[Samba] Samba v3 works with LDAP, but not Samba v4
Andrew Bartlett
abartlet at samba.org
Wed Oct 17 03:36:35 UTC 2018
On Tue, 2018-10-16 at 20:20 -0700, Emil Henry wrote:
> Hi Andrew!
>
> I am not 100% sure that the password is correct. I was told that it
> was changed to the one I am testing. But, when I try the old
> password, I get a different error message (NT_STATUS_INVALID_SID). I
> will attach the output.
Then it is the old password, and you have other issues you need to sort
out.
Again, the server-side log will show more about what is wrong, but look
up the error message, it typically means your primary group ID is
mapped incorrectly in idmap.
> I added the 'ntlm auth = yes' to the smb.conf. How would I change the client?
The client uses the smb.conf on the host it runs on. But the above
suggests that the issue was just a wrong password.
> The version of Samba that we are running is 4.7.1, which is the latest version that is available in the yum repository.
OK, I must have mis-read that.
Sorry,
Andrew Bartlett
> Thanks.
>
> [root at SMBServer ~]# smbclient //localhost/share -U johndoe -d 10
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> Processing section "[global]"
> doing parameter security = user
> doing parameter ldap user suffix = ou=people
> doing parameter ldap group suffix = ou=groups
> doing parameter ldap ssl = off
> doing parameter ldap passwd sync = yes
> doing parameter ldap delete dn = no
> doing parameter workgroup = example.com
> doing parameter server string = "Samba Drives"
> doing parameter netbios name = SMBServer
> doing parameter log file = /var/log/samba/log.%m
> doing parameter log level = 5
> doing parameter max log size = 50
> doing parameter ldap suffix = "o=EXAMPLE"
> doing parameter ldap admin dn = "cn=PUser,ou=Proxies,ou=Auth,o=EXAMPLE"
> doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
> doing parameter ntlm auth = yes
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface enp7s0f1 ip=192.168.2.122 bcast=192.168.2.255 netmask=255.255.255.0
> added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="SMBServer"
> Client started (version 4.7.1).
> Opening cache file at /var/lib/samba/gencache.tdb
> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
> Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Wed Dec 31 04:00:00 PM 1969 PST] (-1539746033 seconds in the past)
> sitename_fetch: No stored sitename for realm ''
> internal_resolve_name: looking up localhost#20 (sitename (null))
> name localhost#20 found.
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> Connecting to 127.0.0.1 at port 445
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 2626560
> SO_RCVBUF = 1061296
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> session request ok
> negotiated dialect[SMB3_11] against server[localhost]
> got OID=1.3.6.1.4.1.311.2.2.10
> Enter EXAMPLE.COM\johndoe's password:
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism ntlmssp
> negotiate: struct NEGOTIATE_MESSAGE
> Signature : 'NTLMSSP'
> MessageType : NtLmNegotiate (1)
> NegotiateFlags : 0x62088215 (1644724757)
> 1: NTLMSSP_NEGOTIATE_UNICODE
> 0: NTLMSSP_NEGOTIATE_OEM
> 1: NTLMSSP_REQUEST_TARGET
> 1: NTLMSSP_NEGOTIATE_SIGN
> 0: NTLMSSP_NEGOTIATE_SEAL
> 0: NTLMSSP_NEGOTIATE_DATAGRAM
> 0: NTLMSSP_NEGOTIATE_LM_KEY
> 0: NTLMSSP_NEGOTIATE_NETWARE
> 1: NTLMSSP_NEGOTIATE_NTLM
> 0: NTLMSSP_NEGOTIATE_NT_ONLY
> 0: NTLMSSP_ANONYMOUS
> 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> 0: NTLMSSP_TARGET_TYPE_DOMAIN
> 0: NTLMSSP_TARGET_TYPE_SERVER
> 0: NTLMSSP_TARGET_TYPE_SHARE
> 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> 0: NTLMSSP_NEGOTIATE_IDENTIFY
> 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> 0: NTLMSSP_NEGOTIATE_TARGET_INFO
> 1: NTLMSSP_NEGOTIATE_VERSION
> 1: NTLMSSP_NEGOTIATE_128
> 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> 0: NTLMSSP_NEGOTIATE_56
> DomainNameLen : 0x0000 (0)
> DomainNameMaxLen : 0x0000 (0)
> DomainName : *
> DomainName : ''
> WorkstationLen : 0x0000 (0)
> WorkstationMaxLen : 0x0000 (0)
> Workstation : *
> Workstation : ''
> Version: struct ntlmssp_VERSION
> ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
> ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
> ProductBuild : 0x0000 (0)
> Reserved: ARRAY(3)
> [0] : 0x00 (0)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
> Got challenge flags:
> Got NTLMSSP neg_flags=0x628a8215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_TARGET_TYPE_SERVER
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_TARGET_INFO
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> short string '', sent with NULL termination despite NOTERM flag in IDL
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: Indicates the SID structure is not valid.
> session setup failed: NT_STATUS_INVALID_SID
>
>
> On Tue, Oct 16, 2018 at 5:39 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > On Tue, 2018-10-16 at 15:18 -0700, Emil Henry wrote:
> > > Hi Andrew!
> > >
> > > I included it in one response, but may have not done a Reply All. Am resending it.
> > >
> > > Thanks.
> >
> > It is reading the hashes, so it looks like it is working. Dumb
> > question, but are you really sure the password is right?
> >
> > Otherwise, it might be some very odd NTLMv2 thing. Try (on the client)
> > 'client ntlmv2 auth = no' and 'ntlm auth = yes' (on the server) just to
> > rule that out.
> >
> > Also please try with Samba 4.9, Samba 4.1 is very old and there may be
> > something else we have fixed.
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
> >
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
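As an added example (not from the thread or from Samba itself): a small Python helper that decodes the NTLMSSP neg_flags words printed in the smbclient -d 10 output above against the MS-NLMP bit values and extracts the final NT_STATUS, so the challenge and final flag sets can be compared without reading the whole dump. The sample log is a constructed excerpt of the quoted output; the function names are my own.

```python
import re
# NTLMSSP NegotiateFlags bits (MS-NLMP 2.2.2.5), named as Samba prints them.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000100: "NTLMSSP_NEGOTIATE_NETWARE",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000400: "NTLMSSP_NEGOTIATE_NT_ONLY",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00004000: "NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00040000: "NTLMSSP_TARGET_TYPE_SHARE",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

def decode_flags(value):
    # Names of the bits set in one neg_flags word, lowest bit first.
    return [n for bit, n in sorted(NTLMSSP_FLAGS.items()) if value & bit]

def summarise_log(text):
    # Every neg_flags word in log order (challenge, final, sign/seal) plus
    # the NT_STATUS the session setup ended with.
    words = [int(h, 16) for h in re.findall(r"neg_flags=0x([0-9a-fA-F]+)", text)]
    status = re.search(r"session setup failed: (NT_STATUS_\w+)", text)
    return {"flags": [decode_flags(w) for w in words],
            "status": status.group(1) if status else "NT_STATUS_OK"}

# Constructed excerpt of the smbclient -d 10 output quoted in the thread.
SAMPLE_LOG = """\
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
session setup failed: NT_STATUS_INVALID_SID
"""
```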