[Samba] samba 4.4.2 ads member not authenticating properly
Mark Grabowski
elric at udel.edu
Thu Apr 14 20:14:38 UTC 2016
Hello,
I have a Centos 7 system running samba that is joined to an ADS. When I
was running 4.4.0 everything worked just fine. When I installed 4.4.2
samba stopped authenticating passwords against the ads properly. I am
using sssd and have verified that it is working correctly and able to
validate passwords. I am not running winbind. Both 4.4.0 and 4.4.2 were
compiled using exactly the same environment.
I have turned on log level 3 to try and figure out what is going on. Under
4.4.0 I can see that samba is using the server machine password to
communicate with the ads.
  Connecting to xxx.xxx.xx.x at port 445
[2016/04/14 14:10:21.519533, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/04/14 14:10:21.541269, 3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [elric] succeeded
[2016/04/14 14:10:21.541340, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [elric] -> [elric] -> [elric@***.udel.edu] succeeded
I am not seeing this step in the 4.4.2 logging, instead:
  Connecting to xxx.xxx.xx.x at port 445
[2016/04/14 15:42:00.043844, 3] ../source3/libsmb/cliconnect.c:1798(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2016/04/14 15:42:00.043946, 3] ../source3/libsmb/cliconnect.c:1825(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2016/04/14 15:42:00.043975, 3] ../source3/libsmb/cliconnect.c:1835(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2016/04/14 15:42:00.045446, 3] ../auth/ntlmssp/ntlmssp_client.c:275(ntlmssp_client_challenge)
  Got challenge flags:
[2016/04/14 15:42:00.045487, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2016/04/14 15:42:00.045614, 3] ../auth/ntlmssp/ntlmssp_client.c:731(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2016/04/14 15:42:00.045630, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088a15
[2016/04/14 15:42:00.045644, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/04/14 15:42:00.045655, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088a15
[2016/04/14 15:42:00.047444, 3] ../source3/libsmb/cliconnect.c:2173(cli_session_setup_done_spnego)
  SPNEGO login failed: Logon failure
In both cases I am seeing the correct preferred server list and the same
mapped user information.
Assuming that this was being caused by some of the new security flags I
have tried to turn some of the new features off. I was unable to get
things working.
Can anyone point me in the right direction?
Thanks, Mark
--
Mark Grabowski
University of Delaware Library
University of Delaware
(302) 831-3310
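
The NTLMSSP neg_flags values in the 4.4.2 log above can be decoded bit by bit to see which flags differ between the server's challenge and the client's final set. This is an added example, not part of the original post or of Samba's code; the flag names are taken from the NegotiateFlags field of MS-NLMP, and the log lines are copied from the post with the timestamp headers dropped.

```python
import re
# Names follow the MS-NLMP NegotiateFlags field; reserved bits are left out
# and would be reported as UNKNOWN_<hex> by decode().
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000040: "NEGOTIATE_DATAGRAM",
    0x00000080: "NEGOTIATE_LM_KEY", 0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS", 0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NEGOTIATE_IDENTIFY", 0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# Flag-bearing messages from the 4.4.2 excerpt in the post (headers dropped).
LOG = """\
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088a15
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088a15
"""

def decode(value):
    """Return the set of flag names whose bits are set in value."""
    return {NTLMSSP_FLAGS.get(1 << i, f"UNKNOWN_{1 << i:#010x}")
            for i in range(32) if value >> i & 1}

def parse(log):
    """Pair each neg_flags value with the most recent '...flags:' label line."""
    out, label = [], None
    for line in log.splitlines():
        if m := re.search(r"neg_flags=(0x[0-9a-fA-F]+)", line):
            out.append((label, int(m.group(1), 16)))
        elif line.rstrip().endswith("flags:"):
            label = line.strip()
    return out

def diff(a, b):
    """Return (names set only in a, names set only in b), each sorted."""
    return sorted(decode(a) - decode(b)), sorted(decode(b) - decode(a))

if __name__ == "__main__":
    for label, value in parse(LOG):
        print(label, f"{value:#010x}", sorted(decode(value)))
    print("challenge only / final only:", diff(0x62898215, 0x62088a15))
```

`parse()` also accepts the full smbd log text, since it skips any lines between a label and its neg_flags value.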