[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.

Marco Gaiarin gaio at sv.lnf.it
Tue Sep 25 16:05:22 UTC 2018


Hello! L.P.H. van Belle via samba
  On that day it was said...

> Now remove the : map to guest =
> Setting from your smb.conf, because you will never get this right if you keep using that.
> Check/test without the setting and post the logs so we can see the result of that.

Seems the same thing.

[2018/09/25 17:48:23.191423,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [dominique]\[Administrator]@[DOMINIQUE] with the new password interface
[2018/09/25 17:48:23.191437,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [dominique]\[Administrator]@[DOMINIQUE]
[2018/09/25 17:48:23.191450,  5] ../lib/util/util.c:514(dump_data)
  [0000] B3 87 AB FB 08 65 57 E9                             .....eW. 
[2018/09/25 17:48:23.191479,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2018/09/25 17:48:23.191505,  4] ../source3/smbd/uid.c:493(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2018/09/25 17:48:23.191519,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2018/09/25 17:48:23.191532,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/09/25 17:48:23.191545,  5] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/09/25 17:48:23.193391,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/09/25 17:48:23.193422,  5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 17:48:23.193469,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 17:48:23.193501,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [dominique]\[Administrator] at [mar, 25 set 2018 17:48:23.193491 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DOMINIQUE] remote host [ipv4:10.5.2.37:58918] mapped to [dominique]\[Administrator]. local host [ipv4:10.5.1.26:445] 
[2018/09/25 17:48:23.193810,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-25T17:48:23.193744+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.5.1.26:445", "remoteAddress": "ipv4:10.5.2.37:58918", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "dominique", "clientAccount": "Administrator", "workstation": "DOMINIQUE", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "Administrator", "mappedDomain": "dominique", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2018/09/25 17:48:23.193851,  5] ../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
  Checking NTLMSSP password for dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 17:48:23.193876,  5] ../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD
[2018/09/25 17:48:23.193902,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/09/25 17:48:23.193933,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: ntlmssp[0x5594f55535d0]: NT_STATUS_WRONG_PASSWORD
[2018/09/25 17:48:23.193956,  3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_PASSWORD
[2018/09/25 17:48:23.194043,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: spnego[0x5594f5552720]: NT_STATUS_WRONG_PASSWORD


> Are you setting up a "Guest" share services OR a GUEST SERVER access in total, also 2 different things.
> For example, you setup and have the following result.
> \\server   ( access denied )
> \\server\guestshare ( access granted )

No, guest share. If I do in explorer '\\server\', I input some domain
credential and then rerun \\server\myguestshare\myscript.bat, it clearly
works, because I'm using the previously input domain credentials.


> And if you want the behavior back as you had in 4.5, that is possible, but only by reverting back.
> Windows and Samba have had so many security fixes which resulted in your problem now with 4.8.
> A setup which isn't compatible with current standards.

I need 'winbind use default domain = yes'.

But I suppose it applies only to the ''current'' domain, e.g. if I have:

	security = ADS
	workgroup = LNFFVG
	winbind use default domain = yes

'LNFFVG\gaio' becomes 'gaio'. And the manpage misleads me:

	Users without a domain component are treated as is part of the
	winbindd server's own domain.

For me 'own domain' is LNFFVG.

OK, I'm reading this sentence in reverse, but from the log it seems clear to me
that the Windows client presents itself as DOMINIQUE\Administrator, so I
don't understand why it gets 'mapped' to LNFFVG\Administrator...


Clearly I cannot revert to 4.5, nor backport some patches and manage
'my' samba version.

I'm simply asking why the behaviour changed between 4.5 and 4.8...

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
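
An added example, not part of the original post: a small parser for the `JSON Authentication:` lines that `log_json` writes in the log quoted above, which lists each authentication's status and flags events where the mapped domain differs from the domain the client presented. The sample log is constructed: the first event reuses fields from the quoted line, while the second (a remap to LNFFVG) and the truncated third are invented for illustration.

```python
import json
import re

# Constructed sample: the first event copies fields from the log quoted above,
# the second is an invented domain-remap case, the third is a truncated line.
SAMPLE_LOG = r'''
[2018/09/25 17:48:23.193810,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.5.2.37:58918", "clientDomain": "dominique", "clientAccount": "Administrator", "workstation": "DOMINIQUE", "mappedAccount": "Administrator", "mappedDomain": "dominique", "passwordType": "NTLMv2"}}
[2018/09/25 17:48:23.193851,  5] ../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
  Checking NTLMSSP password for dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 17:50:01.000000,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.5.2.37:58920", "clientDomain": "DOMINIQUE", "clientAccount": "gaio", "workstation": "DOMINIQUE", "mappedAccount": "gaio", "mappedDomain": "LNFFVG", "passwordType": "NTLMv2"}}
[2018/09/25 17:50:02.000000,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STAT
'''

MARKER = re.compile(r"^\s*JSON Authentication:\s*(\{.*)$")


def parse_auth_events(log_text):
    """Return (events, malformed_count) for every JSON Authentication line."""
    events, malformed = [], 0
    for line in log_text.splitlines():
        match = MARKER.match(line)
        if not match:
            continue
        try:
            rec = json.loads(match.group(1))["Authentication"]
        except (ValueError, KeyError):
            malformed += 1  # truncated line or unexpected payload shape
            continue
        client_dom = rec.get("clientDomain") or ""
        mapped_dom = rec.get("mappedDomain") or ""
        events.append({
            "status": rec.get("status"),
            "remote": rec.get("remoteAddress"),
            "client": f"{client_dom}\\{rec.get('clientAccount')}",
            "mapped": f"{mapped_dom}\\{rec.get('mappedAccount')}",
            # Domain names are case-insensitive; flag only a real change.
            "remapped": client_dom.casefold() != mapped_dom.casefold(),
        })
    return events, malformed


if __name__ == "__main__":
    events, malformed = parse_auth_events(SAMPLE_LOG)
    for ev in events:
        flag = " DOMAIN-REMAPPED" if ev["remapped"] else ""
        print(f'{ev["status"]:<26} {ev["client"]} -> {ev["mapped"]} from {ev["remote"]}{flag}')
    print(f"malformed JSON lines skipped: {malformed}")
```
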


