Jordan Castillo
2019-Jan-22 21:43 UTC
[Samba] smbclient works, mount.cifs fails NT_STATUS_LOGON_FAILURE in Samba 4.8.3
Hello,

I am attempting to debug an issue with my Samba configuration. It has been working fine, but we recently updated Samba from 4.6.x to 4.8.3 and are now seeing some issues authenticating.

Most of our servers are still working fine after the upgrade, but one server is giving us issues. A little more environment info: The server is running Centos 7.1. Windows clients can connect OK. We are using sssd server-side to connect to Active Directory for Windows auth. Linux and OS X clients are encountering issues mounting the smb share directly, although this was working correctly prior to updating sssd and samba.

I am working on a Fedora 28 workstation. When I attempt to connect to the share with smbclient using this command:

`smbclient //server.domain.com/SHARED -U DOMAIN.COM\\jsmith`

I enter my password, it works and appears to auth with kerberos:

```
[2019/01/22 13:23:53.850746, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2019/01/22 13:23:53.850783, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2019/01/22 13:23:53.850808, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2019/01/22 13:23:53.850819, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'spnego' registered
[2019/01/22 13:23:53.850836, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'schannel' registered
[2019/01/22 13:23:53.850846, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2019/01/22 13:23:53.850855, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2019/01/22 13:23:53.850870, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2019/01/22 13:23:53.850919, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2019/01/22 13:23:53.850935, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_basic' registered
[2019/01/22 13:23:53.850953, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2019/01/22 13:23:53.850962, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2019/01/22 13:23:56.488705, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: jsmith [John Smith]
[2019/01/22 13:23:56.488742, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [jsmith at DOMAIN.COM]
```

When I attempt to mount the share with mount using this command:

`sudo mount -v -t cifs -o username=jsmith,domain=domain.com //server.domain.com/SHARED SHARED`

I get hit with 'mount error(13): Permission denied' client-side and see this output in the server's log:

```
[2019/01/22 13:26:49.466127, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2019/01/22 13:26:49.466161, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2019/01/22 13:26:49.466177, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2019/01/22 13:26:49.466249, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'spnego' registered
[2019/01/22 13:26:49.466274, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'schannel' registered
[2019/01/22 13:26:49.466341, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2019/01/22 13:26:49.466353, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2019/01/22 13:26:49.466403, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2019/01/22 13:26:49.466411, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2019/01/22 13:26:49.466420, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_basic' registered
[2019/01/22 13:26:49.466430, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2019/01/22 13:26:49.466439, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2019/01/22 13:26:49.469535, 3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe0080225
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
  NTLMSSP_NEGOTIATE_56
[2019/01/22 13:26:49.469907, 3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[jsmith] domain=[domain.com] workstation=[] len1=0 len2=168
[2019/01/22 13:26:49.470215, 2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[rhome]"
[2019/01/22 13:26:49.470263, 2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[it_home]"
[2019/01/22 13:26:49.470297, 2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[vpnhome]"
[2019/01/22 13:26:49.470357, 2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[shared]"
[2019/01/22 13:26:49.470412, 2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[dev-share]"
[2019/01/22 13:26:49.470457, 2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[scans]"
[2019/01/22 13:26:49.470528, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [domain.com]\[jsmith]@[] with the new password interface
[2019/01/22 13:26:49.470538, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [domain.com]\[jsmith]@[]
[2019/01/22 13:26:49.470582, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [jsmith] -> [jsmith] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2019/01/22 13:26:49.470619, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [domain.com]\[jsmith] at [Tue, 22 Jan 2019 13:26:49.470605 PST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:192.168.10.100:55024] mapped to [domain.com]\[jsmith]. local host [ipv4:192.168.20.200:445]
```

Here is my smb.conf file:

```
[global]
min protocol = SMB2
workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
password server = ad1.domain.com ad2.domain.com
kerberos method = secrets and keytab
template shell = /bin/bash
encrypt passwords = yes

log file = /var/log/samba/log.%U
log level = 2 auth:4

idmap config * : backend = tdb
idmap config * : range = 500-9999999999
idmap config DOMAIN.COM:default = true
idmap config DOMAIN.COM:backend = ad
idmap config DOMAIN.COM:range = 500-9999999999

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
```

In case it helps, sssd.conf:

```
[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam

[domain/domain.com]
debug_level = 0x1310
ad_domain = domain.com
ad_server = ad1.domain.com
dyndns_update = false
krb5_realm = DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
```

Can anyone help me figure out what might be wrong with my config that is causing a different auth flow for smbclient vs. mounting the share directly? It appears that mounting it is skipping krb5 auth and/or causing the username to not be formatted correctly. Would appreciate any insight anyone can offer.
Rowland Penny
2019-Jan-23 08:31 UTC
[Samba] smbclient works, mount.cifs fails NT_STATUS_LOGON_FAILURE in Samba 4.8.3
On Tue, 22 Jan 2019 13:43:33 -0800
Jordan Castillo via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I am attempting to debug an issue with my Samba configuration. It has
> been working fine, but we recently updated Samba from 4.6.x to 4.8.3
> and are now seeing some issues authenticating.
>
> Most of our servers are still working fine after the upgrade, but one
> server is giving us issues. A little more environment info: The
> server is running Centos 7.1. Windows clients can connect OK. We are
> using sssd server-side to connect to Active Directory for Windows
> auth. Linux and OS X clients are encountering issues mounting the smb
> share directly, although this was working correctly prior to updating
> sssd and samba.
>
> I am working on a Fedora 28 workstation. When I attempt to connect to
> the share with smbclient using this command:
>
> `smbclient //server.domain.com/SHARED -U DOMAIN.COM\\jsmith`
>
> I enter my password, it works and appears to auth with kerberos:

No it isn't, that's using NTLM and NTLMv2 became the default at 4.7.0

> ```
> [2019/01/22 13:23:53.850746, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_spnego' registered
> [2019/01/22 13:23:53.850783, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_krb5' registered
> [2019/01/22 13:23:53.850808, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_krb5_sasl' registered
> [2019/01/22 13:23:53.850819, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'spnego' registered
> [2019/01/22 13:23:53.850836, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'schannel' registered
> [2019/01/22 13:23:53.850846, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'naclrpc_as_system' registered
> [2019/01/22 13:23:53.850855, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'sasl-EXTERNAL' registered
> [2019/01/22 13:23:53.850870, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'ntlmssp' registered
> [2019/01/22 13:23:53.850919, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'ntlmssp_resume_ccache' registered
> [2019/01/22 13:23:53.850935, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_basic' registered
> [2019/01/22 13:23:53.850953, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_ntlm' registered
> [2019/01/22 13:23:53.850962, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_negotiate' registered
> [2019/01/22 13:23:56.488705, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
>   Found account name from PAC: jsmith [John Smith]
> [2019/01/22 13:23:56.488742, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>   Kerberos ticket principal name is [jsmith at DOMAIN.COM]
> ```
> When I attempt to mount the share with mount using this command:
>
> `sudo mount -v -t cifs -o username=jsmith,domain=domain.com //server.domain.com/SHARED SHARED`

If you want to use kerberos, you have to tell mount.cifs to use it with 'sec=krb5' or 'sec=krb5i', see 'man mount.cifs' for more info

> I get hit with 'mount error(13): Permission denied' client-side and
> see this output in the server's log:
>
> ```
> [2019/01/22 13:26:49.466127, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_spnego' registered
> [2019/01/22 13:26:49.466161, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_krb5' registered
> [2019/01/22 13:26:49.466177, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_krb5_sasl' registered
> [2019/01/22 13:26:49.466249, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'spnego' registered
> [2019/01/22 13:26:49.466274, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'schannel' registered
> [2019/01/22 13:26:49.466341, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'naclrpc_as_system' registered
> [2019/01/22 13:26:49.466353, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'sasl-EXTERNAL' registered
> [2019/01/22 13:26:49.466403, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'ntlmssp' registered
> [2019/01/22 13:26:49.466411, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'ntlmssp_resume_ccache' registered
> [2019/01/22 13:26:49.466420, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_basic' registered
> [2019/01/22 13:26:49.466430, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_ntlm' registered
> [2019/01/22 13:26:49.466439, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_negotiate' registered
> [2019/01/22 13:26:49.469535, 3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0xe0080225
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SEAL
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
>   NTLMSSP_NEGOTIATE_56
> [2019/01/22 13:26:49.469907, 3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
>   Got user=[jsmith] domain=[domain.com] workstation=[] len1=0 len2=168
> [2019/01/22 13:26:49.470215, 2] ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[rhome]"
> [2019/01/22 13:26:49.470263, 2] ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[it_home]"
> [2019/01/22 13:26:49.470297, 2] ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[vpnhome]"
> [2019/01/22 13:26:49.470357, 2] ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[shared]"
> [2019/01/22 13:26:49.470412, 2] ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[dev-share]"
> [2019/01/22 13:26:49.470457, 2] ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[scans]"
> [2019/01/22 13:26:49.470528, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user [domain.com]\[jsmith]@[] with the new password interface
> [2019/01/22 13:26:49.470538, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>   check_ntlm_password: mapped user is: [domain.com]\[jsmith]@[]
> [2019/01/22 13:26:49.470582, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [jsmith] -> [jsmith] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
> [2019/01/22 13:26:49.470619, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [SMB2,(null)] user [domain.com]\[jsmith] at [Tue, 22 Jan 2019 13:26:49.470605 PST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:192.168.10.100:55024] mapped to [domain.com]\[jsmith]. local host [ipv4:192.168.20.200:445]
> ```
> Here is my smb.conf file:
>
> ```
> [global]
> min protocol = SMB2
> workgroup = DOMAIN
> realm = DOMAIN.COM
> security = ads
> password server = ad1.domain.com ad2.domain.com

Don't set 'password server', let Samba find the password server.

> kerberos method = secrets and keytab
> template shell = /bin/bash
> encrypt passwords = yes
>
> log file = /var/log/samba/log.%U
> log level = 2 auth:4
>
> idmap config * : backend = tdb
> idmap config * : range = 500-9999999999
> idmap config DOMAIN.COM:default = true
> idmap config DOMAIN.COM:backend = ad
> idmap config DOMAIN.COM:range = 500-9999999999

There are 4 things wrong with the above block:

1) '500' is a bad number to start from.
2) The ranges are not supposed to overlap, you don't get much more of an overlap than when the ranges match.
3) You have used 'DOMAIN.COM' which is your realm, it should be 'DOMAIN' which is the workgroup.
4) You are using sssd (which is not supported by Samba) so you shouldn't have it anyway.

> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> ```
>
> In case it helps, sssd.conf:

No it doesn't, Samba doesn't support sssd.

Rowland
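Rowland's three smb.conf points (a low range start, overlapping ranges, and the realm 'DOMAIN.COM' used where the workgroup 'DOMAIN' belongs) as a small idmap checker. This is an added example, not code from the thread or from Samba; the corrected sample ranges and the 1000 floor are assumptions, not values anyone in the thread gave.

```python
import re

LINE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed samples: the poster's idmap block beside an assumed corrected one
# (non-overlapping ranges, keyed by the workgroup instead of the realm).
BAD_CONF = """workgroup = DOMAIN
realm = DOMAIN.COM
idmap config * : range = 500-9999999999
idmap config DOMAIN.COM:default = true
idmap config DOMAIN.COM:range = 500-9999999999
"""
GOOD_CONF = """workgroup = DOMAIN
realm = DOMAIN.COM
idmap config * : range = 3000-7999
idmap config DOMAIN : range = 10000-999999
"""

def parse_idmap(conf):
    """Return ({domain: {key: value}}, workgroup, realm) from smb.conf text."""
    domains, params = {}, {}
    for line in conf.splitlines():
        m = LINE_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
        elif "=" in line and not line.lstrip().startswith(("#", ";", "[")):
            k, v = line.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return domains, params.get("workgroup"), params.get("realm")

def check_idmap(conf):
    """Return human-readable findings; an empty list means the block looks sane."""
    domains, workgroup, realm = parse_idmap(conf)
    findings, ranges = [], {}
    for dom, keys in domains.items():
        if dom != "*" and ("." in dom or dom.upper() == (realm or "").upper()):
            findings.append(f"{dom}: idmap domain is the realm, use the workgroup ({workgroup})")
        if r := RANGE_RE.match(keys.get("range", "")):
            lo, hi = int(r.group(1)), int(r.group(2))
            if lo < 1000:  # assumption: ids below 1000 collide with local system accounts
                findings.append(f"{dom}: range starts at {lo}, which is too low")
            ranges[dom] = (lo, hi)
    items = sorted(ranges.items())
    for i, (a, (alo, ahi)) in enumerate(items):
        for b, (blo, bhi) in items[i + 1:]:
            if alo <= bhi and blo <= ahi:  # the two intervals intersect
                findings.append(f"{a} and {b}: ranges {alo}-{ahi} and {blo}-{bhi} overlap")
    return findings
```

Run `check_idmap` over the `[global]` text of a real smb.conf; the poster's block produces four findings, the corrected block none.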