[Samba] Samba v3 works with LDAP, but not Samba v4

Emil Henry hbcsc153 at gmail.com
Tue Oct 16 19:44:36 UTC 2018


Hi Michal!

I am attaching the log for the smbclient connection. It might have
everything you asked for.

Thanks!

On Tue, Oct 16, 2018 at 12:24 PM Michal <Michal67M at seznam.cz> wrote:

> I cannot see any LDAP call; did you try to tcpdump for LDAP packets?
>
> Michal
>
> On Tue, 16 Oct 2018 at 21:14, Emil Henry via samba <
> samba at lists.samba.org> wrote:
>
>> Hello!
>>
>> We have Samba v3 (3.5.10) working against an LDAP server, and need to
>> upgrade to Samba v4 (4.7.1); RHEL 7 supports only v4. Tried multiple
>> configs of the smb.conf (including the old config) without success.
>> The cleaned-up smb.conf is below. Also included is the output of a
>> smbclient command on the SMBServer with debug option 10. Hoping that
>> someone can point me in the right direction.
>>
>> Thanks
>>
>> [global]
>>         security = user
>>         ldap user suffix = ou=people
>>         ldap group suffix = ou=groups
>>         ldap ssl = off
>>         ldap passwd sync = yes
>>         ldap delete dn = no
>>         workgroup = WORKGROUP
>>         server string = "Samba Drives"
>>         netbios name = SMBServer
>>         log file = /var/log/samba/log.%m
>>
>> # For debugging enable the log level of 5
>>         log level = 5
>>         max log size = 50
>>
>> # LDAP Settings
>>         ldap suffix = "o=EXAMPLE"
>>         ldap admin dn = "cn=PUSer,ou=Proxies,ou=Auth,o=EXAMPLE"
>>         passdb backend = ldapsam:ldap://ldapserver.example.com
>>
>> [homes]
>>         valid users = %S
>>         read only = No
>>         writeable = yes
>>         browseable = no
>>         create mask = 0600
>>         public = No
>>         comment = %u's Z-Drive
>>         nt acl support = no
>>         inherit permissions = no
>>         hide dot files = yes
>>         directory mask = 0700
>>         force create mode = 0700
>>         valid users = MYDOMAIN\%S
>>
>>
>> --------------------------------------------------------------------------------------------------
>> [root at SMBServer samba]# smbclient //localhost/share -U johndoe -d 10
>> INFO: Current debug levels:
>>   all: 10
>>   tdb: 10
>>   printdrivers: 10
>>   lanman: 10
>>   smb: 10
>>   rpc_parse: 10
>>   rpc_srv: 10
>>   rpc_cli: 10
>>   passdb: 10
>>   sam: 10
>>   auth: 10
>>   winbind: 10
>>   vfs: 10
>>   idmap: 10
>>   quota: 10
>>   acls: 10
>>   locking: 10
>>   msdfs: 10
>>   dmapi: 10
>>   registry: 10
>>   scavenger: 10
>>   dns: 10
>>   ldb: 10
>>   tevent: 10
>>   auth_audit: 10
>>   auth_json_audit: 10
>>   kerberos: 10
>>   drs_repl: 10
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> INFO: Current debug levels:
>>   all: 10
>>   tdb: 10
>>   printdrivers: 10
>>   lanman: 10
>>   smb: 10
>>   rpc_parse: 10
>>   rpc_srv: 10
>>   rpc_cli: 10
>>   passdb: 10
>>   sam: 10
>>   auth: 10
>>   winbind: 10
>>   vfs: 10
>>   idmap: 10
>>   quota: 10
>>   acls: 10
>>   locking: 10
>>   msdfs: 10
>>   dmapi: 10
>>   registry: 10
>>   scavenger: 10
>>   dns: 10
>>   ldb: 10
>>   tevent: 10
>>   auth_audit: 10
>>   auth_json_audit: 10
>>   kerberos: 10
>>   drs_repl: 10
>> Processing section "[global]"
>> doing parameter security = user
>> doing parameter ldap user suffix = ou=people
>> doing parameter ldap group suffix = ou=groups
>> doing parameter ldap ssl = off
>> doing parameter ldap passwd sync = yes
>> doing parameter ldap delete dn = no
>> doing parameter workgroup = WORKGROUP
>> doing parameter server string = "A Drives"
>> doing parameter netbios name = SMBServer
>> doing parameter log file = /var/log/samba/log.%m
>> doing parameter log level = 5
>> doing parameter max log size = 50
>> doing parameter ldap suffix = "o=EXAMPLE"
>> doing parameter ldap admin dn = "cn=cecs,ou=Proxies,ou=Auth,o=EXAMPLE"
>> doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
>> pm_process() returned Yes
>> lp_servicenumber: couldn't find homes
>> added interface enp7s0f1 ip=192.168.2.192 bcast=192.168.2.255
>> netmask=255.255.255.0
>> added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255
>> netmask=255.255.255.0
>> Netbios name list:-
>> my_netbios_names[0]="SMBServer"
>> Client started (version 4.7.1).
>> Opening cache file at /var/lib/samba/gencache.tdb
>> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
>> Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Wed Dec 31
>> 04:00:00 PM 1969 PST] (-1539716622 seconds in the past)
>> sitename_fetch: No stored sitename for realm ''
>> internal_resolve_name: looking up localhost#20 (sitename (null))
>> name localhost#20 found.
>> remove_duplicate_addrs2: looking for duplicate address/port pairs
>> Connecting to 127.0.0.1 at port 445
>> Socket options:
>>         SO_KEEPALIVE = 0
>>         SO_REUSEADDR = 0
>>         SO_BROADCAST = 0
>>         TCP_NODELAY = 1
>>         TCP_KEEPCNT = 9
>>         TCP_KEEPIDLE = 7200
>>         TCP_KEEPINTVL = 75
>>         IPTOS_LOWDELAY = 0
>>         IPTOS_THROUGHPUT = 0
>>         SO_REUSEPORT = 0
>>         SO_SNDBUF = 2626560
>>         SO_RCVBUF = 1061296
>>         SO_SNDLOWAT = 1
>>         SO_RCVLOWAT = 1
>>         SO_SNDTIMEO = 0
>>         SO_RCVTIMEO = 0
>>         TCP_QUICKACK = 1
>>         TCP_DEFER_ACCEPT = 0
>>  session request ok
>>  negotiated dialect[SMB3_11] against server[localhost]
>> got OID=1.3.6.1.4.1.311.2.2.10
>> Enter EXAMPLE.COM\johndoe's password:
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'ntlmssp_resume_ccache' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> Starting GENSEC mechanism spnego
>> Starting GENSEC submechanism ntlmssp
>>      negotiate: struct NEGOTIATE_MESSAGE
>>         Signature                : 'NTLMSSP'
>>         MessageType              : NtLmNegotiate (1)
>>         NegotiateFlags           : 0x62088215 (1644724757)
>>                1: NTLMSSP_NEGOTIATE_UNICODE
>>                0: NTLMSSP_NEGOTIATE_OEM
>>                1: NTLMSSP_REQUEST_TARGET
>>                1: NTLMSSP_NEGOTIATE_SIGN
>>                0: NTLMSSP_NEGOTIATE_SEAL
>>                0: NTLMSSP_NEGOTIATE_DATAGRAM
>>                0: NTLMSSP_NEGOTIATE_LM_KEY
>>                0: NTLMSSP_NEGOTIATE_NETWARE
>>                1: NTLMSSP_NEGOTIATE_NTLM
>>                0: NTLMSSP_NEGOTIATE_NT_ONLY
>>                0: NTLMSSP_ANONYMOUS
>>                0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>>                0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>>                0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>>                1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>                0: NTLMSSP_TARGET_TYPE_DOMAIN
>>                0: NTLMSSP_TARGET_TYPE_SERVER
>>                0: NTLMSSP_TARGET_TYPE_SHARE
>>                1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>                0: NTLMSSP_NEGOTIATE_IDENTIFY
>>                0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>>                0: NTLMSSP_NEGOTIATE_TARGET_INFO
>>                1: NTLMSSP_NEGOTIATE_VERSION
>>                1: NTLMSSP_NEGOTIATE_128
>>                1: NTLMSSP_NEGOTIATE_KEY_EXCH
>>                0: NTLMSSP_NEGOTIATE_56
>>         DomainNameLen            : 0x0000 (0)
>>         DomainNameMaxLen         : 0x0000 (0)
>>         DomainName               : *
>>             DomainName               : ''
>>         WorkstationLen           : 0x0000 (0)
>>         WorkstationMaxLen        : 0x0000 (0)
>>         Workstation              : *
>>             Workstation              : ''
>>         Version: struct ntlmssp_VERSION
>>             ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
>>             ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
>>             ProductBuild             : 0x0000 (0)
>>             Reserved: ARRAY(3)
>>                 [0]                      : 0x00 (0)
>>                 [1]                      : 0x00 (0)
>>                 [2]                      : 0x00 (0)
>>             NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x628a8215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_TARGET_TYPE_SERVER
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> short string '', sent with NULL termination despite NOTERM flag in IDL
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x62088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x62088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> SPNEGO login failed: The attempted logon is invalid. This is either due to
>> a bad username or authentication information.
>> session setup failed: NT_STATUS_LOGON_FAILURE
>
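
Michal's observation that the client trace contains no LDAP call can be checked mechanically. The following is an added example, not part of the original thread; `decode`, `triage` and the `SAMPLE` excerpt are constructed here from lines of the quoted `smbclient -d 10` output.

```python
import re

# NTLMSSP NegotiateFlags bits (MS-NLMP), only those that appear in the log.
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}

# Constructed sample: lines copied from the smbclient -d 10 output quoted above.
SAMPLE = """\
doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
 negotiated dialect[SMB3_11] against server[localhost]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
session setup failed: NT_STATUS_LOGON_FAILURE
"""

def decode(value):
    """Names of the set bits, lowest bit first; unknown bits shown as hex."""
    return [FLAGS.get(1 << i, hex(1 << i)) for i in range(32) if value >> i & 1]

def triage(log):
    """Summarise how far the client got and whether any LDAP call is logged."""
    lines = [l.strip() for l in log.splitlines()]
    flags = [int(h, 16) for h in re.findall(r"neg_flags=(0x[0-9a-fA-F]+)", log)]
    dialect = re.search(r"negotiated dialect\[(\w+)\]", log)
    status = re.search(r"\b(NT_STATUS_\w+)", log)
    return {
        "dialect": dialect.group(1) if dialect else None,
        "mechs": [l.split()[-1] for l in lines if l.startswith("Starting GENSEC")],
        # flags the server offered in its challenge that the final set lacks
        "server_only": decode(flags[0] & ~flags[-1]) if flags else [],
        "status": status.group(1) if status else None,
        # smb.conf echo lines mention ldap; anything else would be a real call
        "ldap_activity": [l for l in lines
                          if "ldap" in l.lower() and not l.startswith("doing parameter")],
    }
```

On the excerpt, `triage(SAMPLE)["ldap_activity"]` is empty and the only flags absent from the final set are the two target-related ones the server added in its challenge, so flag negotiation finished normally before `NT_STATUS_LOGON_FAILURE`. The `ldapsam` lookup is performed by smbd, so its trace belongs in the server-side file named by `log file`, not in this client output.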

