freebsd at tango.lu
2020-Sep-05 15:30 UTC
[Samba] Cross-domain share access via same user+password doesn't work anymore
On 2020-09-03 20:59, Rowland penny via samba wrote:
> On 03/09/2020 19:09, freebsd--- via samba wrote:
>> I'm having the same issue as:
>>
>> https://forge.univention.org/bugzilla/show_bug.cgi?id=47314
>>
>> I have 2 samba servers running with nearly identical configs:
>>
>> ii  samba         2:3.6.6-6+deb7u15
>> ii  samba-common  2:4.9.5+dfsg-5+deb10u1
>>
>> The problem is that for old OSes like Win9X the username cannot be
>> changed, it will just use USERNAME or WORKGROUP\USERNAME for the user.
>>
>> With the old samba version this works well because it accepts only
>> the username for authentication; with the new one I just cannot make it
>> accept it, so only:
>>
>> smbclient -U "SAMBASERVERNAME\user%password" \\1.2.3.4\share
>>
>> works, and as I noted older Win9X clients can't do this type of
>> authentication.
>>
>> The desired would be:
>>
>> smbclient -U "user%password" \\1.2.3.4\share
>>
>> First I found this option in the old samba (regardless that it is set to No
>> by default, it just works):
>>
>>     map untrusted to domain = No
>>
>> This option is no longer available in the new samba.
>>
>> Another suggested solution, also not available in the new samba:
>>
>> As a workaround the following option can be set on all Samba AD/DCs of
>> the domain:
>>
>>     auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain
>>
>> Is there any way I can get this to work with the new version, or am I
>> forced to compile 3.x to get this feature back?
>>
> I don't think that is your problem, it is more likely to be the
> password, try adding these lines:
>
> lanman auth = Yes
> client lanman auth = Yes
> client plaintext auth = Yes
>
> But be aware, your Samba is now very insecure.
>
> Rowland

Hello,

I already had those in both samba servers and I don't care about security with this setup.
Here is what happens:

[2020/09/05 17:19:36.046568, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [WG1]\[USER]@[winbox] with the new password interface
[2020/09/05 17:19:36.046648, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [WG1]\[USER]@[winbox]
[2020/09/05 17:19:36.046726, 1] ../source3/auth/auth.c:128(check_domain_match)
  check_domain_match: Attempt to connect as user USER from domain WG1 denied.
[2020/09/05 17:19:36.046802, 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [USER] -> [USER] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2020/09/05 17:19:36.046945, 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user [WG1]\[USER] at [Sat, 05 Sep 2020 17:19:36.046895 CEST] with [LANMan] status [NT_STATUS_LOGON_FAILURE] workstation [winbox] remote host [ipv4:172.16.2.5:1025] mapped to [WG1]\[USER]. local host [ipv4:172.16.2.1:139]
  {"timestamp": "2020-09-05T17:19:36.047105+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_LOGON_FAILURE", "localAddress": "ipv4:172.16.2.1:139", "remoteAddress": "ipv4:172.16.2.5:1025", "serviceDescription": "SMB", "authDescription": null, "clientDomain": "WG1", "clientAccount": "USER", "workstation": "winbox", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "USER", "mappedDomain": "WG1", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "LANMan", "duration": 18476}}
[2020/09/05 17:19:36.047362, 3] ../source3/smbd/error.c:104(error_packet_set)
  DOS error packet at ../source3/smbd/sesssetup.c(965) cmd=115 (SMBsesssetupX) eclass=1 ecode=5
[2020/09/05 17:19:36.573052, 3] ../source3/smbd/server_exit.c:237(exit_server_common)
  Server exit (failed to receive smb request)

WG1 is the workgroup the old Windows machines are in; they are also in another subnet, going through a router, where the 2 other samba servers are. The 2 other samba servers are in a different workgroup; they both have a local account for USER with the same password and, as I said, their configuration is also nearly identical. The 3.6 auth works fine, the 4.x fails.
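As an added example (not code from this thread or from the Samba project), a small Python auditor over Samba's JSON auth log that extracts the fields shown above, flags weak password types such as the LANMan seen here, and mirrors the domain rule that check_domain_match() in source3/auth/auth.c applies when "allow trusted domains = no" (only an empty domain, the server's own workgroup or its own NetBIOS name is accepted). Assumptions: the second sample record is invented for contrast, WEAK_PASSWORD_TYPES is my own list, and the default workgroup/NetBIOS name are the values from the smb.conf posted later in the thread.

```python
import json

# Constructed sample: the first JSON record is modelled on the auth event quoted in the
# post above; the second (a successful NTLMv2 logon from WG2) is invented for contrast.
SAMPLE_LOG = r'''
  Auth: [SMB,(null)] user [WG1]\[USER] with [LANMan] status [NT_STATUS_LOGON_FAILURE] workstation [winbox]
  {"timestamp": "2020-09-05T17:19:36.047105+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_LOGON_FAILURE", "localAddress": "ipv4:172.16.2.1:139", "remoteAddress": "ipv4:172.16.2.5:1025", "serviceDescription": "SMB", "clientDomain": "WG1", "clientAccount": "USER", "workstation": "winbox", "mappedAccount": "USER", "mappedDomain": "WG1", "passwordType": "LANMan", "duration": 18476}}
  {"timestamp": "2020-09-05T17:20:01.000000+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:172.16.2.1:445", "remoteAddress": "ipv4:172.16.2.7:50123", "serviceDescription": "SMB2", "clientDomain": "WG2", "clientAccount": "user", "workstation": "pc7", "mappedAccount": "user", "mappedDomain": "WG2", "passwordType": "NTLMv2", "duration": 900}}
'''

# Assumed set of password types worth flagging; "LANMan" is the value seen in the log above.
WEAK_PASSWORD_TYPES = {"LANMan", "Plaintext", "NTLMv1"}

def parse_auth_events(text):
    """Return the Authentication objects from Samba's one-JSON-object-per-line auth log."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # human-readable entry, not a JSON record
        record = json.loads(line)
        if record.get("type") == "Authentication":
            ev = dict(record["Authentication"])
            ev["timestamp"] = record.get("timestamp")
            events.append(ev)
    return events

def domain_is_local(domain, workgroup, netbios_name):
    """Mirror check_domain_match() with 'allow trusted domains = no': only an empty domain,
    the server's own workgroup or its own NetBIOS name passes (case-insensitive compare)."""
    return not domain or domain.upper() in (workgroup.upper(), netbios_name.upper())

def findings(ev, workgroup, netbios_name):
    """Flags a defender wants on one event: weak auth, foreign client domain, failure."""
    out = []
    if ev.get("passwordType") in WEAK_PASSWORD_TYPES:
        out.append("weak-auth:" + ev["passwordType"])
    if not domain_is_local(ev.get("clientDomain"), workgroup, netbios_name):
        out.append("foreign-domain:" + str(ev.get("clientDomain")))
    if ev.get("status") != "NT_STATUS_OK":
        out.append("failure:" + str(ev.get("status")))
    return out

def audit(text, workgroup="WG2", netbios_name="SMBB"):
    """Audit a log excerpt; defaults are the workgroup/netbios name from the smb.conf in this thread."""
    return [(ev["timestamp"], ev["clientAccount"], findings(ev, workgroup, netbios_name))
            for ev in parse_auth_events(text)]
```

Run against a real smbd.log the same three flags show which clients still negotiate LANMan and which come from a workgroup the server will refuse.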
Rowland penny
2020-Sep-05 16:05 UTC
[Samba] Cross-domain share access via same user+password doesn't work anymore
On 05/09/2020 16:30, freebsd at tango.lu wrote:
> Hello,
>
> I already had those in both samba servers and I don't care about
> security with this setup. Here is what happens:

Well, not having seen your smb.conf files, I didn't know you had those lines. I also had to point out the pitfalls of using them.

I think it may help if we see your smb.conf files.

Rowland
freebsd at tango.lu
2020-Sep-08 07:54 UTC
[Samba] Cross-domain share access via same user+password doesn't work anymore
On 2020-09-05 18:05, Rowland penny via samba wrote:
> On 05/09/2020 16:30, freebsd at tango.lu wrote:
>> Hello,
>>
>> I already had those in both samba servers and I don't care about
>> security with this setup. Here is what happens:
>
> Well, not having seen your smb.conf files, I didn't know you had those
> lines. I also had to point out the pitfalls of using them.
>
> I think it may help if we see your smb.conf files.
>
> Rowland

Hello,

Yes, that is exactly what I thought: it is not a config issue, because with nearly the same config it works on the 3.6 and not on the 4.x. Since someone asked for my smb.conf, here it goes:

[global]
    workgroup = WG2
    netbios name = SMBB
    guest ok = no
    security = user
    wins support = yes
    wins proxy = no
    syslog only = no
    syslog = 0
    ; encrypt passwords = true
    ; WIN 98
    lanman auth = Yes
    client lanman auth = Yes
    client plaintext auth = Yes
    log level = 3
    log file = /var/log/samba/smbd.log
    max log size = 5000
    utmp = Yes
    os level = 255
    domain master = yes
    local master = yes
    preferred master = yes
    domain logons = no
    logon script = %U
    allow trusted domains = no
    nt acl support = no
    enhanced browsing = No
    message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
    name resolve order = wins lmhosts host bcast
    hide dot files = yes
    wide links = yes
    unix extensions = no
    delete veto files = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    show add printer wizard = no

[share]
    comment = share
    volume = share
    path = /mnt/share
    force user = user
    force group = users
    create mask = 644
    directory mask = 775
    browseable = no
    follow symlinks = Yes
    writeable = no
    read only = yes
    valid users = user

So yet again a typical example of software actually getting WORSE rather than improving over the years. I don't know who the hell felt that this was a good idea, to deprecate this mapping option, but you should consider putting it back and never again try to pull something like this. What happened to Samba? Did some systemd developers crawl over there to destroy the project with their stupidity? Next thing we're gonna see in Samba 5: hell, let's change the entire config, rename all the options, and why not just make it XML or an encrypted JSON binary config to be sysadmin-unfriendly. Great Success!