Hello,

After updating my machine to samba 4.14.5 it is not possible to authenticate using NTLMv1. The clients are proprietary control / PLC units where I am not able to change anything.

I figured out that there must be something with a missing domain / workgroup during the authentication process.

Example, workgroup before DOMAIN-USER is empty:

  check_ntlm_password: Checking password for unmapped user []\[ DOMAIN-USER ]@[m194940] with the new password interface

I can connect the same user from the machine's smbclient:

  smbclient //xx/xx -mNT1 -U DOMAIN-USER

The smbclient attempts to connect with "passwordType": "NTLMv2". This works, but NTLMv1 fails.

Also, wbinfo succeeded:

  wbinfo -a DOMAINUSER%password --ntlmv1
  plaintext password authentication succeeded
  challenge/response password authentication succeeded

Is there any way to tell samba to use the domain/workgroup as a default?

Some smb.conf:

[global]
kerberos method = secrets and keytab
template homedir = /home/%U@%D
workgroup = WORKGROUP
server min protocol = NT1
client min protocol = NT1
template shell = /bin/bash
template homedir = /home/%U
security = ads
realm = WORKGROUP.INTERN
ntlm auth = yes
lanman auth = yes

Some log for the NTLMv1 attempt:

[2022/01/18 14:16:10.852289, 3] ../../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'DOMAIN-USER' in passdb.
[2022/01/18 14:16:10.852301, 5] ../../source3/auth/auth.c:264(auth_check_ntlm_password)
  auth_check_ntlm_password: sam authentication for user [DOMAIN-USER] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/01/18 14:16:10.852320, 2] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [DOMAIN-USER] -> [DOMAIN-USER] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/01/18 14:16:10.852347, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user []\[DOMAIN-USER] at [Tue, 18 Jan 2022 14:16:10.852330 CET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [m194940] remote host [ipv4:xxx:1024] mapped to []\[DOMAIN-USER]. local host [ipv4:xxx:139]
  {"timestamp": "2022-01-18T14:16:10.852396+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:xxx:139", "remoteAddress": "ipv4:xxx:1024", "serviceDescription": "SMB", "authDescription": null, "clientDomain": "", "clientAccount": "DOMAIN-USER", "workstation": "m194940", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "DOMAIN-USER", "mappedDomain": "", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv1", "duration": 2274}}
[2022/01/18 14:16:10.852435, 5] ../../source3/auth/auth_ntlmssp.c:215(auth3_check_password_send)
  auth3_check_password_send: Checking NTLMSSP password for \DOMAIN-USER failed: NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/01/18 14:16:10.852456, 3] ../../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../../source3/smbd/sesssetup.c(956) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
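
An added example, not part of the original post and not Samba code: a Python sketch that reads JSON authentication events like the one in the log above and reports, per client address, how many NTLMv1 logons were seen and how many of them failed with an empty clientDomain and NT_STATUS_NO_SUCH_USER. The sample log is constructed (addresses are placeholders), the field names are those shown in the post, and the function names are hypothetical.

```python
import json

# Constructed sample log, modelled on the JSON event in the post above;
# addresses are documentation placeholders, fields are a subset of the real event.
SAMPLE_LOG = """\
[2022/01/18 14:16:10.852347, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user []\\[DOMAIN-USER] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER]
  {"timestamp": "2022-01-18T14:16:10.852396+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:192.0.2.10:1024", "clientDomain": "", "clientAccount": "DOMAIN-USER", "workstation": "m194940", "passwordType": "NTLMv1"}}
  {"timestamp": "2022-01-18T14:20:01.000000+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.20:50112", "clientDomain": "WORKGROUP", "clientAccount": "DOMAIN-USER", "workstation": "ADMINPC", "passwordType": "NTLMv2"}}
  {"timestamp": "2022-01-18T14:21:00.000000+0100", "type": "Authorization", "Authorization": {"account": "DOMAIN-USER"}}
  {"timestamp": "2022-01-18T14:22:10.000000+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:192.0.2.10:1025", "clientDomain": "", "clientAccount": "DOMAIN-USER", "workstation": "m194940", "passwordType": "NTLMv1"}}
"""

def auth_events(log_text):
    """Yield the "Authentication" object of every JSON auth event in the log."""
    for line in log_text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            record = json.loads(line[start:])
        except ValueError:
            continue  # ordinary debug line that merely contains a brace
        if isinstance(record, dict) and record.get("type") == "Authentication":
            yield record.get("Authentication", {})

def ntlmv1_report(log_text):
    """Per client address: NTLMv1 attempts and empty-domain NO_SUCH_USER failures."""
    report = {}
    for ev in auth_events(log_text):
        if ev.get("passwordType") != "NTLMv1":
            continue
        host = ev.get("remoteAddress", "").rsplit(":", 1)[0]  # drop source port
        entry = report.setdefault(host, {"workstation": ev.get("workstation"),
                                         "accounts": set(), "ntlmv1": 0,
                                         "empty_domain_failures": 0})
        entry["ntlmv1"] += 1
        entry["accounts"].add(ev.get("clientAccount"))
        # The symptom in this thread: client sends no domain, lookup fails.
        if not ev.get("clientDomain") and ev.get("status") == "NT_STATUS_NO_SUCH_USER":
            entry["empty_domain_failures"] += 1
    return report

if __name__ == "__main__":
    for host, entry in ntlmv1_report(SAMPLE_LOG).items():
        print(host, entry)
```

The resulting list doubles as an inventory of clients that still depend on `ntlm auth = yes`.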

> On 18. Jan 2022, at 16.18, Eric Lehmann via samba <samba at lists.samba.org> wrote:
>
> Hello,
>
> After updating my machine to samba 4.14.5 it is not possible to authenticate using NTLMv1. The clients are proprietary control / PLC units where I am not able to change anything.
>
> I figured out that there must be something with a missing domain / workgroup during the authentication process.
>
> Example, workgroup before DOMAIN-USER is empty:
>
>   check_ntlm_password: Checking password for unmapped user []\[ DOMAIN-USER ]@[m194940] with the new password interface
>
> I can connect the same user from the machine's smbclient:
>
>   smbclient //xx/xx -mNT1 -U DOMAIN-USER
>
> The smbclient attempts to connect with "passwordType": "NTLMv2". This works, but NTLMv1 fails.
>
> Also, wbinfo succeeded:
>
>   wbinfo -a DOMAINUSER%password --ntlmv1
>   plaintext password authentication succeeded
>   challenge/response password authentication succeeded
>
> Is there any way to tell samba to use the domain/workgroup as a default?
>
> Some smb.conf:
>
> [global]
> kerberos method = secrets and keytab
> template homedir = /home/%U@%D
> workgroup = WORKGROUP
> server min protocol = NT1
> client min protocol = NT1
> template shell = /bin/bash
> template homedir = /home/%U
> security = ads
> realm = WORKGROUP.INTERN
> ntlm auth = yes
> lanman auth = yes
>
> Some log for the NTLMv1 attempt:
>
> [2022/01/18 14:16:10.852289, 3] ../../source3/auth/check_samsec.c:399(check_sam_security)
>   check_sam_security: Couldn't find user 'DOMAIN-USER' in passdb.
> [2022/01/18 14:16:10.852301, 5] ../../source3/auth/auth.c:264(auth_check_ntlm_password)
>   auth_check_ntlm_password: sam authentication for user [DOMAIN-USER] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
> [2022/01/18 14:16:10.852320, 2] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [DOMAIN-USER] -> [DOMAIN-USER] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
> [2022/01/18 14:16:10.852347, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
>   Auth: [SMB,(null)] user []\[DOMAIN-USER] at [Tue, 18 Jan 2022 14:16:10.852330 CET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [m194940] remote host [ipv4:xxx:1024] mapped to []\[DOMAIN-USER]. local host [ipv4:xxx:139]
>   {"timestamp": "2022-01-18T14:16:10.852396+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:xxx:139", "remoteAddress": "ipv4:xxx:1024", "serviceDescription": "SMB", "authDescription": null, "clientDomain": "", "clientAccount": "DOMAIN-USER", "workstation": "m194940", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "DOMAIN-USER", "mappedDomain": "", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv1", "duration": 2274}}
> [2022/01/18 14:16:10.852435, 5] ../../source3/auth/auth_ntlmssp.c:215(auth3_check_password_send)
>   auth3_check_password_send: Checking NTLMSSP password for \DOMAIN-USER failed: NT_STATUS_NO_SUCH_USER, authoritative=1
> [2022/01/18 14:16:10.852456, 3] ../../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../../source3/smbd/sesssetup.c(956) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>

I had this same problem a while back when connecting from Supermicro IPMI interface. The workaround was to use UPN in the form of user.account@domain.com. Is this possible in your clients? You can find my posts from last March in the list archives. I never found any smb.conf setting that would make this work again.

Did you upgrade your base OS as well? In my testing this stopped working after upgrading from Ubuntu 18 to 20. Perhaps the packages are compiled differently or there's some incompatibility between later Samba and Ubuntu builds.

-Perttu

On Tue, 2022-01-18 at 15:18 +0100, Eric Lehmann via samba wrote:
> Hello,
>
> After updating my machine to samba 4.14.5 it is not possible to authenticate using NTLMv1. The clients are proprietary control / PLC units where I am not able to change anything.
>
> I figured out that there must be something with a missing domain / workgroup during the authentication process.
>
> Example, workgroup before DOMAIN-USER is empty:
>
>   check_ntlm_password: Checking password for unmapped user []\[ DOMAIN-USER ]@[m194940] with the new password interface
>
> I can connect the same user from the machine's smbclient:
>
>   smbclient //xx/xx -mNT1 -U DOMAIN-USER
>
> The smbclient attempts to connect with "passwordType": "NTLMv2". This works, but NTLMv1 fails.
>
> Also, wbinfo succeeded:
>
>   wbinfo -a DOMAINUSER%password --ntlmv1
>   plaintext password authentication succeeded
>   challenge/response password authentication succeeded
>
> Is there any way to tell samba to use the domain/workgroup as a default?
>
> Some smb.conf:
>
> [global]
> kerberos method = secrets and keytab
> template homedir = /home/%U@%D
> workgroup = WORKGROUP
> server min protocol = NT1
> client min protocol = NT1
> template shell = /bin/bash
> template homedir = /home/%U
> security = ads
> realm = WORKGROUP.INTERN
> ntlm auth = yes
> lanman auth = yes

If that is the entire [global] section of your smb.conf, where are the 'idmap config' lines?

Rowland