[Samba] authentication failures

Adam Weremczuk adamw at matrixscience.com
Thu Jun 13 15:05:27 UTC 2019


I got authentication (bind credentials) working for account2 on the old 
DC (Samba 4.0.9):

CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
MATRIXSCIENCE.CO.UK\account1 ---> OK
MATRIXSCIENCE.CO.UK\account2 ---> OK

but it's still failing on the new DC (Samba 4.5.16):

CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
MATRIXSCIENCE.CO.UK\account1 ---> FAIL
MATRIXSCIENCE.CO.UK\account2 ---> FAIL

I suspected this might be due to some difference in smb.conf files on 
both controllers.
They are now almost identical, to no joy, and I'm running out of ideas...


On 13/06/19 09:26, Adam Weremczuk wrote:
>
> Hi all,
>
> I'm trying to make pfSense talk to Samba AD LDAP through "bind 
> credentials to resolve distinguished names" option.
>
> One of them successfully connects (Samba logs):
>
> [2019/06/12 14:34:41.517364,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2019/06/12 14:34:41.520731,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
>   auth_check_password_send: Checking password for unmapped user [MATRIX_SCIENCE]\[account1]@[(null)]
>   auth_check_password_send: mapped user is: [MATRIX_SCIENCE]\[account1]@[(null)]
> [2019/06/12 14:34:41.521510,  4] ../source4/auth/sam.c:183(authsam_account_ok)
>   authsam_account_ok: Checking SMB password for user account1
>
> The other one fails:
>
> [2019/06/12 15:09:56.215000,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2019/06/12 15:09:56.217871,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2019/06/12 15:09:56.217941,  3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> I get the same failure when I try it against the primary DC (Samba 
> 4.0.9) and the replica (Samba 4.5.16) which I've deployed as a 
> soon-to-be replacement.
>
> All credentials are valid as I can log in to the domain with both.
>
> Both accounts, as far as I can tell, look identical from AD perspective.
>
> The only difference that I can spot is when I run "ldapsearch -D 'account@matrixscience.co.uk' -b 'cn=Users,dc=matrixscience,dc=co,dc=uk' -H ldap://dc15 -W sAMAccountName=account"
>
> The responses are successful and identical apart from these 2 lines:
>
> msDS-SupportedEncryptionTypes: 0
> msSFU30Name: account2
>
> which only appear for the second (problematic) account.
>
> Any idea what the second account is missing?
>
> The difference in my opinion must be restricted to what's replicated 
> between domain controllers.
>
> Thanks,
> Adam
>
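As an added example (not code from the original thread), a small Python helper that does mechanically what the post does by eye: parse two ldapsearch responses in LDIF form and report only the attributes whose values differ, ignoring per-object identity attributes. The two sample entries are constructed, and the set of identity attributes to skip is my assumption.

```python
import base64
import re

# Constructed sample: two trimmed ldapsearch (LDIF) responses in the shape the
# post describes; everything other than the two extra attributes is made up.
LDIF_ACCOUNT1 = """\
dn: CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk
sAMAccountName: account1
memberOf: CN=Domain Users,CN=Users,DC=matrixscience,DC=co,DC=uk
"""
LDIF_ACCOUNT2 = """\
dn: CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk
sAMAccountName: account2
memberOf: CN=Domain Users,CN=Users,DC=matrixscience,DC=co,
 DC=uk
msDS-SupportedEncryptionTypes: 0
msSFU30Name: account2
"""
# Assumed list of per-object attributes that always differ and say nothing about auth.
IDENTITY_ATTRS = frozenset({"dn", "cn", "name", "distinguishedName", "sAMAccountName",
                            "objectGUID", "objectSid", "uSNChanged", "whenChanged"})

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}: unfold ' ' continuation lines, skip '#' comments, decode 'attr::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: append without the leading space
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not (m := re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)):
            raise ValueError(f"unparseable LDIF line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::":               # ldapsearch emits binary values (objectSid, ...) base64-encoded
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value)
    return attrs

def diff_entries(a, b, ignore=IDENTITY_ATTRS):
    """Return {attr: (values_in_a, values_in_b)} for differing attributes; [] means absent on that side."""
    out = {}
    for name in sorted((set(a) | set(b)) - ignore):
        va, vb = sorted(a.get(name, [])), sorted(b.get(name, []))
        if va != vb:
            out[name] = (va, vb)
    return out
```

Running `diff_entries(parse_ldif(LDIF_ACCOUNT1), parse_ldif(LDIF_ACCOUNT2))` on the sample leaves exactly the two attributes the post singles out, with the folded memberOf value correctly treated as identical.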
