On 21/04/19 17:12, Rowland Penny wrote:
> On Sun, 21 Apr 2019 08:59:01 +0930
> Stephen Davies via samba <samba at lists.samba.org> wrote:
>
>> I have been a bit divorced from Samba for a while and am stumped by a
>> recently seen issue.
>>
>> My Samba server (V4.8.3) is Centos 7 and the remote clients are
>> windoze boxes at the other end of a VPN (OpenVPN). At some point in
>> "recent" history, access to shares on the Centos server started to
>> fail with password failures. The reason seems to be associated with
>> user mapping. (See log fragment below).
>>
>> I have added entries to smbusers trying to map the remote user to
>> local user simon without success.
>>
>> There is no windoze domain server involved.
>>
>> The clients can FTP to the server and retrieve emails via IMAP.
>>
>> What am I missing?
>>
>>
>> [2019/04/18 16:10:52.327632, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>>   check_ntlm_password: Checking password for unmapped user
>>   [SIMON-DELLPC]\[simon]@[SIMON-DELLPC] with the new password interface
>> [2019/04/18 16:10:52.327658, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>>   check_ntlm_password: mapped user is: [SIMON-DELLPC]\[simon]@[SIMON-DELLPC]
>> [2019/04/18 16:10:52.327686, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
>
> By default NTLMv1 is now turned off, could this be your problem? Try
> (as a test) adding 'ntlm auth = yes' to your smb.conf and
> reload/restart Samba.
>
> If this doesn't work, can you please post your smb.conf and tell us
> what the Windows machines are.
>
> Rowland
>
>
There is no ntlm auth entry in smb.conf (included below) but I don't think
the NTLM setting is the cause as I can use smbclient to successfully log in as
user simon and get the following log fragment:

[2019/04/23 14:33:59.978465, 3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[simon] domain=[BENPARTS] workstation=[SERVER] len1=24 len2=224
[2019/04/23 14:33:59.978554, 3] ../source3/param/loadparm.c:3868(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/04/23 14:33:59.978656, 3] ../source3/param/loadparm.c:547(init_globals)
.
.
.
  adding IPC service
[2019/04/23 14:33:59.987819, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user
  [BENPARTS]\[simon]@[SERVER] with the new password interface
[2019/04/23 14:33:59.987843, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [BENPARTS]\[simon]@[SERVER]

No smbuser entry is required for this combination so it looks as if the remote
Windows workgroup/domain is not being handled.

The remote client involved is running W10 Professional 64-bit.

The full smb.conf is:

#======================= Global Settings ====================================
[global]
workgroup = BENPARTS
netbios name = server
# server string is the equivalent of the NT Description field
server string = Samba Server %v
printcap name = cups
load printers = yes
printing = cups
log file = /var/log/samba/log.%m
max log size = 50
log level = 4
guest account = benparts
# Allow users to map to guest:
map to guest = baduser
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
passdb backend = tdbsam
# Use password server option only with security = server or security = domain
username level = 8
encrypt passwords = yes
preferred master = yes
name resolve order = host lmhosts wins bcast
wins support = yes
preserve case = yes
dos charset = 850
unix charset = ISO8859-1
domain master = yes
domain logons = yes
os level = 128
add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M '%u'
#============================ Share Definitions =============================
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# to allow user 'guest account' to print.
guest ok = yes
writable = no
printable = yes
create mode = 0700
# ====================================
# print command: see above for details.
# ====================================
print command = lpr-cups -P %p -o raw %s -r # using client side printer drivers.
[print$]
path = /var/lib/samba/printers
browseable = yes
read only = yes
write list = @adm root
guest ok = yes
[pdf-generator]
path = /var/tmp
guest ok = No
printable = Yes
comment = PDF Generator (only valid users)
#print command = /usr/share/samba/scripts/print-pdf file path win_path recipient IP doc_name &
print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I &
[pdf-screen]
copy = pdf-generator
comment = PDF Generator - Screen quality (only valid users)
print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &
[pdf-printer]
copy = pdf-generator
comment = PDF Generator - Print quality (only valid users)
print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &
[pdf-prepress]
copy = pdf-generator
comment = PDF Generator - PrePress quality (only valid users)
print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &
# This one is useful for people to share files
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
[var]
comment = General shared storage
path = /var
read only = no
public = yes
Thank you,
Stephen
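
An added example, not part of the original thread and not Samba code: a parser for the check_ntlm_password log entries quoted above, which tolerates the line wrapping seen in the mail and lists the attempts whose client-supplied domain differs from the server's workgroup so the two cases can be compared side by side. The function names and the sample text are assumptions made for this illustration; the sample is constructed from the fragments in the thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the two fragments in the thread; the second
# pair keeps the mail-wrapped header (timestamp and source location split).
SAMPLE_LOG = r"""
[2019/04/18 16:10:52.327632, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user
  [SIMON-DELLPC]\[simon]@[SIMON-DELLPC] with the new password interface
[2019/04/18 16:10:52.327658, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [SIMON-DELLPC]\[simon]@[SIMON-DELLPC]
[2019/04/23 14:33:59.987819, 3]
../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user
  [BENPARTS]\[simon]@[SERVER] with the new password interface
[2019/04/23 14:33:59.987843, 3]
../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [BENPARTS]\[simon]@[SERVER]
"""

# A log entry starts at its timestamp, wherever wrapping has put it.
ENTRY_START = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),")
NTLM = re.compile(
    r"check_ntlm_password:\s+(Checking password for unmapped user|mapped user is:)"
    r"\s+\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")

def parse_ntlm_attempts(log_text):
    """Return one dict per check_ntlm_password entry found in log_text."""
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    attempts = []
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        entry = " ".join(log_text[begin:end].split())  # undo line wrapping
        m = NTLM.search(entry)
        if m:
            stage = "unmapped" if m.group(1).startswith("Checking") else "mapped"
            attempts.append({"time": ENTRY_START.match(entry).group(1),
                             "stage": stage, "domain": m.group(2),
                             "user": m.group(3), "workstation": m.group(4)})
    return attempts

def domains_outside_workgroup(attempts, workgroup):
    """Count unmapped-stage attempts whose supplied domain is not the workgroup."""
    return Counter((a["domain"], a["user"]) for a in attempts
                   if a["stage"] == "unmapped"
                   and a["domain"].upper() != workgroup.upper())

if __name__ == "__main__":
    found = parse_ntlm_attempts(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["stage"], a["domain"], a["user"], a["workstation"])
    print(domains_outside_workgroup(found, "BENPARTS"))
```
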