[Samba] smbclient works, mount.cifs fails NT_STATUS_LOGON_FAILURE in Samba 4.8.3

Wed Jan 23 08:31:41 UTC 2019

On Tue, 22 Jan 2019 13:43:33 -0800
Jordan Castillo via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I am attempting to debug an issue with my Samba configuration. It has
> been working fine, but we recently updated Samba from 4.6.x to 4.8.3
> and are now seeing some issues authenticating.
> 
> Most of our servers are still working fine after the upgrade, but one
> server is giving us issues. A little more environment info: The
> server is running Centos 7.1. Windows clients can connect OK. We are
> using sssd server-side to connect to Active Directory for Windows
> auth. Linux and OS X clients are encountering issues mounting the smb
> share directly, although this was working correctly prior to updating
> sssd and samba.
> 
> I am working on a Fedora 28 workstation. When I attempt to connect to
> the share with smbclient using this command:
> 
> `smbclient //server.domain.com/SHARED -U DOMAIN.COM\\jsmith`
> 
> I enter my password, it works and appears to auth with kerberos:

No it isn't, that's using NTLM and NTLMv2 became the default at 4.7.0

> 
> ```
> [2019/01/22 13:23:53.850746,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_spnego' registered
> [2019/01/22 13:23:53.850783,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_krb5' registered
> [2019/01/22 13:23:53.850808,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_krb5_sasl' registered
> [2019/01/22 13:23:53.850819,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'spnego' registered
> [2019/01/22 13:23:53.850836,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'schannel' registered
> [2019/01/22 13:23:53.850846,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'naclrpc_as_system' registered
> [2019/01/22 13:23:53.850855,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'sasl-EXTERNAL' registered
> [2019/01/22 13:23:53.850870,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'ntlmssp' registered
> [2019/01/22 13:23:53.850919,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'ntlmssp_resume_ccache' registered
> [2019/01/22 13:23:53.850935,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_basic' registered
> [2019/01/22 13:23:53.850953,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_ntlm' registered
> [2019/01/22 13:23:53.850962,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_negotiate' registered
> [2019/01/22 13:23:56.488705,  3]
> ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
>   Found account name from PAC: jsmith [John Smith]
> [2019/01/22 13:23:56.488742,  3]
> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>   Kerberos ticket principal name is [jsmith at DOMAIN.COM]
> ```
> When I attempt to mount the share with mount using this command:
> 
> `sudo mount -v -t cifs  -o username=jsmith,domain=domain.com //
> server.domain.com/SHARED SHARED`

If you want to use kerberos, you have to tell mount.cifs to use it with
'sec=krb5' or 'sec=krb5i', see 'man mount.cifs' for more info

> 
> I get hit with 'mount error(13): Permission denied' client-side and
> see this output in the server's log:
> 
> ```
> [2019/01/22 13:26:49.466127,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_spnego' registered
> [2019/01/22 13:26:49.466161,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_krb5' registered
> [2019/01/22 13:26:49.466177,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'gssapi_krb5_sasl' registered
> [2019/01/22 13:26:49.466249,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'spnego' registered
> [2019/01/22 13:26:49.466274,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'schannel' registered
> [2019/01/22 13:26:49.466341,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'naclrpc_as_system' registered
> [2019/01/22 13:26:49.466353,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'sasl-EXTERNAL' registered
> [2019/01/22 13:26:49.466403,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'ntlmssp' registered
> [2019/01/22 13:26:49.466411,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'ntlmssp_resume_ccache' registered
> [2019/01/22 13:26:49.466420,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_basic' registered
> [2019/01/22 13:26:49.466430,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_ntlm' registered
> [2019/01/22 13:26:49.466439,  3]
> ../auth/gensec/gensec_start.c:977(gensec_register)
>   GENSEC backend 'http_negotiate' registered
> [2019/01/22 13:26:49.469535,  3]
> ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0xe0080225
>     NTLMSSP_NEGOTIATE_UNICODE
>     NTLMSSP_REQUEST_TARGET
>     NTLMSSP_NEGOTIATE_SEAL
>     NTLMSSP_NEGOTIATE_NTLM
>     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>     NTLMSSP_NEGOTIATE_128
>     NTLMSSP_NEGOTIATE_KEY_EXCH
>     NTLMSSP_NEGOTIATE_56
> [2019/01/22 13:26:49.469907,  3]
> ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
>   Got user=[jsmith] domain=[domain.com] workstation=[] len1=0 len2=168
> [2019/01/22 13:26:49.470215,  2]
> ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[rhome]"
> [2019/01/22 13:26:49.470263,  2]
> ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[it_home]"
> [2019/01/22 13:26:49.470297,  2]
> ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[vpnhome]"
> [2019/01/22 13:26:49.470357,  2]
> ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[shared]"
> [2019/01/22 13:26:49.470412,  2]
> ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[dev-share]"
> [2019/01/22 13:26:49.470457,  2]
> ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[scans]"
> [2019/01/22 13:26:49.470528,  3]
> ../source3/auth/auth.c:189(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user
> [domain.com]\[jsmith]@[]
> with the new password interface
> [2019/01/22 13:26:49.470538,  3]
> ../source3/auth/auth.c:192(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [domain.com]\[jsmith]@[]
> [2019/01/22 13:26:49.470582,  2]
> ../source3/auth/auth.c:332(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [jsmith] -> [jsmith]
> FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
> [2019/01/22 13:26:49.470619,  2]
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [SMB2,(null)] user [domain.com]\[jsmith] at [Tue, 22 Jan 2019
> 13:26:49.470605 PST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE]
> workstation [] remote host [ipv4:192.168.10.100:55024] mapped to
> [domain.com]\[jsmith].
> local host [ipv4:192.168.20.200:445]
> ```
> Here is my smb.conf file:
> 
> ```
> [global]
>    min protocol = SMB2
>    workgroup = DOMAIN
>    realm = DOMAIN.COM
>    security = ads
>    password server = ad1.domain.com ad2.domain.com

Don't set 'password server', let Samba find the password server.

>    kerberos method = secrets and keytab
>    template shell = /bin/bash
>    encrypt passwords = yes
> 
>    log file = /var/log/samba/log.%U
>    log level = 2 auth:4
> 
>    idmap config * : backend = tdb
>    idmap config * : range = 500-9999999999
>    idmap config DOMAIN.COM:default = true
>    idmap config DOMAIN.COM:backend = ad
>    idmap config DOMAIN.COM:range = 500-9999999999

There are 4 things wrong with the above block:

1) '500' is a bad number to start from.
2) The ranges are not supposed to overlap, you don't get much more of an
overlap than when the ranges match.
3) You have used 'DOMAIN.COM' which is your realm, it should be
'DOMAIN' which is the workgroup.
4) You are using sssd (which is not supported by Samba) so you
shouldn't have it anyway.

> 
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
> ```
> 
> In case it helps, sssd.conf:

No it doesn't, Samba doesn't support sssd.

Rowland