[Samba] Wrong password, Win10 not using SMB3_11?

Harald Hannelius harald+samba at arcada.fi
Tue Jun 16 11:41:31 UTC 2020 


I have Samba AD-domain with two fileservers and two Samba DS-servers. Most 
people can authenticate OK, but one user always gets "wrong password".

I tried changing this user's password, and was able to connect by using 
smbclient, and I was also able to map this drive using the user's username 
and password on my own windows 10 workstation.

Also;

# wbinfo -a username
Enter username's password:
plaintext password authentication succeeded
Enter username's password:
challenge/response password authentication succeeded

But the user's Windows 10 workstation always fails with wrong password.

When trying to compare the wealth of data in the logs, the succeeding 
mapping goes along the lines of

[2020/06/16 14:00:37.688035,  3, pid=193148, effective(0, 0), real(0, 0), 
class=smb2] ../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_proces
s_negprot)
   Selected protocol SMB3_11

Followed by Kerberos this and that and a success.

When connecting from the failing workstation (I now suspect it's the 
workstation) which BTW is on OpenVPN, the logs look like this;

[2020/06/16 13:48:57.546741,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [PC NETWORK PROGRAM 1.0]
[2020/06/16 13:48:57.546788,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [LANMAN1.0]
[2020/06/16 13:48:57.546809,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [Windows for Workgroups 3.1a]
[2020/06/16 13:48:57.546827,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [LM1.2X002]
[2020/06/16 13:48:57.546851,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [LANMAN2.1]
[2020/06/16 13:48:57.546881,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [NT LM 0.12]
[2020/06/16 13:48:57.546905,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [SMB 2.002]
[2020/06/16 13:48:57.546927,  3, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/negprot.c:636(reply_negprot)
   Requested protocol [SMB 2.???]
[2020/06/16 13:48:57.546949, 10, pid=192951, effective(0, 0), real(0, 0)] 
../source3/lib/util.c:1208(set_remote_arch)
   set_remote_arch: Client arch is 'UNKNOWN'
[2020/06/16 13:48:57.547000,  6, pid=192951, effective(0, 0), real(0, 0)] 
../source3/param/loadparm.c:2336(lp_file_list_changed)

[2020/06/16 13:48:57.547406,  3, pid=192951, effective(0, 0), real(0, 0), 
class=smb2] ../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_ne
gprot)
   Selected protocol SMB2_FF

[2020/06/16 13:49:02.120489, 10, pid=192951, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth_winbind.c:51(check_winbind_security)
   Check auth for: [username]
[2020/06/16 13:49:02.120503,  4, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2020/06/16 13:49:02.120525,  4, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/uid.c:581(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2020/06/16 13:49:02.120587,  4, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2020/06/16 13:49:02.120602,  5, pid=192951, effective(0, 0), real(0, 0)] 
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2020/06/16 13:49:02.120629,  5, pid=192951, effective(0, 0), real(0, 0)] 
../source3/auth/token_util.c:866(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2020/06/16 13:49:02.124191,  4, pid=192951, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/06/16 13:49:02.124217, 10, pid=192951, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth_winbind.c:106(check_winbind_security)
   check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2020/06/16 13:49:02.124248,  5, pid=192951, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password)
   auth_check_ntlm_password: winbind authentication for user [username] 
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/06/16 13:49:02.124279,  2, pid=192951, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth.c:334(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [username] -> [username] 
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/06/16 13:49:02.124311,  2, pid=192951, effective(0, 0), real(0, 0)] 
../auth/auth_log.c:610(log_authentication_event_human_readable)
   Auth: [SMB2,(null)] user [SAD]\[username] at [Tue, 16 Jun 2020 
13:49:02.124298 EEST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] 
workstation [HP840-017] remote host [ipv6:xxx:xxx:xxx:36::100b:58502] 
mapped to [SAD]\[username]. local host [ipv6:xxx:xxx:xxx:xxx::3:445]


What could cause the workstation to not try to authenticate using Kerberos? 
Am I right in my assumption on where it goes wrong?

Thanks


-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020

More information about the samba mailing list