samba - Jun 2020 - Wrong password, Win10 not using SMB3_11?

I have Samba AD-domain with two fileservers and two Samba DS-servers. Most 
people can authenticate OK, but one user always gets "wrong password".

I tried changing this user's password, and was able to connect by using 
smbclient, and I was also able to map this drive using the user's username 
and password on my own windows 10 workstation.

Also;

# wbinfo -a username
Enter username's password:
plaintext password authentication succeeded
Enter username's password:
challenge/response password authentication succeeded

But the user's Windows 10 workstation always fails with wrong password.

When trying to compare the wealth of data in the logs, the succeeding 
mapping goes along the lines of

[2020/06/16 14:00:37.688035,  3, pid=193148, effective(0, 0), real(0, 0), 
class=smb2] ../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_proces
s_negprot)
   Selected protocol SMB3_11

Followed by Kerberos this and that and a success.

When connecting from the failing workstation (I now suspect it's the 
workstation) which BTW is on OpenVPN, the logs look like this;

[2020/06/16 13:48:57.546741,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [PC NETWORK PROGRAM 1.0]
[2020/06/16 13:48:57.546788,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [LANMAN1.0]
[2020/06/16 13:48:57.546809,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [Windows for Workgroups 3.1a]
[2020/06/16 13:48:57.546827,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [LM1.2X002]
[2020/06/16 13:48:57.546851,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [LANMAN2.1]
[2020/06/16 13:48:57.546881,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [NT LM 0.12]
[2020/06/16 13:48:57.546905,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [SMB 2.002]
[2020/06/16 13:48:57.546927,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [SMB 2.???]
[2020/06/16 13:48:57.546949, 10, pid=192951, effective(0, 0), real(0, 0)] 
../source3/lib/util.c:1208(set_remote_arch)
   set_remote_arch: Client arch is 'UNKNOWN'
[2020/06/16 13:48:57.547000,  6, pid=192951, effective(0, 0), real(0, 0)] 
../source3/param/loadparm.c:2336(lp_file_list_changed)

[2020/06/16 13:48:57.547406,  3, pid=192951, effective(0, 0), real(0, 0), 
class=smb2] ../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_ne
gprot)
   Selected protocol SMB2_FF

[2020/06/16 13:49:02.120489, 10, pid=192951, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth_winbind.c:51(check_winbind_security)
   Check auth for: [username]
[2020/06/16 13:49:02.120503,  4, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2020/06/16 13:49:02.120525,  4, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/uid.c:581(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2020/06/16 13:49:02.120587,  4, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2020/06/16 13:49:02.120602,  5, pid=192951, effective(0, 0), real(0, 0)] 
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2020/06/16 13:49:02.120629,  5, pid=192951, effective(0, 0), real(0, 0)] 
../source3/auth/token_util.c:866(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2020/06/16 13:49:02.124191,  4, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/06/16 13:49:02.124217, 10, pid=192951, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth_winbind.c:106(check_winbind_security)
   check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2020/06/16 13:49:02.124248,  5, pid=192951, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password)
   auth_check_ntlm_password: winbind authentication for user [username] 
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/06/16 13:49:02.124279,  2, pid=192951, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth.c:334(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [username] -> [username] 
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/06/16 13:49:02.124311,  2, pid=192951, effective(0, 0), real(0, 0)] 
../auth/auth_log.c:610(log_authentication_event_human_readable)
   Auth: [SMB2,(null)] user [SAD]\[username] at [Tue, 16 Jun 2020 
13:49:02.124298 EEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] 
workstation [HP840-017] remote host [ipv6:xxx:xxx:xxx:36::100b:58502] 
mapped to [SAD]\[username]. local host [ipv6:xxx:xxx:xxx:xxx::3:445]


What could cause the workstation to not try to authenticate using Kerberos? 
Am I right in my assumption on where it goes wrong?

Thanks


-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020

On 16/06/2020 12:41, Harald Hannelius via samba wrote:
> I have Samba AD-domain with two fileservers and two Samba DS-servers. 
> Most people can authenticate OK, but one user always gets "wrong 
> password".
What versions of Samba ?
> Auth: [SMB2,(null)] user [SAD]\[username] at [Tue, 16 Jun 2020 
> 13:49:02.124298 EEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] 
> workstation [HP840-017] remote host [ipv6:xxx:xxx:xxx:36::100b:58502] 
> mapped to [SAD]\[username]. local host [ipv6:xxx:xxx:xxx:xxx::3:445]
>
Is SMBv1 turned on, on the Win10 client ?

Rowland

On Tue, 16 Jun 2020, Rowland penny via samba wrote:
> On 16/06/2020 12:41, Harald Hannelius via samba wrote:
>> I have Samba AD-domain with two fileservers and two Samba DS-servers.
Most
>> people can authenticate OK, but one user always gets "wrong
password".
> What versions of Samba ?
All servers are 4.9.5-Debian.
>> Auth: [SMB2,(null)] user [SAD]\[username] at [Tue, 16 Jun 2020 
>> 13:49:02.124298 EEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] 
>> workstation [HP840-017] remote host [ipv6:xxx:xxx:xxx:36::100b:58502] 
>> mapped to [SAD]\[username]. local host [ipv6:xxx:xxx:xxx:xxx::3:445]
>> 
> Is SMBv1 turned on, on the Win10 client ?
I checked the "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and 
LmComptabilityLevel on both computers, they where both 0.

I missed a few protocols in the failed log

   Selected protocol SMB 2.???

   Selected protocol SMB3_11

But it ends with

[2020/06/16 13:49:02.124311, 2, pid=192951, effective(0, 0), real(0, 0)] 
../auth/auth_log.c:610(log_authentication_event_human_readable)
   Auth: [SMB2,(null)] user [SAD]\[username] at [Tue, 16 Jun 2020 
13:49:02.124298 EEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] 
workstation [HP840-017] remote host [ipv6:xxx:xxx:xxx:36::100b:58502] mapped 
to [SAD]\[username]. local host [ipv6:xxx:xxx:xxx:33::3:445]
   {"timestamp": "2020-06-16T13:49:02.124402+0300",
"type": "Authentication",
"Authentication": {"version": {"major": 1,
"minor": 0}, "status":
"NT_STATUS_WRONG_PASSWORD", "localAddress":
"ipv6:xxx:xxx:xxx:33::3:445",
"remoteAddress": "ipv6:xxx:xxx:xxx:36::100b:58502",
"serviceDescription":
"SMB2", "authDescription": null, "clientDomain":
"SAD", "clientAccount":
"username", "workstation": "HP840-017",
"becameAccount": null,
"becameDomain": null, "becameSid": null,
"mappedAccount": "username",
"mappedDomain": "SAD", "netlogonComputer": null,
"netlogonTrustAccount":
null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType":
0, "netlogonTrustAccountSid": null, "passwordType":
"NTLMv1", "duration":
13033}}
[2020/06/16 13:49:02.124447,  5, pid=192951, effective(0, 0), real(0, 0)] 
../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
   Checking NTLMSSP password for SAD\username failed: 
NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/06/16 13:49:02.124467,  5, pid=192951, effective(0, 0), real(0, 0), 
class=auth] ../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
   ntlmssp_server_auth_send: Checking NTLMSSP password for SAD\username 
failed: NT_STATUS_WRONG_PASSWORD



-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020