[Samba] User cannot change password
Kees van Vloten
keesvanvloten at gmail.com
Thu Feb 22 12:02:55 UTC 2024
Hi Team,
I am running Samba 4.19.4 on bookworm, clients are Windows 10 22H2 with
automatic win-updates enabled.
The [global] section of smb.conf:
[global]
netbios name = DC01
realm = EXAMPLE.COM
server role = active directory domain controller
server services = -dns
workgroup = EXAMPLE
kerberos method = secrets and keytab
kerberos encryption types = strong
rpc server dynamic port range = 50000-55000
ntlm auth = mschapv2-and-ntlmv2-only
disable netbios = yes
template homedir = /home/%U
template shell = /bin/bash
tls enabled = yes
tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
tls cafile = /etc/ssl/certs/ca.pem
tls keyfile = /var/lib/samba/private/tls/dc01.example.com.key
tls certfile = /etc/ssl/certs/dc01.example.com.crt
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb ports = 445
smbd profiling level = on
server min protocol = SMB3_11
client min protocol = SMB3_11
restrict anonymous = 2
map acl inherit = yes
panic action = /usr/share/samba/panic-action %d
server smb encrypt = desired
interfaces = lo eth0
bind interfaces only = yes
allow dns updates = disabled
ldap server require strong auth = yes
ldap ssl = start tls
dedicated keytab file = /var/lib/samba/private/secrets.keytab
log level = 3 winbind:2 auth_json_audit:3@/var/log/samba/audit_auth.log
full_audit:success = open fsync_recv fsync_send ftruncate pwrite pwrite_recv pwrite_send renameat unlinkat write
full_audit:failure = open pread read
full_audit:prefix = samba: IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local6
full_audit:priority = NOTICE
idmap config *:range = 1000000-1999999
host msdfs = yes
max log size = 0
vfs objects = dfs_samba4, acl_xattr, full_audit
tls crlfile = /etc/ssl/certs/crl.pem
tls dh params file = /etc/ssl/certs/dhparam.pem
Now a user has an interesting issue: she can log in on Windows without
issues, but when changing the password Windows complains that the password
is wrong.
In log.samba on the DC, I see this:
[2024/02/22 12:15:57.646475, 3] auth/auth_log.c:858(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[user1@EXAMPLE] at [Thu, 22 Feb 2024 12:15:57.646467 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.0.211:50757] became [EXAMPLE]\[user1] [S-1-5-21-1366037735-1163107043-795354949-1003]. local host [NULL]
[2024/02/22 12:15:57.646564, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.020364
[2024/02/22 12:15:57.646571, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ SUCCESS ipv4:192.168.0.211:50757 user1@EXAMPLE kadmin/changepw@EXAMPLE pa=ENC-TS etype=18/18 canon_client_name=user1@EXAMPLE.COM pac_attributes=1 pa-etype=18 client-pa=ENC-TS,128 end=1708600677 auth=1708600557 etypes=18,17,23,24,-135,3 renew=1709205357 pa-succeeded-kvno=19 reqaddrs=TYPE_20:50433131312020202020202020202020 elapsed=0.020364 flags=renewable-ok,canonicalize,renewable,forwardable
[2024/02/22 12:15:57.647409, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2024/02/22 12:15:57.648670, 3] auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: user1 [User One]
[2024/02/22 12:15:57.653002, 3] lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of privilege.ldb
[2024/02/22 12:15:57.653253, 1] source4/kdc/kpasswd-service-heimdal.c:297(kpasswd_handle_request)
  kpasswd_handle_request: String conversion failed!
[2024/02/22 12:15:57.654054, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
This is interesting: kpasswd_handle_request: String conversion failed!
It is the only clue in the server logging that something is not alright,
as far as I can see.
The audit_auth.log does not report any issues:
{"timestamp": "2024-02-22T12:15:33.140169+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "19e950ca59b91207", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.0.211:50753", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "user1@EXAMPLE", "workstation": null, "becameAccount": "user1", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-1366037735-1163107043-795354949-1003", "mappedAccount": "user1", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 13086}}
{"timestamp": "2024-02-22T12:15:33.150004+0100", "type": "KDC Authorization", "KDC Authorization": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.0.211:50754", "serviceDescription": "host/pc11.exmaple.com@EXAMPLE.COM", "authType": "TGS-REQ with Ticket-Granting Ticket", "domain": "EXAMPLE", "account": "user1", "sid": "S-1-5-21-1366037735-1163107043-795354949-1003", "logonServer": "DC01", "authTime": "2024-02-22T12:15:33.141814+0100", "serverPolicyAccessCheck": null}}
{"timestamp": "2024-02-22T12:15:57.646491+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "979e535fc7a6536d", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.0.211:50757", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "user1@EXAMPLE", "workstation": null, "becameAccount": "user1", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-1366037735-1163107043-795354949-1003", "mappedAccount": "user1", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 20296}}
Any ideas what is going wrong here?
- Kees.