[Samba] samba 4.4.2 ads member not authenticating properly

Mark Grabowski elric at udel.edu
Thu Apr 14 20:14:38 UTC 2016


I have a CentOS 7 system running samba that is joined to an ADS.  When I
was running 4.4.0 everything worked just fine.  When I installed 4.4.2
samba stopped authenticating passwords against the ads properly.  I am
using sssd and have verified that it is working correctly and able to
validate passwords.  I am not running winbind.  Both 4.4.0 and 4.4.2 were
compiled using exactly the same environment.

I have turned on log level 3 to try and figure out what is going on.  Under
4.4.0 I can see that samba is using the server machine password to
communicate with the ads.

  Connecting to xxx.xxx.xx.x at port 445
[2016/04/14 14:10:21.519533,  3]
  ldb_wrap open of secrets.ldb
[2016/04/14 14:10:21.541269,  3]
  check_ntlm_password: winbind authentication for user [elric] succeeded
[2016/04/14 14:10:21.541340,  2]
  check_ntlm_password:  authentication for user [elric] -> [elric] ->
[elric@***.udel.edu] succeeded

I am not seeing this step in the 4.4.2 logging, instead:

  Connecting to xxx.xxx.xx.x at port 445
[2016/04/14 15:42:00.043844,  3]
  Doing spnego session setup (blob length=120)
[2016/04/14 15:42:00.043946,  3]
  got OID=
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.
  got OID=
[2016/04/14 15:42:00.043975,  3]
  got principal=not_defined_in_RFC4178@please_ignore
[2016/04/14 15:42:00.045446,  3]
  Got challenge flags:
[2016/04/14 15:42:00.045487,  3]
  Got NTLMSSP neg_flags=0x62898215
[2016/04/14 15:42:00.045614,  3]
  NTLMSSP: Set final flags:
[2016/04/14 15:42:00.045630,  3]
  Got NTLMSSP neg_flags=0x62088a15
[2016/04/14 15:42:00.045644,  3]
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/04/14 15:42:00.045655,  3]
  Got NTLMSSP neg_flags=0x62088a15
[2016/04/14 15:42:00.047444,  3]
  SPNEGO login failed: Logon failure

In both cases I am seeing the correct preferred server list and the same
mapped user information.

Assuming that this was being caused by some of the new security flags I
have tried to turn some of the new features off.  I was unable to get
things working.

Can anyone point me in the right direction?

Thanks, Mark

Mark Grabowski
University of Delaware Library
University of Delaware
(302) 831-3310
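
The two neg_flags values in the 4.4.2 log above can be decoded to see which NTLMSSP options differ between the server's challenge and the final negotiated set. The following is an added example, not part of the original post and not Samba code; the bit names follow the MS-NLMP NEGOTIATE flag definitions, with Samba's name for bit 0x800, and the function names are hypothetical.

```python
import re

# Flag bits per MS-NLMP; reserved bits are left out and reported as hex.
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000040: "NEGOTIATE_DATAGRAM",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS",
    0x00001000: "NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NEGOTIATE_IDENTIFY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

def decode(flags):
    """Names of all set bits, lowest bit first; unnamed bits shown as hex."""
    bits = [1 << i for i in range(32) if flags & (1 << i)]
    return [NTLMSSP_FLAGS.get(b, "RESERVED_0x%08x" % b) for b in bits]

def diff(before, after):
    """(dropped, added) flag names when going from `before` to `after`."""
    return decode(before & ~after), decode(after & ~before)

def parse_log(text):
    """Every neg_flags value found in Samba log text, in order of appearance."""
    return [int(v, 16) for v in re.findall(r"neg_flags=(0x[0-9a-fA-F]+)", text)]

# Log lines copied from the 4.4.2 excerpt in the post.
LOG = """Got NTLMSSP neg_flags=0x62898215
Got NTLMSSP neg_flags=0x62088a15
Got NTLMSSP neg_flags=0x62088a15"""

if __name__ == "__main__":
    challenge, final = parse_log(LOG)[:2]
    print("challenge:", ", ".join(decode(challenge)))
    print("final:    ", ", ".join(decode(final)))
    print("dropped/added:", diff(challenge, final))
```
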
