[Samba] [samba] strange: 20 characters max in samAccountName

Rowland Penny rowlandpenny241155 at gmail.com
Wed Jul 1 15:07:35 UTC 2015


On 01/07/15 15:44, mathias dufresne wrote:
> Hi all,
>
> Sernet Samba 4.2.2 as Active Directory on Debian 7.8. No other DC.
>
> I can't log in on Windows systems (Windows 7) when the samAccountName is
> longer than 20 characters. This seems to be a LAN Manager or NT4 limitation
> which should not happen on an AD domain.
> Any idea what could lead me to that limitation?
>
> I can log in using the administrator account or any other having a short
> (enough) samAccountName.
> I tried to add @ad.domain.tld to the samAccountName during the log-in process
> without any success.
>
> smb.conf is:
> -------------------------------------------------------------
> # Global parameters
> [global]
>          workgroup = AD.DOMAIN
>          realm = ad.domain.tld
>          netbios name = DC01
>          server role = active directory domain controller
>
>          dns forwarder = 10.0.0.240
>          # DC version of rfc2307
>          idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>          path = /var/lib/samba/sysvol/ad.domain.tld/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> -------------------------------------------------------------
>
> here are some logs:
> -----------------------------------------------------------
> [2015/07/01 16:36:22.869382,  4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>    dreplsrv_notify_schedule(5) scheduled for: Wed Jul  1 16:36:28 2015 CEST
> [2015/07/01 16:36:27.902117,  4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>    dreplsrv_notify_schedule(5) scheduled for: Wed Jul  1 16:36:33 2015 CEST
> [2015/07/01 16:36:28.716277,  4]
> ../source4/lib/socket/interface.c:121(add_interface)
>    added interface eth0 ip=10.156.248.217 bcast=10.156.255.255
> netmask=255.255.240.0
> [2015/07/01 16:36:32.935297,  4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>    dreplsrv_notify_schedule(5) scheduled for: Wed Jul  1 16:36:38 2015 CEST
> [2015/07/01 16:36:36.569356,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: AS-REQ abcdef.abcdefg-abcdef at AD.DOMAIN from ipv4:
> 10.156.248.234:54408 for krbtgt/AD.DOMAIN at AD.DOMAIN
> [2015/07/01 16:36:36.654528,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Client sent patypes: 128
> [2015/07/01 16:36:36.654564,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Looking for PKINIT pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.654569,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Looking for ENC-TS pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.654590,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.655635,  3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>    Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> [2015/07/01 16:36:36.655666,  5]
> ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
>    imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
> [2015/07/01 16:36:36.655687,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>    single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED]
> [2015/07/01 16:36:36.656998,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: AS-REQ abcdef.abcdefg-abcdef at AD.DOMAIN from ipv4:
> 10.156.248.234:54409 for krbtgt/AD.DOMAIN at AD.DOMAIN
> [2015/07/01 16:36:36.739262,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Client sent patypes: encrypted-timestamp, 128
> [2015/07/01 16:36:36.739295,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Looking for PKINIT pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.739300,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Looking for ENC-TS pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.739327,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: ENC-TS Pre-authentication succeeded --
> abcdef.abcdefg-abcdef at AD.DOMAIN using arcfour-hmac-md5
> [2015/07/01 16:36:36.739336,  4]
> ../source4/auth/sam.c:181(authsam_account_ok)
>    authsam_account_ok: Checking SMB password for user
> abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.740906,  5] ../source4/auth/sam.c:115(logon_hours_ok)
>    logon_hours_ok: No hours restrictions for user
> abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.758828,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: AS-REQ authtime: 2015-07-01T16:36:36 starttime: unset endtime:
> 2015-07-02T02:36:36 renew till: 2015-07-08T16:36:36
> [2015/07/01 16:36:36.758886,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using
> arcfour-hmac-md5/arcfour-hmac-md5
> [2015/07/01 16:36:36.758896,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> forwardable
> [2015/07/01 16:36:36.760092,  3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>    Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> [2015/07/01 16:36:36.760116,  5]
> ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
>    imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
> [2015/07/01 16:36:36.760141,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>    single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED]
> [2015/07/01 16:36:36.767240,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: TGS-REQ abcdef.abcdefg-abcdef at AD.DOMAIN.TLD from ipv4:
> 10.156.248.234:54410 for host/win7-md02.ad.dgfip.org at AD.DOMAIN.TLD
> [canonicalize, renewable, forwardable]
> [2015/07/01 16:36:36.829364,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: TGS-REQ authtime: 2015-07-01T16:36:36 starttime:
> 2015-07-01T16:36:36 endtime: 2015-07-02T02:36:36 renew till:
> 2015-07-08T16:36:36
> [2015/07/01 16:36:36.831057,  3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>    Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> [2015/07/01 16:36:36.831122,  5]
> ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
>    imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
> [2015/07/01 16:36:36.831148,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>    single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED]
> [2015/07/01 16:36:37.967955,  4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>    dreplsrv_notify_schedule(5) scheduled for: Wed Jul  1 16:36:43 2015 CEST
> -----------------------------------------------------------
>
> These two lines seem to show that authentication is working, as a Kerberos
> ticket seems to be granted:
> [2015/07/01 16:36:36.829364,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: TGS-REQ authtime: 2015-07-01T16:36:36 starttime:
> 2015-07-01T16:36:36 endtime: 2015-07-02T02:36:36 renew till:
> 2015-07-08T16:36:36
>
> I don't understand why this limitation comes up...
>
> Best regards,
>
> Mathias

You cannot have a sAMAccountName that is longer than 20 characters; this 
is a Microsoft AD restriction, see here:

https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx

Rowland
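As an added example (not part of this thread, and not Samba's own tooling): a small Python audit that parses LDIF output, such as that produced by `ldbsearch` against the DC's sam.ldb, and flags every account whose sAMAccountName exceeds the 20-character limit the reply refers to. Everything here is assumed or constructed: the `ldbsearch` invocation in the comment is the one a Samba AD admin would typically run (the exact filter is my choice), and the LDIF records are sample data, including one folded line and one base64-encoded value so the parser exercises both LDIF encodings rather than a plain `grep`.

```python
import base64
import sys
from typing import Dict, Iterator, List

# Limit stated in the reply above: Windows will not log a user on when the
# sAMAccountName is longer than 20 characters.
MAX_SAM_ACCOUNT_NAME = 20

# Constructed sample data, shaped like the output of (assumed invocation):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(&(objectClass=user)(!(objectClass=computer)))' sAMAccountName
# Record 3 carries a base64 value ('::'), record 4 a folded line (leading space).
SAMPLE_LDIF = """\
# record 1
dn: CN=Administrator,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: Administrator

# record 2
dn: CN=abcdef.abcdefg-abcdef,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: abcdef.abcdefg-abcdef

# record 3
dn: CN=Long Name,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName:: dmVyeS5sb25nLnNhbWFjY291bnQubmFtZQ==

# record 4
dn: CN=Folded User,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: folded.account.
 name.long

# returned 4 records
"""


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield one {attribute: [values]} dict per LDIF record.

    Handles the two details a naive line-by-line grep gets wrong:
    continuation lines (a leading space folds onto the previous line)
    and base64-encoded values (attribute name followed by '::').
    """
    logical_lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]          # unfold continuation line
        else:
            logical_lines.append(raw)

    record: Dict[str, List[str]] = {}
    for line in logical_lines + [""]:             # sentinel flushes last record
        if line.startswith("#"):
            continue                              # LDIF comment
        if line == "":
            if record:
                yield record
                record = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                              # not an attribute line
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        record.setdefault(name, []).append(value)


def over_limit(ldif_text: str, limit: int = MAX_SAM_ACCOUNT_NAME) -> List[Dict[str, object]]:
    """Return dn, sAMAccountName and length for every account over the limit."""
    findings: List[Dict[str, object]] = []
    for rec in parse_ldif(ldif_text):
        for name in rec.get("sAMAccountName", []):
            if len(name) > limit:
                findings.append({
                    "dn": rec.get("dn", ["?"])[0],
                    "sAMAccountName": name,
                    "length": len(name),
                })
    return findings


def main(argv: List[str]) -> int:
    # Pass '-' to read real ldbsearch/ldapsearch output from stdin;
    # with no argument the constructed sample is audited.
    text = sys.stdin.read() if len(argv) > 1 and argv[1] == "-" else SAMPLE_LDIF
    findings = over_limit(text)
    for f in findings:
        print(f"{f['length']:3d}  {f['sAMAccountName']}  ({f['dn']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against a live DC with `ldbsearch ... sAMAccountName | python3 audit.py -` (invocation assumed, see the comment in the block); a non-zero exit means at least one account would hit the limit described in the thread, which makes the script usable as a pre-flight check before creating or importing users. The length check counts characters of the decoded value, so names that only look short in base64-encoded LDIF are still caught.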


