ldap simple bind problem after upgrade from 4.14 to 4.15
Dr. Hansjörg Maurer
hansjoerg.maurer at itsd.de
Fri May 20 09:12:40 UTC 2022
Hi
we upgraded a 4.14.12 AD-DC to 4.15.7 and after the upgrade all LDAP
searches with simple bind failed with
A command-line ldap search (working before; user and domain information
replaced) shows
ldapsearch -x -D "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de" -W -H ldap://192.168.0.1:389 -b "CN=Users,DC=xxx,DC=yyy,DC=de" -s sub 'uid=ccc'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 531, v1db1
During the bind, Samba logs (user and domain information replaced as above):
{"timestamp": "2022-05-20T08:38:09.967130+0200", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status":
"NT_STATUS_INVALID_WORKSTATION", "localAddress": "ipv4:192.168.0.1:389",
"remoteAddress": "ipv4:192.168.0.10:56620", "serviceDescription":
"LDAP", "authDescription": "simple bind", "clientDomain": "DOM",
"clientAccount": "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation":
"DC01", "becameAccount": null, "becameDomain": null, "becameSid": null,
"mappedAccount": "user", "mappedDomain": "DOM", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
null, "passwordType": "Plaintext", "duration": 2301}}
[2022/05/20 08:38:09.969011, 3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection -
'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
{"timestamp": "2022-05-20T08:38:09.969592+0200", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status":
"NT_STATUS_INVALID_WORKSTATION", "localAddress": "ipv4:192.168.0.1:389",
"remoteAddress": "ipv4:192.168.0.10:56618", "serviceDescription":
"LDAP", "authDescription": "simple bind", "clientDomain": "DOM",
"clientAccount": "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation":
"DC01", "becameAccount": null, "becameDomain": null, "becameSid": null,
"mappedAccount": "user", "mappedDomain": "DOM", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
null, "passwordType": "Plaintext", "duration": 2406}}
[2022/05/20 08:38:09.969921, 3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection -
'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2022/05/20 08:38:10.970860, 3]
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2022/05/20 08:38:10.974556, 3]
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2022/05/20 08:38:10.976832, 3]
../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user
[DOM]\[user]@[DC01]
auth_check_password_send: user is: [DOM]\[user]@[DC01]
[2022/05/20 08:38:10.977700, 2]
../../source4/auth/ntlm/auth.c:401(auth_check_password_recv)
auth_check_password_recv: sam authentication for user [DOM\user]
FAILED with error NT_STATUS_INVALID_WORKSTATION, authoritative=1
[2022/05/20 08:38:10.977778, 2]
../../auth/auth_log.c:665(log_authentication_event_human_readable)
Auth: [LDAP,simple bind] user
[ITSYSTEMS]\[CN=user,CN=Users,DC=xxx,DC=yyy,DC=de] at [Fri, 20 May 2022
08:38:10.977761 CEST] with [Plaintext] status
[NT_STATUS_INVALID_WORKSTATION] workstation [DC01] remote host
[ipv4:192.168.0.10:56622] mapped to [DOM]\[user]. local host
[ipv4:192.168.0.1:389]
In smb.conf,
ldap server require strong auth = no
is set.
I downgraded to 4.14 and it worked again.
The domain above is a rather old one, migrated from a Samba NT DC with an
OpenLDAP backend many years ago.
I tried to set up a fresh 4.14 AD-DC test system, migrated it to 4.15, and
the problem does not occur.
What does NT_STATUS_INVALID_WORKSTATION mean, and could the problem be
DNS-related?
Even if the problem is not general, I hesitate to upgrade additional
systems...
Regards
Hansjörg
--
Dr. Hansjörg Maurer
itsystems Deutschland AG
Erzgießereistr. 22
80335 München
Tel: +49-89-52 04 68-41
Fax: +49-89-52 04 68-59
E-Mail: hansjoerg.maurer at itsd.de
Web: http://www.itsd.de
Munich Local Court HRB 132146
VAT ID DE 812991301
Tax no. 143/100/81575
Chairman of the Supervisory Board:
Stefan Adam
Management Board:
Dr. Michael Krocka
Dr. Hansjörg Maurer
----------------------------
Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.
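An added example, not part of the post, that triages Samba's JSON authentication audit records of the kind quoted above: it skips the interleaved human-readable debug lines, counts failed logons (eventId 4625) by service, bind type, status and workstation, and attaches the standard NTSTATUS meaning. The sample log lines are constructed from the post's redacted output; the status hints are the documented NTSTATUS/LDAP "data" meanings, not anything read from the post.

```python
"""Triage Samba JSON auth audit lines (added example; constructed sample data)."""
import json
from collections import Counter

# Constructed sample modelled on the post: two JSON audit records with a
# human-readable debug line interleaved, as they appear in log.samba.
SAMPLE_LOG = """\
{"timestamp": "2022-05-20T08:38:09.967130+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonType": 8, "status": "NT_STATUS_INVALID_WORKSTATION", "localAddress": "ipv4:192.168.0.1:389", "remoteAddress": "ipv4:192.168.0.10:56620", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientAccount": "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation": "DC01", "mappedAccount": "user", "mappedDomain": "DOM", "passwordType": "Plaintext", "duration": 2301}}
[2022/05/20 08:38:09.969011, 3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
{"timestamp": "2022-05-20T08:38:09.969592+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonType": 8, "status": "NT_STATUS_INVALID_WORKSTATION", "localAddress": "ipv4:192.168.0.1:389", "remoteAddress": "ipv4:192.168.0.10:56618", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientAccount": "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation": "DC01", "mappedAccount": "user", "mappedDomain": "DOM", "passwordType": "Plaintext", "duration": 2406}}
"""

# Documented meaning of the NTSTATUS values most often seen on failed binds,
# with the LDAP "data" sub-code the client sees in the bind error.
STATUS_HINTS = {
    "NT_STATUS_INVALID_WORKSTATION": "0xC0000070 / LDAP data 531: the account may not "
        "log on from the source workstation; compare the account's userWorkstations "
        "restriction with the 'workstation' field of the record",
    "NT_STATUS_WRONG_PASSWORD": "0xC000006A / LDAP data 52e: bad password",
    "NT_STATUS_NO_SUCH_USER": "0xC0000064 / LDAP data 525: account not found",
}


def parse_auth_events(log_text):
    """Return the 'Authentication' payload of every JSON audit line; skip the rest."""
    events = []
    for line in log_text.splitlines():
        if not line.startswith("{"):
            continue  # human-readable debug output, not a JSON audit record
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON line
        if rec.get("type") == "Authentication":
            events.append(rec["Authentication"])
    return events


def summarize_failures(events):
    """Count failed logons (eventId 4625) by (service, bind type, status, workstation)."""
    counts = Counter()
    for ev in events:
        if ev.get("eventId") != 4625:
            continue
        key = (ev.get("serviceDescription"), ev.get("authDescription"),
               ev.get("status"), ev.get("workstation"))
        counts[key] += 1
    return counts


def explain(status):
    """Human-readable hint for a status, or a generic pointer for unknown ones."""
    return STATUS_HINTS.get(status, "unlisted NTSTATUS value; look it up in the NTSTATUS table")
```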