[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth

David Herselman dhe at syrex.co
Wed Jun 14 06:58:18 UTC 2017


Hi Rowland,

I did enable NTLMv1 to provide necessary support for pppd for PPTP VPN connections and that's working as expected. I however do not find any release notes pertaining to 'winbind use default domain = yes' no longer working on a Samba DC. The Samba man pages appear to detail options which apply to winbindd (https://www.samba.org/samba/docs/man/manpages/winbindd.8.html), which includes the 'winbind use default domain' option. The only reference to this not working on a Samba DC was a post I stumbled on from a while ago where the claim wasn't substantiated and indicated that none of the winbind options in smb.conf applied.

Everything worked perfectly on 4.4.5. Could you point me somewhere where this was discussed, and possibly a workaround, as it breaks legacy mail processing?

Are the ntlm_auth problems pertaining to the following debug not an issue and as such acceptable?
[2017/06/12 15:46:21.303848,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY



PS: Apologies about the late reply, I only discovered your reply on the samba mailing list archive. It would appear that it takes a while before new subscribers start receiving messages...


Regards
David Herselman


-----Original Message-----
From: Rowland Penny
Sent: Mon Jun 12 15:52:40 UTC 2017
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth

On Mon, 12 Jun 2017 13:56:14 +0000
David Herselman via samba <samba at lists.samba.org> wrote:

> Hi everyone,
> 
> We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be
> experiencing a problem with authentication, when the RPC domain is
> not supplied as part of the username.
> 

'winbind use default domain = yes' doesn't work on a DC

I think your main problem can be explained by this extract from the
release notes for 4.5.0:

NTLMv1 authentication disabled by default
-----------------------------------------

In order to improve security we have changed
the default value for the "ntlm auth" option from
"yes" to "no". This may have impact on very old
clients which doesn't support NTLMv2 yet.

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

By default, Samba will only allow NTLMv2 via NTLMSSP now,
as we have the following default "lanman auth = no",
"ntlm auth = no" and "raw NTLMv2 auth = no".

Rowland
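
Added example, not part of either message and not Samba project code: a small check that reads the [global] section of an smb.conf and reports which of the three options named in the 4.5.0 release notes have been switched back on. It assumes the options are plain booleans as described in the quoted notes, does not follow include files, and runs on a constructed sample config.

```python
# Boolean spellings Samba accepts for "on".
TRUE_WORDS = {"yes", "true", "on", "1"}
# Defaults since 4.5.0, as quoted in the release notes above.
DEFAULTS = {"lanman auth": "no", "ntlm auth": "no", "raw NTLMv2 auth": "no"}

def _norm(name):
    # Samba compares parameter names ignoring case and whitespace.
    return "".join(name.split()).lower()

def effective_legacy_auth(conf_text):
    """Return {option: (enabled, explicitly_set)} for the [global] section."""
    seen, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        seen[_norm(key)] = value.strip().lower()  # a later assignment overrides
    result = {}
    for option, default in DEFAULTS.items():
        value = seen.get(_norm(option), default)
        result[option] = (value in TRUE_WORDS, _norm(option) in seen)
    return result

def weakened(conf_text):
    """Options that differ from the 4.5.0 defaults by being enabled."""
    return sorted(o for o, (on, _) in effective_legacy_auth(conf_text).items() if on)

# Constructed sample config (not taken from the thread).
SAMPLE = """
[global]
    workgroup = DOMAIN-01
    ; re-enabled for pppd MSCHAPv2
    NTLM Auth = Yes
    winbind use default domain = yes
[share]
    path = /srv/share
"""

if __name__ == "__main__":
    for opt, (on, explicit) in effective_legacy_auth(SAMPLE).items():
        print(f"{opt}: {'yes' if on else 'no'} ({'set' if explicit else 'default'})")
    print("weakened:", weakened(SAMPLE))
```

On a live system, `testparm -sv` prints the effective values including defaults and is the authoritative source.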

