[Samba] stumped, security = domain FAILS for NTLMv2 only
Aaron J. Zirbes
ajz at cccs.umn.edu
Wed Feb 2 17:30:00 GMT 2005
I have a Samba only domain (Samba PDC, Samba Member Servers) where
security = domain.
Versions are all 3.0.10
compiled with --enable-cups --with-utmp --with-acl-support
Backend is tdbsam
All smb.confs have the following:
...
pdc: security = user
members: security = domain
...
restrict anonymous = 2
encrypt passwords = yes
lanman auth = no
ntlm auth = no
client ntlmv2 auth = yes
client schannel = yes
server schannel = yes
client signing = auto
server signing = auto
...
The domain controller works like a charm; all Windows 2000/XP clients are
locked down the same way (schannel=yes, NTLMv2 only, restrict anon=2). All
clients can auth through each other (I can view shares on other
workstations).
net rpc testjoin returns "OK" from all samba-3.0.10 members
Attempts to connect to a samba-3.0.10 member server fail with
session setup failed: NT_STATUS_LOGON_FAILURE
Unix accounts exist for domain members.
winbindd is up and running on members as auth only (no account creation).
Attempts to connect to Windows members succeed.
If security = user is used on members, and a smbpasswd -a command is
issued to assign the samba password on members (which makes the
membership useless), connection attempts succeed.
Logs on the Samba member server [RHEL] look like this:
[2005/02/02 10:26:59, 10] auth/auth_util.c:make_user_info(201)
made an encrypted user_info for myuser (myuser)
[2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[MYDOMAIN]\[myuser]@[LINUXBOX] with the new password interface
[2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [MYDOMAIN]\[myuser]@[LINUXBOX]
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(231)
check_ntlm_password: auth_context challenge created by random
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(233)
challenge is:
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(259)
check_ntlm_password: guest had nothing to say
[2005/02/02 10:26:59, 6] auth/auth_sam.c:check_samstrict_security(358)
check_samstrict_security: MYDOMAIN is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(259)
check_ntlm_password: sam had nothing to say
[2005/02/02 10:26:59, 5] auth/auth.c:check_ntlm_password(271)
check_ntlm_password: winbind authentication for user [myuser] FAILED
with error NT_STATUS_WRONG_PASSWORD
[2005/02/02 10:26:59, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [myuser] -> [myuser]
FAILED with error NT_STATUS_WRONG_PASSWORD
Logs on the domain controller [FreeBSD] look like this:
[2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[MYDOMAIN]\[myuser]@[LINUXBOX] with the new password interface
[2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [MYDOMAIN]\[myuser]@[LINUXBOX]
[2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(288)
ntlm_password_check: Checking NTLMv2 password with domain [MYDOMAIN]
[2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(298)
ntlm_password_check: Checking NTLMv2 password with uppercased version
of domain [MYDOMAIN]
[2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(308)
ntlm_password_check: Checking NTLMv2 password without a domain
[2005/02/02 10:26:59, 3] libsmb/ntlm_check.c:ntlm_password_check(317)
ntlm_password_check: NTLMv2 password check failed
[2005/02/02 10:26:59, 5] auth/auth.c:check_ntlm_password(271)
check_ntlm_password: sam authentication for user [myuser] FAILED with
error NT_STATUS_WRONG_PASSWORD
[2005/02/02 10:26:59, 3] auth/auth_winbind.c:check_winbind_security(80)
check_winbind_security: Not using winbind, requested domain
[MYDOMAIN] was for this SAM.
[2005/02/02 10:26:59, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [myuser] -> [myuser]
FAILED with error NT_STATUS_WRONG_PASSWORD
I am stumped.
Is a tdbsam backend unsupported for security = domain?
(not stated in docs)
Do I have to move to an LDAP backend? This, too, is not noted in any
documentation I have found.
Side note:
I noticed that even though I am setting auth to NTLMv2 ONLY, the
password databases are still storing the LANMAN hashes... is there a
reason for this?
--
Aaron Zirbes
Systems Administrator
Environmental Health Sciences
University of Minnesota
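As an added example (not part of the post, and not Samba project code), the following Python parser reads the Samba 3 debug records quoted above and reports which module in the auth chain (guest, sam, winbind) actually answered, with what NT_STATUS, and how many NTLMv2 domain variants the SAM check tried. It assumes the message wording shown in the post's 3.0.10 logs; the sample input embedded below is copied from those logs, and the dictionary keys (user, modules, result, ntlmv2_variants_tried) are this example's own naming. It does not diagnose the root cause; it only makes the chain visible so a reader can see that the member server delegated to winbind and the PDC's SAM check rejected the NTLMv2 response under all three domain spellings.

```python
"""Parse Samba 3 auth debug output and report which auth module decided."""
import re
from typing import Dict, List, Optional

# Record header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)".
HEADER_RE = re.compile(r"^\[([\d/ :]+), (\d+)\] [\w./]+:(\w+)\((\d+)\)$")
# Message patterns as emitted by auth/auth.c, auth/auth_winbind.c and
# libsmb/ntlm_check.c in the logs quoted in the post (assumed stable for 3.0.10).
USER_RE = re.compile(r"unmapped user \[([^\]]*)\]\\\[([^\]]+)\]@\[([^\]]+)\]")
SILENT_RE = re.compile(r"(\w+) had nothing to say")
MODULE_FAIL_RE = re.compile(r"(\w+) authentication for user \[[^\]]+\] FAILED with error (NT_STATUS_\w+)")
WINBIND_SKIP_RE = re.compile(r"Not using winbind, requested domain \[([^\]]+)\]")
FINAL_RE = re.compile(r"Authentication for user \[[^\]]+\] -> \[[^\]]+\] FAILED with error (NT_STATUS_\w+)")
NTLMV2_TRY_RE = re.compile(r"Checking NTLMv2 password")
NTLMV2_FAIL_RE = re.compile(r"NTLMv2 password check failed")


def parse_samba_log(text: str) -> List[Dict[str, str]]:
    """Split debug output into records and re-join messages that Samba wrapped
    across several physical lines (continuation lines carry no header)."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"level": m.group(2), "function": m.group(3), "message": ""}
            entries.append(current)
        elif current is not None and line:
            current["message"] = (current["message"] + " " + line).strip()
    return entries


def summarize_auth(entries: List[Dict[str, str]]) -> Dict:
    """Walk the auth chain (guest -> sam -> winbind) and record what each
    module said, plus how many NTLMv2 domain variants the SAM check tried."""
    s: Dict = {"user": None, "domain": None, "workstation": None, "modules": {},
               "result": None, "ntlmv2_variants_tried": 0, "ntlmv2_failed": False}
    for e in entries:
        msg = e["message"]
        if (m := USER_RE.search(msg)):
            s["domain"], s["user"], s["workstation"] = m.groups()
        elif (m := SILENT_RE.search(msg)):
            s["modules"][m.group(1)] = "nothing to say"
        elif (m := MODULE_FAIL_RE.search(msg)):
            s["modules"][m.group(1)] = m.group(2)
        elif (m := WINBIND_SKIP_RE.search(msg)):
            s["modules"]["winbind"] = "skipped: %s is this server's own SAM" % m.group(1)
        elif (m := FINAL_RE.search(msg)):
            s["result"] = m.group(1)
        elif NTLMV2_TRY_RE.search(msg):
            s["ntlmv2_variants_tried"] += 1
        elif NTLMV2_FAIL_RE.search(msg):
            s["ntlmv2_failed"] = True
    return s


# Sample input: excerpts of the member-server and PDC logs quoted in the post.
MEMBER_LOG = r"""
[2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user
  [MYDOMAIN]\[myuser]@[LINUXBOX] with the new password interface
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(259)
  check_ntlm_password: guest had nothing to say
[2005/02/02 10:26:59, 6] auth/auth_sam.c:check_samstrict_security(358)
  check_samstrict_security: MYDOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(259)
  check_ntlm_password: sam had nothing to say
[2005/02/02 10:26:59, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [myuser] FAILED
  with error NT_STATUS_WRONG_PASSWORD
[2005/02/02 10:26:59, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [myuser] -> [myuser]
  FAILED with error NT_STATUS_WRONG_PASSWORD
"""
PDC_LOG = r"""
[2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user
  [MYDOMAIN]\[myuser]@[LINUXBOX] with the new password interface
[2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(288)
  ntlm_password_check: Checking NTLMv2 password with domain [MYDOMAIN]
[2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(298)
  ntlm_password_check: Checking NTLMv2 password with uppercased version
  of domain [MYDOMAIN]
[2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(308)
  ntlm_password_check: Checking NTLMv2 password without a domain
[2005/02/02 10:26:59, 3] libsmb/ntlm_check.c:ntlm_password_check(317)
  ntlm_password_check: NTLMv2 password check failed
[2005/02/02 10:26:59, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [myuser] FAILED with
  error NT_STATUS_WRONG_PASSWORD
[2005/02/02 10:26:59, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain
  [MYDOMAIN] was for this SAM.
[2005/02/02 10:26:59, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [myuser] -> [myuser]
  FAILED with error NT_STATUS_WRONG_PASSWORD
"""

if __name__ == "__main__":
    for name, log in (("member", MEMBER_LOG), ("pdc", PDC_LOG)):
        print(name, summarize_auth(parse_samba_log(log)))
```

Run it against a full level-10 log from both hosts for the same session (the timestamps line them up) and compare the two summaries: on the member the only module that speaks is winbind, on the PDC the only one is sam, so a mismatch between what winbind forwards and what the PDC's SAM check expects shows up as the 'modules' entries differing in which side reported NT_STATUS_WRONG_PASSWORD.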