Jordan Castillo
2019-Jan-22 21:43 UTC
[Samba] smbclient works, mount.cifs fails NT_STATUS_LOGON_FAILURE in Samba 4.8.3
Hello,
I am attempting to debug an issue with my Samba configuration. It has been
working fine, but we recently updated Samba from 4.6.x to 4.8.3 and are now
seeing some issues authenticating.
Most of our servers are still working fine after the upgrade, but one
server is giving us issues. A little more environment info: The server is
running Centos 7.1. Windows clients can connect OK. We are using sssd
server-side to connect to Active Directory for Windows auth. Linux and OS X
clients are encountering issues mounting the smb share directly, although
this was working correctly prior to updating sssd and samba.
I am working on a Fedora 28 workstation. When I attempt to connect to the
share with smbclient using this command:
`smbclient //server.domain.com/SHARED -U DOMAIN.COM\\jsmith`
I enter my password, it works and appears to auth with kerberos:
```
[2019/01/22 13:23:53.850746, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2019/01/22 13:23:53.850783, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2019/01/22 13:23:53.850808, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2019/01/22 13:23:53.850819, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'spnego' registered
[2019/01/22 13:23:53.850836, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'schannel' registered
[2019/01/22 13:23:53.850846, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'naclrpc_as_system' registered
[2019/01/22 13:23:53.850855, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2019/01/22 13:23:53.850870, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp' registered
[2019/01/22 13:23:53.850919, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2019/01/22 13:23:53.850935, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_basic' registered
[2019/01/22 13:23:53.850953, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_ntlm' registered
[2019/01/22 13:23:53.850962, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_negotiate' registered
[2019/01/22 13:23:56.488705, 3]
../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
Found account name from PAC: jsmith [John Smith]
[2019/01/22 13:23:56.488742, 3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [jsmith at DOMAIN.COM]
```
When I attempt to mount the share with mount using this command:
`sudo mount -v -t cifs -o username=jsmith,domain=domain.com //server.domain.com/SHARED SHARED`
I get hit with 'mount error(13): Permission denied' client-side and see
this output in the server's log:
```
[2019/01/22 13:26:49.466127, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2019/01/22 13:26:49.466161, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2019/01/22 13:26:49.466177, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2019/01/22 13:26:49.466249, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'spnego' registered
[2019/01/22 13:26:49.466274, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'schannel' registered
[2019/01/22 13:26:49.466341, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'naclrpc_as_system' registered
[2019/01/22 13:26:49.466353, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2019/01/22 13:26:49.466403, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp' registered
[2019/01/22 13:26:49.466411, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2019/01/22 13:26:49.466420, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_basic' registered
[2019/01/22 13:26:49.466430, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_ntlm' registered
[2019/01/22 13:26:49.466439, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_negotiate' registered
[2019/01/22 13:26:49.469535, 3]
../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xe0080225
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP_NEGOTIATE_56
[2019/01/22 13:26:49.469907, 3]
../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
Got user=[jsmith] domain=[domain.com] workstation=[] len1=0 len2=168
[2019/01/22 13:26:49.470215, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[rhome]"
[2019/01/22 13:26:49.470263, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[it_home]"
[2019/01/22 13:26:49.470297, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[vpnhome]"
[2019/01/22 13:26:49.470357, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[shared]"
[2019/01/22 13:26:49.470412, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[dev-share]"
[2019/01/22 13:26:49.470457, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[scans]"
[2019/01/22 13:26:49.470528, 3]
../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[domain.com]\[jsmith]@[]
with the new password interface
[2019/01/22 13:26:49.470538, 3]
../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [domain.com]\[jsmith]@[]
[2019/01/22 13:26:49.470582, 2]
../source3/auth/auth.c:332(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [jsmith] -> [jsmith] FAILED
with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2019/01/22 13:26:49.470619, 2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [domain.com]\[jsmith] at [Tue, 22 Jan 2019
13:26:49.470605 PST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE]
workstation [] remote host [ipv4:192.168.10.100:55024] mapped to
[domain.com]\[jsmith].
local host [ipv4:192.168.20.200:445]
```
Here is my smb.conf file:
```
[global]
min protocol = SMB2
workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
password server = ad1.domain.com ad2.domain.com
kerberos method = secrets and keytab
template shell = /bin/bash
encrypt passwords = yes
log file = /var/log/samba/log.%U
log level = 2 auth:4
idmap config * : backend = tdb
idmap config * : range = 500-9999999999
idmap config DOMAIN.COM:default = true
idmap config DOMAIN.COM:backend = ad
idmap config DOMAIN.COM:range = 500-9999999999
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
```
In case it helps, sssd.conf:
```
[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam
[domain/domain.com]
debug_level = 0x1310
ad_domain = domain.com
ad_server = ad1.domain.com
dyndns_update = false
krb5_realm = DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
```
Can anyone help me figure out what might be wrong with my config that is
causing a different auth flow for smbclient vs. mounting the share
directly? It appears that mounting it is skipping krb5 auth and/or causing
the username to not be formatted correctly. Would appreciate any insight
anyone can offer.
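The server-side `Auth:` line in the log above is what a defender would watch: it names the mechanism (`[NTLMv2]` here), the result and the remote host. As an added example (not code from the post or from Samba), here is a small parser for that human-readable line, run over the post's failed logon re-joined onto one line plus a constructed Kerberos success line for contrast; the `[Kerberos]` mechanism string and every other field of that second line are assumed, not taken from the post.

```python
"""Parse Samba's human-readable 'Auth:' lines (written at auth:2 and above)
and flag NTLM logons.  Added example, not Samba code."""
import re
from collections import Counter

AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<auth_type>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] "
    r"with \[(?P<mech>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)

# Sample input: the failed mount.cifs logon from the original post, re-joined
# onto one line, plus a constructed Kerberos success (the '[Kerberos]'
# mechanism string is an assumption, not something shown in the post).
SAMPLE_LINES = [
    r"Auth: [SMB2,(null)] user [domain.com]\[jsmith] at [Tue, 22 Jan 2019 "
    r"13:26:49.470605 PST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] "
    r"workstation [] remote host [ipv4:192.168.10.100:55024] mapped to "
    r"[domain.com]\[jsmith]. local host [ipv4:192.168.20.200:445]",
    r"Auth: [SMB2,(null)] user [DOMAIN]\[jsmith] at [Tue, 22 Jan 2019 "
    r"13:23:56.488800 PST] with [Kerberos] status [NT_STATUS_OK] "
    r"workstation [] remote host [ipv4:192.168.10.100:55010] mapped to "
    r"[DOMAIN]\[jsmith]. local host [ipv4:192.168.20.200:445]",
]


def parse_auth_line(line):
    """Return the fields of one Auth: line as a dict, or None if it is not one."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None


def findings(event):
    """What an admin expecting Kerberos-only logons would want flagged."""
    out = []
    if event["mech"].upper().startswith("NTLM"):
        out.append("ntlm")  # client negotiated NTLMSSP instead of Kerberos
        if not event["workstation"]:
            # mount.cifs and other non-Windows clients send no NetBIOS name
            out.append("ntlm-no-workstation")
    if event["status"] != "NT_STATUS_OK":
        out.append("failed")
    return out


def summarize(lines):
    """Count events by (mechanism, status) and list the flagged ones."""
    counts = Counter()
    flagged = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        counts[(ev["mech"], ev["status"])] += 1
        f = findings(ev)
        if f:
            flagged.append((ev["domain"], ev["user"], ev["remote"], f))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LINES)
    for key, n in counts.items():
        print(key, n)
    for row in flagged:
        print(row)
```

Feeding the real `log.%U` files through `summarize()` (after re-joining wrapped lines) shows at a glance which hosts are still arriving over NTLMSSP after a client-side change such as the one discussed in this thread.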
Rowland Penny
2019-Jan-23 08:31 UTC
[Samba] smbclient works, mount.cifs fails NT_STATUS_LOGON_FAILURE in Samba 4.8.3
On Tue, 22 Jan 2019 13:43:33 -0800 Jordan Castillo via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I am attempting to debug an issue with my Samba configuration. It has
> been working fine, but we recently updated Samba from 4.6.x to 4.8.3
> and are now seeing some issues authenticating.
>
> Most of our servers are still working fine after the upgrade, but one
> server is giving us issues. A little more environment info: The
> server is running Centos 7.1. Windows clients can connect OK. We are
> using sssd server-side to connect to Active Directory for Windows
> auth. Linux and OS X clients are encountering issues mounting the smb
> share directly, although this was working correctly prior to updating
> sssd and samba.
>
> I am working on a Fedora 28 workstation. When I attempt to connect to
> the share with smbclient using this command:
>
> `smbclient //server.domain.com/SHARED -U DOMAIN.COM\\jsmith`
>
> I enter my password, it works and appears to auth with kerberos:

No it isn't, that's using NTLM and NTLMv2 became the default at 4.7.0

> [snip]
>
> When I attempt to mount the share with mount using this command:
>
> `sudo mount -v -t cifs -o username=jsmith,domain=domain.com //server.domain.com/SHARED SHARED`

If you want to use kerberos, you have to tell mount.cifs to use it with
'sec=krb5' or 'sec=krb5i', see 'man mount.cifs' for more info

> I get hit with 'mount error(13): Permission denied' client-side and
> see this output in the server's log:
>
> [snip]
>
> Here is my smb.conf file:
>
> [global]
> min protocol = SMB2
> workgroup = DOMAIN
> realm = DOMAIN.COM
> security = ads
> password server = ad1.domain.com ad2.domain.com

Don't set 'password server', let Samba find the password server.

> kerberos method = secrets and keytab
> template shell = /bin/bash
> encrypt passwords = yes
>
> log file = /var/log/samba/log.%U
> log level = 2 auth:4
>
> idmap config * : backend = tdb
> idmap config * : range = 500-9999999999
> idmap config DOMAIN.COM:default = true
> idmap config DOMAIN.COM:backend = ad
> idmap config DOMAIN.COM:range = 500-9999999999

There are 4 things wrong with the above block:

1) '500' is a bad number to start from.
2) The ranges are not supposed to overlap, you don't get much more of an
overlap than when the ranges match.
3) You have used 'DOMAIN.COM' which is your realm, it should be 'DOMAIN'
which is the workgroup.
4) You are using sssd (which is not supported by Samba) so you shouldn't
have it anyway.

> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> In case it helps, sssd.conf:

No it doesn't, Samba doesn't support sssd.

Rowland
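As an added example (not code from the thread or from Samba) of the points Rowland raises, here is a lint that checks the posted `[global]` section beside a corrected one, plus a builder for the mount.cifs invocation that authenticates with Kerberos. Assumptions: the corrected block keeps a domain idmap entry, i.e. it assumes winbind replaces sssd as Rowland implies, and takes its ranges (3000-7999 for the default `*` domain, 10000-999999 for the domain) from the Samba wiki's domain-member example; the "below 1000" threshold is the useradd default for local system accounts on RHEL/Fedora; `sec=krb5` and `cruid=` are documented mount.cifs options; the share, mount point and UID in the usage line are placeholders.

```python
"""Lint the idmap/auth settings of a Samba member-server smb.conf and build
a Kerberos mount.cifs command.  Added example, not Samba code."""
import re

# Constructed copy of the [global] section from the original post.
BAD_CONF = """
[global]
min protocol = SMB2
workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
password server = ad1.domain.com ad2.domain.com
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 500-9999999999
idmap config DOMAIN.COM:default = true
idmap config DOMAIN.COM:backend = ad
idmap config DOMAIN.COM:range = 500-9999999999
"""

# Corrected version.  Assumption: winbind replaces sssd, so the domain idmap
# block stays; the ranges follow the Samba wiki domain-member example.
GOOD_CONF = """
[global]
min protocol = SMB2
workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)$", re.I)
SYSTEM_UID_MAX = 999  # useradd default: UIDs below 1000 are local system accounts


def parse_global(conf):
    """Return ({param: value}, {idmap domain: {option: value}}) for [global]."""
    params, idmap = {}, {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = IDMAP_RE.match(key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = value
        else:
            params[" ".join(key.lower().split())] = value
    return params, idmap


def parse_range(text):
    lo, hi = (int(x) for x in text.split("-", 1))
    return lo, hi


def lint_smb_conf(conf):
    """Return a list of findings; an empty list means the checks passed."""
    params, idmap = parse_global(conf)
    findings = []
    if "password server" in params:
        findings.append("password server is set; let Samba locate a DC itself")
    workgroup = params.get("workgroup", "").upper()
    ranges = {}
    for dom, opts in idmap.items():
        if dom != "*" and dom.upper() != workgroup:
            hint = " (looks like the realm)" if "." in dom else ""
            findings.append(f"idmap domain '{dom}' is not the workgroup '{workgroup}'{hint}")
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= SYSTEM_UID_MAX:
                findings.append(f"idmap range for '{dom}' starts at {lo}, inside the system-account range")
            ranges[dom] = (lo, hi)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings


def mount_cifs_argv(share, mountpoint, user, uid):
    """mount.cifs command that uses the ticket in the given user's credential
    cache (cruid=) instead of negotiating NTLMSSP with a password."""
    opts = f"sec=krb5,cruid={uid},user={user}"
    return ["mount", "-t", "cifs", "-o", opts, share, mountpoint]


if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, lint_smb_conf(conf) or "ok")
    print(" ".join(mount_cifs_argv("//server.domain.com/SHARED", "/mnt/SHARED", "jsmith", 10001)))
```

Before mounting, the user runs `kinit jsmith@DOMAIN.COM`; with `cruid=` set to that user's UID, the kernel's cifs.upcall helper (which has to be wired up through request-key on the client) reads the ticket from that user's credential cache rather than root's, so the server logs a Kerberos logon instead of the `[NTLMv2]` failure quoted above. `sec=krb5i` is the same exchange with packet signing added.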