On 24/04/2020 12:32, Enrico Morelli via samba wrote:
> On Fri, 24 Apr 2020 11:59:23 +0100
> Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> On 24/04/2020 11:38, Enrico Morelli via samba wrote:
>>> On Thu, 23 Apr 2020 08:08:39 +1200
>>> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>>>
>>>> On Wed, 2020-04-22 at 20:01 +0100, Rowland penny via samba wrote:
>>>>> On 22/04/2020 19:25, Enrico Morelli via samba wrote:
>>>>>>> On 22/04/2020 16:06, Enrico Morelli via samba wrote:
>>>>>>>> Dear,
>>>>>>>>
>>>>>>>> on my debian system I upgraded samba from 4.5.16 to 4.9.5. My samba
>>>>>>>> server is configured as domain controller.
>>>>>>>>
>>>>>>>> Now happens a strange thing. From a windows 10 client I'm able to login
>>>>>>>> with a domain user without problem. But if I logout and try to enter
>>>>>>>> the password for the same user, Windows tells me that the password is
>>>>>>>> incorrect.
>>>>>>>>
>>>>>>>> To be able to login, I've to select Other User, enter username and
>>>>>>>> password and all works fine. But if I logout and enter the
>>>>>>>> same password, Windows tells me "Incorrect password".
>>>>>>>>
>>>>> Apart from multiple default lines, there doesn't seem to be anything really
>>>>> wrong with your smb.conf, so it looks like this could be yet
>>>>> another reason to not use Windows 10 with an NT4-style PDC.
>>>>>
>>>>> You could try raising the log level, add 'log level = 10' to the
>>>>> smb.conf and restart Samba, but beware, this will lead to a lot of
>>>>> output.
>>>> Thanks Rowland. This is the right approach. Once we get that, we
>>>> should be (even log level 5 would show it) able to work out what
>>>> username form was being sent in both cases, and see if we can map
>>>> between them.
>>>>
>>>> Andrew Bartlett
>>>>
>>> I'd set the loglevel to 5 and happens a strange thing:
>>>
>>> SAM Logon (Interactive). Domain:[CERMDOMAIN]. User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]
>>> [2020/04/24 12:04:50.144675, 5] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1628(_netr_LogonSamLogon_base)
>>> Attempting validation level 3 for unmapped username visitor2.
>>> [2020/04/24 12:04:50.144698, 5] ../source3/auth/auth.c:412(load_auth_module)
>>> load_auth_module: Attempting to find an auth method to match sam_netlogon3
>>> [2020/04/24 12:04:50.144715, 5] ../source3/auth/auth.c:437(load_auth_module)
>>> load_auth_module: auth method sam_netlogon3 has a valid init
>>> [2020/04/24 12:04:50.144729, 5] ../source3/auth/auth.c:412(load_auth_module)
>>> load_auth_module: Attempting to find an auth method to match winbind
>>> [2020/04/24 12:04:50.144743, 5] ../source3/auth/auth.c:437(load_auth_module)
>>> load_auth_module: auth method winbind has a valid init
>>> [2020/04/24 12:04:50.144894, 5] ../source3/auth/auth_util.c:122(make_user_info_map)
>>> Mapping user [DOMAIN]\[visitor2] from workstation [STUDENTI2]
>>> [2020/04/24 12:04:50.144910, 5] ../source3/auth/user_info.c:64(make_user_info)
>>> attempting to make a user_info for visitor2 (visitor2)
>>> [2020/04/24 12:04:50.144962, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>>> check_ntlm_password: Checking password for unmapped user [DOMAIN]\[visitor2]@[STUDENTI2] with the new password interface
>>> [2020/04/24 12:04:50.144978, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>>> check_ntlm_password: mapped user is: [DOMAIN]\[visitor2]@[STUDENTI2]
>>> [2020/04/24 12:04:50.145020, 5] ../source3/auth/auth_sam.c:162(auth_sam_netlogon3_auth)
>>> auth_sam_netlogon3_auth: DOMAIN is not our domain name (DC for CERMDOMAIN)
>>> [2020/04/24 12:04:50.145228, 5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
>>> auth_check_ntlm_password: winbind authentication for user [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
>>> [2020/04/24 12:04:50.145246, 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
>>> check_ntlm_password: Authentication for user [visitor2] -> [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
>>> [2020/04/24 12:04:50.145276, 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
>>> Auth: [SamLogon,(null)] user [DOMAIN]\[visitor2] at [Fri, 24 Apr 2020 12:04:50.145263 CEST] with [Supplied-NT-Hash] status [NT_STATUS_NO_SUCH_USER] workstation [STUDENTI2] remote host [ipv4:192.168.100.12:51475] mapped to [DOMAIN]\[visitor2]. local host [ipv4:192.168.100.27:445]
>>>
>>> Seems like the studenti2 PC is in a wrong domain, but I checked
>>> that and it is on the correct CERMDOMAIN domain.
>>> In the past we had an old samba server that served as DC for DOMAIN
>>> domain. But now, all the machines are configured to use the new
>>> domain and before the update all worked fine.
>>>
>>> I'm very confused because this is the behavior of all the windows 10
>>> machines in the domain.
>>>
>>> I also tried to remove the studenti2 machine from the domain and
>>> put it again without any result.
>>>
>> Problem is that you posted this in your smb.conf:
>>
>>     workgroup = DOMAIN
>>
>> Is the 'DOMAIN' actually 'CERMDOMAIN' ? or is it something else ?
>>
>> Rowland
> The actual domain is CERMDOMAIN. Sorry.

OK, at the top of your log fragment is this:

SAM Logon (Interactive). Domain:[CERMDOMAIN]. User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]

So, your actual Domain is 'CERMDOMAIN', but the Win 10 machine seems to be sending 'DOMAIN', which isn't 'CERMDOMAIN', is this correct ?

If it is, then the problem seems to be a Windows one, it doesn't look like it is sending the correct data. Do you recognise what 'DOMAIN' is ? Is it the dns domain ? or the name of the computer ?

Rowland
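The comparison made by eye in the message above, the DC's own domain against the domain the client requested in the `SAM Logon` line, can be run over a whole log and tied to the outcome of each logon. This is an added example, not part of the thread or of Samba; the sample log is constructed from the lines quoted above plus one invented matching logon, and `find_domain_mismatches` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the log level 5 excerpt quoted in the thread.
# The SAM Logon header lines (":0" is a placeholder) and the whole visitor3
# logon are invented here for contrast.
SAMPLE_LOG = r"""
[2020/04/24 12:04:50.144600,  3] ../source3/rpc_server/netlogon/srv_netlog_nt.c:0(_netr_LogonSamLogon_base)
  SAM Logon (Interactive). Domain:[CERMDOMAIN].  User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]
[2020/04/24 12:04:50.145020,  5] ../source3/auth/auth_sam.c:162(auth_sam_netlogon3_auth)
  auth_sam_netlogon3_auth: DOMAIN is not our domain name (DC for CERMDOMAIN)
[2020/04/24 12:04:50.145276,  2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
  Auth: [SamLogon,(null)] user [DOMAIN]\[visitor2] at [Fri, 24 Apr 2020 12:04:50.145263 CEST] with [Supplied-NT-Hash] status [NT_STATUS_NO_SUCH_USER] workstation [STUDENTI2] remote host [ipv4:192.168.100.12:51475]
[2020/04/24 12:09:11.000000,  3] ../source3/rpc_server/netlogon/srv_netlog_nt.c:0(_netr_LogonSamLogon_base)
  SAM Logon (Interactive). Domain:[CERMDOMAIN].  User:[visitor3 at STUDENTI3] Requested Domain:[CERMDOMAIN]
[2020/04/24 12:09:11.000500,  2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
  Auth: [SamLogon,(null)] user [CERMDOMAIN]\[visitor3] at [Fri, 24 Apr 2020 12:09:11.000400 CEST] with [Supplied-NT-Hash] status [NT_STATUS_OK] workstation [STUDENTI3] remote host [ipv4:192.168.100.13:50000]
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+\d+\]")
# Accepts "user@WS" as well as the "user at WS" form shown in the list archive.
SAM_LOGON = re.compile(
    r"SAM Logon \(\w+\)\. Domain:\[([^\]]*)\]\.\s+"
    r"User:\[([^\]@ ]+)(?:@| at )([^\]]+)\] Requested Domain:\[([^\]]*)\]")
AUTH = re.compile(
    r"Auth: \[SamLogon,[^\]]*\] user \[[^\]]*\]\\\[([^\]]*)\].*?"
    r"status \[(\w+)\] workstation \[([^\]]*)\]")


def find_domain_mismatches(log_text):
    """Return one dict per SamLogon whose requested domain is not the DC's."""
    pending, findings, stamp = {}, [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:                      # remember the time of this record
            stamp = header.group(1)
            continue
        logon = SAM_LOGON.search(line)
        if logon:
            dc_domain, user, workstation, requested = logon.groups()
            if requested.upper() != dc_domain.upper():
                entry = {"time": stamp, "user": user,
                         "workstation": workstation, "dc_domain": dc_domain,
                         "requested_domain": requested, "status": None}
                pending[(user.lower(), workstation.upper())] = entry
                findings.append(entry)
            continue
        auth = AUTH.search(line)
        if auth:                        # attach the outcome of that logon
            user, status, workstation = auth.groups()
            entry = pending.pop((user.lower(), workstation.upper()), None)
            if entry is not None:
                entry["status"] = status
    return findings


if __name__ == "__main__":
    for f in find_domain_mismatches(SAMPLE_LOG):
        print("{time} {workstation}: {user} requested {requested_domain!r}, "
              "DC serves {dc_domain!r}, result {status}".format(**f))
```
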
Enrico Morelli
2020-Apr-24 13:02 UTC
[Samba] Samba update cause windows incorrect password
On Fri, 24 Apr 2020 13:15:57 +0100
Rowland penny via samba <samba at lists.samba.org> wrote:

> OK, at the top of your log fragment is this:
>
> SAM Logon (Interactive). Domain:[CERMDOMAIN]. User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]
>
> So, your actual Domain is 'CERMDOMAIN', but the Win 10 machine seems
> to be sending 'DOMAIN', which isn't 'CERMDOMAIN', is this correct ?
>
> If it is, then the problem seems to be a Windows one, it doesn't look
> like it is sending the correct data. Do you recognise what 'DOMAIN'
> is ? Is it the dns domain ? or the name of the computer ?
>
> Rowland

Really I don't know. It isn't a dns domain nor the computer name (it's studenti2). DOMAIN is the domain I used before CERMDOMAIN, but I hadn't problem before the update. Really I don't understand, because as I wrote, if I login the user after a reboot I'm able to enter, but if I logout the user and try to re-enter I receive Incorrect password. So I've to enter as Other user and with the same username and password I'm able to enter. I'm going crazy.

--
-----------------------------------------------------------
Enrico Morelli
System Administrator | Programmer | Web Developer
CERM - Polo Scientifico
via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------
On 24/04/2020 14:02, Enrico Morelli wrote:
> Really I don't know. It isn't a dns domain nor the computer name (it's
> studenti2). DOMAIN is the domain I used before CERMDOMAIN, but I hadn't
> problem before the update. Really I don't understand, because as I
> wrote, if I login the user after a reboot I'm able to enter, but if I
> logout the user and try to re-enter I receive Incorrect password. So
> I've to enter as Other user and with the same username and password
> I'm able to enter. I'm going crazy.

How are you logging in to Windows 10 ? Is it 'CERMDOMAIN\username' or 'username' ?

Rowland