freebsd at tango.lu
2020-Sep-03 18:09 UTC
[Samba] Cross-domain share access via same user+password doesn't work anymore
I am having the same issue as:

https://forge.univention.org/bugzilla/show_bug.cgi?id=47314

I have 2 samba servers running with nearly identical configs:

    ii  samba         2:3.6.6-6+deb7u15
    ii  samba-common  2:4.9.5+dfsg-5+deb10u1

The problem is that for old OSes like Win9X the username cannot be changed, it will just use USERNAME or WORKGROUP\USERNAME for the user.

With the old samba version this works well because it accepts only the username for authentication; with the new one I just cannot make it accept it, so only:

    smbclient -U "SAMBASERVERNAME\user%password" \\1.2.3.4\share

works, and as I noted older Win9X clients can't do this type of authentication.

The desired would be:

    smbclient -U "user%password" \\1.2.3.4\share

First I found this option in the old samba (regardless it is set to No by default it just works):

    map untrusted to domain = No

This option is no longer available in the new samba.

Another suggested solution, also not available in the new samba:

As a workaround the following option can be set on all Samba AD/DCs of the domain:

    auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain

Is there any way I can get this to work with the new version or am I forced to compile 3.x to get this feature back?
Rowland penny
2020-Sep-03 18:59 UTC
[Samba] Cross-domain share access via same user+password doesn't work anymore
On 03/09/2020 19:09, freebsd--- via samba wrote:
> I am having the same issue as:
>
> https://forge.univention.org/bugzilla/show_bug.cgi?id=47314
>
> I have 2 samba servers running with nearly identical configs:
>
> ii  samba         2:3.6.6-6+deb7u15
> ii  samba-common  2:4.9.5+dfsg-5+deb10u1
>
> The problem is that for old OSes like Win9X the username cannot be
> changed, it will just use USERNAME or WORKGROUP\USERNAME for the user.
>
> With the old samba version this works well because it accepts only
> the username for authentication; with the new one I just cannot make it
> accept it, so only:
>
> smbclient -U "SAMBASERVERNAME\user%password" \\1.2.3.4\share
>
> works, and as I noted older Win9X clients can't do this type of
> authentication.
>
> The desired would be:
>
> smbclient -U "user%password" \\1.2.3.4\share
>
> First I found this option in the old samba (regardless it is set to No
> by default it just works):
>
>     map untrusted to domain = No
>
> This option is no longer available in the new samba.
>
> Another suggested solution, also not available in the new samba:
>
> As a workaround the following option can be set on all Samba AD/DCs of
> the domain:
>
>     auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain
>
> Is there any way I can get this to work with the new version or am I
> forced to compile 3.x to get this feature back?

I don't think that is your problem, it is more likely to be the password, try adding these lines:

    lanman auth = Yes
    client lanman auth = Yes
    client plaintext auth = Yes

But be aware, your Samba is now very insecure.

Rowland
freebsd at tango.lu
2020-Sep-05 15:30 UTC
[Samba] Cross-domain share access via same user+password doesn't work anymore
On 2020-09-03 20:59, Rowland penny via samba wrote:
> On 03/09/2020 19:09, freebsd--- via samba wrote:
>> I am having the same issue as:
>>
>> https://forge.univention.org/bugzilla/show_bug.cgi?id=47314
>>
>> I have 2 samba servers running with nearly identical configs:
>>
>> ii  samba         2:3.6.6-6+deb7u15
>> ii  samba-common  2:4.9.5+dfsg-5+deb10u1
>>
>> The problem is that for old OSes like Win9X the username cannot be
>> changed, it will just use USERNAME or WORKGROUP\USERNAME for the user.
>>
>> With the old samba version this works well because it accepts only
>> the username for authentication; with the new one I just cannot make it
>> accept it, so only:
>>
>> smbclient -U "SAMBASERVERNAME\user%password" \\1.2.3.4\share
>>
>> works, and as I noted older Win9X clients can't do this type of
>> authentication.
>>
>> The desired would be:
>>
>> smbclient -U "user%password" \\1.2.3.4\share
>>
>> First I found this option in the old samba (regardless it is set to No
>> by default it just works):
>>
>>     map untrusted to domain = No
>>
>> This option is no longer available in the new samba.
>>
>> Another suggested solution, also not available in the new samba:
>>
>> As a workaround the following option can be set on all Samba AD/DCs of
>> the domain:
>>
>>     auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain
>>
>> Is there any way I can get this to work with the new version or am I
>> forced to compile 3.x to get this feature back?
>
> I don't think that is your problem, it is more likely to be the
> password, try adding these lines:
>
> lanman auth = Yes
> client lanman auth = Yes
> client plaintext auth = Yes
>
> But be aware, your Samba is now very insecure.
>
> Rowland

Hello,

I already had those in both samba servers and I don't care about security with this setup.

Here is what happens:

[2020/09/05 17:19:36.046568, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [WG1]\[USER]@[winbox] with the new password interface
[2020/09/05 17:19:36.046648, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [WG1]\[USER]@[winbox]
[2020/09/05 17:19:36.046726, 1] ../source3/auth/auth.c:128(check_domain_match)
  check_domain_match: Attempt to connect as user USER from domain WG1 denied.
[2020/09/05 17:19:36.046802, 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [USER] -> [USER] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2020/09/05 17:19:36.046945, 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user [WG1]\[USER] at [Sat, 05 Sep 2020 17:19:36.046895 CEST] with [LANMan] status [NT_STATUS_LOGON_FAILURE] workstation [winbox] remote host [ipv4:172.16.2.5:1025] mapped to [WG1]\[USER]. local host [ipv4:172.16.2.1:139]
  {"timestamp": "2020-09-05T17:19:36.047105+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_LOGON_FAILURE", "localAddress": "ipv4:172.16.2.1:139", "remoteAddress": "ipv4:172.16.2.5:1025", "serviceDescription": "SMB", "authDescription": null, "clientDomain": "WG1", "clientAccount": "USER", "workstation": "winbox", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "USER", "mappedDomain": "WG1", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "LANMan", "duration": 18476}}
[2020/09/05 17:19:36.047362, 3] ../source3/smbd/error.c:104(error_packet_set)
  DOS error packet at ../source3/smbd/sesssetup.c(965) cmd=115 (SMBsesssetupX) eclass=1 ecode=5
[2020/09/05 17:19:36.573052, 3] ../source3/smbd/server_exit.c:237(exit_server_common)
  Server exit (failed to receive smb request)

WG1 is a workgroup the old Windows machines are in; they are also in another subnet going through a router where the 2 other samba servers are. The 2 other samba servers are in another, different workgroup; they both have a local account for USER with the same password and, as I said, their configuration is also nearly identical. The 3.6 auth works fine, the 4.x fails.
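
Added example, not part of the original thread or of Samba's code: with `lanman auth` and `client plaintext auth` switched on as discussed above, the JSON authentication records that smbd writes (like the one in the log) can be used to audit which clients still log in with weak password types. The function names, the `WEAK_TYPES` set and the sample log below are assumptions made for this sketch.

```python
import json

# Assumption: the set of weak types is chosen for this example. "LANMan" is the
# value in the thread's log; "NTLMv1" and "Plaintext" are assumed value names.
WEAK_TYPES = {"LANMan", "NTLMv1", "Plaintext"}
MARKER = '{"timestamp"'
_DECODER = json.JSONDecoder()

# Constructed sample: record 1 is a trimmed copy of the JSON line in the thread;
# record 2 and the truncated record 3 are made up.
SAMPLE_LOG = (
    '  local host [ipv4:172.16.2.1:139] {"timestamp": "2020-09-05T17:19:36.047105+0200", '
    '"type": "Authentication", "Authentication": {"status": "NT_STATUS_LOGON_FAILURE", '
    '"remoteAddress": "ipv4:172.16.2.5:1025", "clientDomain": "WG1", '
    '"clientAccount": "USER", "passwordType": "LANMan"}}\n'
    '{"timestamp": "2020-09-05T17:20:01.000000+0200", "type": "Authentication", '
    '"Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:172.16.2.9:49152", '
    '"clientDomain": "WG2", "clientAccount": "ALICE", "passwordType": "NTLMv2"}}\n'
    '{"timestamp": "2020-09-05T17:20:02'
)


def iter_auth_events(log_text):
    """Yield the "Authentication" object of each JSON record embedded in smbd log text."""
    pos = log_text.find(MARKER)
    while pos != -1:
        try:
            record, end = _DECODER.raw_decode(log_text, pos)
        except json.JSONDecodeError:
            end = pos + 1  # truncated or corrupt record: skip it and keep scanning
        else:
            if isinstance(record, dict) and record.get("type") == "Authentication":
                yield record.get("Authentication", {})
        pos = log_text.find(MARKER, end)


def weak_auth_findings(log_text):
    """Return one finding per authentication that used a password type in WEAK_TYPES."""
    findings = []
    for ev in iter_auth_events(log_text):
        if ev.get("passwordType") in WEAK_TYPES:
            findings.append({
                "account": "{}\\{}".format(ev.get("clientDomain"), ev.get("clientAccount")),
                "remote": ev.get("remoteAddress"),
                "passwordType": ev["passwordType"],
                "status": ev.get("status"),
            })
    return findings
```

Run over a real smbd log, `weak_auth_findings` lists every client address and account that authenticated with a legacy password type, whether the logon succeeded or failed.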