[Samba] Password server behaves differently for clients from Windows 7 Professional and Windows 7 Enterprise
Bryan Chan
bryan.chan at ca.ibm.com
Fri May 3 14:50:30 MDT 2013
Hi,

I have been using Samba as a file server and a domain controller in a mixed
AIX/Windows environment for a long time. Due to changes in the network
infrastructure in my lab, I have to stop using my own LDAP server and Samba
domain controller, and migrate all my user accounts to a central proprietary
directory server. On AIX, I now use a proprietary loadable authentication
module to talk to that server. To Samba, the accounts just look like
local accounts, except that passwords are not managed locally.

I want to continue serving files using Samba on my AIX box, but I cannot use a
local smbpasswd file because there is no way to sync passwords between the
proprietary server and the local smbpasswd file. So I tried using server
security and delegating authentication to an SMB interface provided by the
directory server. Here are the relevant parts of my smb.conf:

    netbios name = MILAN
    security = server
    password server = tlbgsa.ibm.com
    encrypt passwords = yes
    ntlm auth = no
    lanman auth = no
    use spnego = no
    server schannel = no
    server signing = disabled
    client plaintext auth = no
    client lanman auth = no
    client ntlmv2 auth = yes
    client schannel = no
    client signing = auto
    client use spnego = no

When clients on Windows XP, Windows Server 2003, and Windows 7 Professional
connect to shares on \\milan, they are successfully authenticated by the
password server:

[2013/05/02 17:08:17, 3] auth/auth_sam.c:check_sam_security(282)
  check_sam_security: Couldn't find user 'bryanpkc' in passdb.
[2013/05/02 17:08:17, 5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [bryanpkc] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/05/02 17:08:18, 3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: smbserver authentication for user [bryanpkc] succeeded
[2013/05/02 17:08:18, 5] auth/auth.c:check_ntlm_password(295)
  check_ntlm_password: PAM Account for user [bryanpkc] succeeded
[2013/05/02 17:08:18, 2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password: authentication for user [bryanpkc] -> [bryanpkc] -> [bryanpkc] succeeded

However, when I try the same operation on Windows Server 2008, Windows Vista,
and Windows 7 Enterprise, the authentication attempt is rejected by the
password server:

[2013/05/02 17:01:06, 5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [bryanpkc] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/05/02 17:01:06, 1] auth/auth_server.c:check_smbserver_security(410)
  password server TLBGSA.IBM.COM rejected the password: NT_STATUS_LOGON_FAILURE
[2013/05/02 17:01:06, 5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: smbserver authentication for user [bryanpkc] FAILED with error NT_STATUS_LOGON_FAILURE
[2013/05/02 17:01:06, 2] auth/auth.c:check_ntlm_password(318)

I have more verbose logs (log level = 10) that show the different behaviours,
but I am not able to tell why the connection attempt works on some machines
but not on others. Any suggestion? I can send the log files if necessary.

Thanks,
--
Bryan Chan
bryan.chan at ca.ibm.com
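
The following is an added example, not part of the original post: a small parser that joins the wrapped message lines of log entries shaped like the excerpts above and lists each authentication method's result per user, so working and failing clients can be compared side by side. The sample log is constructed from the excerpts, and the header layout is assumed to match the one shown in the post.

```python
import re

# Constructed sample: entries shaped like the two log excerpts in the post.
SAMPLE_LOG = """\
[2013/05/02 17:08:17, 5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [bryanpkc] FAILED with
  error NT_STATUS_NO_SUCH_USER
[2013/05/02 17:08:18, 3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: smbserver authentication for user [bryanpkc]
  succeeded
[2013/05/02 17:01:06, 5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [bryanpkc] FAILED with
  error NT_STATUS_NO_SUCH_USER
[2013/05/02 17:01:06, 1] auth/auth_server.c:check_smbserver_security(410)
  password server TLBGSA.IBM.COM rejected the password:
  NT_STATUS_LOGON_FAILURE
[2013/05/02 17:01:06, 5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: smbserver authentication for user [bryanpkc] FAILED
  with error NT_STATUS_LOGON_FAILURE
"""

# Assumed header layout (as in the post): "[timestamp, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+)$")
RESULT = re.compile(r"(\w+) authentication for user \[([^\]]+)\] "
                    r"(succeeded|FAILED with error (NT_STATUS_\w+))")

def parse_entries(text):
    """Yield (timestamp, level, source, message), joining wrapped message lines."""
    entry = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if entry:
                yield (*entry[:3], " ".join(entry[3]))
            entry = [m.group(1), int(m.group(2)), m.group(3), []]
        elif entry and line.strip():
            entry[3].append(line.strip())
    if entry:
        yield (*entry[:3], " ".join(entry[3]))

def auth_results(text):
    """Return [(timestamp, user, method, status)]; status is 'OK' or an NT_STATUS code."""
    results = []
    for ts, _level, _src, msg in parse_entries(text):
        m = RESULT.search(msg)
        if m:
            results.append((ts, m.group(2), m.group(1), m.group(4) or "OK"))
    return results
```
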