[Samba] authentication failures

Adam Weremczuk adamw at matrixscience.com
Thu Jun 13 08:26:31 UTC 2019


Hi all,

I'm trying to make pfSense talk to Samba AD LDAP through "bind 
credentials to resolve distinguished names" option.

One account connects successfully (Samba logs):

[2019/06/12 14:34:41.517364,  3] 
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2019/06/12 14:34:41.520731,  3] 
../source4/auth/ntlm/auth.c:271(auth_check_password_send)
   auth_check_password_send: Checking password for unmapped user 
[MATRIX_SCIENCE]\[account1]@[(null)]
   auth_check_password_send: mapped user is: 
[MATRIX_SCIENCE]\[account1]@[(null)]
[2019/06/12 14:34:41.521510,  4] 
../source4/auth/sam.c:183(authsam_account_ok)
   authsam_account_ok: Checking SMB password for user account1

The other one fails:

[2019/06/12 15:09:56.215000,  3] 
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2019/06/12 15:09:56.217871,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'ldapsrv_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2019/06/12 15:09:56.217941,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[ldapsrv_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

I get the same failure when I try it against the primary DC (Samba 
4.0.9) and the replica (Samba 4.5.16) which I've deployed as a 
soon-to-be replacement.

All credentials are valid as I can log in to the domain with both.

Both accounts, as far as I can tell, look identical from AD perspective.

The only difference that I can spot is when I run:

ldapsearch -D 'account@matrixscience.co.uk' -b 'cn=Users,dc=matrixscience,dc=co,dc=uk' -H ldap://dc15 -W sAMAccountName=account

The responses are successful and identical apart from these 2 lines:

msDS-SupportedEncryptionTypes: 0
msSFU30Name: account2

which only appear for the second (problematic) account.

Any idea what the second account is missing?

The difference in my opinion must be restricted to what's replicated 
between domain controllers.

Thanks,
Adam
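The comparison step described in the post (run ldapsearch for each account, then look for the attributes that differ) can be scripted so that per-object noise such as the DN, SIDs and timestamps is ignored and only the substantive differences are reported. The block below is an added example, not code from the post or from the Samba project. It works offline on two constructed LDIF records that mirror the two accounts in the post (the values are made up, only the two differing attributes are taken from the message), and it decodes msDS-SupportedEncryptionTypes using the bit assignments Microsoft documents for that attribute; the attribute set in IGNORE is an assumption about which attributes always differ between two distinct objects.

```python
"""Diff two AD user records and decode msDS-SupportedEncryptionTypes.

Added example.  The LDIF below is constructed to resemble the two accounts
in the post; it is not real ldapsearch output.
"""
from typing import Dict, List, Tuple

# Bit assignments for msDS-SupportedEncryptionTypes as documented by
# Microsoft (MS-ADTS / MS-KILE).  A value of 0 sets none of them.
ENC_TYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# Attributes that are expected to differ between any two distinct objects
# and therefore carry no signal when comparing two accounts (assumption).
IGNORE = {
    "dn", "cn", "name", "distinguishedName", "sAMAccountName",
    "userPrincipalName", "objectGUID", "objectSid", "whenCreated",
    "whenChanged", "uSNCreated", "uSNChanged", "dSCorePropagationData",
}

# Constructed records: account2 carries the two extra attributes the post
# reports as the only visible difference.
ACCOUNT1_LDIF = """\
dn: CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk
objectClass: user
cn: account1
sAMAccountName: account1
userPrincipalName: account1@matrixscience.co.uk
userAccountControl: 66048
description: service account used by pfSense
  for LDAP lookups
"""

ACCOUNT2_LDIF = """\
dn: CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk
objectClass: user
cn: account2
sAMAccountName: account2
userPrincipalName: account2@matrixscience.co.uk
userAccountControl: 66048
description: service account used by pfSense
  for LDAP lookups
msDS-SupportedEncryptionTypes: 0
msSFU30Name: account2
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Handles LDIF line folding (continuation lines start with one space)
    and keeps base64 values ("attr:: ...") verbatim without decoding.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = value[1:]
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def diff_entries(a: Dict[str, List[str]], b: Dict[str, List[str]],
                 ignore=frozenset()) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {attribute: (values_in_a, values_in_b)} for every attribute
    that is present in only one entry or has different values."""
    out = {}
    for name in sorted((set(a) | set(b)) - set(ignore)):
        va, vb = a.get(name, []), b.get(name, [])
        if va != vb:
            out[name] = (va, vb)
    return out


def decode_enc_types(value: int) -> List[str]:
    """Expand an msDS-SupportedEncryptionTypes bitmask into type names."""
    return [name for bit, name in ENC_TYPE_BITS.items() if value & bit]


def compare_accounts(ldif_a: str = ACCOUNT1_LDIF,
                     ldif_b: str = ACCOUNT2_LDIF):
    """Diff two LDIF records, ignoring per-object identity attributes."""
    return diff_entries(parse_ldif(ldif_a), parse_ldif(ldif_b), IGNORE)


if __name__ == "__main__":
    for attr, (va, vb) in compare_accounts().items():
        print(f"{attr}: {va or '<absent>'} -> {vb or '<absent>'}")
        if attr == "msDS-SupportedEncryptionTypes":
            for v in vb:
                print(f"  decoded {v}: {decode_enc_types(int(v)) or 'no types set'}")
```

Against real data, feed the script the output of two `ldapsearch -LLL` runs (one per account) instead of the constructed strings; the attribute list in IGNORE is the part you would tune for your own forest.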


