[Samba] [samba] strange: 20 characters max in samAccountName
mathias dufresne
infractory at gmail.com
Wed Jul 1 14:44:41 UTC 2015
Hi all,
Sernet Samba 4.2.2 as Active Directory on Debian 7.8. No other DC.
I can't log in on Windows systems (Windows 7) when samAccountName values are
longer than 20 characters. This seems to be a LAN Manager or NT4 limitation
which should not happen on an AD domain.
Any idea what could lead me to that limitation?
I can log in using administrator account or any other having a short
(enough) samAccountName.
I tried to add @ad.domain.tld to samAccountName during the login process
without any success.
smb.conf is:
-------------------------------------------------------------
# Global parameters
[global]
workgroup = AD.DOMAIN
realm = ad.domain.tld
netbios name = DC01
server role = active directory domain controller
dns forwarder = 10.0.0.240
# DC version of rfc2307
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/ad.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-------------------------------------------------------------
Here are some logs:
-----------------------------------------------------------
[2015/07/01 16:36:22.869382, 4]
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:28 2015 CEST
[2015/07/01 16:36:27.902117, 4]
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:33 2015 CEST
[2015/07/01 16:36:28.716277, 4]
../source4/lib/socket/interface.c:121(add_interface)
added interface eth0 ip=10.156.248.217 bcast=10.156.255.255
netmask=255.255.240.0
[2015/07/01 16:36:32.935297, 4]
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:38 2015 CEST
[2015/07/01 16:36:36.569356, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ abcdef.abcdefg-abcdef at AD.DOMAIN from ipv4:
10.156.248.234:54408 for krbtgt/AD.DOMAIN at AD.DOMAIN
[2015/07/01 16:36:36.654528, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 128
[2015/07/01 16:36:36.654564, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
[2015/07/01 16:36:36.654569, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
[2015/07/01 16:36:36.654590, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
abcdef.abcdefg-abcdef at AD.DOMAIN
[2015/07/01 16:36:36.655635, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
[2015/07/01 16:36:36.655666, 5]
../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
[2015/07/01 16:36:36.655687, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
[2015/07/01 16:36:36.656998, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ abcdef.abcdefg-abcdef at AD.DOMAIN from ipv4:
10.156.248.234:54409 for krbtgt/AD.DOMAIN at AD.DOMAIN
[2015/07/01 16:36:36.739262, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2015/07/01 16:36:36.739295, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
[2015/07/01 16:36:36.739300, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
[2015/07/01 16:36:36.739327, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded --
abcdef.abcdefg-abcdef at AD.DOMAIN using arcfour-hmac-md5
[2015/07/01 16:36:36.739336, 4]
../source4/auth/sam.c:181(authsam_account_ok)
authsam_account_ok: Checking SMB password for user
abcdef.abcdefg-abcdef at AD.DOMAIN
[2015/07/01 16:36:36.740906, 5] ../source4/auth/sam.c:115(logon_hours_ok)
logon_hours_ok: No hours restrictions for user
abcdef.abcdefg-abcdef at AD.DOMAIN
[2015/07/01 16:36:36.758828, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2015-07-01T16:36:36 starttime: unset endtime:
2015-07-02T02:36:36 renew till: 2015-07-08T16:36:36
[2015/07/01 16:36:36.758886, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using
arcfour-hmac-md5/arcfour-hmac-md5
[2015/07/01 16:36:36.758896, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
forwardable
[2015/07/01 16:36:36.760092, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
[2015/07/01 16:36:36.760116, 5]
../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
[2015/07/01 16:36:36.760141, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
[2015/07/01 16:36:36.767240, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ abcdef.abcdefg-abcdef at AD.DOMAIN.TLD from ipv4:
10.156.248.234:54410 for host/win7-md02.ad.dgfip.org at AD.DOMAIN.TLD
[canonicalize, renewable, forwardable]
[2015/07/01 16:36:36.829364, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2015-07-01T16:36:36 starttime:
2015-07-01T16:36:36 endtime: 2015-07-02T02:36:36 renew till:
2015-07-08T16:36:36
[2015/07/01 16:36:36.831057, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
[2015/07/01 16:36:36.831122, 5]
../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
[2015/07/01 16:36:36.831148, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
[2015/07/01 16:36:37.967955, 4]
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:43 2015 CEST
-----------------------------------------------------------
These two lines seem to show authentication is working well, as a Kerberos
ticket seems to be granted:
[2015/07/01 16:36:36.829364, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2015-07-01T16:36:36 starttime:
2015-07-01T16:36:36 endtime: 2015-07-02T02:36:36 renew till:
2015-07-08T16:36:36
I don't understand why this limitation comes up...
Best regards,
Mathias
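
An added example, not part of the original post: a check that lists accounts whose sAMAccountName exceeds the 20 characters discussed above, reading LDIF such as an export of user objects from the directory. The function names and the sample records are constructed for illustration; the length is counted in characters after LDIF unfolding and base64 decoding, not in bytes.

```python
import base64

SAM_MAX = 20  # the length limit reported in the post
# 20 characters but 23 UTF-8 bytes; LDIF stores non-ASCII values base64-encoded.
_ENCODED = base64.b64encode("h\u00e9l\u00e8ne.m\u00fcller-dupont".encode("utf-8")).decode("ascii")
# Constructed sample records (not real directory data).
SAMPLE_LDIF = f"""\
dn: CN=Short User,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: jdoe

dn: CN=Long User,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: abcdef.abcdefg-abcdef

dn: CN=Folded User,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: firstname.lastname-ex
 ternal

dn: CN=Encoded User,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName:: {_ENCODED}
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # folded continuation line
        elif not raw.startswith("#"):      # skip comment lines
            lines.append(raw)
    record = {}
    for line in lines + [""]:              # trailing "" flushes the last record
        if not line.strip():
            if record:
                yield record
            record = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        record[name.lower()] = value.strip()

def overlong_accounts(text, limit=SAM_MAX):
    """Return (sAMAccountName, length) pairs longer than `limit` characters."""
    names = (r.get("samaccountname", "") for r in parse_ldif(text))
    return [(n, len(n)) for n in names if len(n) > limit]

if __name__ == "__main__":
    for sam, length in overlong_accounts(SAMPLE_LDIF):
        print(f"{length:3d}  {sam}")
```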