[Samba] Multi-homed Samba 4 file server on Samba 4 AD domain - cross network authentication

David Lomax dave at davidlomax.co.uk
Wed May 13 17:52:09 UTC 2020

Hi all,

I have a question about a multi-homed Samba file server and interoperability
with AD.  It's a bit complicated, so please bear with me.

I've been running Samba 4.11.6 as an AD server (two DCs) for a while (in
RFC2307 mode) in a mixed Windows/Linux environment.  I have a server running
Proxmox (Debian) with Samba 4.9.5 and it is sharing my huge ZFS volume via
Samba to Windows clients.  Windows 7 clients on the same LAN log on to the
Domain and can easily map a network drive to the Proxmox file server and
everything works fine - they connect automatically using the domain
credentials.  After some pain, all of the permissions work ok.  This regular
gigabit Ethernet network is

Now I work with some huge video files on my Windows 7 workstation and I want
to send them to my Proxmox file server using 10 Gigabit (10G BASE-T) cards,
but I don't have a 10 Gig switch.  So I put the cards in the server and
workstation and I configured ISC DHCP Server on the Proxmox server for the
10G adapters only, so the special workstation client gets an IP address from
it.  They can ping each other, and I have set jumbo packets and all the
usual optimisations.  No Gateway or DNS is configured for this network.
This mini 10G network is

I configured Samba on the file server to listen on both the normal 1G and
the 10G networks.  File sharing on the normal network continues to work
fine.  The special Windows 7 client continues to access the file share over
the normal network.  

The problem is I cannot map a network drive using the 10G IP address,
because it asks for a username/password and authentication fails.  I have
tried the domain username/password, and I have tried local Linux accounts
(even root!) but I always get "The specified network password is not
correct", which shows as access denied in the Samba logs (see below).

	C:\Users\lomaxd>net use x: \\\fs$ /user:NSA\lomaxd
	Enter the password for 'NSA\lomaxd' to connect to '':
	System error 86 has occurred.

	The specified network password is not correct.

I think what is happening is that the file server for some reason cannot
authenticate the username/password because the request comes from a
different network to the one having the Domain Controllers.  I tried
changing the provider order (network routing priority) on the Windows 7
client, but it makes no difference.   Does anyone have any ideas how to get
Samba to authenticate the request from the 2nd network?

Things I have tried:
	. Mapping the drive by IP address ( on the Windows 7
	. I tried authenticating with the domain admin username/password, as
well as local Linux accounts (even root!) but I always get access denied.
	. I tried by listing both adapters explicitly in
smb.conf/interfaces, and also by putting a wider subnet (
instead for interfaces.
	.Using static IP addresses (instead of a DHCP server)
	.Ping and SSH work on the 10G network

Below you can see the topology and configuration:

The normal network looks like this, which includes the following machines:

1 Gb 'normal' LAN:
	.   pfSense, with internal AD domain DNS delegated to
	.   DC1, running Samba 4
	.   DC2, running Samba 4
	.   Proxmox, also used as my monster file server
running the default version of Samba (3.x).  This machine also has a 10G
	.   Windows 7 client, with mapped network drives to
the Proxmox machine.  This machine also has a 10G card.

10 Gb 'fast' LANL:
	.  Proxmox file server (same machine as
	.  Windows 7 client trying to access files from above
server.  (same machine as

I should mention that 3 Bridges are also defined manually on the Proxmox
	. vmbr0: This unifies the Gigabit Ethernet ports (normal network)
	. vmbr1: This unifies the 10 Gigabit Ethernet ports (fast network)
	. vmbr2: This is a private host-only subnet for the VMs on the box -

Below, here are my logs and configuration files.  It's all very long, so
I'll close here.

I would very much appreciate some advice on whether it is possible to
authenticate against a Domain Controller on a different network to the
client.  I'm sure I had it working once, but I don't understand the bad
password error I get now.

Thank you all very much in advance, for reading this far! :-)



In /var/log/samba/wb-NSA:

	[2020/05/13 13:44:49.104704,  2]
	  NTLM CRAP authentication for user [NSA]\[lomaxd] returned

In /var/log/samba/wb-VULCAN:

	[2020/05/13 13:46:46.802888,  2]
	  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

In /var/log/samba/log.

	[2020/05/13 16:28:04.650026,  2]
	  Processing section "[fs$]"
	 [2020/05/13 16:28:04.650112,  1]
	  NOTE: Service test is flagged unavailable.
	[2020/05/13 16:28:04.654259,  2]
	  check_ntlm_password:  Authentication for user [lomaxd] -> [lomaxd]
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
	[2020/05/13 16:28:04.654299,  2]
	  Auth: [SMB2,(null)] user [NSA]\[lomaxd] at [Wed, 13 May 2020
16:28:04.654290 BST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD]
workstation [ROMULUS] remote host [ipv4:] mapped to
[NSA]\[lomaxd]. local host [ipv4:]
	  {"timestamp": "2020-05-13T16:28:04.654375+0100", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor": 0},
"status": "NT_STATUS_WRONG_PASSWORD", "localAddress":
"ipv4:", 	"remoteAddress":
"ipv4:", "serviceDescription": "SMB2",
"authDescription": null, "clientDomain": "NSA", "clientAccount": "lomaxd",
"workstation": "ROMULUS", "becameAccount": null, "becameDomain": null,
"becameSid": null, "mappedAccount": "lomaxd", "mappedDomain": "NSA",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": 	null, "passwordType": "NTLMv1", "duration":

In /var/log/samba/log.smbd.1:

	[2020/05/13 16:28:17.733824,  2]
	  samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x55e2e5e02900]
mpx_fde[(nil)] fd[14] - disabling

Now I'll share my configuration files:

My /etc/samba/smb.conf:
(My file share is fs$)

#======================= Global Settings =======================


## Browsing/Identification ###

   netbios name = VULCAN
   workgroup = NSA
   realm = NSA.INT
   #server role = member server
   security = ads
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   #map archive = no
   #map hidden = no
   #map read only = no
   #map system = no
   inherit permissions = yes
   nt acl support = yes
   inherit acls = yes
   server string = %h server (Samba, Ubuntu)

   # DL: Including any of the below overrides the defaults.  Comment them
out for the defaults.  Dont change the values!
   lanman auth = yes
   client lanman auth = yes
   allow trusted domains = yes
   follow symlinks = no
   wide links = no
   unix extensions = yes

   winbind offline logon = false
   winbind nss info = rfc2307 # In samba >4.6.0 this has been replaced by
idmap config HOME
   winbind enum users = yes
   winbind enum groups = yes
   winbind cache time = 10
   winbind nested groups = yes
   winbind refresh tickets = yes

   dns forwarder =
   dns proxy = no

#### Networking ####

   interfaces = lo vmbr0 vmbr1 vmbr2
   ;interfaces =
   ;bind interfaces only = yes

#### Debugging/Accounting ####

   log file = /var/log/samba/log.%m
   log level = 2
   max log size = 1000000
   logging = file
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######

   #passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   guest account = nobody

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

########## Domains ###########

#   logon path = \\%N\profiles\%U
#   logon path = \\%N\%U\profile
#   logon drive = H:
#   logon home = \\%N\%U
#   logon script = logon.cmd
#   add user script = /usr/sbin/adduser --quiet --disabled-password --gecos
"" %u
#   add machine script  = /usr/sbin/useradd -g machines -c "%u machine
account" -d /var/lib/samba -s /bin/false %u
#   add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

;   include = /home/samba/etc/smb.conf.%m
   idmap_ldb:use rfc2307 = yes
   idmap config * : backend = tdb
   idmap config * : range = 20000 - 40000
   idmap config NSA : backend = ad
   idmap config NSA : schema_mode = rfc2307
   idmap config NSA : range = 2000 - 4000
   idmap config NSA : unix_nss_info = yes
   idmap config NSA : unix_primary_group = yes
   #username map = /etc/samba/user.map
   username map script = /bin/echo
   #map untrusted to domain = yes
   template shell = /bin/bash
   template homedir = /home/%U
#   usershare max shares = 100
   usershare allow guests = yes

# DL: Experimental - boost performance of Samba file shares
#socket options = TCP_NODELAY

#======================= Share Definitions =======================

# This exports every folder under /tank/fs/usr/ by username
   comment = Home Directories
   path = /tank/fs/usr/%U
   browseable = yes
   writeable = yes
   create mask = 0700
   directory mask = 0700
   #valid users = %S
   #write list = root, NSA.INT\Domain Users

#       path = /usr/local/samba/var/locks/sysvol
#       read only = no

   comment = Network Logon Service
   path = /home/samba/netlogon
   #guest ok = yes
   writeable = yes
   #valid users = %S, NSA.INT\%S
   write list = root, NSA.INT\Domain Users

   comment = Users profiles
   path = /tank/fs/usr
   #guest ok = no
   browseable = no
   #valid users = %S, NSA.INT\%S
   write list = root, NSA.INT\Domain Users
   create mask = 0600
   directory mask = 0700

   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   writeable = yes
   #valid users = %S, NSA.INT\%S
   write list = root, NSA.INT\Domain Users
   create mask = 0700

   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   writeable = no
   guest ok = yes
   #valid users = %S, NSA.INT\%S
   write list = root, NSA.INT\Domain Users

   comment = ZPool FS
   browseable = yes
   path = /tank/fs
   writeable = yes
   #valid users = %S, NSA.INT\%S
   write list = root, NSA.INT\Domain Users
   create mask = 0700
   directory mask = 0700

My /etc/nsswitch.conf:

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns winbind
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

My /etc/resolv.conf:

search nsa.int
domain nsa.int

My /etc/network/interfaces:

auto lo
iface lo inet loopback

# 10 Gigabit Port 1
allow-hotplug ens3f0
auto ens3f0
iface ens3f0 inet manual
        mtu 9014

# 10 Gigabit Port 2
allow-hotplug ens3f1
auto ens3f1
iface ens3f1 inet manual
        mtu 9014

# 10 Gigabit Port 3
allow-hotplug ens4f0
auto ens4f0
iface ens4f0 inet manual
        mtu 9014

# 10 Gigabit Port 4
allow-hotplug ens4f1
auto ens4f1
iface ens4f1 inet manual
        mtu 9014

# 10 Gigabit Port 5
allow-hotplug enp4s0f0
auto enp4s0f0
iface enp4s0f0 inet manual
        mtu 9014

# 10 Gigabit Port 6
allow-hotplug enp4s0f1
auto enp4s0f1
iface enp4s0f1 inet manual
        mtu 9014

# 1 Gig Bridge (normal network)
auto vmbr0
iface vmbr0 inet static
    bridge-ports eno2
    bridge-stp off
    bridge-fd 0
    mtu 1500
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/proxy_arp

# 10 Gigabit Bridge (fast network)
auto vmbr1
iface vmbr1 inet static
    bridge-ports ens3f0 ens3f1 ens4f0 ens4f1 enp4s0f0 enp4s0f1
    bridge-stp off
    bridge-fd 0
    mtu 9014
    pre-up ifconfig ens3f0 mtu 9014
    pre-up ifconfig ens3f1 mtu 9014
    pre-up ifconfig ens4f0 mtu 9014
    pre-up ifconfig ens4f1 mtu 9014
    pre-up ifconfig enp4s0f0 mtu 9014
    pre-up ifconfig enp4s0f1 mtu 9014

# Bridge network for Proxmox (a private host-only subnet you can ignore)
auto vmbr2
iface vmbr2 inet static
    bridge-ports vmbr0
    bridge-stp off
    bridge-fd 0

More information about the samba mailing list