[Samba] winbind joining NT4-style domain - two strange issues

Stefan Froehlich samba at froehlich.priv.at
Sat Dec 17 21:12:28 UTC 2016


A new Debian(unstable) machine with Samba 4.5.2 is trying to join an
NT4-style Samba domain hosted on a Debian(wheezy) Server with 3.6.6
which can't be changed but has been working for some years now with a
couple of windows clients.

Joining the domain was quite easy (only surprise was "client ipc
signing"), and "wbinfo -u" gives me a list with all domain users.

BUT (issue one) "getent passwd" listed only local users in the
beginning. Google has many hits for this with many different reasons.
Learning from them I now have a smb.conf with the following relevant
entries:

| netbios name = DALET-STG
| workgroup = SYNTH
| wins support = no
| wins server = herkules.synth.intern
| client ipc signing = auto
| server role = member server
| security = domain
| password server = herkules.synth.intern
| idmap config *:backend = tdb
| idmap config *:range = 1000-9999
| idmap config SYNTH:backend = rid
| idmap config SYNTH:range = 10000-19999
| winbind separator = +
| winbind enum groups = yes
| winbind enum users = yes
| winbind use default domain = no

After configuring "idmap config SYNTH:backend=rid" to my surprise
"getent passwd" now returns exactly ONE domain user (actually it
returns *my* user). So I can do:

| $ wbinfo -a SYNTH+user1%pass1
| plaintext password authentication succeeded
| challenge/response password authentication succeeded
|
| $ wbinfo -a SYNTH+user2%pass2
| plaintext password authentication succeeded
| challenge/response password authentication succeeded
|
| $ getent passwd SYNTH+user1
| SYNTH+user1:*:13000:10513:Stefan Froehlich:/home/SYNTH/user1:/bin/bash
|
| $ getent passwd SYNTH+user2
| [no output at all]

ONLY user1 is found, nothing else, whatever I do (I was desperate
enough to even reboot the machine, but... well, I did not expect it
to help and it did not).

Does anyone have a clue what is going on here? What to try next?


The second odd thing is PAM authentication. I configured
pam_winbind and tried to connect via ssh and via postgresql - using
the non-mapped account of user2 in the example above. Both of them
are running through exactly the same PAM configuration, but still
postgresql succeeds and ssh login fails. I had a look at the level 9
debug logs on the server side and found out the following (so most
likely this is an issue on the rather ancient 3.6.6 machine, but
still I would be REALLY thankful for help).

Connection attempt from postgres:

| [2016/12/17 20:55:55.268015,  3] auth/auth.c:219(check_ntlm_password)
|   check_ntlm_password:  Checking password for unmapped user [SYNTH]\[user2]@[\\DALET-STG] with the new password interface
| [2016/12/17 20:55:55.268040,  3] auth/auth.c:222(check_ntlm_password)
|   check_ntlm_password:  mapped user is: [SYNTH]\[user2]@[\\DALET-STG]

[about 50 lines snipped]

| [2016/12/17 20:55:55.268723,  5] lib/username.c:171(Get_Pwnam_alloc)
|   Finding user user2
| [2016/12/17 20:55:55.268746,  5] lib/username.c:116(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as lowercase is user2
| [2016/12/17 20:55:55.268773,  5] lib/username.c:149(Get_Pwnam_internals)
|   Get_Pwnam_internals did find user [user2]!
| [2016/12/17 20:55:55.268808,  3] passdb/lookup_sid.c:1754(get_primary_group_sid)
|   Forcing Primary Group to 'Domain Users' for user2
| [2016/12/17 20:55:55.268835,  4] smbd/sec_ctx.c:214(push_sec_ctx)
|   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.268860,  4] smbd/uid.c:460(push_conn_ctx)
|   push_conn_ctx(100) : conn_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.268884,  4] smbd/sec_ctx.c:314(set_sec_ctx)
|   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.268908,  5] ../libcli/security/security_token.c:53(security_token_debug)
|   Security token: (NULL)
| [2016/12/17 20:55:55.268931,  5] auth/token_util.c:527(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2016/12/17 20:55:55.268972,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269007,  4] lib/substitute.c:527(automount_server)
|   Home server: herkules
| [2016/12/17 20:55:55.269039,  4] lib/substitute.c:527(automount_server)
|   Home server: herkules
| [2016/12/17 20:55:55.269070,  4] smbd/sec_ctx.c:214(push_sec_ctx)
|   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.269095,  4] smbd/uid.c:460(push_conn_ctx)
|   push_conn_ctx(100) : conn_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269119,  4] smbd/sec_ctx.c:314(set_sec_ctx)
|   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.269142,  5] ../libcli/security/security_token.c:53(security_token_debug)
|   Security token: (NULL)
| [2016/12/17 20:55:55.269165,  5] auth/token_util.c:527(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2016/12/17 20:55:55.269208,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269243,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
|   pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
| [2016/12/17 20:55:55.269274,  4] auth/check_samsec.c:183(sam_account_ok)
|   sam_account_ok: Checking SMB password for user user2
| [2016/12/17 20:55:55.269302,  5] auth/check_samsec.c:165(logon_hours_ok)
|   logon_hours_ok: user user2 allowed to logon at this time (Sat Dec 17 19:55:55 2016
|   )
| [2016/12/17 20:55:55.269334,  4] smbd/sec_ctx.c:214(push_sec_ctx)
|   push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269360,  4] smbd/uid.c:460(push_conn_ctx)
|   push_conn_ctx(100) : conn_ctx_stack_ndx = 0


Connection attempt from ssh:

| [2016/12/17 20:55:19.843012,  3] auth/auth.c:219(check_ntlm_password)
|   check_ntlm_password:  Checking password for unmapped user [SYNTH]\[user2]@[\\DALET-STG] with the new password interface
| [2016/12/17 20:55:19.843038,  3] auth/auth.c:222(check_ntlm_password)
|   check_ntlm_password:  mapped user is: [SYNTH]\[user2]@[\\DALET-STG]

[completely identical lines to the above log file snipped]

| [2016/12/17 20:55:19.844194,  5] auth/token_util.c:527(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2016/12/17 20:55:19.844236,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:19.844271,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
|   pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
| [2016/12/17 20:55:19.844301,  3] ../libcli/auth/ntlm_check.c:238(hash_password_check)
|   ntlm_password_check: Interactive logon: NT password check failed for user user2
| [2016/12/17 20:55:19.844329,  4] smbd/sec_ctx.c:214(push_sec_ctx)
|   push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:19.844354,  4] smbd/uid.c:460(push_conn_ctx)
|   push_conn_ctx(100) : conn_ctx_stack_ndx = 0

This seems completely irrational to me - in both cases the same
password has been entered, exactly the same piece of software is
called, but - reproducible! - a different result is returned.

Again, I highly welcome any hints and suggestions. If any additional
file or configuration information is needed of either client or
server, or if I should try out something, just tell.

Bye,
Stefan
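
The following is an added example, not part of Stefan's post and not Samba's own code. It reproduces the arithmetic that the idmap_rid backend applies to the SYNTH settings in the smb.conf above (documented rule: Unix ID = RID - base_rid + low end of the range, base_rid defaulting to 0) and the range check that decides whether a domain SID gets a Unix ID at all. Under that rule the getent output in the post (uid 13000, gid 10513, with the server forcing the primary group to 'Domain Users', well-known RID 513) corresponds to RIDs 3000 and 513; the domain SID used here and the out-of-range RID 10000 are constructed values, since the post does not show the real SID or the RID of user2. The overlap check at the end is a sanity check a practitioner would run on any multi-range idmap setup.

```python
import re

# The idmap lines from the post's smb.conf, copied verbatim (leading "| " removed).
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 1000-9999
idmap config SYNTH:backend = rid
idmap config SYNTH:range = 10000-19999
"""

# Constructed domain SID for SYNTH; the real SID is not given in the post.
SYNTH_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

_IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$"
)


def parse_idmap_config(conf):
    """Collect every 'idmap config <domain>:<key> = <value>' line into {domain: {key: value}}."""
    cfg = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"], {})[m["key"]] = m["val"]
    return cfg


def parse_range(spec):
    """'10000-19999' -> (10000, 19999); reject inverted ranges, which winbind refuses too."""
    low, high = (int(x) for x in spec.split("-", 1))
    if low > high:
        raise ValueError("inverted idmap range: " + spec)
    return low, high


def split_sid(sid):
    """'S-1-5-21-a-b-c-3000' -> ('S-1-5-21-a-b-c', 3000)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def rid_to_unix_id(sid, cfg, domain_name, domain_sid):
    """Map a SID of the named domain to a Unix ID the way idmap_rid does:
    ID = RID - base_rid + range_low (base_rid defaults to 0).

    Returns None when the SID belongs to another domain or the result falls
    outside the configured range: winbind then has no mapping for that account,
    so getent shows nothing for it even though wbinfo -a can still authenticate it.
    """
    dom_cfg = cfg[domain_name]
    if dom_cfg.get("backend") != "rid":
        raise ValueError(domain_name + " is not configured with the rid backend")
    sid_domain, rid = split_sid(sid)
    if sid_domain != domain_sid:
        return None
    low, high = parse_range(dom_cfg["range"])
    base_rid = int(dom_cfg.get("base_rid", 0))
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def overlapping_ranges(cfg):
    """Return pairs of idmap domain labels whose ranges overlap.

    Overlap is a configuration error: two different SIDs could receive the same
    Unix ID, silently merging their file ownership and group membership.
    """
    ranges = {dom: parse_range(d["range"]) for dom, d in cfg.items() if "range" in d}
    names = sorted(ranges)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]
    ]


def demo():
    """Map the RIDs implied by the post's getent output plus one constructed RID."""
    cfg = parse_idmap_config(SMB_CONF)
    results = {}
    for label, rid in (("user1 (RID 3000)", 3000),
                       ("Domain Users (RID 513)", 513),
                       ("constructed RID 10000", 10000)):
        sid = SYNTH_DOMAIN_SID + "-" + str(rid)
        results[label] = rid_to_unix_id(sid, cfg, "SYNTH", SYNTH_DOMAIN_SID)
    results["overlaps"] = overlapping_ranges(cfg)
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

With the range 10000-19999 the rid backend can only map RIDs 0 through 9999; anything above yields no Unix ID, which is one of the conditions to rule out with `wbinfo -n SYNTH+user2` (prints the SID and therefore the RID) and `wbinfo -S <SID>` when an account authenticates but does not resolve.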


