[Samba] Samba update cause windows incorrect password

Enrico Morelli morelli at cerm.unifi.it
Fri Apr 24 13:55:37 UTC 2020


On Fri, 24 Apr 2020 14:26:36 +0100
Rowland penny via samba <samba at lists.samba.org> wrote:

> On 24/04/2020 14:02, Enrico Morelli wrote:
> > On Fri, 24 Apr 2020 13:15:57 +0100
> > Rowland penny via samba <samba at lists.samba.org> wrote:
> >  
> >> On 24/04/2020 12:32, Enrico Morelli via samba wrote:  
> >>> On Fri, 24 Apr 2020 11:59:23 +0100
> >>> Rowland penny via samba <samba at lists.samba.org> wrote:
> >>>     
> >>>> On 24/04/2020 11:38, Enrico Morelli via samba wrote:  
> >>>>> On Thu, 23 Apr 2020 08:08:39 +1200
> >>>>> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> >>>>>        
> >>>>>> On Wed, 2020-04-22 at 20:01 +0100, Rowland penny via samba
> >>>>>> wrote:  
> >>>>>>> On 22/04/2020 19:25, Enrico Morelli via samba wrote:  
> >>>>>>>>> On 22/04/2020 16:06, Enrico Morelli via samba wrote:  
> >>>>>>>>>> Dear,
> >>>>>>>>>>
> >>>>>>>>>> on my Debian system I upgraded Samba from 4.5.16 to 4.9.5.
> >>>>>>>>>> My samba
> >>>>>>>>>> server is configured as domain controller.
> >>>>>>>>>>
> >>>>>>>>>> Now a strange thing happens. From a Windows 10 client I'm
> >>>>>>>>>> able to login
> >>>>>>>>>> with a domain user without problem. But if I logout and try
> >>>>>>>>>> to enter
> >>>>>>>>>> the password for the same user, Windows tells me that the
> >>>>>>>>>> password is
> >>>>>>>>>> incorrect.
> >>>>>>>>>>
> >>>>>>>>>> To be able to log in, I've to select Other User, enter
> >>>>>>>>>> username and
> >>>>>>>>>> password and all works fine. But if I logout and enter the
> >>>>>>>>>> same password, Windows tells me "Incorrect password".
> >>>>>>>>>>            
> >>>>>>> Apart from multiple default lines, there doesn't seem to be
> >>>>>>> anything really
> >>>>>>> wrong with your smb.conf, so it looks like this could be yet
> >>>>>>> another reason to not use Windows 10 with an NT4-style PDC.
> >>>>>>>
> >>>>>>> You could try raising the log level, add 'log level = 10' to
> >>>>>>> the smb.conf and restart Samba, but beware, this will lead to
> >>>>>>> a lot of output.  
> >>>>>> Thanks Rowland.  This is the right approach.  Once we get that,
> >>>>>> we should be (even log level 5 would show it) able to work out
> >>>>>> what username form was being sent in both cases, and see if we
> >>>>>> can map between them.
> >>>>>>
> >>>>>> Andrew Bartlett
> >>>>>>        
> >>>>> I'd set the log level to 5 and a strange thing happens:
> >>>>>
> >>>>> SAM Logon (Interactive). Domain:[CERMDOMAIN].
> >>>>> User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]
> >>>>> [2020/04/24 12:04:50.144675,
> >>>>> 5] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1628(_netr_LogonSamLogon_base)
> >>>>> Attempting validation level 3 for unmapped username visitor2.
> >>>>> [2020/04/24 12:04:50.144698,
> >>>>> 5] ../source3/auth/auth.c:412(load_auth_module)
> >>>>> load_auth_module: Attempting to find an auth method to match
> >>>>> sam_netlogon3 [2020/04/24 12:04:50.144715,
> >>>>> 5] ../source3/auth/auth.c:437(load_auth_module)
> >>>>> load_auth_module: auth method sam_netlogon3 has a valid init
> >>>>> [2020/04/24 12:04:50.144729,
> >>>>> 5] ../source3/auth/auth.c:412(load_auth_module)
> >>>>> load_auth_module: Attempting to find an auth method to match
> >>>>> winbind [2020/04/24 12:04:50.144743,
> >>>>> 5] ../source3/auth/auth.c:437(load_auth_module)
> >>>>> load_auth_module: auth method winbind has a valid init
> >>>>> [2020/04/24 12:04:50.144894,
> >>>>> 5] ../source3/auth/auth_util.c:122(make_user_info_map) Mapping
> >>>>> user [DOMAIN]\[visitor2] from workstation [STUDENTI2]
> >>>>> [2020/04/24 12:04:50.144910,
> >>>>> 5] ../source3/auth/user_info.c:64(make_user_info) attempting to
> >>>>> make a user_info for visitor2 (visitor2) [2020/04/24
> >>>>> 12:04:50.144962,
> >>>>> 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
> >>>>> check_ntlm_password:  Checking password for unmapped user
> >>>>> [DOMAIN]\[visitor2]@[STUDENTI2] with the new password interface
> >>>>> [2020/04/24 12:04:50.144978,
> >>>>> 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
> >>>>> check_ntlm_password:  mapped user is:
> >>>>> [DOMAIN]\[visitor2]@[STUDENTI2] [2020/04/24 12:04:50.145020,
> >>>>> 5] ../source3/auth/auth_sam.c:162(auth_sam_netlogon3_auth)
> >>>>> auth_sam_netlogon3_auth: DOMAIN is not our domain name (DC for
> >>>>> CERMDOMAIN) 2020/04/24 12:04:50.145228,
> >>>>> 5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
> >>>>> auth_check_ntlm_password: winbind authentication for user
> >>>>> [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER,
> >>>>> authoritative=0 [2020/04/24 12:04:50.145246,
> >>>>> 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
> >>>>> check_ntlm_password:  Authentication for user [visitor2] ->
> >>>>> [visitor2] FAILED with error NT_STATUS_NO_SUCH_USER,
> >>>>> authoritative=0 [2020/04/24 12:04:50.145276,
> >>>>> 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
> >>>>> Auth: [SamLogon,(null)] user [DOMAIN]\[visitor2] at [Fri, 24
> >>>>> Apr 2020 12:04:50.145263 CEST] with [Supplied-NT-Hash] status
> >>>>> [NT_STATUS_NO_SUCH_USER] workstation [STUDENTI2] remote host
> >>>>> [ipv4:192.168.100.12:51475] mapped to [DOMAIN]\[visitor2].
> >>>>> local host [ipv4:192.168.100.27:445]
> >>>>>
> >>>>>
> >>>>> Seems like the studenti2 PC is in a wrong domain, but I checked
> >>>>> that and it is on the correct CERMDOMAIN domain.
> >>>>> In the past we had an old samba server that served as DC for
> >>>>> DOMAIN domain. But now, all the machines are configured to use
> >>>>> the new domain and before the update all worked fine.
> >>>>>
> >>>>> I'm very confused because this is the behavior of all the
> >>>>> windows 10 machines in the domain.
> >>>>>
> >>>>> I also tried to remove the studenti2 machine from the domain and
> >>>>> put it again without any result.
> >>>>>        
> >>>> Problem is that you posted this in your smb.conf:
> >>>>
> >>>>        workgroup = DOMAIN
> >>>>
> >>>> Is the 'DOMAIN' actually 'CERMDOMAIN' ? or is it something else ?
> >>>>
> >>>> Rowland  
> >>> The actual domain is CERMDOMAIN. Sorry.  
> >> OK, at the top of your log fragment is this:
> >>
> >> SAM Logon (Interactive). Domain:[CERMDOMAIN].
> >> User:[visitor2 at STUDENTI2] Requested Domain:[DOMAIN]
> >>
> >> So, your actual Domain is 'CERMDOMAIN', but the Win 10 machine
> >> seems to be sending 'DOMAIN', which isn't 'CERMDOMAIN', is this
> >> correct ?
> >>
> >> If it is, then the problem seems to be a Windows one, it doesn't
> >> look like it is sending the correct data. Do you recognise what
> >> 'DOMAIN' is ? Is it the dns domain ? or the name of the computer ?
> >>
> >> Rowland
> >>  
> > Really I don't know. It isn't a dns domain nor the computer name
> > (it's studenti2). DOMAIN is the domain I used before CERMDOMAIN,
> > but I had no problem before the update. Really I don't understand,
> > because as I wrote, if I login the user after a reboot I'm able to
> > enter, but if I logout the user and try to re-enter I receive
> > Incorrect password. So I've to enter as Other user and with the
> > same username and password I'm able to enter. I'm going crazy.
> >
> >  
> How are you logging in to Windows 10 ?
> 
> Is it 'CERMDOMAIN\username' or 'username' ?
> 
> Rowland
> 
> 
> 
I shared some pictures.
This is the login page, as you see the domain seems to be correct
https://drive.google.com/open?id=1cA-9Y90mbXpU8p7_T28WsV4fcLbqa7-J

After entering username and password, I'm able to login:
https://drive.google.com/open?id=1cABgFwpmQ3X79Ju0DtsmLKcp8n403h7W

I check the domain of the computer and it seems to be ok:
https://drive.google.com/open?id=1boRTqeUa_09EZ9qeyot7wObFkrNpMCTJ

I logout the user or lock the screen and try to re-enter:
https://drive.google.com/open?id=1bxk-YUqUw9euPs3KXJgTAya3LAIsdUUB

Enter the password and et voilà the error:
https://drive.google.com/open?id=1bx9xOoZ3zOWkSR73ZNcxsbOz_SVc7vPz
-- 
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------


