[Samba] Samba v3 works with LDAP, but not Samba v4
Emil Henry
hbcsc153 at gmail.com
Wed Oct 17 03:20:49 UTC 2018
Hi Andrew!
I am not 100% sure that the password is correct. I was told that it was
changed to the one I am testing. But, when I try the old password, I get a
different error message (NT_STATUS_INVALID_SID). I will attached the
output.
I added the 'ntlm auth = yes' to the smb.conf. How would I change the
client?
The version of Samba that we are running is 4.7.1, which is the latest
version that is available in the yum repository.
Thanks.
[root at SMBServer ~]# smbclient //localhost/share -U johndoe -d 10
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
Processing section "[global]"
doing parameter security = user
doing parameter ldap user suffix = ou=people
doing parameter ldap group suffix = ou=groups
doing parameter ldap ssl = off
doing parameter ldap passwd sync = yes
doing parameter ldap delete dn = no
doing parameter workgroup = example.com
doing parameter server string = "Samba Drives"
doing parameter netbios name = SMBServer
doing parameter log file = /var/log/samba/log.%m
doing parameter log level = 5
doing parameter max log size = 50
doing parameter ldap suffix = "o=EXAMPLE"
doing parameter ldap admin dn = "cn=PUser,ou=Proxies,ou=Auth,o=EXAMPLE"
doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
doing parameter ntlm auth = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface enp7s0f1 ip=192.168.2.122 bcast=192.168.2.255
netmask=255.255.255.0
added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SMBServer"
Client started (version 4.7.1).
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Wed Dec 31
04:00:00 PM 1969 PST] (-1539746033 seconds in the past)
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up localhost#20 (sitename (null))
name localhost#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 127.0.0.1 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061296
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
negotiated dialect[SMB3_11] against server[localhost]
got OID=1.3.6.1.4.1.311.2.2.10
Enter EXAMPLE.COM\johndoe's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_SERVER
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
short string '', sent with NULL termination despite NOTERM flag in IDL
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID
On Tue, Oct 16, 2018 at 5:39 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2018-10-16 at 15:18 -0700, Emil Henry wrote:
> > Hi Andrew!
> >
> > I included it in one response, but may have not done a Reply All. Am
> resending it.
> >
> > Thanks.
>
> It is reading the hashes, so it looks like it is working. Dumb
> question, but are you really sure the password is right?
>
> Otherwise, it might be some very odd NTLMv2 thing. Try (on the client)
> 'client ntlmv2 auth = no' and 'ntlm auth = yes' (on the server) just to
> rule that out.
>
> Also please try with Samba 4.9, Samba 4.1 is very old and there may be
> something else we have fixed.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>
More information about the samba
mailing list