[Samba] authentication failures

Adam Weremczuk adamw at matrixscience.com
Fri Jun 14 12:08:19 UTC 2019


Hi Rowland,

Even with an exactly identical smb.conf file, the behavior hasn't changed.

LDAP browser (http://directory.apache.org/studio/) helped a bit and 
allowed me to see a more specific error:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: 
AcceptSecurityContext error, data 52e, v1db1]

After a bit of research I've managed to connect using 
"account@domain.co.uk" format in "Bind credentials" username.

This is not mentioned in the pfSense-LDAP troubleshooting guide 
(https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html).

To recap the situation I'm in regarding "Bind credentials" and Samba DC 
versions:

**account@domain.co.uk**   ---> this works for both 4.0.9 and 4.5.16
**DOMAIN.CO.UK\account**   ---> this works for 4.0.9 but not 4.5.16
**CN=account,CN=Users,DC=domain,DC=co,DC=uk**   ---> this works for both 
4.0.9 and 4.5.16 for some users but not for some others. I haven't been 
able to find a pattern and all test users look identical to me from an AD 
perspective.

I can consider my issue solved but wouldn't mind getting to the bottom 
of it if anybody has any suggestions.

Thanks,
Adam


On 13/06/19 16:17, Rowland penny via samba wrote:
> On 13/06/2019 16:05, Adam Weremczuk via samba wrote:
>> I got authentication (bind credentials) working for account2 on the 
>> old DC (Samba 4.0.9):
>>
>> CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
>> CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
>> MATRIXSCIENCE.CO.UK\account1 ---> OK
>> MATRIXSCIENCE.CO.UK\account2 ---> OK
>>
>> but it's still failing on the new DC (Samba 4.5.16):
>>
>> CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
>> CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
>> MATRIXSCIENCE.CO.UK\account1 ---> FAIL
>> MATRIXSCIENCE.CO.UK\account2 ---> FAIL
>>
>> I suspected this might be due to some difference in smb.conf files on 
>> both controllers.
>> They are now almost identical to no joy and I'm running out of ideas...
>>
> Try posting the smb.conf files here, we may be able to spot something.
>
> It might also help if you can show how pfsense is trying to connect to 
> AD.
>
> Rowland
>
>
>
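
Added example (not part of the original message, and not Samba or pfSense code): a Python helper that parses the AD-style bind error quoted in the message, maps its `data` sub-code to the documented meaning, and classifies a bind name as DN, down-level or UPN. The sub-code table and the NetBIOS-name note are general Active Directory facts, not a confirmed cause of the behaviour in this thread; the function names are hypothetical.

```python
import re

# Sub-codes that AD-style servers put in the "data" field of LDAP error 49
# (hex Windows logon error codes).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

ERR_RE = re.compile(
    r"error code (?P<code>\d+) - (?P<win>[0-9A-Fa-f]{8}): LdapErr: "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.+?), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

def parse_bind_error(text):
    """Extract the fields of an AD-style bind error; None if it does not match."""
    m = ERR_RE.search(" ".join(text.split()))  # undo mail/log line wrapping
    if not m:
        return None
    fields = m.groupdict()
    fields["data"] = fields["data"].lower()
    fields["meaning"] = AD_BIND_SUBCODES.get(fields["data"], "unknown sub-code")
    return fields

def classify_bind_name(name):
    """Return (format, note) for the identity supplied as the bind user."""
    if re.match(r"\s*[A-Za-z][\w-]*=", name):      # attribute=value => DN
        return "dn", ""
    if "\\" in name:                                # DOMAIN\user
        domain = name.split("\\", 1)[0]
        note = ("domain part is a DNS name; the down-level format is defined "
                "with the NetBIOS domain name") if "." in domain else ""
        return "down-level", note
    if "@" in name:                                 # user@realm
        return "upn", ""
    return "bare", ""

# Error text as quoted in the message, including its line wrap.
SAMPLE_ERROR = """[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 52e, v1db1]"""

if __name__ == "__main__":
    print(parse_bind_error(SAMPLE_ERROR))
    print(classify_bind_name("DOMAIN.CO.UK\\account"))
```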



