Hi samba list,

I work on a classicupgrade of our NT4/ldap domain.

On my tests (DC and filer are on FreeBSD and zfs file system, client is a Windows 10 22H2):

-> I'm able to do this classicupgrade and keep all users able to connect on computers with their domain account.

-> In a second step I configure samba DC to improve security and by the way I upgrade our FL to 2012_R2, schema to 69 and ad dc FL to 2016 (commented lines below are uncommented at this step):

smb.conf :
[global]
    netbios name = <DC NAME>
    realm = <realm>
    server role = active directory domain controller
    workgroup = <workgroup>
    idmap_ldb:use rfc2307 = yes
    dns forwarder = <resolvers>
    #ldap server require strong auth = yes
    #tls enabled = yes
    winbind enum users = yes
    ad dc functional level = 2016
    #server min protocol = SMB2_02
    restrict anonymous = 2
    #disable netbios = yes
    #smb ports = 445
    #printcap name = /dev/null
    #load printers = no
    #disable spoolss = yes
    #printing = bsd
    #ntlm auth = mschapv2-and-ntlmv2-only
    ntlm auth = yes
    #rpc server dynamic port range = 50000-55000
    #machine password timeout = 604800
    tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
    tls certfile = tls/<crt>
    tls keyfile = tls/<key>
    tls cafile = <ca>
    username map = /usr/local/etc/user.map

krb5.conf
[libdefaults]
    default_realm = <Realm>
    dns_lookup_realm = false
    dns_lookup_kdc = true
    #default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    #default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    #permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    <Realm> = {
        default_domain = <fqdn = realm>
    }
[domain_realm]
    <DC Name> = <Realm>

-> After a while (~2-3 days):
* I'm unable to logon with an AD account on the Win10 client; on the DC I have nothing in the log files.
* I'm able to access a share on the filer from the W10 client and on the DC (sysvol), and in the DC log I can see an entry about NTLM2 success log-in :

[2024/06/04 11:20:16.375698, 3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [<user>] at [Tue, 04 Jun 2024 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [<hostname>] remote host [ipv6<IP>:30676] became <user> [<SID>]. local host [ipv6<IP>:445]

* If I rejoin the Win10 to the domain nothing changes.
* If I change the user password, I'm able to open a session on the W10 and I see logs about kerberos authentication on the DC.
* If on the DC I do "kinit" for a user that has not had its password changed I'm able to take a

I suspect that my problem has a link with the FL upgrade to 2012_R2 and DC to 2016.

My questions :

1 - Do you think this problem comes from the FL upgrade ?
2 - Why can a user without password change get a kerberos ticket on the DC but seemingly not on the Win10 client ?
3 - Is there a way to allow fallback to ntlm2 when a session is opened on the client if kerberos doesn't work ?

PS: I have also this error in DC's winbind logs:
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

Content of /usr/local/etc/user.map :
!root = <short DOMAIN>\Administrator

Regards,
-- 
Havany
On Tue, 4 Jun 2024 12:48:07 +0200
Havany via samba <samba at lists.samba.org> wrote:

> Hi samba list,
>
> I work on a classicupgrade of our NT4/ldap domain.
>
> On my tests (DC and filer are on FreeBSD and zfs file system, client
> is a Windows 10 22H2):
>
> -> I'm able to do this classicupgrade and keep all users able to
> connect on computers with their domain account.
>
> -> In a second step I configure samba DC to improve security and by
> the way I upgrade our FL to 2012_R2, schema to 69 and ad dc FL to
> 2016 (commented lines below are uncommented at this step):
>
> smb.conf :
> [global]
> netbios name = <DC NAME>
> realm = <realm>
> server role = active directory domain controller
> workgroup = <workgroup>
> idmap_ldb:use rfc2307 = yes
> dns forwarder = <resolvers>

I hope the 'resolvers' are not in the same dns domain as the AD domain

> winbind enum users = yes

You do not require the 'winbind enum users' line, in fact, on large
domains, it can slow things down.

> ad dc functional level = 2016
> restrict anonymous = 2
> ntlm auth = yes

What do you need ntlm auth for ?

> tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
> tls certfile = tls/<crt>
> tls keyfile = tls/<key>
> tls cafile = <ca>
> username map = /usr/local/etc/user.map

Sorry, but you must not use a user.map on a DC, it breaks the mapping in
idmap.ldb, I suggest you remove the 'username map' line.

> krb5.conf
> [libdefaults]
> default_realm = <Realm>
> dns_lookup_realm = false
> dns_lookup_kdc = true
> #default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> #default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> #permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> [realms]
> <Realm> = {
> default_domain = <fqdn = realm>
> }
> [domain_realm]
> <DC Name> = <Realm>
>
> -> After a while (~2-3 days):
> * I'm unable to logon with an AD account on the Win10 client; on the
> DC I have nothing in the log files
> * I'm able to access a share on the filer from the W10 client and on
> the DC (sysvol), and in the DC log I can see an entry about NTLM2
> success log-in :
>
> [2024/06/04 11:20:16.375698, 3]
> ../../auth/auth_log.c:876(log_authentication_event_human_readable)
> Auth: [SMB2,NTLMSSP] user [<user>] at [Tue, 04 Jun 2024
> 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation
> [<hostname>] remote host [ipv6<IP>:30676] became <user> [<SID>].
> local host [ipv6<IP>:445]
>
> * If I rejoin the Win10 to the domain nothing changes
> * If I change the user password, I'm able to open a session on the W10
> and I see logs about kerberos authentication on the DC.
> * If on the DC I do "kinit" for a user that has not had its password
> changed I'm able to take a

I think there probably should be more to that last sentence.

> I suspect that my problem has a link with the FL upgrade to 2012_R2
> and DC to 2016.
>
> My questions :
>
> 1 - Do you think this problem comes from the FL upgrade ?

Probably not.

> 2 - Why can a user without password change get a kerberos ticket on
> the DC but seemingly not on the Win10 client ?

DNS, when something like this happens, it is usually dns.

> 3 - Is there a way to allow fallback to ntlm2 when a session is
> opened on the client if kerberos doesn't work ?

The problem is, that question should have been the opposite way around,
i.e. how to stop fallback. This is because that is how it is supposed to
work: fall back to NTLM.

> PS: I have also this error in DC's winbind logs:
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

That is very probably because of your user.map

> Content of /usr/local/etc/user.map :
> !root = <short DOMAIN>\Administrator

You need to remove it.

Rowland
Andrew Bartlett
2024-Jun-04 20:02 UTC
[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon
On Tue, 2024-06-04 at 12:48 +0200, Havany via samba wrote:
> Hi samba list,
> 
> I work on a classicupgrade of our NT4/ldap domain.
> 
> On my tests (DC and filer are on FreeBSD and zfs file system, client is
> a Windows 10 22H2):
> 
> -> I'm able to do this classicupgrade and keep all users able to connect
> on computers with their domain account.
> 
> -> In a second step I configure samba DC to improve security and by the
> way I upgrade our FL to 2012_R2, schema to 69 and ad dc FL to 2016
> (commented lines below are uncommented at this step):

> -> After a while (~2-3 days):
> * I'm unable to logon with an AD account on the Win10 client; on the DC
> I have nothing in the log files
> * I'm able to access a share on the filer from the W10 client and on the
> DC (sysvol), and in the DC log I can see an entry about NTLM2 success
> log-in :
> 
> [2024/06/04 11:20:16.375698, 3]
> ../../auth/auth_log.c:876(log_authentication_event_human_readable)
> Auth: [SMB2,NTLMSSP] user [<user>] at [Tue, 04 Jun 2024
> 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation
> [<hostname>] remote host [ipv6<IP>:30676] became <user> [<SID>]. local
> host [ipv6<IP>:445]
> 
> * If I rejoin the Win10 to the domain nothing changes
> * If I change the user password, I'm able to open a session on the W10 and
> I see logs about kerberos authentication on the DC.

I think what is happening is that the DC has only the NT hash for users
and computers, but that clients are expecting that the DC has an AES key
given the domain is in such a high FL.

> * If on the DC I do "kinit" for a user that has not had its password changed
> I'm able to take a

kinit on the DC will be honouring the krb5.conf settings, which may still
allow the AS-REQ with the rc4-hmac key.

> I suspect that my problem has a link with the FL upgrade to 2012_R2 and
> DC to 2016.
> 
> My questions :
> 
> 1 - Do you think this problem comes from the FL upgrade ?
> 2 - Why can a user without password change get a kerberos ticket on the
> DC but seemingly not on the Win10 client ?
> 3 - Is there a way to allow fallback to ntlm2 when a session is opened
> on the client if kerberos doesn't work ?

That final point (3) would be a question about client configuration, but
you really don't want that, you need to get to Kerberos as fast as
possible.

This is a complex situation, I would have expected it would still be
possible to keep user accounts working with just an NT hash (sadly), but
you would need to take network traces to show the clients still sending
that.

Also note that by updating the FL, FAST should now be used. This is
good, but might make the traces harder to interpret.

Due to the complexity of the migration (I presume you have a very large
domain otherwise you would have just changed the passwords) I suggest
working closely with your Samba commercial support provider to see if
anything can be done on Samba's side.

Otherwise leave the FL lower and set all the accounts to 'must change
password at next logon' would be my suggestion.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)          https://samba.org/~abartlet/
Samba Team Member (since 2001)    https://samba.org
Samba Team Lead                   https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
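Before taking network traces, the DC's own auth log already shows which clients never get past NTLM and which Kerberos logons still use an RC4 (NT hash derived) key. The following script is an added example, not code from this thread or from Samba: it parses auth_log.c lines of the shape quoted in Havany's post, and the sample lines, host addresses, users, SIDs and the weak enctype names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Samba's auth_log.c output quoted above.
SAMPLE_LOG = """\
Auth: [SMB2,NTLMSSP] user [EXAMPLE]\\[alice] at [Tue, 04 Jun 2024 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WS01] remote host [ipv4:192.0.2.10:30676] became [EXAMPLE]\\[alice] [S-1-5-21-1-2-3-1105]. local host [ipv4:192.0.2.1:445]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [EXAMPLE]\\[bob] at [Tue, 04 Jun 2024 11:21:02.000000 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.0.2.11:51234] became [EXAMPLE]\\[bob] [S-1-5-21-1-2-3-1106]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [EXAMPLE]\\[carol] at [Tue, 04 Jun 2024 11:22:40.000000 CEST] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.0.2.12:51300] became [EXAMPLE]\\[carol] [S-1-5-21-1-2-3-1107]. local host [NULL]
"""

AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]+)\] user (?P<user>.*?) at \[[^\]]*\] "
    r"with \[(?P<mech>[^\]]+)\] status \[(?P<status>[^\]]+)\] "
    r"workstation \[[^\]]*\] remote host \[(?P<remote>[^\]]+)\]"
)
# Enctypes that only work because the account still has just an NT hash (RC4) or DES keys; names assumed.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "rc4-hmac", "des-cbc-crc", "des-cbc-md5"}

def client_address(remote_field):
    """'ipv4:192.0.2.10:30676' -> '192.0.2.10'; also handles 'ipv6:<addr>:port'."""
    without_port = remote_field.rsplit(":", 1)[0]
    return without_port.split(":", 1)[1] if without_port[:5] in ("ipv4:", "ipv6:") else without_port

def summarize(log_text):
    """Per client address: successful NTLM/Kerberos counts and the Kerberos enctypes seen."""
    hosts = defaultdict(lambda: {"ntlm": 0, "krb5": 0, "enctypes": set(), "users": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or m["status"] != "NT_STATUS_OK":
            continue  # only successful logons tell us which mechanism the client settled on
        entry = hosts[client_address(m["remote"])]
        entry["users"].add(m["user"])
        if m["service"].startswith("Kerberos KDC"):
            entry["krb5"] += 1
            entry["enctypes"].add(m["mech"])
        elif "NTLMSSP" in m["service"]:
            entry["ntlm"] += 1
    return hosts

def findings(hosts):
    """Flag clients that never reach Kerberos, and Kerberos logons made with a weak key."""
    out = []
    for addr, e in sorted(hosts.items()):
        if e["ntlm"] and not e["krb5"]:
            out.append(f"{addr}: {e['ntlm']} NTLM logon(s), no Kerberos seen; users {sorted(e['users'])}")
        weak = sorted(e["enctypes"] & WEAK_ENCTYPES)
        if weak:
            out.append(f"{addr}: Kerberos logon with weak enctype {weak}")
    return out
```

Run it over a real log with `findings(summarize(open("/var/log/samba/log.samba").read()))`; a client that keeps appearing in the first kind of finding is one whose accounts still need their passwords changed so the DC gets AES keys.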