[Samba] shared folder in the samba domain can't be accessed by trusting domain users

Mario Codeniera mario.codeniera at gmail.com
Tue Sep 11 03:16:22 UTC 2018


Hi,

Has anybody experienced a shared folder (in the SAMBAAD domain) that can't be
accessed from the trusting domain (TESTHV)?

Background: SAMBAAD has a one-way trust with TESTHV. TESTHV users can
log in on the SAMBAAD-connected machines. Currently using version 4.9.0rc5.

It works fine when SAMBAAD users access it, but users in TESTHV
cannot access it even though the permission has been added. Even changing
the ntlm, NTLMv2 settings in the Samba configuration was to no avail.

But the configuration seems weird with regard to NTLMv2; I don't know if it is
also related to the bugs on GPO
<https://bugzilla.samba.org/show_bug.cgi?id=11517> (in which the default
domain is the samba one, not the trusting domain).

> [2018/09/10 18:18:57.226639,  3]
> ../libcli/auth/schannel_state_tdb.c:199(schannel_fetch_session_key_tdb)
>   schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/VM000459
> [2018/09/10 18:18:57.227149,  3]
> ../libcli/auth/schannel_state_tdb.c:199(schannel_fetch_session_key_tdb)
>   schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/VM000459
> [2018/09/10 18:18:57.227191,  3]
> ../source4/auth/ntlm/auth.c:243(auth_check_password_send)
>   auth_check_password_send: Checking password for unmapped user
> [TESTHV]\[mtest]@[TESTHV-DC1]
>   auth_check_password_send: user is: [TESTHV]\[mtest]@[TESTHV-DC1]
> [2018/09/10 18:18:57.227872,  2]
> ../source4/auth/ntlm/auth.c:478(auth_check_password_recv)
>   auth_check_password_recv: NO_METHOD authentication for user
> [TESTHV\mtest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
> [2018/09/10 18:18:57.227909,  2]
> ../auth/auth_log.c:476(log_authentication_event_human_readable)
>   Auth: [SamLogon,network] user [TESTHV]\[mtest] at [Mon, 10 Sep 2018
> 18:18:57.227901 NZST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
> workstation [TESTHV-DC1] remote host [ipv4:192.168.179.229:50070] mapped
> to [TESTHV]\[mtest]. local host [ipv4:192.168.179.226:49153]  NETLOGON
> computer [VM000459] trust account [VM000459$]
> [2018/09/10 18:18:57.228057,  2]
> ../lib/audit_logging/audit_logging.c:141(audit_log_json)
>   JSON Authentication: {"timestamp": "2018-09-10T18:18:57.227924+1200",
> "type": "Authentication", "Authentication": {"version": {"major": 1,
> "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:
> 192.168.179.226:49153", "remoteAddress": "ipv4:192.168.179.229:50070",
> "serviceDescription": "SamLogon", "authDescription": "network",
> "clientDomain": "TESTHV", "clientAccount": "mtest", "workstation":
> "TESTHV-DC1", "becameAccount": null, "becameDomain": null, "becameSid":
> null, "mappedAccount": "mtest", "mappedDomain": "TESTHV",
> "netlogonComputer": "VM000459", "netlogonTrustAccount": "VM000459$",
> "netlogonNegotiateFlags": "0x612FFFFF", "netlogonSecureChannelType": 2,
> "netlogonTrustAccountSid":
> "S-1-5-21-3359915894-2567539813-9720661963-1612", "passwordType": "NTLMv2",
> "duration": 844}}
> [2018/09/10 18:18:57.237759,  3]
> ../libcli/auth/schannel_state_tdb.c:199(schannel_fetch_session_key_tdb)
>   schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/VM000459
> [2018/09/10 18:18:57.237791,  3]
> ../source4/auth/ntlm/auth.c:243(auth_check_password_send)
>   auth_check_password_send: Checking password for unmapped user
> [TESTHV]\[mtest]@[TESTHV-DC1]
>   auth_check_password_send: user is: [TESTHV]\[mtest]@[TESTHV-DC1]
> [2018/09/10 18:18:57.238119,  2]
> ../source4/auth/ntlm/auth.c:478(auth_check_password_recv)
>   auth_check_password_recv: NO_METHOD authentication for user
> [TESTHV\mtest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
> [2018/09/10 18:18:57.238143,  2]
> ../auth/auth_log.c:476(log_authentication_event_human_readable)
>   Auth: [SamLogon,network] user [TESTHV]\[mtest] at [Mon, 10 Sep 2018
> 18:18:57.238136 NZST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
> workstation [TESTHV-DC1] remote host [ipv4:192.168.179.229:50070] mapped
> to [TESTHV]\[mtest]. local host [ipv4:192.168.179.226:49153]  NETLOGON
> computer [VM000459] trust account [VM000459$]
> [2018/09/10 18:18:57.238217,  2]
> ../lib/audit_logging/audit_logging.c:141(audit_log_json)
>   JSON Authentication: {"timestamp": "2018-09-10T18:18:57.238153+1200",
> "type": "Authentication", "Authentication": {"version": {"major": 1,
> "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:
> 192.168.179.226:49153", "remoteAddress": "ipv4:192.168.179.229:50070",
> "serviceDescription": "SamLogon", "authDescription": "network",
> "clientDomain": "TESTHV", "clientAccount": "mtest", "workstation":
> "TESTHV-DC1", "becameAccount": null, "becameDomain": null, "becameSid":
> null, "mappedAccount": "mtest", "mappedDomain": "TESTHV",
> "netlogonComputer": "VM000459", "netlogonTrustAccount": "VM000459$",
> "netlogonNegotiateFlags": "0x612FFFFF", "netlogonSecureChannelType": 2,
> "netlogonTrustAccountSid":
> "S-1-5-21-3359915894-2567539813-9720661963-1612", "passwordType": "NTLMv2",
> "duration": 421}}
> [2018/09/10 18:18:57.248268,  3]
> ../libcli/auth/schannel_state_tdb.c:199(schannel_fetch_session_key_tdb)
>   schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/VM000459
> [2018/09/10 18:18:57.248307,  3]
> ../source4/auth/ntlm/auth.c:243(auth_check_password_send)
>   auth_check_password_send: Checking password for unmapped user
> [TESTHV]\[mtest]@[TESTHV-DC1]
>   auth_check_password_send: user is: [TESTHV]\[mtest]@[TESTHV-DC1]
> [2018/09/10 18:18:57.248645,  2]
> ../source4/auth/ntlm/auth.c:478(auth_check_password_recv)
>   auth_check_password_recv: NO_METHOD authentication for user
> [TESTHV\mtest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
> [2018/09/10 18:18:57.248667,  2]
> ../auth/auth_log.c:476(log_authentication_event_human_readable)
>   Auth: [SamLogon,network] user [TESTHV]\[mtest] at [Mon, 10 Sep 2018
> 18:18:57.248661 NZST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
> workstation [TESTHV-DC1] remote host [ipv4:192.168.179.229:50070] mapped
> to [TESTHV]\[mtest]. local host [ipv4:192.168.179.226:49153]  NETLOGON
> computer [VM000459] trust account [VM000459$]
> [2018/09/10 18:18:57.248760,  2]
> ../lib/audit_logging/audit_logging.c:141(audit_log_json)
>   JSON Authentication: {"timestamp": "2018-09-10T18:18:57.248677+1200",
> "type": "Authentication", "Authentication": {"version": {"major": 1,
> "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:
> 192.168.179.226:49153", "remoteAddress": "ipv4:192.168.179.229:50070",
> "serviceDescription": "SamLogon", "authDescription": "network",
> "clientDomain": "TESTHV", "clientAccount": "mtest", "workstation":
> "TESTHV-DC1", "becameAccount": null, "becameDomain": null, "becameSid":
> null, "mappedAccount": "mtest", "mappedDomain": "TESTHV",
> "netlogonComputer": "VM000459", "netlogonTrustAccount": "VM000459$",
> "netlogonNegotiateFlags": "0x612FFFFF", "netlogonSecureChannelType": 2,
> "netlogonTrustAccountSid":
> "S-1-5-21-3359915894-2567539813-9720661963-1612", "passwordType": "NTLMv2",
> "duration": 452}}
> [2018/09/10 18:18:57.821005,  2]
> ../source4/dsdb/samdb/ldb_modules/netlogon.c:161(fill_netlogon_samlogon_response)
>   Unable to find a correct reference to GUID
> '9fe2dd08-e8fe-435a-8633-79d8f28e6b84' or SID
> 'S-1-5-21-590730843-99389099-1391847318' in sam


In the PDC (Samba3.3) it only works for Windows 2012 Server, but beyond that it
is the same issue as above.

Thanks,
Mario
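
To triage a log like the one quoted above, the following added example (not part of the original post and not Samba's own code) reassembles the mail-quoted, line-wrapped `JSON Authentication:` audit records and counts failed logons per client domain, account, status and relaying NETLOGON machine. The sample input is constructed, including the `192.0.2.29` address and the `alice` account.

```python
import json
import re
from collections import Counter

MARKER = "JSON Authentication: "

# Constructed sample modelled on the quoted log: '>' mail quoting, wrapped lines.
SAMPLE = """\
> ../lib/audit_logging/audit_logging.c:141(audit_log_json)
>   JSON Authentication: {"timestamp": "2018-09-10T18:18:57.227924+1200",
> "type": "Authentication", "Authentication": {"status":
> "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:
> 192.0.2.29:50070", "clientDomain": "TESTHV", "clientAccount": "mtest",
> "netlogonComputer": "VM000459", "becameSid": null}}
>   JSON Authentication: {"type": "Authentication", "Authentication":
> {"status": "NT_STATUS_NO_SUCH_USER", "clientDomain": "TESTHV",
> "clientAccount": "mtest", "netlogonComputer": "VM000459"}}
>   JSON Authentication: {"type": "Authentication", "Authentication":
> {"status": "NT_STATUS_OK", "clientDomain": "SAMBAAD",
> "clientAccount": "alice", "netlogonComputer": null}}
>   JSON Authentication: {"type": "Authentication", "Authentic
"""

def extract_auth_events(log_text):
    """Return the Authentication dicts from '>'-quoted, line-wrapped log text."""
    lines = [re.sub(r"^>\s?", "", ln).strip() for ln in log_text.splitlines()]
    flat = " ".join(ln for ln in lines if ln)  # undo the mail client's wrapping
    # Assumption: a wrap right after "ipv4:" left a stray space in the address.
    flat = re.sub(r"(ipv[46]:)\s+", r"\1", flat)
    decoder, events, pos = json.JSONDecoder(), [], flat.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER)
        try:
            record, start = decoder.raw_decode(flat, start)
            if record.get("type") == "Authentication":
                events.append(record["Authentication"])
        except json.JSONDecodeError:
            pass  # truncated record: skip it and keep scanning
        pos = flat.find(MARKER, start)
    return events

def failed_logons(events):
    """Count non-OK results per (domain, account, status, relaying machine)."""
    return Counter(
        (e.get("clientDomain"), e.get("clientAccount"), e.get("status"),
         e.get("netlogonComputer"))
        for e in events if e.get("status") != "NT_STATUS_OK")
```
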