samba - Apr 2020 - Samba update cause windows incorrect password

On 22-04-2020 17:29, Rowland penny via samba wrote:
> On 22/04/2020 16:06, Enrico Morelli via samba wrote:
>> Dear,
>> 
>> on my debian system I upgraded samba from 4.5.16 to 4.9.5. My samba
>> server is configured as domain controller.
>> 
>> Now happens a strange thing. From a windows 10 client I'm able to 
>> login
>> with a domain user without problem. But if I logout and try to enter
>> the password for the same user, Windows tells me that the password is
>> incorrect.
>> 
>> To be able to loing, I've to select Other User, enter username and
>> password and all works fine. But if I logout and enter the same
>> password, Windows tells me "Incorrect password".
>> 
>> In the samba log file I've only:
>> 
>>   ./source3/auth/auth_winbind.c:129(check_winbind_security)
>>    check_winbind_security: pdb_enum_trusted_domains() failed -
>> NT_STATUS_NOT_IMPLEMENTED
>> 
>> No other error messages:
>> 
>> Follow some configuration from smb.conf:
>> 
> Please do not do that, it doesn't help, please post the entire smb.conf
> 
> Rowland
Ok.


[global]
	workgroup = DOMAIN
	server string = Samba Server Version %v

	netbios name = pdc
	hosts allow = 127. 192.168.100.
	name resolve order = lmhosts
	security = user
	passdb backend = tdbsam

	ntlm auth = yes
	lanman auth = no
	client ntlmv2 auth = yes
	client use spnego = no
	domain master = yes
	local master = yes
	domain logons = yes

         server max protocol = NT1
	#server max protocol = SMB3
	#server min protocol = SMB3

	browse list = yes

	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
	logon script = logon.bat
	logon path = \\%L\Profiles\%U
	# disables profiles support by specifing an empty path
	logon drive = Z:
	;logon path ;	logon home 
	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d
/n
ohome -s /bin/false "%u"
	delete user script = /usr/sbin/userdel "%u"
	delete user from group script = /usr/sbin/userdel "%u" "%g"
	delete group script = /usr/sbin/groupdel "%g"
	wins support = yes
;	wins server = w.x.y.z
	wins proxy = yes

	dns proxy = yes
[homes]
	comment = Home Directories
	browseable = no
	writable = yes
	hide dot files = yes
	nt acl support = no
	create mask = 0600
	directory mask = 0700
	;valid users = %S
;	valid users = MYDOMAIN\%S
[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon
	browseable = no
	read only = yes
	guest ok = no
	writable = no

[Profiles.V6]
	path = /win_shares/profiles/%u.V6
	read only = no
	create mask = 0600
	directory mask = 0700
	browseable = no
	guest ok = no
	printable = no

-- 
-----------------------------------------------------------
   Enrico Morelli
   System Administrator | Programmer | Web Developer

   CERM - Polo Scientifico
   via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

On 22/04/2020 19:25, Enrico Morelli via samba wrote:
>> On 22/04/2020 16:06, Enrico Morelli via samba wrote:
>>> Dear,
>>>
>>> on my debian system I upgraded samba from 4.5.16 to 4.9.5. My samba
>>> server is configured as domain controller.
>>>
>>> Now happens a strange thing. From a windows 10 client I'm able
to login
>>> with a domain user without problem. But if I logout and try to
enter
>>> the password for the same user, Windows tells me that the password
is
>>> incorrect.
>>>
>>> To be able to loing, I've to select Other User, enter username
and
>>> password and all works fine. But if I logout and enter the same
>>> password, Windows tells me "Incorrect password".
>>>
Apart from multiple default lines, there doesn't seem to anything really 
wrong with your smb.conf, so it looks like this could be yet another 
reason to not use Windows 10 with an NT4-style PDC.

You could try raising the log level, add 'log level = 10' to the 
smb.conf and restart Samba, but beware, this will lead to a lot of output.

Rowland

On Wed, 2020-04-22 at 20:01 +0100, Rowland penny via samba
wrote:
> On 22/04/2020 19:25, Enrico Morelli via samba wrote:
> > > On 22/04/2020 16:06, Enrico Morelli via samba wrote:
> > > > Dear,
> > > > 
> > > > on my debian system I upgraded samba from 4.5.16 to 4.9.5.
My
> > > > samba
> > > > server is configured as domain controller.
> > > > 
> > > > Now happens a strange thing. From a windows 10 client
I'm able
> > > > to login
> > > > with a domain user without problem. But if I logout and try
to
> > > > enter
> > > > the password for the same user, Windows tells me that the
> > > > password is
> > > > incorrect.
> > > > 
> > > > To be able to loing, I've to select Other User, enter
username
> > > > and
> > > > password and all works fine. But if I logout and enter the
same
> > > > password, Windows tells me "Incorrect password".
> > > > 
> 
> Apart from multiple default lines, there doesn't seem to anything
> really 
> wrong with your smb.conf, so it looks like this could be yet another 
> reason to not use Windows 10 with an NT4-style PDC.
> 
> You could try raising the log level, add 'log level = 10' to the 
> smb.conf and restart Samba, but beware, this will lead to a lot of
> output.
Thanks Rowland.  This is the right approach.  Once we get that, we
should be (even log level 5 would show it) able to work out what
username form was being sent in both cases, and see if we can map
between them.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba