ldap simple bind problem after upgrade from 4.14 to 4.15

Dr. Hansjörg Maurer hansjoerg.maurer at itsd.de
Fri May 20 09:12:40 UTC 2022


Hi

we upgraded a 4.14.12 AD DC to 4.15.7, and after the upgrade all LDAP 
searches with simple bind failed with

A command-line ldapsearch (working before; user and domain information 
replaced) shows:
ldapsearch -x -D "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de" -W -H ldap://192.168.0.1:389 -b "CN=Users,DC=xxx,DC=yyy,DC=de" -s sub 'uid=ccc'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
         additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1



During the bind, the Samba logs show (user and domain information replaced as above):


   {"timestamp": "2022-05-20T08:38:09.967130+0200", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status": 
"NT_STATUS_INVALID_WORKSTATION", "localAddress": "ipv4:192.168.0.1:389", 
"remoteAddress": "ipv4:192.168.0.10:56620", "serviceDescription": 
"LDAP", "authDescription": "simple bind", "clientDomain": "DOM", 
"clientAccount": "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation": 
"DC01", "becameAccount": null, "becameDomain": null, "becameSid": null, 
"mappedAccount": "user", "mappedDomain": "DOM", "netlogonComputer": 
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": 
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": 
null, "passwordType": "Plaintext", "duration": 2301}}
[2022/05/20 08:38:09.969011,  3] 
../../source4/samba/service_stream.c:67(stream_terminate_connection)
   stream_terminate_connection: Terminating connection - 
'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
   {"timestamp": "2022-05-20T08:38:09.969592+0200", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status": 
"NT_STATUS_INVALID_WORKSTATION", "localAddress": "ipv4:192.168.0.1:389", 
"remoteAddress": "ipv4:192.168.0.10:56618", "serviceDescription": 
"LDAP", "authDescription": "simple bind", "clientDomain": "DOM", 
"clientAccount": "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation": 
"DC01", "becameAccount": null, "becameDomain": null, "becameSid": null, 
"mappedAccount": "user", "mappedDomain": "DOM", "netlogonComputer": 
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": 
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": 
null, "passwordType": "Plaintext", "duration": 2406}}
[2022/05/20 08:38:09.969921,  3] 
../../source4/samba/service_stream.c:67(stream_terminate_connection)
   stream_terminate_connection: Terminating connection - 
'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2022/05/20 08:38:10.970860,  3] 
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2022/05/20 08:38:10.974556,  3] 
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2022/05/20 08:38:10.976832,  3] 
../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
   auth_check_password_send: Checking password for unmapped user 
[DOM]\[user]@[DC01]
   auth_check_password_send: user is: [DOM]\[user]@[DC01]
[2022/05/20 08:38:10.977700,  2] 
../../source4/auth/ntlm/auth.c:401(auth_check_password_recv)
   auth_check_password_recv: sam authentication for user [DOM\user] 
FAILED with error NT_STATUS_INVALID_WORKSTATION, authoritative=1
[2022/05/20 08:38:10.977778,  2] 
../../auth/auth_log.c:665(log_authentication_event_human_readable)
   Auth: [LDAP,simple bind] user 
[ITSYSTEMS]\[CN=user,CN=Users,DC=xxx,DC=yyy,DC=de] at [Fri, 20 May 2022 
08:38:10.977761 CEST] with [Plaintext] status 
[NT_STATUS_INVALID_WORKSTATION] workstation [DC01] remote host 
[ipv4:192.168.0.10:56622] mapped to [DOM]\[user]. local host 
[ipv4:192.168.0.1:389]


In smb.conf,
         ldap server require strong auth = no
is set.

I downgraded to 4.14 and it worked again.

The domain above is a rather old one, migrated from a Samba NT DC with an 
OpenLDAP backend many years ago.

I tried to set up a fresh 4.14 AD DC test system and migrated it to 4.15, and 
the problem does not occur there.

What does NT_STATUS_INVALID_WORKSTATION mean, and could the problem be DNS-related?

Even if the problem is not general, I hesitate to upgrade additional 
systems...


Regards

Hansjörg






-- 
Dr. Hansjörg Maurer
itsystems Deutschland AG
Erzgießereistr. 22
80335 München
Tel:   +49-89-52 04 68-41
Fax:   +49-89-52 04 68-59
E-Mail: hansjoerg.maurer at itsd.de
Web:    http://www.itsd.de


Amtsgericht München HRB 132146
USt-IdNr. DE 812991301
Steuer-Nr. 143/100/81575

Chairman of the Supervisory Board:
Stefan Adam
Management Board:
Dr. Michael Krocka
Dr. Hansjörg Maurer



----------------------------
Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at itsd.de.
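The audit records quoted above are JSON, so they can be filtered mechanically rather than read by eye. As an added example (not from the post, and not Samba's own tooling), this Python snippet pulls the "Authentication" records out of a mixed Samba log stream, skipping the human-readable lines, and counts failed LDAP simple binds by status, remote host and mapped account; the sample lines are constructed, modelled on the records in the post.

```python
"""Extract Samba 'Authentication' JSON audit records from a mixed log stream
and summarise failed LDAP simple binds by status, remote host and account."""
import json
from collections import Counter

# Constructed sample: a human-readable line plus three JSON audit records modelled
# on the post (two NT_STATUS_INVALID_WORKSTATION failures, one NT_STATUS_OK success).
SAMPLE_LOG = r'''
[2022/05/20 08:38:09.969011,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
   stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
   {"timestamp": "2022-05-20T08:38:09.967130+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status": "NT_STATUS_INVALID_WORKSTATION", "localAddress": "ipv4:192.168.0.1:389", "remoteAddress": "ipv4:192.168.0.10:56620", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientDomain": "DOM", "clientAccount": "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation": "DC01", "mappedAccount": "user", "mappedDomain": "DOM", "passwordType": "Plaintext", "duration": 2301}}
   {"timestamp": "2022-05-20T08:38:09.969592+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status": "NT_STATUS_INVALID_WORKSTATION", "localAddress": "ipv4:192.168.0.1:389", "remoteAddress": "ipv4:192.168.0.10:56618", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientDomain": "DOM", "clientAccount": "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation": "DC01", "mappedAccount": "user", "mappedDomain": "DOM", "passwordType": "Plaintext", "duration": 2406}}
   {"timestamp": "2022-05-20T08:40:00.000000+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 8, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.0.1:389", "remoteAddress": "ipv4:192.168.0.20:40000", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientDomain": "DOM", "clientAccount": "CN=svc,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation": "DC01", "mappedAccount": "svc", "mappedDomain": "DOM", "passwordType": "Plaintext", "duration": 1200}}
'''

def remote_host(addr):
    """'ipv4:192.168.0.10:56620' -> '192.168.0.10' (drops the family prefix and the port)."""
    _family, _, rest = addr.partition(":")
    return rest.rsplit(":", 1)[0]

def parse_auth_events(text):
    """Return the 'Authentication' payloads of all JSON records in the stream."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # debug-level human-readable line, not an audit record
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a wrapped or truncated JSON line: skip it rather than abort
        if rec.get("type") == "Authentication":
            events.append(rec["Authentication"])
    return events

def summarize_failed_simple_binds(events):
    """Count failed (eventId 4625) LDAP simple binds by (status, remote host, DOMAIN\\account)."""
    counts = Counter()
    for ev in events:
        if ev.get("eventId") != 4625 or ev.get("serviceDescription") != "LDAP":
            continue
        if ev.get("authDescription") != "simple bind":
            continue
        who = f'{ev.get("mappedDomain")}\\{ev.get("mappedAccount")}'
        counts[(ev.get("status"), remote_host(ev.get("remoteAddress", "")), who)] += 1
    return counts

if __name__ == "__main__":
    print(summarize_failed_simple_binds(parse_auth_events(SAMPLE_LOG)))
```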



