On 24/04/2020 11:38, Enrico Morelli via samba wrote:
> On Thu, 23 Apr 2020 08:08:39 +1200
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
>> On Wed, 2020-04-22 at 20:01 +0100, Rowland penny via samba wrote:
>>> On 22/04/2020 19:25, Enrico Morelli via samba wrote:
>>>>> On 22/04/2020 16:06, Enrico Morelli via samba wrote:
>>>>>> Dear,
>>>>>>
>>>>>> on my debian system I upgraded samba from 4.5.16 to 4.9.5. My samba
>>>>>> server is configured as domain controller.
>>>>>>
>>>>>> Now happens a strange thing. From a windows 10 client I'm able to
>>>>>> login with a domain user without problem. But if I logout and try
>>>>>> to enter the password for the same user, Windows tells me that the
>>>>>> password is incorrect.
>>>>>>
>>>>>> To be able to login, I've to select Other User, enter username and
>>>>>> password and all works fine. But if I logout and enter the same
>>>>>> password, Windows tells me "Incorrect password".
>>>>>>
>>> Apart from multiple default lines, there doesn't seem to be anything
>>> really wrong with your smb.conf, so it looks like this could be yet
>>> another reason to not use Windows 10 with an NT4-style PDC.
>>>
>>> You could try raising the log level, add 'log level = 10' to the
>>> smb.conf and restart Samba, but beware, this will lead to a lot of
>>> output.
>> Thanks Rowland. This is the right approach. Once we get that, we
>> should be (even log level 5 would show it) able to work out what
>> username form was being sent in both cases, and see if we can map
>> between them.
>>
>> Andrew Bartlett
>>
> I'd set the loglevel to 5 and happens a strange thing:
>
> SAM Logon (Interactive). Domain:[CERMDOMAIN]. User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]
> [2020/04/24 12:04:50.144675, 5] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1628(_netr_LogonSamLogon_base)
>   Attempting validation level 3 for unmapped username visitor2.
> [2020/04/24 12:04:50.144698, 5] ../source3/auth/auth.c:412(load_auth_module)
>   load_auth_module: Attempting to find an auth method to match sam_netlogon3
> [2020/04/24 12:04:50.144715, 5] ../source3/auth/auth.c:437(load_auth_module)
>   load_auth_module: auth method sam_netlogon3 has a valid init
> [2020/04/24 12:04:50.144729, 5] ../source3/auth/auth.c:412(load_auth_module)
>   load_auth_module: Attempting to find an auth method to match winbind
> [2020/04/24 12:04:50.144743, 5] ../source3/auth/auth.c:437(load_auth_module)
>   load_auth_module: auth method winbind has a valid init
> [2020/04/24 12:04:50.144894, 5] ../source3/auth/auth_util.c:122(make_user_info_map)
>   Mapping user [DOMAIN]\[visitor2] from workstation [STUDENTI2]
> [2020/04/24 12:04:50.144910, 5] ../source3/auth/user_info.c:64(make_user_info)
>   attempting to make a user_info for visitor2 (visitor2)
> [2020/04/24 12:04:50.144962, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user [DOMAIN]\[visitor2]@[STUDENTI2] with the new password interface
> [2020/04/24 12:04:50.144978, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>   check_ntlm_password: mapped user is: [DOMAIN]\[visitor2]@[STUDENTI2]
> [2020/04/24 12:04:50.145020, 5] ../source3/auth/auth_sam.c:162(auth_sam_netlogon3_auth)
>   auth_sam_netlogon3_auth: DOMAIN is not our domain name (DC for CERMDOMAIN)
> 2020/04/24 12:04:50.145228, 5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
>   auth_check_ntlm_password: winbind authentication for user [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
> [2020/04/24 12:04:50.145246, 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [visitor2] -> [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
> [2020/04/24 12:04:50.145276, 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
>   Auth: [SamLogon,(null)] user [DOMAIN]\[visitor2] at [Fri, 24 Apr 2020 12:04:50.145263 CEST] with [Supplied-NT-Hash] status [NT_STATUS_NO_SUCH_USER] workstation [STUDENTI2] remote host [ipv4:192.168.100.12:51475] mapped to [DOMAIN]\[visitor2]. local host [ipv4:192.168.100.27:445]
>
>
> Seems like the studenti2 PC is in a wrong domain, but I checked that and
> it is on the correct CERMDOMAIN domain.
> In the past we had an old samba server that served as DC for DOMAIN
> domain. But now, all the machines are configured to use the new domain
> and before the update all worked fine.
>
> I'm very confused because this is the behavior of all the windows 10
> machines in the domain.
>
> I also tried to remove the studenti2 machine from the domain and
> put it again without any result.
>

Problem is that you posted this in your smb.conf:

    workgroup = DOMAIN

Is the 'DOMAIN' actually 'CERMDOMAIN' ? or is it something else ?

Rowland
Enrico Morelli
2020-Apr-24  11:32 UTC
[Samba] Samba update cause windows incorrect password
On Fri, 24 Apr 2020 11:59:23 +0100
Rowland penny via samba <samba at lists.samba.org> wrote:

> On 24/04/2020 11:38, Enrico Morelli via samba wrote:
> > On Thu, 23 Apr 2020 08:08:39 +1200
> > Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> >
> >> On Wed, 2020-04-22 at 20:01 +0100, Rowland penny via samba wrote:
> >>> On 22/04/2020 19:25, Enrico Morelli via samba wrote:
> >>>>> On 22/04/2020 16:06, Enrico Morelli via samba wrote:
> >>>>>> Dear,
> >>>>>>
> >>>>>> on my debian system I upgraded samba from 4.5.16 to 4.9.5. My samba
> >>>>>> server is configured as domain controller.
> >>>>>>
> >>>>>> Now happens a strange thing. From a windows 10 client I'm able to
> >>>>>> login with a domain user without problem. But if I logout and try
> >>>>>> to enter the password for the same user, Windows tells me that the
> >>>>>> password is incorrect.
> >>>>>>
> >>>>>> To be able to login, I've to select Other User, enter username and
> >>>>>> password and all works fine. But if I logout and enter the same
> >>>>>> password, Windows tells me "Incorrect password".
> >>>>>>
> >>> Apart from multiple default lines, there doesn't seem to be anything
> >>> really wrong with your smb.conf, so it looks like this could be yet
> >>> another reason to not use Windows 10 with an NT4-style PDC.
> >>>
> >>> You could try raising the log level, add 'log level = 10' to the
> >>> smb.conf and restart Samba, but beware, this will lead to a lot of
> >>> output.
> >> Thanks Rowland. This is the right approach. Once we get that, we
> >> should be (even log level 5 would show it) able to work out what
> >> username form was being sent in both cases, and see if we can map
> >> between them.
> >>
> >> Andrew Bartlett
> >>
> > I'd set the loglevel to 5 and happens a strange thing:
> >
> > SAM Logon (Interactive). Domain:[CERMDOMAIN]. User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]
> > [2020/04/24 12:04:50.144675, 5] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1628(_netr_LogonSamLogon_base)
> >   Attempting validation level 3 for unmapped username visitor2.
> > [2020/04/24 12:04:50.144698, 5] ../source3/auth/auth.c:412(load_auth_module)
> >   load_auth_module: Attempting to find an auth method to match sam_netlogon3
> > [2020/04/24 12:04:50.144715, 5] ../source3/auth/auth.c:437(load_auth_module)
> >   load_auth_module: auth method sam_netlogon3 has a valid init
> > [2020/04/24 12:04:50.144729, 5] ../source3/auth/auth.c:412(load_auth_module)
> >   load_auth_module: Attempting to find an auth method to match winbind
> > [2020/04/24 12:04:50.144743, 5] ../source3/auth/auth.c:437(load_auth_module)
> >   load_auth_module: auth method winbind has a valid init
> > [2020/04/24 12:04:50.144894, 5] ../source3/auth/auth_util.c:122(make_user_info_map)
> >   Mapping user [DOMAIN]\[visitor2] from workstation [STUDENTI2]
> > [2020/04/24 12:04:50.144910, 5] ../source3/auth/user_info.c:64(make_user_info)
> >   attempting to make a user_info for visitor2 (visitor2)
> > [2020/04/24 12:04:50.144962, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
> >   check_ntlm_password: Checking password for unmapped user [DOMAIN]\[visitor2]@[STUDENTI2] with the new password interface
> > [2020/04/24 12:04:50.144978, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
> >   check_ntlm_password: mapped user is: [DOMAIN]\[visitor2]@[STUDENTI2]
> > [2020/04/24 12:04:50.145020, 5] ../source3/auth/auth_sam.c:162(auth_sam_netlogon3_auth)
> >   auth_sam_netlogon3_auth: DOMAIN is not our domain name (DC for CERMDOMAIN)
> > 2020/04/24 12:04:50.145228, 5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
> >   auth_check_ntlm_password: winbind authentication for user [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
> > [2020/04/24 12:04:50.145246, 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
> >   check_ntlm_password: Authentication for user [visitor2] -> [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
> > [2020/04/24 12:04:50.145276, 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
> >   Auth: [SamLogon,(null)] user [DOMAIN]\[visitor2] at [Fri, 24 Apr 2020 12:04:50.145263 CEST] with [Supplied-NT-Hash] status [NT_STATUS_NO_SUCH_USER] workstation [STUDENTI2] remote host [ipv4:192.168.100.12:51475] mapped to [DOMAIN]\[visitor2]. local host [ipv4:192.168.100.27:445]
> >
> >
> > Seems like the studenti2 PC is in a wrong domain, but I checked
> > that and it is on the correct CERMDOMAIN domain.
> > In the past we had an old samba server that served as DC for DOMAIN
> > domain. But now, all the machines are configured to use the new
> > domain and before the update all worked fine.
> >
> > I'm very confused because this is the behavior of all the windows 10
> > machines in the domain.
> >
> > I also tried to remove the studenti2 machine from the domain and
> > put it again without any result.
> >
> Problem is that you posted this in your smb.conf:
>
>     workgroup = DOMAIN
>
> Is the 'DOMAIN' actually 'CERMDOMAIN' ? or is it something else ?
>
> Rowland

The actual domain is CERMDOMAIN. Sorry.

--
-----------------------------------------------------------
Enrico Morelli
System Administrator | Programmer | Web Developer

CERM - Polo Scientifico
via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------
On 24/04/2020 12:32, Enrico Morelli via samba wrote:
> On Fri, 24 Apr 2020 11:59:23 +0100
> Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> On 24/04/2020 11:38, Enrico Morelli via samba wrote:
>>> On Thu, 23 Apr 2020 08:08:39 +1200
>>> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>>>
>>>> On Wed, 2020-04-22 at 20:01 +0100, Rowland penny via samba wrote:
>>>>> On 22/04/2020 19:25, Enrico Morelli via samba wrote:
>>>>>>> On 22/04/2020 16:06, Enrico Morelli via samba wrote:
>>>>>>>> Dear,
>>>>>>>>
>>>>>>>> on my debian system I upgraded samba from 4.5.16 to 4.9.5. My samba
>>>>>>>> server is configured as domain controller.
>>>>>>>>
>>>>>>>> Now happens a strange thing. From a windows 10 client I'm able to
>>>>>>>> login with a domain user without problem. But if I logout and try
>>>>>>>> to enter the password for the same user, Windows tells me that the
>>>>>>>> password is incorrect.
>>>>>>>>
>>>>>>>> To be able to login, I've to select Other User, enter username and
>>>>>>>> password and all works fine. But if I logout and enter the same
>>>>>>>> password, Windows tells me "Incorrect password".
>>>>>>>>
>>>>> Apart from multiple default lines, there doesn't seem to be anything
>>>>> really wrong with your smb.conf, so it looks like this could be yet
>>>>> another reason to not use Windows 10 with an NT4-style PDC.
>>>>>
>>>>> You could try raising the log level, add 'log level = 10' to the
>>>>> smb.conf and restart Samba, but beware, this will lead to a lot of
>>>>> output.
>>>> Thanks Rowland. This is the right approach. Once we get that, we
>>>> should be (even log level 5 would show it) able to work out what
>>>> username form was being sent in both cases, and see if we can map
>>>> between them.
>>>>
>>>> Andrew Bartlett
>>>>
>>> I'd set the loglevel to 5 and happens a strange thing:
>>>
>>> SAM Logon (Interactive). Domain:[CERMDOMAIN]. User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]
>>> [2020/04/24 12:04:50.144675, 5] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1628(_netr_LogonSamLogon_base)
>>>   Attempting validation level 3 for unmapped username visitor2.
>>> [2020/04/24 12:04:50.144698, 5] ../source3/auth/auth.c:412(load_auth_module)
>>>   load_auth_module: Attempting to find an auth method to match sam_netlogon3
>>> [2020/04/24 12:04:50.144715, 5] ../source3/auth/auth.c:437(load_auth_module)
>>>   load_auth_module: auth method sam_netlogon3 has a valid init
>>> [2020/04/24 12:04:50.144729, 5] ../source3/auth/auth.c:412(load_auth_module)
>>>   load_auth_module: Attempting to find an auth method to match winbind
>>> [2020/04/24 12:04:50.144743, 5] ../source3/auth/auth.c:437(load_auth_module)
>>>   load_auth_module: auth method winbind has a valid init
>>> [2020/04/24 12:04:50.144894, 5] ../source3/auth/auth_util.c:122(make_user_info_map)
>>>   Mapping user [DOMAIN]\[visitor2] from workstation [STUDENTI2]
>>> [2020/04/24 12:04:50.144910, 5] ../source3/auth/user_info.c:64(make_user_info)
>>>   attempting to make a user_info for visitor2 (visitor2)
>>> [2020/04/24 12:04:50.144962, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>>>   check_ntlm_password: Checking password for unmapped user [DOMAIN]\[visitor2]@[STUDENTI2] with the new password interface
>>> [2020/04/24 12:04:50.144978, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>>>   check_ntlm_password: mapped user is: [DOMAIN]\[visitor2]@[STUDENTI2]
>>> [2020/04/24 12:04:50.145020, 5] ../source3/auth/auth_sam.c:162(auth_sam_netlogon3_auth)
>>>   auth_sam_netlogon3_auth: DOMAIN is not our domain name (DC for CERMDOMAIN)
>>> 2020/04/24 12:04:50.145228, 5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
>>>   auth_check_ntlm_password: winbind authentication for user [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
>>> [2020/04/24 12:04:50.145246, 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
>>>   check_ntlm_password: Authentication for user [visitor2] -> [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
>>> [2020/04/24 12:04:50.145276, 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
>>>   Auth: [SamLogon,(null)] user [DOMAIN]\[visitor2] at [Fri, 24 Apr 2020 12:04:50.145263 CEST] with [Supplied-NT-Hash] status [NT_STATUS_NO_SUCH_USER] workstation [STUDENTI2] remote host [ipv4:192.168.100.12:51475] mapped to [DOMAIN]\[visitor2]. local host [ipv4:192.168.100.27:445]
>>>
>>>
>>> Seems like the studenti2 PC is in a wrong domain, but I checked
>>> that and it is on the correct CERMDOMAIN domain.
>>> In the past we had an old samba server that served as DC for DOMAIN
>>> domain. But now, all the machines are configured to use the new
>>> domain and before the update all worked fine.
>>>
>>> I'm very confused because this is the behavior of all the windows 10
>>> machines in the domain.
>>>
>>> I also tried to remove the studenti2 machine from the domain and
>>> put it again without any result.
>>>
>> Problem is that you posted this in your smb.conf:
>>
>>     workgroup = DOMAIN
>>
>> Is the 'DOMAIN' actually 'CERMDOMAIN' ? or is it something else ?
>>
>> Rowland
> The actual domain is CERMDOMAIN. Sorry.

OK, at the top of your log fragment is this:

SAM Logon (Interactive). Domain:[CERMDOMAIN]. User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]

So, your actual Domain is 'CERMDOMAIN', but the Win 10 machine seems to be sending 'DOMAIN', which isn't 'CERMDOMAIN', is this correct ?

If it is, then the problem seems to be a Windows one, it doesn't look like it is sending the correct data.

Do you recognise what 'DOMAIN' is ? Is it the dns domain ? or the name of the computer ?

Rowland
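
An added example, not part of the thread and not Samba project code: a Python check that reads log level 5 output, including the wrapped, `>`-quoted form it takes when pasted into a mail, and lists failed logons whose client-supplied domain differs from the DC's own domain. The function names are hypothetical, and the last sample event (visitor3 on STUDENTI3) is constructed.

```python
import re

# Matches the human-readable "Auth:" summary line written from auth_log.c.
AUTH = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),[^\]]*\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r".*? status \[(?P<status>[^\]]+)\] workstation \[(?P<workstation>[^\]]*)\]"
)
# Matches the auth_sam_netlogon3_auth hint that names the DC's own domain.
NOT_OURS = re.compile(r"(?P<sent>\S+) is not our domain name \(DC for (?P<ours>[^)\s]+)\)")

# First two entries: as quoted in the thread, still wrapped and '>'-quoted.
# Last entry: constructed for contrast (right domain, different failure).
SAMPLE = r"""
> 5] ../source3/auth/auth_sam.c:162(auth_sam_netlogon3_auth)
> auth_sam_netlogon3_auth: DOMAIN is not our domain name (DC for
> CERMDOMAIN)
> 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
> Auth: [SamLogon,(null)] user [DOMAIN]\[visitor2] at [Fri, 24 Apr
> 2020 12:04:50.145263 CEST] with [Supplied-NT-Hash] status
> [NT_STATUS_NO_SUCH_USER] workstation [STUDENTI2] remote host
> [ipv4:192.168.100.12:51475] mapped to [DOMAIN]\[visitor2]. local
> host [ipv4:192.168.100.27:445]
Auth: [SamLogon,(null)] user [CERMDOMAIN]\[visitor3] at [Fri, 24 Apr 2020 12:10:02.000000 CEST] with [Supplied-NT-Hash] status [NT_STATUS_WRONG_PASSWORD] workstation [STUDENTI3] remote host [ipv4:192.168.100.13:51480] mapped to [CERMDOMAIN]\[visitor3]. local host [ipv4:192.168.100.27:445]
"""

def unwrap(text):
    """Drop mail quote markers and re-join wrapped lines into one string."""
    lines = (re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    return " ".join(" ".join(lines).split())

def domain_mismatches(text, our_domain=None):
    """Return (dc_domain, failed logons whose supplied domain is not the DC's)."""
    flat = unwrap(text)
    if our_domain is None:
        hint = NOT_OURS.search(flat)
        if hint is None:
            raise ValueError("no domain hint in log; pass our_domain explicitly")
        our_domain = hint["ours"]
    hits = [
        (m["workstation"], m["user"], m["domain"], m["status"])
        for m in AUTH.finditer(flat)
        if m["status"] != "NT_STATUS_OK" and m["domain"].upper() != our_domain.upper()
    ]
    return our_domain, hits

if __name__ == "__main__":
    dc, hits = domain_mismatches(SAMPLE)
    for ws, user, sent, status in hits:
        print(f"{ws}: {user} sent domain {sent!r}, DC is {dc!r} ({status})")
```

Grouping the hits by workstation shows whether the stale domain name comes from every client or only from some of them.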