[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth

David Herselman dhe at syrex.co
Tue Jun 13 08:36:19 UTC 2017


Hi again,

The winbind debug logs pertaining to this appear to be the following:
[2017/06/12 15:46:21.303848,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY


We have a further nuance with Samba 4.6.5, also relating to the 'winbind use default domain' parameter, in that usernames are returned with the RPC domain prefix. This is causing problems at a site which still runs legacy mail using Dovecot (POP3/IMAP) and Sendmail.

There are two issues at this site: one is that Sendmail is now storing new messages in a mailbox 'DOMAIN\user' instead of just 'user', and the second is that Dovecot is incorrectly changing 'DOMAIN\user' to 'DOMAINuser' and subsequently creates an empty mailbox at login (the second is probably a Dovecot issue where the winbind separator is being interpreted):
  [admin at unix-01 mail]# dir /var/spool/mail/GOLD*ananda /var/spool/mail/ananda
  -rw------- 1 GOLDENERA\ananda mail  1555636 Jun 10 16:07 /var/spool/mail/ananda
  -rw------- 1 GOLDENERA\ananda mail  6283446 Jun 13 08:43 /var/spool/mail/GOLDENERAananda
  -rw------- 1 GOLDENERA\ananda users       0 Jun 13 09:07 /var/spool/mail/GOLDENERA\ananda


I assume the root cause here also to be winbindd not honouring the 'winbind use default domain' option having been set to 'yes'...

The Sendmail PAM configuration file (/etc/pam.d/smtp.sendmail):
  #%PAM-1.0
  auth       sufficient   pam_winbind.so
  auth       required     pam_unix.so     nullok_secure
  account    sufficient   pam_winbind.so  use_first_pass
  account    required     pam_unix.so

The original Sendmail PAM configuration file (/etc/pam.d/smtp.sendmail.orig):
  #%PAM-1.0
  auth       include      system-auth
  account    include      system-auth


Regards
David Herselman

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of David Herselman via samba
Sent: Monday, 12 June 2017 3:56 PM
To: samba at lists.samba.org
Subject: [Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth

Hi everyone,

We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be experiencing a problem with authentication, when the RPC domain is not supplied as part of the username.

I have two scenarios where this has cropped up:
  RADIUS authentication using ntlm_auth
  Apache HTTP using mod_auth_ntlm_winbind



RADIUS authentication:
We use the freeRADIUS 'mschap' module to provide centralised MS-CHAP2-based authentication for CheckPoint firewalls. The module really just passes calls through to 'ntlm_auth' and has worked for over a year on 4.4.5. With the migration to 4.6.5 we obtain the following error when attempting to authenticate:
  Mon Jun 12 08:57:55 2017 : Auth: Login incorrect (mschap: External script says Memory allocation error (0xc0000017)): [davidh] (from client checkpoint_gaia port 0) nas-ip:8.8.8.8 nas-id:

The following change of the freeRADIUS 'mschap' module works around the issue by hard coding the domain:
-       ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+       ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-DOMAIN-01} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"



Apache HTTP has been set up to use the mod_auth_ntlm_winbind module and works perfectly when accessing the website from a user that is logged in to the domain (NTLM authentication I presume). When attempting access from outside the network, for example from my personal PC at home, I'm prompted for authentication and can now only successfully authenticate when I prefix the legacy RPC domain name to my username.
  i.e.:  Using just 'davidh' fails whereas 'DOMAIN-01\davidh' works.

The web server logs the following error when attempting to authenticate without the RPC domain prefix (domain-01\):
  /var/log/httpd/localhost-error_log
    GENSEC login failed: NT_STATUS_NO_MEMORY

Apache is running on one of the Samba AD servers, with the following .htaccess file:
  <Files index.pl>
  require valid-user
  AuthName "Windows Domain"
  NTLMOmitDomain on
  #NTLMDomainSeparator +
  NTLMBasicAuth on
  NTLMBasicAuthoritative on
  NTLMBasicRealm "Windows Domain"
  PlaintextAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic"
  NTLMAuth on
  AuthType NTLM
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NegotiateAuth off
  AuthType Negotiate
  NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
  </Files>



We have Samba configured to enable the 'winbind use default domain' option and are attempting to reproduce the problem via the command line. Whilst authentication without the RPC domain prefixing the username works here, I get the same NT_STATUS_NO_MEMORY error when setting the RPC domain to something invalid, such as the AD realm 'AD.LAIR.CO.ZA', in the following example:
  [root at unix-01 samba]# wbinfo -a exam%secret
    plaintext password authentication succeeded
   challenge/response password authentication succeeded
  [root at unix-01 samba]# ntlm_auth --helper-protocol=squid-2.5-basic
    exam secret
    OK
  [root at unix-01 samba]# ntlm_auth --request-nt-key  --username=exam --password=secret
    NT_STATUS_OK: Success (0x0)
  [root at unix-01 samba]# ntlm_auth --domain=DOMAIN-01 --request-nt-key  --username=exam --password=secret
    NT_STATUS_OK: Success (0x0)
  [root at unix-01 samba]# ntlm_auth --domain=AD.LAIR.CO.ZA --request-nt-key  --username=exam --password=secret
    NT_STATUS_NO_MEMORY: Memory allocation error (0xc0000017)


We would be extremely grateful for any pointers as to where we could start turning up debugging and/or testing authentication on the command line to narrow down where the issue originates from.


Additional information:
  - We are using the default winbind separator '\'
  - We have enabled NTLMv1 to provide necessary support for pppd, for PPTP VPN tunnels

Our smb.conf file (excludes share definitions):
  [global]
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

        workgroup = Domain-01
        realm = ad.lair.co.za
        netbios name = Unix-01

        remote announce = 192.168.1.255 192.168.5.255 192.168.255.255 192.168.1.5
        remote browse sync = 192.168.1.5
        bind interfaces only = yes
        interfaces = 127.0.0.1/8 192.168.1.3/24

        ntlm auth = yes
        guest account = nobody
        idmap cache time = 300
        idmap_ldb:use rfc2307 = yes
        kerberos method = system keytab
        allow dns updates = secure only

        template homedir = /home/users/%U
        template shell = /sbin/nologin
        log level = 2 winbind:10
        log file = /var/log/samba/%m.log
        enable core files = no
        max log size = 50
        dont descend = /dev, /mirror, /proc

        time server = yes
        wins support = yes

        printing = cups
        cups options = raw

        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind expand groups = 1

  [netlogon]
        path = /var/lib/samba/sysvol/ad.lair.co.za/scripts
        comment = Network Logon Service
        read only = no

  [sysvol]
        path = /var/lib/samba/sysvol
        comment = Active Directory System Volume
        read only = no

  [nobody]
        path = /dev/null
        comment = Access denied - Guest
        guest ok = no
        printable = no
        browseable = no



winbind debug information when running with 'log level = 2 winbind:10'.
  The following is when attempting to browse to the Apache HTTP server and not prefixing the RPC domain name to the username:

[2017/06/12 15:46:21.302872, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:69(child_read_request)
  Need to read 262 extra bytes
[2017/06/12 15:46:21.302893,  4, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1386(child_handler)
  child daemon request 14
[2017/06/12 15:46:21.302905, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:512(child_process_request)
  child_process_request: request fn AUTH_CRAP
[2017/06/12 15:46:21.302915,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2061(winbindd_dual_pam_auth_crap)
  [31938]: pam auth crap domain:  user: davidh
[2017/06/12 15:46:21.303466,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.303848,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.303867,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
  Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
[2017/06/12 15:46:21.303877,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop)
  The connection to netlogon failed, retrying
[2017/06/12 15:46:21.304224,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.304240,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
  Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1)
[2017/06/12 15:46:21.304249,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop)
  This is again a problem for this particular call, forcing the close of this connection
[2017/06/12 15:46:21.304258,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop)
  The connection to netlogon failed, retrying
[2017/06/12 15:46:21.304604,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.304620,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
  Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 2)
[2017/06/12 15:46:21.304629,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop)
  This is again a problem for this particular call, forcing the close of this connection
[2017/06/12 15:46:21.304655,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop)
  This is the third problem for this particular call, adding DC to the negative cache list
[2017/06/12 15:46:21.307342,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1372(winbind_samlogon_retry_loop)
  The connection to netlogon failed, retrying
[2017/06/12 15:46:21.307962,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.307979,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1342(winbind_samlogon_retry_loop)
  Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 3)
[2017/06/12 15:46:21.307988,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1348(winbind_samlogon_retry_loop)
  This is again a problem for this particular call, forcing the close of this connection
[2017/06/12 15:46:21.307997,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1362(winbind_samlogon_retry_loop)
  This is the third problem for this particular call, adding DC to the negative cache list
[2017/06/12 15:46:21.308015,  2, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2033(winbind_dual_SamLogon)
  NTLM CRAP authentication for user []\[davidh] returned NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.308028,  4, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1394(child_handler)
  Finished processing child request 14
[2017/06/12 15:46:21.308040, 10, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:104(child_write_response)
  Writing 3496 bytes to parent


Regards
David Herselman
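The winbind trace quoted in the message is long and repetitive, and the relevant facts (which user was submitted, whether a domain was supplied, how many times the NETLOGON credential setup failed, and what status the SamLogon finally returned) are spread across many lines. The following parser is an added example, not part of the original post or of Samba: it reads winbindd debug output in the 'log level = 2 winbind:10' format shown above, correlates each 'pam auth crap' request with its final 'NTLM CRAP authentication ... returned' line by child pid, and counts the intervening 'rpccli_create_netlogon_creds failed' messages. The sample log embedded below is an excerpt of the trace quoted in the message; the regular expressions and the CrapAuthAttempt/report names are this example's own.

```python
"""Summarise winbindd AUTH_CRAP requests from a 'log level = 2 winbind:10' trace.

Added example (not Samba's code): correlates the 'pam auth crap domain: ... user: ...'
request line with the 'NTLM CRAP authentication for user [...]\\[...] returned ...'
result line of the same winbindd child pid, and counts NETLOGON credential failures
logged in between, so that empty-domain authentication failures stand out.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Header line: "[timestamp, level, pid=N, effective(..), real(..), class=winbind] source.c:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+), pid=(?P<pid>\d+)[^\]]*\]\s*(?P<src>\S+)\s*$"
)
# Request line: "[31938]: pam auth crap domain:  user: davidh"  (domain may be empty)
CRAP_RE = re.compile(r"pam auth crap domain:\s+(?:(?P<domain>\S+)\s+)?user:\s*(?P<user>\S+)")
# Result line: "NTLM CRAP authentication for user []\[davidh] returned NT_STATUS_NO_MEMORY"
RESULT_RE = re.compile(
    r"NTLM CRAP authentication for user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"returned (?P<status>NT_STATUS_\w+)"
)
NETLOGON_FAIL = "rpccli_create_netlogon_creds failed"


@dataclass
class CrapAuthAttempt:
    pid: str
    domain: str          # empty string when no domain was supplied
    user: str
    status: str | None = None
    netlogon_errors: int = 0


def parse_winbind_log(text: str) -> list[CrapAuthAttempt]:
    """Return one CrapAuthAttempt per AUTH_CRAP request found in the trace."""
    attempts: list[CrapAuthAttempt] = []
    in_flight: dict[str, CrapAuthAttempt] = {}   # pid -> attempt awaiting its result line
    current_pid: str | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = HEADER_RE.match(line)
        if header:
            current_pid = header.group("pid")   # the next message line belongs to this pid
            continue
        if current_pid is None:
            continue
        req = CRAP_RE.search(line)
        if req:
            attempt = CrapAuthAttempt(current_pid, req.group("domain") or "", req.group("user"))
            attempts.append(attempt)
            in_flight[current_pid] = attempt
            continue
        if NETLOGON_FAIL in line and current_pid in in_flight:
            in_flight[current_pid].netlogon_errors += 1
            continue
        res = RESULT_RE.search(line)
        if res and current_pid in in_flight:
            in_flight.pop(current_pid).status = res.group("status")
    return attempts


def report(attempts: list[CrapAuthAttempt]) -> list[str]:
    """One line per failed (or unresolved) attempt; successful logons are omitted."""
    lines = []
    for a in attempts:
        if a.status == "NT_STATUS_OK":
            continue
        domain = a.domain or "<empty>"
        lines.append(
            f"pid {a.pid}: CRAP auth for {domain}\\{a.user} -> {a.status or 'no result logged'} "
            f"({a.netlogon_errors} NETLOGON credential failure(s))"
        )
    return lines


# Excerpt of the trace quoted in the message (constructed sample input for this example).
SAMPLE_LOG = r"""[2017/06/12 15:46:21.302915,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2061(winbindd_dual_pam_auth_crap)
  [31938]: pam auth crap domain:  user: davidh
[2017/06/12 15:46:21.303466,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.303848,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.304224,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.304604,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.307962,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
[2017/06/12 15:46:21.308015,  2, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:2033(winbind_dual_SamLogon)
  NTLM CRAP authentication for user []\[davidh] returned NT_STATUS_NO_MEMORY
"""

if __name__ == "__main__":
    for entry in report(parse_winbind_log(SAMPLE_LOG)):
        print(entry)
```

Run against the excerpt, the report reduces the trace to a single line stating that the request for 'davidh' arrived with an empty domain, that NETLOGON credential setup failed five times, and that the logon returned NT_STATUS_NO_MEMORY; pointing the same parser at a full /var/log/samba/*.log makes it easy to compare attempts that carried the 'DOMAIN-01' prefix with those that did not.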

