 10 > auth_audit: 10 > auth_json_audit: 10 > kerberos: 10 > drs_repl: 10 > Processing section "[global]" > doing parameter security = user > doing parameter ldap user suffix = ou=people > doing parameter ldap group suffix = ou=groups > doing parameter ldap ssl = off > doing parameter ldap passwd sync = yes > doing parameter ldap delete dn = no > doing parameter workgroup = example.com > doing parameter server string = "Samba Drives" > doing parameter netbios name = SMBServer > doing parameter log file = /var/log/samba/log.%m > doing parameter log level = 5 > doing parameter max log size = 50 > doing parameter ldap suffix = "o=EXAMPLE" > doing parameter ldap admin dn = "cn=PUser,ou=Proxies,ou=Auth,o=EXAMPLE" > doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com > doing parameter ntlm auth = yes > pm_process() returned Yes > lp_servicenumber: couldn't find homes > added interface enp7s0f1 ip=192.168.2.122 bcast=192.168.2.255 netmask=255.255.255.0 > added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0 > Netbios name list:- > my_netbios_names[0]="SMBServer" > Client started (version 4.7.1). > Opening cache file at /var/lib/samba/gencache.tdb > Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb > Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Wed Dec 31 04:00:00 PM 1969 PST] (-1539746033 seconds in the past) > sitename_fetch: No stored sitename for realm '' > internal_resolve_name: looking up localhost#20 (sitename (null)) > name localhost#20 found. > remove_duplicate_addrs2: looking for duplicate address/port pairs > Connecting to 127.0.0.1 at port 445 > Socket options: > SO_KEEPALIVE = 0 > SO_REUSEADDR = 0 > SO_BROADCAST = 0 > TCP_NODELAY = 1 > TCP_KEEPCNT = 9 > TCP_KEEPIDLE = 7200 > TCP_KEEPINTVL = 75 > IPTOS_LOWDELAY = 0 > IPTOS_THROUGHPUT = 0 > SO_REUSEPORT = 0 > SO_SNDBUF = 2626560 > SO_RCVBUF = 1061296 > SO_SNDLOWAT = 1 > SO_RCVLOWAT = 1 > SO_SNDTIMEO = 0 > SO_RCVTIMEO = 0 > TCP_QUICKACK = 1 > TCP_DEFER_ACCEPT = 0 > session request ok > negotiated dialect[SMB3_11] against server[localhost] > got OID=1.3.6.1.4.1.311.2.2.10 > Enter EXAMPLE.COM\johndoe's password: > GENSEC backend 'gssapi_spnego' registered > GENSEC backend 'gssapi_krb5' registered > GENSEC backend 'gssapi_krb5_sasl' registered > GENSEC backend 'spnego' registered > GENSEC backend 'schannel' registered > GENSEC backend 'naclrpc_as_system' registered > GENSEC backend 'sasl-EXTERNAL' registered > GENSEC backend 'ntlmssp' registered > GENSEC backend 'ntlmssp_resume_ccache' registered > GENSEC backend 'http_basic' registered > GENSEC backend 'http_ntlm' registered > Starting GENSEC mechanism spnego > Starting GENSEC submechanism ntlmssp > negotiate: struct NEGOTIATE_MESSAGE > Signature : 'NTLMSSP' > MessageType : NtLmNegotiate (1) > NegotiateFlags : 0x62088215 (1644724757) > 1: NTLMSSP_NEGOTIATE_UNICODE > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 1: NTLMSSP_NEGOTIATE_SIGN > 0: NTLMSSP_NEGOTIATE_SEAL > 0: NTLMSSP_NEGOTIATE_DATAGRAM > 0: NTLMSSP_NEGOTIATE_LM_KEY > 0: NTLMSSP_NEGOTIATE_NETWARE > 1: NTLMSSP_NEGOTIATE_NTLM > 0: NTLMSSP_NEGOTIATE_NT_ONLY > 0: NTLMSSP_ANONYMOUS > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN > 0: NTLMSSP_TARGET_TYPE_DOMAIN > 0: NTLMSSP_TARGET_TYPE_SERVER > 0: NTLMSSP_TARGET_TYPE_SHARE > 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > 0: NTLMSSP_NEGOTIATE_IDENTIFY > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY > 0: NTLMSSP_NEGOTIATE_TARGET_INFO > 1: NTLMSSP_NEGOTIATE_VERSION > 1: NTLMSSP_NEGOTIATE_128 > 1: NTLMSSP_NEGOTIATE_KEY_EXCH > 0: NTLMSSP_NEGOTIATE_56 > DomainNameLen : 0x0000 (0) > DomainNameMaxLen : 0x0000 (0) > DomainName : * > DomainName : '' > WorkstationLen : 0x0000 (0) > WorkstationMaxLen : 0x0000 (0) > Workstation : * > Workstation : '' > Version: struct ntlmssp_VERSION > ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) > ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) > ProductBuild : 0x0000 (0) > Reserved: ARRAY(3) > [0] : 0x00 (0) > [1] : 0x00 (0) > [2] : 0x00 (0) > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) > Got challenge flags: > Got NTLMSSP neg_flags=0x628a8215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_TARGET_TYPE_SERVER > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_TARGET_INFO > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > short string '', sent with NULL termination despite NOTERM flag in IDL > NTLMSSP: Set final flags: > Got NTLMSSP neg_flags=0x62088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > NTLMSSP Sign/Seal - Initialising with flags: > Got NTLMSSP neg_flags=0x62088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > SPNEGO login failed: Indicates the SID structure is not valid. > session setup failed: NT_STATUS_INVALID_SID > > > On Tue, Oct 16, 2018 at 5:39 PM Andrew Bartlett <abartlet at samba.org> wrote: > > On Tue, 2018-10-16 at 15:18 -0700, Emil Henry wrote: > > > Hi Andrew! > > > > > > I included it in one response, but may have not done a Reply All. Am resending it. > > > > > > Thanks. > > > > It is reading the hashes, so it looks like it is working. Dumb > > question, but are you really sure the password is right? > > > > Otherwise, it might be some very odd NTLMv2 thing. Try (on the client) > > 'client ntlmv2 auth = no' and 'ntlm auth = yes' (on the server) just to > > rule that out. > > > > Also please try with Samba 4.9, Samba 4.1 is very old and there may be > > something else we have fixed. > > > > Thanks, > > > > Andrew Bartlett > > > >-- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Am Dienstag, 16. Oktober 2018, 20:20:49 CEST schrieb Emil Henry via samba:> Hi Andrew! > > I am not 100% sure that the password is correct. I was told that it > was changed to the one I am testing.To be unsure is bad in our business. Their maybe three password stored in ldap for a regular user.> But, when I try the old > password, I get a different error message (NT_STATUS_INVALID_SID).I assume that your server was working before you upgrade to 4.7.1 Until now we dont know if the admin password is correct, so we use anonymous bind for ldap. Invalid Sid happens often on upgrading. If for any reason i.e. wrong ldap admin password smbd can not read ldap db. TRY: # ldapsearch -xLLL 'sambadomainname=*' sambaDomainName sambaSID dn: sambaDomainName=SCHULE,dc=afrika,dc=xx sambaDomainName: SCHULE sambaSID: S-1-5-21-1507708399-2130971284-2230424465 These sid is your domain sid. Compare it with the sid samba uses: # net getdomainsid SID for local machine ALIX is: S-1-5-21-1507708399-2130971284-2230424465 SID for domain SCHULE is: S-1-5-21-1507708399-2130971284-2230424465 you may wish to verify your account sids: # ldapsearch -xLLL 'sambasid=S-1-5-21*' sambaSID|less "man net" will give you the command to reset the domain sid to the old one.> I > will attached the output. > > I added the 'ntlm auth = yes' to the smb.conf. How would I change the > client? > > The version of Samba that we are running is 4.7.1, which is the latest > version that is available in the yum repository. > > Thanks.-- Gruss Harry Jede
Seemingly Similar Threads
- Samba v3 works with LDAP, but not Samba v4
- Samba v3 works with LDAP, but not Samba v4
- DRS Replication between two DC's Failing
- cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
- authentication problem after upgrade to Debian Jessie