samba - Jun 2020 - Wrong password, Win10 not using SMB3_11?

On Tue, 16 Jun 2020, Rowland penny via samba wrote:
> On 16/06/2020 12:41, Harald Hannelius via samba wrote:
>> I have Samba AD-domain with two fileservers and two Samba DS-servers.
Most
>> people can authenticate OK, but one user always gets "wrong
password".
> What versions of Samba ?
All servers are 4.9.5-Debian.
>> Auth: [SMB2,(null)] user [SAD]\[username] at [Tue, 16 Jun 2020 
>> 13:49:02.124298 EEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] 
>> workstation [HP840-017] remote host [ipv6:xxx:xxx:xxx:36::100b:58502] 
>> mapped to [SAD]\[username]. local host [ipv6:xxx:xxx:xxx:xxx::3:445]
>> 
> Is SMBv1 turned on, on the Win10 client ?
I checked the "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and 
LmComptabilityLevel on both computers, they where both 0.

I missed a few protocols in the failed log

   Selected protocol SMB 2.???

   Selected protocol SMB3_11

But it ends with

[2020/06/16 13:49:02.124311, 2, pid=192951, effective(0, 0), real(0, 0)] 
../auth/auth_log.c:610(log_authentication_event_human_readable)
   Auth: [SMB2,(null)] user [SAD]\[username] at [Tue, 16 Jun 2020 
13:49:02.124298 EEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] 
workstation [HP840-017] remote host [ipv6:xxx:xxx:xxx:36::100b:58502] mapped 
to [SAD]\[username]. local host [ipv6:xxx:xxx:xxx:33::3:445]
   {"timestamp": "2020-06-16T13:49:02.124402+0300",
"type": "Authentication",
"Authentication": {"version": {"major": 1,
"minor": 0}, "status":
"NT_STATUS_WRONG_PASSWORD", "localAddress":
"ipv6:xxx:xxx:xxx:33::3:445",
"remoteAddress": "ipv6:xxx:xxx:xxx:36::100b:58502",
"serviceDescription":
"SMB2", "authDescription": null, "clientDomain":
"SAD", "clientAccount":
"username", "workstation": "HP840-017",
"becameAccount": null,
"becameDomain": null, "becameSid": null,
"mappedAccount": "username",
"mappedDomain": "SAD", "netlogonComputer": null,
"netlogonTrustAccount":
null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType":
0, "netlogonTrustAccountSid": null, "passwordType":
"NTLMv1", "duration":
13033}}
[2020/06/16 13:49:02.124447,  5, pid=192951, effective(0, 0), real(0, 0)] 
../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
   Checking NTLMSSP password for SAD\username failed: 
NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/06/16 13:49:02.124467,  5, pid=192951, effective(0, 0), real(0, 0), 
class=auth] ../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
   ntlmssp_server_auth_send: Checking NTLMSSP password for SAD\username 
failed: NT_STATUS_WRONG_PASSWORD



-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020

On 16/06/2020 13:18, Harald Hannelius wrote:
>
>
> On Tue, 16 Jun 2020, Rowland penny via samba wrote:
>
>> Is SMBv1 turned on, on the Win10 client ?
>
> I checked the "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and 
> LmComptabilityLevel on both computers, they where both 0.
'0' == Clients use LM and NTLMv1 authentication, but they never use 
NTLMv2 session security, I think you want '5' on the clients.

Rowland

On Tue, 16 Jun 2020, Rowland penny via samba wrote:
> On 16/06/2020 13:18, Harald Hannelius wrote:
>> On Tue, 16 Jun 2020, Rowland penny via samba wrote:
>> 
>>> Is SMBv1 turned on, on the Win10 client ?
>> 
>> I checked the "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and
>> LmComptabilityLevel on both computers, they where both 0.
>
> '0' == Clients use LM and NTLMv1 authentication, but they never use
NTLMv2
> session security, I think you want '5' on the clients.
Thank You, it's amazing how much baggage one keeps lugging around for 20+ 
years.

I will try this.

-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020

On Tue, 16 Jun 2020, Rowland penny via samba wrote:
> On 16/06/2020 13:18, Harald Hannelius wrote:
>> 
>> 
>> On Tue, 16 Jun 2020, Rowland penny via samba wrote:
>> 
>>> Is SMBv1 turned on, on the Win10 client ?
>> 
>> I checked the "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and
>> LmComptabilityLevel on both computers, they where both 0.
>
> '0' == Clients use LM and NTLMv1 authentication, but they never use
NTLMv2
> session security, I think you want '5' on the clients.
Thank You, this fixed the problem. Funny that '0' worked on one computer
and
not on another. But that's Windows I think.

I read this page;

https://itconnect.uw.edu/wares/msinf/other-help/lmcompatibilitylevel/

I tried with both 3 and 5 and they both worked so problem solved. Thanks 
again.


-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020