Curtis Spencer
2022-Aug-05 17:15 UTC
[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13
> You didn't upgrade far enough, you need to (in my opinion) upgrade to
> AD, Samba is working hard on removing SMBv1 and your setup requires it.
> It was turned off by default at 4.11.0, so you could try adding these
> lines to your smb.conf:
>
> client min protocol = NT1
> server min protocol = NT1
>
> You may also have to add:
> ntlm auth = yes
>
> Also ensure that winbind is running.

Thanks. I tried adding all three lines as well as just the first two. I restarted smbd and winbind each time and ensured they were both running. However, I still see this in `/var/log/samba/log.smbd` (the log is the same with and without `ntlm auth = yes`):

```
[2022/08/05 10:08:28.032980, 0] ../../source3/auth/auth_util.c:1913(check_account)
  check_account: Failed to convert SID S-1-5-21-1165166887-308749777-1031590606-13278 to a UID (dom_user[EXAMPLE\<test_user>])
[2022/08/05 10:08:28.033122, 2] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [<test_user>] -> [<test_user>] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/08/05 10:08:28.033206, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[<test_user>] at [Fri, 05 Aug 2022 10:08:28.033183 PDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [<***computer_name***>] remote host [ipv4:192.168.144.137:48258] mapped to [WORKGROUP]\[<test_user>]. local host [ipv4:192.168.5.17:445]
  {"timestamp": "2022-08-05T10:08:28.033344-0700", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.5.17:445", "remoteAddress": "ipv4:192.168.144.137:48258", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "WORKGROUP", "clientAccount": "<test_user>", "workstation": "<***computer_name***>", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "<test_user>", "mappedDomain": "WORKGROUP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 32274}}
```

You didn't mention anything about `map untrusted to domain = yes`. Does that mean you don't think that is a factor here?

Thanks,
Curtis
Rowland Penny
2022-Aug-05 17:55 UTC
[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13
On Fri, 2022-08-05 at 10:15 -0700, Curtis Spencer via samba wrote:
> > You didn't upgrade far enough, you need to (in my opinion) upgrade to
> > AD, Samba is working hard on removing SMBv1 and your setup requires it.
> > It was turned off by default at 4.11.0, so you could try adding these
> > lines to your smb.conf:
> >
> > client min protocol = NT1
> > server min protocol = NT1
> >
> > You may also have to add:
> > ntlm auth = yes
> >
> > Also ensure that winbind is running.
>
> Thanks. I tried adding all three lines as well as just the first two. I
> restarted smbd and winbind each time and ensured they were both running.
> However, I still see this in `/var/log/samba/log.smbd` (the log is the same
> with and without `ntlm auth = yes`):

I didn't mention 'map untrusted to domain' because it doesn't matter whether it has anything to do with the problem or not (I do not think it has), it was removed and it is very unlikely to come back.

It has been quite some time since I had anything to do with an NT4-style domain (which yours is for all intents and purposes), but I think you need to add 'idmap config' lines, something like these:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999

Though you may need to use a different backend for the 'EXAMPLE' domain ('ad' for instance if you have uidNumber & gidNumber attributes). You may also have to 'play' with the 'range' numbers.

I would highly recommend upgrading to AD, it is much simpler and is the way forward, NT4-style domains are the past and will go away.

Rowland
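
How the `rid` backend and range suggested above would map the SID from the log, as an added example (not code from either poster or from Samba): it applies the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, and checks that the result falls inside the domain range and that the two ranges do not overlap. The function names are hypothetical, and `base_rid` is assumed to be left at its default of 0.

```python
import re

# Line format taken from the check_account entry in log.smbd quoted in this thread.
SID_FAIL = re.compile(r"Failed to convert SID (S-1-5-21(?:-\d+)+) to a UID")

# The failing entry from the thread, embedded so the example runs offline.
SAMPLE_LOG = (
    "check_account: Failed to convert SID "
    "S-1-5-21-1165166887-308749777-1031590606-13278 to a UID "
    "(dom_user[EXAMPLE\\<test_user>])\n"
)


def parse_range(value):
    """Parse an smb.conf 'idmap config X : range' value such as '10000-999999'."""
    low, high = (int(part) for part in value.strip().split("-"))
    if low > high:
        raise ValueError(f"range is reversed: {value}")
    return low, high


def rid_to_uid(sid, id_range, base_rid=0):
    """Apply the idmap_rid formula; return None when the result is outside the range."""
    rid = int(sid.rsplit("-", 1)[1])  # the RID is the last sub-authority of the SID
    low, high = id_range
    uid = rid - base_rid + low
    return uid if rid >= base_rid and low <= uid <= high else None


def ranges_overlap(a, b):
    """Overlapping idmap ranges let two domains claim the same Unix ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_mapping(log_text, default_range, domain_range):
    """Return (overlap, {sid: uid or None}) for every SID smbd failed to convert."""
    default, domain = parse_range(default_range), parse_range(domain_range)
    uids = {sid: rid_to_uid(sid, domain) for sid in SID_FAIL.findall(log_text)}
    return ranges_overlap(default, domain), uids


if __name__ == "__main__":
    overlap, uids = check_mapping(SAMPLE_LOG, "3000-7999", "10000-999999")
    print("ranges overlap:", overlap)
    for sid, uid in uids.items():
        print(sid, "->", uid if uid is not None else "outside configured range")
```

A `None` result for a SID means the domain range is too small for that account's RID, which is one case where the range numbers need adjusting.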