[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth
David Herselman
dhe at syrex.co
Mon Jun 12 13:56:14 UTC 2017
Hi everyone,
We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be experiencing a problem with authentication, when the RPC domain is not supplied as part of the username.
I have two scenarios where this has cropped up:
- RADIUS authentication using ntlm_auth
- Apache HTTP using mod_auth_ntlm_winbind
RADIUS authentication:
We use the freeRADIUS 'mschap' module to provide centralised MS-CHAP2 based authentication for CheckPoint firewalls. The module really just passes calls through to 'ntlm_auth' and has worked for over a year on 4.4.5. With the migration to 4.6.5 we obtain the following error when attempting to authenticate:
Mon Jun 12 08:57:55 2017 : Auth: Login incorrect (mschap: External script says Memory allocation error (0xc0000017)): [davidh] (from client checkpoint_gaia port 0) nas-ip:8.8.8.8 nas-id:
The following change of the freeRADIUS 'mschap' module works around the issue by hard coding the domain:
- ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+ ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-DOMAIN-01} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
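Review bot: The `:-DOMAIN-01` fallback in the `+` line hard-codes the NetBIOS domain for every request that arrives without an NT-Domain attribute, so a user from any other trusted domain who omits the prefix would silently be authenticated against DOMAIN-01 as well; a comment next to the setting recording that this is a workaround for the 4.6.5 behaviour, and that it must be the short workgroup name rather than the realm (the realm form produces NT_STATUS_NO_MEMORY in the wbinfo/ntlm_auth tests below), would stop it being mistaken for intended configuration later.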
Apache HTTP has been set up to use the mod_auth_ntlm_winbind module and works perfectly when accessing the website from a user that is logged in to the domain (NTLM authentication I presume). When attempting access from outside the network, for example from my personal PC at home, I'm prompted for authentication and can now only successfully authenticate when I prefix the legacy RPC domain name to my username.
i.e. using just 'davidh' fails whereas 'DOMAIN-01\davidh' works.
The web server logs the following error when attempting to authenticate without the RPC domain prefix (domain-01\):
/var/log/httpd/localhost-error_log
GENSEC login failed: NT_STATUS_NO_MEMORY
Apache is running on one of the Samba AD servers, with the following .htaccess file:
<Files index.pl>
  require valid-user
  AuthName "Windows Domain"
  NTLMOmitDomain on
  #NTLMDomainSeparator +
  NTLMBasicAuth on
  NTLMBasicAuthoritative on
  NTLMBasicRealm "Windows Domain"
  PlaintextAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic"
  NTLMAuth on
  AuthType NTLM
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NegotiateAuth off
  AuthType Negotiate
  NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
</Files>
We have Samba configured to enable the 'winbind use default domain' option and are attempting to reproduce the problem via the command line. Whilst authentication without the RPC domain prefixing the username works here, I get the same NT_STATUS_NO_MEMORY error when setting the RPC domain as something invalid, such as the AD realm 'AD.LAIR.CO.ZA', in the following example:
[root@unix-01 samba]# wbinfo -a exam%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@unix-01 samba]# ntlm_auth --helper-protocol=squid-2.5-basic
exam secret
OK
[root@unix-01 samba]# ntlm_auth --request-nt-key --username=exam --password=secret
NT_STATUS_OK: Success (0x0)
[root@unix-01 samba]# ntlm_auth --domain=DOMAIN-01 --request-nt-key --username=exam --password=secret
NT_STATUS_OK: Success (0x0)
[root@unix-01 samba]# ntlm_auth --domain=AD.LAIR.CO.ZA --request-nt-key --username=exam --password=secret
NT_STATUS_NO_MEMORY: Memory allocation error (0xc0000017)
We would be extremely grateful for any pointers as to where we could start turning up debugging and/or testing authentication on the command line to narrow down where the issue originates.
Additional information:
- We are using the default winbind separator '\'
- We have enabled NTLMv1 to provide necessary support for pppd, for PPTP VPN tunnels
Our smb.conf file (excludes share definitions):
[global]
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = Domain-01
realm = ad.lair.co.za
netbios name = Unix-01
remote announce = 192.168.1.255 192.168.5.255 192.168.255.255 192.168.1.5
remote browse sync = 192.168.1.5
bind interfaces only = yes
interfaces = 127.0.0.1/8 192.168.1.3/24
ntlm auth = yes
guest account = nobody
idmap cache time = 300
idmap_ldb:use rfc2307 = yes
kerberos method = system keytab
allow dns updates = secure only
template homedir = /home/users/%U
template shell = /sbin/nologin
log level = 2 winbind:10
log file = /var/log/samba/%m.log
enable core files = no
max log size = 50
dont descend = /dev, /mirror, /proc
time server = yes
wins support = yes
printing = cups
cups options = raw
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 1
[netlogon]
path = /var/lib/samba/sysvol/ad.lair.co.za/scripts
comment = Network Logon Service
read only = no
[sysvol]
path = /var/lib/samba/sysvol
comment = Active Directory System Volume
read only = no
[nobody]
path = /dev/null
comment = Access denied - Guest
guest ok = no
printable = no
browseable = no
Winbind debug information when running with 'log level = 2 winbind:10'.
The following is when attempting to browse to the Apache HTTP server and not prefixing the RPC domain name to the username:
[2017/06/12 15:46:21.302872, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:69(child_read_request)
Need to read 262 extra bytes
[2017/06/12 15:46:21.302893, 4, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1386(child_handler)
child daemon request 14
[2017/06/12 15:46:21.302905, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:512(child_process_request)
child_process_request: request fn AUTH_CRAP
[2017/06/12 15:46:21.302915, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2061(winbindd_dual_pam_auth_crap)
[31938]: pam auth crap domain: user: davidh
[2017/06/12 15:46:21.303466, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.303848, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.303867, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
[2017/06/12 15:46:21.303877, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop)
The connection to netlogon failed, retrying
[2017/06/12 15:46:21.304224, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.304240, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1)
[2017/06/12 15:46:21.304249, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop)
This is again a problem for this particular call, forcing the close of this connection
[2017/06/12 15:46:21.304258, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop)
The connection to netlogon failed, retrying
[2017/06/12 15:46:21.304604, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.304620, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 2)
[2017/06/12 15:46:21.304629, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop)
This is again a problem for this particular call, forcing the close of this connection
[2017/06/12 15:46:21.304655, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop)
This is the third problem for this particular call, adding DC to the negative cache list
[2017/06/12 15:46:21.307342, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop)
The connection to netlogon failed, retrying
[2017/06/12 15:46:21.307962, 1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.307979, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 3)
[2017/06/12 15:46:21.307988, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop)
This is again a problem for this particular call, forcing the close of this connection
[2017/06/12 15:46:21.307997, 3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop)
This is the third problem for this particular call, adding DC to the negative cache list
[2017/06/12 15:46:21.308015, 2, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2033(winbind_dual_SamLogon)
NTLM CRAP authentication for user []\[davidh] returned NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.308028, 4, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1394(child_handler)
Finished processing child request 14
[2017/06/12 15:46:21.308040, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:104(child_write_response)
Writing 3496 bytes to parent
Regards
David Herselman
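As an added example (not part of the original post or of Samba itself), a small Python parser for the two-line winbindd log records shown above: it pairs each header line with the message that follows, extracts the SamLogon outcome, and counts NETLOGON credential failures, so the "empty domain, NT_STATUS_NO_MEMORY" pattern can be spotted in a log file rather than read by eye. The sample lines are constructed from the record format in this post.

```python
import re

# Constructed sample in the format winbindd writes at 'log level = 2 winbind:10':
# a header line (timestamp, level, pid, class, source location) followed by an
# indented message line. The last record is a made-up successful logon for contrast.
SAMPLE_LOG = """\
[2017/06/12 15:46:21.302915,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2061(winbindd_dual_pam_auth_crap)
  [31938]: pam auth crap domain:  user: davidh
[2017/06/12 15:46:21.303466,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.308015,  2, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2033(winbind_dual_SamLogon)
  NTLM CRAP authentication for user []\\[davidh] returned NT_STATUS_NO_MEMORY
[2017/06/12 15:47:02.100000,  2, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2033(winbind_dual_SamLogon)
  NTLM CRAP authentication for user [DOMAIN-01]\\[davidh] returned NT_STATUS_OK
"""

# Header: "[<timestamp>, <level>, pid=<n>, ..., class=<cls>] <file>:<line>(<function>)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+), pid=(?P<pid>\d+),[^\]]*class=(?P<cls>\w+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$"
)
# SamLogon result: "NTLM CRAP authentication for user [<domain>]\[<user>] returned <status>"
SAMLOGON_RE = re.compile(
    r"NTLM CRAP authentication for user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"returned (?P<status>NT_STATUS_\w+)"
)

def parse_records(text):
    """Pair each winbindd header line with the message line that follows it."""
    records, header = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            header = m.groupdict()
            continue
        if header is not None:
            records.append({**header, "msg": raw.strip()})
            header = None
    return records

def summarize(text):
    """Return SamLogon outcomes, NETLOGON failure count and domainless failed logons."""
    recs = parse_records(text)
    outcomes = []
    for r in recs:
        m = SAMLOGON_RE.search(r["msg"]) if r["func"] == "winbind_dual_SamLogon" else None
        if m:
            outcomes.append((m["domain"], m["user"], m["status"]))
    netlogon_failures = sum(1 for r in recs if r["func"] == "cm_connect_netlogon_transport"
                            and "NT_STATUS_NO_MEMORY" in r["msg"])
    # An empty domain field is the signature of a request that relied on the default domain.
    no_domain_failures = [(u, s) for d, u, s in outcomes if d == "" and s != "NT_STATUS_OK"]
    return {"samlogon": outcomes, "netlogon_failures": netlogon_failures,
            "no_domain_failures": no_domain_failures}
```

Run `summarize(open("/var/log/samba/<host>.log").read())` against a real log to get the same three fields for a whole file.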