[Samba] [samba] strange: 20 characters max in samAccountName
Rowland Penny
rowlandpenny241155 at gmail.com
Wed Jul 1 15:07:35 UTC 2015
On 01/07/15 15:44, mathias dufresne wrote:
> Hi all,
>
> Sernet Samba 4.2.2 as Active Directory on Debian 7.8. No other DC.
>
> I can't log in with on Windows systems (Windows 7) when samAccountName are
> longer than 20 characters. This seems to be a LAN MAN or NT4 limitation
> which should not happen on AD domain.
> Any idea what could leads my to that limitation?
>
> I can log in using administrator account or any other having a short
> (enough) samAccountName.
> I tried to add @ad.domain.tld to samAccountName during log in process
> without any success.
>
> smb.conf is:
> -------------------------------------------------------------
> # Global parameters
> [global]
> workgroup = AD.DOMAIN
> realm = ad.domain.tld
> netbios name = DC01
> server role = active directory domain controller
>
> dns forwarder = 10.0.0.240
> # DC version of rfc2307
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.domain.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> -------------------------------------------------------------
>
> here are some logs:
> -----------------------------------------------------------
> [2015/07/01 16:36:22.869382, 4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:28 2015 CEST
> [2015/07/01 16:36:27.902117, 4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:33 2015 CEST
> [2015/07/01 16:36:28.716277, 4]
> ../source4/lib/socket/interface.c:121(add_interface)
> added interface eth0 ip=10.156.248.217 bcast=10.156.255.255
> netmask=255.255.240.0
> [2015/07/01 16:36:32.935297, 4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:38 2015 CEST
> [2015/07/01 16:36:36.569356, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ abcdef.abcdefg-abcdef at AD.DOMAIN from ipv4:
> 10.156.248.234:54408 for krbtgt/AD.DOMAIN at AD.DOMAIN
> [2015/07/01 16:36:36.654528, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: 128
> [2015/07/01 16:36:36.654564, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.654569, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.654590, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.655635, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> [2015/07/01 16:36:36.655666, 5]
> ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
> imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
> [2015/07/01 16:36:36.655687, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED]
> [2015/07/01 16:36:36.656998, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ abcdef.abcdefg-abcdef at AD.DOMAIN from ipv4:
> 10.156.248.234:54409 for krbtgt/AD.DOMAIN at AD.DOMAIN
> [2015/07/01 16:36:36.739262, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> [2015/07/01 16:36:36.739295, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.739300, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data -- abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.739327, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: ENC-TS Pre-authentication succeeded --
> abcdef.abcdefg-abcdef at AD.DOMAIN using arcfour-hmac-md5
> [2015/07/01 16:36:36.739336, 4]
> ../source4/auth/sam.c:181(authsam_account_ok)
> authsam_account_ok: Checking SMB password for user
> abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.740906, 5] ../source4/auth/sam.c:115(logon_hours_ok)
> logon_hours_ok: No hours restrictions for user
> abcdef.abcdefg-abcdef at AD.DOMAIN
> [2015/07/01 16:36:36.758828, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ authtime: 2015-07-01T16:36:36 starttime: unset endtime:
> 2015-07-02T02:36:36 renew till: 2015-07-08T16:36:36
> [2015/07/01 16:36:36.758886, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using
> arcfour-hmac-md5/arcfour-hmac-md5
> [2015/07/01 16:36:36.758896, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> forwardable
> [2015/07/01 16:36:36.760092, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> [2015/07/01 16:36:36.760116, 5]
> ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
> imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
> [2015/07/01 16:36:36.760141, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED]
> [2015/07/01 16:36:36.767240, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ abcdef.abcdefg-abcdef at AD.DOMAIN.TLD from ipv4:
> 10.156.248.234:54410 for host/win7-md02.ad.dgfip.org at AD.DOMAIN.TLD
> [canonicalize, renewable, forwardable]
> [2015/07/01 16:36:36.829364, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ authtime: 2015-07-01T16:36:36 starttime:
> 2015-07-01T16:36:36 endtime: 2015-07-02T02:36:36 renew till:
> 2015-07-08T16:36:36
> [2015/07/01 16:36:36.831057, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> [2015/07/01 16:36:36.831122, 5]
> ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
> imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.2625.35
> [2015/07/01 16:36:36.831148, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED]
> [2015/07/01 16:36:37.967955, 4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Wed Jul 1 16:36:43 2015 CEST
> -----------------------------------------------------------
>
> These two lines seem to show authentication is working well as Kerberos
> ticket seems to be granted:
> [2015/07/01 16:36:36.829364, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ authtime: 2015-07-01T16:36:36 starttime:
> 2015-07-01T16:36:36 endtime: 2015-07-02T02:36:36 renew till:
> 2015-07-08T16:36:36
>
> I don't understand why this limitation comes up...
>
> Best regards,
>
> Mathias
You cannot have a sAMAccountName that is longer than 20 characters, this
is a Microsoft AD restriction, see here:
https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
Rowland
More information about the samba
mailing list