Mike Robbert
2023-Jun-26 16:02 UTC
[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN
On 6/24/23, 03:17, "samba" <samba-bounces at lists.samba.org> wrote:

> On 23/06/2023 19:08, Mike Robbert wrote:
>> Sorry about that, I typed and sent a full message, but it looks like the entire body got swallowed up in transit. Here is the full text again. Let's hope this one works.
>>
>> I have a server running CentOS 7.9 with the system provided Samba packages (4.10.16-24.el7_9). It is joined to an Active Directory domain and acting as a member server. The Active Directory domain has a user object with, among others, the following attributes defined:
>>
>> sAMAccountName = m12345678
>> gecos = Zach Detest
>> gidNumer = 12345678
>> uid = zach_detest
>> uidNumer = 12345678
>> unixHomeDirectory = /home/m12345678
>> userPrincipalName = zach_destest at domain.tld
>>
>> The smb.conf on the server looks like this:
>>
>> [global]
>> additional dns hostnames = dct-hanas-2.domain.tld
>
> Unless red-hat backported this, 'additional dns hostnames' didn't appear until Samba 4.11.0 at the earliest (I say that because I cannot find just when it was added, but it isn't in 'man smb.conf' for 4.10.x, but it is in 'man smb.conf' for 4.11.x).

RedHat must have backported this because it is in the man page and this line was not inserted manually by me, it was inserted when I joined the machine to the domain using 'net ads join'.

>> idmap config * : range = 1-999
>> idmap config addom : unix_primary_group = yes
>> idmap config addom : unix_nss_info = yes
>> idamp config addom : schema_mode = rfc2307
>> idmap config addom : backend = ad
>> idmap config addom : range = 1000-999999999
>> idmap config * : backend = tdb
>
> Do you mind if I ask why you are using such strange (to me) ranges ? They would seem to preclude having any local users and groups.

We don't have any local users other than the OS system users, which all fall under 1000. All other users are in AD.

> They are the attributes that work with user searches, however 'uid' (being a multi value ldap attribute) doesn't. This isn't just a Samba or Unix thing, Windows works in the same way.
>
> It looks to me (and I could be totally wrong) that sssd must have code that can use the 'uid' value and then set that as the owner of a file. If it is doing this, then how does it get around 'uid' being a multi valued attribute ?
>
> It is strange you have raised this, Stefan Kania raised virtually the same subject about a week ago and during this week, a bug report was listed:
>
> https://bugzilla.samba.org/show_bug.cgi?id=15399
>
> I replied to Stefan here:
>
> https://lists.samba.org/archive/samba/2023-June/245561.html
>
> Rowland

I did see Stefan's post and the replies, but it did not address the issue that I am asking about. I don't care about SSH access of users on this server and, while it may be a useful part of the solution, I am not asking about how users' file ownership is displayed from the console/CLI. This server is only used as a file server and I would like for users to be able to map SMB/CIFS shares by entering their UPN as the username. The log that I sent was from a connection where I tried that with my test user zach_detest at domain.tld

It looks like the server received that from the client here:

[2023/06/23 10:05:50.006889, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[zach_detest] domain=[domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254

Then when it checks the password against the AD domain it mangles the input by moving the UPN suffix to the AD domain field:

[2023/06/23 10:05:50.008789, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [domain.tld]\[zach_detest]@[ITS-MACBOOK09] with the new password interface

Which fails:

[2023/06/23 10:05:50.011820, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

It tries again using the correct AD domain name, but doesn't include the UPN suffix that was sent to it.

[2023/06/23 10:05:50.080011, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[zach_detest] domain=[ADDOM] workstation=[ITS-MACBOOK09] len1=24 len2=254

Fails again:

[2023/06/23 10:05:50.083899, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

It tries one last time with another mangling of the input:

[2023/06/23 10:05:50.171506, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[zach_detest] domain=[domain.tld@\server-dev.domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254

But still isn't sending the full UPN, so it fails again:

[2023/06/23 10:05:50.175367, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

Is there anything we can do in order to get Samba/winbind to try sending the full UPN that the user entered to the domain controller?

Thanks,
Mike
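An added example, not part of the thread and not Samba code: a small Python parser over the class=auth lines quoted in the message above, re-split into Samba's usual two-line layout (bracketed header line, then the indented message line). It pairs each ntlmssp_server_preauth entry with the auth.c verdict that follows it, records how auth.c recombined the user and domain fields before the password check, and flags attempts whose NTLMSSP domain field carries DNS-style text (a '.' or '@') instead of a short domain name, which is where the UPN suffix the user typed ended up in all three of the quoted attempts. It assumes only the three message formats visible in the quoted lines; the sample log is constructed from them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the class=auth entries quoted in the message above,
# re-split into Samba's header-line / message-line layout.
SAMPLE_LOG = r"""
[2023/06/23 10:05:50.006889,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[zach_detest] domain=[domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254
[2023/06/23 10:05:50.008789,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [domain.tld]\[zach_detest]@[ITS-MACBOOK09] with the new password interface
[2023/06/23 10:05:50.011820,  2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/06/23 10:05:50.080011,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[zach_detest] domain=[ADDOM] workstation=[ITS-MACBOOK09] len1=24 len2=254
[2023/06/23 10:05:50.083899,  2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/06/23 10:05:50.171506,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[zach_detest] domain=[domain.tld@\server-dev.domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254
[2023/06/23 10:05:50.175367,  2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
"""

# "[timestamp, level, pid=..., ..., class=X] source.c:NNN(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),"
    r"\s*pid=(?P<pid>\d+),.*?class=(?P<cls>\w+)\]\s+(?P<src>[^\s(]+)\((?P<func>\w+)\)\s*$"
)
# What the client put in the NTLMSSP user / domain / workstation fields.
PREAUTH_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] workstation=\[(?P<ws>[^\]]*)\]"
)
# How auth.c recombined those fields before checking the password.
CHECKING_RE = re.compile(
    r"Checking password for unmapped user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]"
)
# The verdict auth.c logged for the attempt.
RESULT_RE = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+), authoritative=(?P<auth>[01])"
)


@dataclass
class Attempt:
    ts: str
    user: str
    domain: str                      # NTLMSSP domain field exactly as the client sent it
    workstation: str
    checked_as: Optional[str] = None  # "domain\user@workstation" as auth.c logged it
    mapped_user: Optional[str] = None
    status: Optional[str] = None      # NT_STATUS_* verdict, None if no verdict was seen
    authoritative: Optional[bool] = None


def parse_auth_log(text: str) -> List[Attempt]:
    """Pair each ntlmssp_server_preauth entry with the auth.c lines that follow it."""
    attempts: List[Attempt] = []
    header = None  # fields of the last header line, waiting for its message line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            header = h.groupdict()
            continue
        if header is None or header["cls"] != "auth":
            header = None
            continue
        func, ts = header["func"], header["ts"]
        header = None
        if func == "ntlmssp_server_preauth":
            m = PREAUTH_RE.search(line)
            if m:
                attempts.append(Attempt(ts, m["user"], m["domain"], m["ws"]))
        elif func == "auth_check_ntlm_password" and attempts:
            cur = attempts[-1]
            m = CHECKING_RE.search(line)
            if m:
                cur.checked_as = f"{m['domain']}\\{m['user']}@{m['ws']}"
                continue
            m = RESULT_RE.search(line)
            if m and cur.status is None:
                cur.mapped_user = m["mapped"]
                cur.status = m["status"]
                cur.authoritative = m["auth"] == "1"
    return attempts


def domain_field_carries_upn_suffix(domain: str) -> bool:
    """True when the NTLMSSP domain field holds DNS-style text ('.' or '@') rather
    than a short domain name, i.e. the client moved the typed UPN suffix there."""
    return "." in domain or "@" in domain


def summarize(attempts: List[Attempt]) -> List[str]:
    """One line per attempt: user, domain field, flag, and the verdict."""
    rows = []
    for a in attempts:
        flag = "upn-suffix-in-domain" if domain_field_carries_upn_suffix(a.domain) else "short-domain"
        rows.append(f"{a.ts} user={a.user} domain={a.domain} [{flag}] -> {a.status or 'no verdict'}")
    return rows


if __name__ == "__main__":
    for row in summarize(parse_auth_log(SAMPLE_LOG)):
        print(row)
```

Run against a real log (log level 3 for the auth class is enough for the preauth lines, level 2 for the verdicts), the summary shows at a glance which attempts arrived with a DNS-style domain field and which short domain name Samba retried with; the checked_as field is the recombined [domain]\[user]@[workstation] string from auth.c and is only populated for the attempt where that line was logged.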
Rowland Penny
2023-Jun-26 16:38 UTC
[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN
On 26/06/2023 17:02, Mike Robbert via samba wrote:
> On 6/24/23, 03:17, "samba" <samba-bounces at lists.samba.org> wrote:
>
>> On 23/06/2023 19:08, Mike Robbert wrote:
>>> Sorry about that, I typed and sent a full message, but it looks like the entire body got swallowed up in transit. Here is the full text again. Let's hope this one works.
>>>
>>> I have a server running CentOS 7.9 with the system provided Samba packages (4.10.16-24.el7_9). It is joined to an Active Directory domain and acting as a member server. The Active Directory domain has a user object with, among others, the following attributes defined:
>>>
>>> sAMAccountName = m12345678
>>> gecos = Zach Detest
>>> gidNumer = 12345678
>>> uid = zach_detest
>>> uidNumer = 12345678
>>> unixHomeDirectory = /home/m12345678
>>> userPrincipalName = zach_destest at domain.tld
>>>
>>> The smb.conf on the server looks like this:
>>>
>>> [global]
>>> additional dns hostnames = dct-hanas-2.domain.tld
>>
>> Unless red-hat backported this, 'additional dns hostnames' didn't appear until Samba 4.11.0 at the earliest (I say that because I cannot find just when it was added, but it isn't in 'man smb.conf' for 4.10.x, but it is in 'man smb.conf' for 4.11.x).
>
> RedHat must have backported this because it is in the man page and this line was not inserted manually by me, it was inserted when I joined the machine to the domain using 'net ads join'.
>
>>> idmap config * : range = 1-999
>>> idmap config addom : unix_primary_group = yes
>>> idmap config addom : unix_nss_info = yes
>>> idamp config addom : schema_mode = rfc2307
>>> idmap config addom : backend = ad
>>> idmap config addom : range = 1000-999999999
>>> idmap config * : backend = tdb
>>
>> Do you mind if I ask why you are using such strange (to me) ranges ? They would seem to preclude having any local users and groups.
>
> We don't have any local users other than the OS system users, which all fall under 1000. All other users are in AD.

I take it that you do not use sudo and just log on as root when required.

The default range '*' is meant for the Well Known SIDs, the BUILTIN users and groups and anything outside the 'ADDOM' domain; you also have system users & groups that start at 0 and theoretically go up to 999.

>> They are the attributes that work with user searches, however 'uid' (being a multi value ldap attribute) doesn't. This isn't just a Samba or Unix thing, Windows works in the same way.
>>
>> It looks to me (and I could be totally wrong) that sssd must have code that can use the 'uid' value and then set that as the owner of a file. If it is doing this, then how does it get around 'uid' being a multi valued attribute ?
>>
>> It is strange you have raised this, Stefan Kania raised virtually the same subject about a week ago and during this week, a bug report was listed:
>>
>> Rowland
>
> I did see Stefan's post and the replies, but it did not address the issue that I am asking about. I don't care about SSH access of users on this server and, while it may be a useful part of the solution, I am not asking about how users' file ownership is displayed from the console/CLI. This server is only used as a file server and I would like for users to be able to map SMB/CIFS shares by entering their UPN as the username. The log that I sent was from a connection where I tried that with my test user zach_detest at domain.tld

I did some further testing using the standard UPN, i.e. username at dns.domain.tld. With chown, the command returned correctly, but when checked, the file was owned by the user's samaccountname.

I set up a user with a UPN 'user at example.com' and tried this; chown flat out refused to change the file ownership.

> It looks like the server received that from the client here:
>
> [2023/06/23 10:05:50.006889, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
>   Got user=[zach_detest] domain=[domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254
>
> Then when it checks the password against the AD domain it mangles the input by moving the UPN suffix to the AD domain field:
>
> [2023/06/23 10:05:50.008789, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user [domain.tld]\[zach_detest]@[ITS-MACBOOK09] with the new password interface
>
> Which fails:
>
> [2023/06/23 10:05:50.011820, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

Your problem there appears to be that you are trying to use the contents of the 'uid' attribute and (as far as I am aware) no tools use that attribute for authentication.

> It tries again using the correct AD domain name, but doesn't include the UPN suffix that was sent to it.
>
> [2023/06/23 10:05:50.080011, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
>   Got user=[zach_detest] domain=[ADDOM] workstation=[ITS-MACBOOK09] len1=24 len2=254
>
> Fails again:
>
> [2023/06/23 10:05:50.083899, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
>
> It tries one last time with another mangling of the input:
>
> [2023/06/23 10:05:50.171506, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
>   Got user=[zach_detest] domain=[domain.tld@\server-dev.domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254
>
> But still isn't sending the full UPN, so it fails again:
>
> [2023/06/23 10:05:50.175367, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
>
> Is there anything we can do in order to get Samba/winbind to try sending the full UPN that the user entered to the domain controller?

I do not think that winbind is reading the UPN from AD, I could be wrong though.

The problem is, as I said earlier, whilst you can feed a UPN to chown, the file ends up belonging to the user's samaccountname.

I personally do not think you can get Samba to do what you require, but I could be wrong and if I am, someone will explain where I am going wrong.

Rowland
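An added checker, not from the thread and not Samba's own code, for the idmap ranges Rowland questions above. It parses the idmap lines of the quoted smb.conf [global] section, reports ranges that overlap each other, reports ranges that collide with local account IDs taken from an /etc/passwd excerpt (the system users and groups from 0 to 999 that Rowland mentions), and flags any line whose key is not spelled 'idmap config', since Samba ignores parameters it does not recognise and the quoted config contains an 'idamp config addom : schema_mode' line. The smb.conf sample is the one quoted in the thread; the passwd excerpt is constructed and is not from the poster's server.

```python
import re
from typing import Dict, List, Tuple

# Sample: the [global] lines from the smb.conf quoted in the thread, including
# the 'idamp config' line exactly as posted.
SAMPLE_SMB_CONF = """\
[global]
additional dns hostnames = dct-hanas-2.domain.tld
idmap config * : range = 1-999
idmap config addom : unix_primary_group = yes
idmap config addom : unix_nss_info = yes
idamp config addom : schema_mode = rfc2307
idmap config addom : backend = ad
idmap config addom : range = 1000-999999999
idmap config * : backend = tdb
"""

# Constructed /etc/passwd excerpt with a few system accounts below 1000;
# not taken from the poster's server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
"""

# "idmap config <domain> : <option> = <value>". The key group is deliberately
# loose so that a misspelling such as 'idamp config' is reported, not skipped.
IDMAP_RE = re.compile(
    r"^(?P<key>[a-z]+\s+config)\s+(?P<dom>[^\s:]+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(smb_conf: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return {domain: {option: value}} plus warnings for idmap-looking lines
    whose key Samba would not recognise (and therefore would not apply)."""
    cfg: Dict[str, Dict[str, str]] = {}
    warnings: List[str] = []
    for raw in smb_conf.splitlines():
        line = raw.strip()
        m = IDMAP_RE.match(line)
        if not m:
            continue
        if m["key"].lower().split() != ["idmap", "config"]:
            warnings.append(f"'{line}': key '{m['key']}' is not 'idmap config', Samba will not apply it")
            continue
        cfg.setdefault(m["dom"], {})[m["opt"].lower()] = m["val"]
    return cfg, warnings


def parse_range(value: str) -> Tuple[int, int]:
    """'low-high' -> (low, high), rejecting an inverted range."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"range {value!r} has low > high")
    return lo, hi


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def local_ids(passwd: str) -> Dict[str, int]:
    """name -> uid from /etc/passwd-formatted text."""
    ids: Dict[str, int] = {}
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            ids[parts[0]] = int(parts[2])
    return ids


def check_idmap(smb_conf: str, passwd: str) -> List[str]:
    """Findings: unrecognised keys, domains without a range, ranges that overlap
    each other, and ranges that collide with local account IDs."""
    cfg, findings = parse_idmap_config(smb_conf)
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            findings.append(f"idmap config {dom}: no range set")
            continue
        ranges[dom] = parse_range(opts["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap each other")
    local = local_ids(passwd)
    for dom, (lo, hi) in ranges.items():
        clash = sorted(name for name, uid in local.items() if lo <= uid <= hi)
        if clash:
            findings.append(f"idmap config {dom} : range = {lo}-{hi} overlaps local accounts: {', '.join(clash)}")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF, SAMPLE_PASSWD):
        print(finding)
```

On the quoted config the checker reports two things: the 'idamp config' line, which means schema_mode never reaches Samba, and the '*' range 1-999 landing on top of the local system accounts. Because the addom range runs from 1000 to 999999999, the only place a '*' range can go without colliding with either is above that, which is the practical consequence of the ranges Rowland calls strange. Run it with the real smb.conf and /etc/passwd (and /etc/group for the gid side) before relying on the mapping.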