[Samba] Samba update cause windows incorrect password

Rowland penny rpenny at samba.org
Fri Apr 24 10:59:23 UTC 2020 

On 24/04/2020 11:38, Enrico Morelli via samba wrote:
> On Thu, 23 Apr 2020 08:08:39 +1200
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
>> On Wed, 2020-04-22 at 20:01 +0100, Rowland penny via samba wrote:
>>> On 22/04/2020 19:25, Enrico Morelli via samba wrote:
>>>>> On 22/04/2020 16:06, Enrico Morelli via samba wrote:
>>>>>> Dear,
>>>>>>
>>>>>> on my debian system I upgraded samba from 4.5.16 to 4.9.5. My
>>>>>> samba
>>>>>> server is configured as domain controller.
>>>>>>
>>>>>> Now happens a strange thing. From a windows 10 client I'm able
>>>>>> to login
>>>>>> with a domain user without problem. But if I logout and try to
>>>>>> enter
>>>>>> the password for the same user, Windows tells me that the
>>>>>> password is
>>>>>> incorrect.
>>>>>>
>>>>>> To be able to loing, I've to select Other User, enter username
>>>>>> and
>>>>>> password and all works fine. But if I logout and enter the
>>>>>> same password, Windows tells me "Incorrect password".
>>>>>>    
>>> Apart from multiple default lines, there doesn't seem to anything
>>> really
>>> wrong with your smb.conf, so it looks like this could be yet
>>> another reason to not use Windows 10 with an NT4-style PDC.
>>>
>>> You could try raising the log level, add 'log level = 10' to the
>>> smb.conf and restart Samba, but beware, this will lead to a lot of
>>> output.
>> Thanks Rowland.  This is the right approach.  Once we get that, we
>> should be (even log level 5 would show it) able to work out what
>> username form was being sent in both cases, and see if we can map
>> between them.
>>
>> Andrew Bartlett
>>
> I'd set the loglevel to 5 and happens a strange thing:
>
> SAM Logon (Interactive). Domain:[CERMDOMAIN].
> User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]
> [2020/04/24 12:04:50.144675,
> 5] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1628(_netr_LogonSamLogon_base)
> Attempting validation level 3 for unmapped username visitor2.
> [2020/04/24 12:04:50.144698,
> 5] ../source3/auth/auth.c:412(load_auth_module) load_auth_module:
> Attempting to find an auth method to match sam_netlogon3 [2020/04/24
> 12:04:50.144715,  5] ../source3/auth/auth.c:437(load_auth_module)
> load_auth_module: auth method sam_netlogon3 has a valid init
> [2020/04/24 12:04:50.144729,
> 5] ../source3/auth/auth.c:412(load_auth_module) load_auth_module:
> Attempting to find an auth method to match winbind [2020/04/24
> 12:04:50.144743,  5] ../source3/auth/auth.c:437(load_auth_module)
> load_auth_module: auth method winbind has a valid init [2020/04/24
> 12:04:50.144894,
> 5] ../source3/auth/auth_util.c:122(make_user_info_map) Mapping user
> [DOMAIN]\[visitor2] from workstation [STUDENTI2] [2020/04/24
> 12:04:50.144910,  5] ../source3/auth/user_info.c:64(make_user_info)
> attempting to make a user_info for visitor2 (visitor2)
> [2020/04/24 12:04:50.144962,
> 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
> check_ntlm_password:  Checking password for unmapped user
> [DOMAIN]\[visitor2]@[STUDENTI2] with the new password interface
> [2020/04/24 12:04:50.144978,
> 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
> check_ntlm_password:  mapped user is: [DOMAIN]\[visitor2]@[STUDENTI2]
> [2020/04/24 12:04:50.145020,
> 5] ../source3/auth/auth_sam.c:162(auth_sam_netlogon3_auth)
> auth_sam_netlogon3_auth: DOMAIN is not our domain name (DC for
> CERMDOMAIN)
> 2020/04/24 12:04:50.145228,
> 5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
> auth_check_ntlm_password: winbind authentication for user [visitor2]
> FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0 [2020/04/24
> 12:04:50.145246,
> 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
> check_ntlm_password:  Authentication for user [visitor2] -> [visitor2]
> FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0 [2020/04/24
> 12:04:50.145276,
> 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
> Auth: [SamLogon,(null)] user [DOMAIN]\[visitor2] at [Fri, 24 Apr 2020
> 12:04:50.145263 CEST] with [Supplied-NT-Hash] status
> [NT_STATUS_NO_SUCH_USER] workstation [STUDENTI2] remote host
> [ipv4:192.168.100.12:51475] mapped to [DOMAIN]\[visitor2]. local host
> [ipv4:192.168.100.27:445]
>
>
> Seems like the studenti2 PC is in a wrong domain, but I checked that and
> it is on the correct CERMDOMAIN domain.
> In the past we had an old samba server that served as DC for DOMAIN
> domain. But now, all the machine are configured to use the new domain
> and before the update all worked fine.
>
> I'm very confused because this is the behavior of all the windows 10
> machines in the domain.
>
> I also tried to remove the studenti2 machine from the domain and
> put it again without any result.
>
Problem is that you posted this in your smb.conf:

     workgroup = DOMAIN

Is the 'DOMAIN' actually 'CERMDOMAIN' ? or is it something else ?

Rowland

More information about the samba mailing list