[Samba] authentication failures
Adam Weremczuk
adamw at matrixscience.com
Thu Jun 13 08:26:31 UTC 2019
Hi all,
I'm trying to make pfSense talk to Samba AD LDAP through the "bind credentials to resolve distinguished names" option.
One of the accounts successfully connects (Samba logs):
[2019/06/12 14:34:41.517364, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2019/06/12 14:34:41.520731, 3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [MATRIX_SCIENCE]\[account1]@[(null)]
  auth_check_password_send: mapped user is: [MATRIX_SCIENCE]\[account1]@[(null)]
[2019/06/12 14:34:41.521510, 4] ../source4/auth/sam.c:183(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user account1
The other one fails:
[2019/06/12 15:09:56.215000, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2019/06/12 15:09:56.217871, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2019/06/12 15:09:56.217941, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
I get the same failure when I try it against the primary DC (Samba
4.0.9) and the replica (Samba 4.5.16) which I've deployed as a
soon-to-be replacement.
All credentials are valid as I can log in to the domain with both.
Both accounts, as far as I can tell, look identical from an AD perspective.
The only difference that I can spot is when I run:
  ldapsearch -D 'account@matrixscience.co.uk' -b 'cn=Users,dc=matrixscience,dc=co,dc=uk' -H ldap://dc15 -W sAMAccountName=account
The responses are successful and identical apart from these 2 lines:
msDS-SupportedEncryptionTypes: 0
msSFU30Name: account2
which only appear for the second (problematic) account.
Any idea what the second account is missing?
The difference in my opinion must be restricted to what's replicated
between domain controllers.
Thanks,
Adam
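The comparison Adam did by eye (two ldapsearch results that are identical apart from a couple of attributes) is worth automating when the account set is larger than two. The script below is an added example, not code from the post or from the Samba project: it parses two LDIF blobs as ldapsearch prints them, reports every attribute whose values differ while ignoring the naming attributes that are expected to differ, and decodes msDS-SupportedEncryptionTypes using the bit flags documented in MS-KILE. The two LDIF samples are constructed to mirror the post (the attribute values other than the two quoted lines are placeholders).

```python
"""Diff two ldapsearch LDIF results to spot attribute differences between accounts."""
from typing import Dict, List, Tuple

# Constructed LDIF, modelled on the two ldapsearch runs in the post.
# Only msDS-SupportedEncryptionTypes and msSFU30Name are taken from the post;
# everything else is placeholder data.
ACCOUNT1_LDIF = """\
dn: CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk
objectClass: user
sAMAccountName: account1
userAccountControl: 512
# search result
"""

ACCOUNT2_LDIF = """\
dn: CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk
objectClass: user
sAMAccountName: account2
userAccountControl: 512
msDS-SupportedEncryptionTypes: 0
msSFU30Name: account2
"""

# Bit flags of msDS-SupportedEncryptionTypes as documented in MS-KILE.
ENC_TYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

# Attributes that legitimately differ between two distinct accounts.
NAMING_ATTRS = {"dn", "cn", "name", "distinguishedName", "sAMAccountName"}


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single-entry LDIF blob into {attribute: [values]}.

    Folded continuation lines (leading space) are re-joined and comment
    lines are skipped. Base64 values ("attr:: ...") are kept as the raw
    encoded string, which is sufficient for an equality comparison.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in logical:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.lstrip()
        if value.startswith(":"):
            value = value[1:].lstrip()
        entry.setdefault(name, []).append(value)
    return entry


def diff_entries(a: Dict[str, List[str]],
                 b: Dict[str, List[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {attr: (values_in_a, values_in_b)} for every non-naming attribute
    whose value set differs between the two entries."""
    differences = {}
    for attr in sorted(set(a) | set(b)):
        if attr in NAMING_ATTRS:
            continue
        va, vb = a.get(attr, []), b.get(attr, [])
        if sorted(va) != sorted(vb):
            differences[attr] = (va, vb)
    return differences


def decode_enc_types(value: str) -> List[str]:
    """Name the Kerberos encryption types selected by an
    msDS-SupportedEncryptionTypes value; an empty list means no flag is set."""
    bits = int(value)
    return [name for flag, name in ENC_TYPE_FLAGS.items() if bits & flag]


def report(a_text: str, b_text: str) -> List[str]:
    """Human-readable summary of the differences between two LDIF entries."""
    lines = []
    for attr, (va, vb) in diff_entries(parse_ldif(a_text), parse_ldif(b_text)).items():
        lines.append(f"{attr}: first={va or '<absent>'} second={vb or '<absent>'}")
        if attr == "msDS-SupportedEncryptionTypes":
            for v in vb or va:
                lines.append(f"  decoded {v}: {decode_enc_types(v) or 'no encryption-type flags set'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ACCOUNT1_LDIF, ACCOUNT2_LDIF)))
```

Run against real data by capturing each `ldapsearch` invocation to a file and passing the two file contents to `report()`; the naming attributes to skip can be extended in `NAMING_ATTRS` if your directory sets additional per-account identifiers.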