[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN

Mike Robbert mrobbert at mines.edu
Fri Jun 23 18:08:45 UTC 2023


Sorry about that. I typed and sent a full message, but it looks like the entire body got swallowed up in transit. Here is the full text again. Let's hope this one works.

I have a server running CentOS 7.9 with the system-provided Samba packages (4.10.16-24.el7_9). It is joined to an Active Directory domain and acting as a member server. The Active Directory domain has a user object with, among others, the following attributes defined:
sAMAccountName = m12345678
gecos = Zach Detest
gidNumber = 12345678
uid = zach_detest
uidNumber = 12345678
unixHomeDirectory = /home/m12345678
userPrincipalName = zach_destest at domain.tld

The smb.conf on the server looks like this:

[global]
        additional dns hostnames = dct-hanas-2.domain.tld
        debug class = Yes
        debug pid = Yes
        debug uid = Yes
        disable spoolss = Yes
        kerberos method = secrets and keytab
        load printers = No
        local master = No
        log file = /var/log/samba/log.%I
        max log size = 0
        netbios name = SERVER-DEV
        nt pipe support = No
        printcap name = /dev/null
        realm = ADDOM.DOMAIN.TLD
        security = ADS
        server min protocol = SMB2
        server string = Fileserver %m
        template homedir = /home/%U@%D
        template shell = /bin/bash
        unix extensions = No
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = ADDOM
        fruit:nfs_aces = no
        idmap config * : range = 1-999
        idmap config addom : unix_primary_group = yes
        idmap config addom : unix_nss_info = yes
        idmap config addom : schema_mode = rfc2307
        idmap config addom : backend = ad
        idmap config addom : range = 1000-999999999
        idmap config * : backend = tdb
        acl group control = Yes
        create mask = 0664
        directory mask = 0775
        dos filemode = Yes
        force create mode = 0664
        force directory mode = 0775
        include = /etc/samba/samba-shares.share
        map acl inherit = Yes
        nt acl support = No
        printing = bsd
        read only = No
        vfs objects = catia fruit streams_xattr


[test-open]
        path = /tmp/test-open

Both wbinfo and getent work to resolve this user's information using either the sAMAccountName or the UPN:

[root at dct-hanas-2 samba]# wbinfo -i m12345678
m12345678:*:12345678:12345678:Zach Detest:/home/m12345678:/bin/bash
[root at dct-hanas-2 samba]# wbinfo -i zach_detest at domain.tld
m12345678:*:12345678:12345678:Zach Detest:/home/m12345678:/bin/bash

[root at dct-hanas-2 samba]# getent passwd m12345678
m12345678:*:12345678:12345678:Zach Detest:/home/m12345678:/bin/bash
[root at dct-hanas-2 samba]# getent passwd zach_detest at domain.tld
m12345678:*:12345678:12345678:Zach Detest:/home/m12345678:/bin/bash

As expected, resolving by the uid field does not work:
[root at dct-hanas-2 samba]# wbinfo -i zach_detest
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user zach_detest
[root at dct-hanas-2 samba]# getent passwd zach_detest

I am able to map the share from a client host using the sAMAccountName, but the problem is that we want the users to be able to use either their uid or UPN, and mapping using those usernames doesn't work.

Below are the logs from log level 3 for an authentication attempt using the username zach_detest at domain.tld:

[2023/06/23 10:05:49.969713,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2023/06/23 10:05:50.006889,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[zach_detest] domain=[domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254
[2023/06/23 10:05:50.007015,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:3881(lp_load_ex)
  lp_load_ex: refreshing parameters
[2023/06/23 10:05:50.007181,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2023/06/23 10:05:50.007415,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:2795(lp_do_section)
  Processing section "[global]"
[2023/06/23 10:05:50.008547,  2, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:2812(lp_do_section)
  Processing section "[test-open]"
[2023/06/23 10:05:50.008692,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:1630(lp_add_ipc)
  adding IPC service
[2023/06/23 10:05:50.008789,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [domain.tld]\[zach_detest]@[ITS-MACBOOK09] with the new password interface
[2023/06/23 10:05:50.008831,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [domain.tld]\[zach_detest]@[ITS-MACBOOK09]
[2023/06/23 10:05:50.011740,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'zach_detest' in passdb.
[2023/06/23 10:05:50.011820,  2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/06/23 10:05:50.011932,  2, pid=22679, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [domain.tld]\[zach_detest] at [Fri, 23 Jun 2023 10:05:50.011889 MDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [ITS-MACBOOK09] remote host [ipv4:138.67.168.73:51158] mapped to [domain.tld]\[zach_detest]. local host [ipv4:138.67.209.40:445]
  {"timestamp": "2023-06-23T10:05:50.012231-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:138.67.209.40:445", "remoteAddress": "ipv4:138.67.168.73:51158", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "domain.tld", "clientAccount": "zach_detest", "workstation": "ITS-MACBOOK09", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "zach_detest", "mappedDomain": "domain.tld", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 42977}}
[2023/06/23 10:05:50.012555,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/spnego.c:1444(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
[2023/06/23 10:05:50.012663,  3, pid=22679, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2023/06/23 10:05:50.048193,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2023/06/23 10:05:50.080011,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[zach_detest] domain=[ADDOM] workstation=[ITS-MACBOOK09] len1=24 len2=254
[2023/06/23 10:05:50.080110,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:3881(lp_load_ex)
  lp_load_ex: refreshing parameters
[2023/06/23 10:05:50.080222,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2023/06/23 10:05:50.080443,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:2795(lp_do_section)
  Processing section "[global]"
[2023/06/23 10:05:50.081499,  2, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:2812(lp_do_section)
  Processing section "[test-open]"
[2023/06/23 10:05:50.081635,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:1630(lp_add_ipc)
  adding IPC service
[2023/06/23 10:05:50.081811,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [ADDOM]\[zach_detest]@[ITS-MACBOOK09] with the new password interface
[2023/06/23 10:05:50.081886,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [ADDOM]\[zach_detest]@[ITS-MACBOOK09]
[2023/06/23 10:05:50.083899,  2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/06/23 10:05:50.084007,  2, pid=22679, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [ADDOM]\[zach_detest] at [Fri, 23 Jun 2023 10:05:50.083982 MDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [ITS-MACBOOK09] remote host [ipv4:138.67.168.73:51158] mapped to [ADDOM]\[zach_detest]. local host [ipv4:138.67.209.40:445]
  {"timestamp": "2023-06-23T10:05:50.084307-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:138.67.209.40:445", "remoteAddress": "ipv4:138.67.168.73:51158", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ADDOM", "clientAccount": "zach_detest", "workstation": "ITS-MACBOOK09", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "zach_detest", "mappedDomain": "ADDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 36356}}
[2023/06/23 10:05:50.084448,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/spnego.c:1444(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
[2023/06/23 10:05:50.084538,  3, pid=22679, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2023/06/23 10:05:50.141119,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2023/06/23 10:05:50.171506,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[zach_detest] domain=[domain.tld@\server-dev.domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254
[2023/06/23 10:05:50.171601,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:3881(lp_load_ex)
  lp_load_ex: refreshing parameters
[2023/06/23 10:05:50.171700,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2023/06/23 10:05:50.171865,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:2795(lp_do_section)
  Processing section "[global]"
[2023/06/23 10:05:50.172995,  2, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:2812(lp_do_section)
  Processing section "[test-open]"
[2023/06/23 10:05:50.173124,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:1630(lp_add_ipc)
  adding IPC service
[2023/06/23 10:05:50.173179,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [domain.tld@\server-dev.domain.tld]\[zach_detest]@[ITS-MACBOOK09] with the new password interface
[2023/06/23 10:05:50.173220,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [domain.tld@\server-dev.domain.tld]\[zach_detest]@[ITS-MACBOOK09]
[2023/06/23 10:05:50.175303,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'zach_detest' in passdb.
[2023/06/23 10:05:50.175367,  2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/06/23 10:05:50.175442,  2, pid=22679, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [domain.tld@\\server-dev.domain.tld]\[zach_detest] at [Fri, 23 Jun 2023 10:05:50.175418 MDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [ITS-MACBOOK09] remote host [ipv4:138.67.168.73:51158] mapped to [domain.tld@\\server-dev.domain.tld]\[zach_detest]. local host [ipv4:138.67.209.40:445]
  {"timestamp": "2023-06-23T10:05:50.175524-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:138.67.209.40:445", "remoteAddress": "ipv4:138.67.168.73:51158", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": domain.tld@\\server-dev.domain.tld, "clientAccount": "zach_detest", "workstation": "ITS-MACBOOK09", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "zach_detest", "mappedDomain": domain.tld@\\server-dev.domain.tld, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 34608}}
[2023/06/23 10:05:50.175644,  3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/spnego.c:1444(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
[2023/06/23 10:05:50.175732,  3, pid=22679, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2023/06/23 10:05:52.335644,  3, pid=22679, effective(0, 0), real(0, 0)] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

How can we get UPN authentication working?
Hopefully this problem is fully described well enough that this isn’t a guessing game, but if I missed any important information, please let me know what you’d like to see and I will happily provide it.
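An added example, not part of the post above, that reads Samba's auth_audit JSON lines like the three in the log excerpt and summarises how the client presented the name on each attempt. In the excerpt the NTLMSSP server receives user=[zach_detest] with the domain part set to domain.tld, then ADDOM, then domain.tld@\server-dev.domain.tld, i.e. the client splits the UPN at the '@' before it ever reaches smbd, and every attempt ends in NT_STATUS_NO_SUCH_USER. Parsing the audit records makes that visible without reading every debug line, and the same per-host counter is what you would alert on for a stream of unknown-user failures. The sample lines are constructed, abbreviated to the fields used, and the third is kept malformed in the same way as the original (Samba 4.10 writes the clientDomain/mappedDomain value unquoted when it contains a backslash), which the parser handles with a regex fallback. Python and the function names are my choice; the field names are the ones in the log above.

```python
import json
import re
from collections import Counter

# Constructed sample input: three Samba auth_audit JSON lines abbreviated to
# the fields used below, mirroring the three attempts in the log excerpt.
# The third is deliberately malformed like the original: clientDomain and
# mappedDomain are emitted unquoted, so json.loads() rejects the whole line.
AUDIT_LINES = [
    r'''{"timestamp": "2023-06-23T10:05:50.012231-0600", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:138.67.209.40:445", "remoteAddress": "ipv4:138.67.168.73:51158", "serviceDescription": "SMB2", "clientDomain": "domain.tld", "clientAccount": "zach_detest", "workstation": "ITS-MACBOOK09", "mappedAccount": "zach_detest", "mappedDomain": "domain.tld", "passwordType": "NTLMv2"}}''',
    r'''{"timestamp": "2023-06-23T10:05:50.084307-0600", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:138.67.209.40:445", "remoteAddress": "ipv4:138.67.168.73:51158", "serviceDescription": "SMB2", "clientDomain": "ADDOM", "clientAccount": "zach_detest", "workstation": "ITS-MACBOOK09", "mappedAccount": "zach_detest", "mappedDomain": "ADDOM", "passwordType": "NTLMv2"}}''',
    r'''{"timestamp": "2023-06-23T10:05:50.175524-0600", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:138.67.209.40:445", "remoteAddress": "ipv4:138.67.168.73:51158", "serviceDescription": "SMB2", "clientDomain": domain.tld@\\server-dev.domain.tld, "clientAccount": "zach_detest", "workstation": "ITS-MACBOOK09", "mappedAccount": "zach_detest", "mappedDomain": domain.tld@\\server-dev.domain.tld, "passwordType": "NTLMv2"}}''',
]

# Fields the fallback scraper pulls out of a line json.loads() cannot parse.
STRING_FIELDS = ("status", "clientDomain", "clientAccount", "mappedDomain",
                 "mappedAccount", "remoteAddress", "workstation", "passwordType")


def scrape_fields(line):
    """Fallback parser: extract the fields above with a regex that accepts
    both quoted and unquoted values (the unquoted form is the Samba quirk)."""
    rec = {}
    for key in STRING_FIELDS:
        m = re.search(r'"%s":\s*("?)([^",}]*)\1' % key, line)
        if m:
            rec[key] = m.group(2)
    m = re.search(r'"eventId":\s*(\d+)', line)
    if m:
        rec["eventId"] = int(m.group(1))
    rec["malformed"] = True
    return rec


def parse_audit_line(line):
    """Return the inner 'Authentication' object of one auth_audit line,
    flagging whether the regex fallback had to be used."""
    line = line.strip()
    try:
        rec = dict(json.loads(line)["Authentication"])
        rec["malformed"] = False
        return rec
    except (ValueError, KeyError, TypeError):
        return scrape_fields(line)


def logon_attempts(lines):
    """Summarise each event as (client domain, client account, status) so
    the name forms the client tried can be read off in order."""
    out = []
    for line in lines:
        rec = parse_audit_line(line)
        out.append((rec.get("clientDomain"), rec.get("clientAccount"), rec.get("status")))
    return out


def no_such_user_by_host(lines):
    """Count NT_STATUS_NO_SUCH_USER events per remote host. A burst from one
    host against one account is what a wrong name form looks like here; the
    same counter is the thing to threshold on for a host that keeps probing
    accounts the server cannot resolve."""
    counts = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec.get("status") == "NT_STATUS_NO_SUCH_USER":
            counts[rec.get("remoteAddress")] += 1
    return counts


if __name__ == "__main__":
    for domain, account, status in logon_attempts(AUDIT_LINES):
        print(f"{domain}\\{account}: {status}")
    print(dict(no_such_user_by_host(AUDIT_LINES)))
```

Run against a real log.%I file, feed only the lines that start with `{"timestamp"` to the two functions; everything else in the file is the human-readable debug output and is not JSON.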

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Sent: Friday, June 23, 2023 10:23
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: [EXTERNAL] Re: [Samba] Unable to authenticate to share using UPN



On 23/06/2023 17:15, Mike Robbert via samba wrote:




Mike, you are going to have to write something in your posts, we are not
mindreaders :-)

What have you tried ? On what OS, with what version of Samba ?

Rowland
