samba - Sep 2020 - Cross-domain share access via same user+password doesn't work anymore

On 2020-09-03 20:59, Rowland penny via samba wrote:
> On 03/09/2020 19:09, freebsd--- via samba wrote:
>> I having the same issue like:
>> 
>> https://forge.univention.org/bugzilla/show_bug.cgi?id=47314
>> 
>> I have 2 samba servers running with nearly identical configs:
>> 
>> ii? samba???????????????????????????????? 2:3.6.6-6+deb7u15
>> ii? samba-common?????????????????? 2:4.9.5+dfsg-5+deb10u1
>> 
>> The problem is that for old os-es like Win9X the username cannot be 
>> changed, it will just use USERNAME or WORKGROUP\USERNAME for the user.
>> 
>> With the old samba version this works well because if it accepts only 
>> the username for authentication with the new one I just cannot make it 
>> accept it so only:
>> 
>> smbclient -U "SAMBASERVERNAME\user%password" \\1.2.3.4\share
>> 
>> works and as I noted older Win9X clients cant do this type of 
>> authentication.
>> 
>> The desired would be:
>> 
>> smbclient -U "user%password" \\1.2.3.4\share
>> 
>> 
>> First I found this option in the old samba (regardless it is set to No 
>> by default it just works):
>> 
>> ????map untrusted to domain = No
>> 
>> This option is no longer available in the new samba.
>> 
>> 
>> Another suggested solution, also not available in the new samba:
>> 
>> As a workaround the following option can be set on all Samba AD/DCs of 
>> the domain:
>> 
>> ?auth methods = anonymous sam winbind_rodc sam_failtrusts 
>> sam_ignoredomain
>> 
>> 
>> Is there any way I can get this work with the new version or am I 
>> forced to compile 3.x to get this feature back?
>> 
>> 
> I don't think that is your problem, it is more likely to be the
> password, try adding these lines:
> 
> lanman auth = Yes
> client lanman auth = Yes
> client plaintext auth = Yes
> 
> But be aware, your Samba is now very insecure.
> 
> Rowland
Hello,

I already had those in both samba server and I don't care about security 
with this setup. Here is what happens:

[2020/09/05 17:19:36.046568,  3] 
../source3/auth/auth.c:189(auth_check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user 
[WG1]\[USER]@[winbox] with the new password interface
[2020/09/05 17:19:36.046648,  3] 
../source3/auth/auth.c:192(auth_check_ntlm_password)
   check_ntlm_password:  mapped user is: [WG1]\[USER]@[winbox]
[2020/09/05 17:19:36.046726,  1] 
../source3/auth/auth.c:128(check_domain_match)
   check_domain_match: Attempt to connect as user USER from domain WG1 
denied.
[2020/09/05 17:19:36.046802,  2] 
../source3/auth/auth.c:334(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [USER] -> [USER] FAILED 
with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2020/09/05 17:19:36.046945,  2] 
../auth/auth_log.c:610(log_authentication_event_human_readable)
   Auth: [SMB,(null)] user [WG1]\[USER] at [Sat, 05 Sep 2020 
17:19:36.046895 CEST] with [LANMan] status [NT_STATUS_LOGON_FAILURE] 
workstation [winbox] remote host [ipv4:172.16.2.5:1025] mapped to 
[WG1]\[USER]. local host [ipv4:172.16.2.1:139]
   {"timestamp": "2020-09-05T17:19:36.047105+0200",
"type":
"Authentication", "Authentication": {"version":
{"major": 1, "minor":
0}, "status": "NT_STATUS_LOGON_FAILURE",
"localAddress":
"ipv4:172.16.2.1:139", "remoteAddress":
"ipv4:172.16.2.5:1025",
"serviceDescription": "SMB", "authDescription":
null, "clientDomain":
"WG1", "clientAccount": "USER",
"workstation": "winbox",
"becameAccount": null, "becameDomain": null,
"becameSid": null,
"mappedAccount": "USER", "mappedDomain":
"WG1", "netlogonComputer":
null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid":
null, "passwordType": "LANMan", "duration":
18476}}
[2020/09/05 17:19:36.047362,  3] 
../source3/smbd/error.c:104(error_packet_set)
   DOS error packet at ../source3/smbd/sesssetup.c(965) cmd=115 
(SMBsesssetupX) eclass=1 ecode=5
[2020/09/05 17:19:36.573052,  3] 
../source3/smbd/server_exit.c:237(exit_server_common)
   Server exit (failed to receive smb request)


WG1 is a workgroup the old windows machines are in, they are also in 
another subnet going through a router where the 2 other samba server 
are. The 2 other samba servers are in another different workgroup, they 
both have a local account for USER with the same password and as I said 
their configuration is also nearly identical. The 3.6 auth works fine 
the 4.x fails.

On 05/09/2020 16:30, freebsd at tango.lu wrote:
>
>>>
>>
>
> Hello,
>
> I already had those in both samba server and I don't care about 
> security with this setup. Here is what happens:
Well, not having seen your smb.conf files, I didn't know you had those 
lines. I also had to point out the pitfalls of using them.

I think it may help if we see your smb.conf files.

Rowland

On 2020-09-05 18:05, Rowland penny via samba wrote:
> On 05/09/2020 16:30, freebsd at tango.lu wrote:
>> 
>>>> 
>>> 
>> 
>> Hello,
>> 
>> I already had those in both samba server and I don't care about 
>> security with this setup. Here is what happens:
> 
> Well, not having seen your smb.conf files, I didn't know you had those
> lines. I also had to point out the pitfalls of using them.
> 
> I think it may help if we see your smb.conf files.
> 
> Rowland
Hello,

Yes that is exactly what I thought that it is not a config issue because 
with nearly the same config it works on the 3.6 and not the 4.x.

Since someone asked for my smb.conf here it goes:

[global]
    workgroup = WG2
    netbios name = SMBB
    guest ok = no
    security = user
    wins support = yes
    wins proxy = no
    syslog only = no
    syslog = 0;
    encrypt passwords = true

; WIN 98
lanman auth = Yes
client lanman auth = Yes
client plaintext auth = Yes


    log level = 3
    log file = /var/log/samba/smbd.log
    max log size = 5000
    utmp = Yes

    os level = 255
    domain master = yes
    local master = yes
    preferred master = yes
    domain logons = no
    logon script = %U
    allow trusted domains = no
    nt acl support = no
    enhanced browsing = No
    message command = /bin/sh -c '/usr/bin/linpopup "%f"
"%m" %s; rm %s'
&

    name resolve order = wins lmhosts host bcast
    hide dot files = yes
    wide links = yes
    unix extensions = no
    delete veto files = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    show add printer wizard = no

[share]
   comment =  share
   volume = share
   path = /mnt/share
   force user = user
   force group = users
   create mask = 644
   directory mask = 775
   browseable = no
   follow symlinks = Yes
   writeable = no
   read only = yes
   valid users = user


So yet again typical example of a software actually getting WORSE than 
improving over the years. I don't know who the hell felt that this was a 
good idea to deprecate this mapping option but you should consider 
putting it back and never again try to pull something like this. What 
happened to Samba? some systemD developers crawled over there to destroy 
the project with their stupidity? Next thing we gonna see on Samba 5 
hell let's change the entire config, rename all the options and why not 
just make it XML or encrypted JSON binary config to be sysadmin 
unfriendly. Great Success!