[Samba] authentication failures
Adam Weremczuk
adamw at matrixscience.com
Thu Jun 13 15:05:27 UTC 2019
I got authentication (bind credentials) working for account2 on the old
DC (Samba 4.0.9):
CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
MATRIXSCIENCE.CO.UK\account1 ---> OK
MATRIXSCIENCE.CO.UK\account2 ---> OK
but it's still failing on the new DC (Samba 4.5.16):
CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
MATRIXSCIENCE.CO.UK\account1 ---> FAIL
MATRIXSCIENCE.CO.UK\account2 ---> FAIL
I suspected this might be due to some difference in smb.conf files on
both controllers.
They are now almost identical to no joy and I'm running out of ideas...
On 13/06/19 09:26, Adam Weremczuk wrote:
>
> Hi all,
>
> I'm trying to make pfSense talk to Samba AD LDAP through "bind
> credentials to resolve distinguished names" option.
>
> One of them successfully connects (Samba logs):
>
> [2019/06/12 14:34:41.517364, 3]
> ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2019/06/12 14:34:41.520731, 3]
> ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
> auth_check_password_send: Checking password for unmapped user
> [MATRIX_SCIENCE]\[account1]@[(null)]
> auth_check_password_send: mapped user is:
> [MATRIX_SCIENCE]\[account1]@[(null)]
> [2019/06/12 14:34:41.521510, 4]
> ../source4/auth/sam.c:183(authsam_account_ok)
> authsam_account_ok: Checking SMB password for user account1
>
> The other one fails:
>
> [2019/06/12 15:09:56.215000, 3]
> ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2019/06/12 15:09:56.217871, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'ldapsrv_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2019/06/12 15:09:56.217941, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[ldapsrv_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> I get the same failure when I try it against the primary DC (Samba
> 4.0.9) and the replica (Samba 4.5.16) which I've deployed as a
> soon-to-be replacement.
>
> All credentials are valid as I can log in to the domain with both.
>
> Both accounts, as far as I can tell, look identical from AD perspective.
>
> The only difference that I can spot is when I run "ldapsearch -D
> 'account@matrixscience.co.uk' -b
> 'cn=Users,dc=matrixscience,dc=co,dc=uk' -H ldap://dc15 -W
> sAMAccountName=account"
>
> The responses are successful and identical apart from these 2 lines:
>
> msDS-SupportedEncryptionTypes: 0
> msSFU30Name: account2
>
> which only appear for the second (problematic) account.
>
> Any idea what the second account is missing?
>
> The difference in my opinion must be restricted to what's replicated
> between domain controllers.
>
> Thanks,
> Adam
>
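The per-account attribute comparison the thread does by eye, as an added example that is not from the thread or from Samba: it parses two ldapsearch LDIF results (folded lines and base64 `::` values included) and reports every attribute whose value set differs, ignoring attributes that are expected to differ between accounts. The LDIF entries below are constructed samples shaped like the thread's results.

```python
import base64
from collections import defaultdict
# Constructed sample input, not real ldapsearch output: two trimmed LDIF entries,
# the second carrying the two attributes only the failing account showed.
LDIF_ACCOUNT1 = """\
dn: CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk
objectClass: user
sAMAccountName: account1
memberOf: CN=Domain Users,CN=Users,DC=matrixscience,
 DC=co,DC=uk
"""
LDIF_ACCOUNT2 = """\
dn: CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk
objectClass: user
sAMAccountName: account2
memberOf: CN=Domain Users,CN=Users,DC=matrixscience,DC=co,DC=uk
msDS-SupportedEncryptionTypes: 0
msSFU30Name:: YWNjb3VudDI=
"""
# Attributes that legitimately differ between any two accounts.
IDENTITY_ATTRS = {"dn", "sAMAccountName", "userPrincipalName", "cn", "name"}

def parse_ldif(text):
    """One LDIF entry -> {attribute: set(values)}. Unfolds continuation
    lines, decodes '::' base64 values, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849 line folding
        else:
            lines.append(raw)
    attrs = defaultdict(set)
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs[name].add(value.strip())
    return dict(attrs)

def diff_entries(a, b, ignore=IDENTITY_ATTRS):
    """{attr: (values_in_a, values_in_b)} where value sets differ; an
    attribute missing on one side shows as an empty set."""
    keys = (set(a) | set(b)) - set(ignore)
    return {k: (a.get(k, set()), b.get(k, set()))
            for k in keys if a.get(k, set()) != b.get(k, set())}
```

Run it on the full ldapsearch output of both accounts from each DC; attributes that differ only on the replica point at what did or did not replicate.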